Blog entry by Les Bell

by Les Bell - Thursday, November 3, 2022, 8:51 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Insights into Initial Access Brokers and Ransomware Victims

A new report from strategic threat intelligence firm KELA provides some fascinating insights into the scale and operations of the top ransomware gangs, the industry sectors and countries they are targeting, and the role of initial access brokers in selling network access to the ransomware gangs.

The most prolific ransomware and data leak actors in Q3 2022 were LockBit, Black Basta, Hive, Alphv/BlackCat and the relatively new BianLian, and while they targeted the US most - with 40% of ransomware and extortion attacks - European countries were next in line. The explanation, presumably, is very simple: that's where the money is. It also makes sense that the most-targeted industry sector was professional services - that's where the sensitive data is.

During Q3 2022, KELA traced over 570 network access listings for sale, which would give the initial access brokers a total revenue of around $US4 million. The average price for access was around $US2800 and the median, $US1350. The number of listings was only slightly higher than Q2, but the prices are rising.

Borochov, Sarit, Ransomware Victims and Network Access Sales in Q3 2022, technical report, October 2022. Available online at https://ke-la.com/wp-content/uploads/2022/10/KELA-RESEARCH_Ransomware-Victims-and-Network-Access-Sales-in-Q3-2022.pdf.

Ransomware Impact on US Banks: $US 1.2 Billion

The US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) has released its Financial Trend Analysis of ransomware trends. The report, released in conjunction with the International Counter Ransomware Initiative Summit, is based on Bank Secrecy Act (BSA) data, and shows a significant increase in ransomware-related filings during the second half of 2021.

Among the notable findings:

  • Reported ransomware-related incidents have substantially increased from 2020 levels.
  • Ransomware-related BSA filings in 2021 approached $1.2 billion.
  • Roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 pertained to Russia-related ransomware variants.

FinCEN identified 84 ransomware variants during the period of this review; all of the top five highest-grossing ransomware variants in this period are connected to Russian cyber actors.

Uncredited, FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021, news release, 1 November 2022. Available online at https://www.fincen.gov/news/news-releases/fincen-analysis-reveals-ransomware-reporting-bsa-filings-increased-significantly.

Webinar and FAQ on Cyber Insurance

Sticking with the theme of ransomware: one concern is that cyber insurance policies are distorting the ransomware market by incentivizing victims to simply pay the ransom, since the cost will be covered by an insurance policy. Some insight into this process can be found in an interesting webinar and FAQ provided by Trend Micro, in which their cyber risk specialist, Vince Kearns talks to the VP of Insurance at iBynd, an InsurTech broker that specializes in cyber insurance.

The top question is pretty obvious: What are the most important cyber insurance policy coverages for businesses? And here is the answer:

  1. Notification and expense coverage
    After customer data is compromised, there are state-regulated notification requirements an organization must follow. Cyber insurance companies help navigate and handle the notifications and expenses associated with them such as hiring a forensics expert to identify the cause of the breach, monitoring the affected individuals’ credit score, and paying costs to restore stolen identities.
  2. Business interruption
    Remember when Kaseya, a US ransomware attack, led to Swedish supermarket chain, Coop, shutting down 800 stores? If Coop had business interruption coverage, it would help recoup (no pun intended) some or all the lost revenue.
  3. Liability
    In the event a group or individual decides to sue your business after a breach – for example, for negligence because you didn’t have the right security controls and procedures in place to stop sensitive data from being compromised — liability coverage would assist with legal expenses and/or settlement costs.
  4. Funds transfer fraud
    The FBI estimates that since 2016, business email compromise (BEC) attacks have caused $43B in losses. If an unsuspecting employee falls victim to a BEC scam, funds transfer fraud coverage helps cover losses.
  5. Ransom/extortion
    If you find yourself being extorted after cybercriminals encrypt and potentially exfiltrate sensitive data, this coverage will help you attribute the threat actor, negotiate, and pay on the behalf of the business to regain access.

The FAQ continues, delving into the factors that affect policy pricing, the role of risk rating services like SecurityScorecard and BitSight, the effect of cryptocurrency on ransomware policy coverage and other useful information.

Trend Micro staff, Cyber Insurance Market 2022: FAQs & Updates with iBynd, blog post, 5 August 2022. Available online at https://www.trendmicro.com/en_us/ciso/22/h/cyber-insurance-market-2022.html.

OpenSSL 0day Patches Appearing - But No Big Deal

The expected patches for the widely-noised OpenSSL 3.0 vulnerabilities have now started to flow through the supply chain, but as also expected, there was a lot of smoke but not much fire, primarily due to the fact that OpenSSL 3.0.x is not yet widely deployed.

CVE-2022-3602 is a buffer overflow (in 2022?) in the code for name constraint checking in X.509 certificate verification, but its exploitation would require a certificate authority to sign a malicious certificate (or the verifying application to ignore the absence of a path to a trusted issuer), and could conceivably lead to remote code execution. CVE-2022-3786 is a similar buffer overflow (yes - in 2022) which could crash a system.

The update has now started to flow through software distribution channels - our only vulnerable machine, a dev/test server, updated its OpenSSL installation around 0330Z on 2 November. The Dutch NCSC is maintaining a GitHub page listing software which incorporates OpenSSL, along with its vulnerability status, at https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md.
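A small triage helper for the patch roll-out described above, added here as an example and not taken from the blog or the OpenSSL project: it takes the first line of `openssl version` output collected from several (constructed) hosts and flags the builds that still need the fix. The affected range (3.0.0 through 3.0.6, fixed in 3.0.7, with 1.1.1 and earlier series not affected) is taken from the OpenSSL advisory rather than from this post.

```python
"""Flag OpenSSL builds affected by CVE-2022-3602 / CVE-2022-3786.

Assumption (from the OpenSSL advisory, not this post): 3.0.0 to 3.0.6
are affected, 3.0.7 carries the fix, other series are not affected.
Caveat: `openssl version` only reports the system copy; statically
linked or vendored copies (see the NCSC software list) need checking
separately.
"""
import re

# Constructed sample: host name, then the first line of `openssl version`.
# The "(Library: ...)" part is the libcrypto/libssl actually loaded and can
# differ from the binary's own version, so every version on a line is checked.
INVENTORY = """
web01   OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
devtest OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
legacy  OpenSSL 1.1.1q  5 Jul 2022
bastion OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
broken  no openssl binary found
"""

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from an `openssl version` line, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True for 3.0.0 <= version <= 3.0.6, i.e. a 3.0 release before 3.0.7."""
    return version is not None and (3, 0, 0) <= version <= (3, 0, 6)

def triage(inventory):
    """Map host name -> 'affected', 'ok' or 'unknown' (no version parsed)."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, rest = line.partition(" ")
        versions = [tuple(int(x) for x in m) for m in VERSION_RE.findall(rest)]
        if not versions:
            results[host] = "unknown"   # no OpenSSL found: check by hand
        elif any(is_affected(v) for v in versions):
            results[host] = "affected"  # binary or linked library still old
        else:
            results[host] = "ok"
    return results

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:8s} {status}")
```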

Uncredited, OpenSSL Security Advisory [01 November 2022], security advisory, 1 November 2022. Available online at https://www.openssl.org/news/secadv/20221101.txt.

Australia's Shadow Security Minister Embarrassed By Site Hack

Liberal Senator James Paterson, chairman of Parliament's Joint Committee on Intelligence and Security in the previous Liberal/National Coalition government, has been embarrassed by the revelation that the website of an organization he had founded had been overrun for over a year by hackers posting thousands of pages touting illegal and dubious products, including "endorsements of graphic pornography, cryptocurrency schemes, apparently non-prescription use of steroids and an erotic, Russian version of poker".

The site also hosted pages promoting spyware, keystroke loggers and, for a little over an hour after queries were sent to the Senator, a gateway for credit card payments (adult membership: $120.00).

Senator Paterson has been a strong proponent of increasing government powers to monitor the Internet to counter foreign threats, and to increase the powers of the Australian Cyber Security Centre, and so after the site was shut down, senior Liberals promptly referred the case to the ACSC.

There is no suggestion that Senator Paterson was directly responsible for the administration of the site, which had fallen into disuse. However, it was minimally maintained and secured, and there was a definite failure of governance in this case.

Robertson, James and Matthew Elmas, James Paterson's cyber hard line undermined as website is overrun by bots, The New Daily, 2 November 2022. Available online at https://thenewdaily.com.au/news/politics/2022/11/02/james-paterson-cyber-security-embarrassment/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
