Consortium Networks has had a great start to the summer, with many work-iversaries and other celebrations kicking off June. In addition, our powerhouse team of interns has settled in well and has been absolute rockstars so far (including in the writing and editing of this newsletter).
This month’s newsletter covers the cyber insurance landscape, the Snake malware takedown, AI integration with security products, and much more, including a brand-new series diving deeper into a specific malware that has been in the zeitgeist over the last month.
Be sure to sign up for the newsletter here to join our mailing list so you never miss an edition.
The Cyber Insurance Labyrinth
Businesses and their boards are increasingly doubting the validity of cyber insurance and for good reason. The cyber insurance marketplace has become increasingly confusing, exclusionary, and expensive.
The first cyber insurance policy was written in 1997 by AIG, but it didn’t become a mainstream must-have until the late 2010s, with the market growing by 155% between 2017 and 2021. Indeed, experts assess that the current $11.9 billion cyber insurance market will grow to $33.3 billion by 2027. Alongside this growth have come a number of major events that have shaken up the market and led to the labyrinth-like landscape we have today.
One of the major events behind last year’s shift was a court ruling over an insurance dispute following the massive 2017 NotPetya cyberattack. NotPetya was a Russian supply chain attack on a small accounting firm in Kyiv, Ukraine, that spread across the globe, eventually costing over $10 billion. A company impacted by the attack, Merck, was locked in a legal battle with its insurance company until last year, when the court sided with Merck in its $1.4 billion claim.
This and similar issues caused by NotPetya and the widespread ransomware attack WannaCry (also in 2017) changed the way that insurers engaged with the market. Since then, exclusions and workarounds for the insurance companies have been introduced to alleviate some of the risk posed by massive, global-scale cyberattacks.
Recently, British insurance giant Lloyd’s of London’s expanded definition of the typical “war exclusion” went into effect, shielding Lloyd’s from any liability for “state-backed cyberattacks.” This move seems like a natural extension of war exclusions built into nearly every insurance policy (cyber and otherwise), but when attribution is a highly commercialized and incredibly complicated process (unlike in the physical world), this change introduces a slew of uncertainty over what is and is not covered by a policy. Often, decisions on attribution are made unilaterally by the insurance companies which claim that it could be “reasonably” assumed that the attacker was a nation-state. This lack of clarity and transparency makes understanding a policy difficult and potentially impossible.
In addition, sublimits on ransomware events have been lowered, with even multi-million dollar cyber policies having ransomware sublimits as low as $25,000. According to a recent study by IBM, the average cost of a ransomware event to a company is $4.62 million, not including the actual ransom payment, which is just shy of $1 million according to Palo Alto Networks, though the highest ransom payment reported to date was paid by JBS Foods in 2021 at a whopping $11 million. This massive discrepancy could leave businesses in ruin following an attack even when they do have cyber insurance.
Aside from the confusing nature of what is or is not covered in a policy, the cost of cyber insurance provides another reason to consider its worth. The year-over-year increase in premium costs in the cyber insurance market from 2020 to 2021 was 94.7%, a trend that continued into 2023 with an additional 50% increase in cost to businesses.
With this as the backdrop for business decision making, it is no wonder that many companies are considering moving toward self-insuring and investing in security solutions instead. For the Googles and Metas of the world, this is an option, but what do smaller companies do in the face of a complicated market and growing threat landscape?
The insurance market has felt this shift in attitudes about cyber insurance and, in an effort to both retain customers and protect itself from undue risk, has begun exploring different ways of doing business. Insurers are moving away from stock questionnaires as the sole determinant of whether a company is insurable and toward relying on security professionals (internal or external) to determine a candidate’s security posture.
Some “active insurance companies” base their actuarial model on internal security assessments. These insurers work with clients to understand their threat environment and security stature and reduce their risk in a number of ways, including insurance. One cyber insurance company is taking this proactive method in a different direction with its new partnership with an IT security management provider. Under this partnership, companies using the security company’s platform will be fast-tracked for approval and receive discounts on premiums. Practitioners within the field believe this trend of “leaving the security assessments to the security professionals” will continue.
Options like this will help insurers save money and reduce their exposure by ensuring their customers have a baseline of security products and policies. In turn, this will help to stabilize the market and clean up the low-hanging fruit that is so often exploited by criminal groups.
In addition to moves being made by private sector insurers, both the White House and the Department of the Treasury are exploring a federal cyber insurance backstop, primarily to help small- to medium-sized businesses. While sources close to the matter do not believe this idea will go anywhere any time soon for a variety of reasons, largely logistical, federal attention and pressure on the matter is likely to have an impact on private sector insurance companies. However, as with most things in the policy world, there may be a window of opportunity opened by the next Colonial Pipeline or JBS Foods-level emergency.
In all, the current upheaval of the cyber insurance market is likely a sign of growing pains in a nascent line of business. Premium hikes continue but are slowing, insurance companies are better understanding the world of cybersecurity, and the power of the federal government is applying pressure to the situation. Things are looking up.
As the market continues to settle, companies should focus on building up their programs on the front end and ensuring their organizations are resilient to attack while working with their insurance companies to create a policy that works for them. Once insurance brokers and providers are engaged, there will need to be a significant undertaking in completing information requests. In many cases the level of effort is unexpectedly high, similar to an audit. Cybersecurity leaders consistently struggle to respond accurately and in time. Once the information is provided, there could be only weeks left to address gaps.
The good news is Consortium Networks knows what these information requests entail and how to prepare programs ahead of the ‘whirlwind.’ Companies can use tools like Metrics that Matter® and an advisory engagement to prepare. Metrics that Matter® is built to assess NIST Cybersecurity Framework functions from the people, process, and technology perspectives that cyber insurance providers will ask about. Contact us to learn more.
Who is Turla, What Just Happened, and Why Does it Matter for Your Company?
Last month, the FBI infiltrated and neutralized the notorious Snake malware used heavily by the Turla group. Turla is a hacking group that is part of the Russian domestic intelligence service, which commonly expands its purview into the broader region and adversarial countries as well. Turla is most famous for the 1996-1999 Moonlight Maze operation, attacks on G20 Summit attendees, NATO computer hacks, and many other strategically targeted attacks. Obviously, Turla is in no way the “new kid on the block” as, according to an affidavit by the FBI, its “Snake malware had been in use for nearly 20 years.”
Turla is commonly understood as two separate entities: the group working for the FSB and a separate group focused on cyber espionage. The FSB is Russia’s domestic intelligence agency, but it is often credited with operations outside of Russian borders. Snake is arguably the most notorious of their tools, making this FBI takedown all the more important.
The malware itself is complex and lacks the bugs common in code this complicated. This makes Snake extremely stable and difficult to detect within a system. The malware uses a P2P network that connects computers around the world. Within this architecture, each computer serves as a relay node, which helps to hide any operational traffic. Snake can run on implants for Windows, macOS, and Linux operating systems. This is one of the longest running malware tools in history. The FBI’s court-authorized neutralization of Snake was called Operation Medusa. Operation Medusa used a tool called “Perseus” to turn the malware against itself, causing it to self-destruct on all infected computers. This malware has been a plague on the world for almost 20 years.
Why This Is Important to Your Company
Data protection is extremely important to organizations in any sector. Failure to adequately protect yourself against malicious cyber actors can lead to data breaches, increased financial risk, disruptions to business continuity, non-compliance with legal requirements, and reputational damage.
Turla is one of the most prolific malicious actors in the world, and they have held this role for over 20 years. Just because this specific software has been taken out does not mean that Turla is gone for good; they will likely reappear with a vengeance in the not-too-distant future. Their most common points of attack have been spear phishing campaigns, minting authentication cookies, watering hole attacks, and exploiting software vulnerabilities. Their primary focus has been intelligence gathering and stealing sensitive information. Consortium Networks recommends that companies in Turla’s typical crosshairs use this opportunity to shore up their security postures as Turla regroups.
June Malware Spotlight
BellaCiao, an allusion to an old Italian resistance song, is the newest malware out of Charming Kitten/APT 35, an Iranian state-backed advanced persistent threat. According to The Hacker News, “BellaCiao is a personalized dropper that’s capable of delivering other malware payloads onto a victim’s machine based on commands received from an actor-controlled server.” This malware already has reported victims in the United States, Europe, Turkey, and India.
Actor: Charming Kitten (Mint Sandstorm, PHOSPHORUS, and APT35)
Charming Kitten, also known as Mint Sandstorm, PHOSPHORUS, and APT35, is an Iranian state-backed hacking group. Charming Kitten is responsible for several cyber attacks that have hit the United States and other countries. They have previously targeted a wide variety of victims including political dissidents, critical infrastructure, government employees, activists, and journalists internationally. In particular, Charming Kitten actively targets critical infrastructure in the United States and in the Middle East. According to the Microsoft Threat Intelligence team, the group “is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s national priorities.” Unlike other malevolent groups in play at the moment, this group seems to have pretty distinct ties back to the Islamic Revolutionary Guard Corps (IRGC).
AI Integration with Security Platforms
AI has been, and continues to be, one of the hottest (if not the hottest) topics of conversation in tech circles and beyond, and cybersecurity is no exception.
Recorded Future kicked off the revolution by integrating an AI model based on ChatGPT that can provide automatic assessments of an organization’s threat landscape based on Recorded Future threat intelligence.
This month, CrowdStrike introduced Charlotte AI to its security platform in an effort to accelerate users’ ability to use the platform and contribute to closing the cybersecurity skills gap. Additionally, CrowdStrike announced a partnership with Amazon Web Services (AWS) to build on this momentum and develop generative AI solutions that will “safeguard AI where it happens” in and between cloud environments.
Not to be excluded from the conversation, Palo Alto Networks announced that it plans to release a generative AI model that will integrate into its products by the end of the year. The company cites goals of improving detection and prevention capabilities, customer interactions with datasets, and internal operations as reasons for hopping on the AI bandwagon.
As noted by both CrowdStrike CEO George Kurtz and Palo Alto Networks CEO Nikesh Arora, the datasets that large language models are built on are the defining quality of a useful product. By integrating datasets from their platforms, which ingest millions of data points per day, generative AI can synthesize and summarize massive data streams for the users of these platforms in a way that can’t be done by widely available public AI platforms like ChatGPT or Google’s Bard (which, while great in their own right, are not suitable for adding value to the clients of security products like CrowdStrike Falcon or Palo Alto Networks Cortex).
In Other News
DC Metro Network at Risk: According to a report released last month, the capital city’s metro system is at significant cyber risk due to long-standing security issues such as years of missing computer security updates, interdepartmental disputes that stop Metro’s cybersecurity team from working, having Russia-based contractors with high-level clearance, and many other critical security holes.
Dallas Will Need Weeks to get Back Full Functionality: The city of Dallas continues to work toward recovery following a devastating ransomware attack. According to Dallas Police Sergeant Sheldon Smith, the city is “working like it’s 1965 but it’s 2023.”
APTs Targeting Small and Medium Sized Businesses with Phishing Attacks: Proofpoint threat researchers have found that small to medium sized businesses (SMBs) are facing higher and higher amounts of cyber attacks, specifically phishing attacks.
Microsoft Now Scans Your Password Protected Zip Files: Microsoft can see into password protected zip files to check for malware and other potential threats. They can also assess the email sent to check for any sort of password within the actual email.
In the Courts
Meta Receives Record Fine Over Data Transfers to US: The Irish Data Protection Commission announced a record $1.3 billion fine on behalf of the European Union for violating EU data transfer laws. The EU says that the US does not adequately protect user data from government surveillance.
OneMain Financial Group Fined $4.25 Million for Cybersecurity Lapses: OneMain Financial Group was fined $4.25 million by the New York State Department of Financial Services (NYS DFS) for having insufficient cybersecurity practices. The company said it has “long since addressed” problems found in the investigation, which examined its policies from 2017 to early 2020.
EyeMed Vision Care to Pay $2.5 Million Settlement: EyeMed Vision Care, a major eye insurance provider, reached a settlement with the states of Florida, New Jersey, Oregon, and Pennsylvania for $2.5 million after violating several state consumer protection and personal information protection laws and HIPAA. This settlement comes after the insurer already paid a $4.5 million fine to the New York State Department of Financial Services (NYS DFS) and a $600,000 settlement with the New York Attorney General.
Yum Brands Employees Suing over Ransomware Attack: Yum Brands, best known as the operator of Taco Bell and KFC, is facing a class action lawsuit of employees following this year’s ransomware attack because employee data was stolen.
Business Email Compromise Attacks Rise as Hackers Find New Ways to Evade Detection: Hackers have begun using platforms that can scale up their operations to enterprise levels. With this change in scale they have also become harder to detect due to residential internet protocol and other ways of hiding the origin.
KeePass Security Hangs in the Balance Until Users Can Implement a Patch: A vulnerability found in the password manager KeePass leaves users at risk of being hacked. A patch is set to be published with the next update.
Lancefly, a Government Backed Group, Hacks Targets Across South and Southeast Asia: Lancefly, though not officially recognized, has been known to use malware that is associated with Chinese government hackers. This group has been previously implicated in the 2020 phishing attack on the 37th ASEAN Summit.
FIN7 Cybercrime Family Linked to Clop Ransomware: Cybercrime cartel FIN7 has added another malware to its fully stocked repository. Clop ransomware gained notoriety earlier this year for its exploitation of a vulnerability found in Fortra’s file transfer product.
Uncovered APT: CloudWizard: A previously unknown group called “CloudWizard” has been using PowerMagic and CommonMagic implants to attack targets in Donetsk, Crimea, and other parts of Ukraine. This group has been able to hack into computers and take screenshots, microphone recordings, keylogs, and more.
Israeli Shipping and Logistics Companies Become the Target of Suspected Iranian Hackers: A hacking campaign that swept through at least eight Israeli websites by way of a watering hole attack has been attributed “with a low confidence” to the Iranian nation-state actor Tortoiseshell. Iran and Israel often engage in somewhat of a shadow cyber war and this is likely one more casualty in that war.
‘Dark Pink’ attacks groups in Thailand, Brunei, Belgium, Vietnam, and Indonesia: Hacker group Dark Pink was tied to five attacks on governments, private organizations, and militaries in five major countries. This group has been active since at least 2021 infiltrating at least 13 organizations or groups since then.
Agrius Deploys New Ransomware Against Israeli-Based Organizations: Agrius’s new ransomware, called Moneybird, is written in C++ and “demonstrates the group’s expanding capabilities and ongoing effort in developing new tools,” according to Check Point investigators. They are known for gaining access through public-facing servers and then moving laterally within networks. Agrius primarily focuses on companies and organizations based in Israel.
Microsoft’s Patch for Russian Exploit: In early May, Microsoft released a second patch for a vulnerability whose initial March patch was found to be flawed. Both patches are related to CVE-2023-29324.
Babuk Code: Ransomware actors are taking advantage of the leaked Babuk ransomware source code to make Linux encryptors. They are targeting VMware ESXi servers. Several groups, including Play, Mario, Conti POC, REvil, Cylance ransomware, Dataf Locker, BabLock, and Lock4, have done this since 2022.
ChatGPT Reported Data Leak: The March exploitation of an open-source vulnerability in ChatGPT came to light this month. It allowed some users to view the chat history of other users of the application, including personal information about those users such as their name, email address, payment address, and a portion of their card information.
Department of Transportation Hack: The USDOT confirmed the exposure of approximately 237,000 current and former employees’ information. At the moment no specific threat actor has claimed the attack.
Georgia and Tennessee Colleges Hit with Cyber Attacks: Tennessee’s Chattanooga Community College and Macon, Georgia’s, Mercer University were both hit with major cyber attacks. The Mercer attack has been claimed by Akira but Chattanooga Community College, lovingly called Chatt State by locals, still remains unclaimed.
T-Mobile Experiences Second Hack of 2023: T-Mobile’s second hack of the year affected the data of 836 subscribers before it was neutralized. The breach exposed PINs, contact information, Social Security numbers, government IDs, and all other relevant information that T-Mobile has on those customers. This is their 9th reported hack since 2018.
Point32 Health Hack: Point32 Health, which oversees Harvard Pilgrim Health Care, reported that data was stolen from its servers, including patient medical history and diagnoses.
Israeli Rocket Alert Hack: Hackers allegedly linked to Russia and Iran attempted to take down a number of Israeli rocket alert apps which alert citizens of incoming missiles, largely being sent over by Palestinian groups in Gaza. This hack, if connected to a state actor, crosses a traditionally held red line of directly endangering civilians.
Greek National High School Exams Disrupted by a DDoS Attack: According to the Education Ministry of Greece, this DDoS attack was “one of the most extensive cyber attacks in the country’s history.” While no group has claimed the attack and no ransom has been reported, the attack did leave students waiting for hours in classrooms to finish their exams.
MCNA Hack Impacts Nearly 9 Million: Major dental insurer Managed Care of North America (MCNA) saw a data leak that affected nearly 9 million people. The LockBit ransomware group claimed the attack and says it stole 700 gigabytes of data from MCNA’s servers.
Pharmerica Has 5.8 Million Patients’ Data Stolen: Pharmerica, a pharmacy services provider, had 5.8 million patients’ medical information hacked. The Office of the Maine Attorney General was alerted to this breach on March 12th of 2023. The breach included full names, addresses, dates of birth, SSNs, medical history, and insurance info.
Japanese Toyota Users Data Leaked: Toyota Motor Corporation reported that the data of 2.15 million users in Japan was publicly available since 2012 due to a human error.
Hospital Tech Giant NextGen Healthcare Leak: Multi-billion-dollar healthcare company NextGen reported a data leak connected to the ransomware group BlackCat/ALPHV.
Dole Ransomware Attack Costs $10.5M: The unclaimed attack on the Dole servers cost $10.5 million in damages. This ransomware attack affected around half of the Dole servers and one fourth of the end user computers.
300,000 Customers Affected in Dish Ransomware Attack: Nearly 300,000 people have been impacted by a data breach through DISH. DISH is offering two years of free credit report monitoring for those affected.
Four Critical Infrastructure Providers Hit by RA Group: RA Group has been targeting the manufacturing, finance, insurance, and pharmaceutical sectors. This group, using Babuk ransomware source code, hit three organizations in critical infrastructure industries in the US and one in South Korea within a week of its emergence in the field.
ABB Confirms “IT Security Incident”: ABB, the tech giant based in Switzerland, was attacked by the ransomware group Black Basta on May 7th, 2023. Black Basta has also reportedly hit the American Dental Association, Deutsche Windtechnik, and Capita.
San Bernardino County Pays Ransom: After the San Bernardino County Sheriff’s Department was hit with a ransomware attack, county officials paid half of the million dollar ransom and insurance covered the rest. These hackers were located in Eastern Europe and have ties to a network of larger Russian hacker operations.
Spartanburg County South Carolina Hit with Ransomware Attack: Spartanburg County is working with limited IT capabilities and phone systems in the wake of a recent ransomware attack on their systems. This attack has not yet been claimed by any specific ransomware group.
City of Lowell, Massachusetts Hit by Infamous Oakland Attackers: On April 24th, 2023, the city of Lowell, Massachusetts was hit with a ransomware attack that was said to have stolen an undisclosed amount of personal data, passports, government IDs, financial documents, and more.
National Gallery of Canada Hit by Ransomware Attack: The National Gallery of Canada spent two weeks shut down while recovering from a ransomware attack. Luckily, this museum does not store full credit or debit card numbers and their payment systems were not affected.
VMware Continues to Be a Target of Ransomware Groups: Due to vulnerable infrastructure and a lack of security tools, VMware continues to be a target of ransomware groups. VMware has over 500,000 customers and commands “71% of the global market for virtualization infrastructure software.”
New Cyber Guidance from NIST: NIST has published an updated federal guideline that will directly affect NIST SP 800-171 Rev. 3. NIST is accepting public feedback until July 14th of this year.
#StopRansomware Guide Updated by CISA and Partners: On May 23rd an updated version of the #StopRansomware Guide was published by CISA and the FBI. This guide provides insight on how to react to ransomware attacks.
Atomic Stealer Uses New Malware for Financially Motivated Cybercrime: A new macOS malware being used by Atomic Stealer has the capability to steal account passwords, browser data, session cookies, and cryptocurrency wallets. This malware has been focused on gaming and cryptocurrency users thus far but has the potential to expand to other groups.
Russian-Linked Malware Has the Ability to Disrupt and Damage Power Grids: A recently discovered Russian malware, Cosmic Energy, has the ability to greatly disrupt critical infrastructure, including power grids. This malware shares DNA with malware created to damage industrial targets and thus could prove to do a lot of damage.
PRC Cyber Actors “Living Off the Land”: Volt Typhoon, a People’s Republic of China-backed cyber actor, utilizes the “living off the land” strategy. The FBI and CISA warn that this approach relies on built-in administrative tools and channels already present on the system, which lets the activity blend in with legitimate administration.
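Because “living off the land” means an intruder runs the same built-in administrative tools that a real administrator would, detection has to focus on how those tools are used rather than on whether they ran at all. The following is an added example written for this newsletter, not code from CISA, the FBI, or any vendor: a small detector that scans constructed process-creation records for three usage patterns of built-in Windows tools that rarely show up in routine helpdesk work. The event format, the hostnames, users, and command lines, and the rule set are all hypothetical and chosen for illustration; a real deployment would feed it from your EDR or Sysmon pipeline and tune the rules to your environment.

```python
"""Toy living-off-the-land (LOTL) detector over process-creation events.

Everything here is constructed for illustration: the events are not real
telemetry, and the rules are a hypothetical starting set, not a vendor's or
an agency's published signatures.
"""
import re

# Constructed sample events: two benign admin actions and three that match a rule.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "ws01", "user": "jdoe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectport=8443 connectaddress=10.0.0.5"},
    {"host": "ws02", "user": "asmith",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "cmd.exe /c whoami"'},
    {"host": "ws02", "user": "asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA..."},
    {"host": "ws03", "user": "helpdesk",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

# Each rule: (name, regex applied to the command line, analyst-facing explanation).
# The tools themselves are legitimate; the rules key on the *way* they are used.
LOTL_RULES = [
    ("netsh_portproxy",
     re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I),
     "netsh portproxy rule added: built-in port forwarding is rarely used by "
     "helpdesk staff and is a common internal-pivot technique"),
    ("wmic_process_create",
     re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\s+create\b", re.I),
     "WMIC used to spawn a process: execution through a built-in management tool"),
    ("powershell_encoded",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
     "PowerShell launched with an encoded command: scripting hidden from casual review"),
]


def detect_lotl(events):
    """Return one finding per (event, matching rule) pair.

    Benign uses of the same binaries (plain `netsh ... show`, `cmd /c dir`)
    produce no finding because no rule's usage pattern matches.
    """
    findings = []
    for ev in events:
        for name, pattern, why in LOTL_RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({
                    "host": ev["host"], "user": ev["user"],
                    "rule": name, "cmdline": ev["cmdline"], "why": why,
                })
    return findings


def hosts_by_rule_count(findings):
    """Map host -> number of *distinct* rules that fired on it.

    One LOTL technique on a host may be an admin having a bad day; several
    different techniques on the same host in a short window is a much
    stronger signal and a reasonable triage priority.
    """
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["rule"])
    return {host: len(rules) for host, rules in seen.items()}


if __name__ == "__main__":
    found = detect_lotl(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['host']}] {f['user']}: {f['rule']} -> {f['why']}")
    print("distinct techniques per host:", hosts_by_rule_count(found))
```

The point of the two-stage design is that a single rule hit on a LOTL binary is noisy almost by definition; ranking hosts by the number of distinct techniques observed is what separates an administrator running one unusual command from an intruder chaining several.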
Cyber Traffickers Using False Job Ads to Trick Their Victims: These attacks, most popular in Southeast Asia, consist of luring individuals in with a false job advertisement and then stealing their information. The FBI advises job seekers to research a company before accepting a position.
Chinese Actors Might Have Access to Important US Networks: The NSA is seeing Chinese hackers hide in networks without taking any imminent action. It is speculated that this is in preparation for conflict over Taiwan.
Policy and Politics
White House Considering Ransomware Payment Ban: In a break from last September’s decision not to ban ransomware payments, Deputy National Security Advisor Anne Neuberger said during a presentation at the Institute for Security and Technology Ransomware Task Force that the U.S. is considering the ban with a waiver option for organizations which need to pay to deliver critical services. Some are concerned that this would paint an even larger target on the backs of companies delivering these critical services and lead to higher ransom demands as this would narrow the scope of potential profitable victims for ransomware groups.
Senate Focusing on Satellite Cybersecurity: A bipartisan group of Senators has advanced a bill aiming to improve the cybersecurity of commercial satellites, which would require CISA to consolidate voluntary recommendations into a single, easily accessible resource for the public sector. At this time, all guidance from CISA would remain voluntary.
Indiana Signs Data Privacy Law: On May 1, Indiana Governor Eric Holcomb signed the Indiana Data Privacy Law, making it the seventh state in the United States to pass a comprehensive data privacy law. The law will become effective on January 1, 2026.
Tennessee Signs Consumer Privacy Law: Tennessee became the eighth state to pass a consumer privacy protection act after Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) on May 11, though the “business friendly” approach to the law leaves it largely without teeth and much less comprehensive than many privacy experts would prefer. The law will go into effect on July 1, 2025.
Montana Passes Consumer Data Privacy Law: Montana Governor Greg Gianforte signed the Consumer Data Privacy Act into law last month, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia to become the 9th state to pass a comprehensive consumer privacy law. The law was structured after the Connecticut law and will go into effect on October 1, 2024.