Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
- by nlqip
Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
Dive into six things that are top of mind for the week ending May 3.
1 – Verizon DBIR: Hackers feasting on unpatched vulnerabilities
This year’s edition of Verizon’s “Data Breach Investigations Report” (DBIR) is out, and a key finding is that attackers tripled down on exploiting vulnerabilities to gain an initial foothold in victims’ networks.
Specifically, the exploitation of vulnerabilities as a first entry point shot up 180% compared to last year’s report. A big driver of this trend: Ransomware attackers’ targeting of unpatched assets. In particular, the zero-day vulnerabilities in Progress Software’s MOVEit Transfer product were a major target.
“While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” Chris Novak, Verizon’s Senior Director of Cybersecurity Consulting said in a statement this week.
In an analysis of CISA’s Known Exploited Vulnerabilities (KEV) catalog, which lists known vulnerabilities that are being exploited in the wild, the DBIR authors found a troubling disconnect between the time it takes attackers to exploit these vulnerabilities and the time it takes defenders to patch them.
For example, 30 days after a patch is available, 85% of these vulnerabilities are still unpatched. But mass exploitation of the average CISA KEV vulnerability typically happens in a matter of days.
Survival Analysis of CISA KEV Vulnerabilities
(Source: Verizon’s “2024 Data Breach Investigations Report,” May 2024)
Here are other important findings from the 2024 report, which covers the period of Nov. 1, 2022 to Oct. 31, 2023:
- 68% of breaches involved a person inadvertently making an error or falling prey to a social engineering scheme
- 15% of breaches involved a third party, such as a supplier
- 32% of breaches involved an extortion technique, including ransomware
- Attackers have used stolen credentials in almost one-third of breaches over the past 10 years
For this latest DBIR report, Verizon analyzed about 30,500 security incidents globally and about 10,600 confirmed breaches.
To get more details, check out:
For more information about prioritizing and fixing vulnerabilities quickly and continuously as part of an exposure management program, check out these Tenable resources:
Blogs
On-demand webinars
2 – Critical infrastructure orgs stamp out hundreds of ransomware-friendly vulns via CISA program
A U.S. government program that helps critical infrastructure organizations fend off ransomware attackers resulted in the mitigation of vulnerabilities in 850-plus devices last year.
Announced in March 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Ransomware Vulnerability Warning Pilot program probes internet-facing assets from participating organizations.
To identify vulnerable devices, the program uses various methods, including CISA’s free Cyber Hygiene Vulnerability Scanning service. When the program detects vulnerabilities that ransomware gangs commonly exploit, it notifies organizations.
Last year, participating U.S. critical infrastructure organizations received more than 1,700 such notifications, and took action in about half of the cases – 852 – such as by patching the vulnerability or taking the device offline, according to CISA.
“The RVWP program enables organizations from all critical infrastructure sectors to harden their networks with respect to the vulnerabilities that ransomware gangs are known to use,” reads a CISA statement.
Ransomware Vulnerability Warning Pilot Program’s 2023 Notifications
(Source: CISA, April 2024)
To enroll in the Ransomware Vulnerability Warning Pilot program, organizations can email [email protected].
To get more details, check out:
3 – Visit Tenable at RSA Conference 2024!
Tenable will be at the venerable RSA Conference next week – May 6 to May 9 – at the Moscone Center in San Francisco, so please visit our booth (N-5245) and attend our presentations – we’ll make it worth your while!
Here’s an overview of what we’ve got planned for RSA Conference 2024.
Come to our booth
We’ll be demoing products and hosting lightning talks at our interactive booth (N-5245.) Swing by to learn the latest about Tenable products and pick up free goodies like selfie lights. And try your luck in our raffles for a chance to win prizes including Beats headphones and Polaroid cameras.
Tenable sessions you shouldn’t miss
Get insights and best practices from our experts at these sessions.
AI Shake Up: The Future Risks and Opportunities with AI in Software Development (at the Cloud Security Alliance AI Summit at RSA)
Vincent Gilcreest, VP of Engineering, Data & Analytics at Tenable
Gavin Millard, Deputy CTO, Tenable
Mon. May 6 from 11:05 am to 11:35 am PT Moscone South 303
Gilcreest and Millard will discuss the risks and opportunities AI brings to software development – including real-world examples from the engineering team behind Tenable ExposureAI.
Cloud Security Novice to Native in 10 Steps: A CNAPP Approach
Shai Morag, Tenable’s Senior VP and GM of Cloud Security
Tue. May 7 from 2:25 pm to 3:15 pm PT
Moscone South 155
Morag will explain how a unified platform empowers multiple stakeholders to drive identity-driven visibility, risk prioritization and remediation across complex multi-cloud and hybrid environments.
It’s an Acquired Taste
Tenable CSO and Head of Research Robert Huber
Thu. May 9 from 8:30 am to 9:20 am PT
Moscone West 2014
Huber and Merlin Namuth, vCISO at Lodestone, will share their experiences and best practices for integrating security when an organization acquires another company. They’ll talk about the importance of having a plan in place, as well as of performing critical tasks in the 30 days after the acquisition.
AI, Ted Lasso, Alicia Keys
RSA Conference 2024, whose theme is “The Art of the Possible” and which will be attended by about 40,000 people from about 130 countries, will, unsurprisingly, offer a heavy dose of AI, including these keynote sessions:
Oh, and of course don’t miss Ted Lasso himself, Jason Sudeikis, who’ll be on stage Wednesday at 11:30 a.m. PT with RSA Conference Executive Chairman Hugh Thompson; and music superstar and 16-time Grammy winner Alicia Keys, who’s in charge of the closing celebration on Thursday at 2:40 p.m. PT.
To get more details about RSA Conference 2024, check out:
4 – UnitedHealth CEO: Attackers breached Change Healthcare via stolen creds, app with no MFA
And here’s your weekly update on the devastating Change Healthcare hack: UnitedHealth Group’s CEO confirmed that the ransomware attack started when attackers swiped credentials to an application that wasn’t protected with multifactor authentication (MFA).
Specifically, attackers gained initial access to Change Healthcare’s network on February 12 via a Citrix portal that’s used to provide remote access to desktop computers, UnitedHealth CEO Andrew Witty told a U.S. Congress subcommittee this week.
“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said, identifying the ransomware attackers as the ALPHV / BlackCat group.
Witty also provided more details about the extent of the data theft, saying he estimates that “maybe a third” of Americans are impacted by the stolen health and personal information. Last week, UnitedHealth said it will take months to identify and notify all impacted customers.
Witty also reiterated that UnitedHealth paid a ransom to the attackers, and that he authorized the payment, which he said is “one of the hardest decisions I’ve ever had to make.”
Previously, UnitedHealth said the breach cost it about $870 million in the first quarter, and expects costs to balloon to about $1.6 billion by the end of the year.
Rick Pollack, President and CEO of the American Hospital Association has called the breach “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”.
The breach threw a wrench into Change Healthcare’s systems for over a month, triggering nationwide chaos for patients, hospitals, doctors and pharmacies. Areas impacted included billing, payments processing, patient care and prescription fulfillment.
For more information about the importance of identity and access management, check out these Tenable resources:
VIDEO
Tenable CEO Amit Yoran Discusses Ransomware Attack on UnitedHealth on CNN
5 – New DHS AI board tasked with helping critical infrastructure orgs
In yet another attempt to stay on top of the development and deployment of AI, the U.S. Department of Homeland Security (DHS) has created a board with industry, government, academia and civil rights experts.
Its main charter: to help critical infrastructure organizations use AI safely and securely.
“The Board will develop recommendations to help critical infrastructure stakeholders, such as transportation service providers, pipeline and power grid operators, and internet service providers, more responsibly leverage AI technologies,” reads a DHS statement.
The board will also craft recommendations aimed at preventing and preparing for AI-related disruptions to critical services in areas such as economic activity, public health and national security.
6 – Alert: Pro-Russia hacktivists targeting OT systems
The U.S., U.K. and Canadian governments are warning critical infrastructure operators in North America and Europe about a threat from pro-Russia hacktivists. At risk are industrial control systems (ICS) and small-scale operational technology (OT) systems.
The attacks seem mostly unsophisticated, aimed at tampering with ICS equipment to cause “nuisance effects,” according to a joint fact sheet issued by multiple law enforcement and cybersecurity agencies, including CISA, the Canadian Centre for Cyber Security and the U.K.’s National Cyber Security Centre.
“However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments,” the document reads.
To get more details, read the Tenable blog “As Pro-Russia Hactivists Target OT Systems, Here’s What You Need To Know.”
Source link
lol
Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more! Dive into six…
Recent Posts
- Bob Sullivan Discovers a Scam That Strikes Twice
- A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
- CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- Xerox To Buy Lexmark For $1.5B In Blockbuster Print Deal
- Vulnerability Summary for the Week of December 16, 2024 | CISA