Check out the new ransomware trends documented by DHS, as well as a joint CISA-FBI alert about the Snatch ransomware. Plus, find out what CISA has in store for its Known Exploited Vulnerabilities catalog. Furthermore, don’t miss new source-code management tips from the OpenSSF. And much more!
Dive into six things that are top of mind for the week ending September 22.
It looks like 2023 is shaping up to be a banner year for ransomware gangs.
During the first half of this year, ransomware actors have extorted at least $449 million globally, and are on track to have their second most profitable year yet. So says the U.S. Department of Homeland Security in its “Homeland Threat Assessment 2024” report.
“Ransomware actors continue to target a variety of victims, almost certainly reflecting malicious cyber actors’ target refinement to entities perceived as the most vulnerable or likely to pay a ransom,” reads the 38-page report.
Other ransomware insights from the report include:
The report also highlights new and refined tactics employed by ransomware groups, such as:
For more information about recent ransomware incidents and trends, check out these Tenable resources:
And speaking of ransomware, it’s being identified as the main driving force behind a recent spike in cyber insurance claims.
Insurance provider Coalition said in its “2023 Cyber Claims Report: Mid-year Update” that cyber claims rose 12% in the first half of 2023 compared with the second half of 2022, a surge driven primarily by ransomware attacks.
Ransomware claims increased 27% in the first six months of this year, while the average ransom demand grew 47% to $1.62 million.
(Source: Coalition’s “2023 Cyber Claims Report: Mid-year Update,” September 2023)
The severity of ransomware claims hit a record in the first half of 2023 with an average loss amount of more than $365,000. Overall, ransomware claims accounted for 19% of all reported claims during the period.
(Source: Coalition’s “2023 Cyber Claims Report: Mid-year Update,” September 2023)
To get more details, read the report’s announcement and the full report.
And staying with the ransomware topic, the FBI and CISA are urging cybersecurity teams to prepare to fend off attacks from ransomware group Snatch, which targets critical infrastructure organizations in sectors including defense, agriculture and information technology.
The joint advisory “#StopRansomware: Snatch Ransomware,” published this week, details tactics, techniques and procedures, as well as indicators of compromise associated with this ransomware variant.
“After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid,” the document reads.
Snatch, which appeared in 2018 and was originally known as Team Truniger, uses a ransomware-as-a-service (RaaS) model to operate, and employs a variety of frequently changing methods to breach systems and establish network persistence, the agencies said.
For more information about the Snatch ransomware:
A catalog of vulnerabilities exploited in the wild that CISA began compiling almost two years ago recently reached 1,000 items, prompting the agency to look back on the project – and to look forward at what’s to come.
CISA launched the Known Exploited Vulnerabilities (KEV) catalog in November 2021, in order to highlight an important criteria to consider when prioritizing which bugs to fix first: whether a vulnerability has been exploited in the wild.
“The purpose of the KEV is simple: while focusing on vulnerabilities that have been exploited isn’t sufficient, it’s absolutely necessary – so let’s start there,” reads CISA’s blog about the KEV milestone.
However, now that the KEV catalog has more than 1,000 vulnerabilities – specifically 1,008 at the time of this writing – the question of how to prioritize this catalog is starting to pop up. Hint: context is everything.
“The answer is nuanced but essential: the importance of a given vulnerability isn’t constant, but is highly dependent on how the vulnerable product is being used in a specific instance,” the blog reads.
(Tenable addressed this question with recommendations tailored for Tenable customers right after the KEV catalog’s launch in a blog titled “CISA Directive 22-01: How Tenable Can Help You Find and Fix Known Exploited Vulnerabilities.”)
To include a vulnerability in the KEV catalog, CISA must first confirm beyond doubt that it was exploited in the wild and that an effective mitigation exists for it. The bug must also have a Common Vulnerabilities and Exposures (CVE) ID.
Federal civilian executive branch agencies are required to remediate internet-facing KEVs within 15 days and all other KEVs within 25 days. Since November 2021, these agencies have collectively remediated more than 12 million KEV vulnerabilities, including 7 million this year.
So what future plans does CISA have for the KEV catalog? Here are a couple:
For more information about prioritizing vulnerability remediation, check out these Tenable blogs:
The Open Source Security Foundation (OpenSSF) has published the “Source Code Management (SCM) Best Practices Guide,” which is intended as a repository of SCM security policies and guidelines.
The guide, which covers practices including user authentication, access control and change management, is aimed at developers and security operations teams that want to boost the security of their source code projects on SCM platforms.
“This guide is a comprehensive resource dedicated to raising awareness and education for securing and implementing best practices for SCM platforms,” reads an OpenSSF blog.
Recommendations include:
For more information about securing open source software projects:
Most cellular internet-of-things (IoT) modules shipped globally in the second quarter had no dedicated hardware security, and almost a third had no security features at all.
Given this reality, makers of these IoT modules should ramp up their adoption of dedicated hardware security, and buyers should choose IoT products with this security feature.
That’s according to IoT Analytics’ “Global Cellular IoT Module and Chipset Market Tracker & Forecast Q2 2023” report, which tracks revenue and shipments from vendors of IoT modules and chipsets for cellular IoT deployment.
Specifically, the report found that only 34% of cellular IoT modules shipped in Q2 had dedicated hardware security. Meanwhile, 37% had non-dedicated hardware security, and the rest – 29% – had no security features at all.
“With a hardware-based root of trust, manufacturers and consumers can ensure the authenticity of the modules—helping to address cloning and counterfeiting—and protection of the device’s keys,” reads an IoT Analytics statement about the report.
(Source: IoT Analytics’ “Global Cellular IoT Module and Chipset Market Tracker & Forecast Q2 2023”, September 2023)
For more information about the security of cellular IoT components:
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.