cyber attacks Asia | TechWire Asia (https://techwireasia.com/tag/cyber-attacks/)

Google warns of North Korean freelancers targeting European firms
https://techwireasia.com/2025/04/google-warns-of-north-korean-freelancers-targeting-european-firms/ (Fri, 04 Apr 2025)
  • North Korean IT workers are increasingly targeting companies in Europe.
  • Google Threat Intelligence Group reports that this shift follows tighter enforcement in the US.
  • A growing number of North Korean IT workers are posing as remote freelancers from other countries in an effort to gain access to companies in Europe, raising concerns about potential espionage, data theft, and operational disruption.

    According to Google’s Threat Intelligence Group (GTIG), these workers—who refer to themselves as “warriors”—are securing remote roles with foreign organisations to generate revenue for the Democratic People’s Republic of Korea (DPRK). The activity, previously concentrated in the United States, is now increasingly being observed in European countries such as Germany, the United Kingdom, and Portugal.

    Since GTIG’s last report on DPRK IT worker activity, crackdowns in the US have made it more difficult for these individuals to secure and maintain employment there. In a blog post, Jamie Collier, lead adviser for Europe at GTIG, said the group has observed a rise in operations globally, with particular growth in Europe over the past few months.

    North Korea increases IT worker operations globally (Source – Google)

    The workers often misrepresent their nationalities, claiming to be from countries such as Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. They find jobs through freelance platforms like Upwork and Freelancer, as well as communication channels such as Telegram. Payments are typically made in cryptocurrency or through digital payment platforms including Wise and Payoneer.

    Upwork provided a statement following publication, clarifying it did not receive the initial request for comment. The company said:

    “Fraud prevention and compliance with US and international sanctions are critical priorities for Upwork. The tactics outlined in this report represent a challenge that affects the entire online work industry, and Upwork is at the forefront of combating these threats. Any attempt to use a false identity, misrepresent location, or take advantage of Upwork customers is a strict violation of our terms of use, and we take aggressive action to detect, block, and remove bad actors from our platform.

    Upwork has long invested in industry-leading security and identity verification measures, deploying advanced technology alongside a dedicated team of global professionals across legal, investigations, intelligence, identity risk management, compliance, anti-money laundering, and machine learning detection. These experts work relentlessly to prevent fraudulent activity before it reaches our customers, and quickly respond to new methodologies and trends.

    As fraud tactics evolve, Upwork continuously enhances its proactive screening for attempts to bypass geographic restrictions, monitoring for signs of misrepresentation both before and after contracts begin. Our sophisticated detection tools, paired with strong partnerships with law enforcement and regulatory bodies, enable us to take swift and decisive action when fraudulent behaviour is identified.

    While no online platform is immune to fraud, Upwork is setting the standard for trust and safety in the industry. We will continue to invest in cutting-edge fraud prevention measures and vendor solutions, collaborate with industry stakeholders, and innovate to protect our customers and uphold the integrity of our marketplace.”

    Freelancer, Telegram, Wise, and Payoneer did not respond to requests for comment.

    GTIG reports that since October, there has been an uptick in cases where previously terminated workers attempt to extort their former employers by threatening to leak sensitive company information to competitors. Collier suggested that mounting pressure on these workers may be pushing them toward more aggressive tactics to maintain income.

    One case in late 2024 involved a North Korean individual operating under at least 12 separate identities while applying to organisations in the defence and public sectors, reportedly using false references. In the UK, North Korean IT workers have been linked to work ranging from standard web development to more advanced projects in blockchain and artificial intelligence.

    Google’s research points to risks associated with bring-your-own-device (BYOD) policies, where employees use personal devices to access internal systems. These setups often lack proper security oversight, making it more difficult to detect unauthorised access.

    Authorities in the US and UK have issued multiple warnings about these activities. The FBI has advised firms to improve identity verification practices, while the US Treasury in January sanctioned two individuals and four entities accused of generating revenue for the North Korean government. Officials allege the regime withholds up to 90% of wages earned by these workers.

    In a separate legal action, 14 North Korean nationals were indicted in a US federal court in Missouri in December for allegedly participating in an employment scheme that generated US$88 million over six years. Some of these individuals were reportedly employed by US firms for extended periods, earning hundreds of thousands of dollars without detection.

    The UK’s Office of Financial Sanctions Implementation has also responded. In September, it recommended employers implement stricter identity checks, including video interviews, and advised against using cryptocurrency for payments.

    Collier noted that North Korea has a long history of engaging in cyber operations to fund its regime. “A decade of diverse cyberattacks (encompassing SWIFT targeting, ransomware, cryptocurrency theft, and supply chain compromise), precedes North Korea’s latest surge,” he wrote.

    “This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations. Given DPRK IT workers’ operational success, North Korea will likely broaden its global reach. With APAC already impacted by these operations, this problem is set to escalate. These campaigns thrive on ignorance and will likely enjoy particular success in areas of APAC with less awareness of the threat.”

    Data management: backup and recovery can make a difference in cyberattacks
    https://techwireasia.com/2023/11/how-can-businesses-use-data-management-as-part-of-their-cybersecurity/ (Wed, 22 Nov 2023)
  • There is still a significant journey that organizations must undertake to establish data management and cyber-resilience.
  • It is vital for businesses to recognize that it’s not simply about recovering data, it’s about recovering data to restore business processes.
  • While a business should aim to be back up and running as soon as possible after a cyberattack, IT outage, or other disaster event, this is not nearly as simple as it sounds.

    It’s been an eventful time for Australia recently. While winning the Cricket World Cup may have sparked some joy, the reality is that businesses in Australia are increasingly concerned about the number of cybersecurity incidents happening in the country.

    Despite the government making changes to cybersecurity laws and businesses investing heavily in their cyber defenses, cybercriminals are still finding ways to infiltrate systems and wreak havoc on Australian businesses.

    The recent DP World cyberattack, affecting several ports in Australia, highlights how vulnerable systems can be. The cyberattack forced the company to stop operations for a few days. Although the port has now resumed operations, the incident raised several questions.

    One particular question arises about the importance of strong backup and recovery plans. Could the downtime have been reduced if the company had had a well-planned backup and recovery option?

    Australia’s Minister for Cyber Security is focused on improving the country’s cybersecurity.

    To understand more about this, we caught up with Michael Alp, managing director for Australia and New Zealand at Cohesity.

    TWA: Could an efficient data management system have reduced the damage these companies faced and are organizations paying the ransom because they don’t have sufficient backup?  

    Michael Alp, managing director for Australia and New Zealand for Cohesity.

    Firstly, it’s important to note that the complete details of the DP World cyberattack have not yet been fully disclosed. However, the occurrence of the attack is not surprising, given that businesses now operate in a world where cyberattacks are a matter of when, not if.

    In fact, when we polled 509 Australian & New Zealand IT and security decision-makers (split 50:50) in our 2023 State of Data Security & Management survey, 56% said their organization had been a victim of ransomware in the six months prior to being surveyed, and 95% felt the threat of ransomware to their industry had increased in 2023 compared to 2022.

    That means it’s also unsurprising that 71% of respondents lack full confidence in their company’s ability to recover data and critical business processes after a system-wide cyberattack. This finding underscores both the necessity of cyber-resilience and the challenges in establishing or maintaining it.

    Cyber-resilience is the ability to continue delivering business outcomes and generating revenue, even in the face of an adverse cyber-event. When a malicious attack occurs, it’s not just a business’s technology, people, or processes that are tested, but their cyber-resilience, due to its crucial role in ensuring business continuity in the digital world.

    While efficient backup alone wouldn’t have prevented DP World’s cyberattack, modern data security and management capabilities might have helped either prevent the attack or limit its impact. These capabilities could have enabled quicker recovery, contributing to cyber-resilience. Notably, the reported cause of the attack was a failure to patch a vulnerability, a fundamental cybersecurity measure.

    Modern data security and recovery technology provides organizations with critical capabilities like encryption and immutability, ensuring data integrity. It also enables the detection of attacks and compromises in real-time through AI and ML anomaly detection, and integrations with third-party security solutions, as well as facilitating automated rapid recovery and instant mass restore at scale.

    However, if our survey data is anything to go by, there is still a significant journey that organizations must undertake to establish cyber-resilience and adopt the modern data security and recovery technology that today’s threat landscape demands.

    95% of ANZ respondents to our survey revealed their organization would consider paying a ransom if it meant being able to recover data and restore business processes. This, coupled with more than 4 in 5 saying their organization would need four or more days to recover data and restore business processes if a cyberattack occurred, certainly suggests that cyber-resilience and data recovery gaps are leading to organizations paying, or at least considering paying, ransoms.

    Gantry cranes are seen behind signage for ports operator DP World at an entrance to the Port Botany compound in Sydney on November 13, 2023. (Photo by DAVID GRAY / AFP)

    TWA: Is paying the ransom cheaper than going through backup and recovery?  

    According to Gartner, the average cost of a ransomware attack is 10 to 15 times the ransom demand, a concerning statistic for companies considering ransom payment as a fallback option in the event of a cyberattack.

    Given that the average ransom demanded globally has risen from US$812,380 in 2022, to US$1,542,333 in 2023, according to the Sophos State of Ransomware 2023 report, this means that simply paying a ransom as a reactive countermeasure is likely to not be nearly as cost-effective as proactively procuring the right cybersecurity, data security, and data recovery capabilities that allow you to recover without paying the ransom.

    It is up to each business to determine if paying a ransom is an acceptable option. However, there will be some companies that are forced to make this decision in response to an adverse cyber-event because they do not have the right cyber-resilience capabilities in place to refuse the ransom, or because there is a gap in their cyber-resilience strategy.

    There are multiple reasons why paying a ransom is a bad and ineffective response, including:

    • It does not guarantee that you will recover all your data and restore your business processes to their prior state.
    • Often, the data when returned is either so corrupted, encrypted irrevocably, or misaligned, that it requires a ‘professional services’ fee to be paid to malicious actors to help you reinstall it.
    • Malicious actors may return only parts of your business-critical data and demand a second or even third ransom payment; some malicious actors leave backdoors or malware to make a secondary compromise easier.
    • Ultimately, some of the ransom payment will be used to fund a strike on another business.

    As many countries consider banning ransom payments, relying on them instead of cyber-resilience is not a sustainable long-term strategy for recovery from cyberattacks.

    According to Gartner, the average cost of ransomware is 10 to 15 times the actual ransom demand (Image generated by AI).

    TWA: What are reasonable recovery times for any business experiencing a cybersecurity incident?  

    It’s vital for businesses to understand that recovering from a cyberattack isn’t just about retrieving data; it’s about restoring business processes. This is crucial because a cyberattack compromises not only data but also a business’s operational ability, making attacks like ransomware particularly destructive.

    Before determining an acceptable recovery timeframe—a period during which downtime can significantly impact revenue, brand reputation, and customer trust—it’s crucial for businesses to identify the data critical to their operations and assess its sensitivity, considering whether its compromise or theft would halt their business.

    By pre-emptively assessing these data risks, a business ensures two things:

    • Firstly, that this data can be backed up and made recoverable, and that it can test its data recovery and business processes restoration plan.
    • Secondly, that it can determine what additional capabilities it may require or where the gaps exist in its data recovery strategy.

    However, while a business should aim to be back up and running as soon as possible after a cyberattack, IT outage, or other disaster event, this is not nearly as simple as it sounds. When asked ‘How long would your organization take to recover data and business processes if a cyberattack occurred’ – in our 2023 Data Security and Management survey – over 99% of ANZ respondents revealed they would need over 24 hours, 80% said they would need more than four days, and almost half (47%) of respondents said over a week would be required.

    This not only demonstrates the cyber-resilience and data recovery challenges that many organizations are facing, but also raises the question for businesses: how long can I afford to be offline? And for their customers: how long could I accept for a company to be offline before it affected my willingness to become or remain a customer?

    These questions should guide businesses in defining a reasonable recovery timeframe and serve as criteria to measure the effectiveness of their cyber-resilience strategies and data security and management capabilities.

    It is vital for businesses to recognize that it’s not simply about recovering data, it’s about recovering data to restore business processes. (Image generated by AI).

    TWA: Can AI play an important role in data management, especially for backup and recovery for cybersecurity incidents? 

    Death and taxes used to be the only two certainties in life. With the current business and cyberthreat landscape, cyberattacks are now very much a third.

    In fact, in our 2023 State of Data Security & Management Report, 79% of Australian respondents (402) revealed they were concerned about their organization’s cyber-resilience strategy being able to ‘address today’s cyber-challenges and threats.’ Given this sentiment, for many organizations, there are clearly improvements that can be made to their cyber-resilience strategies, and data security, management, and recovery capability gaps to address.

    It is vital that organizations can protect and secure their data, detect cyberthreats such as ransomware, and respond or recover rapidly when the worst occurs. The good news is that not only are these capabilities provided by modern data security and management platforms, but many of these capabilities are also now being enhanced by AI or made possible by AI. These include:

    • AI & ML powered anomaly detection: to help monitor data and detect when anomalous changes are made to data, such as size or format, which typically indicate malicious activity is taking place or has taken place. This technology can recognize these patterns, triggering an alert that allows IT and security teams to act fast and respond to a compromise before it becomes a widespread attack, or limit its blast radius.
    • AI-enabled multifactor authentication (MFA): the strong importance of MFA is well-documented because of its ability to defend against password cracking and brute-force methods. With AI, MFA can be enhanced to account for behavior (such as typing speed), become adaptive (requiring multiple authentications based on data risk), or detect fraud (automatically blocking a user if their access strays beyond normal boundaries).
    • AI system behavior tracking: near real-time monitoring of privileged and administrative users for indicators of anomalous activity.
    • AI-enabled ransomware detection: AI can analyze network traffic or file access to identify activity that could indicate a ransomware attack is imminent or in progress, including by ingesting threat intelligence from external threat feeds that help pre-identify IOC indicators.
    • AI-enabled activity and behavior monitoring: AI can look at access and user behavior and determine if the activity is suspicious and could signal a ransomware attack: failed login attempts, excessive file access, or other activity that is out-of-band of established norms could be indications of ransomware activity. Activity monitoring can establish norms for both user and application behavior based on continuously analyzing activity logs with AI.
    • AI-enabled optimized scheduling: based on the critical need and usage of data, seasonality, and other variables, AI can adjust and optimize backup schedules to ensure recovery point objectives (RPOs) are always met.
    • AI retirement of inactive data: as part of the backup process, AI can help organizations determine what data has become dormant for archive. This helps reduce recovery time by eliminating the unnecessary recovery of unused data as well as creating efficiency and cost reduction in storage.
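The anomaly-detection bullet above describes flagging backups where file size or format changes in ways that usually mean encryption is under way. The following is an added example of that idea in plain Python; it is not Cohesity's code and not something the interview provides. It compares two backup snapshots (a path-to-content mapping, constructed here) and flags files whose byte entropy jumps to ciphertext-like levels or that were renamed with an extension typical of file-encrypting malware, then escalates the verdict when a large share of the files show those signals within one backup interval. The extension list, the entropy thresholds and the 50% mass-change ratio are assumptions chosen for the example.

```python
import math
from collections import Counter

# Extensions commonly appended by file-encrypting malware; an illustrative list (assumption).
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer: text and office documents sit well below 8,
    compressed or encrypted content approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stem(path: str) -> str:
    """'docs/q3.xlsx' and 'docs/q3.xlsx.locked' both map to 'docs/q3'."""
    directory, _, name = path.rpartition("/")
    base = name.split(".", 1)[0]
    return f"{directory}/{base}" if directory else base


def compare_snapshots(before: dict, after: dict, mass_ratio: float = 0.5) -> dict:
    """Compare two backup snapshots ({path: content bytes}) and return per-file
    signals plus a snapshot-level verdict.

    A file is flagged when it was renamed to a suspicious extension or when its
    entropy rose by >= 2 bits to a ciphertext-like level (>= 6.5 bits/byte).
    The verdict escalates to 'suspicious' when at least `mass_ratio` of the
    files carry such a signal within one backup interval (thresholds are assumptions)."""
    by_stem = {}
    for path in after:
        by_stem.setdefault(stem(path), []).append(path)

    findings = {}
    crypto_hits = 0
    for path, old in before.items():
        signals = []
        new = after.get(path)
        if new is None:
            # Vanished from its original name: look for a renamed sibling
            for cand in by_stem.get(stem(path), []):
                if cand.endswith(SUSPICIOUS_EXTENSIONS):
                    signals.append(f"renamed to {cand}")
                    new = after[cand]
                    break
            if new is None:
                signals.append("deleted")
        if new is not None and new != old:
            e_old, e_new = shannon_entropy(old), shannon_entropy(new)
            if e_new - e_old >= 2.0 and e_new >= 6.5:
                signals.append(f"entropy {e_old:.1f} -> {e_new:.1f} bits/byte")
        if any(s.startswith(("renamed", "entropy")) for s in signals):
            crypto_hits += 1
        if signals:
            findings[path] = signals

    ratio = crypto_hits / len(before) if before else 0.0
    if ratio >= mass_ratio:
        verdict = "suspicious"
    elif crypto_hits:
        verdict = "review"
    else:
        verdict = "normal"
    return {"verdict": verdict, "crypto_ratio": ratio, "findings": findings}


# Constructed sample snapshots (not real backup data).
PLAIN_SHEET = b"region,quarter,revenue\nAPAC,Q3,1200\nEMEA,Q3,980\n" * 4
PLAIN_NOTES = b"Meeting notes: review backup retention and test restores.\n" * 3
SOURCE = b"def main():\n    print('hello')\n"
CIPHERTEXT = bytes(range(256))  # stand-in for encrypted output: uniform bytes, 8 bits/byte

BEFORE = {
    "docs/q3.xlsx": PLAIN_SHEET,
    "docs/notes.txt": PLAIN_NOTES,
    "src/app.py": SOURCE,
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
}
# Two documents were encrypted and renamed; the source file got a routine edit.
AFTER_RANSOMED = {
    "docs/q3.xlsx.locked": CIPHERTEXT,
    "docs/notes.txt.locked": CIPHERTEXT[::-1],
    "src/app.py": SOURCE + b"    print('bye')\n",
    "img/logo.png": BEFORE["img/logo.png"],
}
# A routine interval: only the source file changed.
AFTER_NORMAL = {**BEFORE, "src/app.py": SOURCE + b"    print('bye')\n"}

if __name__ == "__main__":
    for label, snap in (("ransomed", AFTER_RANSOMED), ("normal", AFTER_NORMAL)):
        result = compare_snapshots(BEFORE, snap)
        print(label, result["verdict"], f"{result['crypto_ratio']:.0%}", result["findings"])
```

Running the script reports the ransomed interval as suspicious with both documents listed and the routine interval as normal. In a real backup platform the same two signals (entropy shift and extension churn) would be computed per snapshot over the catalogue rather than file contents in memory, and the ratio threshold tuned against the organisation's normal change rate so that a bulk archive job does not trip it.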

    Fortifying Australian cyber-resilience through attack surface management
    https://techwireasia.com/2023/10/is-attack-surface-management-in-australia-the-solution-to-cyber-threat/ (Wed, 04 Oct 2023)
    • Attack surface management has become a foundational tool in cybersecurity.
    • Australia is looking at adding attack surface management to its Essential Eight.
    • Australia would be following in the footsteps of both the EU and the US.

    Australia has recently witnessed a record number of cyber-incidents. The Australian government has since taken the initiative to strengthen the country’s cyber-resilience. This includes strengthening Australia’s cybersecurity laws by adding attack surface management to its existing security posture.

    Australia’s Minister for Home Affairs and Cyber Security, the Hon. Clare O’Neil MP, introduced six key shields that underpin Australia’s upcoming cybersecurity strategy. These shields span diverse domains from advancing automated threat detection, to sharing and blocking, to fostering coordinated global cybersecurity efforts through international collaboration.

    Underscoring the crucial need for the government to enhance its cyberdefenses, especially after the recent cyber-incidents in the country, attack surface management has emerged as a cornerstone of effective cybersecurity practice, and is pivotal to creating cyber-resilience across national critical infrastructure.

    Palo Alto Networks describes this as the process of continuously identifying, monitoring and managing all internal and external internet-connected assets for potential attack vectors and exposures. Put simply, attack surface management helps organizations gain visibility into, and reduce risks on, their attack surface. Both internal and external attack surface management are necessary, due to the dynamic nature of organizations pursuing a move to the cloud.

    Australia’s focus on attack surface management echoes what the United States Cybersecurity and Infrastructure Security Agency (CISA) outlined in its 2024-26 strategic plan for critical infrastructure uplift. CISA states that it will leverage commercial attack surface management to help its critical infrastructure and other partners  ‘identify exploited or exploitable conditions and gain a better picture into security trends across the country.’

    The European Union also recognized attack surface management’s value in a landmark law in 2022, that encourages national cybersecurity incident response teams to deploy its capabilities to ensure they can ‘identify, understand and manage the entity’s overall organizational risks.’

    While the US and EU governments have developed various policies emphasizing the role of attack surface management in national cyber-resilience, the Australian government has yet to release guidance or policy addressing this capability.

    Attack surface management is the process of continuously identifying, monitoring and managing all internal and external internet-connected assets for potential attack vectors and exposures. (Image – Shutterstock)

    Cyber defence through the eyes of the adversary

    According to Sarah Sloan, head of government affairs and public affairs for ANZ at Palo Alto Networks, the surge in cloud adoption, continuous digital transformation, and the ubiquitous embrace of remote work – all further accelerated by the disruptive impact of the Covid-19 pandemic – have expanded the digital footprint and attack surface of an average organization. Collectively, Sloan believes, this has rendered corporate and government networks larger, more dispersed and dynamic, and with a constant influx of new assets interfacing with the network.

    As Palo Alto Networks 2023 Attack Surface Threat Report highlights, cloud-based IT infrastructure remains in a constant state of flux; in a given month, an average of 20% of an organization’s cloud attack surface will be taken offline and replaced with new or updated services.

    “As a consequence, organizations struggle with gaining clear visibility across all their internet-facing assets that may or may not be vulnerable to attacks. This challenge is often compounded by (manually managed) traditional asset discovery and vulnerability management processes, which were developed when corporate networks were more stagnant and centralized. This complex digital environment unfolds against a backdrop of an increasingly hostile cyber-terrain, financial constraints, and a global shortage of cybersecurity expertise,” said Sloan.

    In response, Sloan explained that attack surface management has become a foundational element in contemporary cybersecurity practice. It gives organizations a view of their network from an adversary’s perspective – identifying targets and assessing risks based on the opportunities they present to a malicious attacker.

    “The ultimate goal of attack surface management is to increase attack surface visibility and reduce risk across both known and unknown assets of which an organization’s security team is unaware and has not authorized or sanctioned,” added Sloan.

    Attack surface management brings your vulnerabilities to light.

    Setting the direction: attack surface management as a focal point in global government policies

    In the US, Sloan pointed out that the government has made a number of references to the strategic importance of attack surface management across various government strategies and reports from the US Congress. CISA not only included attack surface management in its strategic plan for the years 2024-2026 but also released Binding Operational Directive 23-01, which compelled Federal Civilian Executive Branch agencies in the US to perform a range of automated asset discovery and vulnerability enumeration activity.

    Sloan also highlighted that the US National Security Agency (NSA) has contributed to this narrative by providing no-cost attack surface management services through its Cybersecurity Collaboration Center to protect defense industrial base (DIB) entities. According to the NSA, its attack surface management service ‘has detected thousands of vulnerabilities on DIB networks and worked with network defenders to implement mitigations before they became compromises.’

    There are also various legislative provisions, such as the National Defense Authorization Act, that have called for the US Department of Defense to achieve real-time visibility of all internet-connected assets and attack surfaces across the DoD enterprise using commercial-off-the-shelf (COTS) solutions.

    Sloan added that the EU has adopted the revised Network and Information Security Directive (NIS2), which also encourages cybersecurity incident response teams to be able to provide, upon request of a covered entity, ‘a proactive scanning of the network and information systems used for the provision of the entity’s services’ and assistance in monitoring ‘an entity’s internet-facing assets… to identify, understand and manage the entity’s overall organizational risks.’

    “It’s clear in the global context that attack surface management is increasingly seen as playing a critical role in safeguarding national interests,” said Sloan.

    “It’s clear in the global context that attack surface management is increasingly seen as playing a critical role in safeguarding national interests,” said Sloan. (Image – Shutterstock)

    Enhancing Australian policies to proactively confront cyber-risk

    For Sloan, as Australia strives to become the world’s most secure nation by 2030, the government must emphasize the vital role of attack surface management through the forthcoming cybersecurity strategy, which should emphasize the need to integrate it across key government policies such as the ‘Essential Eight’ and the Critical Infrastructure Risk Management Program (CIRMP).

    Sloan explains attack surface management (ASM) in both policies below:

    1) From the Essential Eight to the Necessary Nine

    The Australian Cyber Security Centre’s (ACSC) Essential Eight (E8) has long been positioned as a beacon for organizations to shield themselves against a multitude of cyber-threats. In recent years, the government has promoted these prioritized mitigation strategies as the cybersecurity standard for all organizations and has dedicated substantial resources to promoting and adopting the E8 across the federal government. Nonetheless, the E8 carries certain limitations: while implementing its mitigations can be instrumental in preventing threats, for many organizations doing so effectively presents formidable challenges and substantial costs.

    In light of these considerations, the government may wish to expand the E8 to become the ‘Necessary 9,’ incorporating ASM as its foundational cornerstone. Consider this scenario: an organization using an ASM platform learns that an internet-facing application it has not patched is affected by a known vulnerability (a CVE, or even a zero-day), enabling it to prioritize that application in its E8 remediation over an application that is internal-facing only. By integrating ASM into the E8, government agencies can pivot towards a risk-based approach to cybersecurity, an increasingly indispensable stance, especially under financial constraints.

    Of course, such a paradigm shift should be accompanied by a corresponding revision of the ACSC’s guidance and materials such as the Information Security Manual (ISM) Cybersecurity Principles and Cybersecurity Guidelines. These revisions are vital to engendering a comprehensive understanding among government entities and other stakeholders regarding ASM capabilities, articulating the critical functions essential for an organization’s business operations.

    2) Proactive Risk Management for Critical Infrastructure

    In 2022, a significant milestone was achieved as the Australian government concluded the final phase of amendments to the Security of Critical Infrastructure Act 2018 to elevate the resilience of Australia’s critical infrastructure across 11 vital sectors. The amended legislation now mandates that critical infrastructure sectors establish a comprehensive CIRMP encompassing an ‘all-hazards’ approach to risk – including cyber and supply chain risks.

    To further fortify this framework, the Australian government might consider incorporating ASM capabilities into the CIRMP. The integration of ASM can serve as a catalyst for organizations, empowering them to proactively grapple with cyber-risks, rather than responding reactively to breaches or incidents. Importantly, this proactive engagement enables these entities to strategically allocate resources, effectively prioritizing remediation endeavors – offering a cost-effective approach to cyber-risks.

    In an era where cyber-threats are a constant reality, nations must be proactive in their approach to cybersecurity. Attack surface management has emerged as an effective strategy to enhance cyber-resilience by identifying vulnerabilities and mitigating risks.

    “The Australian government should look to provide clear guidance and incentivize the adoption of attack surface management capabilities across government departments and critical infrastructure sectors, thus fortifying its cyber-shields. In doing so, Australia can confront the ever-evolving cyber-threats, reinforce its cyberdefenses and secure its national interests,” concluded Sloan.

    The post Fortifying Australian cyber-resilience through attack surface management appeared first on TechWire Asia.

    Australia’s cybersecurity crisis: Organizations need to stop paying ransoms
    https://techwireasia.com/2023/07/australias-cybersecurity-ransomware-crisis-pay-or-not/ – Wed, 05 Jul 2023 00:30:42 +0000


  • Over 94% see a rise in 2023 ransomware threats.
  • 78% may pay a ransom for data recovery and business restoration.
  • A recent study commissioned by Cohesity reveals that many companies in Australia and New Zealand are inadequately equipped with the essential cybersecurity strategies and abilities to effectively combat the rising tide of cyber threats like ransomware and ensure business continuity. The pace of their efforts in improving cyber resilience is far behind the rapidly evolving cyber threats. The lack of data security and recovery technologies limits their eligibility for cyber insurance and amplifies the consequences of successful cyber attacks.

    When juxtaposing the cybersecurity landscape of 2023 with that of 2022, a staggering 94% of survey participants claimed that the danger of ransomware attacks to their industry had escalated in 2023. What’s more worrisome is that more than half (56%) confirmed a ransomware attack had hit their company in the previous six months, while nearly one out of ten (9%) were uncertain.

    Survey participants also acknowledged that their firms’ cyber resilience and data security capabilities were not up to speed. 79% voiced their apprehensions regarding their company’s cyber resilience strategy and its ability to confront today’s cyber threats and challenges.

    Ransomware still causing havoc in the cybersecurity landscape

    The recent data breaches happening in Australia, particularly among large corporations, have raised serious concerns. One major incident occurred in March 2023, when Latitude, an Australian personal loan and financial service provider, suffered a data breach that affected more than 14 million individuals in Australia and New Zealand. Although the initial disclosure said only 328,000 customers were affected, that number quickly climbed to 14 million after further investigation.

    A Twitter user, @artfulbunny, commented on how their data had been stolen. (Source – Twitter)

    This incident involving Latitude was one of the most significant breaches in Australia’s recent past and followed a succession of high-profile attacks, including those on Optus and Medibank. The breach occurred due to stolen employee credentials, which provided unauthorized access to Latitude’s customer data, including full names, physical addresses, phone numbers, and passport numbers.

    The data was predominantly from 2005, leading to questions about why companies retain customer records beyond the mandatory seven-year period. This situation has even prompted the government to contemplate expanding the mandate of federal cyber agencies to intervene when private companies come under attack.

    The Australian health insurance behemoth, Medibank, was also targeted in a major data breach that compromised the personal details of 9.7 million customers. The attack was purportedly orchestrated by a notorious ransomware group based in Russia, the REvil ransomware gang.

    The privacy violation was first noticed when REvil posted 6GB of raw data samples on a dark web blog, implying that they possessed even larger data sets to release and demanded a US$10 million ransom. This data encompassed names, birthdates, passport numbers, medical claims data, and medical records.

    Despite suffering one of the most extensive data breaches in Australian history, Medibank refused to pay the ransom. Although the data is believed to have been entirely released on the dark web, there have been no reported incidents of identity theft or financial fraud. Medibank has also advised customers to remain alert to credit checks and phishing scams and has invested substantially in its cybersecurity measures. ABC News even reported that the Medibank data hack was far worse than the Optus breach.

    The frequency of data breaches in Australia, especially within the financial and healthcare sectors, is increasing. In response, the Australian government is revamping its cybersecurity protocols and policies to bolster resistance against nation-state threats.

    However, Australian businesses can’t solely depend on government-led cybersecurity initiatives. The Australian Signals Directorate (ASD) has conceded that the proposed security frameworks merely set a minimum standard for security. It remains incumbent upon individual businesses to further raise this standard by implementing additional data breach prevention measures.

    Battle against time

    Maintaining business continuity in the face of cyber threats is crucial. The ability of organizations to recover data and restore business operations quickly is limited. When queried about how long their organization would need to restore data and business processes following a cyberattack, an overwhelming 99% of participants stated they would require more than 24 hours, 80% suggested it would take over 4 days, and nearly half (47%) claimed more than a week would be necessary.

    Seven out of ten respondents (71%) lacked complete confidence that their company could retrieve their data and crucial business operations in the event of a comprehensive cyberattack. When diving deeper into perceptions of cyber resilience and actual data recovery capacities, 95% of participants acknowledged their organization might consider paying a ransom. Almost 4 out of 5 (78%) went further, confirming their organization would indeed surrender to ransom demands if it guaranteed swift restoration of data and resumption of business activities.

    Michael Alp, Managing Director, Cohesity Australia & New Zealand, asserted that organizations cannot afford to be offline and halt operations, especially for more than a day.

    “The stark reality is that many organizations are vulnerable to leverage from cyber criminals because they are incapable of rapidly recovering their data and business processes when necessary,” Alp remarked. “Therefore, it’s no surprise that less than 5% of respondents said their organization would not consider paying a ransom to maintain business continuity and that the vast majority of respondents believe their organization would pay cybercriminals a ransom.”

    To pay or not to pay

    Regarding ransom payments, the Australian Cyber Security Centre (ACSC) sternly advises against conceding, as payments may sometimes be deemed illegal. It is a serious offense to support criminals or financially fund criminal activities. Hence, ransom payments could be considered illegal and should be avoided, as outlined in the Criminal Code Act 1995 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

    Given these regulations, Australian businesses must establish advanced cybersecurity measures to avoid situations where ransom payments are demanded. Nevertheless, the success of ransomware attackers and the increasing frequency of attacks on Australian companies have prompted a contentious Labor bill. If enacted, this legislation would obligate Australian organizations to report any ransom payments made.

    The Ransomware Payments Bill 2021 requires victims of ransomware attacks to notify the Australian Cyber Security Centre (ACSC), ideally before a ransom payment is made. The aim is to diminish compliance with cybercriminals’ demands by presenting victims with alternative solutions they might not have previously considered. An advantageous side effect of this support is the provision of valuable intelligence to law enforcement agencies that could assist in tracking down criminal groups.

    Cybersecurity ransomware incidents are on the rise leading organizations to pay ransoms.
    Should organizations pay ransom? (Source – Shutterstock)

    Details to be reported include the ransom amount demanded (typically specified in bitcoin), the cryptocurrency wallet to which the ransom payment should be made, and indicators of compromise. The proposed legislation doesn’t define the consequences of non-compliance, but it does warn that a failure to notify the ACSC will result in a penalty.

    In response to emerging nation-state threats, the Australian government is aligning its cybersecurity regulations with the United States’ new stance. This has resulted in significant changes to the expectations for how Australian businesses should react to cyberattacks.

    The need for anti-ransomware solutions and comprehensive cybersecurity posture insights

    When asked about the main obstacles hindering their organization’s recovery from a successful cyberattack, participants cited a lack of coordination between IT and security (33%), a lack of timely and detailed alerts (32%), and the absence of a recent, clean, and unaltered copy of data (30%). Moreover, less than half expressed confidence in the security and protection of all their data stored in the cloud (45%) or at the edge (38%), with only one in six respondents (17%) expressing confidence in on-premises data security and protection.

    As a result, 88% of participants voiced the need for data and cybersecurity vendors to collaborate in providing comprehensive and integrated anti-ransomware solutions. Additionally, 91% of respondents felt their organization would benefit from a data security and management platform that offers insights into their overall security posture and cyber resilience.

    The urgency of having robust data backup and recovery services is highlighted by the fact that they’re critical for qualifying for cyber insurance. Not all solutions meet this criterion. While 75% of respondents confirmed their company has cyber insurance, nearly half (48%) reported it is now more challenging to obtain cyber insurance than in 2020. The three most crucial technologies or capabilities needed to secure cyber insurance were identified as “strong encryption” (39%), Multi-Factor Authentication (37%), and the “ability to verify the integrity of backups” (34%).

    Alp highlighted the need for IT and SecOps to jointly manage their organization’s cyber resilience outcomes to identify sensitive data and effectively protect, detect, respond, and recover from cyberattacks. He stressed that dependence on traditional backup and recovery systems, which lack modern data security capabilities, is a risky approach in the face of today’s sophisticated cyber threats.

    “Organizations should opt for data security and management platforms that harmonize with their existing cybersecurity solutions and offer visibility into their security posture to enhance cyber resilience,” he concluded.


    New APT group Dark Pink targeting governments in APAC
    https://techwireasia.com/2023/01/new-apt-groups-dark-pink-targeting-governments-in-apac/ – Thu, 12 Jan 2023 04:12:44 +0000


    Advanced persistent threat (APT) groups continue to wreak havoc around the world, often targeting government agencies and organizations. As most APT groups are state-sponsored, their tactics often go undetected for a long time. APT groups are also known for leaving backdoors in the systems they infiltrate after stealing data or spying on their targets.

    Some of the best-known APT groups include APT41, a prolific cyber threat group that has carried out Chinese state-sponsored espionage activities in at least 14 countries since 2012. Another example is APT39, which targets the telecommunications sector. Suspected to be from Iran, the group primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor.

    While there are several other high-profile APT groups, cybersecurity vendor Group-IB has published findings into Dark Pink, an ongoing APT campaign launched against high-profile targets in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina.

    Group-IB believes the campaign was launched by a new threat actor, which has also been termed Saaiwc Group by Chinese cybersecurity researchers. This new APT group is notable due to its specific focus on attacking branches of the military, and government ministries and agencies. To date, Group-IB’s Threat Intelligence has been able to attribute seven successful attacks to this particular group from June-December 2022, with targets including military bodies, government ministries and agencies, and religious and non-profit organizations, although the list of victims could be significantly longer.

    The first successful attack took place in June 2022, when threat actors gained access to the network of a religious organization in Vietnam. Following this particular breach, no other attack attributable to Dark Pink was registered until August 2022, when Group-IB analysts discovered that the threat actors had gained access to the network of a Vietnamese non-profit organization.

    Dark Pink’s activity ramped up in the final four months of the year. Group-IB’s Threat Intelligence Team uncovered attacks on a branch of the Philippines military in September, a Malaysian military branch in October, two breaches in November, with the victims being government organizations in Bosnia & Herzegovina and Cambodia, and finally, in early December, an Indonesian governmental agency. Group-IB’s Threat Intelligence also discovered an unsuccessful attack on a European state development agency based in Vietnam in October.

    Dark Pink APT’s timeline and affected organizations. (Source – Group-IB)

    While the first Dark Pink breach, as confirmed by Group-IB, took place in June 2022, there are clues to suggest that the group was active as far back as mid-2021. Group-IB found that the threat actors, upon infecting a device, were able to issue commands to the infected computer to download malicious files from GitHub, with these resources uploaded by the threat actors themselves. Interestingly, the threat actors have used the same GitHub account for uploading malicious files for the entire duration of the APT campaign to date, which could suggest that they have been able to operate without detection for a significant period of time.

    How do APT groups like Dark Pink launch successful attacks?

    According to Group-IB, Dark Pink utilizes a set of custom tools and sophisticated tactics, techniques, and procedures (TTPs) that have made a major contribution to its successful attacks over the past seven months. These include targeted spear-phishing emails.

    Group-IB was able to find the original email sent by the threat actors in one unsuccessful attack. In this instance, the attackers posed as a job seeker applying for the position of PR and Communications intern. In the email, the threat actor mentions that they found the vacancy on a jobseeker site, which could suggest that the threat actors scan job boards and craft a unique phishing email relevant to the organization that they find.

    The spear-phishing emails contain a shortened URL linking to a free-to-use file-sharing site, on which the victim is presented with the option to download a malicious ISO file that always contains three specific file types: a signed executable file, a nonmalicious decoy document (some ISO files seen by Group-IB had more than one), and a malicious DLL file. However, these file types can differ in their content and functionality, and Group-IB analysts uncovered three separate kill chains, underscoring the sophistication of this particular APT group.

    Screenshot of original spear-phishing email sent by Dark Pink APT, containing a link to an ISO image hosted on a file-sharing site. (Source – Group-IB)

    The sophistication of Dark Pink’s attacks is also underlined by the custom malware and stealers in the threat actors’ arsenal. They created two custom modules, named by Group-IB as TelePowerBot and KamiKakaBot, which are written in PowerShell and .NET, respectively. These two pieces of malware are designed to read and execute commands from a threat actor-controlled Telegram channel via a Telegram bot. Group-IB researchers noted that all communication between the threat actors’ devices and the victims’ was based entirely on the Telegram API, and that the actors utilized numerous evasion techniques, including bypassing User Account Control, to remain undetected.

    The threat actor also created two custom stealers, dubbed Cucky and Ctealer by Group-IB. When launched on the victims’ devices, the stealers can steal passwords, history, logins, and cookies from dozens of web browsers. In this campaign, the threat actors also wrote a script that allowed them to transfer their malware to USB devices connected to the compromised machine, and to spread their malware across network shares.

    The threat actors also leveraged a custom utility, dubbed ZMsg by Group-IB, to exfiltrate data from the Zalo messenger on victims’ devices. Researchers found evidence that the APT group could steal data from the Viber and Telegram messengers as well. One of the only off-the-shelf tools the threat actors utilized was the publicly available PowerSploit module Get-MicrophoneAudio, which is loaded onto the victim’s device via download from GitHub. This module, which the threat actors customized to ensure they were able to bypass antivirus software, allowed them to record audio input and later exfiltrate these recordings via their Telegram bot. Group-IB analysts noted that the custom script added to this PowerSploit module was changed multiple times, after several unsuccessful attempts to record the microphone audio on infected devices.

    In short, Dark Pink exfiltrated data from victims through three channels: Telegram, Dropbox, and email.

    “Group-IB’s analysis of Dark Pink is of major significance, as it details a highly complex APT campaign launched by seasoned threat actors. The use of an almost entirely custom toolkit, advanced evasion techniques, the threat actors’ ability to rework their malware to ensure maximum effectiveness, and the profile of the targeted organizations demonstrate the threat that this particular group poses. Group-IB will continue to monitor and analyze both past and future Dark Pink attacks with the aim of uncovering those behind this campaign,” commented Andrey Polovinkin, Malware Analyst at Group-IB.

    Dark Pink APT’s recent campaign is yet another example of how individuals’ interactions with spear-phishing emails can result in the penetration of the security defenses of even the most protected organizations.

    As such, Group-IB recommends solutions, such as its proprietary Business Email Protection, that can counter this threat effectively and stop malicious emails from ending up in employees’ inboxes. That said, Group-IB urges organizations to foster a culture of cybersecurity and educate their employees on how to identify phishing emails. Group-IB’s Threat Intelligence platform, which led the analysis into Dark Pink, can help organizations shore up their security posture by equipping them with the latest insights into emerging threats.



    What has the cyber warfare between Russia and Ukraine taught the world?
    https://techwireasia.com/2023/01/what-has-the-cyber-warfare-between-russia-and-ukraine-taught-trellix/ – Wed, 11 Jan 2023 23:30:55 +0000


  • This Saturday, January 14, will mark a year since Russia’s first significant cyberattack.
  • Hacktivism has the potential to grow in scale as those backing the Russian and Ukrainian/Western regimes become savvier and more confident.
  • In recent years, there has been a growing trend of countries using cyberattacks as a tool in their conflicts. A notable example is the ongoing cyber warfare between Russia and Ukraine.

    The ongoing cyber warfare between the two nations

    One of the key events in the war occurred in 2015, when Russia was accused of launching a cyber-attack on Ukraine’s power grid. As a result of this incident, 225,000 individuals were left without electricity. It was the first known case of a cyberattack being used to interfere with a power grid, and it was a reminder of the potential risks of such attacks to nations worldwide.

    Since then, multiple cyberattacks have allegedly been carried out by both Russia and Ukraine. In recent years, the situation has worsened, as both nations accuse one another of conducting cyber espionage and propaganda efforts. In 2020, the Ukrainian government alleged that the release of private official documents was caused by a Russian cyberattack on its IT infrastructure.

    It’s worth noting that this cyber warfare has also involved malware, APT organizations, and hacking groups, including well-known names such as Sandworm, BlackEnergy, and NotPetya (the latter thought to have been responsible for the Petya attack).

    These cyber warfare clashes were already serious, but in January 2022, one day after US-Russian negotiations on Ukraine’s membership in NATO fell through, Russia began attacking Ukrainian government websites. Then, in February, the nation began its disastrous all-out invasion of Ukraine. The long-running cyber conflict between Russia and its neighbor has also entered a new phase, during which Russia occasionally appeared to be trying to frame its hacking activities as part of a brutal, physical ground conflict.

    Lessons after one year of the significant Russia-Ukraine cyber-warfare

    January 14, 2023, will mark a year since Russia’s first significant cyberattack, which brought down several government websites in Ukraine and set off a series of cyberattacks against banks and other companies that culminated in the Russian military’s invasion of Ukraine.

    As a result of these attacks, regulators and businesses worldwide have increased their attention to cyber defense, realizing that anyone could be a cyber attacker, even foreign governments. Similarly, the security systems market in Southeast Asia is maturing and system defenders will need to adopt a more proactive defensive strategy to protect citizens and governments from threats.

    (Source – Shutterstock)

    “As the winter months and stalemate continue, it’s likely we’ll see retreats from kinetic warfare and renewed focus on cyber capabilities by Russian actors,” said John Fokker, who leads the threat intelligence efforts for the Trellix Advanced Research Center. “We expect heavily sanctioned countries, like Russia, Iran and North Korea, to rely on cyberespionage and disruptive cyberattacks in times where physical activities are not driving results and economic resources are dwindling.”

    In addition, Fokker offers several key takeaways for the cybersecurity community:

    • Physical + cyber conflict: Using wiper malware in conjunction with kinetic military activity was one of the most important lessons from the Russia/Ukraine war. Wipers are nothing new, but they had never before been seen at this scope alongside kinetic war.
    • Hacktivism: Hacktivism has the potential to grow in scale as those backing the Russian and Ukrainian/Western regimes become savvier and more confident to deface websites, leak information, and carry out DDoS attacks.
    • Information exchange: Pronounced information sharing regarding the cyber conflict between the public and corporate sectors reduced collateral harm. The security industry was able to share information, alert organizations in advance, and inform customers due to this dispute, preventing the effects of future attacks.
    • Phishing continues to drive results for attackers: Along with Wiper malware, phishing is still a powerful tool that cyber actors in the Russia-Ukraine conflict use. Businesses cannot ignore the significance of employee education and email security solutions to secure their intellectual property (IP), staff, customers, and bottom line.
    • What’s next: Russia wants to disrupt both Ukraine and the West in response to heavy sanctions, and it may turn to more affordable cyber tactics to gain the upper hand in its battle.

    According to Fokker, although Russia is a strong cyber adversary and launched multiple strikes against Ukraine in early 2022, these actions had little impact until combined with physical invasion. Ukraine has repeatedly shown that its cyber defenses are effective following years of attacks intended to destabilize Ukraine’s people and government.


    Not so jolly for Singapore-based crypto firm – lost more than US$ 8 million to a hack
    https://techwireasia.com/2023/01/not-so-jolly-for-singapore-based-crypto-firm-lost-more-than-us-8-million-to-a-hack/ – Thu, 05 Jan 2023 23:00:28 +0000


  • Over US$ 8 million was taken from a Singapore-based cryptocurrency wallet service on December 26.
  • Some APK package downloads offered in the firm’s official Telegram group had been tampered with by attackers and deployed with malicious code.
  • Cryptocurrencies, like Bitcoin and Ethereum, have gained much attention in recent years, both as a means of financial transaction and as an investment opportunity. However, the popularity of crypto has also made it a target for cybercriminals to hack.

    Over US$ 8 million was recently stolen from a Singapore-based cryptocurrency wallet provider on December 26 after a hacker tampered with the files customers download to install the wallet on their phones. According to blockchain security and data analytics firm PeckShield, the stolen cryptocurrencies included Ether, the stablecoins Dai and Tether, and Binance’s BNB Coin.

    One would assume that since it was the Christmas season, cybercriminals would take a vacation and enjoy themselves, but they were more determined than ever to cause havoc.

    On December 26, some BitKeep customers who utilize the multichain cryptocurrency wallet claimed that money was being taken out of their wallets and transferred when they were not using them. A spokesman for BitKeep told The Straits Times that the company had taken precautions to protect users from future losses, such as tracking the addresses used in the breach and freezing some of the stolen money.

    He added that a police report was filed at the end of December and that the police and cybersecurity professionals worked together to form a task force.

    The BitKeep team acknowledged that some APK package downloads had been compromised by some attackers and deployed with malicious code in their official Telegram group.

    Last Wednesday, BitKeep CEO Kevin Como released a statement on the company’s website acknowledging the incident and explaining how the hacker had carried it out: by hijacking version 7.2.9 of the APK files available for download on the website and inserting malicious code into them. Android users can download apps directly to their devices using APK files instead of the Google Play Store.

    Via its official Telegram channel, affected users were encouraged to update to BitKeep version 7.3.0, which was released on December 28.

    As the hack continued, the BitKeep team advised its customers to move their money to a wallet that originated from an official source, such as Google Play or the Apple App Store. In addition, the team urged community members to use newly generated wallet addresses because their old ones may have already been “leaked to hackers.” The BitKeep team requested that the impacted users provide the pertinent information via a Google form to help with the investigation.

    This was not the first hack BitKeep had suffered. On October 17 last year, a similar incident occurred in which the attacker made off with BNB valued at US$ 1 million. That exploit was carried out through a service that permitted token swaps; the wallet company shut the service down and promised to compensate affected customers.

    The state of crypto hacks

    As reported above, the growing interest in cryptocurrencies attracts both investment and the wrong kind of attention. Every year, more people lose their assets to cryptocurrency fraud and scams through no fault of their own.

    Since cryptocurrencies became popular in recent years, there have been costly hacks and scams involving them, including the Plus Token Ponzi scheme. According to a report from CoinJournal, this is the most expensive crypto scam to date, with approximately US$ 3 billion worth of Bitcoin and Ethereum stolen. Plus Token was a Ponzi scheme that posed as an investment program. A Ponzi scheme is a form of fraud in which money from new investors is used to pay off earlier investors, deceiving victims into believing the returns come from legitimate commercial activity.

    WoToken was another Ponzi scheme that deceived over 700,000 users out of US$ 1 billion. WoToken was dubbed “Plus Token 2.0” by the media due to its resemblance to the Plus Token scam. Additionally, it was discovered that one of the WoToken members was part of the Plus Token scam.

    Figure: Most Targeted Countries (Source – CoinJournal)

    Cryptocurrency users and investors are found worldwide. Five APAC countries were found to rank among the top 10 most targeted countries worldwide, with South Korea and Japan in third and fourth place, respectively. Singapore came in ninth, with four breaches totaling US$ 14,600,000.

    The interest in cryptocurrencies is natural, given their potential to revolutionize the financial sector. People must, however, adopt the necessary security measures to protect their assets and themselves against hacks and scams.

    The post Not so jolly for Singapore-based crypto firm – lost more than US$ 8 million to a hack appeared first on TechWire Asia.

    How cyber ready is APAC: Understanding today’s cybersecurity trends https://techwireasia.com/2022/11/how-cyber-ready-is-apac-understanding-todays-cybersecurity-trends/ Thu, 24 Nov 2022 23:00:48 +0000 https://techwireasia.com/?p=223602

    Article by Stanley Hsu, Regional Vice President of Asia at Mimecast

    Despite many organizations investing in cybersecurity, the threat landscape today remains challenging because of businesses undergoing digital transformations, hybrid workplace models, and interconnected digital supply chains expanding the attack surface. With cyber threats evolving, organizations are at increased risk, whether it’s ransomware, business email compromise (BEC), impersonation fraud, spear-phishing, tech support fraud, or identity theft.

    Rise of industrial cyber attacks

    Ransomware attacks have grown drastically in the last few years with modern ransomware gangs now not only stealing data but also encrypting it and thus compromising the availability of critical resources required to carry out daily business processes.

    Moreover, attacks have started targeting a wider range of industries that historically faced fewer cyber threats and had therefore lowered their guard. Because these industries viewed themselves as safe from cyberattacks, cybercriminals have realized that they have large gaps in awareness and protection, which has made them soft targets.

    For instance, engineering and construction companies can be at risk because their security expertise is concentrated on physical security while they remain underprepared for cybersecurity. Similarly, legal firms face attacks such as phishing and BEC, which can be both a financial and a reputational burden.

    Manufacturing firms are at a heightened risk of cyberattack due to their valuable data, while the financial services industry is facing challenges with customer data coming under attack, reputation at risk, and compliance mandates to meet.

    Educational institutions are encountering increasingly sophisticated threats to their intellectual property and to students’ and staff’s personal details. Healthcare and medical organizations, which store enormous volumes of electronic health records containing personal information and financial details, are also being targeted.

    Data and security breaches at state and local government agencies are reaching unprecedented levels, whether the perpetrators are spies, hacktivists promoting their political views, or cybercriminals.

    Navigating the cyber landscape in Asia Pacific

    Photo: Stanley Hsu, Regional Vice President of Asia at Mimecast

    Low barriers to entry for criminals, greater sophistication of attackers’ operations and targeting, and a broader range of threats (with ransomware and nation-state threats increasing in particular) mean that attacks are now more frequent and varied, and potentially costly. At the same time, as interlinked, web-connected devices are burgeoning, the digital and physical are blending. Supply chains are extending and interconnecting, and remote and hybrid working models are being adopted via collaboration tools, all of which are expanding the attack surface.

    According to Forrester, 68% of Asia Pacific (APAC) organizations were breached in 2021, up from 61% in 2020, highlighting that the APAC region as a whole is unprepared for the storm of cybersecurity breaches. In the same year, nearly every organization surveyed in Singapore (97%) for Mimecast’s State of Email Security report was the target of a phishing attack, and these attacks are becoming more frequent. Moreover, 84% of the organizations surveyed also received an increased number of email-based threats – the largest share globally – marking Singapore and the APAC region as key targets for threat actors.

    Large-scale attacks also rose: Indonesia and South Korea saw hits on critical infrastructure, distributed denial of service (DDoS) attacks took banks in New Zealand offline, and Australian power stations shut down after an attack on an energy supplier.

    Inconsistent cybersecurity maturity across APAC a challenge

    The lack of alignment on regulation and variations in cyber maturity across APAC makes a unified response difficult. Despite cyber threats crossing borders, cybersecurity regulation in the region remains fractured and localized, with a lot to be done toward harmonization. As per the Global Cybersecurity Index, the maturity levels across APAC have Singapore (4th), Malaysia (5th) and Japan (7th) making it to the global top ten, with India and Australia (10th and 12th) not far behind. Other nations, such as the Philippines (61st) and Myanmar (99th) fare less well, while smaller territories including the Solomon Islands (166th) and Timor-Leste (173rd) are near the bottom of the table.

    Cybersecurity advancement despite inconsistent regulations

    Disparities in awareness and resourcing are heightened by different data privacy laws and regulations in each country, often even among local states. There is an emerging trend toward common ground. The European Union’s (EU) General Data Protection Regulation (GDPR) measures are increasingly driving global alignment, and some nations’ standards, such as those of Japan, are comparable with the EU’s.

    Singapore recently changed its Personal Data Protection Act to tighten rules surrounding the misuse of data and mandatory reporting, while Thailand’s legislation was updated this year to more closely mirror GDPR. South Korea has required IT businesses to report hacks since 2004.

    While privacy laws across territories cover similar ground, there are differences. For example, Australia’s Privacy Act does not make a distinction between data controllers and data processors, unlike the EU. Others lag behind the standards set by GDPR, and while Australia is introducing tough new laws (particularly surrounding critical infrastructure), other highly developed economies, such as Hong Kong, are still waiting while legislation is developed. India still doesn’t have an overarching cybersecurity framework, instead relying on a hotchpotch of laws and individual regulators.

    Geopolitics, tight budgets affecting CISOs

    The lack of standardized regulation is not the only problem facing APAC nations. An increase in state-sponsored attacks, territorial tensions and wars is further adding to complications. Adding the rise of ransomware and the risk associated with increased remote working, it’s no surprise dark clouds are looming for many chief information security officers (CISOs) across the region. Almost three-quarters of respondents to an Ernst & Young survey noted an increase in the number of disruptive attacks in the last year – and 47% warned that their budgets are not sufficient to manage new challenges.

    Finding a way: Technology and Collaboration

    Successful implementation of cyber defenses fluctuates across APAC. A recent cyber readiness report stated that 40% of Australian firms were confident in the maturity of their software supply chain risk management, compared to only 26% of Japanese and 35% of Indian companies. In contrast, 31% of Japanese organizations had fully developed zero-trust frameworks, compared to only 16% in Australia.

    In this challenging environment, zero trust, extended detection and response (XDR) and better cloud management are among the measures that can help businesses across APAC increase their cyber resilience. However, the majority of businesses believe governments must lead the change – around 9 in 10 respondents felt formal government initiatives would significantly reduce cyber risk.

    Finding cybersecurity opportunities despite the threats

    With APAC now the number-one target of cyber attackers around the world, organizations must raise their cyber game. Building a competent cybersecurity strategy, and making sure the organization has the funds and resources to realize it, is essential. New threats require new solutions, including holistic cloud defenses, effective use of automation, and zero-trust frameworks.

    A good starting point for CISOs would be to benchmark their security against global cybersecurity frameworks, even if their local market doesn’t require it. It is also a credible way to enhance their organization’s profile and gain access to new markets.

    To bring this to fruition, effective regulation and more collaboration are required at the governmental level. Cross-border initiatives, such as the Association of Southeast Asian Nations (ASEAN)’s continued cybersecurity collaboration and new legislation in countries across the region may help – but for the moment, businesses must take ownership of their defenses.

    The views in the article are of the author and may not represent the views of Tech Wire Asia. 

    The post How cyber ready is APAC:  Understanding today’s cybersecurity trends appeared first on TechWire Asia.

    Attackers are using CLDAP to amplify DDoS attacks up to 70 times https://techwireasia.com/2022/11/attackers-are-using-cldap-to-amplify-ddos-attacks-up-to-70-times/ Tue, 01 Nov 2022 23:00:25 +0000 https://techwireasia.com/?p=223004

  • The Q3 DDoS report from Lumen Technologies describes attack trends, including the growing number of CLDAP reflectors.
  • CLDAP has a 56–70 times bandwidth amplification factor.

    The only consistency in the threat landscape is that it is inconsistent. The security industry has warned for years about the sophistication of the DDoS attacks that attackers prepare.

    Businesses must be ready to withstand DDoS attacks, especially reflective DDoS attacks, but they also need to be aware of weaknesses in their own defenses that might turn them into an unwitting participant in someone else’s attack.

    A pair of research publications from Black Lotus Labs, the security research division of Lumen Technologies, describe how attackers have been abusing the CLDAP protocol in Microsoft environments.

    What is CLDAP?

    CLDAP stands for Connectionless Lightweight Directory Access Protocol. LDAP is the industry-standard protocol for communicating with a directory service over an IP network. An organization’s directory information, including usernames, passwords, email addresses, and employee names, must be kept somewhere, and business applications query that user data via LDAP.

    The “C” in CLDAP stands for “connectionless”: requests are made over UDP, a best-effort protocol that, unlike TCP, does not establish a connection before data is sent or received, which also means the sender’s address is never verified.

    What makes this attack strategy so successful for attackers?

    CLDAP has a bandwidth amplification factor of 56 to 70 times the original request, making it a desirable reflection vector. Almost all of the reflected traffic in the May 2021 DDoS attack on Belnet, one of the ISPs for the Belgian government, was CLDAP.

    The Russian-aligned hacktivist group Killnet has been using CLDAP reflection alongside other DDoS methods against its targets. Furthermore, according to a recent study by Black Lotus Labs, the number of CLDAP reflectors reachable online has grown by more than 60% in the last year.

    It is concerning that CLDAP is still prevalent and capable of producing significant, damaging attacks, especially given the well-established best practices for preventing it, says Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs.

    “Organizations running Active Directory should understand the risks of publicly exposing CLDAP, and we strongly recommend they restrict access to only the hosts and networks that need access,” he added.
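    As an added illustration of the two points above, the amplification ratio and the need to restrict who can reach UDP/389, the following Python script is example code written for this article, not software from Lumen or Black Lotus Labs. It walks through flow records for UDP/389 traffic and flags a directory server that is answering clients outside an allow-list with responses far larger than the requests, which is the signature of a host being abused as a CLDAP reflector. The flow line layout (ts src sport dst dport proto bytes), the sample records and the allowed client networks are all constructed assumptions; real NetFlow or IPFIX exports would need their own parser.

```python
"""Flag hosts being abused as CLDAP (UDP/389) reflectors from flow records.

Example written for this article; not code from Lumen or Black Lotus Labs.
The flow line format "ts src sport dst dport proto bytes", the sample
records and the allowed client networks are all constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CLDAP_PORT = 389

# Networks that legitimately need to query the directory service
# (assumed values; mirror the firewall allow-list in a real deployment).
ALLOWED_CLIENTS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: 192.0.2.5 is an internet-exposed directory server.
# 203.0.113.10 is the (spoofed) address of a DDoS victim receiving the
# amplified replies; 10.1.2.3 is a legitimate internal client.
SAMPLE_FLOWS = """\
1667300000 203.0.113.10 51000 192.0.2.5 389 udp 52
1667300000 192.0.2.5 389 203.0.113.10 51000 udp 3096
1667300001 203.0.113.10 51001 192.0.2.5 389 udp 52
1667300001 192.0.2.5 389 203.0.113.10 51001 udp 3120
1667300001 203.0.113.10 51002 192.0.2.5 389 udp 52
1667300001 192.0.2.5 389 203.0.113.10 51002 udp 3088
1667300002 10.1.2.3 40000 192.0.2.5 389 udp 60
1667300002 192.0.2.5 389 10.1.2.3 40000 udp 900
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes)})
    return flows


def is_allowed_client(ip):
    """True if the address falls inside one of the permitted client networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def analyse_cldap(flows, min_amplification=10.0):
    """Per directory server, measure request/response bytes per client over UDP/389.

    Returns {server: {"clients": {client: {...}}, "external_clients": [...],
                      "likely_reflector": bool}}.
    A server is a likely reflector when a client outside the allow-list
    receives responses at least `min_amplification` times larger than what
    it sent; CLDAP is documented at 56-70x, so 10x leaves a wide margin.
    """
    pairs = defaultdict(lambda: defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0}))
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == CLDAP_PORT:            # query towards a directory server
            pairs[f["dst"]][f["src"]]["req_bytes"] += f["bytes"]
        elif f["sport"] == CLDAP_PORT:          # reply from a directory server
            pairs[f["src"]][f["dst"]]["resp_bytes"] += f["bytes"]

    report = {}
    for server, clients in pairs.items():
        entry = {"clients": {}, "external_clients": [], "likely_reflector": False}
        for client, counters in clients.items():
            req, resp = counters["req_bytes"], counters["resp_bytes"]
            amp = round(resp / req, 1) if req else 0.0
            external = not is_allowed_client(client)
            entry["clients"][client] = {"req_bytes": req, "resp_bytes": resp,
                                        "amplification": amp, "external": external}
            if external:
                entry["external_clients"].append(client)
                if amp >= min_amplification:
                    entry["likely_reflector"] = True
        entry["external_clients"].sort()
        report[server] = entry
    return report


if __name__ == "__main__":
    for server, entry in analyse_cldap(parse_flows(SAMPLE_FLOWS)).items():
        flag = "LIKELY REFLECTOR" if entry["likely_reflector"] else "ok"
        print(f"{server}: {flag}; external clients: {entry['external_clients']}")
        for client, c in entry["clients"].items():
            tag = " (external)" if c["external"] else ""
            print(f"  {client}: {c['req_bytes']} B in, {c['resp_bytes']} B out, "
                  f"x{c['amplification']}{tag}")
```

    Run stand-alone, the script prints a per-server report in which the constructed server answers the external address at roughly 60x while the internal client’s traffic stays unflagged. In practice the allow-list would mirror the firewall rule Dehus recommends, so any external client that appears in the report is at once a detection and a policy gap to close.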

    Attackers continuing to launch DDoS attacks

    Black Lotus Labs is still monitoring and analyzing vulnerable CLDAP reflectors and incorporating the information into the Lumen Connected Security portfolio. Along with stopping long-lived CLDAP reflector traffic from travelling over the Lumen global backbone, the team is stepping up its efforts to alert legitimate, third-party hosts of CLDAP reflection activity.

    Key findings from the Lumen Q3 2022 DDoS report:

    • The highest-bandwidth attack Lumen mitigated in Q3 was 493 Gbps, and the company mitigated 5,547 attacks in total, a 21% increase over Q2. That peak was almost half the scale of the largest mitigation in Q2, which at 1.06 Tbps was also Lumen’s largest to date.
    • Despite accounting for only 3% of mitigations, Session Initiation Protocol (SIP) attacks, which target VoIP infrastructure, continue to be of interest due to a sharp increase in the past year. This quarter’s growth over Q2 was 59%.
    • The top five businesses targeted were telecommunications, gaming, software and technology, government and finance.
    • Nearly 40% of the 5,500+ attacks that Lumen stopped in Q3 were directed at just one government customer. The customer experienced no outage despite the barrage, which included a concentrated effort around July 4.

    According to Peter Brecl, head of security product management for Lumen, the combined research from Black Lotus Labs and Lumen’s DDoS mitigation software underscores a crucial truth for businesses today: attacks have become more sophisticated, and cybercriminals are constantly looking for new ways to accomplish their goals.

    “This means organizations need to consider a holistic security solution that includes DDoS mitigation to protect the availability of infrastructure and applications, Web Application and API Protection (WAAP) to protect against application-layer attacks, and bot management services to protect from malicious or unwanted bots. As organizations navigate through their digital transformation, this type of multi-layered approach is more important than ever,” explained Brecl.

    The post Attackers are using CLDAP to amplify DDoS attacks up to 70 times appeared first on TechWire Asia.

    Everyone’s falling for the shape-shifting threat – so how to overcome this recent cyber-attack? https://techwireasia.com/2022/09/everyones-falling-for-the-shape-shifting-threat-so-how-to-overcome-this-recent-cyber-attack/ Thu, 01 Sep 2022 00:00:56 +0000 https://techwireasia.com/?p=221153

  • APAC region experienced 23.5% of the total cyber issues reported in 2021, resulting in a long-term impact on organizations and individuals
  • In the age of fake news, deepfake technology has risen in popularity as a way for cybercriminals to deceive individuals and compromise businesses

    The size and nature of the cyber-attack surface have changed dramatically from earlier times. Organizational cybersecurity used to resemble defending a building: a fairly simple, one-dimensional activity. The modern era, however, has shown that recent cyber-attacks are capable of wreaking havoc on a wide variety of businesses, including the media, financial institutions, governments, the oil and gas industry, and others.

    These hacks coincide with a worrying rise in ransomware as part of an array of increasingly sophisticated attacks. As corporations exposed their networks, data, and processes in the shift to a new digital era, these incidents grew in number.

    There is simply more available for threat actors to target in today’s enterprise cyber-attack surface than ever before. Additionally, an organization’s ability to respond quickly to attacks may be hampered by its lack of understanding of its cyber-attack surface.

    Tech Wire Asia had the opportunity to speak with Rick McElroy, Principal Cybersecurity Strategist at VMware, about how deepfake technology is being leveraged to carry out cyber-attacks.

    What is the current threat landscape looking like in the APAC region?

    Rick McElroy, Principal Cybersecurity Strategist at VMware, discusses the recent cyber-attacks surfacing in the APAC region.

    Overall, the picture for cybersecurity currently remains a bumpy ride for the foreseeable future. The APAC region experienced 23.5% of the total cyber issues reported in 2021, resulting in a long-term impact on organizations and individuals. New capabilities are being seen from threat actors like North Korea, which should cause concern for the region. Additionally, organizations in APAC are also struggling to find and retain the right cyber talent, putting businesses at greater risk amid the surge in security breaches and attacks.

    Why are cyber-attacks being launched using deepfake technology? Is it because they are simple to launch?

    Simply put, it is working. Two out of three respondents surveyed this year in our Global Incident Response Threat Report saw malicious deepfakes used as part of an attack, a 13 percent increase from last year, with email as the top delivery method. Cybercriminals use deepfake technology to compromise and gain access to organizations, and in the era of fake news, deepfakes have become a more popular way to manipulate people.

    Attackers do what works and invest time in techniques that generate high ROI. In this case, using deepfakes allows for targeted attacks that yield fruit. I think this also speaks to email-based phishing attacks probably being disrupted by organizations, which causes a change to how the criminal elements are operating.

    What kinds of threats may a deepfake attack cause to a company?

    Deepfakes pose grave threats to individuals, companies, and institutions as cybercriminals gain access to sensitive data, spread false information, and damage a company’s reputation. Studies show that the majority of reputational damage often occurs within 24 hours after the incident. It might be too late before the company responds, and the damage might be irreversible.

    Deepfakes are often used to scam companies to either demand money or gain access to sensitive/classified data. This is done through various means such as wire scams, fraud, and certainly, the targeting of individuals to get them to do things like password resets or add a criminal into multi-factor authentication (MFA) mechanisms. They are also using deepfakes in an attempt to gain employment and receive a paycheck. The FBI in the US warned about this in July of this year.

    Is exploiting lateral movement to conduct an attack a recent practice among cybercriminals?

    No, however, the prevalence and lack of visibility or prevention mechanisms by organizations needs to be shored up. We are not doing enough globally to stop attackers once they gain access to systems. But it’s not enough to solely focus on prevention since it’s impossible to prevent/stop every attack. Cybercriminals are relentless with finding their way into networks and around perimeter defenses, so organizations need to shift their focus to detection and analyzing the tactics and strategies deployed by cybercriminals to gain a significant leg up. Currently, attackers seem to be able to move around undetected for long periods of time. We need better security to combat this.

    Are cybercriminals also leveraging the privilege escalation approach while using lateral movement to compromise organizations?

    Yes, their main goal is to not get caught and gather as much information as possible and access to credentials, specifically accounts with elevated privileges. Once attackers get admin access, they can disable security tools, delete logs, and even install their own software across numerous systems. Therefore, cybersecurity leaders must place ample focus on lateral movement and credential harvesting attacks since most of the downstream impacts are due to the aforementioned issues.

    What countermeasures should organizations take against these “new” attack types? What is the best way to deal with deepfakes?

    We’ll need focused deepfake education for groups that may be impacted. In my opinion, this starts with the finance and IT sectors. Additionally, lateral movement prevention focus needs to happen at the switch level (where traffic traverses) and the hypervisor level, and there are several technologies that focus on limiting lateral movement. Credential harvesting looks to move towards a well-implemented, well-managed MFA solution. Although this will not stop all attackers, it is a step in the right direction. That being said, well-implemented MFA requires a large amount of effort on the attacker side to bypass, because this level of effort can cause them to focus on easier, lower-hanging fruit. Simply put, don’t be a soft target.

    The post Everyone’s falling for the shape-shifting threat – so how to overcome this recent cyber-attack? appeared first on TechWire Asia.
