FireSale HackBoy


Wednesday, November 6, 2024

Serco Hit by Cyber Attack, Disrupting Prisoner Tracking and Transport Operations

Serco, the British multinational known for providing technology services to the military and defense sectors across Europe, has reportedly been the target of a cyber attack. The incident has severely affected the company’s ability to monitor prisoners and track the prison vans used for inmate transportation.

The company is actively working to mitigate the damage and find a solution to recover from the breach, as the incident threatens to damage its reputation significantly. Serco, which holds a contract with the Ministry of Justice to oversee the surveillance of prisoners, is responsible for monitoring and transporting approximately 300,000 individuals annually.

From a technical standpoint, Serco is not directly to blame, as the attack originated from a third-party vendor, Microlise, which was providing software services to Serco. Microlise fell victim to a sophisticated cyber attack, believed to be ransomware, on October 31, 2024. This breach has had ripple effects on other companies, including DHL and NISA, which have also been impacted.

Both the London Stock Exchange and the UK Information Commissioner’s Office (ICO) were notified of the attack earlier this week, and a joint forensic investigation has been launched.

In a statement issued late yesterday, Microlise revealed that the attack also compromised employee data. The cybercriminals are believed to have accessed sensitive information regarding staff members during or prior to the attack.

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, has suggested that the attack may have been carried out by a cybercriminal group with links to Russian intelligence, though this theory remains speculative and lacks concrete evidence.

In the wake of the breach, Serco has disabled the surveillance systems used for monitoring its transport vans. Meanwhile, physical surveillance of the prison facilities has been increased as a precautionary measure.

The post Serco Hit by Cyber Attack, Disrupting Prisoner Tracking and Transport Operations appeared first on Cybersecurity Insiders.


November 06, 2024 at 08:45PM

The Most Notorious Cyber Threat Groups: A Global Overview

In the digital age, cyber threats have evolved from isolated incidents to organized, sophisticated attacks that can target governments, corporations, and individuals worldwide. Among these threats are cybercriminal groups, state-sponsored hackers, and hacktivists that operate under various motives—ranging from financial gain to political objectives. Some of these groups have earned infamy due to their highly impactful attacks, complex tactics, and elusive nature. Here’s a look at some of the most notorious cyber threat groups to date.

1. APT28 (Fancy Bear) – Russia’s Cyber Warfare Unit

Country of Origin: Russia
Primary Focus: Espionage, Disruption
Known Targets: U.S. Democratic National Committee, various political entities, military networks

APT28, also known as Fancy Bear, is a Russian cyber espionage group linked to the Russian military intelligence agency, GRU. This group has been active since at least the mid-2000s, and its operations are widely believed to be state-sponsored. APT28 is infamous for its role in high-profile cyberattacks, including the 2016 hack of the U.S. Democratic National Committee (DNC), which exposed emails and communications that caused a major political scandal during the U.S. presidential election.

APT28 is known for its use of sophisticated malware and phishing tactics to infiltrate networks, often targeting government organizations, military institutions, and political groups in Western nations. Their operations are typically motivated by espionage, with the aim of acquiring sensitive political and military data.

2. APT29 (Cozy Bear) – Russia’s Cyber Espionage Group

Country of Origin: Russia
Primary Focus: Espionage, Data Theft
Known Targets: U.S. government agencies, European institutions, research organizations

Another Russian-backed cyber threat group, APT29, also known as Cozy Bear, is widely believed to be associated with Russia’s intelligence agency, the SVR. APT29 is known for its stealth and long-term infiltration strategies. While they are less overt in their methods than APT28, their cyberattacks are no less damaging.

APT29 is most notorious for its involvement in the 2016 U.S. election interference campaign, where they successfully breached U.S. government agencies, including the Department of State and the White House. In addition, Cozy Bear has targeted pharmaceutical companies and research institutions, with a particular focus on stealing intellectual property related to COVID-19 vaccines.

3. Lazarus Group – North Korea’s Cyber Warfare Operative

Country of Origin: North Korea
Primary Focus: Cybercrime, Espionage, Financial Theft
Known Targets: Sony Pictures, South Korean banks, global financial systems

One of the most feared cyber threat groups globally, Lazarus Group, is allegedly sponsored by the North Korean government. Known for its cybercrime and espionage activities, Lazarus has carried out some of the most disruptive attacks in recent history. The group is responsible for the 2014 Sony Pictures hack, where they exposed sensitive internal data, including emails, films, and personal information of executives. The attack was believed to be in retaliation for the release of the movie The Interview, which depicted the assassination of North Korean leader Kim Jong-un.

Beyond Hollywood, Lazarus is notorious for financially motivated cyberattacks, including the WannaCry ransomware attack in 2017, which affected thousands of organizations worldwide, including the UK’s National Health Service. The group has also targeted financial institutions, with the 2016 Bangladesh Bank heist being one of the largest cyberattacks in history, where hackers stole over $81 million from the bank’s account at the Federal Reserve.

4. REvil – Ransomware as a Service (RaaS) Syndicate

Country of Origin: Russia (assumed)
Primary Focus: Ransomware Attacks
Known Targets: JBS Foods, Kaseya, multiple healthcare and manufacturing companies

REvil, also known as Sodinokibi, is a notorious ransomware group that operates under the Ransomware-as-a-Service (RaaS) model. While their exact origin remains unclear, many believe that REvil has Russian ties. The group is responsible for some of the largest and most disruptive ransomware attacks in recent years.

In July 2021, REvil carried out an attack on Kaseya, an IT management company, which resulted in over 1,500 businesses worldwide being affected by ransomware. Another significant attack took place in June 2021, when the group targeted JBS Foods, one of the largest meat suppliers in the world, causing a global supply chain disruption. REvil is known for its tactics of demanding high ransoms in exchange for the decryption of critical data and for publishing stolen data if their demands are not met.

In October 2021, the U.S. government reportedly targeted the infrastructure used by REvil in an attempt to dismantle the group. While the group temporarily disappeared, experts believe they may have simply rebranded or regrouped under different names.

5. Anonymous – The Global Hacktivist Collective

Country of Origin: Global (loosely affiliated)
Primary Focus: Activism, Political Causes
Known Targets: Governments, corporations, individuals deemed unethical

Unlike the other groups listed here, Anonymous is not a single, centralized entity, but rather a decentralized collective of hackers. Known for its hacktivist agenda, Anonymous engages in cyberattacks to promote political and social causes. The group first gained attention in the mid-2000s and became widely known for its attacks on organizations that it deemed corrupt, unjust, or unethical.

One of the group’s most significant campaigns was the attack on Scientology in 2008, where Anonymous launched Operation Chanology to protest the church’s controversial practices. Anonymous has also been involved in attacks against government institutions, corporations, and individuals, particularly in response to social issues or government censorship. Most recently, the collective has shown its support for Ukraine, launching cyberattacks against Russian websites in protest of the invasion.

6. China’s APT Groups (e.g., APT10, APT1) – Cyber Espionage for Economic and Political Gain

Country of Origin: China
Primary Focus: Espionage, Intellectual Property Theft
Known Targets: U.S. corporations, global tech companies, academic institutions

China is home to several state-sponsored cyber threat groups, including APT10, APT1, and others, which are believed to be linked to the Chinese government and military. These groups have been involved in cyber espionage and intellectual property theft on an industrial scale.

APT10, also known as Stone Panda, has been particularly active in targeting technology and telecommunications companies worldwide. The group has stolen sensitive intellectual property, research data, and government documents. APT10’s infamous Cloud Hopper campaign focused on breaching managed IT service providers to gain access to their client networks, resulting in widespread global data theft.

APT1, another group believed to be backed by China’s military, has targeted a wide range of industries, including aerospace, energy, and high-tech manufacturing, with the goal of stealing trade secrets and proprietary technologies.

7. DarkSide – Ransomware Group with Political Motives

Country of Origin: Russia (assumed)
Primary Focus: Ransomware and Extortion
Known Targets: Colonial Pipeline, global oil and gas companies

DarkSide is another prominent ransomware group that gained global attention in May 2021 when it launched a ransomware attack against Colonial Pipeline, one of the largest fuel pipeline operators in the U.S. The attack resulted in fuel shortages across the East Coast of the United States, highlighting the serious potential for ransomware to disrupt critical infrastructure.

While DarkSide claims to operate with a “no-politics” stance, their attacks are believed to have political implications. The group is known for demanding large ransoms, usually in the form of cryptocurrency, and for leveraging threats to leak stolen data. In response to U.S. law enforcement efforts, DarkSide announced that it would shut down its operations, though experts believe they may reemerge under a different name or form.

Conclusion

The cyber threat landscape is constantly evolving, with sophisticated groups using a range of tactics to achieve their objectives. Whether motivated by financial gain, political agendas, or national security objectives, these groups have shown the world the devastating potential of cyberattacks. Governments, organizations, and individuals must continue to bolster their cybersecurity defenses to combat these growing threats, while also remaining vigilant to the geopolitical implications of cyber warfare.


The post The Most Notorious Cyber Threat Groups: A Global Overview appeared first on Cybersecurity Insiders.


November 06, 2024 at 03:54PM

Schneider Electric ransomware attack to cost $125k and more in Baguettes

A little-known cybercriminal group, Hellcat ransomware, has recently gained attention after reportedly attacking Schneider Electric, a French-based energy management company. The group claims to have stolen approximately 60GB of data, threatening to release 40GB of it on the dark web unless a ransom of $125,000 is paid in a cryptocurrency called Baguettes.

In response, Schneider Electric issued an official statement apologizing to its customers and partners, assuring them that the situation is under investigation and that updates will be provided as new information becomes available.

Stolen Data: Truth or Bluff?

While the hackers insist that the stolen data contains sensitive information, including personal details about employees and partners, early investigations suggest that their claims may be exaggerated. Initial analysis indicates that the data in question is outdated and no longer useful to the company. However, the potential risk of phishing attacks and identity theft remains a concern, as the hackers might still have access to valuable contact information.

The Mysterious Baguette Cryptocurrency

The ransomware group is demanding payment in Baguettes, a relatively obscure French cryptocurrency. Each Baguette is valued at just $15, a fraction of the value of more widely used digital currencies like Bitcoin, which currently stands at over $72,000. Baguettes are difficult to trace and are not commonly used, making them an ideal medium for illicit transactions.

How Did the Attack Happen?

The exact method by which the Hellcat ransomware group gained access to Schneider Electric’s systems remains unclear. However, discussions on cybercrime forums suggest that the attack may have begun through a breach of Atlassian Jira, a popular project management tool used by many companies. This highlights the growing risks associated with software vulnerabilities in widely used enterprise tools.

Hellcat Ransomware: A Rising Threat

Not much is known about the Hellcat ransomware group itself, but it has been linked to attacks on high-profile organizations across several sectors, including government, education, energy, and water utilities. This group is also known for using double extortion tactics—where they not only demand payment to avoid leaking stolen data but also threaten to release additional files unless their ransom is paid. If the victim is a large multinational company, the group may also leak a sample of the stolen data as a demonstration of its capabilities.

As cyberattacks continue to grow in sophistication, businesses across the globe must remain vigilant and invest in robust cybersecurity measures to protect themselves from emerging threats like Hellcat ransomware.

The post Schneider Electric ransomware attack to cost $125k and more in Baguettes appeared first on Cybersecurity Insiders.


November 06, 2024 at 03:47PM

Tuesday, November 5, 2024

Nokia starts investigating source code data breach claims

Nokia has recently initiated a thorough investigation into claims of a cyberattack allegedly carried out by a hacking group known as IntelBroker. The group has been circulating sensitive information on the internet for the past three days, raising alarm bells within the company and the cybersecurity community. In response to the breach, Nokia has hired a team of forensic experts to track the origins of the attack and to prevent the stolen data from being sold or disseminated further, particularly on the dark web.

This breach is being considered particularly serious because the stolen data includes a variety of highly sensitive materials, such as source code, SSH keys, RSA keys, SMTP credentials, webhooks, and Bitbucket credentials—all of which are crucial to the integrity and security of the company’s operations. Such a leak could have far-reaching consequences if the data falls into the wrong hands, potentially exposing Nokia to significant risks, including intellectual property theft, unauthorized access to systems, and further exploitation.

The Leak and Its Origins

The information leak, according to initial investigations, seems to have been perpetrated via a third-party contractor. This contractor was responsible for overseeing a critical research and development (R&D) project related to Nokia’s 5G product line. While it appears that the breach was facilitated through this external party, early reports indicate that the internal systems and core data infrastructure of Nokia were not directly impacted by the hack.

Despite this, the company is treating the breach with the utmost seriousness. As a precautionary measure, Nokia has suspended all ongoing R&D activities related to its 5G products. The company is also in active discussions with its Indian telecom partner, Vi (Vodafone Idea), to assess any potential risks stemming from the breach and to explore mitigation strategies. Nokia is keen to ensure that the integrity of its relationships with key partners is maintained and that any potential damage from the leak is minimized.

Stolen Data and Dark Web Activity

According to a source who goes by the handle Visionary Lizard on Telegram, the stolen data is currently being offered for sale on the underground forum BreachForums for approximately $20,000, with transactions being conducted via cryptocurrency. The breach appears to be one of many similar incidents in recent years where cybercriminals seek to profit from the theft of proprietary data by selling it on illicit marketplaces.

The type of data involved in this breach, including source code and access credentials, could have far-reaching consequences if it were to fall into the hands of malicious actors. Typically, the sale of such sensitive information might attract the interest of threat groups looking to exploit it for financial gain, espionage, or other forms of cyberattacks. While it’s unclear whether the data has already been used to compromise Nokia’s systems or products, there is always the risk that future exploitation could occur.

Technical Impact and Future Risks

While the stolen data poses a significant risk, experts believe that simply acquiring this information does not necessarily enable an immediate attack on Nokia’s infrastructure or products. Counterfeit operations, for instance, would require more than just the stolen source code: they would also require a deep understanding of Nokia’s internal systems, processes, and hardware, none of which is directly accessible through the leak.

Furthermore, Nokia’s reputation could face more substantial damage due to the potential use of this stolen data by competitors or threat actors seeking to undermine the company’s position in the market. The reputation risk associated with such breaches is often the most concerning, as it can erode trust with customers, partners, and investors.

Historical Context: Nokia’s Journey and Market Perception

While this breach poses a significant threat to Nokia’s business, it’s important to consider the context of the company’s position in the global market. Nokia, once a dominant player in the mobile phone industry, has reinvented itself over the past decade as a key player in the 5G network infrastructure space. After shifting away from the mobile handset business, Nokia has focused its efforts on providing technology solutions for telecom operators, offering everything from network hardware to 5G and IoT solutions. In recent years, the company has seen success with its affordable 5G-enabled smartphones, helping it carve a new niche in the competitive Android phone market.

However, this reinvention has not been without its challenges. In the past, Nokia’s mobile devices were tied to the Windows Mobile operating system—a venture that initially attracted tech enthusiasts but ultimately faltered due to the platform’s inability to compete with iOS and Android in terms of app development and user experience. Following its acquisition by Microsoft in 2014, Nokia’s mobile phone division struggled to gain market share, and the sale of the company’s handset business to Microsoft marked the end of an era for the iconic brand.

Nokia has since repositioned itself as a leader in the telecommunications infrastructure and 5G network technology sectors, with a focus on providing essential connectivity solutions to global markets. Still, the company’s brand carries a legacy that is closely associated with its early dominance in the mobile phone industry—a legacy that can both work in its favor and pose challenges when dealing with security and trust issues.

Global Market Impact and Comparisons with Huawei and ZTE

The risk of a data breach tarnishing a company’s reputation is particularly pronounced in the tech industry, where security incidents can be perceived as a sign of vulnerability, often leading to loss of customer confidence. For instance, companies like Huawei and ZTE, which have faced significant scrutiny in recent years due to concerns over national security and data privacy, have suffered heavily from the global backlash. The U.S. government and other Western nations have accused these companies of potential ties to the Chinese government, alleging that their devices could be used to spy on users or transfer data to Chinese servers. As a result, both companies have faced bans in countries such as the United States and Canada, severely impacting their global sales.

In this context, any leak of proprietary information could exacerbate Nokia’s position in the market, particularly as the company competes in the 5G space with rivals like Huawei and Ericsson. While the risk of the stolen data being used for espionage or sabotage remains a concern, the technical barriers to exploiting this information on a large scale are significant. Even so, the perception of a security lapse could have long-lasting reputational consequences.

Conclusion

As Nokia investigates the data breach and works to mitigate its effects, the company’s immediate focus is on securing its intellectual property and maintaining the trust of its partners and customers. While the technical implications of the breach may not immediately compromise its infrastructure, the reputational risks are considerable. Nokia’s efforts to address the situation and safeguard its R&D operations, particularly in relation to its 5G products, will be crucial in determining how well the company navigates this crisis. In a world where data breaches are becoming increasingly common, the response to such incidents can make all the difference in maintaining a company’s standing in the competitive tech landscape.

The post Nokia starts investigating source code data breach claims appeared first on Cybersecurity Insiders.


November 05, 2024 at 08:42PM

Monday, November 4, 2024

Three UK Council websites hit by DDoS Cyber Attacks

Three UK councils—Salford, Portsmouth, and Middlesbrough—were disrupted by a Distributed Denial of Service (DDoS) attack, causing temporary outages on their websites. The National Cyber Security Centre (NCSC), part of the UK’s GCHQ, has confirmed that the attack was carried out by the pro-Russian hacking group NoName057(16). Fortunately, no sensitive data was compromised in the incident.

The attack has affected users trying to access the websites of these councils, with service interruptions and difficulties retrieving certain data. Recovery efforts are ongoing, and two additional councils, Bury and Trafford, were also impacted.

A DDoS attack involves overwhelming a server with a flood of fake traffic, rendering the website or service temporarily inaccessible to legitimate users. The NCSC has advised that disruptions may continue while the affected councils work to restore normal service.

NoName057(16): A Pro-Russian Cybercrime Group

According to Radware, a cybersecurity firm specializing in network protection, NoName057(16) is a pro-Russian group known for its extensive DDoS campaigns. The group first gained attention in March 2022, coinciding with the start of Russia’s invasion of Ukraine. Its initial targets included Ukrainian infrastructure, among them a nuclear facility near the Ukrainian border.

The group developed a DDoS tool, DDOSIA, which it has used to target national infrastructure, news outlets, government websites, and tech companies in various countries.

In addition to attacks on Ukraine, NoName057(16) has launched significant DDoS campaigns against global events, including the 2023 G20 Summit in India. Since late 2023, the group has focused increasingly on political targets, including the Czech Presidential Elections in January 2023.

The group’s activities highlight the growing use of cyberattacks in geopolitical conflicts, with a clear shift toward political disruption in recent months.

The post Three UK Council websites hit by DDoS Cyber Attacks appeared first on Cybersecurity Insiders.


November 05, 2024 at 10:48AM

ChatGPT new search engine features cause data sanctity concerns

ChatGPT, developed by OpenAI and backed by Microsoft, is poised to enhance its functionality this week by integrating search engine capabilities. This update will allow paid users to pose a variety of questions to the AI chatbot, seeking information on topics such as weather, news, music, movie reviews, and sports updates. The AI will leverage generative technology to pull data from the web, primarily sourcing results that align with those found on Google.

A significant aspect of this development is the introduction of “SearchGPT,” which will curate content exclusively from established publishers. This means that premium users will receive tailored information accompanied by credible references. However, there is a notable limitation: the chatbot will only engage with well-known publishers, effectively sidelining smaller entities.

To illustrate this point, consider a scenario where a user seeks news coverage of the 2024 U.S. Elections. The results provided by SearchGPT will include headlines solely from publishers with which Microsoft has partnerships. Consequently, information from other sources will be omitted, leading to a somewhat monopolized perspective on the news. This approach bears resemblance to the information control seen in countries like China and Russia, where users are presented only with content deemed safe by the government. Controversial topics may be classified as disinformation to maintain political and social stability.

There are concerns about the potential for content manipulation, where information could be skewed to align with business interests or current political climates. This issue has sparked discussions on platforms like Reddit, though concrete evidence regarding content curation remains elusive. Much of the conversation appears to be speculative rather than grounded in verifiable facts.

It’s important to note that integrating AI into search engines is not a novel concept; platforms like Baidu in China, DuckDuckGo, and Bing have already implemented such technologies effectively. Their search results tend to be accurate and reliable. Therefore, while the introduction of AI capabilities may enhance the functionality of search engines, it is unlikely to revolutionize the underlying operations of these platforms.

The post ChatGPT new search engine features cause data sanctity concerns appeared first on Cybersecurity Insiders.


November 04, 2024 at 08:33PM

Sunday, November 3, 2024

Gmail Security Challenges Amid Rising Phishing Scams

Gmail, often heralded as one of the most secure email services globally, is currently facing a wave of security-related controversies that have raised concerns among its users. Recent insights from Google’s Threat Analysis team reveal that several Gmail users have become victims of sophisticated phishing scams, originating from a nefarious security reset scheme orchestrated by hackers.

According to recent reports, these cybercriminals have managed to gain unauthorized access to users’ email addresses and their linked phone numbers. Once they have this information, they initiate a login attempt using incorrect passwords. When Gmail’s security system detects this unusual activity, it triggers an alert, sending an email to the legitimate user notifying them of the suspicious login attempt and prompting them to take action.

In a calculated maneuver, the hackers then contact the user directly, often posing as legitimate representatives, and request a security code. This code can be found within the user’s account settings, specifically in the “Manage Account” section under the security features. If the unsuspecting user shares this code, the hackers can then reset the account password, effectively locking the original user out of their account.

Once they gain access, these cybercriminals often engage in data theft, using the compromised account to send urgent emails to the victim’s contacts. These messages typically request money or other favors, leveraging the trust built within the user’s social network. This not only prevents the victim from accessing their own account but also jeopardizes their reputation, potentially leading to social and financial ramifications.

To mitigate these risks, it is crucial for users to exercise caution. Users should remain skeptical of unsolicited requests for sensitive information, especially from unfamiliar sources. Implementing two-factor authentication (2FA) adds an extra layer of protection, and utilizing a physical security key can significantly enhance account security. Additionally, users are advised to avoid clicking on links or responding to messages received via WhatsApp, email, or other messaging platforms that seem suspicious.

It is noteworthy that some cybercriminals have refined their tactics, employing AI-generated cyber attacks that accelerate their operations and diminish the likelihood of successful recovery for victims. These advancements in cybercrime technology pose a significant threat, making it essential for users to remain vigilant.

Despite these challenges, Alphabet Inc., the parent company of Google, continues to demonstrate a steadfast commitment to user cybersecurity. The company is consistently working on implementing best practices and advanced measures to combat increasingly sophisticated cyber threats. However, from the user’s perspective, adhering to basic cybersecurity hygiene practices is equally vital to safeguard personal information and maintain account integrity in an ever-evolving digital landscape.

The post Gmail Security Challenges Amid Rising Phishing Scams appeared first on Cybersecurity Insiders.


November 04, 2024 at 10:44AM

Quadrant Launches Free Dark Web Reports to Help Organizations Identify Leaked Credentials and Sensitive Information

Quadrant Information Security (Quadrant), a prominent provider of Managed Detection and Response (MDR) services, has introduced Free Dark Web Reports designed to help organizations detect and manage their exposed credentials and data on the Dark Web. These reports equip organizations with key insights into compromised information and actionable guidance to mitigate potential risks.

Quadrant’s Free Dark Web Reports offer a strategic solution by flagging exposed credentials and related data specific to each organization. With this new service, clients can access monthly reports that spotlight recently discovered leaks, enabling timely interventions like password resets and policy updates to protect their environments.

Quadrant is extending this complimentary service to non-clients for a limited time, targeting organizations with up to 5,000 employees. Each report redacts sensitive information to meet regulatory privacy standards.

“Many security leaders are shocked to see the sheer amount of compromised data sitting on the Dark Web related to their organization,” stated Jeff Foresman, President of Services at Quadrant. “This proactive discovery of compromised credentials helps companies avoid expensive breaches and data loss. These reports are informational and directly useful for implementing better security measures.”

Key Advantages of Quadrant’s Free Dark Web Reports:

  • Proactive Risk Management: Early identification of compromised credentials enables swift actions, such as password resets and security adjustments, to prevent potential breaches.
  • Enhanced Protection for High-Risk Users: The service identifies users at greater risk of phishing or credential theft, allowing organizations to concentrate defensive efforts where they are needed most.
  • Detailed, Actionable Insights: These reports deliver comprehensive insights that organizations can incorporate immediately into their cybersecurity strategies to reinforce their defenses.

In light of the increase in credential-based attacks, having visibility into Dark Web activity is now more essential than ever. Quadrant’s Free Dark Web Reports provide a critical resource for organizations aiming to safeguard their assets and minimize vulnerabilities. To request a free Dark Web Report, visit https://ift.tt/HZCUSpl.

The post Quadrant Launches Free Dark Web Reports to Help Organizations Identify Leaked Credentials and Sensitive Information appeared first on Cybersecurity Insiders.


November 04, 2024 at 08:53AM

2024 Application Security Report - Fortinet

Introduction

In today’s digital ecosystem, the expansion of application and API landscapes offers both opportunities and challenges for organizations. Advancements in application development and integration foster unparalleled business agility and innovation but also enlarge the attack surface, creating numerous opportunities for threat actors to exploit. This complexity presents a formidable challenge for IT security teams to maintain visibility and control, ensuring comprehensive protection against increasingly sophisticated adversaries.

The 2024 Application Security Report, based on a detailed survey of over 500 cybersecurity professionals, is aimed at uncovering current trends, challenges, and practices in application security.

Key findings include:

  • Application Vulnerability: Half of the respondents report that their applications were compromised in the past year, highlighting the prevalent risk and the critical need for more robust security measures.
  • Expertise Gap: Only 19% of security professionals identify as experts in application security, highlighting a significant need for further development of skills among the remaining 81% to effectively counteract cyber threats.
  • Visibility Challenges: 45% of participants are not confident in their awareness of all applications used within their organizations, underlining the difficulties in achieving comprehensive application visibility.
  • Bot Attack Concerns: 45% raised concerns over their preparedness to defend against sophisticated bots, emphasizing the evolving nature of threats that organizations face.
  • Patch Management Hurdles: 40% of respondents acknowledge that they are unable to patch vulnerabilities in a timely manner, leaving organizations vulnerable to attacks.

We sincerely thank Fortinet for their essential contribution to this survey. The insights and best practices derived from this survey highlight the critical areas for organizations to focus their efforts in order to reduce their attack surface. With the right tools—those capable of discovering and enhancing visibility of digital assets while employing sophisticated measures like machine learning and threat analytics—businesses are better equipped to safeguard applications and APIs against advanced threats.

We trust that our readers will find this report helpful in their journey towards improved application security and in navigating the complexities of modern digital landscapes with confidence.

Thank you,

Holger Schulze

Founder, Cybersecurity Insiders

Application Security Expertise

Application security is a critical part of cybersecurity that demands nuanced expertise to effectively navigate its complexities. Applications are becoming increasingly vulnerable due to the rapid pace of digital transformation and the complexity of modern, cloud-first software development. This environment, rich with APIs and third-party services, opens numerous attack vectors. Furthermore, threat actors’ evolving tactics, such as AI-automated attacks, often outpace organizational security measures and elevate risk.

Only 19% of the survey respondents identify as experts, possessing extensive experience and a profound grasp of application security, including leadership in security projects. 46% of participants have intermediate proficiency in application security, reflecting an understanding and practical engagement with application security measures.

This majority indicates a workforce capable of implementing essential security practices, yet possibly lacking in advanced skills or experience. However, the 35% at the beginner and novice stages highlights a substantial segment that might not yet effectively contribute to safeguarding applications, underscoring a need for targeted upskilling.

To bridge this expertise gap, organizations should prioritize comprehensive training and development for those at the beginner and novice levels. Tailored programs that enhance practical skills and theoretical knowledge in application security will be critical. Furthermore, fostering an environment that encourages collaboration and knowledge exchange among all expertise levels can accelerate the collective advancement towards a more secure application ecosystem.

Confidence in Application Security Posture

Reflecting on the varied levels of application security expertise, it’s also beneficial to examine the confidence levels among cybersecurity professionals regarding their organization’s application security posture. This confidence speaks to both the strength of security measures in place and how well these measures are understood and implemented by the cybersecurity team.

More than half of the survey respondents (53%) report a concerning lack of confidence in their organization’s application security posture, with 35% being only moderately confident and 18% slightly or not at all confident. This suggests a high degree of doubt in the existing application security strategies.

By focusing on state-of-the-art security practices and tools, as well as cybersecurity training, organizations can not only strengthen their application security posture but also enhance the confidence of their cybersecurity professionals in the organization’s overall security strategy.

Prioritizing Application Security Concerns

Cybersecurity professionals’ wide-ranging concerns about application security reflect the complex nature of this challenge and the need for a comprehensive approach to protect applications at all development stages and across different environments.

The top concern is data protection, noted by 43% of respondents (and in the same spot as in our 2021 survey), underlining the continued importance of shielding sensitive information from unauthorized access and breaches. Close behind, 42% emphasize the need for effective threat and breach detection (up from the #4 spot in 2021), highlighting the necessity for advanced monitoring to quickly spot and address threats. Securing cloud applications, a concern for 40%, points to the shift towards cloud environments and their specific security challenges (rising from the #5 spot in 2021). Additional worries include malware defense, mentioned by 35%, and the task of managing an increasing number of vulnerabilities, identified by 31% of participants. This underscores the evolving threat landscape and the need for vigilant vulnerability management.

Organizations should adopt a comprehensive security strategy, integrating advanced technologies like encryption, modern Web Application Firewalls (WAFs), and Cloud Workload Protection Platforms (CWPP) to enhance data and cloud application security. Embracing DevSecOps principles ensures security is an integral part of the development lifecycle, addressing vulnerabilities in in-house applications. This approach helps tackle key security concerns, fostering a robust and adaptable security posture.

Recent Application Breaches

The frequency and recency of application related security incidents within organizations offer crucial insights into the current cybersecurity landscape and the effectiveness of prevailing security measures.

Notably, 50% of respondents reported an application breach within the last year. This statistic highlights the continuous threat activity and the essential need for effective detection and rapid response. Collectively, it indicates that half of the surveyed organizations have encountered recent security incidents, emphasizing the critical need for improved security measures.

On the other side, 36% experienced breaches between one and five years ago, pointing out that while many have avoided recent incidents, the threat of breach remains. The 14% with breaches occurring more than five years ago suggests either ongoing security success or potential gaps in detecting newer incidents.

Organizations should thus focus on implementing robust, real-time monitoring and response solutions, including next-generation firewalls, web app and API solutions, and automated security orchestration. Embracing continuous security assessment and a Zero Trust model—verifying every access request—can significantly reduce incident risks.

Common Application Attack Vectors

In the context of recent incidents, understanding the types of attacks against applications sheds light on adversary tactics and informs the creation of targeted defense strategies. The array of attack vectors over the past year reflects the complexity of the threat landscape and the need for a comprehensive security approach.

Malware leads the reported attack vectors at 29%, underscoring the need for robust endpoint protection and up-to-date defenses against malicious software. Following closely, 26% of organizations encountered exploits of software vulnerabilities, highlighting the critical need for continuous vulnerability management and timely patching to mitigate the risk of exploitation.

Stolen credentials, reported by 21% of respondents, underscore the importance of robust authentication mechanisms, including multi-factor authentication (MFA), to prevent unauthorized access. DDoS attacks and information leakage, both at 19%, further illustrate the diverse methods attackers employ to disrupt services and exfiltrate sensitive data, calling for advanced threat detection and data protection solutions.

Cross-site scripting and brute force attacks, cited by 18% and 17% of participants respectively, alongside application misconfiguration and content spoofing, stress the importance of secure coding practices, comprehensive security assessments, and the deployment of solutions such as Web Application Firewalls (WAFs) to defend against these prevalent threats. These common attack vectors underscore the urgent need for organizations to bolster their security posture through a combination of proactive, AI-driven threat intelligence, real-time monitoring, and the adoption of Zero Trust principles.

Application Hosting Strategies

The choice of hosting environment for applications significantly influences an organization’s operational flexibility, scalability, and security posture. This decision reflects not only technological preferences but also strategic priorities regarding data sovereignty, access control, and threat mitigation.

The largest group of respondents, 38%, reveals a preference for hybrid cloud environments, suggesting a strategic balance between the scalability and innovation offered by cloud services and the control and security associated with on-premises resources. This approach likely reflects an understanding of the nuanced security needs across different hosting environments, as well as a desire to leverage the benefits of both without fully committing to the security and compliance complexities of a cloud-only approach. The on-premises/datacenter model, favored by 23% of organizations, underscores a continued reliance on traditional hosting methods, possibly due to regulatory requirements, data sensitivity concerns, or specific performance needs. While offering greater control over security configurations, this choice requires robust internal security measures and infrastructure maintenance.

Private cloud solutions, selected by 21%, highlight the importance of exclusive resource utilization within a controlled environment, offering a compromise between the scalability of cloud services and the security and control of on-premises hosting. Public cloud adoption, at 18%, while the least common response, still represents a significant portion of organizations moving towards fully cloud-based solutions, attracted by their cost-effectiveness, scalability, and the evolving security features offered by cloud providers. In light of the varied attack vectors mentioned earlier, it’s crucial for organizations to tailor their security strategies to their chosen hosting environments. Hybrid and multi-cloud architectures demand sophisticated security orchestration and policy management to ensure consistent security postures across different platforms. For on-premises and private cloud environments, dedicated security controls and vigilant monitoring are paramount. Public cloud users must navigate shared responsibility models, ensuring that their configurations and usage adhere to best security practices. Emphasizing advanced threat protection, data encryption, and identity and access management across all environments can help mitigate the specific risks associated with each hosting model.

Navigating Application Awareness

Ensuring comprehensive awareness of all applications within an organization is crucial for mitigating security risks, especially in the context of shadow IT, where unauthorized applications can introduce vulnerabilities. Only 21% of survey respondents feel very confident in their knowledge of applications used, highlighting either effective control measures or a possible underestimation of their organization’s true application landscape.

Conversely, the 45% indicating varying degrees of uncertainty (somewhat confident to not confident) underscores the challenges shadow IT presents, from bypassing security protocols to complicating compliance. This finding emphasizes the need for strong governance strategies and technologies like application discovery tools to reveal hidden applications.

To curb the risks of shadow IT and enhance organizational security posture, fostering an environment of security consciousness and clear policies for technology adoption is crucial. Initiatives should focus on bridging IT governance with organizational innovation, ensuring a secure and adaptable application environment.

API Inventory Confidence

APIs play a critical role in application integration and communication, yet they introduce unique security challenges and shadow IT risks without careful management and documentation.

A majority (58%) feel confident or very confident in their knowledge of all APIs in their organization, suggesting effective governance and discovery practices in place for these crucial components. This level of assurance suggests robust API management strategies, including the use of API gateways and management platforms to catalog and secure API landscapes. However, this level of assurance could also suggest a degree of overconfidence among cybersecurity professionals, potentially overlooking gaps in their API inventory management.

On the other hand, 42% expressing some doubt or outright lack of confidence underscores the complexities and challenges in achieving complete visibility over their API footprint. This group highlights the potential for shadow APIs—unauthorized or undocumented APIs that can expose organizations to severe security threats due to inadequate oversight.

To tackle these issues, a balanced approach of technology and policy is essential. Organizations should adopt advanced API tools that include discovery for enhanced visibility and security across all APIs. It’s also crucial to foster a culture that emphasizes clear governance around API creation and use, encouraging developers to maintain up-to-date API documentation and reviews. This strategy not only reduces the risks associated with shadow APIs but also bolsters the security infrastructure, ensuring APIs are consistently managed according to security best practices.

Defending Against Sophisticated Bots

The rise of sophisticated, human-like bots marks a significant cybersecurity challenge, where distinguishing between legitimate user interactions and automated, often AI-powered, attacks becomes increasingly difficult. These bots can mimic human behavior, making them particularly effective at evading detection and exploiting vulnerabilities in applications and APIs.

A majority (55%) feel confident or very confident in their ability to defend against such advanced bots. This suggests a high level of optimism or trust in current security measures and strategies to identify and mitigate these threats. However, the 45% who are only somewhat confident or not confident at all reflect the complexities involved in defending against bots that closely emulate human behavior. This concern suggests a recognition of the inadequacy of traditional security measures and a call for more advanced, innovative solutions to adapt to the advancing tactics of automated threats.

To better prepare for human-like bots, leading organizations invest in next-generation security solutions that incorporate advanced machine learning and behavioral analytics. These technologies can analyze patterns of activity to distinguish between genuine users and sophisticated bots. Additionally, fostering a culture of continuous learning and adaptation is crucial, encouraging teams to stay informed about the latest threat vectors and defense mechanisms.

Bot Attack Concerns

In the context of preparing for sophisticated bots, understanding the most concerning bot attacks provides important insight into the threat landscape and guides defense strategies.

Credential stuffing, identified by 49% of respondents, emerges as the top concern, underscoring the acute awareness of the risks associated with unauthorized access to user accounts. This type of attack leverages stolen username-password pairs (often from a data breach) to gain access to accounts across different services through large-scale automated login requests. Closely following at 47% are DDoS (Distributed Denial of Service) attacks. These attacks disrupt service availability, directly impacting business operations and damaging reputations. Card fraud and web scraping attacks, with 35% and 33% respectively, also rank high. Card fraud represents a direct financial threat to organizations and their customers, while web scraping can lead to the loss of intellectual property and competitive advantages, underscoring the broad implications of bot attacks beyond just security breaches.

To mitigate these bot threats, organizations should employ a layered security approach that includes advanced features such as browser fingerprinting, biometric detection, real-time threat intelligence, and comprehensive analytics. Educating users on the importance of secure password practices and implementing multi-factor authentication can further reduce the risk of credential stuffing and other bot-related attacks.
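The credential-stuffing pattern described above (one source cycling through many distinct stolen username-password pairs, most of them failing) is distinguishable in authentication logs from a classic brute-force attempt (many guesses against one account). The following detector is an added example for this page, not code from the report or from Fortinet; the log format, field names and thresholds are assumptions, and the log lines are constructed. It classifies each source address over a sliding window and lists accounts that logged in successfully from a flagged source, which are the ones to push through a password reset or MFA step-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 203.0.113.5 tries eight
# different accounts in a few seconds (credential stuffing, one success); 192.0.2.44
# hammers a single account (brute force); 198.51.100.7 is an ordinary user.
SAMPLE_LOG = """\
2024-11-01T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-11-01T08:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-11-01T08:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-11-01T08:00:03Z src=203.0.113.5 user=dave result=FAIL
2024-11-01T08:00:04Z src=203.0.113.5 user=erin result=OK
2024-11-01T08:00:05Z src=203.0.113.5 user=frank result=FAIL
2024-11-01T08:00:06Z src=203.0.113.5 user=grace result=FAIL
2024-11-01T08:00:07Z src=203.0.113.5 user=heidi result=FAIL
2024-11-01T08:00:09Z src=198.51.100.7 user=alice result=FAIL
2024-11-01T08:00:15Z src=198.51.100.7 user=alice result=OK
2024-11-01T08:01:00Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:01:10Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:01:20Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:01:30Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:01:40Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:01:50Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:02:00Z src=192.0.2.44 user=ivan result=FAIL
2024-11-01T08:02:10Z src=192.0.2.44 user=ivan result=FAIL
"""

# Assumed log format: ISO timestamp, source address, username, OK/FAIL result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, min_distinct_users=5):
    """Label each source address whose activity in any sliding window looks automated.

    credential_stuffing: many attempts, mostly failures, across many distinct accounts.
    brute_force:         many attempts, mostly failures, all against one account.
    Thresholds are assumptions to tune against real traffic.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    verdicts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            attempts = len(win)
            if attempts < min_attempts:
                continue
            failures = sum(1 for _, _, ok in win if not ok)
            if failures / attempts < 0.5:
                continue
            distinct = len({u for _, u, _ in win})
            if distinct >= min_distinct_users:
                verdicts[src] = "credential_stuffing"
            elif distinct == 1 and verdicts.get(src) != "credential_stuffing":
                verdicts[src] = "brute_force"
    return verdicts


def accounts_needing_review(events, verdicts):
    """Accounts that logged in successfully from a source flagged as credential stuffing."""
    flagged = {s for s, label in verdicts.items() if label == "credential_stuffing"}
    return {user for _, src, user, ok in events if ok and src in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)                                  # {'203.0.113.5': 'credential_stuffing', '192.0.2.44': 'brute_force'}
    print(accounts_needing_review(evs, v))    # {'erin'}
```

The success ratio matters as much as the volume: a shared NAT address carrying many legitimate users also shows many distinct accounts, but its failure rate stays low, so it is not flagged.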

Resources for Vulnerability Management

Swift detection and remediation of application vulnerabilities are key to a secure application landscape, particularly against the backdrop of complex threats, from sophisticated bots to credential stuffing attacks.

Sixty percent of survey respondents (those agreeing or strongly agreeing) express confidence in their organization’s vulnerability management resources. This confidence suggests trust in the effectiveness of their tools, processes, and teams to preemptively address security vulnerabilities.

However, an alarming 40% of organizations say they can’t detect and remediate vulnerabilities in time, leaving them exposed. This group reports gaps in their vulnerability management practices, possibly due to constraints in budget, expertise, or technology.

Improving vulnerability management requires strategic investments in both advanced technology and skill development. Organizations should consider leveraging automated security scanning tools, continuous integration/continuous deployment (CI/CD) pipelines with integrated security checks, and threat intelligence platforms to gain insights into emerging threats. Equally important is fostering a culture of security within development teams, ensuring that security is a priority throughout the application lifecycle, from design to deployment.

Strategies for Application Monitoring

Organizations employ a variety of monitoring techniques to ensure their applications remain resilient against cyber threats. The reliance on firewalls, as indicated by 56% of participants (up from 43% in our 2021 survey), showcases the continued importance of this foundational security measure in protecting applications from unauthorized access and attacks. Meanwhile, 50% of organizations actively monitor applications in production (unchanged since 2021), utilizing threat intelligence to identify and respond to potential security issues in real-time. Endpoint security, mentioned by 36%, highlights the recognition of protecting not just the application environment but also the devices accessing these applications that could serve as entry points for attackers.

To further enhance application security monitoring, organizations should consider integrating security solutions like Web Application Firewalls (WAFs) and automated vulnerability scanning tools. These technologies, coupled with a robust security culture that emphasizes the importance of security at every stage of the application lifecycle, can provide a comprehensive defense mechanism against potential threats.

Adopting WAF Protection

The deployment of Web Application Firewalls (WAFs) across both on-premise and cloud environments is a vital part of modern cybersecurity strategies. A majority of organizations, 67%, use WAFs (up from 46% in 2021), which underscores their effectiveness in safeguarding applications from a wide range of threats, including SQL injection, cross-site scripting (XSS), and other sophisticated attacks that target the application layer.

This high WAF adoption rate reflects a strategic approach to application security and the necessity to protect assets regardless of their deployment environment. This security posture is essential, especially with the rise of hybrid cloud models, ensuring consistent protection across diverse infrastructures.

For the 33% not currently utilizing WAFs, adopting this technology presents an opportunity to strengthen their security framework. Integrating a WAF into security architectures provides an additional layer of defense, offering real-time threat analysis and mitigation capabilities.

A staggering 90% of survey respondents highlight the importance of Web Application Firewalls (WAFs) in securing API workloads, an increase from 79% in 2021, signaling a shift in application security priorities. This consensus reflects a recognition of WAFs’ role in countering modern cyber threats. With APIs serving as vital channels for data exchange and application functionality, they increasingly attract cyber attacks due to their widespread use, potential vulnerabilities, and access to sensitive data.

Ensuring that WAFs can effectively interpret and protect API traffic has become essential to address these security challenges head-on.

API Security Strategies

The survey responses reveal varied approaches to API security, emphasizing the importance of tailored solutions to protect these critical interfaces. API access controls like OAuth, used by 47% of respondents, underscore the importance of robust authentication to restrict API interactions to authorized entities.

Additionally, 44% of organizations rely on application-native security measures, such as API keys and rate limiting, indicating a decentralized approach to safeguarding against abuse. Meanwhile, 37% incorporate API gateway features into their security infrastructure, such as WAFs, to strengthen API protection through network-level controls. The adoption of dedicated API gateways by 28% and API discovery tools by 18% reflects strategies aimed at managing API interactions and uncovering APIs across the digital ecosystem, respectively.

This array of API security measures illustrates the comprehensive and layered defense mechanisms organizations deploy to navigate the complexities of API security more effectively.

Application Security Best Practices

In the face of evolving cyber threats, fortifying application security has never been more important. Below are essential best practices derived from industry insights and survey findings, designed to empower cybersecurity professionals with actionable strategies for enhancing their organization’s defense mechanisms against sophisticated attacks.

IMPLEMENT ROBUST AUTHENTICATION & ACCESS CONTROLS:

Deploy mechanisms like OAuth and multi-factor authentication to ensure application access is restricted to authorized users and systems.

DEPLOY WEB APPLICATION FIREWALLS (WAFS):

Utilize WAFs to protect both on-premise and cloud-hosted applications from a range of threats, aligning with our findings that 67% of organizations use WAFs for comprehensive protection.

SECURE APIS VIGOROUSLY:

Choose a WAF that discovers and protects your APIs as well as your web applications. The significant concern for protecting API workloads is confirmed by 90% of organizations.

MONITOR APPLICATIONS & UTILIZE THREAT INTELLIGENCE ACTIVELY:

Keep a vigilant eye on application performance and potential security threats in real time, a practice adopted by 49% of organizations.

ENCRYPT SENSITIVE DATA DILIGENTLY:

Protect sensitive data through encryption both in transit and at rest. Prioritizing the protection of data, as 43% of respondents did, is crucial in safeguarding against breaches and ensuring privacy.

ASSESS VULNERABILITIES & APPLY PATCHES REGULARLY:

Conduct continuous vulnerability assessments and apply patches promptly to address security flaws.

IMPLEMENT RATE LIMITING & API KEYS:

Utilize rate limiting and API keys for each application to prevent abuse and ensure secure API usage, as indicated by the 44% of organizations that rely on application centric security controls.
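The two application-centric controls named here, API keys and rate limiting, are usually implemented together in front of the handler. The following gateway check is an added example for this page, not code from the report or from Fortinet; the header name, bucket sizes and demo keys are assumptions and the keys are placeholders. It stores only key digests, compares them in constant time, applies a token bucket per authenticated client, and also rate-limits unauthenticated requests per source address so that key guessing is throttled rather than answered indefinitely with 401.

```python
import hashlib
import hmac

# Constructed demo keys (placeholders, not real credentials). In practice keys are
# random, issued out of band, and only their digests are kept server-side.
_DEMO_KEYS = {"acme-reporting": "demo-key-acme-0001", "widgets-inc": "demo-key-widgets-0002"}


def _digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Storing digests means a leaked table does not leak usable keys.
KEY_STORE = {_digest(key): client for client, key in _DEMO_KEYS.items()}


def lookup_client(api_key):
    """Map a presented key to its client name, or None if unknown.

    Every stored digest is compared with hmac.compare_digest so response time does
    not depend on how many leading characters of the key matched.
    """
    presented = _digest(api_key or "")
    match = None
    for stored, client in KEY_STORE.items():
        if hmac.compare_digest(stored, presented):
            match = client
    return match


class TokenBucket:
    """Token bucket: `capacity` burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGate:
    """Hypothetical gateway check; returns an HTTP status code.

    Authenticated requests are limited per client, unauthenticated ones per source
    address (so an unknown key costs the guesser, not the service).
    """

    def __init__(self, capacity=5, rate=1.0):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}

    def _bucket(self, scope):
        return self.buckets.setdefault(scope, TokenBucket(self.capacity, self.rate))

    def handle(self, headers, src_ip, now):
        client = lookup_client(headers.get("X-API-Key"))
        if client is None:
            if not self._bucket(("ip", src_ip)).allow(now):
                return 429
            return 401
        if not self._bucket(("client", client)).allow(now):
            return 429
        return 200


if __name__ == "__main__":
    gate = ApiGate(capacity=3, rate=1.0)
    good = {"X-API-Key": "demo-key-acme-0001"}
    print([gate.handle(good, "203.0.113.9", 0.0) for _ in range(4)])  # [200, 200, 200, 429]
    print(gate.handle(good, "203.0.113.9", 1.0))  # 200 once a token has refilled
```

Time is passed in explicitly so the policy is testable; in a real service `now` would come from a monotonic clock, and the bucket table would live in a shared store when the gateway runs on more than one node.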

DEVELOP A SECURITY-FOCUSED CULTURE:

Foster a security-aware culture within the organization, emphasizing the importance of security best practices across all roles involved in application development, deployment, and use.

By adhering to these best practices, cybersecurity professionals can significantly enhance the security posture of their application footprint, effectively mitigating risks and ensuring a resilient defense against the evolving threat landscape.

Methodology and Demographics

The 2024 Application Security Report is based on a comprehensive global survey of 507 cybersecurity professionals conducted in February 2024 to uncover how cloud user organizations are adopting the cloud, how they see cloud security evolving, and what best practices IT cybersecurity leaders are prioritizing in their move to the cloud. The respondents range from technical executives to IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.

Fortinet (NASDAQ: FTNT) secures the largest enterprises, service providers, and government organizations around the world. Fortinet empowers our customers with complete visibility and control across the expanding attack surface and the power to take on ever-increasing performance requirements today and into the future. Only the Fortinet Security Fabric platform can address the most critical security challenges and protect data across the entire digital infrastructure, whether in network, application, multi-cloud, or edge environments. Fortinet ranks #1 as the company with the most security appliances shipped worldwide and more than 730,000 customers trust Fortinet to protect their businesses. www.fortinet.com

Cybersecurity Insiders brings together 600,000+ IT security professionals and world-class technology vendors to facilitate smart problem-solving and collaboration in tackling today’s most critical cybersecurity challenges.

Our approach focuses on creating and curating unique content that educates and informs cybersecurity professionals about the latest cybersecurity trends, solutions, and best practices. From comprehensive research studies and unbiased product reviews to practical e-guides, engaging webinars, and educational articles – we are committed to providing resources that provide evidence-based answers to today’s complex cybersecurity challenges.

Contact us today to learn how Cybersecurity Insiders can help you stand out in a crowded market and boost demand, brand visibility, and thought leadership presence. 

Email us at info@cybersecurity-insiders.com or visit cybersecurity-insiders.com


The post 2024 Application Security Report - Fortinet appeared first on Cybersecurity Insiders.


November 03, 2024 at 01:24PM

Friday, November 1, 2024

Medusa Ransomware attack impacts 1.8 million patients

In what could potentially be the largest data breach in the history of pathology labs in the United States, the Medusa Ransomware group has reportedly affected over 1.8 million patients associated with Summit Pathology Laboratory in Colorado. This incident underscores a significant vulnerability within the healthcare sector and raises serious concerns about data security practices.

The breach occurred in April when an employee at Summit Pathology inadvertently clicked on a phishing email sent by the Medusa Ransomware gang. This seemingly innocuous action triggered a series of events that would lead to a massive compromise of sensitive patient information. Nearly six months after the initial breach, the hackers decided to notify the affected patients via email, leaving many feeling exposed and anxious about the security of their personal data.

According to reports from Cybersecurity Insiders, the compromised information includes a wide array of sensitive data such as names, addresses, medical histories, billing details, insurance information, dates of birth, Social Security numbers, and even some financial data. The breadth of this information highlights the potential for identity theft and fraud, posing a serious risk to the affected individuals.

A particularly alarming aspect of this incident is that it occurred despite the fact that employees at Summit Pathology had received training aimed at preventing such attacks. This raises questions about the effectiveness of current cybersecurity training programs and the ongoing risks that organizations face in an increasingly sophisticated threat landscape.

In a troubling turn of events, it has been reported that Summit Pathology has paid a ransom to the hackers, a decision that contradicts Colorado’s HIPAA data security laws, which strongly advise against complying with extortion demands. This move has sparked outrage among many in the healthcare community and may have legal ramifications for the company.

As of the latest updates from the U.S. Department of Health and Human Services, Summit Pathology is now facing over eight class-action lawsuits filed in recent weeks. Affected patients may be eligible for financial compensation due to the breach of their sensitive information, which has understandably left them feeling vulnerable.

In response to the incident, Summit Pathology has announced that it will provide complimentary identity theft and fraud prevention services to all patients whose data was compromised. While this step is commendable, it does little to alleviate the anxiety surrounding the potential misuse of the stolen information.

At this point, there is no concrete evidence that the stolen data has been misused by the hackers. However, the threat remains ever-present, as the criminals behind the breach could exploit the compromised information for fraudulent activities at any time. This incident serves as a stark reminder of the importance of robust cybersecurity measures and the need for continuous vigilance in protecting sensitive patient data.

The post Medusa Ransomware attack impacts 1.8 million patients appeared first on Cybersecurity Insiders.


November 01, 2024 at 08:31PM