News Items

Security researchers at Beyond Identity have found that companies with a compound annual growth rate (CAGR) of 40% or higher are more likely than companies growing at a standard rate to have suffered ten or more cybersecurity breaches. The researchers surveyed 1102 employees, ranging from entry-level and mid-level to business leaders, about cybersecurity issues within their organizations. While 62% of hyper-growth company employees claimed that their organization was proactive towards cybersecurity threats, only 61% backed up data, and only 55% encrypted data. Fewer than half (48%) of the employees of standard growth companies said their organization was proactive towards cybersecurity threats. However, 66% said they back up data, and 53% said they encrypted data. The researchers noted that fewer than half (44%) of all the respondents said they used anti-malware and firewall software, with 39% of hyper-growth companies taking these precautions compared with 42% of standard growth companies. Secure hardware was used by 64% of hyper-growth companies but only 57% of standard growth companies. Regarding password security, 72% of hyper-growth company employees said they used a password manager app. However, 62% stored their passwords in a document on their computer, 41% stored them in a note on their phone, and 46% wrote them down on paper. Among standard growth company employees, 54% used a password manager app, 39% stored their passwords on their computer, 27% stored them on their phone, and 34% wrote them down on paper. The researchers also found that nearly two-thirds of companies (62%) had experienced at least one cybersecurity breach. While 6% of standard growth companies had suffered between 6 and ten breaches, and 1% had experienced more than 10 breaches, 15% of hyper-growth companies had been breached five to 10 times, and 5% had been hit on more than ten occasions. The average estimated cost of an attack was $20k-$25k for hyper-growth companies and $34k-$119k for standard growth companies. Following a cyberattack, educating employees on cybersecurity was a measure taken by 70% of hyper-growth companies but just 45% of standard growth companies.

Infosecurity reports: "Hyper-Growth Linked to Higher Hacking Risk"

Researchers at the Massachusetts Institute of Technology (MIT) developed an Application-Specific Integrated Circuit (ASIC) chip to defend Internet of Things (IoT) devices against power-based side-channel attacks. A side-channel attack is a security exploit that seeks to gather information by measuring or exploiting the indirect effects of a system or its hardware rather than directly targeting a program or code. For example, in one type of side-channel attack, a skilled hacker could monitor a device's power consumption fluctuations while a neural network operates to extract protected information that leaks out of the device. Current methods developed to prevent some side-channel attacks are known to be power-intensive, and therefore, are not feasible for IoT devices such as smartwatches, which rely on lower-power computation. To address this issue, the MIT researchers built an integrated circuit chip capable of protecting IoT devices against power-based side-channel attacks while using significantly less energy than typical security techniques. Their chip, which is smaller than a thumbnail, could be implemented into a smartwatch, smartphone, or tablet to perform secure Machine Learning (ML) computations on sensor values. The researchers wanted to build an integrated circuit that performs ML on edge, so that it is low-power but still defensive against these side-channel attacks, and the privacy of these models is still preserved. The chip is based on a special type of computation called threshold computing, which involves splitting data into unique random components rather than having a neural network operate on the actual data. With the chip, the network operates on those different components individually in a random order before collecting the final result. Using this method, the information leakage from the device is random every time, thus preventing any actual side-channel information from being revealed. This article continues to discuss the new lower-energy chip developed by MIT researchers to prevent hackers from extracting hidden information from an IoT device.

MIT reports "Toward a Stronger Defense of Personal Data"

The global market size of the consumer Internet of Things (IoT) is expected to grow from $45 billion in 2022 to $154 billion by 2028. In conjunction with the increasing use of connected devices is the growth in cyber threats as new products introduce vulnerabilities that can lead to hacking and the leakage of personal data. The World Economic Forum's Council on the Connected World established a multistakeholder coalition composed of business leaders, government officials, and technology experts to develop a consensus on baseline security protections in order to address this challenge. The stakeholders agreed on five security requirements for consumer-facing IoT devices, which align with the interests of industry, consumers, white hat hackers, and governments. This article continues to discuss the global consensus to improve the security of Internet-connected home and wearable devices.

World Economic Forum reports "Global Consensus Emerges to Secure Internet-Connected Home and Wearable Devices"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

Cisco Email Security Appliance (ESA) devices are impacted by a vulnerability that could lead to the execution of Denial-of-Service (DoS) attacks. Although Cisco's product security incident response team has not seen the vulnerability being actively exploited, the company and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) urge that the patches released to address it be applied immediately. The vulnerability, tracked as CVE-2022-20653, stems from the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco's AsyncOS software used in Cisco ESA. According to Cisco, the vulnerability exists because of insufficient error handling in DNS name resolution. In order to exploit the vulnerability, the attacker needs to send a specially-crafted email to be processed by an impacted device. The attacker can then make the device unreachable from management interfaces and block the processing of additional email messages until the device recovers, thus resulting in a DoS condition. Continued attacks could make the device completely unavailable in a persistent DoS condition. Cisco's advisory says the vulnerability affects all Cisco ESA devices running a vulnerable version of Cisco AsyncOS software with the DANE feature enabled and the downstream mail servers configured to send bounce messages. This article continues to discuss the root, potential exploitation, and impact of CVE-2022-20653, as well as the fixes released for the vulnerability and the importance of patch management.

BankInfoSecurity reports "Cisco's Email Security Appliances at Risk of DoS Attacks"

VMware has released a patch for a high-severity vulnerability discovered in NSX Data Center for vSphere. It affects the NSX Edge appliance component, a virtual router placed at the edge of the tenant network that enables communication between virtual data centers and the outside world. The vulnerability, tracked as CVE-2022-22945, has been given a CVSS score of 8.8. Its exploitation could allow an attacker to remotely execute arbitrary operating system commands as root. In addition to gaining unrestricted access to the underlying operating system, exploiting the vulnerability could enable an attacker to install malware on the virtual device and gain network access to virtual servers, including for network traffic capture and man-in-the-middle (MITM) attacks. This article continues to discuss the patching, potential exploitation, and impact of the VMware NSX vulnerability.

Security Week reports "VMware NSX Data Center Flaw Can Expose Virtual Systems to Attacks"

Security researchers at Neustar Security Services have found that carpet bombing Distributed Denial of Service (DDoS) attacks are on the rise. Carpet bombing, in which a DDoS attack targets multiple IP addresses of an organization within a very short time, accounted for 44% of total attacks last year. The researchers found that in the first two quarters of 2021, carpet bombing represented just over a third (34%) of total attacks mitigated by the SOC. However, this form of DDoS attack became more prevalent in the second half of the year, accounting for 60% of all attacks in Q3 and 56% in Q4. The researchers stated that the most intense carpet bombing attack was clocked at 369 million packets per second (Mpps). The researchers noted that while "the majority of attacks were over in minutes," the longest-running attack dragged on for nine days, 22 hours, and 42 minutes.

Infosecurity reports: "Carpet Bombing Attacks on the Rise"

According to Bleeping Computer, Element Vape, a major online seller of e-cigarettes and vaping kits, is serving a credit card skimmer on its website, likely after being compromised by hackers. Researchers have observed Element Vape's website loading a malicious JavaScript file from a third-party website. The file appears to contain a credit card stealer. Threat actors known as Magecart have used such credit card stealers on eCommerce stores by injecting scripts. Multiple webpages of the Element Vape online store, including the homepage, were found to have an obscure base64-encoded script. It remains unknown how long the malicious script has been present on the website. When decoded and analyzed, the discovered script was seen collecting customers' payment card and billing information on the checkout page. The script looks for email addresses, payment card numbers, expiration dates, phone numbers, and billing addresses. This information is then exfiltrated to the attacker through an obfuscated hardcoded Telegram address in the script. In addition, the script has anti-reverse-engineering features to deter analysis by detecting when it is being run in a sandbox environment or in other analysis tools. This article continues to discuss the discovery of a malicious JavaScript file being pulled by Element Vape's website to skim credit cards.

Bleeping Computer reports "Warning: Popular E-cigarette Store Hacked to Steal Credit Cards"

Security experts at Wordfence are urging users of a popular WordPress plugin to update immediately after a bug was found that could allow attackers to steal sensitive data and potentially even hijack vulnerable sites. UpDraft Plus describes itself as "the world's most trusted WordPress backup." The researchers noted that UpDraft Plus contains valuable data, including configuration files that could be used to access websites' backend databases and their contents. The new vulnerability CVE-2022-0633 could allow any logged-in user, including subscriber-level users, to download backups made with the plugin. The researchers stated that one of the features that the plugin implemented was the ability to send backup download links to an email of the site owner's choice, but unfortunately, this functionality was insecurely implemented, making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files. The researchers noted that threat actors would need an active account on a victim's system to exploit the vulnerability, meaning it would be largely confined to highly targeted attacks. However, a CVSS score of 8.5 is rated high severity. The researchers stated that the consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases, site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database. All UpDraft Plus users are urged to upgrade to version 1.22.3 to fix the bug.

Infosecurity reports: "High Severity WordPress Plugin Bug Hits Three Million"

How much time an individual spends on different smartphone apps is enough to identify them in a larger group in more than one in three cases, according to researchers warning of the implications for security and privacy. The researchers analyzed smartphone data from 780 people. They loaded 4,680 days of app usage data into statistical models, with each day being paired with one of the 780 users so that the models can learn the individuals' daily app use patterns. Then the researchers tested whether the models could identify an individual when fed only a single day of smartphone activity that was anonymous and not yet paired with a user. The models, which were trained on only six days of app usage data per individual, were able to identify the correct person from a day of anonymous data one-third of the time. The models could also list the most to least likely candidates when predicting who owns the data. The list provided when the models made a prediction showed the top 10 most likely individuals that a specific day of data belonged to, and nearly 75 percent of the time, the correct user would be among that top 10. The researchers warn that software granted access to a smartphone's standard activity logging could generate a reasonable prediction about the identity of the user even if they are logged out of their account. Identification is still possible without the monitoring of conversations or behaviors within apps themselves. This article continues to discuss the study on how app usage data can reveal a person's identity.

Lancaster University reports "How Picking Up Your Smartphone Could Reveal Your Identity"

The Federal Bureau of Investigation (FBI) has issued an alert pertaining to the growing use of virtual meeting platforms to carry out Business Email Compromise (BEC) attacks and Email Account Compromise (EAC) scams. These schemes involve using social engineering tactics to trick employees, who can make or authorize payments, into transferring funds into fraudulent accounts. They are typically performed over business or personal email addresses, but the FBI's Internet Crime Complaint Center (IC3) has observed an increase in complaints about BEC attacks being performed over virtual meeting platforms. This article continues to discuss the FBI's warning of BEC attacks in which virtual meeting platforms are abused and how organizations can stay protected against such scams.

Security Week reports "FBI Warns of BEC Scams Abusing Virtual Meeting Platforms"

Security researchers at Imperva claim to have stopped the largest bot attack they've ever seen, leveraging 400,000 compromised IP addresses to scrape web data. The researchers stated that the large-scale botnet generated 400 million requests from the IP addresses over four days, comprising around 10 requests per IP per hour on average. The researchers spotted the 30-fold surge in traffic volume to the impacted site and mitigated the attack. The victim was a job listings site with a presence in six countries. The attack was designed to harvest job seekers' profiles from the site. The researchers noted that the OWASP Foundation considers web scraping as an automated threat (OAT-011), defined as collecting accessible data and/or processed output from the application. The researchers warned that while web scraping treads a fine line between business intelligence and violating data privacy, it remains one of the most prominent automated attacks affecting organizations today. Scraping can result in lower conversion rates, skewed marketing analytics, a decrease in SEO ranking, website latency, and even downtime (usually caused by aggressive scrapers).

Infosecurity reports: "Researchers Block "Largest Ever" Bot Attack"

The International Committee of the Red Cross (ICRC) has concluded that a nation-state hacker was behind a cyberattack on its servers discovered last month. However, The forensic report does not attribute the attack to any specific advanced persistent threat (APT) group, and ICRC declined to speculate on the culprit. During an investigation into the breach, it was found that the attack compromised the personal data of more than half a million individuals helped by ICRC's program, which reunites families separated by conflict, disaster, or migrations. Personal data included names, locations, and contact information of individuals served by the group and login information for staff and volunteers. The breach was discovered on January 18 and occurred on November 9, 2021. The ICRC stated that the hackers were able to get into the system by exploiting an unpatched vulnerability in the password reset management system Zoho ManageEngine ADSelfService Plus, which allowed them to place web shells that provided further access to move within the systems and exfiltrate data. Microsoft warned in November that Chinese-based hackers were using the vulnerability to target victims in the U.S. defense industrial base, higher education, consulting services, and information technology sectors. The ICRC analysis presumes that hackers were able to copy or export data, but none of that information has shown up on the dark web yet. The attack on the human rights organization drew a rebuke from the U.S. State Department, which called on other nations to condemn cyberattacks on humanitarian data.

CyberScoop reports: "Red Cross Attributes Server Breach to Nation-State Actor"

The personal information of tens of thousands of members of the Internet Society (ISOC) has been exposed in a data security breach. International non-profit organization ISOC was founded in 1992 with the mission to ensure open internet development by enhancing and supporting internet use for individuals and organizations worldwide. Researchers at Clario discovered the unsecured data on December 8, 2021, in an open and unprotected Microsoft Azure blob repository containing millions of files. Data exposed in the blob included the full names of ISOC members together with their residential addresses, email addresses, gender, login details, and password hash. The information was stored in json files. The researchers reported the incident to ISOC via email on the day of the leak's discovery. ISOC responded by launching an investigation into the leak and securing the data. During the investigation, ISOC attributed the security breach to a misconfiguration error by their management system provider MemberNova. ISOC noted that its investigation had not revealed "any instances of malicious access to member data as a result of this issue." The society said that individuals who were impacted by the incident were notified of the breach before the holidays.

Infosecurity reports: "Internet Society Data Leaked"

Chaos, a popular modder for the Cities: Skylines city-building game, has been banned after reportedly hiding an automatic updater in several of their mods to deliver malware to those who downloaded them. The modder released a redesigned version of a core framework project that most Cities: Skylines mods use to function called Harmony. The author then reworked other popular mods, listing his Harmony redo as a core download, thus requiring players to download it to get the mods to work. However, Chaos' version of Harmony was discovered to contain an updater that enabled the modder to infect the devices of those who downloaded it, with malware. Chaos also planted malware in other mods to bog down gameplay in order to get more players to download additional poisoned mods that he had created as solutions. The modder's accounts have been suspended, and some of his mods have been removed from the Steam Workshop. John Bambenek, the principal threat hunter at digital IT and security operations company Netenrich, pointed out that the distribution of malware via games, game mods, or pirated/cracked games is now a fairly common tactic among malicious American and European actors. This article continues to discuss the banning of a Cities: Skylines modder due to hidden malware.

Threatpost reports "'Cities: Skylines' Gaming Modder Banned Over Malware"

The Cybersecurity Association of Maryland, Inc. (CAMI), a nonprofit organization, has announced plans to expand its membership program and create multiple Centers of Excellence. CAMI's mission is to advance cybersecurity in Maryland through collaboration and advocacy. CAMI will do this by creating opportunities for companies in all industries to come together. In a statement released recently, CAMI stated that it will be expanding its membership qualifications to "companies across all verticals who view cybersecurity as a strategic initiative." In creating three new Centers of Excellence, the association aims to provide a forum through which Marylanders can share best security practices. The first center will be focused on business growth and innovation and will support members with raising capital, scaling operations, marketing, and mentorship. Center number two will be dedicated to working with organizations to close the cybersecurity talent gap. The final center will specialize in cyber resilience, providing knowledge and resources to members, including support with Cybersecurity Maturity Model Certifications (CMMC), securing state, local and educational (SLED) agencies, and offering cyber-hygiene help for small and medium-sized businesses. CAMI was established in 2015 and is Maryland's only organization solely dedicated to the growth of Maryland's cybersecurity industry.

Infosecurity reports: "Maryland Cyber Nonprofit to Create Centers of Excellence"

The complexity of power grids continues to grow because of the increase in energy demands, environmental regulations, and small-scale renewable energy systems. Establishing small groups of sources and loads called microgrids helps maintain the resiliency of power supplies. Microgrids are capable of operating independently of the main power grid, and therefore, can still support hospitals during a natural disaster. However, as microgrids become increasingly complex, they need sophisticated computer networks for coordinating, controlling, and distributing different power sources, thus making them vulnerable to cyberattacks. To help prepare for these types of events, KAUST researchers have been performing attack simulations to assess the impact of potential attacks as well as develop detection methods and techniques for suppressing malicious behavior. In the study, they took a realistic approach by adopting a model in which the threat actor has limited knowledge but can design attacks using historical measured data on the performance of the grid. The researchers considered three different types of attack, one of which involves the alteration of measurement data used by the microgrid system operator to coordinate the power generation of inverter-based Distributed Generations (DGs). The simulations revealed that such attacks could induce high costs, cause power loss, and damage equipment. In addition to the attack simulations, the researchers identified effective methods to quickly and accurately detect abnormal conditions associated with incoming attacks. This article continues to discuss the KAUST researchers' work on developing methods for protecting microgrids from cyberattacks.

KAUST Discovery reports "Blocking Microgrid Cyberattacks To Keep the Power Flowing"

Cybercriminals have attacked the San Francisco 49ers with ransomware. Confirmation of the attack came after the 49ers were listed on a dark web leak site as a victim of ransomware-as-a-service (RaaS), BlackByte. The attack might have been carried out by the ransomware creators or by an affiliate accessing the malware in return for a share of any illegal proceeds gained through its use.

Researchers at Rutgers University-New Brunswick studied how voice command features provided by Virtual Reality (VR) and Augmented Reality (AR) headsets could lead to eavesdropping attacks. Their study found that hackers could steal sensitive information such as credit card data and passwords communicated via the voice command features of popular (AR/VR) headsets with built-in motion sensors to record subtle speech-associated facial dynamics. They developed an eavesdropping attack called Face-Mic to highlight the existence of vulnerabilities in AR/VR headsets. According to the leader of the study, Yingying Chen, Face-Mic is the first work to infer private and sensitive information through the use of facial dynamics associated with live human speech while using face-mounted AR/VR devices. The researchers demonstrated the performance of a Face-Mic attack to derive a headset wearer's sensitive information with Oculus Quest, HTC Vive Pro, and other mainstream AR/VR headsets. They studied three types of vibrations captured by motion sensors on the AR/VR headsets, including speech-associated facial movements, bone-borne vibrations, and airborne vibrations, finding that both cardboard headsets and high-end headsets contain security vulnerabilities that could expose a user's sensitive speech and speaker information without permission. This article continues to discuss the findings from the study on how hackers could use AR/VR headsets to steal sensitive information communicated via voice command features.

Rutgers News reports "Rutgers Researchers Discover Security Vulnerabilities in Virtual Reality Headsets"

A memory issue has been discovered affecting iPhone, iPad, and macOS devices, allowing attackers to execute arbitrary code following the processing of malicious web content. The zero-day vulnerability found in Apple's WebKit browser engine is being actively exploited to compromise devices. The vulnerability, tracked as CVE-2022-22620, is described as a Use-After-Free issue, which involves the incorrect use of dynamic memory during a program operation. In regard to Apple's zero-day vulnerability, attackers can execute arbitrary code on affected devices after processing maliciously crafted web content, potentially leading to unexpected OS crashes. According to the vulnerability's description on the Common Weakness Enumeration website, the easiest way for threat actors to exploit the flaw involves the system's reuse of freed memory. Referencing memory after freeing it can cause a program to crash, use unexpected values or execute code. Exploiting previously freed memory can have various consequences, such as the corruption of valid data, the execution of arbitrary code depending on the instantiation and timing of the flaw, and more. Apple released separate security updates for its products to address the issue, both of which improve how the OSes manage memory. The vulnerability impacts numerous Apple devices, including iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the 7th generation iPod touch. The flaw also affects desktops and notebooks running macOS Monterey. This article continues to discuss the potential exploitation and impact of the zero-day WebKit flaw.

Threatpost reports "Apple Patches Actively Exploited WebKit Zero Day"

Data belonging to a California community college has been compromised in a "sophisticated" cyberattack. Adversaries struck the Ohlone Community College District (OCCD) network in Fremont on January 20, 2022, disrupting access to certain files. School officials said the private information of some staff, faculty, and current and former students was compromised. The private information that was potentially compromised during the attack includes Social Security numbers, dates of birth, driver's license numbers, US alien registration numbers, medical information, and bank account details. Other data that may be impacted included health insurance information, student ID number, race/ethnicity, class list, course schedule, disciplinary file, grades, transcripts, and/or IEP/504 plan information. The online student portal was down for 17 days, and Ohlone College's phone and email systems were knocked offline for 10 days. A separate student information system was also impacted. Around 16,000 students attend OCCD per year. In response to this incident, the school changed account passwords and is implementing additional security measures. The college is also reviewing its policies and procedures related to network security.

Infosecurity reports: "Californian College Attacked with Ransomware"

Master decryption keys have been released for the Maze, Sekhmet, and Egregor ransomware strains. The alleged malware developer released the master ransomware keys for these three strains on the Bleeping Computer forums. The security firm, Emsisoft, has verified that the master decryption keys work and released a free decryptor. According to Bleeping Computer, in order to use the decryptor, the victim must have a ransom note for the infection that includes an encrypted decryption key for Emsisoft's tool to decrypt. The master keys were released by someone seemingly tied to the groups, meaning that any organization whose files were locked using any of those strains of crypto-locking malware can now decrypt their files for free. Brett Callow, a threat analyst at Emsisoft, says that companies commonly archive any encrypted data that they could not recover, expecting that a decryptor will eventually become available. If victims still have the original encrypted files on a disk, they can now recover their data. Although this may not make a significant difference regarding business continuity, it could help victims get their critical historical records back for tax purposes, insurance purposes, and more. While the release of master decryption keys for all three strains helps victims recover important data, the keys do not repair the considerable damage and disruption associated with the ransomware strains. The Maze and Egregor ransomware strains were among the most observed ransomware infections with the greatest ransom demands. For example, the threat actors behind Maze ransomware regularly demanded $1 million to $2 million worth in ransoms. In 2020, Maze and Conti were the most commonly seen strains of ransomware used in attacks against healthcare sector organizations. In addition, the actors behind the ransomware strains have introduced innovative new business practices such as the double-extortion tactic in which threats are made to release the data unless a victim paid the demanded ransom. This article continues to discuss the release of decryption keys for Maze, Sekhmet, and Egregor victims, as well as the history, impact, and constant innovation of the three ransomware strains.

BankInfoSecurity reports "Decryption Keys Released for Maze, Sekhmet, and Egregor Ransomware Strains"

Attackers have increasingly targeted Linux environments due to the frequent use of Linux as the basis for cloud services, virtual-machine hosts, and container-based infrastructure. According to VMware's "Exposing Malware in Linux-Based Multi-Cloud Environments" report, there has been an increase in the number of ransomware programs targeting Linux hosts to infect virtual-machine images or containers. The report also revealed a rise in the use of cryptojacking to monetize illicit access as well as over 14,000 instances of the red-team tool Cobalt Strike, 56 percent of which are pirated copies used by criminals or companies that have not purchased licenses. The red-team tool has grown so popular as a way to manage compromised machines that underground developers have created their own protocol-compatible version of the Windows program for Linux. Initial access by attackers on the Linux side is often achieved through credential theft. Giovanni Vigna, senior director of threat intelligence at VMware, pointed out that stolen credentials often give attackers more time to explore a victim's network than remote code execution. Attackers have developed various tools to compromise and monetize compromised Linux systems, including ransomware, crypto-miners, implants from remote access management software, and more. This article continues to discuss key findings surrounding the increased targeting of Linux in multi-cloud infrastructure.

Dark Reading reports "Linux Malware on the Rise"

The UK, US, and Australian authorities have issued a new warning for critical infrastructure (CNI) providers after a surge in ransomware attacks over the past year. The joint cybersecurity advisory comes from the UK's National Cyber Security Centre (NCSC), the Australian Cyber Security Centre (ACSC), and the FBI, NSA, and US Cybersecurity and Infrastructure Security Agency (CISA). The agencies reported that 14 out of 16 US CNI sectors were hit by ransomware in 2021, while education was the number one target in the UK. Phishing, stolen or brute-forced remote desktop protocol (RDP) credentials, and vulnerability exploitation remain the top threat vectors, with the agencies warning of growth in ransomware-as-a-service affiliates. The joint cybersecurity advisory also warns that different ransomware groups in Eurasia are sharing information with each other. However, it's not clear in many instances if the groups are distinct or have merely rebranded. The joint cybersecurity advisory also contains an extensive list of industry best practices that could help CNI firms mitigate the risk of ransomware compromise. The agencies stated that ransomware groups have also increased their impact by targeting vulnerabilities in cloud applications, virtual machine software, orchestration software, and cloud accounts and APIs.

Infosecurity reports: "New Ransomware Warning for Critical Infrastructure Providers"