Cybersecurity Saturday

From the cyber breaches front, Health IT Security reports

Healthcare data breaches cost an average of $10.1 million per incident last year, IBM Security found in the 2022 edition of its “Cost of a Data Breach Report.” The figure signified a 9.4 percent increase from the 2021 report and a 41.6 percent increase from 2020. For the 12th consecutive year, the healthcare sector suffered the most expensive data breach costs compared to any other industry examined in the report. * * *

The use of stolen or compromised credentials remained the top cause of a data breach in the 2022 report, accounting for 19 percent of all analyzed breaches.

[P]hishing attacks emerged as the second most common cause of a breach, accounting for 16 percent of all analyzed breaches. Additionally, phishing was the most expensive breach type, averaging $4.91 million.

Business email compromise (BEC) averaged $4.89 million in costs, making it nearly as expensive as a phishing attack. Unsurprisingly, incidents that had the longest average times to identify and contain them were also the most expensive.

From the cybervulnerabilities front —

Cybersecurity Dive tells us

Threat actors are increasingly distributing malware via container files, including ISO and RAR, as well as Windows shortcut files (LNK), following prior decisions by Microsoft to block macros by default in Microsoft Office, according to Proofpoint research released Thursday.

Microsoft previously disclosed plans to block XL4 and VBA macros in Office by default in October 2021 and February, respectively. 

Proofpoint researchers said the use of VBA and XL4 macros fell by 66% between October 2021 and June of this year. The researchers call the movement one of the “largest email threat landscape shifts in recent history.”

CISA added another known exploited vulnerability to its catalog. The Hacker News explains

The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances. “A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group,” CISA notes in its advisory.

From the ransomware front, while regrettably Bleeping Computer’s The Week in Ransomware is off again this week, Bleeping Computer does report

Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that continues since the last quarter of 2021.

Ransomware remediation firm Coveware has published a report today with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

This continues a downward trend since Q4 2021, which represented a peak in ransomware payments both average ($332,168) and median ($117,116).

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,” comments Coveware in the report.

“We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts.” The median size of the companies targeted this quarter dropped even further, with the actors looking for smaller yet financially healthy organizations to disrupt, the company says.

Security Week adds

Cybersleuths at Microsoft have found a link between the recent ‘Raspberry Robin’ USB-based worm attacks and EvilCorp, a notorious Russian ransomware operation sanctioned by the U.S. government.

According to fresh data from Redmond’s threat intelligence team, a ransomware-as-a-service gang it tracks as DEV-0206 has been caught rigging online ads to trick targets into installing a loader for additional malware previously attributed to EvilCorp.

Even more ominously, Microsoft said its research teams discovered EvilCorp malware distribution tactics and observed behavior all over the ‘Raspberry Robin’ worm seen squirming through corporate networks earlier this week.

The connection suggests the cybercriminals behind the EvilCorp operation are working with other groups to get around the U.S. Justice department sanctions that block ransomware extortion payments.

“The use of a RaaS payload by the ‘EvilCorp’ activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status,” Microsoft said. EvilCorp is allegedly run by Russian nationals Maksim Yakubets and Igor Turashev, who were charged by the United States in 2019.