At a glance.
- MOVEit vulnerability remediated faster than most.
- Report: US companies made up 51% of ransomware victims in Q2 2023, with LockBit taking first place among the gangs.
- Report: WhatsApp accounts may be at risk.
- Possible privilege escalation within Google Cloud.
- APT compromises JumpCloud.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
- And security innovation.
MOVEit vulnerability remediated faster than most.
Bitsight has published a report looking at organizations’ remediation of the various MOVEit vulnerabilities disclosed over the past few months: “We are observing what Bitsight calls ‘rapid remediation’ for these vulnerabilities. Typical remediation rates for software vulnerabilities are at a mere 5 percent per month, while these remediation rates are significantly faster. In a typical vulnerability remediation pattern, it would take 29 months to reach the same level of remediation we observe happening for MOVEit after just 42 days. In other words, organizations are remediating CVE-2023-34362 roughly 21X faster than what’s considered typical. The point? Organizations are taking these MOVEit vulnerabilities very seriously, and rightfully so.”
Bitsight believes the rapid patching is due to Progress Software’s “diligence in publishing timely and informative advisories,” as well as the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) issuance of alerts.
Report: US companies made up 51% of ransomware victims in Q2 2023, with LockBit taking first place among the gangs.
In its annual ransomware report, GuidePoint Security describes the current state of ransomware, which industries it affects the most, and casts a spotlight on threat actors. The report explains that ransomware has reached an all-time high since the GuidePoint Research and Intelligence Team (GRIT) began tracking it, and that it now primarily affects organizations in the US, which make up 51.74% of the victims reported. In comparison, the second most affected country is the UK, which makes up just 5% of the reported victims. The industries most heavily impacted by ransomware in Q2 2023 are manufacturing, followed by technology and then banking and finance. By far the most prolific group conducting these attacks is LockBit, with Alphv in second place and 8Base in third. To sum up its findings, GuidePoint writes:
“Q2 2023 continued to highlight the growing ransomware threat to organizations worldwide, from both Established ransomware gangs and Emerging or Ephemeral opportunistic groups. Reduced barriers to entry afforded by the Crimeware-as-a-Service and Ransomware-as-a-Service economies will almost certainly encourage more entrants going forward, and though the re-use of historical malware and ransomware provides an advantage for well-prepared and resourced defenders, smaller or less-resourced organizations will face an increased risk from the greater volume of threats.”
Report: WhatsApp accounts may be at risk.
Security researcher Jake Moore tweeted that it appears to be possible to deactivate any WhatsApp account by simply emailing the company. If a user emails the phrase “Lost/Stolen:Please deactivate my account” along with the account’s phone number, the service will temporarily deactivate the account. Moore found that the request can be sent from any email address. The account can be reactivated if the user logs back in within thirty days, but Moore points out that someone could write a script that continually emailed deactivation requests. Forbes notes that WhatsApp appears to have suspended the automated deactivation of accounts, and is now requiring users to send a phone bill to verify their ownership of the account. For more on the risk, see CyberWire Pro.
Possible privilege escalation within Google Cloud.
Orca Security reports a privilege escalation vulnerability, “Bad.Build,” in Google Cloud that could open the door to supply chain attacks by allowing an attacker to infect users and customers. “As we have seen with the SolarWinds and recent 3CX and MOVEit supply chain attacks, this can have far reaching consequences,” the researchers write. Google has closed the vulnerability. Orca’s report explains: “By abusing this flaw that enables the impersonation of the default Cloud Build service account, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code. Any applications built from the manipulated images are then affected, with potential outcomes including Denial-of-Service (DoS) attacks, data theft, and the spread of malware.” Orca Security alerted Google to this vulnerability; however, the researchers note that Google has issued only a partial fix by removing a single permission from the default Cloud Build service account. Orca writes: “The revoked permission wasn’t related to Artifact Registry, which turns the supply chain risk into a persistent one. In view of this, it’s important that organizations pay close attention to the behavior of the default Google Cloud Build Service Account to detect any possible malicious behavior. Applying the Principle of Least Privilege and implementing cloud detection and response capabilities to identify anomalies are some of the recommendations for reducing risk.”
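One way to act on Orca's advice to watch the default Cloud Build service account, as an added example that is not Orca's or Google's code: the Python below triages constructed Cloud Audit Log lines for two events worth reviewing, the default build account writing to Artifact Registry and any principal requesting an access token for that account. It assumes the default account's email ends in `@cloudbuild.gserviceaccount.com` and uses illustrative API method names; the sample log lines are constructed.

```python
import json

# Assumed form of the default Cloud Build service account email
# (<project-number>@cloudbuild.gserviceaccount.com); not stated on the page.
BUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"
ARTIFACT_REGISTRY = "artifactregistry.googleapis.com"
IAM_CREDENTIALS = "iamcredentials.googleapis.com"
READ_ONLY_PREFIXES = ("Get", "List", "Batch")


def _entry(principal, service, method, resource):
    """Build one constructed audit-log line in Cloud Logging's protoPayload layout."""
    return json.dumps({"protoPayload": {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal}, "resourceName": resource}})


# Constructed sample; method names are illustrative, not an authoritative API list.
BUILD_SA = "123456789012@cloudbuild.gserviceaccount.com"
SAMPLE_LOG_LINES = [
    _entry(BUILD_SA, ARTIFACT_REGISTRY, "google.devtools.artifactregistry.v1.ArtifactRegistry.ListRepositories",
           "projects/example-proj/locations/us/repositories/app"),
    _entry(BUILD_SA, ARTIFACT_REGISTRY, "google.devtools.artifactregistry.v1.ArtifactRegistry.UpdateTag",
           "projects/example-proj/locations/us/repositories/app/packages/web/tags/latest"),
    _entry("dev-user@example.com", IAM_CREDENTIALS, "google.iam.credentials.v1.IAMCredentials.GenerateAccessToken",
           "projects/-/serviceAccounts/" + BUILD_SA),
    _entry(BUILD_SA, "cloudbuild.googleapis.com", "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild",
           "projects/example-proj/builds/abc123"),
    _entry("ci-admin@example.com", IAM_CREDENTIALS, "google.iam.credentials.v1.IAMCredentials.GenerateAccessToken",
           "projects/-/serviceAccounts/deploy-sa@example-proj.iam.gserviceaccount.com"),
]


def triage_line(line):
    """Return a finding dict for one JSON audit-log line, or None if it looks benign."""
    payload = json.loads(line)["protoPayload"]
    principal = payload["authenticationInfo"]["principalEmail"]
    service = payload["serviceName"]
    method = payload["methodName"].rsplit(".", 1)[-1]  # drop the API package prefix
    resource = payload.get("resourceName", "")
    # 1) The default build account changing anything in Artifact Registry is the
    #    write path Orca describes, so every non-read call gets surfaced for review.
    if (principal.endswith(BUILD_SA_SUFFIX) and service == ARTIFACT_REGISTRY
            and not method.startswith(READ_ONLY_PREFIXES)):
        return {"rule": "build-sa-artifact-write", "principal": principal,
                "method": method, "resource": resource}
    # 2) Any identity minting a token for the default build account is the
    #    impersonation Orca warns about; record who asked for it.
    if (service == IAM_CREDENTIALS and method == "GenerateAccessToken"
            and resource.endswith(BUILD_SA_SUFFIX)):
        return {"rule": "build-sa-impersonation", "principal": principal,
                "method": method, "resource": resource}
    return None


def triage(lines):
    """Run triage_line over every log line and keep only the findings."""
    return [finding for finding in map(triage_line, lines) if finding]
```

In a real deployment the same two rules would run as a log sink filter or SIEM query over exported Cloud Audit Logs; the sample here exists only so the logic can be exercised offline.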
APT compromises JumpCloud.
JumpCloud announced that its systems were breached in a sophisticated attack conducted by a state-sponsored threat actor. “On June 27 at 15:13 UTC we discovered anomalous activity on an internal orchestration system which we traced back to a sophisticated spear-phishing campaign perpetrated by the threat actor on June 22. That activity included unauthorized access to a specific area of our infrastructure. We did not see evidence of customer impact at that time. Out of an abundance of caution, we rotated credentials, rebuilt infrastructure, and took a number of other actions to further secure our network and perimeter. Additionally, we activated our prepared incident response plan and worked with our Incident Response (IR) partner to analyze all systems and logs for potential activity. It was also at this time, as part of our IR plan, that we contacted and engaged law enforcement in our investigation.” The company is convinced the attack was sponsored by a nation-state, but JumpCloud is unsure which state was behind it. In further forensic investigation JumpCloud discovered additional unauthorized activity in the form of “unusual activity in the commands framework for a small set of customers.” In response, JumpCloud performed a forced rotation of all admin API keys on July 5th, the same day the unusual activity was discovered. Ars Technica explains that JumpCloud hosts a user base of over 200,000 organizations with 5,000 paying customers, including Cars.com, GoFundMe, and Foursquare. For more on the JumpCloud compromise, see CyberWire Pro.
Russia-Ukraine hybrid war update.
Russian drone and cruise missile strikes have continued to hit the Ukrainian port city of Odessa. The attacks form part of Moscow's strategy, implemented this week, to interdict grain shipments and induce famine to pressure Western countries into relaxing sanctions and forsaking support for Ukraine. The disruption of grain exports is expected to hit Africa especially hard. World grain prices have risen in response to Russia's newly announced blockade. The move carries risks for Russia, the principal risk being alienation of Moscow's shrinking number of already tepid international sympathizers. Expect the blockade to evoke a supporting Russian influence campaign.
In response to Russia's announcement of what amounts effectively to a blockade, Ukraine issued its own warning to mariners that they should avoid Russia's Black Sea ports. Kyiv calls out the Kerch Strait and the Sea of Azov as a region of particular risk. The US has accused Russia of mining the Black Sea approaches to Ukrainian ports, an implausibly deniable operation widely advocated and openly applauded on Russian state television. Russian naval units have emphasized the blockade by conducting anti-shipping missile firing drills in the Black Sea.
In a Telegram video posted on July 19th, Wagner Group proprietor Evgeny Prigozhin announced the company's move to Belarus. Recording from what looks like a field camp, Mr. Prigozhin announced that his employee (first name Sergei, callsign "Pioner") would be commanding the private military company during its stay in Belarus. Mr. Prigozhin explained that Wagner’s primary role in Belarus would be to train the Belarusian army into “the second best army in the world.” Should the need arise, he said, Wagner troops would follow the Belarusian army into combat. Prigozhin then handed the mic to Dmitry Valerievich Utkin, the GRU alumnus who founded the Wagner Group. Lieutenant Colonel (retired) Utkin has a colorful background. He's an enthusiast for things Nazi, and an admirer of the composer Richard Wagner's antisemitism and neopagan style. He took the composer's name "Wagner" as his callsign; from there it became the name of the private military company. Lieutenant Colonel (retired) Utkin's speech didn't disappoint. “This is not the end, the most important work in the world will begin very soon.” He added (in English, significantly) “Welcome to Hell!” After the speech the leaders took a walk through a formation of contractors, one of whom asked, “Are we going to continue to kill the [slur for homosexual]?” to which Lieutenant Colonel (retired) Utkin replied, “We are obligated to extinguish the LGBT!”
Another Telegram post from an account associated with the Wagner Group offered a tally of the number of troops the mercenary company committed to Russia's war against Ukraine. The post puts the total number of those who fought in Ukraine at 78,000. 49,000 of these were recruited from prisons. By the end of May Wagner Group forces had lost 22,000 killed and 40,000 wounded. The Wagnerites now have some 25,000 available for duty. Of these, 10,000 are headed for Belarus (or are already there) and 15,000 are leaving the company. The point of the post was to debunk Russian official media reports that 33,000 Wagner fighters were joining the regulars.
Patch news.
Ars Technica reports that newly exploited vulnerabilities affecting Adobe ColdFusion and Citrix NetScaler products have the vendors scrambling to create fixes. Specifically, CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467 affect NetScaler ADC and NetScaler Gateway, while CVE-2023-38203 and CVE-2023-29298 affect Adobe’s ColdFusion.
Both Adobe and Citrix have released updates to fix the vulnerabilities. However, Adobe has apparently released an incomplete fix for CVE-2023-29298. Rapid7, the research organization that discovered CVE-2023-29298, reported that “Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14).” Rapid7 also reports that Project Discovery, a cybersecurity research organization, seems to have mistakenly published details of a zero-day vulnerability in Adobe ColdFusion before Adobe provided a patch. Rapid7 explains, “It’s highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 in their July 12 blog post. Adobe published a fix for CVE-2023-29300, which is a deserialization vulnerability that allows for arbitrary code execution, on July 11. In actuality, what Project Discovery had detailed was a new zero-day exploit chain that Adobe fixed in an out-of-band update on July 14.” Project Discovery took down its blog post about the new exploit and republished it after Adobe had released a fix for the issue, which was then assigned CVE-2023-38203.
It now appears that all five vulnerabilities in Adobe ColdFusion and NetScaler have been patched. Rapid7 warns that the vulnerabilities are being exploited in the wild while organizations work to update their systems.
Crime and punishment.
Odessa City Council (that’s Odessa, Texas, not Odessa, Ukraine) has disclosed that it suffered a data breach and is currently conducting an investigation. It was discovered that an email account belonging to former city attorney Natasha Brooks, who was terminated from her position last December, had been accessed numerous times after her firing. Odessa Mayor Javier Joven says the intruder accessed a wide variety of the city’s document databases and downloaded approximately 200 documents. Immediately after Brooks was fired, former assistant city manager Cindy Muncy and former IT director Mike Parrish were instructed to deactivate Brooks’ email account, but apparently this never happened. Joven added that the email account of another former official was also accessed, but did not reveal this official’s identity. Joven has authorized the Odessa Police Department to conduct a criminal investigation into the records breach, assisted by the Texas Attorney General’s Office. The Texan notes that Brooks recently filed a complaint with the Equal Employment Opportunity Commission claiming her termination was racially motivated, and she has threatened to take legal action against the city.
Courts and torts.
HCA Healthcare, a medical facilities operator based in the US state of Tennessee, has been hit with at least five lawsuits connected to a massive data breach disclosed earlier this month. HCA explained that the attacker exfiltrated data from an external storage location and then posted the stolen information online. Becker’s Hospital Review reports that the incident impacted up to 11 million patients across nineteen states, and complaints have been filed by victims in Tennessee, California, Florida and Texas. Attorney Tricia Herzfeld, who is representing a patient from Nashville, Tennessee, says the purpose of her complaint is to "be able to take on a big corporation like HCA and say, 'No, we're not going to take this, and you do have obligations to safeguard our information, and we're going to band together, all 11 million of us in this class, to make sure you know that.'" After learning of the lawsuits, HCA stated, "Our commitment to our patients is unwavering and is not affected by any class-action lawsuits or other legal proceedings. We will respond to any lawsuits or proceedings, in the appropriate forums and ordinary course."
Policies, procurements, and agency equities.
The White House has announced a cybersecurity labeling program for smart devices: “Under the proposed new program, consumers would see a newly created ‘U.S. Cyber Trust Mark’ in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.” Manufacturers and retailers that have committed to the voluntary program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics.
The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance for 5G network slicing. The guidance is intended to “help foster communication amongst mobile network operators, hardware manufacturers, software developers, non-mobile network operators, systems integrators, and network slice customers in the hopes that it may facilitate increased resiliency and security hardening within network slicing.”
CISA has also published a factsheet outlining free tools for cloud environments, “to help businesses transitioning into a cloud environment identify proper tools and techniques necessary for the protection of critical assets and data security.”
Labor markets.
TechCrunch released a report titled “If cybersecurity isn’t recession-proof, what is?” in which it discusses the impact of the current market on cybersecurity investments. “Cybersecurity startups only raised 1.6 billion in Q2 2023,” the report reads. This is a 63% decrease in funding compared to Q2 2022 and is also the lowest amount raised since Q4 2019. A report from Crunchbase News shows that investments have been on a steady downward trend since a high in Q4 2021. This downward trend could have many causes, but one factor might be the role that AI has played in the cybersecurity field. Crunchbase explains, “Security companies likely will look to AI to improve offerings, helping security operations run more efficiently. Cybersecurity also could play a role in making sure the data AI is using is not corrupted.” Crunchbase News predicts that “the second half of the year could be an interesting ride.”
Mergers and acquisitions.
CISO Global, Inc. announced its acquisition of SB Cyber Technologies, “a cybersecurity company that specializes in identifying, enhancing and applying emerging government and military grade capabilities to critical commercial technical security challenges.”
Safe Security acquired RiskLens, the pioneer of the Cyber Risk Quantification standard. “We are at a critical inflection point in the market with new cyber risk management guidelines stemming from the White House and regulatory bodies, like the SEC. I am thrilled to welcome RiskLens, which has pioneered the FAIR model of cyber risk quantification and established a trusted standard for measuring cyber risk, supported by over fourteen thousand practitioners, representing 50% of Fortune 500 companies,” said Saket Modi, CEO and Co-founder at Safe Security.
Investments and exits.
PingSafe announced its launch from stealth with $3.3 in seed funding. Leading the company will be Anand Prakash as CEO and Co-founder, with Nishant Mittal as CTO and Co-founder. The press release states, “PingSafe is a cloud security platform that bridges the gap between attackers’ modus operandi and security solutions currently on the market. By aggregating intelligence via Cloud APIs and logs, PingSafe utilizes its graph database to generate a normalized architecture of the cloud real estate of a client. Utilizing its Offensive Security Engine, PingSafe then detects toxic and exploitable vulnerabilities, allowing security teams to make efficient decisions without relying on human verification of alerts.”
The Wall Street Journal reported that Netcraft has raised $100 million in an investment from Spectrum Equity Management.
Bureau, a fraud and identity decisioning platform, has closed its Series A funding round with $16.5 million from GMO Venture Partners, reports NewsDirect.
And security innovation.
Egress reported that it would be partnering with KnowBe4 in an effort to increase email security through a “proactive approach to defending against advanced inbound and outbound threats, and transform the way in which they manage human risk in email.”