40% of IT security pros say they've been told not to report a data leak
Plus: KFC, Pizza Hut owner spills more beans on ransomware hit... latest critical flaws... and more
In Brief More than 40 percent of surveyed IT security professionals say they've been told to keep network breaches under wraps despite laws and common decency requiring disclosure.
That's according to Bitdefender's 2023 Cybersecurity Assessment report, which was published this month. According to responses from large companies in the US, EU, and Britain, half of organizations have experienced a data leak in the past year with America faring the worst: three quarters of respondents from that side of the pond said they experienced an intrusion of some kind.
To further complicate matters, 40 percent of IT infosec folk polled said they were told to not report security incidents, and that climbs to 70.7 percent in the US, far higher than any other country. When told to keep mum about breaches, 30 percent of the total global respondents said they followed through and obeyed those orders when they knew it should have been reported. In the US, that number climbs to 54.7 percent of the total.
Globally, 54.3 percent of respondents said they were worried their organization was at risk of legal action due to incorrect handling of a security breach. Unsurprisingly, that number also spikes among US respondents, 78.7 percent of whom said they were worried their companies were open to legal action due to a bad breach response.
Despite those worrying statistics, a whopping 94 percent said they're still confident in their organization's ability to respond to cybersecurity threats. Is this a massive blind spot, negligence - or what? According to Bitdefender, it's simply par for the course for a cybersecurity industry stretched to breaking point.
"The findings in this report depict organizations under tremendous pressure to contend with evolving threats such as ransomware, zero-day vulnerabilities and espionage, while struggling with complexities of extending security coverage across environments and an ongoing skills shortage," said Andrei Florescu, deputy GM and SVP of product at Bitdefender Business Solutions Group.
We note that the survey involved 400 IT pros, so bear that relatively small sample size in mind.
Latest critical vulnerabilities
It was all quiet on the critical vulnerability front for most of this past week, though the US government's CISA body changed all that with a pair of alerts, then a bunch of serious ICS issues showed up, and the pre-Easter week finished with a trio of Veritas backup bugs that are being exploited in the wild.
First, the new industrial control system threats:
- CVSS 9.9 out of 10 in severity - multiple CVEs: A series of vulnerabilities in Hitachi Energy MicroSCADA SDM600 software could allow a remote attacker to take control of affected products.
- CVSS 9.9 - multiple CVEs: mySCADA myPRO software contains vulnerabilities that could allow an authenticated user to inject arbitrary commands.
- CVSS 9.8 - CVE-2020-6967: Rockwell Automation says all versions of its FactoryTalk Diagnostics software contain a deserialization bug that could let an attacker execute arbitrary commands.
- CVSS 9.1 - CVE-2022-25359: Several versions of ScadaFlex II SCADA Controllers contain a software vulnerability that could allow an unauthenticated remote attacker to overwrite, delete or create files.
- CVSS 8.8 - multiple CVEs: Several models of Korenix Jetwave industrial switches contain command injection vulnerabilities that could give a remote attacker control of the switches' operating systems and cause a denial of service.
And those Veritas vulnerabilities being exploited in the wild:
- CVSS 9.8 - CVE-2021-27877: SHA-based authentication is no longer used in Veritas Backup Exec software, but hasn't been disabled, and an attacker could remotely exploit it to gain access to an agent and execute privileged commands.
- CVSS 8.8 - CVE-2021-27878: While TLS is the preferred authentication method in Veritas Backup Exec, SHA can be leveraged by an attacker to self-authenticate with elevated privileges and command execution capabilities.
- CVSS 8.1 - CVE-2021-27876: SHA authentication in Veritas Backup Agent has a similar issue to Exec, and it's being exploited, too.
Sneaky Rorschach ransomware appears
A ransomware strain first identified early this year has reared its head in the US, says Check Point.
Dubbed "Rorschach" because "each person who examined [it] saw something a little bit different," said Check Point, this particular strain of ransomware is a nasty one not only for how well it disguises its presence, but also for how it gains a foothold: it uses DLL side-loading, abusing a legitimate, signed Palo Alto Networks program, the Cortex XDR Dump Service Tool, to load its malicious code.
According to Check Point, Rorschach shares a number of similarities with the Babuk and LockBit ransomware strains, but still appears to be novel, "sharing no overlaps that could easily attribute it to any known ransomware strain."
Rorschach is partly autonomous, highly customizable, and is one of the fastest-encrypting ransomware samples Check Point says it's ever seen. Prior to its arrival on US shores, Rorschach was also tracked as BabLock in Europe, where Group-IB said it managed to stay under the radar by not operating a dedicated website publicizing its leaks and by asking for relatively small ransoms.
Palo Alto Networks said it's readying a version of Cortex XDR Dump Service Tool that won't be vulnerable to the malware's exploitation.
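The side-loading trick above leaves a recognisable shape in endpoint telemetry: a legitimately signed executable, running from somewhere it was never installed, resolves a DLL from its own directory and that DLL carries no valid signature. The following is an added example of a check for that shape, not code from Check Point, Palo Alto Networks or the ransomware write-up. It assumes Sysmon-style image-load records (event ID 7 carries Image, ImageLoaded and SignatureStatus fields); the records, paths and file names it runs over are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows normally loads its own DLLs; a load from here is expected.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str              # the process executable (Sysmon "Image")
    image_loaded: str       # the DLL it loaded (Sysmon "ImageLoaded")
    signature_status: str   # Sysmon "SignatureStatus": "Valid" or anything else


def _parent_dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path, for case-insensitive comparison."""
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(rec: ImageLoad) -> bool:
    exe_dir = _parent_dir(rec.image)
    dll_dir = _parent_dir(rec.image_loaded)
    unsigned = rec.signature_status.lower() != "valid"
    # Side-loading shape: the executable resolved a DLL from its own directory rather
    # than a system directory, and that DLL has no valid signature. A vendor's own
    # signed helper DLL next to its executable does not match, nor does a system DLL
    # loaded from System32.
    return dll_dir == exe_dir and dll_dir not in SYSTEM_DIRS and unsigned


def find_candidates(records):
    """Return the ImageLoaded paths of records matching the side-loading shape."""
    return [r.image_loaded for r in records if is_sideload_candidate(r)]


# Constructed sample records (hypothetical vendor tool and paths, not real telemetry).
SAMPLE_RECORDS = [
    # normal: tool loads a system DLL from System32
    ImageLoad(r"C:\Program Files\VendorTool\vendortool.exe",
              r"C:\Windows\System32\kernel32.dll", "Valid"),
    # normal: tool loads its own signed helper from its install directory
    ImageLoad(r"C:\Program Files\VendorTool\vendortool.exe",
              r"C:\Program Files\VendorTool\helper.dll", "Valid"),
    # suspicious: same signed tool copied to a staging directory, loading an unsigned
    # DLL of the expected name from beside itself
    ImageLoad(r"C:\Users\Public\staging\vendortool.exe",
              r"C:\Users\Public\staging\helper.dll", "Unavailable"),
]

if __name__ == "__main__":
    for path in find_candidates(SAMPLE_RECORDS):
        print("possible DLL side-load:", path)
```

The rule deliberately keys on the DLL's signature status rather than on any particular file name, so it is not tied to one vendor's tool; in practice it is tuned further by whitelisting known install directories and by correlating with where the executable normally lives on the fleet.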
Speaking of ransomware... Back in January, Yum! Brands, which oversees the KFC, Taco Bell, and Pizza Hut fast-food chains, was hit by a strain of data-bothering malware, causing about 300 restaurants in the UK to close for a day. The American corporation's IT systems were infected, and information exfiltrated by intruders.
Now the biz, which runs or franchises at least 55,000 eateries employing 36,000 people worldwide, has sent out security breach disclosure notices, alerting people that their personal information, including names, driver's license numbers, and other ID card details, was swiped in the attack.
According to Yum!, customer info was not affected; the above data belonged to staff.
And finally, Russians face outing and sex toy drama
Two interesting cases popped up over the weekend relating to Russia and Ukraine.
The volunteer Ukrainian group InformNapalm has published documents that a crew dubbed Cyber Resistance claimed were swiped from the compromised email account of Ukrainian-born GRU officer Lieutenant Colonel Sergey Alexandrovich Morgachev, who you may remember from the FBI's most wanted list. He's wanted on charges of interfering with the 2016 US elections, conspiracy to commit computer crimes, and money laundering.
There's some surprising data in this email leak. There are numerous references to Cobalt Strike-based attacks, not to mention a parsimonious salary. All the stolen emails have reportedly been shared with the FBI and other interested parties.
The group also ordered sex toys on Morgachev's credit card, the same tactic it reportedly used against pro-Russian war blogger Mikhail Luchin, who had been trying to raise funds for drones to be used in Putin's invasion of Ukraine.
"So instead of drones, Mikhail will now send to the invaders trucks of dildos, strap-ons and other things useful to every Russian that we ordered and paid for with his card on AliExpress," the Cyber Resistance crew bragged.
Luchin said he had failed to get a refund, and vowed to use the hack to his advantage.
"I will open a sex shop here, make 300 per cent profit and buy three times more drones," he argued. "It would be good to have a Kalibr missile." ®