More stories

  • Five Eyes advisory warns more malicious Russian cyber activity incoming

    Eight cybersecurity authorities from the Five Eyes nations have come together to release a joint cybersecurity advisory warning that more malicious cyber activity is on the way as Russia’s invasion of Ukraine continues to affect geopolitical stability. “Evolving intelligence indicates that the Russian government is exploring options for potential cyber attacks,” the agencies said.

    The advisory is a joint warning by the US Cybersecurity and Infrastructure Security Agency, the US Federal Bureau of Investigation, the US National Security Agency, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre, the UK National Cyber Security Centre, and the UK National Crime Agency.

    They said that some cybercrime and cyber threat groups have recently publicly pledged support for the Russian government in light of its invasion of Ukraine. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government and the Russian people, the advisory states. Some groups have also threatened to conduct cyber operations against countries and organisations providing materiel support to Ukraine, while other groups have conducted disruptive attacks against Ukrainian websites.

    Among the identified cybercrime groups that have aligned with the Russian government are The CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and the Xaknet Team. Meanwhile, Primitive Bear and Venomous Bear have been flagged as Russian-aligned cyber threat groups that have not been attributed to the Russian government.

    Since the Ukraine invasion, the Five Eyes cybersecurity authorities have also detected malicious cyber operations against IT networks from various Russian government entities. These include the Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18, the Russian Foreign Intelligence Service, the Russian General Staff Main Intelligence Directorate (GRU), GRU’s Main Center of Special Technologies, the Russian Ministry of Defense, and the Central Scientific Institute of Chemistry and Mechanics.

    In light of this malicious activity, the Five Eyes cybersecurity authorities have urged critical infrastructure network defenders to prepare for potential cyber threats — including destructive malware, ransomware, DDoS attacks, and cyber espionage — by hardening their cyber defences and performing due diligence in identifying indicators of malicious activity.

    To protect against this growing cyber threat landscape, the Five Eyes authorities have called for organisations to immediately take four precautions. The first is to update software, including operating systems, applications, and firmware, on IT network assets. According to the Five Eyes authorities, this entails prioritising the patching of known exploited vulnerabilities and of critical and high vulnerabilities that allow for remote code execution or denial of service on internet-facing equipment. They also recommended that IT networks consider using a centralised patch management system and that OT networks use a risk-based assessment strategy to determine which OT network assets and zones should participate in patch management programs. The second precaution is to enforce multi-factor authentication to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords. The remaining two call for organisations to provide end-user awareness training and for users of remote desktop protocols to secure and closely monitor these riskier protocols.

    “RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker,” the advisory states.

    Prior to this warning, US President Joe Biden had already urged local organisations last month to bolster their cyber defence efforts, as Russia has been considering conducting cyber attacks in retaliation for sanctions imposed against the country for its invasion of Ukraine. “Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” Biden said at the time. “My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks.”

  • Best ethical hacking certification (2022)

    Hacking isn’t necessarily about just having an in-depth knowledge of code: It’s about enjoying a challenge and problem-solving. While understanding the bare bones of computing, specific programming languages, risk analysis, and networking before working your way up is valuable and may help you have a successful career in cybersecurity, the work opportunities vary based on your interests and the path you wish to pursue.

    One path you can pursue is that of ethical hacking: Learning how to think like an attacker in order to find and remediate vulnerabilities before threat actors are able to exploit gaps in enterprise systems for illicit financial gain, cyberespionage, or to cause damage. Ethical hacking is also core to the concept of bug bounties — finding vulnerabilities and security problems in services and software on behalf of vendors in return for credit and financial rewards.

    One aspect of these courses is that they focus more on offense rather than defense, and topics covered often include penetration testing, malware analysis, exploit creation, learning how to use the programming languages which often provide the backbone for today’s malware, and a study of modern hacking tools. Below, ZDNet has compiled a list of recommended courses to explore in the ethical hacking field.

    EC-Council CEH

    Best overall because it is globally recognized

    The first recommendation, and perhaps the most well-known option today, is the EC-Council’s Certified Ethical Hacker (CEH) qualification. CEHv11 teaches students about today’s modern hacking techniques, exploits, emerging cybersecurity trends and attack vectors, and how to use commercial-grade tools to effectively break into systems. Modules also include cyberattack case studies, malware analysis, and hands-on hacking challenges. Hacking challenges are introduced at the end of each module to put theory into practice, pushing learners to apply their new knowledge of attacks to business settings. The course makes use of ParrotOS, too, an alternative security-based operating system to Kali.

    This certification would suit a range of roles, including security analysts, pen testers, network engineers, and consultants.

    Offensive Security Pen 200 (OSCP)

    Best for those who want hands-on learning

    Offensive Security’s Penetration Testing with Kali Linux (PEN-200) is the organization’s foundation course in using the Kali Linux OS for ethical hacking. The vendor’s focus is hands-on learning rather than just lectures and academic study and encourages both critical thinking and problem solving with the “Try Harder” slogan. You will need a solid grounding in network principles, and an understanding of Windows, Linux, and Bash/Python will help. If you’re serious about pursuing a career in ethical hacking but are looking for somewhere to start, the OSCP will give you a qualification well-received in the cybersecurity industry. You can also sign up for a subscription to earn your OSCP at a more relaxed pace. 

    Offensive Security Pen 300, Evasion Techniques and Breaching Defenses

    Best for those who desire advanced penetration testing training

    You should consider another ethical hacking certification, the PEN 300 (OSEP). The course builds upon PEN 200 and offers more in-depth, advanced penetration testing training, fieldwork instruction, and studies in perimeter attack and defense. Topics include antivirus evasion, post-exploits, how to bypass network defenses and filters, and Microsoft SQL attacks. You are awarded the OSEP once you have passed the 48-hour exam. “As a general rule, it will not specifically deal with the act of evading a blue team but rather focus on bypassing security mechanisms that are designed to block attacks,” the vendor says.

    SANS SEC560: Enterprise Penetration Testing

    Best for reconnaissance and infiltration

    The SANS Institute also offers courses that are likely to be of interest to anyone pursuing a career in enterprise security, penetration testing, and ethical hacking. One such course is SEC560, which focuses on testing on-premise systems, Azure, and Azure AD as a penetration tester. By learning about and exploiting real-world vulnerabilities, learners are taught how to think like a modern attacker and what security holes need to be looked out for when testing enterprise systems. The course includes over 30 practical lab sessions and ends with a Capture The Flag exercise to test your new skills. SANS offers a six-day in-person course or remote learning.

    CREST certifications

    Best for those who want defined exam paths to certified status

    CREST is also of note as an organization that offers professional development qualifications in information security. CREST’s certifications, which are accredited globally, are organized into three levels: practitioner, registered, and certified. To reach the certified level, you can take exams in subjects including cybersecurity analysis, penetration testing, web applications, threat intelligence, and incident response. Prices vary.

    What is the best ethical hacking certification?

    EC-Council CEH is our top choice, but one size doesn’t fit all

    If you’re looking at a certified ethical hacking course, you should consider what course is right for you in terms of career development. Cybersecurity professionals are in high demand, and while the career can be a lucrative one, you should have researched whether or not specific qualifications will benefit you in the future, whether at your current job or in a future role. While ‘cybersecurity expert’ is an umbrella term, the industry itself has distinct career opportunities ranging from penetration testers to compliance, legal, and auditing professionals. 

    How did we choose these certifications?

    Our recommendations are based on courses that offer learners instruction in different areas of ethical hacking: whether focused on offensive security, pen testing, or the aftermath of incidents and the means to investigate as a member of a cyberforensics team effectively. 

    What roles can an ethical hacking qualification benefit?

    Recruitment paths vary country-to-country, but ethical hacking courses can be of use to those who want to become penetration testers, security analysts — an umbrella term common in the field — cyberforensics investigators, consultants, and members of red teams. 


  • Breaches by the numbers: Why adapting to regional challenges is imperative

    Every year, Forrester delivers the Forrester Analytics Business Technographics® Security Survey, which gives us insight into the current state, challenges, and forward-looking priorities of security decision-makers. This year, we analyzed the data to see how digital transformation hesitancy, disaster recovery preparedness, and balancing expectations with data affect the cost and effects of breaches. Our research, included in The 2021 State Of Enterprise Breaches report, revealed the following: 

    • Sixty-three percent of organizations were breached in the past year, 4% more than the year before. In the past 12 months, organizations faced an average of three breaches. It’s not surprising that this was less than in the previous year, given the shift to remote work during the COVID-19 pandemic. Regions that hesitated to address challenges with business alignment were breached at a higher rate than those that addressed such challenges early on.
    • Enterprises spend a median of 37 days and a mean of $2.4 million to find and recover from a breach. Globally, organizations took a median of 27 days to find an adversary and eradicate an attack and a median of 10 days to recover from a breach, totaling 37 days to find and recover from a breach. Costs came out to a global mean of $2.4 million in total per breach.
    • Concerns over types of breaches are far afield from reality on the ground. Security decision-makers are more concerned about external attacks than any other attack vector, at 47%. Breaches come in various ways, however, and are much more evenly spread in frequency among external attacks, lost/stolen assets, internal incidents, and third-party providers.

    What to take away from this data

    The findings in this research go far beyond what is mentioned above to dig into how geographic differences played an outsize role in how enterprises were affected by breaches. In the full report, we dive into the nuances by region and analyze why these nuances came about. Through our findings, we highlight the following key takeaways for security professionals:

    • The future waits for no one. Procrastinating on digital transformation efforts and other IT priorities works … until an urgent forcing function changes everything. As security professionals, you need to advocate for technology updates internally to help the organization be more flexible, adaptable, and prepared for dramatic shifts, which will continue into the foreseeable future.
    • Following metrics leads to better outcomes. With the constant drumbeat of headline-making breaches, it’s not surprising that security professionals are most concerned with external attacks. It’s important, however, to lead your organization with data and metrics to ensure that you aren’t missing attacks from other, more prevalent vectors. Adjust your strategy according to the data, not the headlines.
    • Adapting to regional challenges within global companies is imperative. Not all regions are built the same — geopolitical conflict, regulations, culture, staffing availability, and other world events greatly influence the rate of breaches and timely response. Your global strategy will face challenges in different regions because of this. Adapt your timelines, strategy, and metrics to address regional limitations, and set appropriate expectations.

    This post was written by Analyst Allie Mellen and it originally appeared here.


  • Best cybersecurity certifications (2022)

    Hardly a week goes by when we don’t hear of a data breach, an exposed AWS bucket owned by a company that has been leaking the records of millions of customers for years, or a serious cybersecurity incident that gives IT teams sleepless nights and prompts government agencies to issue alerts to warn the enterprise of new threats. Cybersecurity incidents over the past few years — including the Microsoft Exchange Server zero-day vulnerabilities debacle, the ransomware attack against Colonial Pipeline, and now the hack-and-forth between Ukraine and Russia — have highlighted the need for cybersecurity experts to protect enterprise resources, critical services, and infrastructure. Cybersecurity Ventures estimates that by 2025, there will be 3.5 million open cybersecurity job vacancies.

    The industry does not necessarily demand certifications to get started, but they can be a great starting point to give you an idea of your particular interests and what sectors of the field to pursue: whether this is in risk analysis, vulnerability management, penetration testing, offensive/defensive work, or bug bounty hunting, among many other options. Either way, undertaking a course or two can give you a thorough grounding in different concepts and deepen your knowledge. Below, we have listed the best options to get you started and to stand out when you apply for a role in this lucrative field.

    Cybrary courses

    Best overall, with both free and paid courses

    Cybrary is an excellent online resource for video-based courses in cybersecurity, suiting a range of skill levels and existing qualifications. You can enroll in courses that explain the fundamentals of particular career paths, whether as a system administrator or as a network engineer — and if you can ignore the cheesy thumbnails used to tout some of the courses, the actual content is valuable. The courses also come with an estimated time to completion and difficulty rating. You might want to explore some of these courses as introductory prep for other formal qualifications, such as the EC-Council’s Certified Ethical Hacking (CEH) and CISSP. Virtual labs for tools including Wireshark and practice tests for qualifications including CompTIA Security+, CISM, and others are also available. (However, it should be noted that the resources on offer, such as for the CEH, are not official courseware or lab sessions.)

    Also of note is that Coursera offers suggested ‘paths’ toward professional qualifications in line with industry standards, such as those managed by NIST. Courses can also be completed at your own pace, and some do result in formal qualifications after you pass.

    Some courses are free, while others require an enrollment or test fee.

    CompTIA Network+, Security+

    Best for networking and basic business security concepts

    It might not be as exciting as learning about penetration tools, Cobalt Strike beacons, or password crackers, but a thorough understanding of networks is necessary for today’s cybersecurity defenders. To get started, you should consider the CompTIA Network+ course, which teaches learners how to build a network from the ground up and how to identify different kinds of network topology and configurations. A solid foundation in networking protocols and standards can help you identify and understand network-based intrusions, propagation, and malware, including ransomware, operating on target networks.

    You can take Security+, a baseline qualification in security concepts and roles, risk analysis, hands-on troubleshooting, and more from this entry-level course. The Security+ exam has had a recent refresh to SY0-601.

    SANS SEC401: Security Essentials Bootcamp Style

    Best for those who want an intense deep dive

    The SANS Institute is a respected provider of professional cybersecurity courses, and SEC401 is described as a “bootcamp” for those with some existing knowledge of IT, networking, and security. While certainly not a cheap undertaking, the in-depth course covers security metrics, audits, risk assessments, network protection, incident detection and response, and more. SANS says the course “will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud.”

    As a course for working professionals, SANS offers flexibility through on-demand, online, or in-person — where possible — training. You can complete the course virtually or in-person over six days.

    Offensive Security Pen 200 (OSCP)

    Best for those who want to focus on offense and hands-on learning

    Offensive Security’s Penetration Testing with Kali Linux (PEN-200) is the organization’s foundation course in using the Kali Linux OS for ethical hacking. The vendor’s focus is on offense and hands-on learning rather than lectures, tickboxes, and completely academic study. Offensive Security encourages critical thinking and problem-solving with its “Try Harder” slogan. After all, if you can learn to think like an attacker, you can better protect systems against them. You will need a solid understanding of networking principles, and some understanding of Windows, Linux, and Bash/Python will help. Successfully completing the course will give you the OSCP certification — as long as you can handle the 24-hour exam. The vendor has recently added the course as an option on a subscription basis for busy individuals who need the flexibility to learn at their own pace. 

    Certified Information Systems Security Professional (CISSP)

    Best for those who want a globally recognized qualification

    CISSP, offered by the International Information System Security Certification Consortium, is one of the most well-known professional cybersecurity qualifications worldwide. The course covers the design and implementation of cybersecurity programs, including engineering, security architectures, risk management, identity and access management, and software security, among other topics. CISSP can be taken in the classroom and led by instructors in real-time, but you will need years of experience in the field as a prerequisite. Online training is possible, but costs vary. 

    ISACA Certified Information Security Manager (CISM)

    Best for moving into management

    ISACA Certified Information Security Manager (CISM) certification is focused on four areas: information security governance, risk management, infosec program creation and management, and security incident management. Therefore, this qualification isn’t suitable as a foundation course but rather could be valuable to move up the management chain in an enterprise security role. To become certified, you need to both pass the exam and have acceptable work experience. Still, afterwards, ISACA says the average salary of a CISM-certified individual can reach $118,000 (although there is an annual maintenance fee). If you’re interested in this course, it should be noted that the old syllabus will be retired in June 2022 to make way for an updated exam. 

    GIAC certifications

    Pick your roadmap

    Global Information Assurance Certification (GIAC) is an institution that offers an array of IT and cybersecurity qualifications. GIAC’s offerings include topics such as security administration, management, legal, auditing, cyberforensics, and software security. Depending on your areas of interest, you can follow roadmaps with suggested courses to broaden your knowledge and skill set. GIAC is an affiliate of the SANS Institute, and some courses, such as GIAC Security Essentials, correspond to training offered by its partner organization. Prices vary for different certifications.

    What is the best cybersecurity certification?

    Cybrary is our top choice for cybersecurity courses, but one size doesn’t fit all

    Choosing a course should depend on your knowledge level and current skill set. Rather than jump right in with an advanced qualification, you may need to spend time learning the basics with a CompTIA, or you may already have enough industry experience to tackle one of the more advanced courses on our list. 

    How did we select these cybersecurity certifications?

    While compiling our recommendations, we covered a range starting from entry-level and broad courses designed to give you foundational knowledge in IT — from the hardware to networks and how systems communicate — to more advanced technical certifications sought after by employers. 

    Should you pay for a course?

    If you’re unsure, check out free courses on Cybrary, YouTube tutorial videos, and Hack The Box before you sign up for a qualification. We especially recommend these options for those who are not completely sure they want a career in cybersecurity.

    Is it really important to learn about networking and PCs first?

    Yes. If you don’t understand the fundamentals, this will lead to a flawed understanding of cybersecurity concepts. You should take the time to build yourself a foundation in IT knowledge first rather than go straight into playing with pen testing software. However, it’s also important to have fun with it, and there are plenty of legal online hubs for learning about cybersecurity — without landing yourself in hot water. 

    Do you have to be certified?

    There is a range of options out there: being self-taught, apprenticeships, degrees, and professional qualifications. If you’re serious about a career in cybersecurity and want to eventually move up the ladder, qualifications can give you a good start, just as in many other fields. 


  • How to give Safari a privacy boost with DuckDuckGo Privacy Essentials

    In this day and age, you should be doing everything in your power to boost the security and privacy of your browsing efforts. If you don’t, you’re being tracked, logged, and monitored by just about every site you visit. For some, that is simply not acceptable. If that sounds like you, and you’re a macOS Safari user, you owe it to yourself to give Apple’s web browser a helping hand with DuckDuckGo Privacy Essentials. This browser add-on helps prevent online tracking by automatically blocking third-party trackers and even grades each site’s privacy from A-F (A being trustworthy and F being absolutely not trustworthy).

    I’m going to show you how to install and use this free Safari extension so you can extend the privacy of Safari. All you’ll need is an Apple laptop or desktop and the Safari browser. Now let’s add some privacy protection to your favorite browser.

    Adding DuckDuckGo Privacy Essentials to Safari

    Before installing, make sure to close Safari. Once you’ve done that, open the Apple App Store and search for DuckDuckGo in the search bar. You should see an entry for DuckDuckGo Privacy Essentials. Click on that entry and then click Get (Figure 1).

    Figure 1: The DuckDuckGo Privacy Essentials entry in the Apple App Store.

    Next, click Install and, when prompted, either tap the fingerprint sensor (if your hardware has one) or type your user password. The installation will begin and finish very quickly.

    Once the installation completes, close the App Store and open Safari. Near the top of the browser window, you’ll see a notification warning that you need to turn on both “Privacy Protection” and “Privacy Dashboard” in the Extension Preferences (Figure 2).

    Figure 2: The next step is enabling these two features in Safari.

    Click Turn On and Review and then, in the next window (Figure 3), click the checkboxes for both Privacy Dashboard and Privacy Protection.

    Figure 3: Enabling both features for DuckDuckGo Privacy Essentials in Safari.

    You’ll be prompted to okay the enabling of the features, so make sure to click Turn On when asked. Close and restart Safari. Next, visit any website you choose and you’ll notice the small circle directly to the left of the address bar will display a grade for the site (Figure 4).

    Figure 4: Facebook earned a C privacy grade.

    If you click on the grade, a new popup will appear with all of the information you need to see. As you can tell, Facebook was upgraded from a previous D listing and DuckDuckGo has blocked 1 tracker (Figure 5).

    Figure 5: DuckDuckGo blocked a single tracker from Facebook.

    You do not have to do anything further: DuckDuckGo blocks trackers in Safari automatically. This one-two punch of both Safari and DuckDuckGo tracker blocking should go a long, long way to keep your browsing experience safe from trackers keeping tabs on your comings and goings within the browser.

    If you’re concerned about your privacy, you should consider the addition of the DuckDuckGo Privacy Essentials extension a must.

    Jack Wallen: How To

  • Time to get patching: Oracle's quarterly Critical Patch Update arrives with 520 fixes

    Enterprise software giant Oracle has released its April Critical Patch Update (CPU) advisory, which includes 520 fixes for security flaws. Critical Patch Updates are collections of security fixes for Oracle products, published quarterly. This update addresses security flaws in dozens of products with three bugs getting a severity rating of 10 out of a possible 10, and about 70 with a score of 9.8.


    Oracle notes that customers should update their software as soon as they can, as it continues to receive periodic reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches: “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

    Oracle Communications Cloud Native Core Network Exposure Function has two bugs with a score of 10, both tracked as CVE-2022-22947, and 31 bugs with a score of 9.8, while Oracle Communications Billing and Revenue Management is affected by one flaw with a score of 10, CVE-2022-21431.

    Eric Maurice, Oracle’s VP of security assurance, says the updates are for a “wide range of product families”, from its database server to the blockchain platform and Oracle Virtualization. Maurice flagged a small adjustment to the timing of Oracle’s CPU release schedule from this point on.

    “With this Critical Patch Update release, Oracle is making a small adjustment to the Critical Patch Update release schedule. Critical Patch Updates will no longer be released on the Tuesday closest to the 17th of the month of January, April, July, and October, but they will be released on the third Tuesday of January, April, July, and October,” he says in a blogpost. “This minor adjustment will not affect the frequency of Critical Patch Update releases (still 4 times a year), but essentially, makes it easier to set calendar reminders and determine the date of future Critical Patch Update releases.”

    Of the 520 patches, Oracle Communications products received 149, 98 of which “may be remotely exploitable without authentication.” Oracle Financial Services applications received 41 patches, with 19 possibly remotely exploitable without authentication. Oracle Fusion Middleware got 54 patches, and 41 of them may be remotely exploitable without authentication. Some 13 vulnerabilities have a severity score of 9.8, affecting products such as Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle HTTP Server, and more.

    The other major recipient of patches was Oracle MySQL, which got 43 patches, of which 11 may be remotely exploitable without authentication. Oracle Retail applications got 30 patches, 15 of which may be remotely exploitable without authentication. Oracle Retail Xstore Point of Service was hit by a 9.8 severity bug tracked as CVE-2022-22965. Oracle Blockchain Platform received 15 patches, 14 of which may be remotely exploitable without authentication. It has one bug with a severity score of 9.8 that affects its nginx backend. Admins of Oracle E-Business Suite Cloud Manager and Cloud Backup Module also need to fix a bug with a score of 9.8, which affects the Log4j component that was hit by the Log4Shell bug.

  • Google: We're spotting more zero-day bugs than ever. But hackers still have it too easy

    Of the 58 zero-day exploits in popular software that Google’s Project Zero tracked in 2021, only two were particularly novel, while the rest relied on the same techniques over and again. That’s both good and bad news for the software industry. 2021 was a record year in terms of the number of zero-day flaws in software like Chrome, Windows, Safari, Android, iOS, Firefox, Office and Exchange that Google Project Zero (GPZ) tracked as being exploited in the wild before a vendor patch was available. 

    At 58, that was more than double the annual rate of discovery and detection of zero-day exploits in the wild since GPZ started tracking zero days in mid-2014. SEE: These are the problems that cause headaches for bug bounty huntersGoogle security researchers have previously pointed out the problems with deriving trends from data about zero days in the wild. For example, just because a bug wasn’t spotted, that doesn’t mean it wasn’t being used. Google has argued that detection is getting better. But there was also a major gap in information: there were only five samples of the exploits used against each of the 58 vulnerabilities. While zero days that are discovered in the wild are a “failure” for attackers, Maddie Stone, a researcher with GPZ, points out in a blogpost that “without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method.”This focus means that attackers are able to continue using their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method, she says. Attackers, she notes, are successfully using the same bug patterns and exploitation techniques and going after the same attack surfaces. This repetition means attackers aren’t yet being forced to invest in new methods and raises questions about how much the industry is raising the cost for attackers. “Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox,” she notes. To make progress in 2022, GPZ hopes to see all vendors agree to disclose that a flaw is being exploited in the wild in their bug bulletins, as Google’s Chrome security team routinely does. Apple disclosed that status for iOS for the first time in 2021. It also wants exploit samples or detailed technical descriptions of the exploits to be shared more widely. 
    GPZ would also like to see more work on reducing memory corruption vulnerabilities, which are by far the most common type of flaw, according to both Microsoft and Google. Stone notes that 67% – or 39 – of the 58 in-the-wild 0-days for the year were memory corruption vulnerabilities.

    GPZ’s conclusion is that the industry made some progress in 2021 through better detection and disclosure, but Stone adds that “as an industry we’re not making 0-day hard.” As she explains: “The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”

    Ransomware: This gang is getting a lot quicker at encrypting networks

    A highly successful and aggressive ransomware gang is getting even faster at encrypting networks as they look to extort ransom payments from as many victims as possible. Researchers at Mandiant examined ransomware attacks by a cyber-criminal group they refer to as FIN12 – responsible for one in five attacks investigated by the cybersecurity company – and found that there’s been a significant decrease in the amount of time between initially breaking into networks and their encryption with ransomware, most commonly Ryuk ransomware.

    According to data published in Mandiant’s M-Trends 2022 report, the average dwell time of FIN12 campaigns – the amount of time between criminal hackers gaining initial access to the network and triggering the ransomware attack – has dropped from five days to less than two days.

    One of the reasons the life cycle of these attacks has been so heavily reduced is that FIN12 campaigns don’t focus on finding sensitive data and stealing it before triggering a ransomware attack. Searching for and stealing data has become a common tactic for many ransomware groups, who, in addition to encrypting the data, threaten to publish it if a ransom isn’t paid. It’s a successful technique that many of the most high-profile ransomware gangs deploy to coerce the victim into paying.

    But despite not adopting this technique, FIN12 is still a highly successful ransomware operation, which in addition to speed also appears to specially select what it perceives to be easy targets from which to extort ransoms. For example, the cyber-criminal group is known to frequently target hospitals and healthcare – organisations that desperately need networks up and running to provide patient care. That means victims in the healthcare sector might be more willing to give in to ransom demands than victims in other industries. The group also targets organisations with high revenues, potentially because the attackers believe they have the best chance of extracting large ransoms from them.

    “The lack of large-scale data exfiltration in FIN12 incidents has almost certainly contributed to the group’s high cadence of operations,” says the Mandiant report.

    There are several methods that FIN12 uses to infiltrate networks, including gaining access via earlier backdoor malware infections, such as TrickBot and BazarLoader.
    The malware is delivered to machines – sometimes via phishing email – and it’s common for ransomware groups to lease out or otherwise leverage this access to ultimately encrypt the network. Researchers also note that several FIN12 campaigns have used legitimate usernames and passwords to log in to virtual environments, including Microsoft Office 365. It’s possible that these credentials were bought on underground forums.

    FIN12 tends to focus attacks against North American victims – but Mandiant warns that the ransomware group could potentially target a wider range of victims around the world.

    “The United States government and law enforcement community have significantly amped up the pressure on ransomware operators. This has increased the risks of ransomware groups targeting American organisations and by extension makes EMEA a more tempting target,” said Jamie Collier, senior threat intelligence advisor at Mandiant. “Cyber criminals will often seek to capitalise on the mixed levels of security maturity within EMEA to focus on high-value, low-security targets,” he added.

    Some of the steps that organisations can take to help avoid falling victim to ransomware attacks include applying security patches promptly, so cyber criminals can’t exploit known vulnerabilities to deliver malware, and ensuring that any password known to have been breached is changed. Organisations should also provide users with multi-factor authentication as an additional barrier against cyberattacks that attempt to abuse leaked credentials.