At a glance.
- Cl0p claims to have accessed data from a third Big Four accounting firm.
- A malign AI tool: FraudGPT.
- Report: Ransomware victims increased by 66% from Q1 to Q2 2023.
- Data breaches exact a rising cost.
- Norwegian government offices sustain a zero-day attack of undetermined origin.
- Russia-Ukraine hybrid war update.
- Patch news.
- Crime and punishment.
- Courts and torts.
- Policies, procurements, and agency equities.
- Labor markets.
- Mergers and acquisitions.
- Investments and exits.
Cl0p claims to have accessed data from a third Big Four accounting firm.
Cl0p has posted data it claims to have hacked from Big Four accounting firm Deloitte, Cybernews and other outlets report. The gang says it exploited vulnerabilities in MOVEit Transfer to accomplish the data theft. Earlier this month it counted coup against PricewaterhouseCoopers (PwC) and Ernst & Young (EY). Deloitte acknowledged receiving Cl0p's attentions, but discounted the effect as negligible. “Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited. Having conducted our analysis, we have seen no evidence of impact on client data,” Cybernews quotes a Deloitte Global spokesperson as saying.
A malign AI tool: FraudGPT.
Another malicious generative AI tool is being sold on the dark web, according to researchers at Netenrich. The bot, called “FraudGPT,” is designed to write malicious code, craft phishing pages, write scam emails, and more. The tool launched on July 23rd, and is being offered for $200 per month or $1700 per year. The researchers note, “While organizations can create ChatGPT (and other tools) with ethical safeguards, it isn’t a difficult feat to reimplement the same technology without those safeguards.”
A similar tool, called “WormGPT,” launched earlier this month. WormGPT also advertised itself as an “ethics-free” version of ChatGPT.
Report: Ransomware victims increased by 66% from Q1 to Q2 2023.
ReliaQuest has released a report on ransomware trends for the second quarter (Q2) of 2023. The study concludes that victim counts for Q2 have skyrocketed. “In the second quarter of 2023, close to 1,400 organizations were named on ransomware and data-extortion websites. This marked a substantial increase (66%) from Q1 2023, which saw close to 850 affected organizations. What makes this increase even more impressive is that Q1 2023 had set the record for the most victims we ever recorded, but Q2 2023 shattered that record with 500 more. The number of organizations being named on ransomware websites has more than doubled over the past two quarters, highlighting a sudden growth in ransomware operations.”
ReliaQuest finds that Cl0p’s MOVEit campaign was the most impactful of the campaigns in Q2, but notes that it is technically a data-extortion campaign rather than ransomware strictly speaking: Cl0p has not encrypted the files it takes. The criminal group with the highest victim count was LockBit, with close to 250 organizations named in its ransom demands. The US continues to be the main target for cybercrime campaigns, with the UK, Germany, Canada, and France trailing by large margins. The sectors most heavily hit were science and technology (20.2%), manufacturing (19.6%), and finance and insurance (10.5%).
Data breaches exact a rising cost.
IBM has published its Cost of a Data Breach report for 2023, finding that the average cost of a breach in 2023 is $4.5 million. The researchers state, “This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Taking a long-term view, the average cost has increased 15.3% from USD 3.86 million in the 2020 report.”
The healthcare industry, however, has seen a 53.3% increase in data breach costs since 2020: “The highly regulated healthcare industry has seen a considerable rise in data breach costs since 2020. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of USD 10.93 million.”
The report also found that victims of ransomware attacks often saved significant sums of money if they involved law enforcement in the response: “Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.” For more on IBM's study, see CyberWire Pro.
Norwegian government offices sustain a zero-day attack of undetermined origin.
Norway continues its investigation of the zero-day attack several government organizations underwent earlier this month. Details are scarce, but remediation seems to be well in hand. Twelve ministries, all of which share a common ICT (information and communications technology) platform, were affected, BleepingComputer reports. The Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs, all of which use a different platform, were unaffected. Neither Norwegian authorities nor anyone else has attributed the attack to any specific threat actor. Several observers point out that Russia has a recent record of cyberattacks against its neighbor, which is a NATO member, Europe's largest oil producer, and a strong supporter of Ukraine during the present war. But this remains an a priori probability, insufficient for credible attribution. The zero-day itself is tracked as CVE-2023-35078, an authentication bypass vulnerability affecting all supported versions of Ivanti's Endpoint Manager Mobile (EPMM) mobile device management software (formerly known as MobileIron Core). Ivanti has issued a patch accessible to all registered users of the software; organizations running EPMM should apply it and review their instances for signs of unauthorized access.
Russia-Ukraine hybrid war update.
Ukraine appears to have opened a significant new phase of its counteroffensive, which has been in progress for weeks, but which has developed slowly. The main attack is being made in the south, in the Zaporizhzhia Oblast, and the operational objective is the Sea of Azov. Reaching the sea would sever occupied Crimea from Russia proper. The attack represents a significant offensive; whether it's the inaugural phase of a new, major effort remains, the Washington Post writes, unclear; it could still represent a feint. President Putin acknowledged the new offensive in remarks offered on the side, during his summit with African leaders. “We confirm that hostilities have intensified and in a significant way," he said. He also claimed that the Ukrainian attack had already failed, but no one outside of Russian official circles seems to credit that. Ukrainian President Zelensky was, in a video address last night, optimistic without revealing many details. “Today our boys had very good results at the front. Good for them. Details will follow," the Telegraph quotes him as having said.
Anonymous Sudan (which, remember, is neither Anonymous nor Sudanese, but rather a front for Russian intelligence services) has claimed responsibility for a cyberattack against Kenya's eCitizen portal. The East African reports that Kenya's ICT minister acknowledged an attack on the system, a place where Kenyans access government services online, but said that no data had been lost. The government was working to secure eCitizen and restore it to full operation.
To see what official censorship looks like in a country whose government isn't shy about flexing its muscles with little regard for civil liberties, see the Kremlin's current engagement with Vkontakte. As internal stress increases with continued indifferent-to-poor performance in its war against Ukraine, Russia has increased its domestic censorship. The New York Times puts that increase at "thirty-fold." The Times cites a report by the University of Toronto's Citizen Lab, which yesterday released a study of censorship of the social platform Vkontakte (which translates to "In contact;" the service is roughly speaking a Russophone analog to Facebook). Citizen Lab found that 94,942 videos, 1,569 community accounts, and 787 personal accounts had been blocked. Vkontakte's censorship runs mainly inside Russia. The censorship doesn't appear to extend to Vkontakte users in Canada or Ukraine. The blocking and takedowns are driven by content, and include media reports on Russia's war against Ukraine.
Patch news.
Apple has released security patches for sixteen vulnerabilities affecting iPhones, Macs, and iPads, 9to5Mac reports. Apple believes two of the flaws may have been exploited in the wild. One of these affects the kernel, and the other affects WebKit. The company says of the kernel flaw, “An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.”
Crime and punishment.
The case deciding the fate of Jack Teixeira, an Air National Guardsman charged with distributing hundreds of classified documents on Discord, is not expected to start for several months. The Washington Post reports that given the large amount of classified material and the various agencies involved, the administrative work necessary to process the evidence will take several months. “A Justice Department attorney told a judge in federal court in Boston that the documents are held by ‘a number of other government agencies,’ each of which must be consulted before authorities can hand over the material to Teixeira’s attorneys, a laborious and usually slow process that is typical for cases featuring classified information.”
Airman Teixeira’s lawyers complain of the delay in bringing him to trial, contrasting his pretrial confinement unfavorably with the treatment received by former President Donald Trump. Mr. Trump, charged with a similar crime, has not been taken into custody. Mr. Teixeira’s lawyers claim that the government “greatly over exaggerates Mr. Teixeira’s risk to national security," and has no means to flee the country, whereas Mr. Trump possesses plenty of means and in fact owns several properties overseas.
Prosecutors say the two cases are different. WCVB reports that, “The judge's decision to detain Teixeira came after Justice Department lawyers revealed in court filings a history of disturbing online remarks. He wrote in November that he would ‘kill a (expletive) ton of people’ if he had his way, because it would be ‘culling the weak minded.’” Prosecutors also argue that Mr. Teixeira said he may still have material that hasn’t been released, which could be of “tremendous value to hostile nation states that could offer him safe harbor and attempt to facilitate his escape from the United States.”
Courts and torts.
In what is believed to be the first decision of its kind, the Circuit Court of Ireland awarded €2,000 to a plaintiff for non-material damages under the General Data Protection Regulation (GDPR). The plaintiff argued that CCTV footage showing him making a mistake was shown to his colleagues without his permission. The plaintiff claimed that, as a result, he was ridiculed and suffered damage and distress. Cooley, a law firm, writes that the court considered the following conditions when deciding the case:
- "A ‘mere breach’ or a mere violation of the GDPR is not sufficient to justify an award of compensation for non-material harm, but damages should nonetheless be interpreted broadly (as per Recital 146 of the GDPR).
- "A claim does not have to meet any threshold of seriousness, but compensation should not cover ‘mere upset’ – and the non-material damage must be genuine, not speculative.
- "There must be a link between the infringement and the damages claimed and this must be proven; for example, in a claim for distress and anxiety, independent evidence such as a psychologist report or medical evidence is desirable.
- "Data policies, employee privacy notices, and CCTV policies must be clear, transparent and accessible by all parties affected."
Cooley concludes that companies need to take note of the judgment offered by the Circuit Court of Ireland as it sets a new precedent for employees taking issues to court, rather than submitting a formal complaint to the regulator responsible for such matters, and could lead to other employees and individuals taking this path as it could result in more timely resolutions.
Policies, procurements, and agency equities.
The Office of the Director of National Intelligence (ODNI) on Friday declassified and released a Foreign Intelligence Surveillance Court (FISC) order concerning FISA Section 702 in which it is shown that the FBI improperly queried the name of a US senator and two state officials, Reuters writes. The statement from ODNI reads, “Consistent with the Principles of Intelligence Transparency for the Intelligence Community, ODNI, in consultation with DOJ, is also today making publicly available, with redactions, a 2021 FISC Order that examined certain FBI compliance errors involving the querying of U.S. person information. The errors discussed in the 2021 FISC Order preceded the FBI remedial reforms discussed in the 2023 FISC Opinion, which were initially deployed during the summer of 2021, and the 2021 FISC Order thus does not reflect the current status of FBI compliance.” FISA Section 702 is set to expire at the end of the year; however, intelligence officials, including the prospective NSA director, are championing its renewal. Reuters explains that the renewal is facing skepticism from both sides of the aisle, writing, “Skepticism only deepened when an earlier court order - declassified in May - revealed that the FBI had improperly searched for the foreign intelligence database more than a quarter million times over several years.”
In a long-awaited move, US President Joe Biden today announced his nominee for national cyber director: Harry Coker, a four-decade veteran of the Central Intelligence Agency and National Security Agency. Coker would replace Chris Inglis, who left the Office of the National Cyber Director (ONCD) in February.
The US Securities and Exchange Commission (SEC) today voted to adopt new rules governing how publicly traded companies will handle cybersecurity issues. Specifically, Reuters reports, companies will be required to disclose a cyber incident within four business days of determining that the incident is material to investors. (An exception was made for cases in which such disclosure might have adverse implications for national security or public safety.) Companies will also be required to render periodic reports on their efforts to identify and manage cyber threats. Separately, in an attempt to forestall a repetition of the 2021 "meme-stock rally," the SEC proposed rules that would require broker-dealers to address conflicts of interest in any use they make of artificial intelligence and predictive analytics in their dealings with investors.
In an amendment to the Cyber Resilience Act (CRA), the European Council has determined that manufacturers will be required to report actively exploited vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the country where they are based. This decision is a rejection of a proposal that called for manufacturers to disclose such vulnerabilities to one central EU body, the European Union Agency for Cybersecurity (ENISA). Instead, ENISA will operate and maintain an intelligence sharing platform, which the various CSIRTs will use to disseminate warnings about reported vulnerabilities.
Labor markets.
Researchers conducting a study on behalf of the UK Department for Science, Innovation and Technology (DSIT) have found significant skills gaps in the cyber security industry. “Approximately 739,000 businesses (50%) have a basic skills gap. That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers. The most common of these skills gaps are in setting up configured firewalls, storing or transferring personal data, and detecting and removing malware,“ the report finds. What's more, 33% of businesses have more advanced skills gaps in forensic analysis, security architecture, and interpreting malicious code. The researchers note that while the figures for basic and advanced skills gaps have not changed, the proportion of businesses that lack confidence in their ability to carry out tasks has steadily risen since 2020. 22% of businesses report that applicants lack the required skills for the job they apply for, and 49% report that their existing staff or applicants are underqualified. A significant portion (61%) of cyber security workers said that they have pursued or are pursuing a cyber generalist specialization, in which their work is spread across several specialties in the “career road map.”
The report finds that job listings for cyber security roles have increased at a rate of 5,921 jobs per month in 2022, to a total of 71,054 jobs for the year. “When compared to 2021 levels, this suggests that the number of core cyber job postings has increased by 33% (from 53,586 in 2021). Demand for ‘all cyber roles’ has also increased by 30% in this time period,” write researchers. For more on the study, see CyberWire Pro.
Cengage Group released a report on recent graduates of cyber security programs and their views on how AI affects their job security. A key finding in the report was that 46% of recent graduates said they felt threatened by AI, and 52% questioned their readiness for the workforce. Additionally, AI appears to have led 59% of employers surveyed to change their requirements and priorities when hiring new employees. Most strikingly, 50% of employers have now dropped two- and four-year degree requirements for entry-level positions.
Mergers and acquisitions.
BusinessWire reports that Coro has announced its acquisition of Privatise, an Israeli network security solutions supplier for in office and hybrid work environments. “The acquisition adds critical SASE capabilities to Coro’s all-in-one platform and is part of an aggressive growth strategy, fueled by Coro’s $155M funding over the last 12 months, to expand the capabilities of Coro’s cybersecurity platform both organically and through strategic acquisitions,” BusinessWire writes.
Thales has announced its acquisition of Imperva from Thoma Bravo for $3.6 billion with the intention of significantly expanding Thales’ accessible market. “The acquisition of Imperva marks a major milestone in Thales’ cybersecurity strategy. With this acquisition, we are seizing a unique opportunity to accelerate our cybersecurity capabilities and are taking an important step towards our ambition to build a world-class global cybersecurity integrated player, providing a comprehensive portfolio of products and services,” wrote Patrice Caine, Chairman and CEO of Thales.
Investments and exits.
SecurityWeek reports that OneTrust has raised $150 million in funding bringing the total funding acquired to over $1 billion. “OneTrust says the new investment round will support its growth and help it meet customer demand for its trust intelligence software. The new funding round was led by Generation Investment Management, with participation from previous investor Sands Capital,” wrote SecurityWeek.
Earlyworks, a Japanese private blockchain technology company, has announced the pricing of its American Depositary Shares (ADSs) at $5 per share. “The Company expects to receive aggregate gross proceeds of US$6.00 million from the Offering, before deducting underwriting discounts and other related expenses. In addition, the Company has granted the underwriters a 45-day option from the closing of the Offering to purchase up to an additional 180,000 ADSs at the public offering price, less underwriting discounts,” the company wrote in its press release. The shares were set to begin trading on July 25th.