Cybersecurity Briefing | A Recap of Cybersecurity News in June 2023
by Alex Applegate on Jul 5, 2023 9:32:00 AM
State of the Industry
Legislation & Regulatory
Florida enacted a new data privacy law Tuesday that mirrors legislation passed in nine other states but also has faced criticism from privacy experts because it is geared toward only the largest tech companies and contains several other politically motivated provisions.
Gov. Ron DeSantis signed Senate Bill 262, making Florida the latest in a string of Republican-dominated states to get privacy legislation through statehouses in 2023 after Iowa, Indiana, Tennessee and Montana.
The law, which takes effect July 1, 2024, contains the kind of basic consumer rights found in most data privacy legislation, including the right to know what information companies are collecting, the right to correct and delete certain data and the right to limit some data disclosure.
But privacy advocates note that it only applies to companies making more than $1 billion in annual revenue, effectively leaving out large numbers of popular websites and apps that collect data from individuals.
The law also does not apply to pseudonymous information like online cookies, which experts say makes it “largely meaningless” that the law also gives Floridians the right to opt out of targeted advertising.
Large online platforms can help us connect with others, shop, work, and express ourselves, but they also play a key role in the spread of disinformation, discrimination against marginalized groups, romance scams, privacy violations, and other online harms. With the ever-evolving social media landscape, we must enact tools to scrutinize these platforms and safeguard the health of the Internet.
Minister for Digital Transition and Telecommunications Jean-Noël Barrot wants to protect the French public from "digital insecurity" with an "aggressive bill" that provides "concrete answers to the suffering caused by digital technology."
Among the main provisions is the creation of social media bans for people convicted of certain offenses (notably harassment or hate speech), the blocking without a court order of sites offering pornographic content without restricting the age of their visitors (including mainstream platforms such as Twitter), and an "anti-scam filter" that is supposed to prevent internet users from accessing specific fraudulent sites.
Lawmakers in Europe signed off 14 June on the world’s first set of comprehensive rules for artificial intelligence, clearing a key hurdle as authorities across the globe race to rein in AI.
The European Parliament vote is one of the last steps before the rules become law, which could act as a model for other places working on similar regulations.
Senate Majority Leader Chuck Schumer on Wednesday introduced a plan to develop comprehensive legislation in Congress to regulate and advance the development of artificial intelligence in the U.S. New York Democrat Schumer’s plan, called the “Safe Innovation Framework for AI Policy,” outlines ways to “protect, expand, and harness AI’s potential” as Congress pursues legislation, his office said. In a keynote speech at the Center for Strategic and International Studies in Washington, Schumer said there is “no choice but to acknowledge that AI’s changes are coming,” and pointed out the need for a strategy to support innovation. He also highlighted the role of the federal government in AI regulation.
On 13 June, CISA issued Binding Operational Directive (BOD) 23-02 – an order that all federal civilian agencies are required to abide by. The order says agencies have two weeks after the discovery of an internet-exposed networked management interface to either remove it from the internet or institute access control measures like zero trust architecture.
Agencies will also have to implement technical or management controls to “ensure that all management interfaces on existing and newly added devices, identified as in scope for this Directive,” are only accessible from an internal enterprise network or protected by access controls.
The Senate Judiciary Committee held the chamber’s first public hearing on reauthorizing Section 702 of the Foreign Intelligence Surveillance Act (FISA). The statute allows U.S. agencies to collect electronic data of foreigners overseas, even if those communications involve U.S. citizens, without a warrant and retain the information for national security investigations. The authority is due to expire at the end of the calendar year.
Mergers, Acquisitions, Funding, Partnerships
Managed cybersecurity services provider Blackpoint Cyber has landed a $190 million investment from a Series C funding round, which the startup said would be allocated toward increasing its workforce and improving its technology. Blackpoint Cyber has been offering the SNAP-Defense software platform, which includes managed detection and response technology and enables network activity visibility across managed services providers' on-premises and cloud environments, as well as employee devices. Along with SNAP-Defense, Blackpoint Cyber has also been offering the LogIC service that seeks to ease data security compliance and another tool preventing unauthorized software installations, as well as the Blackpoint RISK insurance service with cyberattack coverage.
Silent Push, a threat intelligence startup with former FireEye Vice President Ken Bagnall and FireEye Research Labs Director John Jensen as co-founders, has emerged with $10 million in seed funding. Novel attacker infrastructure and operations are being identified by Silent Push through an extensive analysis of internet-exposed infrastructure around the world, said the company, which touted its efforts to enable clients to have a deeper knowledge of threat actors' tactics, techniques, and procedures, compared with traditional indicators of compromise.
Cyware, a startup developing products to help enterprises modernize their security operations, raised $30 million in a Series C funding round led by Ten Eleven Ventures. Advent International, Zscaler, Emerald Development Managers, Prelude and Great Road Holdings also participated, bringing Cyware’s total raised to $73 million.
Cyera closed a $100 million Series B funding round led by Accel, with participation from Sequoia, Cyberstarts and Redpoint Ventures. The round brings Cyera’s total raised to $160 million, which Segev, who serves as Cyera’s CEO, says will be put toward investing in engineering talent and R&D.
The funding is all the more impressive in the context of the broader cybersecurity landscape, which — once bright — has been dimming slightly, at least in terms of the VC investments floating around. Funding for cybersecurity startups dropped 58% in Q1 2023 compared to Q1 2022, with deal flow dipping to 149 deals — the lowest in years and down 45% year-over-year, according to CrunchBase.
CBIZ acquired Pivot Point for $6.6m, a significant investment underpinning the company’s ongoing commitment to the expansion of its cybersecurity services. Pivot Point has been offering its services to small and medium-sized enterprises since its inception in 2001.
PPS specializes in helping businesses navigate the intricate maze of information security and compliance. Their offerings include certification and compliance preparations for significant U.S. and international regulatory frameworks, vulnerability assessments, penetration testing, and vendor risk management. They also offer consulting services, including an outsourced virtual Chief Information Security Officer. Boasting a skilled team of 30 employees, PPS recorded a revenue of $6.6m in 2022.
With this funding, CBIZ intends to amplify the breadth and depth of their cyber and security services, benefitting their clients across the United States. This move follows a longstanding search for a company to augment CBIZ’s capabilities in this domain.
US-based cybersecurity startup Snyk, founded by Israeli entrepreneurs, said it is buying Tel Aviv-based startup Enso Security to bolster its developer security platform for software applications.
The financial terms of the acquisition were not disclosed. Estimates in the Hebrew press put the price tag between $45 million and $50 million. Founded in 2015 by Israeli entrepreneurs Guy Podjarny, Assaf Hefetz, and Danny Grander, Snyk helps software developers and companies integrate security solutions into their workflows as they are building applications from code to cloud to protect them against sophisticated cyber attacks.
With the fast adoption of AI enabling developers to introduce code faster, Snyk says it is more difficult than ever for developers and application security professionals to identify and prioritize risks to their business. In this complex environment, application security teams need a toolkit for better visibility to find and fix security issues.
Snyk chief product officer Manoj Nair said the integration of Enso’s platform into its security solutions will help “enterprises achieve greater supply chain security transparency, allowing them to eliminate crucial security coverage gaps across their business.”
Blattner Tech, leaders in data analytics, artificial intelligence, and machine learning, announced today the acquisition of Jigsaw Security Enterprise, a provider of threat intelligence capabilities. With this acquisition, Blattner Tech aims to enhance its cybersecurity capabilities and expand into the machine learning security (ML Sec) space.
Jigsaw Security Enterprise is a renowned provider of cyber threat intelligence services, offering a range of solutions to help organizations stay protected from cyber threats. Their Security Operations Center (SOC) provides continuous, near real-time cyber security indicators, enabling organizations to detect and respond to threats quickly and efficiently.
As a leading provider of Predictive Transformation services and tools in the Data Analytics, Artificial Intelligence and Machine Learning industry, Blattner Tech will now be able to help organizations better detect malware in encrypted traffic, identify insider threats, and protect data in the cloud by identifying suspicious user behavior.
Melbourne-based cybersecurity firm Tesserent has agreed to be acquired by French multinational Thales, in a $176 million share scheme recommended unanimously by the Tesserent board June 13.
The deal, which is subject to regulatory approval, values Australia’s largest listed cybersecurity company at $0.13 a share, which Thales said represented a 165.3 per cent premium to the closing price of Tesserent on June 9.
odix - a leading provider of advanced malware prevention solutions - announces its merger with AKITA, a renowned technology company specializing in Zero-Trust and network security solutions. This strategic merger brings together two innovative forces in the cybersecurity industry. odix's expertise lies in file-based attack prevention using its patented content disarm and reconstruction (TrueCDR™) technology. odix's algorithms introduce a Zero-Trust approach to files and therefore neutralize active code from all commonly used files, while AKITA's focus has been on the Zero-Trust approach in network security and access management.
By joining forces, odix and AKITA will combine their respective strengths to offer comprehensive and cutting-edge Zero-Trust cybersecurity solutions to their customers.
As part of the merger, odix will integrate AKITA's talented team of cybersecurity professionals to strengthen its development and customer support capabilities.
The integration of AKITA's solutions with odix's innovative Deep File Analysis (DFA) technology will provide a holistic approach for businesses that wish to adopt the Zero-Trust method across their organization network and cloud applications.
The combined capabilities of odix and AKITA will empower organizations to effectively detect, prevent, and respond to advanced cyberattacks, safeguarding their critical assets and maintaining business continuity.
Classification society DNV has purchased more than 93% of shares in cyber-security provider Nixu following a public tender offer, valuing the deal at €98M (US$107M).
Nixu will be delisted from the Nasdaq Helsinki Stock Exchange and its business, including a 500-strong expert team, will be combined with DNV’s own cyber-security products. Nixu chief executive Teemu Salmi will lead this combined business.
DNV expects this deal to enhance its abilities to safeguard IT and industrial control system environments in sectors including maritime, energy, telecommunications and financial services. Together, they will provide consulting and management services, and cyber-security certification.
DNV group president and chief executive Remi Eriksen explained the rationale behind this acquisition.
“In this decade of transformation, fulfilling our purpose of safeguarding life, property and the environment is no longer restricted to managing risk for physical systems – it must now cover many distributed and interlinked cyber-physical systems,” he said.
“By joining forces with Nixu we will make cyberspace a more secure place with even greater impact than either company could achieve alone.
“Together, we will shape the future through cyber security, enabling more than 100,000 customers, their systems and their supply chains to manage emerging risks,” said Mr Eriksen.
Exacom, a company that provides communication recording services to public safety and local government customers, has acquired Maryland-based cybersecurity firm SecuLore Solutions.
The purchase expands Exacom’s services from mission-critical multimedia logging recording to IT protection for critical infrastructure and government operations, the New Hampshire-based company said Sunday.
SecuLore was founded in 2016 by Tim and Alexander Lorello. One of their first milestones was Paladin, a cybersecurity tool for visualizing and monitoring network traffic in the 9-1-1 emergency system of a county in Maryland.
Exacom, on the other hand, has been in business for 36 years. It evolved from a telecommunications tech research and development company into a specialist in multimedia recording and transcription services for public safety missions.
Dataprise, a premier provider of managed IT, cybersecurity and cloud solutions, announced June 21 that it acquired RevelSec, a security-first managed service provider headquartered in Texas. The acquisition will further expand Dataprise's national footprint and add high-value vertical expertise while providing RevelSec clients access to Dataprise's broad portfolio of powerhouse services.
Since 2011, RevelSec has been helping clients protect what matters most through leading-edge cybersecurity, cloud, and managed services. RevelSec serves 200 clients across heavily regulated industries including financial services, healthcare, and oil and gas. These clients now have seamless access to Dataprise's world-class Service Desk and unrivaled Cybersecurity, Data Protection, and Microsoft Cloud technology practices to drive their businesses forward.
Reveald and Epiphany Systems are pleased to announce the completion of their strategic merger, resulting in a powerhouse cybersecurity entity that will operate under the Reveald brand. Guided by industry leaders Dan Singer, appointed as Chief Executive Officer, and Brett Kelsey, appointed as Chief Operating Officer, the unified company aims to guide organizations along their journey from reactive to predictive defense and ultimately to revolutionize cybersecurity operations.
The merger creates an innovative convergence of technology and expertise, well-equipped to assist security teams in protecting their organizations from ever-evolving cyber threats. Leveraging the AI-powered Epiphany platform, Reveald's solutions integrate predictive AI with human expertise to deliver attack path identification, continuous monitoring, and rapid remediation. This approach minimizes risk, trims operational costs, and boosts operational efficiency through consistent and predictable maturity enhancements.
Reflecting on the merger, Dan Singer, former CEO of Epiphany Systems, commented, "Cyber defenders today face a multitude of challenges, including sophisticated cyber adversaries, complex tools, and a shortage of expertise and staffing. These obstacles often mean that even the most competent security teams are stuck in a cycle of reaction rather than driving a proactive security program. With the Epiphany-Reveald merger, we can address these challenges head-on. The combination of Reveald's market success and seasoned experts, coupled with Epiphany's AI-driven technology platform, will offer unprecedented visibility and prioritization of critical cyber threats across the entire attack surface."
Socure, a Nevada-based startup that provides digital identity verification and fraud prevention solutions, has announced its first acquisition: Berbix, a San Francisco-based startup that developed a high-accuracy document verification solution. The deal, valued at approximately $70 million in cash and stock, marks a significant milestone for Socure as it aims to become the leader in the identity verification market.
According to a company blog post announcing the acquisition, Socure has also launched its Predictive Document Verification (DocV) 3.0 solution, which integrates Berbix’s technology with Socure’s existing platform. The new solution claims to set a new bar in accuracy, speed, user experience and fraud reduction, far outpacing market competitors.
HashiCorp, Inc. (NASDAQ: HCP), a leader in multi-cloud infrastructure automation software, today announced it has acquired BluBracket, an innovator in code security for developers and security engineers. With this acquisition, HashiCorp is expanding its product portfolio to enable customers to discover and manage their entire secrets inventory.
BluBracket lets organizations prevent, find, and fix risks across multiple threat vectors including source code, development environments, and code pipelines. With BluBracket’s capabilities, companies can ship secure code without compromising speed or changing developer workflows, so their teams can securely build and deliver new applications. BluBracket’s ongoing scanning of secrets will complement HashiCorp Vault’s secrets management functionality to help prevent accidental leaks and secret sprawl.
Bitdefender has agreed to acquire Horangi Cyber Security to address the growing demand for advanced, streamlined management of cybersecurity, compliance, and governance of multi-cloud environments.
As organizations continue to accelerate cloud adoption, they struggle to manage the thousands of configuration settings and permissions, identities, and entitlements presented by multiple cloud providers.
According to Gartner, “Misconfigured cloud resources continue to be a primary reason for cloud-related data breaches.” A single point of insight and control across multiple hybrid-cloud environments simplifies the application of configuration management and least privilege for organizations.
With this acquisition, Bitdefender will incorporate Horangi’s Cloud Infrastructure Entitlement Management (CIEM) and Cloud Security Posture Management (CSPM) capabilities into the Bitdefender GravityZone unified risk and security analytics platform to add critical compliance and governance capabilities to Bitdefender’s leading threat prevention, protection, detection and response capabilities.
Additionally, Horangi’s security services offerings, including proactive risk assessment, red teaming, and penetration testing, will integrate with and complement Bitdefender Managed Detection & Response (MDR) services.
News with some relation to DNSFilter or its products
FBI warns that sextortionists are now scraping publicly available images of their targets, like innocuous pictures and videos posted on social media platforms. These images are then fed into deepfake content creation tools that turn them into AI-generated sexually explicit content.
Although the produced images or videos aren't genuine, they look very real, so they can serve the threat actor's blackmail purpose, as sending that material to the target's family, coworkers, etc., could still cause victims great personal and reputational harm.
The FBI says that explicit content creators sometimes skip the extortion part and post the created videos straight to pornographic websites, exposing the victims to a large audience without their knowledge or consent.
In some cases, sextortionists use these now-public uploads to increase the pressure on the victim, demanding payment to remove the posted images/videos from the sites.
The FBI reports that this media manipulation activity has, unfortunately, impacted minors too.
Large Language Models have started shaping the digital world around us. Since the public launch of OpenAI’s ChatGPT, everybody has caught a glimpse of a new era in which Large Language Models (LLMs) would soon profoundly impact multiple sectors.
The cyber security industry is no exception; rather, it could be one of the most fertile grounds for such technologies, both for good and for bad. Researchers in the industry have just scratched the surface of this application, for instance with red teaming applications, as in the case of the PentestGPT project, but also, more recently, with malware-related applications: Juniper researchers used ChatGPT to generate malicious code to demonstrate the speedup in malware writing, CyberArk’s researchers tried to use ChatGPT to build polymorphic malware, and Hays researchers created another polymorphic AI-powered malware in Python.
Following the trail of this research, we decided to experiment with LLMs in a slightly different manner: our objective was to see if such technology could lead even to a paradigm shift in the way we see malware and attackers. To do so, we prototyped a sort of “malicious agent” written completely in PowerShell, that would be able not only to generate evasive polymorphic code, but also to make some degree of decision based on the context and its “intents”.
The revolutionary technology of GenAI tools, such as ChatGPT, has brought significant risks to organizations' sensitive data. But what do we really know about this risk? New research by browser security company LayerX sheds light on the scope and nature of these risks. The report, titled "Revealing the True GenAI Data Exposure Risk", provides crucial insights for data protection stakeholders and empowers them to take proactive measures.
By analyzing the usage of ChatGPT and other generative AI apps among 10,000 employees, the report has identified key areas of concern. One alarming finding reveals that 6% of employees have pasted sensitive data into GenAI, with 4% engaging in this risky behavior on a weekly basis. This recurring action poses a severe threat of data exfiltration for organizations.
The report addresses vital risk assessment questions, including the actual scope of GenAI usage across enterprise workforces, the relative share of "paste" actions within this usage, the number of employees pasting sensitive data into GenAI and their frequency, the departments utilizing GenAI the most, and the types of sensitive data most likely to be exposed through pasting.
Meta continued its push into the increasingly crowded AI field on Friday, announcing the creation of a tool called Voicebox. It's an app for generating spoken dialogue with a variety of potential use cases—but it's also ripe for misuse, as Meta admits, which is exactly why the social media giant isn't releasing Voicebox to the public just yet.
Unlike previous voice generator platforms, Meta says Voicebox can perform speech generation tasks it was not specifically trained on. With text input and a brief audio clip for context, the AI tool can create a potentially believable chunk of new speech that sounds like whoever was featured in the source clip.
Over 101,100 compromised OpenAI ChatGPT account credentials found their way onto illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials.
The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News.
"The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said. "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year."
Other countries with the greatest number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.
A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealer (78,348), followed by Vidar (12,984) and RedLine (6,773).
Security and IT teams are routinely forced to adopt software before fully understanding the security risks. And AI tools are no exception.
Employees and business leaders alike are flocking to generative AI software and similar programs, often unaware of the major SaaS security vulnerabilities they're introducing into the enterprise. A February 2023 generative AI survey of 1,000 executives revealed that 49% of respondents use ChatGPT now, and 30% plan to tap into the ubiquitous generative AI tool soon. Ninety-nine percent of those using ChatGPT claimed some form of cost-savings, and 25% attested to reducing expenses by $75,000 or more. As the researchers conducted this survey a mere three months after ChatGPT's general availability, today's ChatGPT and AI tool usage is undoubtedly higher.
Security and risk teams are already overwhelmed protecting their SaaS estate (which has now become the operating system of business) from common vulnerabilities such as misconfigurations and over-permissioned users. This leaves little bandwidth to assess the AI tool threat landscape, unsanctioned AI tools currently in use, and the implications for SaaS security.
With threats emerging outside and inside organizations, CISOs and their teams must understand the most relevant AI tool risks to SaaS systems — and how to mitigate them.
The challenge lies in the fact that, once learned, it is virtually impossible to ‘remove’ knowledge from these models—the information remains embedded in their neural networks. This means safety mechanisms primarily work by preventing the model from revealing certain types of information, rather than eradicating the knowledge altogether.
Understanding this mechanism is essential for anyone exploring the safety and security implications of LLMs like ChatGPT. It brings to light the conflict between the knowledge these systems contain, and the safety measures put in place to manage their outputs.
GPT-4, in many aspects, represents a next-level advancement in the field of AI models, including the arena of safety and security. Its robust defense mechanisms have set a new standard, transforming the task of finding vulnerabilities into a substantially more complex challenge compared to its predecessor, GPT-3.5.
Several vulnerabilities or “jailbreaks” were published for previous generations of the model, from simple “answer me pretending you’re evil” to complicated ones like “token smuggling”. The continuing improvements in GPT's protective measures require new, more subtle approaches to bypass the model's restrictions.
CPR decided to challenge GPT-4’s sophisticated defenses, to see how secure it is. The result: not secure enough.
Current general-purpose LLMs tend to hallucinate, which means they will give a convincing response but one that is entirely wrong.
Speaking to Infosecurity during Infosecurity Europe, Jon France, CISO of the non-profit (ISC)2, acknowledged that this makes current LLMs a risky tool for cybersecurity practices, where accuracy and precision are critical.
“LLMs can still be useful for various security purposes, like crafting security policies for everyone to understand,” he added.
Ganesh Chellappa, the head of support services at ManageEngine, agreed: “Anyone who has been using any user and entity behavior analytics (UEBA) solutions for many years has a huge amount of data that is just sitting there that they were never able to use. Now that LLMs are here, it’s not even a question; we must try and leverage them to make use of this data.”
Meanwhile, Chapman argued: “They can also be helpful for cybersecurity practitioners as a data pre-processing tool in areas such as anomaly detection (email security, endpoint protection…) or threat intelligence.”
At this stage of development, France and Chapman insisted that the key thing to remember in using LLMs in cybersecurity is “to consider them as another tool in the toolbox – and one that should never be responsible for executive tasks.”
Open Source LLM Projects Likely Insecure, Risky to Use
There is a lot of interest in integrating generative AI and other artificial intelligence applications into existing software products and platforms. However, from a security standpoint these AI projects are fairly new and immature, exposing organizations using these applications to various security risks, according to recent analysis by software supply chain security company Rezilion.
Since ChatGPT’s debut earlier this year, more than 30,000 open source projects now use GPT 3.5 on GitHub, which highlights a serious software supply chain concern: How secure are these projects that are being integrated left and right?
Rezilion’s team of researchers attempted to answer that question by analyzing the 50 most popular Large Language Model (LLM)-based projects on GitHub – where popularity was determined by how many stars the project has. The project's security posture was measured by the OpenSSF Scorecard score. The Scorecard tool, from the Open Source Security Foundation, assesses the project repository on various factors, such as the number of vulnerabilities it has, how frequently the code is being maintained, its dependencies, and the presence of binary files, to calculate the score. The higher the number, the more secure the code.
The researchers mapped the project’s popularity (size of the bubble, y-axis) and security posture (x-axis). None of the projects analyzed scored higher than 6.1 – the average score was 4.6 out of 10 – indicating a high level of security risk associated with these projects, Rezilion said.
The number of recorded business email compromise (BEC) attacks doubled over the past year, with the threat comprising nearly 60% of social engineering incidents studied by Verizon for its 2023 Data Breach Investigations Report.
The much-anticipated annual report was this year based on analysis of 16,312 security incidents and 5199 breaches over the past year.
The category of “pretexting,” or BEC, is now more common than phishing in social engineering incidents, although the latter is still more prevalent in breaches, the report noted. The median amount stolen in pretexting attacks now stands at $50,000.
In a cunning display of cyber deception, hackers have devised an intricate phishing attack by leveraging the reputation of Germany’s renowned Anga Com conference. By sending spoofed emails and creating deceptive web pages, these hackers are deceiving unsuspecting users into divulging their login credentials.
Security researchers at Avanan, a subsidiary of Check Point Software, have uncovered the details of this sophisticated attack, shedding light on the techniques employed by crooks. Anga Com is a widely attended conference in the broadband and media distribution industry, drawing more than 22,000 participants from 470 companies globally.
Typically, conferences serve as a platform for companies to generate interest and revenue by sharing lead lists. However, hackers have exploited this process by inserting themselves into the lead delivery system. In this case, they have created fraudulent web pages on legitimate developer sites, making it challenging for victims to detect the scam.
Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing businesses worldwide more than $50 billion in the last 10 years — a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.
The agency's Internet Crime Complaint Center (IC3) 2022 report on BEC found that US businesses have lost more than $17 billion to these types of scams between October 2013 and December 2022, with global businesses counting losses of nearly $51 billion for the same period, according to reports that the IC3 receives from organizations.
The number of organizations that have reported falling victim to BEC in the US alone over these years is 137,601 across all 50 states — a number that's likely higher as it represents only the incidents that have been reported to the FBI, security professionals say. This means the total losses attributed to BEC for companies not just in the US but also globally are probably a lot higher than reported numbers as well, they say.
Despite organizations' overall increased awareness of and defense against BEC — which has been an attack vector for more than a decade — it continues to represent a thriving cybercriminal activity.
The Cofense Phishing Defense Center discovered a multi-stage phishing campaign targeting customers of Xneelo, a South African web hosting provider that supports over 500,000 customers. Xneelo provides customers with two options of control panels to manage accounts: the Xneelo control panel and the older KonsoleH control panel. In this four-stage attack, threat actors attempted to obtain login details for the Xneelo control panel and Webmail credentials through a fake KonsoleH login page, as well as credit card information and SMS two-factor authentication (2FA) codes.
A particularly nasty slice of phishing, scamming, and social engineering is responsible for DoorDash drivers losing a group total of around $950k.
DoorDash drivers are contractors who pick up food deliveries from stores and restaurants and deliver the products to the customer. A 21-year-old man named David Smith, from Connecticut, allegedly figured out a way to extract large quantities of cash from drivers with a scam stretching back to 2020. Incredibly, this means it all began when he was 18. There’s picking up a new hobby, and then there’s this.
The theft would begin by placing a bogus DoorDash order, receiving the driver details, and then contacting said driver by text and / or phone claiming to be DoorDash support. From here, the driver would be convinced to hand over banking details or log in to a fake portal. The end result would be a loss of funds, and potentially not being able to do their job.
A common deceptive technique employed by cybercriminals, brand phishing, also known as brand impersonation or brand spoofing, is used to impersonate known brands or organizations to steal valuable data for later scams. By taking on the identity of a known brand, the attacker can trick the recipient into clicking on a malicious link or opening a virus-infected email attachment, exploiting the brand’s trust to manipulate the victim into revealing sensitive data or becoming a victim of malicious activities.
SEO poisoning is a type of malicious advertising that can result in credential theft, malware infections and financial losses. This type of attack has been used "recently and frequently" against the U.S. healthcare and public health sector, warned the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert issued Thursday.
Threat actors behind SEO poisoning campaigns manipulate search engines such as Google so that the first advertised links actually lead to attacker-controlled sites, "generally to infect visitors with malware or to attract more people using ad fraud," according to HHS HC3. Healthcare entities are becoming a more frequent target for such attacks as the sector continues to become increasingly digitized, the alert said.
But it's not just U.S. healthcare organizations that have been targeted with such attacks. Researchers at Trend Micro reported in January that the criminal group behind Gootkit malware attacks had been leveraging SEO poisoning to attack the Australian healthcare industry during the second half of 2022 (see: Gootkit Malware Found Targeting Australian Healthcare Sector).
The healthcare industry is facing an increasing number of SEO poisoning attacks as threat actors target these organizations for their highly confidential and valuable data, said Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry.
The Cofense Phishing Defense Center (PDC) has noted an increase in the number of malicious emails that use QR codes as an attack vector. In an attempt to bypass traditional file and text detection software, QR codes provide threat actors with a different tactic to encode malicious URLs.
While it is possible to open QR codes on a computer, they are most conveniently accessed using a smartphone or tablet with its built-in camera. Because these are users' personal mobile devices, they commonly lack the protection of the network and endpoint solutions that would otherwise prevent access to malicious URLs and create alerts for security teams to investigate. With most of the attack occurring outside of the protection bubble created by a company, it is more difficult to gather evidence of the attack and to track any subsequent actions taken by the user.
Viewed through a phone screen, these webpages, which endeavor to impersonate legitimate websites, are less likely to be spotted. Their imperfections can easily be attributed to the buggy nature of mobile browsers and their constant struggle to display webpages efficiently, especially when a page is primarily accessed through a desktop browser.
European organizations experienced a greater volume and frequency of BEC attacks over the last year, as compared to organizations in the United States, according to Abnormal Security.
The data is based on an analysis of email attack trends between June 2022 and May 2023. This included an analysis of traditional BEC attacks like executive impersonation, vendor-focused invoice, and payment fraud, as well as credential phishing, malware, and extortion.
According to the data, the total number of email attacks steadily increased in both the United States and Europe over the course of the year. However, email attacks in Europe increased at a slightly faster rate.
While total attacks in the United States grew by 5x between June 2022 and May 2023, Europe saw total attacks increase by 7x during the same period—to an average of 2,842 attacks per 1,000 mailboxes in May.
When evaluating BEC attacks specifically, the disparity was even greater. Between June 2022 and May 2023, BEC attacks in the United States increased by just over 2x. Meanwhile, in Europe, there was a 10x increase in BEC attacks, from an average of one attack to an average of 10 attacks per 1,000 mailboxes.
Other Cybersecurity News
When researchers talk about DNS security, they often refer to anything that protects DNS infrastructure. Although protective DNS and DNS security fall under the cybersecurity umbrella, protective DNS takes a different approach to cybersecurity than standard DNS security. Both security strategies are important for the stability of your business, but protective DNS reduces risks from your weakest link–human error. Protective DNS is critical for you...
The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.
Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.