Archive for Proofpoint

Board and CISO disconnect on cybersecurity preparedness ‘rings alarm bells’

Posted in Commentary with tags on September 8, 2023 by itnerd

Proofpoint published its second annual Cybersecurity: The 2023 Board Perspective report and found that almost 75% of board members believe their organizations face a risk of a major cyberattack in the next 12 months, up from 65% the previous year, and that 53% of those board members believe their organization is not prepared, a slight increase over the prior year. Meanwhile, 61% of CISOs feel underprepared, up from 50% in 2020.

“That those closest to the action, CISOs, feel even more underprepared should be great cause for concern.

“Still, that board members and CISOs feel largely unable to defend and remediate these all-but-inevitable cyber threats should ring alarm bells,” states the report.

The disconnect is further highlighted by the report’s attention to communication and collaboration between board members and CISOs: just 53% of board members regularly interact with their CISOs, and nearly a third of board members say they see the CISO only as part of a report.

“Growing even stronger board-CISO relationships will be instrumental in the months ahead so directors and security leaders can have more meaningful conversations and ensure they’re investing in the right priorities,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, in a press release.

Proofpoint’s survey also noted:

  • 70% of respondents agreed that cybersecurity is a priority for their board
  • 70% believe that they have adequately invested in cybersecurity
  • 84% reported believing that their cybersecurity budgets would increase in the next year
  • 60% listed malware as their most pressing concern

George McGregor, VP, Approov had this to say:

   “It seems that the real issue here is the engagement of board members – only half the board members surveyed have regular contact with the CISO and much of that seems to be related to understanding their own personal liability – so it would appear that the recommendations around increasing board member understanding and awareness will be the most impactful.”

Emily Phelps, Director, Cyware follows with this:

   “Proofpoint’s report illustrates how important communication and collaboration are across all levels of an organization. The rise in board awareness is a great first step to addressing cyber attacks; ultimately, we want to capitalize on the growing awareness so that enterprises can more quickly get to meaningful action that reduces risk.

   “As the report notes, new technologies pose new security risks, and while new technologies can also aid in security defense, it’s more important to ensure the technologies CISOs and security teams adopt work well together. The more collaborative the tools are, the better organizations can address people, tech, and data silos, making it easier to get the right information to the right people at the right time so organizations can take the right action with confidence.”

Everyone has to be on the same page in order to make cybersecurity work. Otherwise bad things will happen. This survey highlights that fact.

Human Error is Still Leading Cause of Cloud Data Breaches

Posted in Commentary with tags on July 7, 2023 by itnerd

According to the 2023 Thales Global Cloud Security Study, 39% of businesses experienced a data breach in their cloud environment in 2022. The leading cause of these breaches was human error, at 55%, significantly above the next highest factor, exploitation of vulnerabilities, at 21%.

Also measured is a 41% rise in SaaS usage from 2021 to 2023. With these applications usually replacing on-premises application functionality, 55% of cyber professionals say this increase has made it more complex to secure data in the cloud. Meanwhile, the risk is compounded with 75% of respondents saying that more than 40% of data stored in their organizations’ cloud was ‘sensitive.’

The targeting of users to infiltrate cloud networks is a trend being observed by other cybersecurity companies as we shared in Proofpoint’s June report The Human Factor 2023. Matt Cooke, Cybersecurity Strategist at Proofpoint told Infosecurity: 

  • “Attackers realize that people and their accounts are still the vulnerability. And it actually doesn’t matter now where that person is because everyone’s pretty much using the same tools. For example, everyone’s got a Microsoft 365 account.”

George McGregor, VP, Approov had this to say:

“A key recommendation of the report is to take steps to manage keys. As cloud services and APIs proliferate so do the keys and credentials used to access them. In particular, keys exposed in mobile app code can provide a path to cloud services for hackers, and central key management should be used to ensure keys are not exposed in code.”
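One practical way to act on the key-management point above is to scan an app’s extracted strings for credential-shaped material before it ships. The following is an added example written for this post, not code from Proofpoint, Approov or the Thales study. The two pattern rules (an AWS-style access key id shape and a generic `sk_`/`api_`/`secret_`/`token_` prefix) are a deliberately small stand-in for a real rule set, the entropy threshold is an assumption, and the sample strings are constructed to exercise each rule.

```python
import math
import re
from collections import Counter

# Pattern rules for well-known credential shapes. Constructed, minimal rule set:
# a real scanner carries many more (cloud providers, payment APIs, JWTs, ...).
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-secret-prefix", re.compile(r"\b(?:sk|api|secret|token)_[A-Za-z0-9_]{16,}\b")),
]

# A string that is one unbroken run of base64/hex-ish characters is a candidate
# "opaque blob"; URLs, sentences and headers contain '.', ':' or spaces and are skipped.
BLOB_TOKEN = re.compile(r"^[A-Za-z0-9+/=_\-]{32,}$")

# Bits per character. English prose sits near 4.0, random base64 near 6.0. Assumed cutoff.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy (bits per character) of a string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(strings):
    """Return (rule_name, string) for every string that looks like an embedded credential.

    Pattern rules fire first; only strings that match no pattern are tested for the
    high-entropy-blob heuristic, so each string is reported at most once.
    """
    findings = []
    for s in strings:
        for name, rx in PATTERN_RULES:
            if rx.search(s):
                findings.append((name, s))
                break
        else:
            if BLOB_TOKEN.match(s) and shannon_entropy(s) >= ENTROPY_THRESHOLD:
                findings.append(("high-entropy-blob", s))
    return findings


# Constructed sample of strings as they might be pulled from an app bundle.
# None of these are real credentials.
SAMPLE_STRINGS = [
    "https://api.example.com/v1/orders",
    "AKIAEXAMPLE000000000",       # AWS access-key-id shape (constructed)
    "sk_live_EXAMPLESECRET0123",  # secret-style prefix (constructed)
    # All 64 base64 symbols once each: entropy is exactly 6.0 bits/char (constructed)
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "Content-Type: application/json",
]

if __name__ == "__main__":
    for rule, value in scan_strings(SAMPLE_STRINGS):
        print(f"{rule:24s} {value}")
```

In a build pipeline the input would be the output of a strings extraction over the packaged APK or IPA; any hit should block the release until the value is moved behind a central key store or a backend-issued short-lived token, which is the report’s recommendation as quoted above.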

Since we all work in the cloud for a variety of reasons, it makes sense that everything that can be done to make the cloud a safe place to work and store data should be done. Which means that everyone needs to do everything possible to remove the human element from the cloud security equation.

Human Factor Remains Crucial While MFA Bypass Kits Surge: Proofpoint

Posted in Commentary with tags on June 14, 2023 by itnerd

According to Proofpoint’s report The Human Factor 2023, social engineering is more than three times more likely to be used in a cyber-attack than any other technique. 

“Among the many attacks we classified, the vast majority relied on some element of psychological manipulation. 

“Social Engineering is endlessly scalable and limited only by attackers’ ingenuity. And even without the use of malware or technical exploits, the aftermath of a successful social engineering attack can be devastating,” said the report. 

Social engineering was aided by threat actors’ growing ability to sidestep user defenses, with MFA bypass kits accounting for millions of phishing messages.

The report also points to adoption by a significant number of less sophisticated groups: telephone-oriented attack delivery (TOAD) threats peaked at over 13 million per month, and “conversational” scams, including romance fraud and fake job ads, grew twelvefold, making them the fastest-growing threat on mobile.

“…our research has consistently led us toward a simple but powerful observation: people – not technology – are the most critical variable in today’s cyber threats,” stated the report.

Willy Leichter, VP of Marketing, Cyware had this to say:

    “As cybersecurity improves, it shouldn’t be surprising that humans are increasingly the weakest link. But it’s also a cop out for the security industry to shrug and blame the victims. Humans will inevitably get fooled and lured into scams. As an industry we must do a better job of connecting the dots and disseminating actionable intelligence on threats and attacks to keep the damage from spreading.”

This is where education and re-education can help to make humans less of a factor in terms of attacks. Hopefully there will be a shift to make that more of a focus than it is right now.

SMBs Targeted By State-Aligned Actors Through Their MSPs: Proofpoint

Posted in Commentary with tags on May 25, 2023 by itnerd

A new study by Proofpoint researchers found that advanced persistent threat (APT) actors are increasingly using vulnerable regional managed service providers (MSPs) as a stepping stone to attack the small and medium-sized businesses (SMBs) they service. Once through the MSP’s defenses, the attackers are preying on the less well defended SMBs for financial gain.

The report, published this week, found that state-aligned actors from Russia, Iran and North Korea were increasingly using this supply chain approach to breach SMBs’ defenses.

Proofpoint: “Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses. APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end-user environments.”

David Mitchell, Chief Technical Officer, HYAS starts off the commentary with this:

   “MSP/MSSPs have been a concern for quite some time, primarily due to the access required into a customer network, along with varying degrees of technical and security expertise on the provider side. Managed services is no longer a high margin business and as such, many MSPs are still utilizing legacy technologies to provide services to their customers, which leaves everyone in that chain exposed.

   “Understanding the security posture of your third party providers is a difficult, if not impossible undertaking for small and medium businesses. Until there is a more scalable way of continuously auditing your service providers, the risk fully lies with whether the customer chose a capable MSP or not.”

Roy Akerman, Co-Founder & CEO, Rezonate adds this:

   “We’ve seen the increased risk around third-party access and supply chain risk increasing for the past few years. The Kaseya VSA software vulnerability used by many MSPs was a key part of distributing REvil ransomware all the way to SMB organizations managed by MSPs. So was the SolarWinds security breach. “Watching-the-watcher” was and will continue to be a focus for organizations who outsource their work externally while always being able to identify who’s doing what and for what reason. Zero trust principles can help tackle and reduce risk by limiting MSPs to only do what they need to and not take the path of a yet-another-superadmin across your network.”

For many small and midsize companies, having someone else remotely monitor and manage their computer network is perceived as a no-brainer. The managed service provider can improve efficiency, reliability, security, and maintenance — all while lowering costs and freeing up IT staff to work on more strategic projects. But there are risks, and this Proofpoint research illustrates that in black and white.

Heightened MFA Use Pushes Hackers To Devise New Phishing Tactics To Beat MFA

Posted in Commentary with tags on February 3, 2022 by itnerd

Multi Factor Authentication or MFA is the new hotness in terms of keeping yourself secure. But not so fast. In a new report published today by Proofpoint, researchers are warning that phishing actors are coming up with new ways to bypass multi-factor authentication (MFA). The increased use of MFA, given the pandemic and the migration to WFH, has pushed threat actors to use transparent reverse proxy solutions, and to cover the rising demand, reverse proxy phish kits are being made available for purchase.

Key takeaways from the report include:

  • As multi-factor authentication becomes a standard security practice, phish kits are evolving with the times to steal these tokens and bypass this trusted layer of security.
  • Threat actors are using phish kits that leverage transparent reverse proxy, which enables them to man-in-the-middle (MitM) a browser session and steal credentials and session cookies in real-time.  
  • It is likely that more threat actors will turn to these MitM phish kits, making security increasingly difficult for defenders.  

Aimei Wei, Founder and CTO, Stellar Cyber has this to say:

“Hackers are evolving quickly in response to security defense measures such as MFA. While the security industry prepares to deal with this blind spot, people should always be vigilant about an email or website before clicking a link or logging in to a website.”

If this concerns you, and it should, then one of the mitigation strategies that you might want to consider is passwordless authentication. A number of companies are bringing this technology to market, or have already brought this technology to market. Thus it might be an option for your enterprise.
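An added illustration (not code from the Proofpoint report or this post) of why the passwordless option mentioned above holds up against the transparent reverse proxy kits described in the takeaways: FIDO2/WebAuthn authenticators sign over a server-issued challenge and an origin that the browser fills in from the page it actually loaded, so an assertion collected on a proxy’s domain fails the relying party’s origin check even though the proxy relays everything else faithfully. The code models only that check. The origin, RP name and proxy domain are placeholders, and the HMAC “signature” stands in for the authenticator’s public-key signature over authenticatorData and the clientDataHash; a real verifier also checks the rpIdHash and signature counter.

```python
import base64
import hashlib
import hmac
import json
import os

# Placeholder relying-party origin for this example (assumption, not from the report).
RP_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge() -> bytes:
    """Server side: one fresh random challenge per login attempt."""
    return os.urandom(32)


def client_sign(origin: str, challenge: bytes, key: bytes) -> dict:
    """Models the browser + authenticator side of a WebAuthn 'get' ceremony.

    The browser, not the page's JavaScript, writes the origin into clientDataJSON,
    so a page served through a proxy on another domain carries the proxy's origin.
    The HMAC over the clientDataHash is an illustrative stand-in for the ECDSA
    signature a real authenticator produces.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    cdj = json.dumps(client_data, separators=(",", ":")).encode()
    sig = hmac.new(key, hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": b64url(cdj), "signature": b64url(sig)}


def rp_verify(assertion: dict, expected_challenge: bytes, key: bytes):
    """Relying-party side: the subset of WebAuthn verification steps this example covers."""
    cdj = b64url_decode(assertion["clientDataJSON"])
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        # This is the check a reverse-proxy kit cannot satisfy: the victim's browser
        # loaded the login page from the proxy's domain, and that is what gets signed.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    expected_sig = hmac.new(key, hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(assertion["signature"])):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Returns (direct login accepted?, proxied login accepted?, rejection reason)."""
    key = os.urandom(32)          # shared secret standing in for the credential key pair
    challenge = new_challenge()
    # Legitimate login: the browser is on the real relying-party origin.
    ok_direct, _ = rp_verify(client_sign(RP_ORIGIN, challenge, key), challenge, key)
    # Same user, same authenticator, but the page was served through a proxy domain
    # (placeholder name). Credentials and cookies would have relayed fine; this does not.
    proxied = client_sign("https://login-example.proxy-placeholder.test", challenge, key)
    ok_proxied, reason = rp_verify(proxied, challenge, key)
    return ok_direct, ok_proxied, reason


if __name__ == "__main__":
    print(demo())
```

The contrast with a password plus one-time code is the point: those are just strings the user types, so a proxy can forward them and keep the resulting session cookie, whereas the signed origin is something neither the user nor the proxy can rewrite.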

Quarterly Mobile Security Threat Analysis Now Out From Proofpoint

Posted in Commentary with tags on October 24, 2016 by itnerd

Proofpoint just released their quarterly threat summary, which included some insight on mobile security threats I thought might be of interest to your readers. Key takeaways include: 

  • Mobile exploit kits and zero-day attacks targeted iOS and Android. Most mobile devices today have 10-20 exploitable zero-days. Roughly 30% of those are serious and could allow attackers to run malicious code on infected devices. 
  • Pokémon GO-related malware spawned malicious counterfeits. Malware in the form of malicious side-loaded clone apps, dangerous add-ons, and other risky apps grew out of the game’s popularity. Users can download apps from anywhere, and even the major app stores offer only limited screening of apps and updates.

[Image: Mobile Vulnerabilities]

Mobile app threats: Not playing games

Pokémon GO is one high-profile example of an app whose popularity has created an ecosystem of mobile threats. Games are a major target, as are apps related to major events. Some apps are overtly malicious, and others create business risks by requiring excessive permissions or handling data poorly. Whether downloaded by employees or their family members, malicious and other risky apps are following users into the workplace.

Key stat: Nearly 5% of mobile devices on corporate networks are running Pokémon GO.

Analysis: Released in July, Pokémon GO was an immediate international sensation. Because of its staggered global release, pent-up demand led users who could not access it through legitimate app stores to sideload the app through third parties and direct downloads. Within three days of Pokémon GO’s release in Australia and New Zealand, we identified a cloned version of the Android app in a malware repository. The counterfeit copy included DroidJack, a remote access Trojan capable of taking over the device, and modified app permissions indicated in Figure 7. Though not observed in the wild, this version of Pokémon GO showed just how easily attackers could modify a popular app and distribute a malicious version to users.

A recent survey showed that Pokémon GO is installed on nearly 5% of mobile devices accessing corporate networks. Like many popular games, Pokémon GO has spawned numerous game guides, cheats, and add-ons. Many of them are risky or malicious, potentially exposing networked resources to attackers. We have identified at least three malicious versions of Pokémon GO this quarter along with numerous malicious companion apps. Even among legitimate installations, 4% of devices accessing corporate networks were an early version of the game that granted excessive permissions.

The Olympic Games in Rio also provided further examples of ways in which threat actors co-opted popular phenomena for malicious purposes. We identified over 4,000 Android apps and over 500 iOS apps related to the Olympics that exhibited risky or malicious behaviors. 

Mobile threats continue with Pegasus and other zero-day tools

Most mobile devices have multiple serious, unpatched vulnerabilities that could expose them to a slew of malware and attack vectors. This includes both Android and iOS devices. As mobile devices become primary means of daily work and regular communication, these vulnerabilities can have serious consequences. That’s why organizations need dynamic, intelligent protection and management.

Key stat: The average mobile device has between 10 and 20 exploitable zero-day vulnerabilities.

Analysis: In August, we found that the so-called “Pegasus mobile device attack kit” was available in both the criminal underground and the research community. This kit can be used to attack any device that is running any iOS version between iOS 7 and iOS 9.3.5. Although the malware originally surfaced as a result of a high-profile attack on a political dissident in the United Arab Emirates, it can be used against any person or enterprise with a vulnerable device.

Like many other types of both mobile and desktop malware, Pegasus can be delivered through a URL with a convincing lure. Because it targets mobile devices, the link can be distributed via SMS, email, social media, malicious search results or even other apps. When installed, Pegasus exploits a vulnerability in many versions of iOS. It silently roots the phone and gains unencrypted access to a variety of apps and communication on the phone.

Apple’s rapid response with an update to iOS and the significant public attention the issue received helped mitigate the immediate risk. But Pegasus was only the best known of such malware: the average mobile device has 10 to 20 exploitable zero-day vulnerabilities that can be targeted by mobile malware. Roughly a third of these are serious flaws that enable attackers to run malicious code.


Are You A Fan Of Pokémon Go? You Might Want To Read This…

Posted in Commentary with tags on September 8, 2016 by itnerd

Fans of the popular game Pokémon Go may be trying to catch them all. But according to Proofpoint, evildoers may be out to get them. Here’s why. The company has identified 543 social media accounts related to Pokémon GO across Facebook, Twitter, and Tumblr and of these, 167 – over 30% – were fraudulent. Of note:

  • 44 accounts had links to download files, many purporting to be Pokémon GO, game guides, etc.
  • 79 were imposter accounts.
  • 21 accounts promised “free giveaways”.

Accounts with downloads affected both mobile and desktop platforms and delivered adware, malware, and software other than the one advertised.

So, why is this an issue now? It’s simple. Yesterday Apple announced that Pokémon Go will now be available on the Apple Watch. That means that this is about to become a bigger problem.

The full blog post outlining Proofpoint’s research can be found here. But I am not finished with the bad news just yet. 

Pokémon GO has found its way onto devices connected to corporate networks. 4.5% of devices across the organizations we surveyed had Pokémon GO installed, including a small percentage of them (4%) running early versions of the game that had no patch for the Google permissions issues.

In short, your attempt to catch them all may be risky.

Thousands of Malicious Apps and Social Media Accounts Found At The Olympics

Posted in Commentary with tags on August 5, 2016 by itnerd

The Olympics in Brazil start today. And Proofpoint has found thousands of potential risks in Olympics-related social media accounts and mobile apps. There were over 4,500 risky apps associated with the Olympics on Android and iOS, including clearly malicious apps with the ability to take over mobile devices.

A close look at Olympic-related social media accounts also revealed a wide range of impostor accounts, as well as substantial numbers conducting more overt illegal activities such as:

● 15% of Olympics-related social media accounts were fraudulent and many featured illegal live streaming, phishing, illegal ticket sales, and more.

● 82% were impostor accounts, with misleading use of Olympic or sponsor brand elements to attract followers and interaction.

● 6% used the popularity of the Olympics to steal follower credentials in phishing attacks.

● 4% involved fake or unauthorized ticket sales.

● 3% emulated Olympics pages to distribute anti-Olympics or anti-Brazil propaganda.

The full details of the findings are available on Proofpoint’s blog: https://www.proofpoint.com/us/corporate-blog/post/malicious-apps-social-media-scams-target-2016-Rio-Olympic-fans-and-brands.

3 Tips for Social Media and Mobile Users:

  • Only engage with verified pages and use official mobile apps 
  • Only purchase tickets from the official Olympics site
  • Avoid free-streaming, “too good to be true” offers, and unofficial mobile apps

5 Tips for Brands:

  • Automate content moderation to deal with the increase in content volume
  • Use a discovery tool to find and help you take down fraudulent social media accounts and mobile apps
  • Install a social media protection tool to mitigate account hacks
  • Use strong passwords and adopt two-factor authentication
  • Limit the number of connected apps that can publish to your pages