More stories


    Exchange Server bug: Patch now, but multi-factor authentication might not stop these attacks, warns Microsoft

    Microsoft has released security updates for its Exchange on-premises email server software that businesses should take on board.


    The security updates are for flaws in Exchange Server 2013, 2016, and 2019, the on-premises versions of Exchange that were compromised earlier this year by the Beijing-backed hacking group that Microsoft calls Hafnium. Four vulnerabilities in on-premises Exchange Server software were exploited in that campaign, and now Microsoft has warned that one newly patched flaw, tracked as CVE-2021-42321, is also under attack. The Exchange security updates were released as part of Microsoft's November 2021 Patch Tuesday updates for Windows, the Edge browser, the Office suite, and other software products.

    The Exchange bug CVE-2021-42321 is a "post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment," Microsoft said in a blog post about the new Exchange bugs. "These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action," Microsoft notes.

    Post-authentication flaws are risky because the attacker does not need to defeat the login at all: a legitimate but stolen credential is enough. For the same reason they can render two-factor authentication useless, since the exploit runs only after the second factor has already been satisfied. The China-based attackers behind the earlier campaign reached Exchange Servers through the four bugs or stolen credentials and used that access to plant web shells, command-line interfaces that let them communicate remotely with an infected server. Web shells are handy for attackers because they survive patching and have to be removed by hand.

    Attackers generally go after admin credentials to run malware, but they also use connections that aren't protected by a VPN, or attack the VPNs themselves. Microsoft provides detailed update instructions that Exchange admins should follow, including moving to a supported cumulative update (CU) for Exchange Server 2013, 2016, and 2019. The company cautions that the November security updates only install on supported CUs; it won't be providing updates for unsupported ones.

    Microsoft confirmed that two-factor authentication (2FA) won't necessarily protect against attackers exploiting the new Exchange flaws, particularly if an account has already been compromised. "If auth is successful (2FA or not) then CVE-2021-42321 could be exploitable," says Microsoft program manager Nino Bilic. "But indeed, 2FA can make authentication be harder to go through so in that respect, it can 'help'. But let's say if there is an account with 2FA that has been compromised — well, in that case it would make no difference," Bilic adds.

    To detect exploitation attempts, Microsoft recommends running the following PowerShell query on the Exchange server, which looks for MSExchange Common errors in the Application event log that mention BinaryFormatter.Deserialize:

    Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }


    A stalker's wishlist: PhoneSpy malware destroys Android privacy

    A new spying campaign involving PhoneSpy malware has infected thousands of victim devices to date. 

    On Wednesday, Zimperium zLabs published a new report on PhoneSpy, spyware developed to infiltrate handsets running Google's Android OS. To date, 23 malicious apps harboring the spyware have been found, but none of the samples were discovered in the official Google Play Store, suggesting that PhoneSpy is being distributed via third-party platforms.

    The latest PhoneSpy campaign appears to be focused on South Korea, with the malware bundled into seemingly benign mobile apps including messaging, yoga instruction, photo collection and browsing utilities, and TV/video streaming software. zLabs suspects that the initial infection vector is a common one: phishing links posted to websites or social media channels. Once a victim installs and launches the app's APK file, PhoneSpy is deployed. PhoneSpy targets Korean speakers and throws up a phishing page pretending to be from a popular service, such as the Kakao Talk messaging app, in order to request permissions and steal credentials.

    When you think of spyware right now, it may be that Pegasus comes to mind: a silent, pernicious form of malware that has been used to spy on high-profile lawyers, activists, government figures, and journalists. While PhoneSpy appears to be more run-of-the-mill, its capabilities cannot be dismissed either. The malware is described as an "advanced" Remote Access Trojan (RAT) capable of quietly conducting surveillance on a victim and sending data to a command-and-control (C2) server.

    PhoneSpy's functionality includes monitoring a victim's location via GPS; recording audio, images, and video in real time by hijacking the microphone and both front and rear cameras; intercepting and stealing SMS messages; call forwarding; theft of call logs and contact lists; sending messages on behalf of the malware's operator; and exfiltrating device information. In addition, PhoneSpy has been built with obfuscation and concealment features and hides its icon to stay undetected, a common tactic employed by spyware and stalkerware. The malware may also attempt to uninstall user apps, including mobile security software.

    zLabs believes that the campaign has been used to gather "significant amounts of personal and corporate information [from] victims, including private communications and photos." The campaign is still ongoing. US and Korean authorities have been informed.

    "The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss," the researchers say. "Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links."



    Cybersecurity: This prolific hacker-for-hire operation has targeted thousands of victims around the world

    A hacker-for-hire operation offered by cyber mercenaries has targeted thousands of individuals and organisations around the world, in a prolific campaign of financially driven attacks that have been ongoing since 2015.

    ZDNet Recommends

    Human rights activists, journalists, politicians, telecommunications engineers and medical doctors are among those who have been targeted by the group, which has been detailed by cybersecurity researchers at Trend Micro. They've dubbed it Void Balaur, after a multi-headed creature from Slavic folklore. The cyber-mercenary group has been advertising its services on Russian-language forums since 2018. The key services offered are breaking into email and social media accounts, as well as stealing and selling sensitive personal and financial information. The attacks will also occasionally drop information-stealing malware onto devices used by victims.

    It doesn't appear to matter who the targets are, as long as those behind the attacks get paid by their contractors. Only a handful of campaigns are run at any one time, but those that are being run command the full attention of Void Balaur for the duration. "There will just be a dozen targets a day, usually less. But those targets are high-profile targets — we found government ministers, members of parliaments, a lot of people from the media and a lot of medical doctors," Feike Hacquebord, senior threat researcher for Trend Micro, told ZDNet, speaking ahead of the research being presented at Black Hat Europe. Some of those targeted include the former head of intelligence and five active members of the government in an unspecified European country.

    The individuals and organisations being targeted are spread around the world, spanning North America, Europe, Russia, India and more. Many of the attacks appear to be politically motivated, carried out against people in countries where, if exposed, the victim could have their human rights violated by governments.

    Like other malicious hacking campaigns, the entry point of many Void Balaur campaigns is phishing emails tailored to the chosen victim. However, the group also claims to offer access to some email accounts without any user interaction at all, at a premium rate compared with its other attacks. The service relates to several Russian email providers, and the research paper notes: "We have no reason to believe that it is not a real business offering."

    Some of the campaigns go on for extended periods. For example, one targeting an unspecified large conglomerate in Russia was active from at least September 2020 to August 2021 and didn't just target the owner of the businesses but also their family members and senior staff at all the companies under the same corporate umbrella. "There's a set of companies owned by one person and his family members were targeted, the CEOs of the companies were being targeted and that all happens over more than one year," said Hacquebord.

    The hackers-for-hire target a wide range of victims in many industries at the behest of whoever is hiring their illicit services, but the common theme is that the targets almost all have access to large amounts of sensitive data. For example, one campaign targeted at least 60 IVF doctors. Healthcare involves a lot of sensitive information, but also a lot of money, so the end goal of this particular Void Balaur contract could have been personal data, financial data, or both. Another campaign targeted senior engineers working for mobile phone companies, predominantly in Russia, though there were also targets in the West; such individuals would be useful to compromise in cyber-espionage campaigns. "If you're able to compromise these engineers, you might be able to get a foothold in the company. You see the same for banks and fintech — key people are being targeted. These people have a lot of access to information, it matches the offerings of Void Balaur," said Hacquebord.

    Researchers haven't attributed Void Balaur to any one country or region, but note that the attackers work long hours, starting around 6am GMT and continuing until 7pm GMT. Those working for the group seem to be active seven days a week and rarely take holidays, potentially indicating the vast demand for their services. "Cyber mercenaries is an unfortunate consequence of today's vast cybercrime economy," said Hacquebord. "Given the insatiable demand for their services and harbouring of some actors by nation-states, they're unlikely to go away anytime soon. The best form of defence is to raise industry awareness of the threat in reports like this one and encourage best practice cybersecurity to help thwart their efforts," he added.

    To protect against hacking campaigns by cyber mercenaries and other cybercriminals, researchers at Trend Micro recommend using multi-factor authentication on email and social media accounts, preferably with an authenticator app or a physical security key rather than one-time SMS passcodes, which attackers can intercept or phish. They also recommend using email services from a reputable provider with high privacy standards and encrypting as many communications as possible.


    Average ransomware payment for US victims more than $6 million, survey says

    A new report from Mimecast has found that the US leads the way in the size of payouts following ransomware incidents. In the “State of Ransomware Readiness” study from Mimecast, researchers spoke with 742 cybersecurity professionals and found that 80% of them had been targeted with ransomware over the last two years. 


    Of that 80%, 39% paid a ransom, with US victims paying an average of $6,312,190. Victims in Canada paid an average of $5,347,508, while those in the UK paid nearly $850,000. Victims in South Africa, Australia, and Germany all paid less than $250,000 on average. More than 40% of respondents did not pay any ransom, and another 13% were able to negotiate the initial ransom figure down.

    Of the 742 experts who spoke to Mimecast, more than half said the primary source of ransomware attacks was phishing emails carrying ransomware attachments, and another 47% pointed to "web security." Phishing emails that led to drive-by downloads were also a highly cited source of infections. Less than half of respondents said they have file backups they could use in the event of a ransomware attack, and almost 50% said they needed bigger budgets to update their data security systems.

    Despite the lack of backups, 83% of those surveyed said they could "get all their data back without paying the ransom." Another 77% of executives said they believed they could get their company back to normal within two days of a ransomware incident. This puzzled Mimecast's researchers, considering that nearly 40% of respondents admitted to paying ransoms. A number of respondents called for more training and more information-sharing about threats.

    "Ransomware attacks have never been more common, and threat actors are improving each day in terms of their sophistication and ease of deployment," said Jonathan Miles, head of strategic intelligence & security research at Mimecast. "Preparation is key in combating these attacks. It's great to see cybersecurity leaders feel prepared, but they must continue to be proactive and work to improve processes. This report clearly shows ransomware attacks pay, which gives cybercriminals no incentive to slow down."

    Ransomware incident costs stretch far beyond the ransom itself: 42% of survey respondents reported a disruption in their operations, and 36% said they faced significant downtime. Almost 30% said they lost revenue, and 21% said they lost customers. Another cost? Almost 40% of the cybersecurity professionals surveyed said they believed they would lose their jobs if a ransomware attack was successful. Two-thirds of respondents said they would "feel very or extremely responsible if a successful attack occurred." When asked why, almost half said it would be because they "underestimated the risk of a ransomware attack."


    Rust-proofing the internet with ISRG's Prossimo

    You know the non-profit Internet Security Research Group (ISRG) for its Let’s Encrypt certificate authority, the most popular way of securing websites with TLS certificates. The group wants to do more. Its newest project, Prossimo, seeks to make many basic internet programs and protocols memory-safe by rewriting them in Rust.

    Rust, like other memory-safe programming languages such as Go and Java, prevents programmers from introducing whole classes of memory bugs. All too often memory safety bugs go hand-in-hand with security issues. Unfortunately, much of the internet's fundamental software is written in C, which is anything but memory safe. You can write memory-safe programs in C or C++, but it's difficult. Conversely, you can create memory bugs in Rust if you try hard enough, but generally speaking Rust and Go are much safer than C and C++.

    There are many kinds of memory safety bugs. One common type is out-of-bounds reads and writes. Suppose you wrote C code to track a to-do list with 10 items and added no bounds checks: a user could ask to read or write an 11th item. Instead of an error, the program would read or write whatever happens to sit next to the list in its own memory. In a memory-safe language the same request is rejected, either by a compile error or by a run-time error that stops the program. A crash is bad news too, but it's better than giving an attacker a free pass into memory the program never meant to expose.

    Using the same example, what happens if you delete the to-do list and then ask for its first item? A badly written program in a non-memory-safe language will fetch from the old memory location, which may by now hold something else entirely; that is a use-after-free. This trick is used all the time to steal data and wreak havoc in poorly secured programs. Again, with Rust or Go you must go far out of your way to introduce such a blunder.

    As ISRG's executive director, Josh Aas, explained in a speech at the Linux Foundation Membership Summit: "We've only started talking about security seriously recently. The problem is mainly C and C++ code. That's where these vulnerabilities are coming from. New memory safety vulnerabilities come up in widely used software every day. I think it's fair to say that this is out of control. 90% of vulnerabilities in Android, 70% from Microsoft and 80% of zero-day vulnerabilities come from memory bugs in old languages. There are real costs to this stuff; every day people get hurt."
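    The to-do list scenario above, as an added C example that is not code from ISRG or the Prossimo project: a fixed-capacity list with an unchecked accessor that shows the out-of-bounds pattern, beside a checked API that rejects an 11th item and nulls the caller's handle on free so that a would-be use-after-free becomes a clean failure. All names (todo_list, todo_get_checked, todo_free and so on) and the capacity of 10 are this example's own assumptions; the unchecked accessor is included only for contrast and is never called with an out-of-range index.

```c
/* Added example, not ISRG/Prossimo code: a fixed-size to-do list in C showing
 * the two bug classes the text describes (out-of-bounds access, use-after-free)
 * next to a checked API that refuses both. Names and sizes are assumptions. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TODO_CAPACITY 10
#define TODO_TEXT_LEN 32

typedef struct {
    size_t count;                              /* items in use, <= TODO_CAPACITY */
    char items[TODO_CAPACITY][TODO_TEXT_LEN];  /* fixed-size storage            */
} todo_list;

/* The unsafe pattern: C never compares `index` with the array bounds, so asking
 * for the 11th item reads whatever sits after `items` in memory. Kept only for
 * contrast; never call it with an unchecked index. */
const char *todo_get_unchecked(const todo_list *list, size_t index) {
    return list->items[index];
}

/* Checked accessor: returns NULL instead of reading past the end, which is the
 * run-time error a memory-safe language raises for the same request. */
const char *todo_get_checked(const todo_list *list, size_t index) {
    if (list == NULL || index >= list->count) {
        return NULL;
    }
    return list->items[index];
}

/* Append a bounded copy of `text`; refuses to exceed capacity or slot length. */
int todo_add(todo_list *list, const char *text) {
    if (list == NULL || list->count >= TODO_CAPACITY) {
        return -1;                            /* list full: no silent overflow */
    }
    size_t len = strnlen(text, TODO_TEXT_LEN);
    if (len >= TODO_TEXT_LEN) {
        return -1;                            /* text too long for the slot */
    }
    memcpy(list->items[list->count], text, len + 1);
    list->count++;
    return 0;
}

todo_list *todo_new(void) {
    return calloc(1, sizeof(todo_list));
}

/* Free through a pointer-to-pointer and null the caller's handle, so a later
 * todo_get_checked(*list, 0) fails cleanly instead of touching freed memory. */
void todo_free(todo_list **list) {
    if (list == NULL || *list == NULL) {
        return;
    }
    free(*list);
    *list = NULL;
}

/* Fills a list to capacity and exercises the checks. Returns how many of the
 * four checks behaved as expected (4 when all hold). */
int todo_demo(void) {
    int ok = 0;
    todo_list *list = todo_new();
    char buf[TODO_TEXT_LEN];
    for (int i = 0; i < TODO_CAPACITY; i++) {
        snprintf(buf, sizeof buf, "item %d", i + 1);
        todo_add(list, buf);
    }
    ok += todo_add(list, "item 11") == -1;                   /* capacity enforced  */
    ok += strcmp(todo_get_checked(list, 9), "item 10") == 0; /* last valid item    */
    ok += todo_get_checked(list, TODO_CAPACITY) == NULL;     /* 11th item rejected */
    todo_free(&list);
    ok += todo_get_checked(list, 0) == NULL;                 /* freed handle rejected */
    return ok;
}

int main(void) {
    printf("%d of 4 checks held\n", todo_demo());
    return 0;
}
```

    The checked functions do by hand what Rust's bounds checks and ownership rules do automatically. The point of the contrast is that in C the discipline has to be remembered at every call site, and one forgotten check is enough, whereas a memory-safe compiler enforces it everywhere.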

    Why are they doing this now? Because, Aas explained, "We didn't have great system languages to replace C. Now, we have that option." So it is that under the Prossimo umbrella, ISRG is sponsoring developers to create memory-safe versions of internet programs. So far this includes Rustls, a memory-safe TLS library offered as a safer alternative to OpenSSL; Hyper, a memory-safe HTTP library; mod_tls, a memory-safe TLS module for the Apache web server; and memory-safe HTTP and TLS back ends for the curl data transfer utility. Next up, Prossimo wants to give the Network Time Protocol (NTP) the memory-safe treatment. For now, though, the NTP project lacks funding. Of course, replacing critical C-based programs throughout the internet is a gigantic and complex task. But it's a job that must be done as we grow ever more dependent on the internet for our personal lives, business work, and indeed the entire global economy.


    Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit

    Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. 

    Products impacted by November's security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office (as well as associated products such as Excel, Word, and SharePoint), Visual Studio, Exchange Server, the Windows Kernel, and Windows Defender.

    Some of the most interesting vulnerabilities resolved in this update, all rated important, are:

    CVE-2021-42321 (CVSS 3.1 base 8.8, temporal 7.7): under active exploit, this Microsoft Exchange Server vulnerability stems from improper validation of cmdlet arguments and can lead to RCE. However, attackers must be authenticated.

    CVE-2021-42292 (CVSS 3.1 base 7.8, temporal 7.0): also detected as exploited in the wild, this Microsoft Excel vulnerability can be used to bypass security controls. Microsoft says the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.

    CVE-2021-43209 (CVSS 3.1 base 7.8, temporal 6.8): a publicly disclosed 3D Viewer vulnerability that can be exploited locally to trigger RCE.

    CVE-2021-43208 (CVSS 3.1 base 7.8, temporal 6.8): another publicly known 3D Viewer flaw that a local attacker can weaponize for code execution.

    CVE-2021-38631 (CVSS 3.0 base 4.4, temporal 3.9): also made public, this flaw in the Windows Remote Desktop Protocol (RDP) can be used for information disclosure.

    CVE-2021-41371 (CVSS 3.1 base 4.4, temporal 3.9): finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.

    According to the Zero Day Initiative (ZDI), this is historically a relatively low number of vulnerabilities for November. "Last year, there were more than double this number of CVEs fixed," the organization says. "Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors."

    Last month, Microsoft resolved 71 bugs in the October batch of security fixes. Of particular note were patches for four zero-day flaws, one of which was being actively exploited in the wild while the other three had been made public. A month prior, the tech giant tackled over 60 vulnerabilities during the September Patch Tuesday, among them a fix for an RCE in MSHTML.

    In recent Microsoft news, Visual Studio 2022 and .NET 6 were made generally available on November 8. Visual Studio 2022 includes a refresh of some features as well as debugging improvements for developers. .NET 6 includes performance enhancements and is the first version to support both Windows Arm64 and Apple Silicon Arm64. Alongside Microsoft's Patch Tuesday round, other vendors have also published security updates.


    Singapore embraces Zero Trust: A prediction comes true

    One of my favorite parts of our annual predictions process is reviewing the accuracy of Forrester’s predictions from the previous year. This is not simply navel gazing. Looking backward actually makes us far better predictors, keeps us firmly grounded in the reality of our customers, and ensures that our predictions remain firmly embedded in reality. Some teams within Forrester even have a rating system, ranging from “completely missed the mark” to “nailed it.” I won’t lie that it is an absolute thrill when a prediction I’ve contributed to comes true, especially when it has the potential to positively impact our clients, the industry, or even society as a whole. Twelve months ago, we predicted that at least one Asia Pacific (APAC) government would embrace a Zero Trust (ZT) framework in the coming year. In keeping with our rating system, I’m happy to say we nailed it! Since 2009, when ZT was coined by Forrester, large technology companies have adopted it as their security model, and now the US federal government is following suit. In Europe, ZT went from concept to reality for many firms during 2020 and then accelerated in 2021 as COVID-19 hastened the death of traditional security models across the region. Unfortunately, APAC has been a very different story. ZT adoption has been slow; according to the Forrester Analytics Business Technographics® Security Survey, 2021, only 13% of security leaders in APAC cite Zero Trust as a top strategic information/IT security priority. While ZT is slowly gaining momentum in the Asia Pacific region, it faces many adoption challenges: concerns over the nomenclature, paucity of ZT pioneers, under-resourced security teams. With all these challenges in play, predicting that an APAC government would embrace a ZT framework in 2021 was a bold call, indeed. Why’d we make it? 
    We fully expected ZT momentum to accelerate for a number of reasons: 1) the shift to remote work requires a new approach to security; 2) the evolving regulatory landscape across APAC has increased focus on data protection; 3) Forrester Analytics survey data shows that APAC consumers and citizens are prioritizing security and privacy in their purchasing decisions; and 4) the release of the US National Institute of Standards and Technology's publication on ZT architecture further validated the approach. I've led multiple APAC CISO roundtables on the topic of Zero Trust over the past 12 months. While participants were supportive of the prediction in principle, they were also skeptical; there were no indications in the media or elsewhere to support such a big call. And then in October, exactly one year after we made the prediction, Singapore Senior Minister and Coordinating Minister for National Security Teo Chee Hean announced Singapore's new cybersecurity strategy. The strategy was supported by Prime Minister Lee Hsien Loong, who acknowledged in the strategy foreword: "Five years ago, we launched the first Singapore Cybersecurity Strategy. The world is now a different place," noting the need for a new way of thinking about security. The new Singaporean cybersecurity strategy clearly defines ZT as "[a] security framework requiring all end users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data." The strategy endorses a mindset shift from perimeter defense toward a ZT cybersecurity model, encourages critical infrastructure owners to adopt a ZT cybersecurity posture for critical systems, and states that the government is implementing the Government Trust-based Architecture, which translates ZT principles to the government context.
Looking to the future, we will continue to make important predictions about the state of Zero Trust adoption, particularly in governments. In fact, in our 2022 public sector predictions, we make the call that five governments will adopt Zero Trust to revive public trust in digital services, following the lead of the US and Singapore.  

    For more regional insight beyond ZT, check out Forrester's 2022 Asia Pacific predictions, where trust and values take center stage. We look forward to assessing how we fared this time next year. This post was written by Forrester Principal Analyst Jinan Budge and originally appeared on Forrester's site.


    These cybersecurity vulnerabilities could leave millions of connected medical devices open to attack

    Critical vulnerabilities in millions of connected devices used in hospital networks could allow attackers to disrupt medical equipment and patient monitors, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems.


    The vulnerable TCP/IP stacks, the communications protocol implementations commonly used in connected devices, are also deployed in other industries, including the industrial sector and the automotive industry. The 13 newly disclosed vulnerabilities in the Nucleus NET TCP/IP stack have been detailed by cybersecurity researchers at Forescout and Medigate. Dubbed Nucleus:13, the findings represent the final part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks used in connected devices and how to mitigate them.

    The vulnerabilities could be present in millions of devices built around the Nucleus TCP/IP stack and could allow attackers to achieve remote code execution, mount denial-of-service attacks and even leak data, although researchers can't say for certain whether they have been actively exploited by cyber criminals. Now owned by Siemens, the Nucleus TCP/IP stack was originally released in 1993 and is still widely used in safety-critical devices, particularly in hospitals and the healthcare industry, where it is found in anaesthesia machines, patient monitors and other devices, as well as in building automation systems controlling lighting and ventilation.

    Of the three critical vulnerabilities identified by researchers, CVE-2021-31886 poses the greatest threat, with a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. It's a flaw in the stack's File Transfer Protocol (FTP) server, which doesn't properly validate the length of the USER command, leading to a stack-based buffer overflow that can be abused for denial of service and remote code execution.

    The remaining two critical vulnerabilities both have a CVSS score of 9.9. CVE-2021-31887 arises because the FTP server doesn't properly validate the length of the PWD or XPWD commands, while CVE-2021-31888 occurs when the FTP server doesn't properly validate the length of the MKD or XMKD commands. Both can result in stack-based buffer overflows that allow attackers to mount denial-of-service attacks or execute code remotely. Because the stacks are so common, they are easy to identify and target. It's also possible to find some of the affected devices on the IoT search engine Shodan, and if they are exposed to the internet, remote attacks become possible. This is why researchers decided to examine them specifically.

    "We found some promotional material for the stack that mentions using this for medical applications," Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet. "Then when you look at some of the data promoting medical devices, they mention the use of the stack directly."

    Attackers would need to jump through a number of steps, detailed extensively in the paper, to fully exploit the vulnerabilities. But as long as the flaws exist, that potential is there, along with the potential for disruption. In hospitals, not only could this affect machines used for patient care; building systems such as alarms, lighting and ventilation could be affected too. Organisations are advised to apply the security patches released by Siemens to mitigate the threat. "All vulnerabilities that are being disclosed on Nov 9th have been fixed in the corresponding latest fix releases of active Nucleus version lines," a Siemens spokesperson told ZDNet. Researchers also suggest that networks should be segmented to limit the exposure of any devices or software that could contain vulnerabilities but can't be patched.

    "Make sure that you know your network, so even if devices are not patched and you know that probabilities exist, you can still live with a network configuration that lets you sleep at night," said dos Santos.

    "The main thing is network segmentation and being able to know and to make sure that devices that are potentially vulnerable and maybe can't be patched are contained, and can only talk to other devices they're allowed to."

    Nucleus:13 represents the final part of Forescout's Project Memoria, which has worked to uncover and, when possible, help to patch security vulnerabilities in devices that are in some cases decades old, designed long before the rise of the Internet of Things was even predicted. "Many of these pieces of software are 20, 30 or even more years old. Unfortunately, that means that they were designed in a different age for different requirements and they're just not up to date with security nowadays," said dos Santos. "Many of these vulnerabilities are kind of predictable in the sense that they're repeated over and over again over different pieces of software," he added. The aim of the year-long project has been to showcase the vulnerabilities in older devices and to push for connected devices to be built with IoT security in mind, and to prevent the same old vulnerabilities causing problems moving forward, particularly as the use of IoT devices continues to grow. "The expanded adoption of these types of technology by every type of organization, and their deep integration into critical business operations, will only increase their value for attackers over the long term," warns the report.
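    The command-length checks whose absence produced CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888, as an added C example that is not Nucleus NET code and does not reproduce its internals: a minimal FTP command-line parser with the unbounded-copy pattern shown beside a length-checked parser that refuses overlong USER, PWD/XPWD and MKD/XMKD lines with an FTP error reply rather than a corrupted stack. Buffer sizes, reply codes and function names are this example's own assumptions; the unchecked variant is included only for contrast and is never fed an overlong line here.

```c
/* Added example: a minimal FTP command-line parser in C, not Nucleus NET code.
 * It shows the unbounded-copy pattern behind CVE-2021-31886/-31887/-31888 beside
 * a length-checked parser. Buffer sizes, reply codes and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define FTP_VERB_MAX 4      /* FTP verbs are at most four letters (RFC 959)  */
#define FTP_ARG_MAX  64     /* hypothetical size of the server's arg buffer */

/* Unsafe pattern: the argument is copied into a fixed stack buffer with no
 * length check, so a USER name longer than the buffer overwrites whatever
 * follows it on the stack. Kept only for contrast; never call it with
 * untrusted input. */
int ftp_user_unchecked(const char *line) {
    char user[FTP_ARG_MAX];
    if (strncmp(line, "USER ", 5) != 0) return 500;
    strcpy(user, line + 5);                           /* unbounded: the overflow */
    user[strcspn(user, "\r\n")] = '\0';
    return user[0] ? 331 : 501;
}

typedef struct {
    char verb[FTP_VERB_MAX + 1];
    char arg[FTP_ARG_MAX];
} ftp_command;

/* Checked parser: splits "VERB arg\r\n" into fixed buffers and answers with an
 * FTP error code instead of writing past either buffer. Returns 0 on success,
 * 500 for a malformed verb and 501 for an argument that does not fit. */
int ftp_parse(const char *line, size_t line_len, ftp_command *out) {
    while (line_len > 0 && (line[line_len - 1] == '\r' || line[line_len - 1] == '\n'))
        line_len--;                                   /* strip trailing CRLF */
    size_t verb_len = 0;
    while (verb_len < line_len && line[verb_len] != ' ')
        verb_len++;
    if (verb_len == 0 || verb_len > FTP_VERB_MAX)
        return 500;                                   /* verb would not fit */
    memcpy(out->verb, line, verb_len);
    out->verb[verb_len] = '\0';
    size_t arg_start = verb_len;
    if (arg_start < line_len && line[arg_start] == ' ')
        arg_start++;
    size_t arg_len = line_len - arg_start;
    if (arg_len >= FTP_ARG_MAX)
        return 501;                                   /* the missing check */
    memcpy(out->arg, line + arg_start, arg_len);
    out->arg[arg_len] = '\0';
    return 0;
}

/* Dispatches the commands named in the advisories. USER, MKD and XMKD require
 * an argument; PWD and XPWD take none. Every path goes through ftp_parse, so
 * an overlong line is rejected before any command-specific code runs. */
int ftp_handle(const char *line, size_t line_len) {
    ftp_command cmd;
    int rc = ftp_parse(line, line_len, &cmd);
    if (rc != 0) return rc;
    if (strcmp(cmd.verb, "USER") == 0)
        return cmd.arg[0] ? 331 : 501;
    if (strcmp(cmd.verb, "MKD") == 0 || strcmp(cmd.verb, "XMKD") == 0)
        return cmd.arg[0] ? 257 : 501;
    if (strcmp(cmd.verb, "PWD") == 0 || strcmp(cmd.verb, "XPWD") == 0)
        return cmd.arg[0] ? 501 : 257;
    return 502;                                       /* command not implemented */
}

/* Builds a constructed "USER AAAA...\r\n" line with name_len A's (capped at
 * 500) and feeds it to the checked handler, to exercise the overlong case. */
int ftp_demo_long_user(size_t name_len) {
    char line[512];
    if (name_len > 500) name_len = 500;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', name_len);
    memcpy(line + 5 + name_len, "\r\n", 2);
    return ftp_handle(line, 5 + name_len + 2);
}

int main(void) {
    printf("USER alice    -> %d\n", ftp_handle("USER alice\r\n", 12));
    printf("PWD           -> %d\n", ftp_handle("PWD\r\n", 5));
    printf("200-byte USER -> %d\n", ftp_demo_long_user(200));
    return 0;
}
```

    The fix is one comparison against the destination size before the copy, which is exactly what the advisories say was missing. Note that the length is checked on the whole argument before anything is written, and that the check lives in the shared parser rather than in each command handler, so a command added later cannot forget it.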