World Economic Forum Names Cybercrime and Cyber Insecurity Among Top 10 Global Risks for 2023

Business and cyber leaders polled by WEF worry that geopolitical unrest will trigger a “catastrophic cyberattack” in the next two years. Here’s what you need to know.

A two-year global pandemic. The war in Ukraine. The inflation and cost of living crisis. Increasingly frequent natural disasters and extreme weather events. One thing that these severe geopolitical and economic crises have in common is that they constantly change the cyberthreat landscape, making it more difficult for businesses to keep pace and defend themselves, as emboldened cyberattackers get craftier and more sophisticated.

How will global unrest heighten cyber risk in the medium and long term? That’s an issue that the World Economic Forum explored in two recent reports: World Economic Forum’s Global Risks Report 2023 and Global Cybersecurity Outlook 2023. The reports examine the cybersecurity trends that will impact our economies and societies in the years to come, and serve as a call to action, urging businesses and organizations to build cyber resilience. A key finding: A majority of cyber and business leaders worry that geopolitical instability will cause a major cyberattack at some point in the next two years. Here’s what you need to know.

Cybersecurity ranks 8th in the WEF’s top 10 global risks

The WEF’s Global Risks Report 2023 ranked cybercrime and cyber insecurity as the eighth most severe global risk within a two-year and a 10-year period, making it clear that cyber risks will remain a constant and significant concern over the next decade.

The report is based on a survey of 1,200-plus risk experts, including the WEF’s Global Risks Report Advisory Board and its Chief Risk Officers Community, as well as thematic experts from academia, business, the international community, civil society and the government.


Cybersecurity Snapshot: If Recession Hits, Infosec Teams Expected to Suffer the Fewest Job Losses

Find out why a study says cybersecurity pros will weather staff reductions better than all other employees. Plus, AI abuse concerns heat up as users jailbreak ChatGPT. Also, learn all about the ransomware threat from North Korea aimed at hospitals. Then check out how the Reddit breach has put phishing in the spotlight. And much more!

Dive into six things that are top of mind for the week ending Feb. 17.

1 - Cybersecurity teams to be the least impacted by job cuts 

With employers concerned about global economic headwinds and a possible recession, continued layoffs are probable in 2023, but infosec pros are the least likely employees to lose their jobs.

That’s according to the (ISC)² cybersecurity industry non-profit organization, which this week published the results of a survey of 1,000 C-level business executives from Germany, Japan, Singapore, the U.S. and the U.K. conducted in December 2022.

Titled “How the Cybersecurity Workforce Will Weather a Recession,” the study excluded high-level technology executives, such as CIOs and CISOs, so it specifically reflects the importance that business leaders currently place on cybersecurity.


South Korean and American Agencies Release Joint Advisory on North Korean Ransomware


Several South Korean and American agencies have released a joint cybersecurity advisory on North Korean state-sponsored ransomware operators.

Background

As part of their #StopRansomware campaign, the Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency have released a joint Cybersecurity Advisory (CSA) in collaboration with South Korea's National Intelligence Service and Defence Security Agency. The advisory focuses on North Korean state-sponsored threat actor activity and highlights some of their tactics, techniques and procedures (TTPs), indicators of compromise, and mitigations against these attacks.

This advisory supplements a CSA released in July 2022 which discusses the use of Maui ransomware by the threat actors against healthcare organizations. The use of Maui has been linked to Andariel (aka BeagleBoyz, Lazarus, APT38 and many other monikers), a North Korean threat actor. A week after that CSA was released, Microsoft attributed the use of H0lyGh0st ransomware to the same actor.

The threat group has been active since 2014 and has been implicated in several high-profile heists such as the Bangladesh bank robbery in 2016, where the group stole $81 million by hacking the SWIFT banking system, the WannaCry attacks in 2017, which severely impacted the United Kingdom's National Health Service's network, and the $540 million Axie Infinity hack in 2022. Three members of the group have been indicted in the US on charges relating to attacks where more than $1.3 billion has been stolen or extorted.

Tactics, Techniques and Procedures

According to the advisory, the threat actors acquire infrastructure such as domains, personas and accounts using ill-gotten cryptocurrency. The actors use third-party entities to receive ransom payment, in attempts to mask their identity. The threat actors use virtual private networks/servers and IP addresses in countries outside of North Korea to further obfuscate their identities.


How Industry Partnerships Support Taking a Proactive, Preventive Approach to Cybersecurity

Exposure management requires open collaboration across the security ecosystem to solve difficult customer problems. An August 2022 technical issue identified by Microsoft and behind-the-scenes resolution among multiple technical teams over a weekend demonstrates how proactive collaboration can benefit customers.

The work cybersecurity professionals do every day to prevent an event from happening rarely gets the headlines. Yet, it’s just as significant as the work we do to respond to an incident as it’s happening. Such was the case in the story we’re about to share. It’s one of those events in which an ounce of prevention was worth a pound of cure, and speaks to the value of taking a proactive, preventive approach. It also speaks to the interconnected nature of cybersecurity technologies and demonstrates how effective collaboration between vendors ultimately benefits users.

In mid-August 2022, Microsoft tech support had been fielding an uptick in reports of users not being able to access Azure-hosted Office 365 services. By the end of the week, they had identified a common theme among customers that were using both Tenable and Microsoft products in their environments. When Tenable vulnerability scans were run on Windows machines joined to Azure Active Directory (AAD), the machines were being negatively impacted.

Using established partnership channels, Microsoft reached out to points of contact within Tenable Research in the afternoon of Saturday, Aug. 20. By Saturday evening, engineering team members from both Tenable and Microsoft were collaborating on identifying the root cause of the issue and continued communications through the night.

On the next morning’s status call, a shared customer — who was willing to engage on this issue — was identified and all parties collaborated throughout the day to determine the issue and test proposed solutions.


Microsoft’s February 2023 Patch Tuesday Addresses 75 CVEs (CVE-2023-23376)


Microsoft addresses 75 CVEs including three zero-day vulnerabilities that were exploited in the wild.

9 Critical, 66 Important, 0 Moderate, 0 Low

Microsoft patched 75 CVEs in its February 2023 Patch Tuesday Release, with nine rated as critical and 66 rated as important.

This month’s update includes patches for:


Cybersecurity Snapshot: Check Out Our No-Holds-Barred Interview with ChatGPT

We pulled no punches in our question-and-answer session with ChatGPT: Find out what the world’s most famous AI chatbot had to say. Plus, CISA and the FBI offer help in dealing with a massive ransomware campaign. Also, are CIOs becoming de-facto CISOs? And cyber attackers are aiming at finance and accounting data. And much more!

Dive into six things that are top of mind for the week ending Feb. 10.

1 - Our animated Q&A with ChatGPT

Red flags are flying all over the place regarding the potential abuse of ChatGPT by threat actors to do things like craft legitimate-sounding phishing emails and write malicious code. So we went straight to the source: ChatGPT. Check out an edited version of our lively conversation.

ChatGPT, are you trying to be a naughty chatbot?

No, I am not programmed to be "naughty." My goal is to assist users with helpful and respectful responses. 


How to Extract Data and Value from Tenable’s EASM Solution

It’s essential for external attack surface management products to offer users a variety of data-extraction methods so that they can use the data in different scenarios and use cases. Learn how Tenable.asm’s various data-extraction capabilities can help you operationalize your EASM data.

One of the first things organizations want to do after building an external attack surface map is to start extracting data out of the system so they can use the data within other workflows. That’s understandable because an external attack surface management (EASM) tool should be treated more like a data pipeline in a security management process. As the external asset data flows in, it is enriched and then extracted into useful buckets of data to triage. 

An EASM solution should offer a variety of data-extraction methods in order to give users flexibility to operationalize data and options so they can choose the best method based on their needs and use cases. That’s how Tenable.asm is designed.

In this blog, we’ll explain how and when you might use different extraction methods, why they’d be useful for different scenarios, and how to use Tenable.asm’s robust data-extraction capabilities. 

Using the data within the user interface

First and most obvious is viewing the data right within Tenable.asm user interface. At first blush, people may overlook this option, but it's one of the most useful methods to view the data in real time. Here are some instances where using the UI is convenient and powerful. 


Navigating Federal Cybersecurity Recommendations for Public Water Utilities: How Tenable Can Help

Cyberthreats to water and critical infrastructure have prompted the EPA to recommend states use the increased funding provided in the Bipartisan Infrastructure Bill for the Drinking Water State Revolving Fund to bolster their cybersecurity defenses. Here’s what you need to know — and how Tenable can help.

It’s been nearly 18 months since the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Environmental Protection Agency (EPA) issued a joint Cybersecurity Advisory warning that U.S. water and wastewater systems were being targeted by malicious actors. In February 2021, attackers attempted to poison the water treatment system in Oldsmar, FL. The U.S. Environmental Protection Agency (EPA) has said it is “critical” for such facilities to implement cybersecurity best practices. 

Cyberattacks against public water supplies are certainly not unique to the U.S. For example, U.K. water supplier South Staffordshire PLC was the victim of a ransomware attack in August 2022. Yet, the unique nature of U.S. systems — which are managed by a patchwork of state and local governments and private-sector entities — makes shoring up their cybersecurity particularly challenging.

In its “Water Sector Cybersecurity Brief for States,” the EPA recommends that all drinking water and wastewater utilities take mitigation actions, including:

prioritizing the remediation of known exploited vulnerabilities; enabling and enforcing multifactor authentication with strong passwords; closing unused ports; and removing any unnecessary applications.

It is also expected that the EPA will soon require states to expand inspections to include cybersecurity threats for about 1,600 water systems.


Cyber Watch: A Peek Inside NIST’s AI Risk Framework, Protecting Employees from Scams, How to Talk to Your Business Counterparts, and more


ChatGPT got you worried? In this week's edition of the Tenable Cyber Watch we unpack NIST's new AI risk framework. Also covered: how to communicate better with business colleagues, and tips for protecting your employees from money-transfer scams.

Learning to secure AI? Curious to know how organizations are balancing AI and data privacy? Want to improve your business-security communications? Struggling to protect employees who fall prey to money-transfer scams? 

We've got you covered in this week's edition of the Tenable Cyber Watch, a weekly video news digest highlighting four cybersecurity topics that matter right now.


Tenable Cyber Watch: IoT Vendors Lack Vulnerability Disclosures, Cyber Ranks As Top Business Concern - Again, The GAO’s Frustrations with Federal Agencies Not Heeding their Cybersecurity Advice


This week's edition of the Tenable Cyber Watch unpacks the importance of vulnerability disclosures, explores the top reasons why cyberthreats remain a top concern among business leaders, addresses the GAO's frustrations with federal agencies not heeding their cybersecurity advice and provides guidance on how to boost employee cybersecurity awareness. 

Curious to know why cyberthreats continue to be a top concern among business leaders? Looking for tips on how to boost employee cybersecurity awareness? Interested in learning more about the Government Accountability Office's (GAO) cybersecurity recommendations that can help you better protect sensitive data? Are vulnerability disclosure policies an ethical obligation?

We’ve got you covered in this week’s edition of the Tenable Cyber Watch, a weekly video news digest highlighting four cybersecurity topics that matter right now.


GoDaddy admits: Crooks hit us with malware, poisoned customer websites

Late last week [2023-02-16], popular web hosting company GoDaddy filed its compulsory annual 10-K report with the US Securities and Exchange Commission (SEC).

Under the sub-heading Operational Risks, GoDaddy revealed that:

In December 2022, an unauthorized third party gained access to and installed malware on our cPanel hosting servers. The malware intermittently redirected random customer websites to malicious sites. We continue to investigate the root cause of the incident.

URL redirection, also known as URL forwarding, is an unexceptionable feature of HTTP (the hypertext transfer protocol), and is commonly used for a wide variety of reasons.

For example, you might decide to change your company’s main domain name, but want to keep all your old links alive; your company might get acquired and need to shift its web content to the new owner’s servers; or you might simply want to take your current website offline for maintenance, and redirect visitors to a temporary site in the meantime.


S3 Ep122: Stop calling every breach “sophisticated”! [Audio + Text]

The birth of ENIAC. A “sophisticated attack” (someone got phished). A cryptographic hack enabled by a security warning. Valentine’s Day Patch Tuesday. Apple closes spyware-sized 0-day hole.

DOUG.  Patching bugs, hacking Reddit, and the early days of computing.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.


Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs

Deciphering Microsoft’s official Update Guide web pages is not for the faint-hearted.

Most of the information you need, if not everything you’d really like to know, is there, but there’s such a dizzying number of ways to view it, and so many generated-on-the-fly pages are needed to display it, that it can be tricky to find out what’s truly new, and what’s truly important.

Should you search by the operating system platforms affected?

By the severity of the vulnerabilities? By the likelihood of exploitation?

Should you sort the zero-days to the top?


Apple fixes zero-day spyware implant bug – patch now!

Apple has just released updates for all supported Macs, and for any mobile devices running the very latest versions of their respective operating systems.

In version number terms:

iPhones and iPads on version 16 go to iOS 16.3.1 and iPadOS 16.3.1 respectively (see HT213635).

Apple Watches on version 9 go to watchOS 9.3.1 (no bulletin).

Macs running Ventura (version 13) go to macOS 13.2.1 (see HT213633).

Macs running Big Sur (version 11) and Monterey (12) get an update dubbed Safari 16.3.1 (see HT213638).

Oh, and tvOS gets an update, too, although Apple’s TV platform confusingly goes to tvOS 16.3.2 (no bulletin).

Apparently, tvOS recently received a product-specific functionality fix (one listed on Apple’s security page with no information beyond the sentence “This update has no published CVE entries”, implying no reported security fixes) that already used up the version number 16.3.1 for Apple TVs.

As we’ve seen before, mobile devices still using iOS 15 and iOS 12 get nothing, but whether that’s because they’re immune to this bug or simply that Apple hasn’t got round to patching them yet…


Reddit admits it was hacked and data stolen, says “Don’t panic”

Popular social media site Reddit – “orange Usenet with ads”, as we’ve somewhat ungraciously heard it described – is the latest well-known web property to suffer a data breach in which its own source code was stolen.

In recent weeks, LastPass and GitHub have confessed to similar experiences, with cybercriminals apparently breaking and entering in much the same way: by figuring out a live access code or password for an individual staff member, and sneaking in under cover of that individual’s corporate identity.

In Reddit’s own words:

Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.

We’re not sure quite how suitable the adjective “sophisticated” is here, not least because Reddit quickly goes on to state that:


Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug

Last week, we wrote about a bunch of memory management bugs that were fixed in the latest security update of the popular OpenSSL encryption library.

Along with those memory bugs, we also reported on a bug dubbed CVE-2022-4304: Timing Oracle in RSA Decryption.

In this bug, firing the same encrypted message over and over again at a server, but modifying the padding at the end of the data to make the data invalid, and thus provoking some sort of unpredictable behaviour…

…wouldn’t take a consistent amount of time, assuming you were close enough to the target on the network that you could reliably guess how long the data transfer part of the process would take.

Not all data processed equally

If you fire off a request, time how long the answer takes, and subtract the time consumed in the low-level sending-and-receiving of the network data, you know how long the server took to do its internal computation to process the request.


S3 Ep121: Can you get hacked and then prosecuted for it? [Audio + Text]

DOUG.   Patches, fixes and crimelords – oh my!

Oh, and yet another password manager in the news.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.


OpenSSL fixes High Severity data-stealing bug – patch now!

OpenSSL, probably the best-known if not the most widely-used encryption library in the world, has just released a trifecta of security updates.

These patches cover the two current open-source versions that the organisation supports for everyone, plus the “old” 1.0.2-version series, where updates are only available to customers who pay for premium support.

(Getting into a position where you no longer need to pay for support is probably better for you, even if you don’t care about the cost, because it means you’ll finally be weaning yourself off a version that OpenSSL itself tried to retire years ago.)

The versions you want to see after you’ve updated are:

OpenSSL 3.0 series: new version will be 3.0.8.

OpenSSL 1.1.1 series: new version will be 1.1.1t (that’s T-for-Tango at the end).

OpenSSL 1.0.2 series: new version will be 1.0.2zg (Zulu-Golf).

If you’re wondering why the older versions have three numbers plus a letter at the end, it’s because the OpenSSL project used to have four-part version identifiers, with the trailing letter acting as a counter that could support 26 sub-versions.


VMWare user? Worried about “ESXi ransomware”? Check your patches now!

Cybersecurity news, in Europe at least, is currently dominated by stories about “VMWare ESXi ransomware” that is doing the rounds, literally and (in a cryptographic sense at least) figuratively.

CERT-FR, the French government’s computer emergency response team, kicked off what quickly turned into a mini-panic at the tail end of last week, with a bulletin entitled simply: Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi (Cyberattack exploiting a VMWare ESXi vulnerability).

Although the headline focuses directly on the high-level danger, namely that any remotely exploitable vulnerability typically gives attackers a path into your network to do something, or perhaps even anything, that they like…

…the first line of the report gives the glum news that the something the crooks are doing in this case is what the French call rançongiciel.

You probably don’t need to know that logiciel is the French word for “software” to guess that the word stem ranço- came into both modern French (rançon) and English (ransom) from the Old French word ransoun, and thus that the word translates directly into English as ransomware.


Tracers in the Dark: The Global Hunt for the Crime Lords of Crypto

Hear Andy’s thoughtful commentary on cybercrime, law enforcement, anonymity, privacy, and whether we really need a “war against cryptography” – codes and ciphers that the government can easily crack if it thinks there’s an emergency – to cement our collective online security.

[MUSICAL MODEM]

PAUL DUCKLIN. Hello, everybody.

Welcome to this very, very special episode of the Naked Security podcast, where we have the most amazing guest: Mr. Andy Greenberg, from New York City.

Andy is the author of a book I can very greatly recommend, with the fascinating title Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

So, Andy, let’s start off…
