Connect with us


Fortinet Lists 2023 Threat Predictions



Fortinet has today unveiled predictions from the FortiGuard Labs global threat intelligence and research team about the cyber threat landscape for the next 12 months and beyond. From quickly evolving Cybercrime-as-a-Service (CaaS)-fueled attacks to new exploits on nontraditional targets like edge devices or online worlds, the volume, variety, and scale of cyber threats will keep security teams on high alert in 2023 and beyond.

Derek Manky, Chief Security Strategist and VP of Global Threat Intelligence, FortiGuard Labs, said, “As cybercrime converges with advanced persistent threat methods, cybercriminals are finding ways to weaponize new technologies at scale to enable more disruption and destruction. They are not just targeting the traditional attack surface but also beneath it, meaning both outside and inside traditional network environments. At the same time, they are spending more time on reconnaissance to attempt to evade detection, intelligence, and controls. All of this means cyber risk continues to escalate, and CISOs need to be just as nimble and methodical as the adversary. Organizations will be better positioned to protect against these attacks with a cybersecurity platform integrated across networks, endpoints, and clouds to enable automated and actionable threat intelligence, coupled with advanced behavioral-based detection and response capabilities.”

Success of RaaS is a Preview of What Is to Come with CaaS
Given cybercriminal success with Ransomware-as-a-Service (RaaS), a growing number of additional attack vectors will be made available as a service through the dark web to fuel a significant expansion of Cybercrime-as-a-Service. Beyond the sale of ransomware and other Malware-as-a-Service offerings, new a la carte services will emerge. CaaS presents an attractive business model for threat actors. With varying skill levels they can easily take advantage of turnkey offerings without investing the time and resources upfront to craft their own unique attack plan.

And for seasoned cybercriminals, creating and selling attack portfolios as-a-service offers a simple, quick, and repeatable payday. Going forward, subscription-based CaaS offerings could potentially provide additional revenue streams. In addition, threat actors will also begin to leverage emerging attack vectors such as deepfakes, offering these videos and audio recordings, and related algorithms more broadly for purchase.

One of the most important methods to defend against these developments is cybersecurity awareness education and training. While many organizations offer basic security training programs for employees, organizations should consider adding new modules that provide education on spotting evolving methods such as AI-enabled threats.

Reconnaissance-as-a-Service Models Could Make Attacks More Effective
Another aspect of how the organized nature of cybercrime will enable more effective attack strategies involves the future of reconnaissance. As attacks become more targeted, threat actors will likely hire “detectives” on the dark web to gather intelligence on a particular target before launching an attack. Like the insights one might gain from hiring a private investigator, Reconnaissance-as-a-Service offerings may serve up attack blueprints to include an organization’s security schema, key cybersecurity personnel, the number of servers they have, known external vulnerabilities, and even compromised credentials for sale, or more, to help a cybercriminal carry out a highly targeted and effective attack.

Attacks fueled by CaaS models mean stopping adversaries earlier during reconnaissance will be important. Luring cybercriminals with deception technology will be a helpful way to not only counter RaaS but also CaaS at the reconnaissance phase. Cybersecurity deception coupled with a digital risk protection (DRP) service can help organizations know the enemy and gain an advantage.

Money Laundering Gets a Boost from Automation to Create LaaS
To grow cybercriminal organizations, leaders, and affiliate programs employ money mules who are knowingly or unknowingly used to help launder money. The money shuffling is typically done through anonymous wire transfer services or through crypto exchanges to avoid detection. Setting up money mule recruitment campaigns has historically been a time-consuming process, as cybercrime leaders go to great lengths to create websites for fake organizations and subsequent job listings to make their businesses seem legitimate.

Cybercriminals will soon start using machine learning (ML) for recruitment targeting, helping them to better identify potential mules while reducing the time it takes to find these recruits. Manual mule campaigns will be replaced with automated services that move money through layers of crypto exchanges, making the process faster and more challenging to trace. Money Laundering-as-a-Service (LaaS) could quickly become mainstream as part of the growing CaaS portfolio. And for the organizations or individuals that fall victim to this type of cybercrime, the move to automation means that money laundering will be harder to trace, decreasing the chances of recovering stolen funds.

Looking outside an organization for clues about future attack methods will be more important than ever, to help prepare before attacks take place. DRP services are critical for external threat surface assessments, to find and remediate security issues, and help gain contextual insights on current and imminent threats before an attack takes place.

Virtual Cities and Online Worlds Are New Attack Surfaces to Fuel Cybercrime
The metaverse is giving rise to new, fully immersive experiences in the online world, and virtual cities are some of the first to foray into this new version of the internet-driven by augmented reality technologies. Retailers are even launching digital goods available for purchase in these virtual worlds. While these new online destinations open a world of possibilities, they also open the door to an unprecedented increase in cybercrime in unchartered territory.

For example, an individual’s avatar is essentially a gateway to personally identifiable information (PII), making them prime targets for attackers. Because individuals can purchase goods and services in virtual cities, digital wallets, crypto exchanges, NFTs, and any currencies used to transact offer threat actors yet another emerging attack surface. Biometric hacking could also become a real possibility because of the AR and VR-driven components of virtual cities, making it easier for a cybercriminal to steal fingerprint mapping, facial recognition data, or retina scans and then use them for malicious purposes. In addition, the applications, protocols, and transactions within these environments are also possible targets for adversaries.

Regardless of work-from-anywhere, learning-from-anywhere, or immersive experiences-from-anywhere, real-time visibility, protection, and mitigation is essential with advanced endpoint detection and response (EDR) to enable real-time analysis, protection, and remediation.

Commoditization of Wiper Malware Will Enable More Destructive Attacks
Wiper malware has made a dramatic comeback in 2022, with attackers introducing new variants of this decade-old attack method. According to the 1H 2022 FortiGuard Labs Global Threat Landscape report, there was an increase in disk-wiping malware in conjunction with the war in Ukraine, but it was also detected in 24 additional countries, not just in Europe. Its growth in prevalence is alarming because this could be just the start of something more destructive.

Beyond the existing reality of threat actors combining a computer worm with wiper malware, and even ransomware for maximum impact, the concern going forward is the commoditization of wiper malware for cybercriminals. Malware that may have been developed and deployed by nation-state actors could be picked up and re-used by criminal groups and used throughout the CaaS model. Given its broader availability combined with the right exploit, wiper malware could cause massive destruction in a short period of time given the organized nature of cybercrime today. This makes time for detection and the speed at which security teams can remediate paramountly.

Using AI-powered inline sandboxing is a good starting point to protect against sophisticated ransomware and wiper malware threats. It allows real-time protection against evolving attacks because it can ensure only benign files will be delivered to endpoints if integrated with a cybersecurity platform.

What These Attack Trends Mean for Cybersecurity Professionals
The world of cybercrime and the attack methods of cyber adversaries, in general, continue to scale at great speed. The good news is that many of the tactics they are using to execute these attacks are familiar, which better positions security teams to protect against them. Security solutions should be enhanced with machine learning (ML) and artificial intelligence (AI) so they can detect attack patterns and stop threats in real-time. However, a collection of point security solutions is not effective in today’s landscape. A broad, integrated, and automated cybersecurity mesh platform is essential for reducing complexity and increasing security resiliency. It can enable tighter integration, improved visibility, and more rapid, coordinated, and effective response to threats across the network.


NETSCOUT Highlights Cyberthreats to Watch Out for in 2023



NETSCOUT has revealed its top security trends to watch out for in 2023. Based on recent data, the company has predicted that geopolitical unrest, the evolution of ransomware, and the growing popularity of Adaptive DDoS, Direct-Path DDoS, and Outbound and Cross-bound DDoS attacks will have a significant impact on the security industry in 2023.

Emad Fahmy, Systems Engineering Manager Middle East at NETSCOUT, explained, “In the world of cybercrime, innovation is a constant. By constantly innovating and adapting, attackers are designing new, more effective attack vectors or doubling down on existing effective methodologies. Although the future is always difficult to predict, one thing is certain, cyber-attacks will not subside. Moreover, when it comes to cyber-attacks, no business sector is off-limits. Cybercriminals target regional businesses of all sizes and in all sectors, whether public or private.”

Geopolitical Unrest
Although distributed denial-of-service (DDoS) attacks have steadily increased over the past 20 years, recent data firmly establishes the reality that network operators need to understand, prepare for, and expect attacks related to politics, religion, and ideology. Nation-state actors often directly target internet infrastructure to take out critical communications, e-commerce, and other vital infrastructure dependent on internet connectivity. This, of course, means targeting internet service provider (ISP) networks to limit internet connectivity.

Further, nation-states typically possess vastly greater resources at their disposal than other malicious actors. Every year, they create new DDoS attack vectors, proving that they are constantly innovating and exploring new, more potent attack methods. As DDoS defenses become more precise and effective, attackers continue to develop new DDoS attack vectors and methodologies to circumvent these defenses. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

Ransomware attacks have posed a significant threat to businesses and individuals in recent years and will continue to evolve and become more sophisticated in 2023. One trend that will continue to evolve is the use of ransomware in combination with other attacks, such as supply chain attacks. It is also likely that malicious actors will continue to target specific industries or types of organizations with ransomware attacks, specifically to maximize their profits. For example, hospitals and other healthcare organizations have been particularly vulnerable to ransomware attacks in the past because, with lives at stake, they may be more willing to pay a ransom to regain access to critical systems and data.

Another ransomware trend that will continue in 2023 is the use of triple extortion attacks. These campaigns begin by infiltrating a network and stealing valuable assets, such as trade secrets, source codes, credit cards, authentication credentials, and other personally identifiable information (PII). In phase two, ransomware is planted to encrypt valuable data or even entire storage systems. At this point, cybercriminals will demand a ransom in exchange for decryption keys. If the victim refuses to pay the ransom, perhaps because they could simply restore good backups, the threat actors then threaten to release sensitive data publicly if the ransom is not met.

This form of attack has been around for several years and can add additional pressure on the victim because the potential repercussions of the data being released to the public can be severe. While the first two actions can be invisible to the public, the third phase cannot escape publicity. Finally, a DDoS attack or even the threat of such turns the pressure up to the max. If the ransom is not paid, DDoS can take down an organization’s internet presence, thus exposing the entirety of the security threat and failure to protect valuable assets.

Adaptive DDoS
In an adaptive DDoS attack, adversaries conduct extensive pre-attack reconnaissance to identify specific elements of the service delivery chain to target. They are increasingly employing botnet nodes and reflectors/amplifiers that are closer to the target, a trend recently observed in botnet attacks on Ukraine. This minimizes the number of boundaries that DDoS attack traffic must traverse, often resulting in fewer opportunities to detect and mitigate the attack. The combination of increased available bandwidth and throughput increased populations of abusable devices, and adaptive DDoS attack techniques magnify the threat to network operators. As such, network operators should move from a default posture of DDoS mitigation to a new posture of DDoS suppression.

Direct-Path DDoS Attacks
Direct flooding and application-layer DDoS attacks are becoming more popular as anti-spoofing efforts increase globally, making it more difficult for spoofed packets to travel across the internet. Old techniques have become popular again as this methodology returns from the past, back before reflection/amplification attacks dominated the landscape. Enhanced for the modern network, these attacks now come from much more powerful sources, such as cloud-based infrastructure with massive computing and bandwidth resources. Further, adversaries are compromising hosts much closer to the target, thus avoiding many layers of transit, potential discovery, and mitigation. Because of this, organizations must beware of the enemy within.

Outbound and Cross-bound DDoS Attacks
Those are not the only threats coming from within – DDoS attack traffic is increasingly originating from within the network it is targeting, thus avoiding ingress and transit points. DDoS defenses traditionally have been focused on protecting internet properties and networks by implementing detection and mitigation technologies at points of convergence for inbound network traffic. This approach worked well to protect targeted organizations and networks from inbound DDoS attacks; however, outbound and cross-bound DDoS attacks can be just as devastating and disruptive as inbound attacks. Because of adversary innovation and adaption, defenders must change their way of thinking and, in turn, adapt to the current threat landscape.

Continue Reading

Cyber Security

Global Political Events and Accessibility of new Tech will Breed Innovative Threat Actors



Written by Manoj Reddy, Rhonda Leopold & Max Kersten, researchers at Trellix Advanced Research Center

When protecting digital estate, companies search high and low for the right talent. In recent years, as cybersecurity has increased in importance in the Gulf region, we have often discussed the scarcity of that talent. Now we fear that our digital adversaries may be recruiting it for the same reason that regional SOCs have: to enhance a skills base and become more innovative.

More and more teen cybercriminals are getting involved with what can now only be described as professional criminal enterprises. As a result, cyber gangs are now firms with reputations and products. They are part of a wider ecosystem that is innovating much as legitimate enterprises do. Frontline operators use soft skills, backed by predesigned malware kits that are often offered in aaS-style subscriptions. Remember that Lapsu$, a group that made trouble for some big names, appeared to do so without ever dropping any malware. Attackers are changing and we must allow for this. Here are some major developments that CISOs should note.

Hacktivism moves to the center stage
For many years the headlines have been dominated by state-sponsored and financially motivated cyber threats. Hacktivism — politically or socially motivated hacking by activists — has remained in the background in recent years. Given current global tensions, we are already seeing the re-emergence of Hacktivism and expect this to play a larger part in 2023. As groups of loosely organized individuals, fueled by propaganda align for a common cause, they may continue to ramp up their use of cyber tools to voice their anger and cause disruption.

Patriotic hacktivism has increased in 2022 as war and other conflicts continue, and it breaks down into broad streams of actions like DDoS attacks, defacements, doxxing, intrusions, and leaking of personally identifiable information (PII). Hacktivists are targeting a wide range of industries and sectors that don’t align with their ideological and political views, including the telecommunication, energy, aviation, technology, media, and government sectors.

As tensions in 2023 are expected to rise, we expect hacktivism to continue to scale as it suits the political agenda of opposing parties and offers perfect plausible deniability for actions since they are initiated and undertaken by activists.

Increasing activity by teen cybercriminals at every scale
We are seeing technically talented young people being recruited by bad actors and organizations. Beginning in late 2021 a 16-year-old allegedly led successful hacks of international organizations like Microsoft, NVIDIA, Okta, and Samsung under the guise of the Lapsus$ gang. These cybercriminal organizations are today the talent competition of Fortune 500 companies and security companies who all work to protect society online.

In 2023, we expect to see increased activity from teens and young adults — everything from large-scale attacks on leading organizations to low-level crime targeting family, friends, peers, and strangers to make a quick buck, cause embarrassment, test new skills, and gain social capital. This problem may grow, budget increases will follow, and costs will continue to be handed back down to us as consumers. Teaching children what a crime is on the keyboard is essential.

There are some global initiatives to help prevent our youngsters from sliding off into a world of cybercrime. To educate the young on the dangers of cybercrime, there are some new initiatives like Hackshield that teach kids about the dangers of gaming. But the generational gap needs to be addressed and parents need to be educated to ensure they are leading their children away from petty cybercrime or even more nefarious crimes.

Declining accuracy of code-based attribution
With regard to cybersecurity, attribution is often heavily based upon dissected malware samples. It has been proven time and again that coding styles can be linked to actors, much like someone’s handwriting.

Attribution purely based on code alone can, however, pose a problem. Whereas advanced espionage groups are often known to create their own tooling for their campaigns to preserve their secrecy, some other malware types do not require such secrecy per se. Prime examples of such malware are wipers.

Once a wiper is used, it isn’t novel anymore, and the detection and prevention of malware are bound to be implemented. The creation of malware is often thought to be done by coders, who then sell the malware-as-a-service, or work with affiliates. Creation can also be outsourced to legitimate contractors, thus obscuring the code base attribution immensely, as the contracted authors have different coding styles.

The decrease in accuracy of code-based attribution, albeit seemingly insignificant on its own, is likely to become more problematic in the future, especially when taking the re-use of (leaked) malware source code and the collaboration between actors in the segmented underground into account. We, therefore, urge analysts to include their confidence level when making claims that aren’t (fully) supported by facts. This provides a clear indication to the reader with regards to the way the report should be perceived, allowing the appropriate actions to be taken from the get-go.

Skill up or get out-skilled
The cybercrime industry is fishing for talent just as the cybersecurity industry is. Facing competition, one must compete. We must look to the employee experience when attracting security talent, being mindful of the allure of shadowy worlds. We must make the SOC more attractive than the digital back alleys that beckon our young talent. We must equip them with tools that allow them to innovate and add value.

Meanwhile, we must look inward. For those employees that show interest and skill in cybersecurity, we must find the budget and invest in them. This is a war. We will not win it by conscription. We must equal the bad actors for their capacity to incentivise innovation. If we do not, they will outmatch us at every turn.

Continue Reading

Cyber Security

2022 in Review: 10 of the Year’s Biggest Cyberattacks



Written by Phil Muncaster, guest writer at ESET

The past year has seen the global economy lurch from one crisis to another. As COVID-19 finally began to recede in many regions, what replaced it has been rising energy bills, soaring inflation, and a resulting cost-of-living crisis – some of it spurred by Russia’s invasion of Ukraine. Ultimately, these developments have opened the door to new opportunities for financially-motivated and state-backed threat actors.

They have targeted governments, hospitals, cryptocurrency firms, and many other organisations with impunity. The cost of a data breach now stands at nearly $4.4 million – and as long as threat actors continue to achieve successes like those below, we can expect it to rise even higher for 2023.

Here are 10 of the worst cyber incidents of the year, be it for the damage they wrought, the level of sophistication, or geopolitical fallout. The list is in no particular order, but it makes sense to open it with malicious cyber operations that took aim at Ukraine and immediately raised concerns about their wider ramifications and associated cyber risks faced by the wider world.

Ukraine under (cyber)attack: Ukraine’s critical infrastructure has found itself, yet again, in the crosshairs of threat actors. Early into Russia’s invasion, ESET researchers worked closely with CERT-UA on remediating an attack that targeted the country’s grid and involved destructive malware that Sandworm had attempted to deploy against high-voltage electrical substations. The malware – which ESET named Industroyer2 after an infamous piece of malware used by the group to cut power in Ukraine in 2016 – was used in combination with a new version of the destructive CaddyWiper variant, most likely to hide the group’s tracks, slow down incident response and prevent operators of the energy company from regaining control of the ICS consoles.

More wipers: CaddyWiper was far from the only destructive data wiper discovered in Ukraine just before or in the first few weeks of Russia’s invasion. On February 23rd, ESET telemetry picked up HermeticWiper on hundreds of machines in several organizations in Ukraine. The following day, a second destructive, data-wiping attack against a Ukrainian governmental network started, this time delivering IsaacWiper.

Internet down: Barely an hour before the invasion, a major cyberattack against commercial satellite internet company Viasat disrupted broadband internet service for thousands of people in Ukraine and even elsewhere in Europe, leaving behind thousands of bricked modems. The attack, which exploited a misconfigured VPN device to gain access to the satellite network’s management section, is believed to have been intended to impair the communication capabilities of the Ukrainian command during the first hours of the invasion. Its effects were felt far beyond Ukraine’s borders, however.

Conti in Costa Rica: A major player in the cybercrime underground this year was the ransomware-as-a-service (RaaS) group Conti. One of its most audacious raids was against the small South American nation of Costa Rica, where a national emergency was declared after the government branded a crippling attack an act of “cyber-terrorism.” The group has since disappeared, although its members are likely to simply have moved on to other projects or rebranded wholesale, as RaaS outfits generally due to avoid scrutiny from law enforcers and governments.

Other ransomware actors: There were also in action in 2022. A CISA alert from September explained that Iran-affiliated threat actors compromised a US municipal government and an aerospace company, among other targets, by exploiting the infamous Log4Shell bug for ransomware campaigns, which isn’t all that common for state-backed entities. Also intriguing was a US government compromise in November that was also blamed on Iran. An unnamed Federal Civilian Executive Branch (FCEB) organization was breached and crypto mining malware was deployed.

Ronin Network: This was created by Vietnamese blockchain game developer Sky Mavis to function as an Ethereum sidechain for its Axie Infinity game. In March it emerged that hackers managed to use hijacked private keys to forge withdrawals to the tune of 173,600 Ethereum ($592 million) and $25.5 million from the Ronin bridge, in two transactions. The resulting $618 million theft, at March prices, was the largest ever from a crypto firm. Infamous North Korean group Lazarus has since been linked to the raid. The hermit nation has been traced in the past to thefts worth billions of dollars, used to fund its nuclear and missile programs.

Lapsus$: This burst onto the scene in 2022, as an extortion group using high-profile data thefts to force payment from its corporate victims. These have included Microsoft, Samsung, Nvidia, Ubisoft, Okta and Vodafone. Among its many methods are bribery of insiders at firms and their contractors. Although the group had been relatively silent for a while, it re-emerged at the end of the year after hacking Grand Theft Auto developer Rockstar Games. Several alleged members of the group have been arrested in the UK and Brazil.

International Red Cross (ICRC): In January, the ICRC reported a major breach that compromised the personal details of over 515,000 “highly vulnerable” victims. Stolen from a Swiss contractor, the data included details of individuals separated from their families due to conflict, migration, and disaster, missing persons and their families, and people in detention. It was subsequently blamed on an unnamed nation-state and occurred when an unpatched system was exploited.

Uber: The ride-hailing giant was famously breached back in 2016 when details on 57 million users were stolen. In September it was reported that a hacker, potentially a member of Lapsus$, had compromised email and cloud systems, code repositories, an internal Slack account, and HackerOne tickets. The actor targeted an Uber external contractor, most likely grabbing their corporate password from the dark web.

Medibank: All of the Australian health insurance giant’s four million customers have personal data accessed by ransomware actors in an attack that may end up costing the firm US$35 million. Those responsible are believed to be linked to the infamous ransomware-as-a-service (RaaS) outfit REvil (aka Sodinokibi) with compromised privileged credentials responsible for initial access. Those impacted now face a potential barrage of follow-on identity fraud attempts.

Whatever happens in 2023, some of the cautionary tales from these 10 major incidents should stand everybody, including CISOs, in good stead. Get your cybersecurity processes and operations right, organize cybersecurity awareness training for all employees, and partner with reputable security companies whose solutions can stand up to the complex methods deployed by threat actors.

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.