Tag: ransomware

Security Service Edge and Zero Trust Are the Keys to Safeguarding the Modern Enterprise

By Blog

A new study examined Security Service Edge (SSE) adoption, and the role it plays in establishing a zero-trust architecture. According to the report, SSE’s popularity is reflected in the fact that 71% of cybersecurity professionals are familiar with it, despite it only being around for about two years. In fact, SSE ranks above single sign-on (SSO), multifactor authentication (MFA), endpoint security, and Security Information and Event Management (SIEM) in the minds of IT executives as a key technology in the achievement of zero trust. That’s why 65% of organizations plan to adopt SSE in the next 24 months, with 43% planning on implementing before the end of 2023.

Zero trust is all about securing endpoints, applications, IT infrastructure, and data on the assumption that any network or endpoint is always at risk of either internal or external attack. Accordingly, zero trust means individuals are not automatically trusted just because they are on the network. They must prove who they are and are given limited access to only the systems they need. The same applies to devices. Zero trust verifies machine identities and picks up changes such as the browser being used for access. In essence, no device or identity is trusted, and all are denied access to corporate assets until they meet a defined set of criteria.
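The decision logic that paragraph describes, written out as an added example (this is not Syxsense code; every field, threshold, policy name and entitlement below is a hypothetical illustration): identity is checked on every request, a changed browser or a sensitive resource forces a fresh second factor, a device that is unenrolled, unpatched or running stale antivirus signatures is refused with the remediation that would make it compliant, and even a fully trusted session reaches only the resources its user is explicitly entitled to.

```python
"""Added example (not Syxsense code): a minimal zero-trust access decision.

Every field, threshold and policy name is a hypothetical illustration of the
text's idea: identity and device are verified on every request, network
location counts for nothing, and access is limited to what is explicitly granted.
"""
from dataclasses import dataclass, field

MAX_PATCH_AGE_DAYS = 14              # assumed compliance threshold
MAX_AV_SIGNATURE_AGE_DAYS = 3        # assumed compliance threshold
SENSITIVE_RESOURCES = {"hr-portal"}  # resources that always require step-up MFA

# Per-user allow-list: nothing is reachable unless listed here (least privilege).
ENTITLEMENTS = {
    "alice": {"hr-portal", "mail"},
    "bob": {"mail"},
}


@dataclass
class AccessRequest:
    user: str
    identity_verified: bool      # primary credential accepted
    mfa_passed: bool             # second factor completed in this session
    device_enrolled: bool        # known, managed machine
    days_since_last_patch: int
    av_signature_age_days: int
    browser: str                 # browser family seen now
    last_seen_browser: str       # browser family from the previous session
    resource: str


@dataclass
class Decision:
    allow: bool = True
    reasons: list = field(default_factory=list)      # why access was refused
    remediation: list = field(default_factory=list)  # actions that restore compliance


def evaluate(req: AccessRequest) -> Decision:
    d = Decision()

    def deny(reason: str) -> None:
        d.allow = False
        d.reasons.append(reason)

    # Identity: being on the network proves nothing; the user must authenticate.
    if not req.identity_verified:
        deny("identity not verified")

    # A context change (different browser) or a sensitive resource requires a
    # fresh second factor, mirroring "picks up changes such as the browser".
    step_up = req.browser != req.last_seen_browser or req.resource in SENSITIVE_RESOURCES
    if step_up and not req.mfa_passed:
        deny("step-up MFA required (browser changed or sensitive resource)")

    # Device posture: unknown or non-compliant machines are blocked, and the fix
    # that would make the device compliant is recorded for automated remediation.
    if not req.device_enrolled:
        deny("device not enrolled")
    if req.days_since_last_patch > MAX_PATCH_AGE_DAYS:
        deny("patches out of date")
        d.remediation.append("deploy pending OS and third-party patches")
    if req.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        deny("antivirus signatures stale")
        d.remediation.append("update antivirus signature database")

    # Least privilege: a trusted session still reaches only granted resources.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        deny(f"no entitlement for {req.resource}")
    return d


if __name__ == "__main__":
    compliant = AccessRequest("alice", True, True, True, 3, 1, "chrome", "chrome", "hr-portal")
    print(evaluate(compliant))
    stale = AccessRequest("bob", True, False, True, 30, 1, "firefox", "chrome", "mail")
    print(evaluate(stale))
```

The point of returning a remediation list rather than a bare deny is that the same evaluation can drive the "apply fixes and remediate issues in real time" loop the post goes on to describe: the engine that refuses access is also the one that knows what would make the endpoint acceptable.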

SSE has quickly become a top strategic initiative for organizations due to the role it plays in Secure Access Service Edge (SASE) adoption and successful zero trust implementations. The study found that 67% plan to start their SASE strategy with an SSE platform, compared to 33% with SD-WAN. Why? SSE is seen as more secure while also bringing gains in terms of cost reduction and productivity.

Access Complexity

An area of confusion emerged in the study – access complexity. Researchers found that 63% of enterprises have at least three access security solutions in play. Nearly a quarter leverage six or more access solutions. As well as raising costs, management complexity, and taking up IT time, this mess of access applications inevitably leads to security holes. Cybercriminals are eager to exploit any areas where access controls are weak or missing. Users of legacy access solutions, in particular, believed their top challenge was that their current platforms granted too much inherent trust to users. This goes against the grain of the zero-trust mindset.

The survey showed that SSE services are seen as providing a means of reducing costs. The legacy solutions that enterprise security teams most expect to replace with SSE in the coming year are VPN concentrators (63%), SSL inspection services (50%), Distributed Denial of Service (DDoS) protection (44%), and data loss prevention (DLP) services (42%).

Implementing Zero Trust in the Enterprise

Security vendors are coming to market with all manner of tools aimed at achieving zero trust goals. The latest version of Syxsense Enterprise forwards these goals via an integrated Zero Trust module. By using Syxsense for vulnerability detection, management and remediation, organizations have no need to add additional products or tools to achieve zero trust protection. Further, Syxsense Enterprise consolidates different tools for patching, vulnerability scanning, remediation, mobile device management (MDM), and zero trust in one unified platform. It blocks users on untrusted devices, automatically triggers actions to prevent breaches, and enables endpoint compliance using Zero Trust Network Access (ZTNA) policies.

The Syxsense Zero Trust module, then, serves as a trust evaluation engine for endpoints. Security teams can use it to build sophisticated access policies, apply fixes and remediate issues in real time to enable (or block) access. In addition, remediation of non-compliant endpoints includes automation to take care of tasks such as deploying an urgently needed security patch, updating the anti-virus signature database, and alerting IT about unauthorized access attempts.

For more information, visit: www.syxsense.com

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

New Study Highlights the Growing Role of SaaS and MSPs

By Blog

Software-as-a-Service (SaaS) is very much in demand, according to a new survey. This is good news for vendors offering SaaS services as well as MSPs who are grabbing a steadily larger slice of the expanding as-a-Service pie. The report reveals that many companies are struggling to manage their many SaaS applications. They often don’t know which apps are running, who authorized them, who needs them, and how much they cost. Only about 40% of businesses, it turns out, comprehensively track SaaS information. The rest are seriously lacking in relevant data about their SaaS portfolio.

One of the key findings was that 30% of organizations already spend 50% or more of their software budget on SaaS. Another 40% estimate that SaaS accounts for anywhere from 25% to 50% of their software expenditure. Thus, in the modern world, only 30% of organizations have less than 25% of their annual software budget being spent on SaaS. Clearly, SaaS is here to stay. That is good news for the vendors offering it as well as MSPs who add value by taking the management, tracking, and billing burden away from user organizations. These MSPs provide the service, charge a monthly fee, and take care of everything for their clients. This frees up IT to work on strategic priorities.

The major areas where MSPs can gain ground, according to the survey, are security, compliance, and cost. Two-thirds of respondents expressed concern around security risks, data breaches, and noncompliance. No wonder MSSPs are picking up business from enterprise users to ensure their SaaS-rich environments are safeguarded. As well as taking over the running of SaaS applications for functions such as CRM, ERP, and backup, MSPs are gaining business by upselling a host of security tools such as patch management, vulnerability management, endpoint management, and more.

The survey also noted that 57% of respondents expressed concerns around wasted spending and hidden or untracked SaaS costs. Part of the problem is that 89% of companies said at least three departments were involved in SaaS management. While the IT/software asset management teams often took the lead, they typically deal with at least two other parts of the organization that want to be involved in selecting, deploying, and managing various parts of the SaaS estate. Again, this is an area where MSPs are stepping in as a means of centralizing SaaS management.

In some cases, MSPs help organizations optimize their SaaS application portfolios. 80% of companies covered in the report said they were actively optimizing their applications or were planning to. Similarly, 75% said application rationalization and consolidation was a stronger focus than before. In this arena, MSPs must compete with vendors offering application management and rationalization platforms.

Finding the Right Security Vendors

Those MSPs wanting to add security services to their current offerings are advised to choose their partners carefully. The Syxsense Managed Service provider program is designed for MSPs and MSSPs looking to provide a higher level of management services to their customers. It consolidates multiple solutions together into a single offering that includes IT Management, Patch Management, Security Vulnerability Remediation, and a robust policy-based Zero Trust product.

Syxsense provides innovative, intuitive SaaS-based endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Our unified security and endpoint management platform centralizes the three key elements of endpoint security management (vulnerabilities, patching and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex™, all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm.

For more information, visit: www.Syxsense.com


Ransomware Just Won’t Go Away

By Blog

Historically, successful attack strategies continue until adequate defenses are assembled. For example, the Mongol hordes ravaged Asia and Eastern Europe for centuries. A simple invention – the walled town – ended their ability to ride in from the wilderness and devastate a settlement. Since then, innovation has ended the dominance of the longbow and other forms of weaponry.

Maybe there will come a time when ransomware, too, will finally go away. But it is so lucrative that the bad guys are using it for all it’s worth. It is up to enterprises to up their game to be able to thwart it.

Ransomware Rising

Research from NCC Group reveals that ransomware activity is rising again. December 2022 saw 269 ransomware attacks in the US, approaching the peak levels for the year experienced back in March and April of 2022. The leading antagonist in December was Lockbit, which accounted for 19% of attacks, followed by BianLian (12%) and BlackCat (11%). BianLian saw a 113% increase in ransomware activity for the month, using the rarely seen Go (‘Golang’) programming language. This group can encrypt victim devices rapidly and has a playbook that is causing concern: it releases victim names in stages to prompt organizations into payment, and if payment is not received, it releases all the names.

Researchers at Comparitech came up with similar findings. They found 335 publicly reported ransomware attacks in 2022 in the US. But they drew attention to the previous year when double the number of ransomware attacks occurred.

Why the decline in 2022? One reason could be more targeted attacks. Hackers want to catch the biggest fish. They are going after them with more tailored tactics aimed at securing the biggest paydays. Further, in the event of non-payment, they prefer big names and well-known companies where there is a major embarrassment factor when they post the data for sale on the dark web or publish it online. Thus, we have seen ransom demands drop from an average of $5.5 million in 2021 to $4.74 million in 2022 – yet the business sector experienced a surge in ransom demands, from an average of $8.4 million in 2021 to $13.2 million in 2022. Additionally, the average number of records breached in ransomware attacks in the business sector increased from 100,000 in 2021 to almost 900,000 in 2022.

The worldwide pattern largely follows that of the US: 1,365 ransomware attacks in 2021, dropping to 769 in 2022. However, the effectiveness of attacks has risen – again showing the likelihood of more precise targeting. In 2021, 49.8 million records were impacted by ransomware attacks, and that number more than doubled to 115 million in 2022. Major victims include TransUnion South Africa (54 million records), Russia’s Digital Network Systems (16 million records), Australia-based Optus (9.8 million), Medibank (9.7 million), and AirAsia Group (5 million).

Governmental and educational organizations remained heavily targeted by cybercriminals. Government-based ransomware attacks saw average ransom demands surge from $1.7 million in 2021 to $10.2 million in 2022. Further, the volume of records breached per attack rose from 15,327 to 39,383.

Safeguarding the Enterprise

In the modern world, there is no time to bury one’s head in the sand and hope for the best when it comes to ransomware. Organizations should expect incursion attempts to be made steadily. Therefore, they must be well prepared in advance to prevent, detect, mitigate, and cleanse all systems before major damage occurs. They must ensure that no single unspotted vulnerability or unpatched system exists across their network.

Syxsense Enterprise offers a way to stop breaches with one endpoint security solution. It encompasses:

  • Scanning for vulnerabilities: prevent cyberattacks by scanning for authorization issues, security implementation weaknesses, and antivirus status.
  • Device quarantining: Block communication from an infected device to the internet, isolate the endpoint, and kill malicious processes before they spread.
  • Patch Management: With support for all major operating systems, automatically deploy OS and third-party patches as well as Windows 10 Feature Updates.
  • Collaboration: IT and security teams can automatically collaborate in a single console to know and close attack vectors.
  • Mobile Device Management: Control over the devices in your organization to keep your business-critical resources secure on every single endpoint in your network.

For more information, visit: www.Syxsense.com


How Not to Get Phished

By Blog

Phishing remains one of the most popular avenues of attack by cybercriminals. Yes, zero-day exploits sometimes help them to strike gold. But the bread-and-butter front-line troops of cybercriminal gangs are phish-ers of men and women.

It is rumored that in some regions these scammers work in office buildings, much like regular employees in the workaday world. They clock in at 9 AM, enjoy the office banter, gather round the water cooler, maybe even get some employee benefits, and clock out at 5 PM. The only difference is that their job descriptions revolve around phishing and hacking. Some devise campaigns while others are involved in areas such as researching phishing success, finding the best potential targets, composing new subject lines for emails, inserting malware into attachments and URLs, setting up fake websites, cold calling people, sending text scams, and trawling through social media to glean valuable data on high-value targets. This could be characterized as the ugly stepchild of modern marketing. They work hard to trick you. Some are really good at it.

Hot Phishing Subject Lines to Watch Out For

The latest report on phishing from security awareness training vendor KnowBe4 lays out the top email subjects clicked by users in the simulated phishing tests they conduct, the top attack vectors, and popular phishing email tactics.

Bottom line: Phishing via email continues to be one of the most common and effective methods to maliciously impact users and networks. The report lays out the ways in which cybercriminals constantly refine their strategies and how this helps them to keep outsmarting end users. They regularly review the click rates of their email subject lines. If the numbers dip sharply, they change the campaign or the topic. They are always looking at the headlines for something that will grab user attention to lead to an inadvertent click.

Most recently, phishers have focused on business-related email subjects as being the most fruitful. That’s why you are seeing so many fake messages about HR, IT, management issues, as well as subject lines about web services such as Google and Amazon. A big surprise in this year’s KnowBe4 report is that nearly 50% of email subjects were about HR matters. The rest were primarily on career development, IT issues, and notifications about work projects.

Users have grown accustomed to receiving regular emails from HR to do this or that, comply to X, or complete Y by end of week. Scammers know this. They send genuine-looking emails about fake HR subjects (and sometimes they even hack into corporate email systems and send these phishing emails from an actual HR user account). Users tend to open these emails and a good number click on the attachments or links. This either directly infects their systems, or fools them into entering login and other personal details.

What Users Need to Do to Minimize Phishing Impact

Here are some steps to take to avoid falling prey to phishing scams:

  1. Institute regular security awareness training to keep users up to speed on the latest tactics used by scammers.
  2. Simulate phishing attacks to measure user tendency to click on malicious links and attachments.
  3. Conduct regular scans of all endpoints on the network to locate vulnerabilities, weak points, unpatched systems, and misconfigurations.
  4. Deploy an automated patch management system to ensure all endpoints are properly patched.

Syxsense Enterprise delivers real-time vulnerability monitoring, automated patch management, instant remediation for all endpoints, IT management, Mobile Device Management (MDM), and zero trust capabilities across your entire environment. Breaches can now be detected and remediated within one endpoint solution. It can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread. It automatically prioritizes and deploys OS and third-party patches to all major operating systems, as well as Windows feature updates. IT and security teams can use Syxsense Enterprise to collaborate on the detection and closing of attack vectors. It offers management, control, and security for any and all desktops, laptops, servers, virtual machines, and mobile devices.

For more information, visit: www.Syxsense.com


Education Sector Remains a Major Target for Ransomware Attacks

By Blog

The education sector has been in the crosshairs of cybercriminals for years. If anything, it is getting worse. According to a study by Comparitech, almost 1000 schools were affected by ransomware in 2021, impacting about a million students. Total price tag? Estimates of the cost to educational institutions are around $3.5 billion in downtime alone, not to mention the ransomware payments themselves.

In many cases, the ransom is paid. Otherwise, schools and colleges face days or weeks of shutdowns, often at critical periods such as during exams or enrollment for the new year. In some cases, these attacks are fatal. Lincoln College, attacked in late 2021, has now permanently closed its doors due to fallout from the attack that led to a lack of enrollments. To make matters worse, the college paid the ransom.

Ransomware payouts from educational institutions vary widely. They range from $100,000 to as much as $40 million. Hackers typically do their homework in advance and have become skilled in knowing the means of the institution and the business impact of being shut out of systems. They set their ransoms accordingly.

Further tactics include double-extortion attempts: hackers encrypt systems and demand a fee to hand over the encryption key. But they also threaten to post sensitive data online. This double-whammy kind of treatment has been meted out to the likes of Broward County Public Schools, Clover Park School District, Somerset Independent School District, Union Community School District, and the Affton School District. Top targets include New York, Texas, Florida, and Arizona.

Vice Society

The most recent headlines about school cybercrime have centered around a threat group known as Vice Society. It specifically goes after K-12 school systems. It successfully breached the LA County Unified School District (LAUSD) in September 2022. Timed to disrupt the district at the beginning of the academic year, hackers hoped to extort funds due to around 640,000 students being impacted by the ransom attack.

Vice Society targets schools as they are thought to be relatively soft targets. As well as being more likely to pay a ransom due to possessing a strong desire to serve their students, they are also not known to have strong security.

At LAUSD, Vice Society exfiltrated 500 GB of personal information. They asked for a ransom and threatened to leak sensitive personal data to the public. In this case, the school district decided not to pay up. They reasoned a) there was no guarantee hackers wouldn’t end up leaking the data anyway and b) the money could be put to better use by funding student needs.

That is part of a growing trend. While some organizations continue to pay ransoms, many others are now refusing to do so.

Schools Need Help

Educational institutions have been late to the cybersecurity party as their focus is always on attending to the needs of their students. But recent events have forced them to pay more attention to security. However, it is not their core competency.

Thus, schools are encouraged to seek outside help in combating cybercrime. Vendor-based Software-as-a-Service (SaaS) security offerings are widely available. Alternatively, managed security service providers (MSSPs) can provide robust security safeguards that combat ransomware, safeguard systems, and free up the IT departments within educational bodies to focus on tools and systems that serve an educational purpose.

Syxsense Enterprise offers the educational sector real-time vulnerability monitoring, automated patch management, instant remediation, and IT management across all endpoints on one console. It can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread. In addition, it can automatically prioritize and deploy OS and third-party patches to all major operating systems, as well as Windows 10 and 11 feature updates. It offers peace of mind for any and all desktops, laptops, servers, virtual machines, and mobile devices. Syxsense Enterprise is also available to MSPs via our MSP Partner Program.

For more information, visit: www.Syxsense.com


Managing the Endpoint Vulnerability Gap: Key Findings

By Endpoint Security

Syxsense is pleased to be a sponsor of Enterprise Strategy Group’s latest survey on the Endpoint Management Vulnerability Gap. Respondents to this survey included IT and cybersecurity professionals involved with endpoint management and security technologies and processes. These professionals work for companies with 100 employees or more and cover a variety of industries.

The objectives of this research are to:

  • Identify challenges, strategies and trends in endpoint management and security
  • Determine if and how endpoint management and security functions and systems are converging
  • Highlight opportunities for improving endpoint management and security fueled by functional convergence

Fill out the form below to get your copy of the eBook.

Password Managers: To Use or Not to Use

By Blog

A series of recent incidents has led to debate concerning the value of password managers.

  • PayPal sent out breach notifications to thousands of users that had their accounts accessed through credential stuffing attacks that exposed some personal data. Some linked the attack to password reuse across systems. As many people use the same password on multiple accounts, they run the risk of their accounts being breached by bad actors who compromise one account and use that same password to enter other systems used by the user.
  • Credential stuffing attacks are becoming more common. Attackers use bots to attempt thousands of logins a second.
  • The popular password manager LastPass has been hacked multiple times over the past year or two. This has people wondering whether they should use such a tool or not.
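The second bullet describes the pattern a defender can actually look for: one source cycling through many different usernames in seconds, almost all of them failing, as opposed to a single user mistyping a password a few times. The following is an added example, not part of the post; the log format and every line in it are constructed, and a real SSO or web-server log would need its own regular expression. It also records which accounts succeeded from a flagged source, because those are the reused passwords that have already leaked and need resetting first.

```python
"""Added example (not from the post): spotting credential stuffing in an auth log.

The log format and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an ordinary user mistyping a password from 198.51.100.7,
# and one source (203.0.113.5) trying many different accounts within seconds.
CONSTRUCTED_LOG = """\
2023-01-20T10:00:00Z login src=198.51.100.7 user=alice result=FAIL
2023-01-20T10:00:04Z login src=198.51.100.7 user=alice result=FAIL
2023-01-20T10:00:09Z login src=198.51.100.7 user=alice result=OK
2023-01-20T10:01:00Z login src=203.0.113.5 user=alice result=FAIL
2023-01-20T10:01:00Z login src=203.0.113.5 user=bob result=FAIL
2023-01-20T10:01:01Z login src=203.0.113.5 user=carol result=OK
2023-01-20T10:01:01Z login src=203.0.113.5 user=dave result=FAIL
2023-01-20T10:01:02Z login src=203.0.113.5 user=erin result=FAIL
2023-01-20T10:01:02Z login src=203.0.113.5 user=frank result=FAIL
kernel: unrelated line that the parser skips
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames, mostly failing, inside one window.

    Returns {src: summary}; a source is only reported once, with the widest
    window (most distinct users) that crossed the thresholds.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    # Accounts that succeeded from a flagged source are the ones
                    # whose reused password has leaked: reset those first.
                    "compromised": sorted(e["user"] for e in win if e["result"] == "OK"),
                }
                if src not in alerts or summary["distinct_users"] > alerts[src]["distinct_users"]:
                    alerts[src] = summary
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(CONSTRUCTED_LOG).items():
        print(src, info)
```

The thresholds (five distinct usernames in a minute, at least 80% failures) are assumptions for the sample; in production they are tuned against the service's normal traffic, and a source such as a shared corporate NAT address will need a higher bar than a residential one.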

So, should you use a password manager or not? The short answer is yes, they need to be used. Why? According to KnowBe4, the average user accesses more than 170 different sites and services. Each one needs a password. This number may seem excessive. But take a moment to add it all up. Every bank account, all the work-related sites, social media, Amazon and other cloud services, travel sites, hotel sites, and on and on. (I added mine up and came up with over 200 logins). That’s part of the problem. What do users typically do to cope with this ridiculous number of passwords? They reuse passwords over and over and that opens the door to more widespread breaches.

When security policies are implemented forcefully concerning passwords, users are forced to change them every quarter, and in recent times have had to move from six characters to eight, ten or more. They have also been required to add capitals, numbers, and symbols. What is the user response? The average person without a password manager has fewer than 10 passwords (or password patterns) that they use across all the sites they deal with.

To make matters worse, many of these passwords are relatively weak. They can be broken quickly using brute force techniques. The consequence? If a hacker breaks one password, they can try it in many other places. Perhaps they only compromise Facebook at first. From there, however, they can try bank account logins using the person’s email and preferred password. They often strike gold. Crypto accounts, Amazon, and work accounts are also exposed to attack.

Password Manager Failings

Password managers, then, should be used. They provide strong, random passwords that are different for every site or service. Unlike eight-character passwords that can be cracked via brute force in short order, these passwords are unguessable by any known technology. But as the LastPass hacks made clear, password managers are not infallible. Those that store your passwords in the cloud are especially susceptible to attack. Those that store them locally, on the device where the password manager is used, are better. Yet there remains a single point of failure on that local machine: if the bad guys gain access to it, they can get inside the password manager if the user leaves it unlocked, see the stored passwords, and export them. Users are advised to configure password managers to lock automatically after a very short time.

Keyloggers can also be employed to steal the master password used to access any password manager. A good way around it is to require multi-factor authentication to unlock the password manager, such as receiving a text to your phone.

And like any software or system, password managers contain software vulnerabilities. They can be used by attackers to access or exploit password managers, sometimes even when they are locked. Vendors issue patches to fix these exploitable bugs.

Lack of encryption can be another weakness. Choose password managers that use strong encryption of stored passwords, logon names, URLs, and other sensitive data.

There are many other ways that hacking can occur. But like any other online system, the basics still apply:

1. Use a reputable password manager that applies the safeguards noted above.

2. Include multifactor authentication as part of the login process.

3. Update all password managers with the latest fixes and patches to keep them secure.

4. Include password managers in vulnerability scans to ensure no weaknesses are left undiscovered.

5. Keep systems in general fully patched and up to date. Password managers employ browser extensions and interface with other systems. Those other systems and extensions need to be patched, too.

Syxsense automates the process of installing patches, performing vulnerability scans, and remediating any issues found.

For more information, visit: www.Syxsense.com


Who is Being Victimized by Cybercrime? And Should You Be Worried?

By Blog

There is so much news about cybercrime that you might get the idea that it is happening to everyone everywhere – to all organizations of all sizes and across all industries. Certainly, there is some truth to the statement that all are at risk. But it remains a generality.

Orange Cyberdefense’s Security Navigator 2023 report makes it clear that specific industries, company sizes, and architectures are far more likely to be targeted and breached than others. So, should you be worried? Let’s take a closer look at the areas that pose the most risk, and the targets cybercriminals are most likely to go after.

Most Likely to Be Victimized

The report delivered insights from around 100,000 incidents worldwide. Here are the major findings:

  • Asia and Europe are surging as hot cyber-extortion destinations, but North America remains a key target. From 2021 to 2022, an increase was observed in the number of victims from Europe (+18%), the UK (+21%), East Asia (+44%), and especially the Nordic countries (+138%). North America, too, remains heavily attacked, but a little less so than before. 2022 showed the USA down by 8% and Canada by as much as 32%.
  • Small businesses are under the gun. The study found that 4.5x more small businesses fell victim to cyber extortion than medium and large businesses combined. This indicates a clear shift in tactics by cybercriminals as they have noted the lax defenses that often exist in the SMB sector. That said, large businesses can’t rest easy. In terms of sheer volume of attacks, they suffered by far the most attacks, and were also the most heavily impacted when they did get breached.
  • The manufacturing sector is in danger. The report found that manufacturers were the most likely to fall victim to cyber-extortion. It attributed this fact to poor IT vulnerability management among large manufacturers and the fact that they often rely on legacy infrastructure. As a result, they possess a lot of non-IT operational technology (OT) systems that are rarely as well secured as IT infrastructure.
  • Malware was the most prominent attack vector, appearing in 40% of all incidents processed. Network and application anomalies were the second highest incident type but dropped in frequency from 22% down to 19%.
  • 47% of all security incidents detected originated from internal actors. Whether deliberate or accidental, insider threats are growing. As well as from sheer malice, this can be due to misconfiguration, unpatched systems, or other errors made within companies.
  • Criminal groups are evolving fast. Of the top 20 actors observed in 2021, 14 are no longer in the top 20 of 2022. After Conti disbanded in Q2 2022, Lockbit2 and Lockbit3 became the biggest cyber extortion actors in 2022 with over 900 victims combined.

How to Avoid Becoming a Victim

The report laid out a series of key steps that organizations can take to ensure they do not land on the naughty list (also known as the cybersecurity victims list):

  • Implement multifactor authentication (MFA) on authentication interfaces.
  • Frequently back up business-critical assets and complement this with offline backups.
  • Test the integrity of these backups regularly by restoring critical functions.
  • Implement or upgrade endpoint protection and anti-malware systems.
  • Install defenses against Distributed Denial of Service (DDoS) attacks.
  • Configure firewalls and other perimeter equipment to allow only the minimum of outbound traffic to the internet.
  • Monitor outbound traffic closely for anomalies.
  • Identify trust boundaries and implement tight controls for services and users that want to cross into those zones. Least privilege and Zero Trust concepts can also apply here, as can network segmentation.
  • Identify and patch any internet-facing technologies, especially remote access such as VNC and Microsoft RDP, secure remote access such as VPNs, and other security technologies such as firewalls.
  • Practice continuous vulnerability management.
  • Prioritize patches based on whether vulnerabilities have known working exploits. This is applicable to infrastructure as well as end-user software or devices. Internet-facing services with known vulnerabilities must be patched.

Syxsense Enterprise takes care of the last three points while providing a Zero Trust framework. It offers automated patch testing, deployment, and prioritization, as well as continuous vulnerability scanning, mobile device management (MDM), IT management, and automated remediation.

For more information, visit: www.Syxsense.com

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Sloppy CVE Handling Could Mean It’s Time to Update Your CV – Unless You Bring in an MSP

By Blog

There are hundreds of Common Vulnerabilities and Exposures (CVEs) in existence, some more serious than others. All need attention, yet many organizations have gotten sloppy about how they take care of CVEs. Some take months to deploy the urgent patches covered by CVEs. Sometimes it can take years. In a few cases, organizations have unresolved CVEs that are more than a decade old.

Those in IT and cybersecurity that are guilty of ignoring or taking far too long to remediate CVEs are advised to either update their CVs and resumes and start sending them out – or bring in an MSP that can completely take care of patch management and vulnerability management. It’s the easy way to ensure no CVEs are unaddressed anywhere in IT systems.

CVEs in Neglect

Let’s take a look at some of the important CVEs that are largely neglected in many organizations. These are only a few examples out of many that could be lurking:

CVE-2018-13379 FortiGate VPNs: The CVE identifier includes the year of release. This one from 2018 is still being exploited despite regular alerts being issued about it. Advanced Persistent Threat (APT) groups continue to use it in attacks. It is such a severe risk that anyone using this VPN without the patch deployed should assume they are already compromised and begin incident management procedures. Remediation steps include removing these VPNs from service, returning them to factory default settings, reconfiguring them, installing all patches, and, once done, returning them to service. An upgrade to the latest FortiOS version is also recommended. A further step is to scan all hosts and networks that are in any way connected to the VPN, looking carefully for any signs of malicious activity.

There are also several high-priority patches from 2019 that are often unpatched in enterprise systems:

CVE-2019-19781, affecting Citrix NetScaler and dating from 2019, has been used to compromise, among other targets, an Australian defense database.

CVE-2019-11510 relates to Pulse Secure Connect. It can result in arbitrary file disclosure and leaks of admin credentials. This one has been used in attacks via VPNs and by nation-state actors.

CVE-2019-3396 for Atlassian Confluence is a remote code execution bug.

CVE-2020-0688 for Microsoft Exchange. Dating back to early 2020, it leaves server data unencrypted and open to attack. Nearing its third anniversary, it remains a potent vulnerability for the bad guys to exploit.

This is just a partial list. Others from 2019 that are deemed serious include CVEs related to a Cisco router, Oracle WebLogic Server, Kibana, Zimbra software, and the Exim Simple Mail Transfer Protocol (SMTP) server. When you factor in the CVEs from 2020, 2021, and 2022, the list is very long indeed.
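As an added example (not code from the report or from Syxsense), the following Python ranks a constructed inventory of unresolved findings the way the "How to Avoid Becoming a Victim" list above recommends: known working exploit first, then internet exposure, then how long the finding has been outstanding, and flags anything older than an assumed 60-day policy window standing in for "more than a couple of months". The CVE ids are those named on this page; the Finding type, the asset names, dates, exposure flags, and the placeholder CVE ids are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    published: date        # CVE publication date (constructed for this example)
    internet_facing: bool  # service reachable from the internet
    known_exploit: bool    # a working exploit is publicly known or in active use

# Constructed inventory: the CVE ids are the ones named on this page; asset
# names, dates and flags are illustrative assumptions, not real findings.
INVENTORY = [
    Finding("CVE-PLACEHOLDER-1", "ws-042 (desktop)", date(2022, 10, 15), False, False),
    Finding("CVE-2019-3396", "wiki01 (Confluence)", date(2019, 3, 25), False, True),
    Finding("CVE-2018-13379", "vpn01 (FortiGate)", date(2019, 6, 4), True, True),
    Finding("CVE-PLACEHOLDER-2", "web03 (nginx)", date(2022, 8, 15), True, False),
    Finding("CVE-2020-0688", "mail01 (Exchange)", date(2020, 2, 11), True, True),
]
SAMPLE_TODAY = date(2022, 12, 1)  # fixed "today" so the ranking is reproducible

def days_outstanding(f: Finding, today: date) -> int:
    """Days the vulnerability has been public without the fix being applied."""
    return (today - f.published).days

def priority_key(f: Finding, today: date):
    # Ascending sort key in the report's order: known working exploit first,
    # then internet exposure, then longest outstanding (age negated so older
    # sorts first).
    return (not f.known_exploit, not f.internet_facing, -days_outstanding(f, today))

def triage(inventory, today: date, max_age_days: int = 60):
    """Return findings in patch order; max_age_days=60 is an assumed policy
    window standing in for this page's 'more than a couple of months'."""
    ranked = sorted(inventory, key=lambda f: priority_key(f, today))
    return [
        {
            "cve": f.cve,
            "asset": f.asset,
            "age_days": days_outstanding(f, today),
            "urgent": f.known_exploit and f.internet_facing,  # patch these first
            "overdue": days_outstanding(f, today) > max_age_days,
        }
        for f in ranked
    ]

if __name__ == "__main__":
    for r in triage(INVENTORY, SAMPLE_TODAY):
        print(f'{r["cve"]:<18} {r["asset"]:<20} {r["age_days"]:>5}d', "URGENT" if r["urgent"] else "")
```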

Watch Your Back

Anyone with vulnerabilities and CVEs left unpatched for more than a couple of months in 2022 should watch their back, as they are open to the charge of neglecting their cybersecurity duties. Anyone with un-remediated CVEs from 2021, 2020, 2019, or even as far back as 2018, as in the case of the FortiGate VPN, could well be looking for a new job soon. They had better dig out their CV and get it updated fast.

Before the axe falls, a smart move would be to draft in help from an MSP to help eliminate these vulnerabilities, institute vulnerability management and attack readiness processes, and fully patch all applications, operating systems, and endpoints including mobile devices.

Syxsense offers managed security services for patch management, vulnerability management, and remediation. These services provide real-time, 24-hour security coverage. Syxsense also offers an MSP/MSSP program with a world-class platform. Both are built on the foundation of Syxsense Enterprise, an automated patch management, vulnerability scanning, mobile device management (MDM) and IT management platform. It detects outdated patches and threats in real time and can be used to implement updates before bad actors can take advantage of exploits. Syxsense Enterprise incorporates Zero Trust practices and includes features such as patch supersedence, patch roll back, and a wealth of automation and configuration features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.

For more information, visit: www.Syxsense.com


Long Patching Delays Haunt Enterprise Cybersecurity

By Blog

Imagine a kingdom facing invasion from a hostile and determined foe. The citizens band together to build the highest and widest walls possible. They erect battlements, dig deep moats filled with water, forge mighty gates of the strongest metal, and spend countless thousands of hours making sure they are fully secure – only for all to be lost as someone forgot to lock the back gate being used to take out the garbage.

A similar situation is haunting modern enterprise “kingdoms.” Businesses are spending a fortune on cybersecurity – as much as 20% of the overall IT budget. They are deploying intrusion detection and remediation systems, endpoint management technology, Security Information and Event Management (SIEM), threat detection, ransomware prevention, next generation firewalls, Zero Trust Network Access (ZTNA), multifactor authentication (MFA), Secure Access Service Edge (SASE), and a host of other solutions to remain free of breaches. But the entire team is being let down by one little patch that was never deployed on a critical server. Result: the bad guys get in, hold the organization to ransom, extort millions, and live to wreak havoc another day.

This situation is far closer to reality than fairytale in many organizations. Orange Cyberdefense’s Security Navigator 2023 report revealed many startling findings. But by far the most shocking was the state of enterprise patching. Researchers found that businesses are taking an astonishing 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally still takes more than 6 months to deploy a patch.

Take the Log4j vulnerability. It was originally disclosed on 9 December 2021, which means that, on average, most organizations hadn’t deployed the many patches released to counter Log4j until July of 2022. How could it be that this vulnerability was labeled by many as one of the most serious to appear in years, yet so many chose to ignore the warnings and left the patches gathering dust?

Why So Long to Patch?

Why might it take so long for organizations to deploy urgent patches? Complacency and neglect are certainly factors to consider. Functions like patching and backup are often treated as routine, non-emergency duties. Perhaps initially they are given importance.

New patch management software or services are obtained. Best practices are discussed and implemented. All is well for a while. But over time, these functions receive less and less attention. They are perhaps still done, but fewer eyes are on them: no one checks whether patches were deployed correctly, whether new systems and devices were added to the patching schedule, how long patches took to deploy, or how many patches are currently backlogged.

Testing is another area where organizations can inadvertently cripple patching effectiveness. Once upon a time, they may have suffered some problems due to a glitchy patch that caused downtime. They institute a lengthy and laborious patch testing protocol which, in reality, means that every patch has to go through testing before being sent anywhere. As a result, some patches take an age to be deployed.

There is no time to lose in installing priority patches. Syxsense provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches rapidly across the wire once and then use peer-to-peer within the network for local distribution. This ensures there are no network bottlenecks blocking patch delivery. In the case of a patch or update that causes incompatibilities in other systems, patch roll back features allow you to return systems to the state that existed before the implementation of a new patch.

Lack of Automation in Patching

Lack of automation, too, can dead-end organizational patching. If it remains a manual process, it becomes all too easy for someone to forget to deploy patches or omit transmitting them to half the devices in the network. With hundreds or even thousands of endpoints to manage, lack of automation can delay the implementation of critical patches. Automation saves time as IT no longer has to formulate scripts, hop from one screen to another, or manually push out patches to various destinations.

Additionally, there are factors such as incomplete inventorying of devices and poor reporting. It is one thing to say all systems are patched and fully updated. But it is another to be able to prove it. Comprehensive inventorying and reporting are vital.

Syxsense lets you easily manage unpatched vulnerabilities with the click of a button. It includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides immediate turnaround for the testing and delivery of patches as well as peer-to-peer technology that delivers patches to all devices fast.

For more information, visit: www.Syxsense.com
