More stories

  • Researchers turn the spotlight on the hidden workers of the cybercrime world

    Security researchers have put the spotlight on a little-known but growing group of people who make up a significant part of the cyber-criminal ecosystem, even though some of them may not even be aware that they’re actually taking part in illegal activities. A collaborative research project by Czech Technical University in Prague, plus cybersecurity companies GoSecure and SecureWorks, analyzed the activities of people on the fringes of cybercrime, those behind projects like building the websites that end up being used for phishing attacks, affiliate schemes to drive traffic towards compromised or fake websites or writing the code that ends up in malware. 

    The people behind these projects are doing it because it’s an easy way to make money. But by doing this work, they’re laying the foundations for cyber criminals to carry out malicious campaigns.

    The research, titled The Mass Effect: How Opportunistic Workers Drift into Cybercrime and presented at Black Hat USA, has its origins in analysis by Czech Technical University that revealed the inner workings of Geost, a botnet and Android malware campaign that infected hundreds of thousands of users, which allowed researchers to examine chat logs of some of those involved. They were able to trace people in these chat logs to online forums and other discussion platforms and gain an insight into what motivates them.

    “We started to understand that, although they were involved in spreading malicious applications, they weren’t necessarily the mastermind behind it, but rather the informal workers, those who work on small gigs,” said Masarah Paquet-Clouston, security researcher at GoSecure.

    But while these people are at the bottom of the hierarchy, they’re performing useful tasks for cyber criminals who use the websites and tools they build for malicious activities, including phishing and distributing malware.

    “They are trying to earn a living and maybe crime is paying better so they go there, they drift into crime and come and go,” said Sebastian Garcia, assistant professor at Czech Technical University, who argues that more attention needs to be paid to the people who dance the line between cybercrime and legal activity. “There is a mass of people in these public forums that the security community is not looking into, but these are the support, these are the people doing the majority of the work, building web pages for phishing emails, APKs, the encryption, the malware, the money mules,” he said.

    If we always focus on ‘motivated offenders’, the masterminds who actually thought of building the botnet and making money through all of this, we forget the workers, warned Paquet-Clouston. “We as a community often forget that there are many people involved, but they’re not necessarily highly motivated people but rather just those who end up doing the activity,” she said.

    However, this doesn’t necessarily mean that the people involved in these schemes should be treated as if they’re criminal masterminds, particularly when some may not even know that their skills are being exploited to aid cybercrime. In fact, it could be possible to provide many of these people with opportunities to use their skills in a way that’s beneficial, rather than using them to help cybercrime. “There is a lot of people that, maybe given the correct opportunity, they don’t have to drift into crime,” said Garcia.

  • PJCIS asks for Australia's 'hacking' Bill to gain judicial oversight and sunset clauses

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended the passage of the so-called “hacking” Bill that will afford three new computer warrants to two Australian law enforcement bodies, providing its 33 other recommendations are met.

    The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) the new warrants for dealing with online crime.

    The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant. The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.

    The Bill has been criticised for its “wide-ranging” and “coercive” powers by the Office of the Australian Information Commissioner (OAIC), human rights lawyers have asked that the Bill be re-drafted, and the likes of Twitter have labelled parts of the proposed Bill as “antithetical to democratic law”.

    After considering all the submissions made and testimonies provided on the Bill, the PJCIS in its report [PDF] has called for some tweaks, such as amending the Bill to provide additional requirements on the considerations of the issuing authority to ensure the offences are reasonably serious and proportionality is maintained.

    “The effect of any changes should be to strengthen the issuing criteria and ensure the powers are being used for the most serious of offending,” it added.

    The committee wants the issuing authority for all of the new powers introduced by the Bill, including emergency authorisations, to be a superior court judge, either of the Federal Court or a state or territory Supreme Court, except for account takeover warrants, which may be granted by an eligible Judge as provided for in the Surveillance Devices Act 2004. The issuing authority, PJCIS asked, must give consideration to third parties, specifically their privacy, and to privileged and journalistic information.

    It wants the Bill amended so that, in order to provide an emergency authorisation for disruption of data held in a computer, an authorising officer must be satisfied that there are no alternative means available to prevent or minimise the imminent risk of serious violence to a person or substantial damage to property, and that they consider the likely impacts of the proposed data disruption activity on third parties. In addition, the committee said the Bill should be amended so that, where an issuing authority declines to retrospectively approve an emergency data disruption authorisation, the issuing authority may require the AFP or ACIC to take remedial action, including financial compensation.

    The OAIC previously testified that the definition of a “criminal network of individuals” has the potential to include a significant number of individuals, including third parties not the subject or subjects of the warrant who are only incidentally connected to the subject or subjects of the warrant. To remedy that, the PJCIS has asked that the definition under the network activity warrant require there to be a reasonable suspicion of a connection between the suspected conduct of the individual group member in committing an offence or facilitating the commission of an offence and the actions or intentions of the group as a whole.

    Where applying for authorisation is concerned, the committee wants changes made to reflect that only an AFP or ACIC law enforcement officer can apply for a data disruption warrant or an account takeover warrant. The person must also be approved, in writing, by either the AFP Commissioner or ACIC CEO to apply for data disruption warrants, and the relevant agency head must also be satisfied that the person possesses the requisite skills, knowledge, and experience to make warrant applications. Further amendments requested include that the individual must make a sworn affidavit setting out the grounds of an application for an account takeover warrant.

    The PJCIS has asked that the issuing criteria for each of the warrants require satisfaction that the order for assistance, and not just the disruption of data, is “reasonably necessary to frustrate the commission of the offences that are covered by the disruption warrant; and justifiable and proportionate, having regard to the seriousness of the offences that are covered by the disruption warrant and the likely impacts of the data disruption activity on the person who is subject to the assistance order and any related parties”. It wants it made clear that decisions under the Bill are not excluded from judicial review.

    The PJCIS wants the Bill to impose a maximum period for a non-emergency mandatory assistance order to be served and executed, and asked that if the order is not served and executed within that period, the order will lapse and a new order must be sought. It also wants all applications for a non-emergency mandatory assistance order to be made in writing and for the AFP and the ACIC, unless absolutely necessary, to be prohibited from seeking a non-emergency mandatory assistance order in respect of an individual employee of a company.

    Further amendments include the Bill making it clear that no mandatory assistance order can ever be executed in a manner that amounts to the detention of a person, and that the Bill introduce immunity provisions for both assisting entities and those employees or officers of assisting entities who are acting in good faith with an assistance order.

    The AFP and ACIC, the committee said, should also be required to notify the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security (IGIS) as soon as reasonably practicable if they cause any loss or damage to other persons lawfully using a computer. Similarly, the PJCIS wants any computers that have been removed from premises under a data disruption warrant or a network activity warrant to be returned as soon as reasonably practicable.

    Elsewhere, PJCIS has requested an amendment to allow it to conduct a review of the three warrants no less than four years from when the Bill receives Royal Assent. It also wants each of the new powers to sunset five years from the date on which the Bill receives Royal Assent.

    The final recommendation, recommendation 34, simply states: “The committee recommends the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 be passed, subject to the amendments outlined above.”

  • Edge Super Duper Secure Mode turns off the JavaScript JIT compiler for extra security

    The lead of Microsoft Edge Vulnerability Research, Johnathan Norman, has detailed an experiment in Edge that disabled the JavaScript just-in-time (JIT) compiler to enable some extra security protections. Describing JIT compiling as a “remarkably complex process that very few people understand and it has a small margin for error”, Norman pointed out that half of all vulnerabilities for the V8 JavaScript engine were related to the process.

    With the JIT engine turned off, it was possible for Edge to turn on protections — such as the hardware-based Control-flow Enforcement Technology (CET) from Intel, and Windows’ Arbitrary Code Guard (ACG) and Control Flow Guard (CFG) — that were previously incompatible with JIT. “This is unfortunate because the renderer process handles untrusted content and should be locked down as much as possible,” Norman said. “By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult.

    “This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers.”

    In testing Edge with JIT disabled, Norman said users rarely noticed a difference in daily browsing, but the JIT-less Edge fared badly in benchmark tests, with performance reduced by as much as 58%.

    “Our tests that measured improvements in power showed 15% improvement on average and our regressions showed around 11% increase in power consumption. Memory is also a mixed story with negatively impacted tests showing a 2.3% regression, but a larger gain on the tests that showed improvements,” Norman wrote. “Page Load times show the most severe decrease with tests that show regressions averaging around 17%. Startup times, however, have only a positive impact and no regressions.”

    Super Duper Secure Mode is currently available via edge://flags for users of the canary, dev, and beta release channels of the browser. It currently switches CET on, but is not yet compatible with WebAssembly.

    “It will take some time, but we hope to have CET, ACG, and CFG protection in the renderer process. Once that is complete, we hope to find a way to enable these mitigations intelligently based on risk and empower users to balance the tradeoffs,” Norman said. “This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome. Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature.”

    On Twitter, Norman said plans were afoot to take Super Duper Secure Mode to macOS and Android, and to get WebAssembly working.

  • Audit finds some former WA government staff still have systems access after termination

    A report from Western Australia’s Auditor-General has found that some former staff at state entities still had access to IT systems and equipment despite their employment having been terminated.

    The finding was made as part of the Office of the Auditor-General’s (OAG) probe into staff exit controls in place at three state government agencies. The audit [PDF] assessed whether the Department of Planning, Lands and Heritage (DPLH), the Department of Finance, and the Department of Local Government, Sport and Cultural Industries (DLGSC) effectively and efficiently managed the exit of staff to minimise security, asset, and financial risks. The audit covered the period 1 July 2019 to 31 December 2020 with a sample of 30 staff from DLGSC, 27 from DPLH, and 26 from Finance, including consultants and third-party contractors, who left during that period.

    While the report found all entities cancelled exiting staff’s IT system access, it was not always done immediately. According to the report, it took between two and 161 days to deactivate or withdraw access to information systems after staff left the entity. At Finance, OAG said it took between six and 161 days to cancel access to IT systems after the last day of employment. However, the case that took 161 days was related to a secondment arrangement where the former employee continued undertaking work on behalf of the entity. Setting that case aside, Finance took, on average, seven days to cancel IT systems access, despite its security management framework noting that IT access for terminated staff is meant to be disabled on the last day of employment. DPLH does not record specific dates when IT access is cancelled, but in probing system log information, where it was available, OAG found late cancellations ranged between one and 124 days after the individual had left.

    Similarly, the OAG said DLGSC did not have sufficient information to determine when access to IT systems was cancelled for all 30 people in its audit sample. “System logs showing the dates of when this occurred were not recorded. In the absence of this information, we checked whether any of the individuals had accessed the IT systems and found that 29 did not access the system after they left,” the report said. “One person had accessed the system four days after their exit date.”

    The report also found that DPLH and DLGSC both lacked adequate information to show that office access passes were returned or deactivated for 72% of the sampled former staff. OAG said staff at DLGSC were charged a AU$12 fee for any changes to the status of passes by the private operator that managed the building and were therefore disincentivised from undertaking the process.

    All access passes were cancelled or deactivated after staff left Finance; however, for five out of the sample of 26, OAG said the cancellation of passes was not timely. For four people, OAG said it took between six and 44 days. The individual on secondment still had physical building access for the 116 days they continued to have systems access.

    Also under scrutiny was the asset returns process at the three entities, with OAG finding none had a complete and easily accessible record of all assets, including IT equipment, provided to staff. The report said OAG was unable to verify whether all IT assets had been returned to DPLH because there were insufficient records of what was issued to the 27 people in its sample. It said 15 staff had left with no evidence of laptop return. Only two of the 27 people were known to have had a phone issued, with evidence proving only one had been returned. At DLGSC, the OAG found records of only six exited staff in its sample of 30 pertaining to laptop returns, and Finance demonstrated that 19 of 26 staff in the sample returned their IT equipment.

    To minimise the risk of unauthorised access to premises when staff leave, OAG recommended entities maintain an accurate register of all access passes, including returns and cancellation/deactivation, conduct regular audits of all active passes, and ensure all access passes are returned when staff leave.

    The OAG has also requested the entities ensure access to IT systems is removed or disabled immediately when staff leave. It has also asked the entities to clearly record when the removal of IT system access occurred and to maintain a register of all assets issued to staff at commencement, during employment, and what is returned at exit. In addition, entities have been asked to minimise the risk of financial loss from overpayments to terminated employees, better manage the risks with different circumstances of employment termination, and improve communication between business functions responsible for staff exits.

  • Security company warns of Mitsubishi industrial control vulnerabilities

    Cybersecurity company Nozomi Networks Labs has warned the industrial control system (ICS) security community about five vulnerabilities affecting Mitsubishi safety PLCs.

    In a new report, the company said Mitsubishi acknowledged the issues — which are focused on the authentication implementation of the MELSOFT communication protocol — after they were discovered at the end of 2020. The Japanese manufacturing giant has devised a strategy to patch the issues, but Nozomi Networks Labs said software updates for safety PLCs or medical devices often take longer to deploy than other software products. Vendors must go through specific certification processes before patches can be released, the report explained.

    “Depending on the type of device and regulatory framework, the certification procedure could be required for each individual software update,” Nozomi Networks Labs researchers wrote. “While waiting for the patch development and deployment process to be completed, we deployed detection logic for customers of our Threat Intelligence service. At the same time, we started researching more general detection strategies to share with asset owners and the ICS security community at large.”

    The researchers noted that the vulnerabilities they found “likely” affect more than one vendor and said they were concerned that “asset owners might be overly reliant on the security of the authentication schemes bolted onto OT protocols, without knowing the technical details and the failure models of these implementations.”

    The security company disclosed the first batch of vulnerabilities through ICS-CERT in January 2021 and another batch more recently, but patches are still not available.

    Mitsubishi has released a number of mitigations and Nozomi Networks Labs urged customers to assess their security posture in light of the advisories. The report specifically leaves out technical details or proof-of-concept documents in an effort to protect systems that are still being secured.

    Researchers discovered the vulnerabilities while researching MELSOFT, which is used as a communication protocol by Mitsubishi safety PLCs and the corresponding engineering workstation software GX Works3. They found that authentication with MELSOFT over TCP port 5007 is implemented with a username/password pair, which they said is “effectively brute-forceable” in some cases. The team tested multiple methods that gave them access to systems and found that there are even instances where attackers can reuse session tokens generated after successful authentication.

    “An attacker that can read a single privileged command containing a session token is able to reuse this token from a different IP after it has been generated, within a window of a few hours,” the report said. “If we chain together some of the identified vulnerabilities, several attack scenarios emerge. It’s important to understand this approach as real world attacks are often executed by exploiting several vulnerabilities to achieve the final goal.”

    Once an attacker gains access to a system, they can then take measures to lock other users out, forcing the last-ditch option of physically shutting down the PLC to prevent further harm.

    Nozomi Networks Labs suggested asset owners protect the link between the engineering workstation and the PLC so that an attacker cannot access the MELSOFT authentication or authenticated packets in cleartext. They also suggested protecting access to the PLC so that an attacker cannot actively exchange authentication packets with the PLC.
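    The token-reuse finding quoted above lends itself to one of the general detection strategies the researchers say they were working on: a passive monitor on the workstation-to-PLC link that remembers which source address each session token was issued to and alerts when a privileged command presents that token from a different address, or presents a token the monitor never saw being issued. The code below is an added example written for this page, not Nozomi Networks Labs' detection logic and not the MELSOFT wire format; the events are constructed, protocol-neutral records (timestamp, source IP, token, event type) standing in for what a sensor would extract, and the four-hour window is an assumption standing in for the "few hours" the report mentions.

```python
"""Flag session tokens that are reused from a different source address than the one
they were issued to. Added example; observations are constructed and protocol-neutral."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed observations: (ISO timestamp, source IP, session token, event type)
OBSERVED: List[Tuple[str, str, str, str]] = [
    ("2021-01-10T08:00:00", "10.0.0.5",  "tok-a1", "auth_ok"),
    ("2021-01-10T08:05:00", "10.0.0.5",  "tok-a1", "write_program"),  # legitimate, same host
    ("2021-01-10T09:30:00", "10.0.0.77", "tok-a1", "write_program"),  # replayed from another host
    ("2021-01-10T10:00:00", "10.0.0.9",  "tok-b2", "auth_ok"),
    ("2021-01-11T10:30:00", "10.0.0.77", "tok-b2", "write_program"),  # replayed after the window
    ("2021-01-10T11:00:00", "10.0.0.77", "tok-c3", "write_program"),  # token never issued on this link
]

# Assumption: stands in for the "few hours" validity window the report describes.
WINDOW = timedelta(hours=4)


def find_token_reuse(events: List[Tuple[str, str, str, str]],
                     window: timedelta = WINDOW) -> List[Tuple[str, str, str]]:
    """Return (token, source_ip, reason) alerts.

    Records the IP each token was issued to (auth_ok events), then flags any later
    privileged command that presents the token from a different IP, noting whether
    the use fell inside or outside the assumed validity window, as well as commands
    that carry a token the monitor never saw being issued."""
    issued: Dict[str, Tuple[str, datetime]] = {}   # token -> (owner_ip, time of issue)
    alerts: List[Tuple[str, str, str]] = []
    for ts, ip, tok, ev in sorted(events, key=lambda e: e[0]):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if ev == "auth_ok":
            issued[tok] = (ip, t)
            continue
        if tok not in issued:
            alerts.append((tok, ip, "token used without observed authentication"))
            continue
        owner_ip, t0 = issued[tok]
        if ip != owner_ip:
            age = t - t0
            where = "inside" if age <= window else "outside"
            alerts.append((tok, ip,
                           f"token issued to {owner_ip} reused from {ip} {where} the {window} window (age {age})"))
    return alerts


def summarize(alerts: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Alerts per source IP: a quick view of which host is presenting other hosts' tokens."""
    counts: Dict[str, int] = {}
    for _, ip, _ in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_token_reuse(OBSERVED)
    for tok, ip, reason in found:
        print(f"{tok} from {ip}: {reason}")
    print(summarize(found))
```

    The monitor only works where the sensor can see the authentication exchange as well as the later commands, which is the same link the report asks asset owners to protect; on a link where the exchange is no longer visible in cleartext, the "token used without observed authentication" branch will fire for every command and should be treated as a sign that the sensor, not the PLC, needs attention.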

  • Facebook shuts down NYU misinformation study, sparking outrage

    Facebook is facing significant backlash from lawyers and professors at two New York universities after the platform shut down a study being done on political ads and the spread of misinformation. New York University (NYU) and Columbia University released a statement on Wednesday condemning the decision by Facebook, which shut down the accounts of New York University researchers Laura Edelson and Damon McCoy on Tuesday evening.

    In a statement, Edelson said they had been negotiating with Facebook for months over a research tool called Ad Observer. The tool is part of the work of NYU Cybersecurity for Democracy, where Edelson is lead researcher and a Ph.D. candidate in computer science at New York University Tandon School of Engineering. Ad Observer is a browser plugin that gave Facebook users the chance to share “limited and anonymous information” about the political ads they see on a daily basis. The tool also allows researchers and reporters to look through political advertising trends on Facebook in their states.

    “Yesterday evening, Facebook suspended my Facebook account and the accounts of several people associated with Cybersecurity for Democracy, our team at NYU. This has the effect of cutting off our access to Facebook’s Ad Library data, as well as Crowdtangle,” Edelson said. “Over the last several years, we’ve used this access to uncover systemic flaws in the Facebook Ad Library, to identify misinformation in political ads, including many sowing distrust in our election system, and to study Facebook’s apparent amplification of partisan misinformation. By suspending our accounts, Facebook has tried to shut down all this work.”

    Edelson added that Facebook had effectively cut off access to more than two dozen other researchers and journalists who get access to Facebook data through the project, including work measuring vaccine misinformation with the Virality Project and other partners.

    Facebook did not respond to a request for comment, but Facebook product management director Mike Clark released a blog post accusing the university of studying political ads “using unauthorized means to access and collect data from Facebook” that was in violation of the website’s Terms of Service.

    “We took these actions to stop unauthorized scraping and protect people’s privacy in line with our privacy program under the FTC Order. The researchers gathered data by creating a browser extension that was programmed to evade our detection systems and scrape data such as usernames, ads, links to user profiles and ‘Why am I seeing this ad?’ information, some of which is not publicly-viewable on Facebook,” Clark said. “The extension also collected data about Facebook users who did not install it or consent to the collection. The researchers had previously archived this information in a now offline, publicly-available database.”

    Clark corroborated what NYU said, writing that the two sides had been negotiating since Facebook sent both Edelson and McCoy a cease-and-desist letter last fall demanding they stop using the tool. Facebook wanted the two to take down all of their previous research as well. Clark said they told NYU the tool was against their Terms of Service before they even deployed it in the summer of 2020. He compared the research project to “scraping,” a widespread problem many social media sites now face from cybercriminals and political actors who abuse privileges to steal troves of data from sites like LinkedIn and Facebook. In April, information belonging to 553 million Facebook users was posted online following a scraping incident.

    The researchers also turned down an attempt by Facebook to give them data collected by the social media platform itself on political ad targeting from the 2020 US election. Facebook has set up internal programs similar to Ad Observer.

    “We made it clear in a series of posts earlier this year that we take unauthorized data scraping seriously, and when we find instances of scraping we investigate and take action to protect our platform,” Clark said, arguing further that the violations of privacy outweighed the research’s value. “While the Ad Observatory project may be well-intentioned, the ongoing and continued violations of protections against scraping cannot be ignored and should be remediated.”

    Edelson said the work they were doing to “make data about disinformation on Facebook transparent” was “vital to a healthy internet and a healthy democracy.” She added that Facebook is “silencing” the two because they were calling attention to the platform’s issues dealing with misinformation in political ads, which has become a sensitive topic for the social media giant. “Worst of all, Facebook is using user privacy, a core belief that we have always put first in our work, as a pretext for doing this,” Edelson said. “If this episode demonstrates anything it’s that Facebook should not have veto power over who is allowed to study them.”

    McCoy pointed out that Facebook made this decision right as it is facing widespread backlash from the US government for the spread of COVID-19 vaccine disinformation. Last month, President Joe Biden made waves when he said Facebook was “killing people” through COVID-19 misinformation. McCoy also criticized Facebook for citing privacy violations considering advertisers “consented to making their ads public.”

    The two noted that reporters across the country used the tool to write about the 2020 election and that Facebook waited months to shut down their accounts. Hours before their accounts were shut down, they told Facebook they were “studying the spread of disinformation about January 6 on the social media platform.”

    The researchers’ lawyer, Seth Berlin, called it “remarkable” that Facebook would argue political advertising is private considering its purpose and disputed the platform’s claims that the Ad Observer team collects private user information. “Facebook’s primary justification for trying to shut down this important research simply doesn’t hold up,” Berlin said.

  • Black Hat: This is how a naive NSA staffer helped build an offensive UAE security branch

    BLACK HAT USA: What began as an incredible job offer for a naive, young security analyst turned into an explosive case of former US experts unwittingly helping a foreign service create an offensive security branch.

    Known as Project Raven, a team of over a dozen former US intelligence operatives was poached with promises of job roles that seemed too good to be true — only for them to participate in activities on behalf of the United Arab Emirates (UAE) that were, at the least, dubious. Project Raven, as previously reported by the New York Times and Reuters, involved the clandestine surveillance of other governments, militant groups, human rights activists, journalists, and other parties of interest to — or critical of — the monarchy.

    One of these operatives was David Evenden, a former offensive intelligence analyst, member of the Navy, and now founder of StandardUser LLC, who once worked for the US National Security Agency (NSA). At Black Hat USA in Las Vegas, Evenden described his time working for the UAE, a story that has also previously been covered extensively in the Darknet Diaries podcast.

    After working for the NSA for roughly three years, in 2014, a recruiter from CyberPoint, reported to have been vetted by the US government, approached Evenden with a new career opportunity. He was told he would be involved in security work in Abu Dhabi and would be helping to tackle terrorist activity and reduce the workload on government agencies in his homeland, as part of a wider defense agreement with the United States.

    “It was all above board and we all felt confident in what we were doing,” Evenden said. As noted in “This is how they tell me the world ends,” penned by Nicole Perlroth, the overarching contract was known as Project DREAD — or Development Research Exploitation and Analysis Department. Perlroth writes that Project DREAD relied “heavily” on subcontractors including CyberPoint as well as the “dozens of talented former NSA hackers like Evenden.”

    The security specialist explained that upon arrival, two back-to-back briefings were set up. The “cover” story, in a purple folder, was that he would be working on defensive measures. However, in the following meeting, a black folder was issued. The black folder revealed that Evenden would be working with NISSA, the UAE’s NSA counterpart, in offensive security, surveillance, and collecting data on targets of interest — and this was never to be acknowledged to the general public. If this wasn’t a red flag, the use of a converted villa for operations — as well as the promise of a tax-free lifestyle and a lucrative salary — should have tipped Evenden off to something not being quite right.

    For the first few months, reconnaissance was performed to combat terrorism, such as pulling data from the Twitter API, keyword analytics, and computational deltas of social media chatter. However, while originally told he would be working on behalf of the US and allies, the operative said in Darknet Diaries that it wasn’t long before CyberPoint was hacking “real and perceived” Emirati enemies on behalf of its clients, rather than terrorist operatives. ISIS was one of the first groups in scope, but this eventually turned to everyone from civil rights activists to journalists and individuals criticizing the UAE on Twitter.
“We then began to get questions about following the money,” the security expert said, adding that the group was then asked to gain access to Qatar to see if there was any cash being funneled to support the Muslim Brotherhood — and when told that they would need to hack the country’s systems, permission was granted. Intel submissions then started to deviate — such as requests made for the Qatari royal family’s flight plans. It was the moment that emails belonging to Michelle Obama landed on his PC, in 2015, that changed the game. The emails related to the former First Lady’s team and a trip to the Middle East to promote the “Let Girls Learn” initiative.  “This was the moment I said, “We shouldn’t be doing this. This is not normal,” Evenden told Perlroth.In late 2015, a local entity, DarkMatter, took over the Project Raven operation. The group was allowed to perform offensive operations against foreign organizations, and operatives were told to join or go home. “People who are loyal to the United States are not going to do that, so we jumped ship and moved home,” Evenden said. Another member of the team was Lori Stroud, a cybersecurity specialist who had previously worked for the NSA. A request from DarkMatter reportedly came in to target a US journalist, and once Stroud voiced her concerns, she was promptly removed from the project. Speaking to Reuters, Stroud said that at that moment, she became “the bad kind of spy.”The red flags Evenden missed can be taken as a lesson to other security professionals considering a move abroad, and he has some advice to give — in the hope that others do not make the same mistakes. “Vet your leadership — that’s one of the main things I learned out of this,” Evenden commented. “If you get those hairs standing up on your arms, you need to step back [and] make sure you have an exit strategy — whether or not an organization provides you with one, you need one, too.” Previous and related coverage Have a tip? 


    Volume of cyber intrusion activity globally jumped 125%: Accenture

    A new report from Accenture has found that for the first half of 2021, the volume of cyber intrusion activity is up 125% globally compared to the same period last year. Accenture said the report is based on its work with clients recovering from incidents, and attributed the increase in intrusions to web shell activity, ransomware incidents and supply chain attacks. While the US (36%) led the list of most targeted countries, as it usually does, the UK (24%) and Australia (11%) were not far behind.

    Consumer goods and services companies faced the highest number of attacks among Accenture’s customers, followed by organizations in the manufacturing industry, banking and hospitality. Robert Boyce, who leads Accenture’s Cyber Investigations, Forensics & Response business globally, said organizations are only protecting their core corporate systems and leaving themselves open to attack through third parties and the other supply chains they are part of. Any subsidiary or affiliate also needs to be secured, Boyce said. “Industries that previously experienced lower levels of cyberattacks during the pandemic — such as consumer goods & services, industrials, travel & hospitality, and retail — should reevaluate their cybersecurity posture as increased consumer activity in these industries presents renewed opportunities for cybercriminals,” Boyce added. 

    Ransomware dominated the report’s section on malware, with the now-defunct REvil/Sodinokibi group accounting for 25% of the ransomware attacks seen by Accenture’s team. Accenture’s insurance industry customers were the most frequent ransomware targets, making up 23% of all ransomware victims, and consumer goods and services companies as well as telecommunications companies were heavily targeted too. The report was also clear about the size of company ransomware operators mainly go after: 54% of all ransomware or extortion victims were companies with annual revenues between $1 billion and $9.9 billion.

    The researchers also found that the number of backdoors, droppers and credential stealers used by cybercriminals rose in the first half of 2021.
