Here comes mayhem: How The Com is rewriting the threat landscape
Posted: June 27, 2025 Filed under: cybersecurity, Uncategorized | Tags: AI, cyber security, cybersecurity, NCA, scattered spider, security, technology, The Com, threat landscape
When it comes to the cyber-threat landscape, Russian actors are usually portrayed as the bogeymen. But over the past few months and years, a more disturbing picture has started to emerge. A different breed of hacker has stepped out of the shadows – technically proficient, native-English speaking and with an almost nihilistic penchant for violence and human misery.
Sometimes described as “The Com” or “Scattered Spider”, these loosely associated grassroots groups defy easy categorisation. The question is, with the likes of M&S, MGM Resorts, and Santander among their growing list of victims, how big a threat do they pose to CISOs?
Uncovering The Com
UK CISOs may have first heard the moniker “The Com” or “Com networks” following the publication of the latest annual report from the National Crime Agency (NCA) in March. In it, the agency warns of “sadistic and violent online gangs” comprised mainly of teenage boys engaging in acts of extremism, sexual violence and sadistic child abuse. Reports of this emerging threat increased six-fold between 2022 and 2024, with the NCA claiming that girls as young as 11 had been coerced by members into “seriously harming or sexually abusing themselves, siblings or pets”.
What has this got to do with enterprise cybersecurity? Curiously, Com network members are also blamed for data breaches, fraud, and malware/ransomware attacks. On paper, The Com seems far removed from the highly professionalised world of Russian cybercrime. Yet some of its supposed members use techniques that traditional threat actors would applaud and have been tied to some of the most damaging breaches on record.
Where does it all begin? According to Unit 221B researcher, Allison Nixon, the Com’s members were largely financially motivated until the early 2020s, when sextortion and high-value fraud also became popular. The “bottom-up social phenomenon” now venerates depravity, harm and misogyny – with youngsters recruited because of their naïvety, hunger for attention and money, and reduced exposure to legal jeopardy. However, although the worst acts of these networks are truly awful, they represent only a small percentage of total members, says Nixon.
High-profile arrests seem to be dampening down their worst excesses, she says. But the threat to enterprises remains undiminished, as recent attacks on UK retailers have shown.
The Com/Scattered Spider crossover
A detailed Brian Krebs investigation into the young men behind many of these attacks shows the strong links between Scattered Spider and Com networks. They include:
- Connor Riley Moucka, a Canadian hacker blamed for the major breach of Snowflake accounts, who also goes by the monikers ‘Judische’ and ‘Waifu’. The latter corresponds to “one of the more accomplished SIM-swappers in The Com over the years”, according to Krebs
- The ‘@Holy’ screen name, associated with a Telegram user who gave media interviews about the MGM hack. The same account was apparently active on a number of cybercrime channels focused on extorting young people into harming themselves or others, and recording it on video
- Noah Michael Urban, a 19-year-old American indicted in January 2024 with a string of wire fraud and identity theft offences. His ‘King Bob’ and ‘Sosa’ monikers are linked to real-world violence-as-a-service offerings
- Four other young men who, along with Urban, were indicted in November 2024 by US authorities for a string of attacks involving the phishing of IT helpdesks, data theft and crypto-based extortion
- 22-year-old Tyler Buchanan, another member of the same group, who allegedly took part in a 2022 phishing campaign which resulted in the theft of 10,000 login credentials related to more than 130 companies
- Conor Brian Fitzpatrick (aka Pompompurin), who pleaded guilty to operating the BreachForums criminal marketplace, and possessing child pornography back in 2023
A different way of doing things
According to a recent ReliaQuest report, Scattered Spider relies heavily on social engineering to achieve initial access, often using the off-the-shelf Evilginx tool to bypass multi-factor authentication (MFA). A recent analysis of over 600 publicly shared IOCs by the threat intelligence firm reveals that its phishing domains primarily target services such as single sign-on (SSO), identity providers (IdP), VPNs, and IT support systems.
The end goal is to harvest credentials from high-value users, including system administrators, CFOs, COOs, and CISOs. When Scattered Spider actors fail with initial phishing attempts, they double down, using vishing techniques to impersonate C-level executives. Typically, they make panicked helpdesk calls requesting password resets or enrollment of new MFA devices, ReliaQuest claims.
The report also warns MSPs in particular to be on their guard, as actors are keen on ‘one-to-many’ attacks. In a recent example, they breached an MSP and exploited vulnerabilities in the SimpleHelp remote management software to deploy ransomware across client networks, it claims.
SOCRadar CISO, Ensar Seker, tells Assured Intelligence that this new breed of threat actor presents new challenges to network defenders accustomed to facing more traditional adversaries.
“Scattered Spider and the Com network actors represent a distinct kind of threat compared to traditional Russian-speaking cyber criminal groups. What sets them apart isn’t necessarily technical sophistication, but their boldness, deep social engineering playbooks, and insider-like operational tempo,” he explains. “These groups frequently exploit identity and access mismanagement, leveraging SIM swapping, MFA fatigue attacks, and even targeting IT help desks to gain privileged access. Their tactics resemble those of APTs but are often executed with the agility and audacity of hacktivist crews, making attribution and defence more complex.”
ReliaQuest director of threat research, Brandon Tirado, agrees, explaining that Scattered Spider actors often cause significant damage within just eight hours of initial access – for example, by rapidly escalating privileges and abusing identity systems like Okta and Azure AD.
“In addition to their speed and expertise in social engineering, their potency lies in their fluency in English, which helps avoid tipping off the targeted organisation’s helpdesk, and their ‘scattered’ nature – operating as a loosely organised network rather than a centralised group,” he tells Assured Intelligence.
“This decentralised structure makes them more unpredictable and adaptable.”
Lessons for CISOs
The threat actor profile may be unusual, but ultimately, they are still focused on the same thing as any cyber criminal: making money. That’s why several notable Com attacks have seen actors work as affiliates for ransomware groups like ALPHV/Black Cat (MGM) and – more recently – DragonForce (M&S).
“CISOs should focus on proactive monitoring of third-party accounts, bolstering helpdesk defences with identity verification protocols, and enforcing adaptive MFA policies,” advises Tirado. “Compared to Russian cyber criminals, who often rely on longer dwell times, combating Scattered Spider requires faster detection, automated response playbooks, and real-time threat hunting to neutralise their rapid operations.”
SOCRadar’s Seker agrees that CISOs need to “double down on identity security” with phishing-resistant MFA, privilege access management and regular access audits, alongside specialised employee training.
“Defending against these threat actors demands a mindset shift. While traditional ransomware groups often follow a predictable path – initial access broker, lateral movement, exfiltration, and encryption – groups like Scattered Spider bypass many of these stages by targeting identity and session hijacking. This means the usual EDR, network segmentation, and backup combo isn’t enough,” he adds.
“These homegrown actors are loud, fast, and opportunistic. What they lack in stealth, they compensate for in adaptability. That makes real-time visibility into authentication events and faster incident response cycles non-negotiable.”
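The "real-time visibility into authentication events" that Seker and Tirado call for can be made concrete with a small detector. The following Go program is an added example, not code from the article, ReliaQuest or SOCRadar; its log format, user names and event kinds are constructed and simplified, and are not the audit schema of Okta, Azure AD or any other identity provider. It looks for the sequence the article describes: a helpdesk-assisted password reset followed, within a short window, by enrolment of a new MFA factor and then either a session from an unknown device or a privilege grant.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one identity-provider audit record (simplified, constructed format).
type Event struct {
	At    time.Time
	User  string
	Kind  string
	Attrs map[string]string
}

// ConstructedLog is sample data, not captured from a real tenant: cfo shows the sequence
// the article describes; ops is a helpdesk reset whose follow-on events come hours later.
const ConstructedLog = `
2025-06-02T08:55:10Z user=cfo@example.test kind=password.reset actor=helpdesk channel=phone
2025-06-02T09:02:41Z user=cfo@example.test kind=mfa.enroll factor=push device=new
2025-06-02T09:05:03Z user=cfo@example.test kind=session.start device=new ip=203.0.113.7
2025-06-02T09:11:27Z user=cfo@example.test kind=role.grant role=global-admin
2025-06-03T14:00:00Z user=ops@example.test kind=password.reset actor=helpdesk channel=phone
2025-06-03T18:30:00Z user=ops@example.test kind=mfa.enroll factor=sms device=new
2025-06-03T18:35:00Z user=ops@example.test kind=session.start device=new ip=203.0.113.9
`

// ParseLog turns "<RFC3339 time> key=value ..." lines into Events.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, err
		}
		ev := Event{At: at, Attrs: map[string]string{}}
		for _, kv := range fields[1:] {
			if k, v, ok := strings.Cut(kv, "="); ok {
				ev.Attrs[k] = v
			}
		}
		ev.User, ev.Kind = ev.Attrs["user"], ev.Attrs["kind"]
		events = append(events, ev)
	}
	return events, nil
}

// DetectHelpdeskTakeover returns, per user, the kinds of risky follow-on events seen within
// window of a helpdesk-initiated password reset, when they include an MFA enrolment plus a
// new-device session or a privilege grant. Self-service resets are ignored.
func DetectHelpdeskTakeover(events []Event, window time.Duration) map[string][]string {
	byUser := map[string][]Event{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	alerts := map[string][]string{}
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i, reset := range evs {
			if reset.Kind != "password.reset" || reset.Attrs["actor"] != "helpdesk" {
				continue
			}
			var chain []string
			enrolled, escalated := false, false
			for _, ev := range evs[i+1:] {
				if ev.At.Sub(reset.At) > window {
					break
				}
				newDevice := ev.Kind == "session.start" && ev.Attrs["device"] == "new"
				if ev.Kind == "mfa.enroll" {
					enrolled = true
				} else if ev.Kind == "role.grant" || newDevice {
					escalated = true
				} else {
					continue
				}
				chain = append(chain, ev.Kind)
			}
			if enrolled && escalated {
				alerts[user] = chain
			}
		}
	}
	return alerts
}

func main() {
	events, err := ParseLog(ConstructedLog)
	if err != nil {
		panic(err)
	}
	for user, chain := range DetectHelpdeskTakeover(events, time.Hour) {
		fmt.Printf("ALERT %s: %s within 1h of a helpdesk reset\n", user, strings.Join(chain, " -> "))
	}
}
```

With a one-hour window only the cfo account fires; widening it to six hours also catches the ops account, whose follow-on events arrive hours later. The window is the tuning knob: the article's point that damage can be done within eight hours of initial access argues for keeping it short and for treating a helpdesk-initiated reset as a high-signal starting point rather than a routine ticket.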
Bridewell CTO, Martin Riley, adds that preparedness is vital. “If we compare recent attacks, one retailer has been far worse hit, because it wasn’t able to ‘pull the plug’ on non-essential services that prevented the spread of the attack,” he tells Assured Intelligence. “Do you know your organisation and technology enough to understand what is an operational and defendable cybersecurity position? What can you turn off, what impact will it have on the business, and what must you keep?”
Qodea CISO, Adam Casey, argues that security leaders must also go beyond the technical to drive cultural change through continuous awareness training and testing.
“Security is a shared responsibility and CISOs need to be reinforcing that vigilance is expected from everyone within the organisation. The M&S cyber attack demonstrated how conventional cybersecurity layers weren’t even a factor. They manipulated ‘outsourced’ IT staff through impersonation, then went straight for the jugular by targeting leadership,” he tells Assured Intelligence.
“CISOs are also going to need to put a focus on their outsourced operations. Recent attacks have shown that a third-party risk management programme is essential – and needs to be rock solid.”
Whatever freakish confluence of societal factors originally fomented The Com, it’s here now. This is the reality CISOs need to adapt to, and a new threat to consider in their risk planning.
This article first appeared on Assured Intelligence.
Content Credentials: A novel approach to tackling deepfakes
Posted: April 8, 2025 Filed under: cybersecurity, technology | Tags: AI, artificial intelligence, content credentials, deepfake, deepfakes, fraud, technology
Can you believe what you see online? Unfortunately for many people today, the answer is increasingly a resounding “no”. Deepfakes are bad news for many reasons. But for CISOs, they pose an outsized threat through their potential to amplify social engineering, business email compromise (BEC) and even social media scams.
There is certainly no silver bullet for a challenge that’s only set to grow as the technology behind deepfakes gets better and cheaper. But an initiative dubbed Content Credentials has already won many plaudits, including the NSA and the UK’s National Cyber Security Centre (NCSC). It could yet help society in general, and businesses in particular, to push back against a rising tide of online fakery.
Why we need it
Deepfakes have been circulating online for several years. These digitally altered or completely synthetic pieces of audio, video and image-based content were initially viewed with curiosity as fairly harmless, easy-to-spot fakes. But the technology has rapidly matured, supercharged by generative AI (GenAI), to the point where threat actors are now using it in everything from sextortion and online scams to child abuse material. The government is frantically looking for answers to what it describes as “a growing menace and an evolving threat”, citing figures that eight million fakes will be shared in 2025, up from 500,000 two years ago.
From a CISO perspective, there are several potential risks associated with malicious use of the technology, including:
Brand damage: Deepfake videos of CEOs and senior executives circulated online could be used to tarnish the corporate brand directly, in order perhaps to influence the stock price, or even to perpetuate investment scams and other fraud.
Direct financial loss: While the above scenario could also create significant financial risk, there are other more direct tactics threat actors can use to make money. One is by amplifying business email compromise (BEC) scams. Instead of sending an email to a finance team member, requesting a fund transfer, a cybercriminal could send manipulated audio or video impersonating a supplier or C-suite executive. The FBI has been warning about this for several years. BEC cost $2.9bn in 2023 alone, and the figure continues to rise.
Unauthorised access: Beyond BEC, deepfakes could also be deployed to amplify social engineering in an attempt to gain access to sensitive data and/or systems. One such technique spotted in the wild is the fake employee threat, which has already deceived one cybersecurity company. Faked images, or even video, could be used to add credibility to a candidate that would otherwise be turned away, such as a nation state operative or cybercriminal.
Account takeover/creation fraud: Cybercriminals are also using stolen biometrics data to create deepfakes of customers, in order to open new accounts or hijack existing ones. This is especially concerning for financial services firms. According to one study, deepfakes now account for a quarter of fraudulent attempts to pass motion-based biometrics checks.
The challenge is that deepfakes are increasingly difficult to tell apart from the real thing. And the technology is being commoditised on the cybercrime underground, lowering the barrier to entry for would-be fakers. There have even been warnings that deepfakes could be made even more realistic if large language models (LLMs) were trained with stolen or scraped personal information – to create an evil “digital twin” of a victim. The deepfake would be used as the front end of this avatar, who would look, sound and act like the real person in BEC, fake employee and other scams.
How Content Credentials works
Against this backdrop, many cybersecurity professionals are getting behind Content Credentials. Backed by the likes of Adobe, Google, Microsoft and – most recently – Cloudflare, the initiative was first proposed by the Coalition for Content Provenance and Authenticity (C2PA). Currently being fast-tracked to become global standard ISO 22144, it works as a content provenance and authentication mechanism.
A Content Credential is a set of “tamper-evident”, cryptographically signed metadata attached to a piece of content at the time of capture, editing or directly before publishing. If that content is edited and/or processed over time, it may accrue more Content Credentials, enabling the individual who has altered it to identify themselves and what they did. The idea, as the NSA puts it, is to create trust among content consumers through greater transparency, just as nutrition labels do with food.
The initiative is evolving as potential weaknesses are discovered. For example, recognising that trust in the metadata itself is paramount, efforts were made to enhance preservation and retrieval of this information. Thus, Durable Content Credentials were born, incorporating digital watermarking of media and “a robust media fingerprint matching system”.
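To make the “tamper-evident, cryptographically signed metadata” concrete, here is an added Go example; it is not part of the article, not the C2PA specification and not code from Adobe, Cloudflare or any other member. It models a Content Credential as a signed JSON manifest with an Ed25519 signature and a parent link, so that each edit chains back to the capture record. The field names, actor labels and media bytes are assumptions; the real standard uses a different binary encoding and certificate chains rather than bare public keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a simplified stand-in for one Content Credential: who acted on the content,
// what they did, a hash of the resulting bytes and a link to the previous manifest so that
// edits chain back to capture. Field names are assumptions, not the C2PA schema.
type Manifest struct {
	Actor       string `json:"actor"`
	Action      string `json:"action"`
	ContentHash string `json:"content_hash"`
	Parent      string `json:"parent"` // ID of the previous manifest; "" at capture
	PublicKey   string `json:"public_key"`
	Signature   string `json:"signature"`
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// payload is what gets signed: every field except the signature itself.
func (m Manifest) payload() []byte {
	m.Signature = ""
	b, _ := json.Marshal(m) // a flat struct of strings always marshals
	return b
}

// ID names a complete signed manifest; the next manifest stores it as Parent.
func (m Manifest) ID() string { return hashHex(append(m.payload(), m.Signature...)) }

// Sign produces a manifest over content, chained to parent when one is given.
func Sign(priv ed25519.PrivateKey, actor, action string, content []byte, parent *Manifest) Manifest {
	m := Manifest{Actor: actor, Action: action, ContentHash: hashHex(content),
		PublicKey: hex.EncodeToString(priv.Public().(ed25519.PublicKey))}
	if parent != nil {
		m.Parent = parent.ID()
	}
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, m.payload()))
	return m
}

// VerifyChain checks every signature, that the chain is unbroken from capture,
// and that the newest manifest matches the bytes actually being shown.
func VerifyChain(chain []Manifest, content []byte) error {
	if len(chain) == 0 {
		return errors.New("no credentials attached (stripped or never added)")
	}
	for i, m := range chain {
		pub, err1 := hex.DecodeString(m.PublicKey)
		sig, err2 := hex.DecodeString(m.Signature)
		if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize {
			return fmt.Errorf("manifest %d: malformed key or signature", i)
		}
		if !ed25519.Verify(ed25519.PublicKey(pub), m.payload(), sig) {
			return fmt.Errorf("manifest %d: signature mismatch (metadata tampered)", i)
		}
		if (i == 0 && m.Parent != "") || (i > 0 && m.Parent != chain[i-1].ID()) {
			return fmt.Errorf("manifest %d: broken provenance link", i)
		}
	}
	if chain[len(chain)-1].ContentHash != hashHex(content) {
		return errors.New("content does not match its newest credential (media tampered)")
	}
	return nil
}

// BuildExampleChain simulates a camera signing at capture and an editor signing after a crop.
// Keys are generated fresh and the media is placeholder bytes (constructed for the example).
func BuildExampleChain() ([]Manifest, []byte) {
	_, cameraKey, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	_, editorKey, _ := ed25519.GenerateKey(rand.Reader)
	original := []byte("RAW-IMAGE-BYTES (constructed placeholder)")
	capture := Sign(cameraKey, "camera:model-x", "captured", original, nil)
	edited := []byte("CROPPED-IMAGE-BYTES (constructed placeholder)")
	edit := Sign(editorKey, "editor:newsdesk", "cropped", edited, &capture)
	return []Manifest{capture, edit}, edited
}

func main() {
	chain, media := BuildExampleChain()
	fmt.Println("genuine:", VerifyChain(chain, media))
	fmt.Println("altered pixels:", VerifyChain(chain, append([]byte("x"), media...)))
	forged := append([]Manifest(nil), chain...)
	forged[1].Actor = "editor:impostor"
	fmt.Println("edited metadata:", VerifyChain(forged, media))
	fmt.Println("capture record stripped:", VerifyChain(chain[1:], media))
}
```

Three of the four checks in `main` fail on purpose: changing the media, rewriting a manifest field and dropping the capture record are each caught. The fourth failure mode is the one the article's critics raise: if an attacker strips the metadata entirely, verification reports only that no credentials are present, not that the media is fake. That is why the text stresses that absence of credentials should itself make a reader sceptical, and why Durable Content Credentials add watermarks and fingerprint matching that survive stripping.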
Progress will take time
If the standard takes off, it could be a game changer, argues Andy Parsons, senior director for content authenticity at Adobe.
“We’ve seen great momentum for real-world applications of Content Credentials which includes being integrated into the recently launched Samsung Galaxy S25. They are also supported by all ‘big five’ camera manufacturers – Canon, Fujifilm, Leica, Nikon, and Sony – as well as by the BBC for BBC Verify,” he tells me.
“Where social media and other websites do not yet retain visible Content Credentials when content is posted on their platforms, we have released the Adobe Content Authenticity extension for Google Chrome to allow end users to view Content Credentials on any website.”
Cloudflare’s head of AI audit and media privacy, Will Allen, adds that it could be used as a “trusted authentication tool” to tackle BEC, social media scams and other deepfake content.
“This approach helps organisations filter out manipulated content, make informed decisions and reduce exposure to misinformation,” he tells me.
However, there are still limits to the initiative’s potential impact, especially given the growing speed, quality and accessibility of deepfake tools.
Although there is “active work underway” to support live video, according to Adobe’s Parsons, that support is not yet finalised. This could leave the door open for threat actors using real-time deepfake tools for BEC fraud. Trend Micro senior threat researcher, David Sancho, adds that until all sources watermark their content, the potential for a high rate of false negatives is amplified.
“Often, once you see it, you can’t unsee it. This is more relevant for disinformation campaigns, but also for some scams,” he continues. “The criminals may also be able to remove fingerprinting metadata from synthetic media.”
While Content Credentials offers a helping hand in the form of additional data points to study, it’s not a silver bullet.
“Instead, to stop BEC, a company needs to implement strong processes that force finance employees to double/triple check money transfers beyond a certain amount, especially out of working hours,” Sancho continues. “This makes BEC a much more difficult proposition for the criminal because they must fool two or three people, not only one.”
Cloudflare’s Allen admits that take up remains the key to success.
“The biggest challenge is adoption – making it easier for users to inspect and verify Content Credentials,” he says. “For this to be truly effective, verification needs to be effortless and accessible, wherever users encounter media – whether on social media platforms, websites, or apps.”
Adobe’s Parsons claims that its Content Authenticity Initiative (CAI) now has over 4000 members, but agrees that end-user awareness will be key to its success.
“The more places Content Credentials show up, the more valuable they become. We also need to help build more healthy assessment of digital content and grow awareness of tools that are available,” he concludes. “Therefore, ensuring people are better educated to check for credentials and to be sceptical of content without them becomes even more essential.”
This article was first published on Assured Intelligence.
How a cyber-Richter scale could benefit CISOs
Posted: March 20, 2025 Filed under: cybersecurity | Tags: CISO, cyber monitoring centre, cyber security, cybersecurity, incident response, richter scale, security, technology
The phrase “world leading” is almost comically overused. The British government misapplied it with a frequency that bordered on the absurd in its post-Brexit press statements, for example. Many corporate minnows have done the same in a bid to punch above their weight in global markets. But a new British non-profit initiative could genuinely lay claim to such a title.
The Cyber Monitoring Centre (CMC) aims to do what has never been done before: to classify cyber events impacting UK organisations on a simple 1-5 scale. The hope is that, in so doing, it could help insurers price coverage more accurately and CISOs to improve cyber resilience and incident response plans.
Why we need one
Like their global peers, UK firms are increasingly reliant on IT and OT systems to function. Yet this also exposes them to a growing risk of digital extortion, service disruption and data theft. Such events can cause severe financial and reputational damage, as well as impacting customers and citizens. Over the past year alone, UK organisations and end users have suffered significantly from the global CrowdStrike outage and a ransomware attack on NHS supplier Synnovis.
Yet up to now, there has been no standardised way to categorise such events.
“Up until now The National Cyber Security Centre’s (NCSC) incident management (IM) team, which is responsible for triaging and categorising incidents, has been where people have traditionally turned to gauge the impact of an attack,” explains Trend Micro UK cybersecurity director, Jonathan Lee. “Its system works by considering the severity of the incident and its potential impact on the UK which then informed its response. However, this approach is based around directing the NCSC’s own resources towards managing the most significant UK cyber incidents.”
There are several reasons why measuring cyber incident severity is a challenge, argues CyXcel CEO, Edward Lewis, who helped to lead the CMC as a director during its incubation year.
“Unlike physical disasters – where financial loss, casualties, and recovery times are well understood – cyber incidents affect organisations in wildly different ways. A ransomware attack that cripples one company might barely touch another,” he tells me.
“Additionally, many incidents never get disclosed – whether due to legal concerns, regulatory pressure, or reputational risk. Even when they are reported, organisations don’t always share the full extent of the damage. That makes building a reliable severity model tough.”
Lewis adds that traditional approaches have focused too much on direct costs rather than the wider consequences of a cyber incident.
“A cyber attack doesn’t just stop at the victim. Supply chains, financial markets and even critical infrastructure can all be impacted in ways that are hard to measure,” he says.
“The CMC cuts through this by establishing a common framework for measuring severity, aggregating data across sectors, and giving CISOs and policymakers a clearer, quantified picture of cyber risk.”
What the CMC will do
The CMC’s inspiration is the Saffir-Simpson hurricane wind scale, which was designed by a wind engineer (Herbert Saffir) and a meteorologist (Bob Simpson) as a simple way to describe the potential impact of hurricanes. The CMC calculates a score from 1-5 for each qualifying cyber event, based on its financial impact to the populace and the percentage of UK businesses affected to the tune of over £1,000.
The CMC says that losses due to business interruption, data restoration, incident response, extortion, and transfer of funds as well as “downstream impacts of a cyber event” will be included. However, costs due to “liability, any fines or regulatory costs, apology payments, loss adjustment costs, and impacts to individuals” will not be considered in the calculations as these aren’t often available in the immediate aftermath of an event. In any case, these costs are often “a transfer of costs, rather than the true financial cost of an event”, it argues.
Although it’s still early days, the CMC has been operating in stealth mode for a year, honing and testing its methodology, and expanding the public and private data sources with which its Technical Committee makes its all-important final assessments.
These data sources include public data from the NHS and media reports, as well as impacted organisations, and partners across incident response, breach lawyers, cybersecurity vendors, insurance claims handlers, and industry associations. It also includes event polling and industry-specific panels from the British Chambers of Commerce, and ONS Business Insights Data & Analytics and Conditions Survey (BICS) respondents. Parametrix helps with cloud monitoring and outage data, while Cirium offers insight into the impact of an event on the UK aviation industry.
The CMC is also developing a database of historical events and their impact, which will help with benchmarking, stress testing and calibrating models going forward.
“When an event occurs, we analyse the event and group the impacted organisations into those that can be modelled in a similar manner (“Archetypes”). We then collect available event data and model the financial impact to each Archetype,” the CMC says. “Through 2024 we developed models for aviation, healthcare (Synnovis event), and for widespread events (CrowdStrike event).”
Better for insurers
Given its origins as a proposal by global insurer CFC, it’s perhaps unsurprising that the centre’s output could be a major boost for the sector. It has been argued that the CMC’s cyber-event ranking system could help the industry price its policies more accurately, and improve how insurers cover “systemic incidents” which impact large numbers of businesses simultaneously. It may, for example, lead to simpler language in policies.
Assured director, Ed Ventham, is concerned the move could lead to more exclusions based on the CMC Scale, although he admits this could be better than vaguer scenario-specific exclusions which are more common today.
“We’re obsessed as an industry with systemic risk, and it feels like the sector has had a couple of lucky escapes of late,” he tells me. “But we’re generally supportive of better data being collected. I’m excited by the prospect of what the CMC will bring to the industry. There’s a good team and a lot of experienced people behind it.”
Driving black box thinking
Trend Micro’s Lee is enthused by the potential benefits for CISOs.
“It boasts all the hallmarks of the concept of ‘black box thinking’, something which has really benefited the airline industry and it is a very welcome development. Every breach should be seen as an opportunity to learn to be more resilient in the future,” he tells me.
“This culture of openness and a robust methodology of breach impact analysis goes some way to making it easier for CISOs to understand the practical steps that they could take. Ultimately, as is the mantra in the public sector, our nation needs to continuously measure and understand risk, and take a proactive approach to cybersecurity.”
CMC CEO, Will Mayes, agrees that the initiative will be a boon for CISOs, in helping them to think through incident response strategies more clearly.
“For example, if a category 5 event were to occur, their incident response or other providers may have limited capacity to support them individually, given the number of organisations impacted. A CISO should consider alternative response plans in these scenarios,” he tells me.
“The CMC also creates a common language for talking about cyber risks that will help everyone within the cyber ecosystem to communicate about events to non-experts. It will provide greater clarity and could be used by a CISO to talk to executives about potential events, and get buy-in for security investment.”
It may also help security leaders demonstrate compliance to regulators and benchmark risk posture more effectively, Mayes argues.
However, there are limitations. For one, it doesn’t take into account the potential human impact of cyber incidents such as the Synnovis breach, which led to at least two NHS patients suffering long-term harm, according to Trend Micro’s Lee.
“Indeed, former NCSC CEO, Ciaran Martin, who chairs the CMC Technical Committee, acknowledged this at the launch event. He said that, although the CMC model categorised the Synnovis supply chain attack as a category 2 incident, in societal and human impact terms he would describe it as one of the most impactful cyber-attacks the UK has experienced lately,” he says.
“We should never forget the human impact that a cyber-attack can have in today’s digitally dependent world.”
CyXcel’s Lewis adds that the effectiveness of the modelling will depend on the quality of data fed in.
“The CMC’s success depends on getting enough organisations to share data. If participation is patchy, or companies hold back critical details, the output could be less reliable,” he says. “Cyber threats are also shifting constantly. The CMC will need to adapt and refine its models over time.”
Leading the way
Despite these challenges, Lewis describes the CMC as “a huge leap forward in cyber resilience”. So could the UK finally have a world-leading, world-first cyber initiative?
“Its success will depend on continued collaboration between government, industry, and cybersecurity professionals – ensuring its insights stay sharp and actionable,” Lewis concludes.
However, the CMC’s Mayes is less circumspect.
“We’ve already received interest and demand to replicate this approach in other countries,” he explains. “In response to demand from partners, we are actively exploring potential expansion to the US.”
Where the UK leads, others follow.
This article first appeared on Assured Intelligence.
What is PS21/3? Why time’s running out to comply with the UK’s DORA
Posted: March 11, 2025 Filed under: cybersecurity | Tags: business, compliance, cyber security, cybersecurity, DORA, FCA, financial services, ISO 27001, PS21/3, security, technology
Plenty has been written about the need for financial services firms to enhance operational resilience. But most of those column inches have until now focused on the EU’s Digital Operational Resilience Act (DORA), which came into force in January – even if many UK banks may not yet be compliant. Arguably more important for a larger number of British financial services companies is the Financial Conduct Authority (FCA)’s new Policy Statement: PS21/3.
Alongside the Prudential Regulation Authority (PRA)’s Supervisory Statement SS1/21, it forms a series of exacting new requirements for the sector that must be in place by 31 March 2025. For any organisations thinking of quietly deprioritising these efforts, a “Dear CEO” letter from the FCA in early February should focus minds.
The bottom line is that the regulator expects compliance. Fortunately, ISO 27001 can help in-scope organisations to create the culture of operational resilience that the FCA, PRA and DORA demand.
Digital change means digital risk
Like most sectors, financial services has grown steadily more dependent on digital infrastructure to stay competitive and provide the seamless online experiences that customers crave. As of 2024, some 86% of UK adults used online banking, and the figure for this and mobile banking is set to continue climbing upwards over the coming years – thanks partly to the disruptive impact of fintech firms. The UK market for these businesses is set to be worth over $24bn (£19bn) by 2029.
The challenge with the growing pace of this digital transformation is the extra risk that comes with it. An increasing reliance on technology exposes banks and other firms to a greater risk of digital extortion, primarily from ransomware, while at the same time expanding the attack surface so that breaches become almost inevitable. That’s a potentially serious reputational and financial risk. According to the International Monetary Fund (IMF)’s Global Financial Stability Report, more than 20,000 attacks on the banking sector have caused losses exceeding $12bn (£9.5bn) over the past 20 years. Additionally, “extreme losses” have more than quadrupled since 2017 to $2.5bn (£2bn).
However, cyber risk does not always stem from malicious third parties. At the end of January, a major Barclays IT outage left countless customers high and dry, unable to pay taxes, bills and mortgage payments, or even access correct information on their accounts. The fallout has been predictably torrid for the high street lender, which at the time of writing had still not explained the cause of the incident.
What the FCA wants
That’s why the FCA for one appears to be keen to increase regulatory requirements around digital operational resilience in the sector. PS21/3 demands that banks, building societies, insurers, payment providers and others get the following in order before the end of March:
- Identify the organisation’s most important business services and keep them regularly under review
- Set impact tolerances for each of these services and regularly review them
- Identify and document the people, processes, technology, facilities, and information needed to deliver key services. This includes any supplier relationships which could impact the organisation’s ability to remain within impact tolerance limits
- Develop testing plans which describe how the organisation can remain within impact tolerances for each “important business service” – identifying plausible scenarios aligned to risks and vulnerabilities. This will help senior managers ensure vulnerability remediation plans are appropriately funded
- Develop and test incident response plans
- Deliver a self-assessment in line with handbook guidance to the relevant governing body. This should highlight the organisation’s journey to operational resilience, including an overview of vulnerabilities found, scenarios tested (plus their outcome), remediation plans, and the overall strategy for remaining within impact tolerances for all important business services
- Conduct regular horizon scanning to understand new and emerging risks, and ensure the right controls are in place to detect, respond to and recover from operational disruptions
The FCA has already published some observations on current compliance efforts, which it says should help to guide financial services companies as they assess readiness and finalise PS21/3 plans. The regulator is particularly keen to ensure that third-party risk is continuously and actively managed by in-scope companies, including through testing where appropriate, and that remediation plans are fully funded. It also demands that complying organisations do not treat PS21/3 as a “once and done activity”, but instead embed its requirements into corporate culture.
How ISO 27001 can help
This is where ISO 27001 comes into its own. According to ISMS.online chief product officer, Sam Peters, there’s alignment between the standard and PS21/3 in multiple key areas, including:
Governance and Accountability
Both emphasise leadership accountability in setting and overseeing resilience strategies.
Impact Tolerance and Risk Management
Both require risk-based decision-making and setting risk thresholds to maintain resilience.
Testing and Scenario Analysis
Both require regular testing to assess and improve operational resilience so that organisations can handle disruptions effectively.
Third-Party Risk Management
Both require due diligence on third parties, although ISO 27001 provides a structured approach for managing supplier security risks.
Incident Reporting and Response
Both require incident response planning, although “ISO 27001 goes further by ensuring incident handling is documented, monitored, and improved over time,” according to Peters.
Continuous Improvement and Learning from Disruptions
Both emphasise learning from disruptions to continuously enhance resilience.
“Firms using ISO 27001 already have a solid foundation for meeting FCA resilience requirements, especially in risk management, incident response and continuous improvement,” says Peters. “By leveraging ISO 27001, financial services firms can strengthen compliance with FCA rules while enhancing their overall security posture and resilience.”
As mentioned, the new FCA rules also share core principles around operational resilience with DORA. This includes greater leadership accountability, third-party resilience, improved incident response, and “mapping critical services, identifying vulnerabilities, and setting risk thresholds,” says Peters. Although the two regimes differ in terms of scope and enforcement, this offers an opportunity for UK financial firms operating in the EU to align FCA operational resilience strategies with DORA’s, using ISO 27001 as a foundation.
This will ultimately “help streamline compliance efforts and reduce regulatory risks”, Peters concludes.
This article was originally published on ISMS.online.
How much do words matter? Why Interpol wants to stop talking about ‘pig butchering’
Posted: March 10, 2025 Filed under: cybersecurity | Tags: crime, fraud, interpol, investment fraud, news, pig butchering, romance baiting, romance fraud, scam, scams
This article originally appeared on Assured Intelligence.
Cyber crime reporting is worryingly low. According to one estimate from the Crime Survey of England and Wales (CSEW) only 13% of fraud cases are reported to Action Fraud or the police by victims. National Trading Standards reckons the figure is more like 32%.
It means estimated victim losses of $652m (£801m) to romance and confidence fraud in 2023 are likely to be just the tip of the iceberg. That’s part of the reason why Interpol wants industry to do more to encourage victims to come forward. A good start, it argues, is to change the way we refer to victims of a particularly prevalent romance/investment scam hitherto known as “pig butchering”.
But can changing the way we refer to cyber crimes really have the desired effect? Or is the policing group overthinking things?
Romance baiting is the new pig butchering
Pig butchering derives its English moniker from the Chinese word “shazhupan”, which roughly equates to “killing pig game”. It refers to the way victims are often approached on dating sites by scammers, who then try to build a trusted relationship with them – “fattening them up” for the kill. Once the fraudster has won over hearts and minds, they will then suggest their victims invest in a fake crypto scheme or similar. By the time they realise it’s all a con, it’s too late for the victim. The animal has already been metaphorically slaughtered, and their hard-earned cash is gone.
Interpol’s argument is that using such language shames victims to the point where they may not be keen on coming forward. The policing group wants “romance baiting” to enter the cybersecurity lexicon instead.
“Words matter. We’ve seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognise that our words also matter to the victims of fraud,” says Interpol acting executive director of police services, Cyril Gout.
“It’s time to change our language to prioritise respect and empathy for the victims, and to hold fraudsters accountable for their crimes.”
Is Interpol right?
This isn’t the first time that a call has gone out to change specific cyber crime terminology. Back in 2020, the National Cyber Security Centre (NCSC) led a largely successful push to change “black/whitelist” to the more racially neutral “denylist/allowlist”. The terms “black hat” and “white hat” are far less common today for similar reasons. And the maintainers of the programming language Python replaced the terms “slaves” with “workers” or “helpers” and “master process” with “parent process”.
But does Interpol have a point about “pig butchering”? There’s certainly a case for saying that some cyber crimes can have a particular emotional impact on the individual, especially those where the victim has been betrayed by someone they thought could be trusted. It can cause distress, shame and feelings of helplessness. One victim of a historic dating scam even told researchers she felt like the experience was akin to being “mentally raped”.
Elisabeth Carter is an associate professor of criminology and forensic linguist at Kingston University London. She agrees that language can have a “huge impact” on victims and societal narratives.
“The terminology ‘pig butchering’ is used by criminals intent on harm. It is pejorative, dehumanising and it does harm victim reporting, victim self-identification, self-esteem, recovery, and harms societal narratives around fraud victimhood which also in turn feeds into barriers to reporting,” she tells me.
“Language is the very way in which criminals engage with and attack victims, using this to create an alternate reality where victims believe they are making reasonable choices, but in fact are being exploited and harmed financially and psychologically. The terms we use when communicating with the public are therefore all the more important. Far from being a distraction or overthinking, language in relation to fraud should be considered and extremely carefully selected, and only done so with an evidence-based reasoning behind it.”
KnowBe4 lead security awareness advocate, Javvad Malik, agrees up to a point.
“Kudos to Interpol for recognising the power of words. They’re not wrong – language can indeed be a barrier to reporting crimes,” he tells me. “On one hand, changing terminology could potentially confuse the public. But if the current terminology is preventing victims from coming forward, then it’s worth solving the issue.”
The power (or not) of words
Kingston University’s Carter highlights other ways in which language can in subtle ways undermine the fight against cyber crime and fraud. Although the language, manipulation and silencing tactics used by fraudsters are similar to those of domestic abusers, many people still say victims “fell for fraud” – which implies they were in some way to blame for being tricked, she argues.
“We wouldn’t say ‘don’t fall for domestic abuse’”, Carter adds. “Similarly, ‘scam’ should be avoided, as it minimises the crime, which is fraud, and ‘money you lost’ should instead be ‘money that was stolen/taken from you.’”
However, others expressed scepticism over Interpol’s calls. Silvija Krupena has over two decades of experience in financial crime prevention and is currently director of the financial intelligence unit at RedCompass Labs. She tells me that Interpol should be focusing on policing crime, not language.
“These scams are bleeding hundreds of billions annually. Do we seriously believe terminology is what’s keeping victims from reporting?” she argues. “Changing the term now adds friction, inefficiency and confusion to an already overwhelmed industry. And for what? Victims aren’t holding back because of terminology – they’re devastated, afraid and focused on recovery, not word choice.”
Krupena adds that “romance baiting” is far from ideal as a replacement, as not all pig butchering fraud involves a romance element.
The bigger picture
It is, of course, difficult to calculate just how under-reported cyber crime is. But it’s not impossible. Victim support group The Cyber Helpline estimates that, while the reporting rate for all crime is 79%, it drops to just 36% for cyber-related incidents. That’s bad news not just for the victims, but also for UK PLC, because it means the perpetrators are more likely to continue operating with impunity – and may turn their attention to business targets.
If the government can’t even get a proper picture of how widespread specific crime types are, and who is committing them, it will hamper both efforts to design effective public policy, and the ability of law enforcers to track down specific offenders. It’s one of the reasons why the new Labour government has made mandatory incident reporting a key part of its forthcoming Cyber Security and Resilience Bill.
Yet there’s more to encouraging incident reporting, especially among individual victims, than changing the way certain crimes are referred to. Krupena wants to see “bold transnational awareness campaigns” focused on breaking the stigma that fraud victims are caught out because they are “stupid” in some way.
“The campaigns should educate on red flags and warning signs, protecting both victims recruited by traffickers to run scams and those targeted by them,” she continues. “These efforts must start on social media, especially Meta platforms, and then telecommunication providers; the next biggest channel. Let’s go beyond wordplay and focus on what matters – education and prevention. That’s how we disrupt the cycle of cyber crime.”
According to Home Office research from over a decade ago, which The Cyber Helpline claims is still relevant today, cyber crimes are also under-reported because of a perception that the police can’t or won’t do anything to solve them. This in turn is influenced by a perception that digital offences are not ‘real’ crimes. Victims may also not consider themselves to be such if they’ve been refunded money stolen by fraudsters.
Yet here too language may have a part to play.
“We need to avoid saying ‘you will get your money back’, as it is not the victim’s money that is coming back; that money has gone to feed criminal enterprises,” Carter argues. “We need to instead say ‘you will be made financially whole’ or ‘you will be reimbursed’, because framing it as the victim getting their money back feeds into the wider misperception that once this is done there was no harm.”
In fact, fraud causes tremendous economic and societal harm. The proceeds of fraud are often reinvested into other nefarious activities, including cyber crime, drugs, gun running and even human trafficking. The challenge is so acute that one noted think tank has described fraud as a threat to national security. In this context, gaining a more accurate picture of the scale of the problem is the first step towards tackling it.
Why remote access software could be a backdoor into your network
Posted: March 10, 2025 Filed under: cybersecurity | Tags: CISA, cyber security, cybersecurity, hacking, lateral movement, RATs, remote access software, remote access tools, security, technology
This article first appeared on ISMS.online.
Remote access software has been a popular tool for IT administrators, managed service providers (MSPs), SaaS firms and others for many years. It offers an invaluable way to remotely manage and monitor multiple IT and OT endpoints from a single, centralised location. But by the same token, it provides a powerful way for threat actors to bypass corporate defences and remotely access victim networks.
Whether they’re remote access tools (RATs), remote monitoring and management (RMM) products or remote administration solutions, the risk is the same. It’s time to close down a potentially dangerous backdoor into corporate IT environments.
What are RATs?
Tools like Atera, AnyDesk, ConnectWise, and TeamViewer are well-known in the IT community. Although they’ve been used for years to help admins troubleshoot problems, set up and configure machines, patch endpoints, and more, RATs really came into their own during the pandemic. Yet just as attacks on remote desktop tools ramped up during that period, we also witnessed a growing interest in remote access software as a way to bypass security tools.
They’ve even been deployed in attacks targeting individuals, where the victim is socially engineered into downloading one to their PC or mobile device to provide a fraudster with access to their banking and other accounts. This happens frequently in tech support scams and, most recently, in a sophisticated government impersonation campaign designed to steal victims’ card details.
Why are RATs attractive?
It should come as no surprise that threat actors are targeting such tools in greater numbers. They offer a useful way to blend in with legitimate tooling and processes, in a similar way to living off the land (LOTL) attacks. Because remote access software is signed with trusted certificates, it won’t be blocked by anti-malware or endpoint detection and response (EDR) tooling. Other advantages for adversaries include the fact that remote access software:
- May have elevated privileges, making initial access, persistence, lateral movement, access to sensitive resources and data exfiltration easier
- Enables threat actors to carry out intrusions without needing to spend time and money developing malware like remote access Trojans (also abbreviated to “RATs”), which security tools may identify
- Enables adversaries to bypass software management control policies and potentially even execute unapproved software on the targeted machine
- Uses end-to-end encryption, enabling attackers to download files that corporate firewalls would otherwise stop
- Can support multiple simultaneous attacks, for example, via a compromised MSP
How adversaries are targeting remote access
According to the US Cybersecurity and Infrastructure Security Agency (CISA), threat actors may either exploit vulnerable versions of remote access software or use legitimate compromised accounts to hijack the use of the tools. Alternatively, they could socially engineer victims into downloading legitimate RMM software or similar. In more sophisticated attacks, they may target a remote access software vendor and manipulate its software with malicious updates. They may also use PowerShell or other legitimate command line tools to covertly deploy an RMM agent on the victim’s machine.
Sometimes, threat actors also use remote access software in concert with penetration testing tools like Cobalt Strike or even remote access malware to ensure persistence. Once they have access to a target network/machine, they can use remote access software to:
- Move laterally through the victim’s network
- Find lists of other systems for lateral movement
- Establish command and control (C2) channels
Such techniques are being used by both cybercrime groups and nation-state operatives for sophisticated data theft operations and ransomware attacks. They’ve been spotted targeting US government employees in financially motivated scams. One security vendor has also warned about the “excessive” use of non-enterprise grade RATs in OT environments, which ends up expanding organisations’ attack surface.
Its research reveals that 79% of firms have more than two such tools installed on OT network devices. Because these lack sufficient access controls and features such as multi-factor authentication (MFA), they’re exposed to hijacking by threat actors.
In the wild
There are numerous examples of RAT-based breaches with serious consequences over the past few years. They include:
- In February 2024, vulnerabilities in unpatched ScreenConnect software were exploited in multiple organisations to deploy malware on servers and workstations with the remote access software installed.
- In February 2022, CISA and the UK’s National Cyber Security Centre (NCSC) warned of a campaign by Iranian APT group MuddyWater which may have had both cyber-espionage and financial motives. The threat actors used ScreenConnect for initial access and lateral movement.
- In January 2023, CISA warned of a campaign using ScreenConnect and AnyDesk to carry out a “refund scam” on federal government employees. The campaign used phishing techniques to persuade the victims to download the software as self-contained, portable executables, enabling them to bypass security controls.
- In July 2024, a security vendor discovered a modified version of the open-source RMM tool PuTTY (renamed “KiTTY”) which could bypass security controls. The tactic enabled the threat actors to create reverse tunnels over port 443 to expose internal servers to an AWS EC2 box under their control to steal sensitive files.
How to mitigate remote access attacks
CISA lists a range of host and network-based controls and policy/architectural recommendations that could help build resilience against such attacks. These include:
- Phishing awareness training for employees
- Zero trust and least privilege approaches to identity and endpoint security
- SecOps monitoring for suspicious activity
- External attack surface management (EASM) for improved visibility into unknown and unmanaged assets
- Multi-factor authentication (MFA) for remote access software
- Auditing of remote access software and configurations
- Application controls, including zero-trust principles and segmentation, to manage and control software execution
- Continuous risk-based patching
- Network segmentation to limit lateral movement
- Blocking of inbound/outbound connections on common RMM ports and protocols
- Web app firewalls (WAFs) to protect remote access software
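Several of the controls above (auditing installed remote access software, application control and SecOps monitoring) reduce to one question: is a known remote access binary running where, and how, the organisation expects? The following is an added illustration, not CISA's guidance or code from the article or any vendor. It scans constructed process-creation events for well-known RMM executables and flags the patterns the article describes: tools missing from an approved inventory, portable copies executed from user-writable paths, and agents spawned by PowerShell or another script host. The JSON event schema, hostnames, inventory and log lines are all assumptions made for the example.

```python
"""Flag unexpected remote access / RMM tooling in process-creation telemetry.

Constructed example: the event format, approved-tool inventory and sample
events below are invented for illustration. Map the field names onto your
EDR or Sysmon schema before using the logic.
"""
import json
import ntpath

# Executable names of common remote access / RMM products (illustrative, not exhaustive).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
}

# Script hosts and shells that should rarely be the parent of an RMM agent.
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Path fragments typical of a user-delivered "portable" executable rather than a managed install.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def basename(path):
    """Lower-cased file name of a Windows path, evaluated portably on any OS."""
    return ntpath.basename(path).lower()


def evaluate_event(event, approved):
    """Return a list of finding strings for one process-creation event.

    `approved` maps hostname -> set of product names sanctioned on that host.
    Events for binaries that are not remote access tools yield no findings.
    """
    product = RMM_BINARIES.get(basename(event["image"]))
    if product is None:
        return []
    host = event["host"]
    findings = []
    # 1. Inventory check: is this product sanctioned on this host at all?
    if product not in approved.get(host, set()):
        findings.append(f"unapproved remote access tool {product} on {host}")
    # 2. Portable-executable check: managed installs live under Program Files, not user profiles.
    image_lower = event["image"].lower()
    if any(marker in image_lower for marker in USER_WRITABLE_MARKERS):
        findings.append(f"{product} running from user-writable path {event['image']}")
    # 3. Parent check: agents deployed via a script host deserve a closer look.
    parent = basename(event.get("parent_image", ""))
    if parent in SCRIPT_PARENTS:
        findings.append(f"{product} launched by {parent}")
    return findings


def scan(events_text, approved):
    """Parse newline-delimited JSON events and return (host, finding) tuples."""
    results = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for finding in evaluate_event(event, approved):
            results.append((event["host"], finding))
    return results


# Constructed sample telemetry (raw string so JSON sees doubled backslashes).
SAMPLE_EVENTS = r"""
{"host": "helpdesk-01", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"host": "hr-laptop-07", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host": "ot-hmi-03", "image": "C:\\Program Files (x86)\\ScreenConnect Client (abc)\\ScreenConnect.ClientService.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"host": "hr-laptop-07", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

# Constructed inventory: only the helpdesk host is sanctioned to run TeamViewer.
APPROVED = {"helpdesk-01": {"TeamViewer"}, "hr-laptop-07": set(), "ot-hmi-03": set()}


def run_example():
    """Scan the sample events against the sample inventory."""
    return scan(SAMPLE_EVENTS, APPROVED)


if __name__ == "__main__":
    for host, finding in run_example():
        print(f"[{host}] {finding}")
```

The sanctioned TeamViewer install produces no alert, the OT host's unexpected ScreenConnect client produces one, and the AnyDesk copy dropped in a user's Downloads folder and started by PowerShell trips all three checks.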
However, the security agency also recommends organisations “maintain a robust risk management strategy based on common standards, such as the NIST Cybersecurity Framework”. Javvad Malik, lead security awareness advocate at KnowBe4, agrees.
“The NIST framework’s core functions provide a comprehensive approach to managing RMM tool risks,” he tells me.
“This includes maintaining an inventory of systems with RMM software, enforcing strong authentication, implementing behavioural analytics for anomaly detection, developing specific incident response playbooks, and ensuring business continuity plans account for RMM tool dependencies.” Malik adds that ISO 27001 can also help mitigate the risks of using remote access software.
“ISO 27001’s controls on access management, cryptography, operations security, and supplier relationships provide a solid foundation,” he explains. “For example, organisations can implement formal RMM tool access management processes, ensure encrypted remote sessions, and set up automated alerts for unusual activities.”
Ian Stretton, director of EMEA at cybersecurity consultants Green Raven, agrees that “successful cybersecurity is based on firm foundations such as ISO 27001”.
He tells me that one key tenet of such approaches is to deploy continuous monitoring backed by threat intelligence.
“This is brought into sharper focus by the adoption of AI by threat actors as a challenge to AI-based defence tools,” Stretton concludes.
“The deployment of tools such as anomaly detection systems that specifically monitor for suspicious behaviours in AI processes – such as misclassification, sudden shifts in decision-making logic or other behaviour – can aid in combating this type of AI-based threat.”
UK government security is foundering: here’s how to fix it
Posted: February 13, 2025 Filed under: cybersecurity, technology, Uncategorized | Tags: AI, cyber security, cyber security strategy, cybersecurity, government, public sector, security, technology, uk government
This article first appeared on Assured Intelligence.
We knew it was bad, but not as bad as this. On January 29 the National Audit Office (NAO) released a bombshell report revealing, in gory detail, the challenges facing central government cybersecurity leaders. Blaming skills gaps and funding shortages for much of the malaise, it warns that the cyber-threat to government is “severe and advancing quickly”, urging immediate action to protect vital public services.
The spending watchdog did not pull its punches. But the gaps in cyber resilience it identifies are so pronounced that fixing them will be extremely challenging, especially with a self-imposed deadline of 2030.
A giant target
There’s no doubting the massive target central government has painted on its back. The National Cyber Security Centre (NCSC) warns of a “diffuse and dangerous” threat from hostile states as well as cybercrime groups. Hacking tools and easy-to-use pre-packaged services are freely available online, as are breached credentials, including those linked to .gov email domains. The use of generative AI tools to upskill threat actors in penetration testing, and innovative new techniques like IT impersonation are already accelerating and improving outcomes for adversaries.
This matters for central government in particular, given the huge number of citizens that rely on public services. The NAO report cites NCSC figures claiming that 40% of incidents managed by the agency between 2020 and 2021 targeted the public sector. Breaches at NHS provider Synnovis and the British Library show the devastating impact and cost these can have.
Yet despite the ambition outlined in the Government Cyber Security Strategy: 2022–2030, plans appear to have languished under the previous administration.
What’s gone wrong?
The headline-grabbing part of the report is all about visibility and resilience, and the work of the Government Security Group (GSG) – the Cabinet Office body that oversees central government security. It claims that a 2023-24 assessment by the government’s new cyber assurance scheme, GovAssure, found that 58 critical departmental IT systems had “significant” gaps in cyber resilience, creating “extremely high” risk.
“The data highlighted multiple fundamental system controls that were at low levels of maturity across departments including asset management, protective monitoring, and response planning,” the report notes. “GSG reported to ministers the implication of these findings: the cyber-resilience risk to government was extremely high.”
Edwin Weijdema, EMEA field CTO at Veeam, argues that asset management, protective monitoring and incident response planning are three “interconnected pillars” vital to cybersecurity.
“If you don’t know about it, you can’t secure it – so a thorough asset inventory is the first step to knowing exactly what needs protection,” he tells Assured Intelligence.
“Once you have this visibility, protective monitoring of those assets provides real-time detection of suspicious activity, helping to prevent small issues from turning into major breaches. Finally, a robust response plan ensures you’re ready to recover quickly when incidents occur, turning potential chaos into controlled chaos with a smaller blast radius and much less damage tied to it.”
According to the NAO, the GSG also failed to include legacy IT systems in the GovAssure audit because many of its recommended controls were apparently not applicable to such technology. That has unwittingly created a significant visibility gap at the heart of government.
“In March 2024, departments reported using at least 228 legacy IT systems. Of these, 28% (63 of 228) were red-rated as there was a high likelihood and impact of operational and security risks occurring,” the NAO report notes.
Other critical cybersecurity challenges and failings highlighted by the NAO include:
- Until April 2023, the government did not collect “detailed, reliable data” about the cyber resilience of individual departments
- The government has not improved cyber resilience quickly enough to meet its aim to be “significantly hardened” to cyber-attack by 2025
- Departments still find it difficult to understand the roles and responsibilities of the cyber-related bodies at the centre of government
- GSG has no effective mechanisms in place to show whether its approach to government cybersecurity is effective, or even a plan to make government organisations cyber resilient by 2030
The NAO also slams individual departments for failing to meet their responsibilities to improve resilience. It claims that leaders “have not always recognised how cyber risk is relevant to their strategic goals” and that boards often don’t even include any members with cyber expertise.
James Morris, CEO of the non-profit Cybersecurity and Business Resilience Policy Centre (CSBR), argues that there’s plenty to be done.
“Cyber resilience needs to be hardwired into the processes of central government departments and made a priority for their core strategic and operational work,” he tells Assured Intelligence.
“It should also be identified as a core strategic priority for ministers and senior civil servants. Each department should identify where skill gaps are putting resilience at risk and plans should be put in place to improve cyber resilience skills among existing staff.”
Too few skills, not enough money
However, at the heart of the problem appear to be both money and talent. A cyber directorate set up by the GSG to lead cybersecurity improvement across government apparently had 32% of posts unfilled when first established. In 2023-24, a third of security roles in central government were either vacant or filled by temporary staff, with the share of vacancies in several departmental security teams over 50%.
“There are only two real options: increase the supply of cybersecurity skills, or recognise that market rates are what they are for cybersecurity skills, and pay them. Better still, do both,” says Ian Stretton, director at consulting firm Green Raven Limited. “But these are long-term fixes that will take years to effect.”
Attracting talent is made harder when departments must compete with deep-pocketed private sector organisations for a limited number of skilled professionals. The government announced in 2021 a £2.6bn funding boost for cyber, of which it apparently allocated £1.3bn to departments for cybersecurity and legacy IT remediation. However, since 2023, departments have “significantly reduced” the scope of improvement programmes, the NAO says. As of March 2024, departments did not have fully funded plans to remediate around half of the government’s legacy IT assets.
How to sort out this mess
In the absence of funding, it will be a tough ask to meet the recommendations set out by the NAO (see boxout). However, it is possible, according to the experts Assured Intelligence spoke to.
“Central government departments can boost cyber resilience – even in the face of legacy IT – by focusing on three core principles: speed, skills and accountability,” argues Veeam’s Weijdema.
“Speed in detection is crucial because the sooner you spot a breach, the less time attackers have to move laterally, exfiltrate data or disrupt critical services. Continuous log monitoring, threat intelligence feeds, and anomaly detection tools should be in place to catch potential intrusions in near real-time. Equally important is the ability to respond swiftly. Well-defined processes and empowered teams prevent small issues from escalating into large-scale crises.”
Government must also recognise the high demand for security professionals and pay competitive salaries, as well as offering clear career progression, and investing heavily in training to plug the skills gap, Weijdema adds. Security teams should be held accountable for the outcomes of the measures they take, he says.
“Finally, regular drills and exercises – like red-team attacks or simulated breaches – will help to instil a culture of digital emergency response,” Weijdema continues. “Just as physical first responders train constantly for disasters, a cyber workforce should practice containing threats under realistic conditions. Such exercises refine tactics, highlight weaknesses and foster collaboration.”
Green Raven’s Stretton agrees that government must find the money to compete with the private sector on salaries, but warns that this alone will not be enough.
“Even if there were enough cybersecurity professionals to go around, current cyber-defence strategies revolve around building higher and higher walls. But this isn’t a sustainable approach to cybersecurity, and cyber pros know it,” he tells Assured Intelligence.
“The problem is the world is still thinking about cybersecurity like medieval monarchs used to think about castles: just dig deeper ditches and build higher ramparts and it’ll be fine. Instead, we need to get smarter and focus defensive resources on where we know they are going to be needed.”
By making the most of AI-powered cyber-threat intelligence, government bodies can get back on the front foot against their adversaries, Stretton argues.
“Rather than constantly reacting to general threats, knowing who is coming after your organisation, and with what ‘weapons’, means you can remove the blindfold and react to what poses the greatest threat,” he says. “It’s analogous to how the security services work: there aren’t enough of them to keep us safe by sheer force of numbers, so they use sophisticated intelligence-gathering to pre-empt attacks and intercept attackers.”
The fact that the NAO report has been published at all is a positive sign. It signifies the new government’s recognition of the growing cyber-threat facing Whitehall, and its desire to achieve key parts of the 2022-2030 strategy by the end of the year. However, whether it can match this ambition with results remains to be seen.
Routers are in the firing line: here’s how to protect your organisation
Posted: December 10, 2024 Filed under: cybersecurity, Uncategorized | Tags: cyber security, cybersecurity, router, security, technology
This article first appeared on ISMS.online.
Modems and routers aren’t the most glamorous of connected technologies. In fact, their ubiquity means that most organisations forget they’re even there. However, they also perform a critical function in enabling networked devices and machines to reach the public internet. Without them, most businesses would struggle to operate.
Yet because of their location at the edge of the network, routers are also an increasingly popular target. It doesn’t help that many are riddled with vulnerabilities and may not be updated as frequently as other critical devices. A report from Forescout released in October warns of 14 new firmware flaws in DrayTek routers.
It’s time to get serious about protecting corporate routers.
What’s Wrong with DrayTek?
According to Forescout, two of the 14 new vulnerabilities it discovered in routers from the Taiwanese manufacturer are rated critical: CVE-2024-41592 has a maximum CVSS score of 10, while CVE-2024-41585 is given a 9.1.
The former is a buffer overflow in the GetCGI() function of the DrayTek VigorConnect Web UI. It could apparently be triggered by a specially crafted and excessively long query string sent to any of the 40 CGI pages of the Web UI. This, in turn, could be used to achieve denial of service or, if chained with the OS command injection bug CVE-2024-41585, to gain remote root access to the underlying host operating system.
That’s potentially far more serious, as it would provide an attacker with the “keys to the kingdom” – enabling complete remote control of the targeted router and, by moving laterally, other devices on the same network, says Forescout.
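The flaw class described above (an over-long query string aimed at a CGI handler, chained with command injection) is something a defender can watch for in the router’s own web-server logs. The following is an added example, not code from Forescout, DrayTek or the article: it parses constructed access-log lines in Apache/nginx “combined” format and flags requests to .cgi pages whose query string exceeds a threshold or carries shell metacharacters. The 2048-byte threshold, the `.cgi` suffix and the sample page names are assumptions to tune per deployment.

```python
"""Flag suspicious requests to CGI pages in web-server access logs.

Added example (not Forescout's, DrayTek's, or the article's code). The log
lines are constructed; the parser assumes Apache/nginx "combined" log format,
and the 2048-byte query threshold is an assumption to tune per deployment.
"""
import re
from urllib.parse import urlsplit

# combined log format: src ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

MAX_QUERY_LEN = 2048            # assumption: longer than any legitimate UI query
CGI_SUFFIX = ".cgi"
# Shell metacharacters (raw and percent-encoded) that a management UI never needs
SHELL_META = re.compile(r"[;`|$]|%3b|%60|%7c|%24", re.IGNORECASE)


def parse_line(line):
    """Return the fields we care about, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "src": m.group("src"),
        "time": m.group("time"),
        "path": url.path,
        "query": url.query,
        "status": int(m.group("status")),
    }


def classify(rec):
    """Reasons a request to a CGI page looks like an attack attempt (empty if none)."""
    reasons = []
    if not rec["path"].endswith(CGI_SUFFIX):
        return reasons                      # only CGI handlers are in scope
    if len(rec["query"]) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(rec['query'])} > {MAX_QUERY_LEN}")
    if SHELL_META.search(rec["query"]):
        reasons.append("shell metacharacters in query")
    return reasons


def scan(lines):
    """Return (src, path, reasons) for every flagged request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["src"], rec["path"], reasons))
    return findings


# Constructed sample: one normal login, one oversized query to a CGI page,
# one query carrying a ';', and one oversized query to a static page (ignored).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2024:09:14:02 +0000] "GET /cgi-bin/login.cgi?user=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Dec/2024:09:14:05 +0000] "GET /cgi-bin/login.cgi?' + "A" * 3000 + ' HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Dec/2024:09:14:09 +0000] "GET /cgi-bin/status.cgi?interface=eth0;ls HTTP/1.1" 200 88',
    '192.0.2.11 - - [10/Dec/2024:09:15:00 +0000] "GET /index.html?' + "B" * 3000 + ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, path, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {path}: {'; '.join(reasons)}")
```

The oversized request to the static page is deliberately left unflagged: the point is to alert on the handler class the report names, not on every long URL, which keeps the rule quiet on noisy edge devices. A 500 response following an oversized CGI query is itself a useful secondary signal that the handler fell over.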
The popularity of DrayTek routers globally highlights network defenders’ challenges and the opportunity for threat actors. According to Forescout, over 704,000 routers were exposed to the internet – and therefore open to exploitation – when the report was compiled, including 425,000 in the UK and EU. Most are apparently intended for business use.
DrayTek had patched all the firmware vulnerabilities by the time the report was published. Still, there is no guarantee that customers will apply the updates before potential attempts to exploit them. The vendor is also by no means the only manufacturer whose products are at risk of compromise. In September, a joint advisory from several Five Eyes security agencies revealed the existence of a massive botnet of 260,000 hijacked devices, including routers from MikroTik, Ubiquiti, Telesquare, Telstra, Cisco, and NetGear.
Why Routers?
Modems and routers are clearly a popular target for threat actors. This is because they:
- Are often riddled with unpatched vulnerabilities that could be exploited
- Are often used by SMEs with fewer security resources and know-how, which may leave routers exposed
- Are easy for hackers to scan remotely
- May only be protected by factory default credentials
- Provide a gateway to other devices on the same network and could, therefore, be used as an initial access vector for ransomware and data theft
- Can be hijacked and used as bots in a larger botnet to launch DDoS attacks on others or disguise more sophisticated threat campaigns
- Could be repurposed as command-and-control servers (if they’re high-performance routers)
End-of-life (EoL) or end-of-sale (EoS) devices are particularly at risk as patches/updates may not be available from the vendor. Forescout claims that 11 of the 24 impacted DrayTek models listed in its research were either EoL or EoS. Even if patches can be applied, they often are not. Almost two-fifths (40%) of those in the report are still vulnerable to similar flaws identified two years previously, according to Forescout.
“Routers can yield access to, or even control of, assets inside an organisation’s network. As the skeletons of the networks and sub-networks they form, they are a great resource for an attacker to infect,” Black Duck Software managing security consultant Adam Brown tells ISMS.online.
“Furthermore, they are administrated by individuals with the highest levels of security credentials, which, if breached, give bad actors the keys to the kingdom.”
This is not a theoretical threat. As well as the massive Chinese threat campaign highlighted above, we can point to the following:
Volt Typhoon: A Chinese state-backed APT group that exploited zero-day vulnerabilities in internet-connected network appliances like routers to compromise strategically important critical infrastructure networks in the US. The end goal, says the Cybersecurity and Infrastructure Security Agency (CISA), was to be primed and ready to launch destructive attacks in the event of a military conflict.
BlackTech: Another Chinese state APT group which targeted various organisations in the US and Japan. It targeted poorly protected routers in branch offices, allowing attackers to blend in with regular traffic as they pivoted to other devices in corporate headquarters. In some cases, the adversaries gained admin rights, enabling them to replace the firmware on the routers and/or switch off logging to hide their tracks.
Cyclops Blink and VPNFilter: Two sophisticated multi-year campaigns from Russia’s Sandworm group, which targeted small office/home office (SOHO) routers and other network devices. Deployment of the eponymous malware was described as “indiscriminate and widespread”, leading observers to speculate that the purpose was to create botnets capable of launching threat campaigns on other targets.
APT28/Fancy Bear: A prolific Russian threat group targeted Ubiquiti EdgeRouters as part of a broader campaign to “facilitate malicious cyber operations worldwide” – including by hosting spear phishing pages and custom attack tools.
How to Mitigate the Threat
Some US lawmakers want to investigate Chinese-made routers in a bid to mitigate Beijing’s cyber espionage threat. But this will do nothing to tackle the problem of routers made elsewhere being hijacked through stolen/brute-forced credentials or vulnerability exploitation. So, how can organisations better protect their routers? Some best practices will help.
An excellent place to start is tried-and-tested cyber-hygiene such as:
- Regular patching of firmware as soon as updates are available, using automated update channels where possible
- Replacing default passwords with strong, unique credentials
- Turning off unused services and ports like UPnP, remote management, file sharing, etc
- Promptly replacing EoL kit to ensure maximum protection from exploitation.
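The four hygiene items above map directly onto checks that can be run across a whole fleet, which matters because the report’s figures show the problem is scale, not any single device. The block below is an added example rather than code from ISMS.online, Forescout or any vendor: it scores a constructed router inventory against each control (EoL status, firmware currency against a patch SLA, default or short credentials, unneeded services, WAN-reachable management) and ranks the fleet so the worst device is handled first. The field names, weights, 30-day patch SLA and 12-character password floor are assumptions standing in for local policy.

```python
"""Audit a router fleet against the hygiene controls above and rank what to fix first.

Added example, not code from ISMS.online, Forescout or any router vendor. The
fleet below is constructed; field names, weights, the 30-day patch SLA and the
12-character password floor are assumptions standing in for local policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RISKY_SERVICES = {"upnp", "telnet", "ftp", "smb", "tftp"}   # off unless documented need
MAX_PATCH_AGE = timedelta(days=30)    # assumption: SLA for applying edge-device firmware
MIN_PASSWORD_LEN = 12                 # assumption: local credential policy
WEIGHTS = {"eol": 3, "patch_high": 3, "patch_medium": 2, "default_creds": 4,
           "weak_password": 2, "service": 1, "wan_admin": 3}


@dataclass
class Router:
    name: str
    firmware: str                 # running version
    latest_firmware: str          # latest version the vendor has released
    latest_released: date         # when latest_firmware became available
    default_creds: bool           # result of an earlier check against the vendor default list
    password_len: int             # length of the admin password per the credential vault
    services: set = field(default_factory=set)
    wan_admin: bool = False       # management UI reachable from the WAN side
    internet_exposed: bool = False
    eol: bool = False


def audit(r, today):
    """Return (score, findings) for one router; higher score = fix sooner."""
    findings, score = [], 0
    if r.eol:
        findings.append("end-of-life: no further vendor patches, plan replacement")
        score += WEIGHTS["eol"]
    if r.firmware != r.latest_firmware:
        overdue = (today - r.latest_released) > MAX_PATCH_AGE
        key = "patch_high" if overdue else "patch_medium"
        findings.append(f"firmware {r.firmware} behind {r.latest_firmware}"
                        + (" (past patch SLA)" if overdue else ""))
        score += WEIGHTS[key]
    if r.default_creds:
        findings.append("factory default admin credentials")
        score += WEIGHTS["default_creds"]
    elif r.password_len < MIN_PASSWORD_LEN:
        findings.append(f"admin password shorter than {MIN_PASSWORD_LEN} characters")
        score += WEIGHTS["weak_password"]
    exposed = sorted(r.services & RISKY_SERVICES)
    if exposed:
        findings.append("unneeded services enabled: " + ", ".join(exposed))
        score += WEIGHTS["service"] * len(exposed)
    if r.wan_admin:
        findings.append("management interface reachable from the WAN")
        score += WEIGHTS["wan_admin"]
    if r.internet_exposed:
        score *= 2        # reachable from the internet: everything above is live risk
    return score, findings


def rank_fleet(routers, today):
    """Return [(name, score, findings)] sorted so the worst router comes first."""
    ranked = [(r.name, *audit(r, today)) for r in routers]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


TODAY = date(2024, 12, 10)     # constructed reference date
FLEET = [  # constructed inventory
    Router("edge-hq", "1.0.2", "1.0.2", date(2024, 11, 1), False, 20,
           {"https", "ssh"}, internet_exposed=True),
    Router("branch-01", "3.8.1", "3.9.0", date(2024, 9, 11), True, 5,
           {"https", "upnp", "telnet"}, wan_admin=True, internet_exposed=True),
    Router("lab-router", "2.2.0", "2.2.1", date(2024, 11, 30), False, 8,
           {"upnp"}, eol=True),
]

if __name__ == "__main__":
    for name, score, findings in rank_fleet(FLEET, TODAY):
        print(f"{name}: score {score}")
        for f in findings:
            print("  -", f)
```

Internet exposure doubles the score rather than adding a fixed amount, so an exposed branch router with default credentials and WAN management outranks an isolated EoL lab device even though the latter has more individual findings. The EoL check is deliberately separate from the firmware check: an EoL device can be fully current and still need replacing, because no further fixes will come.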
Black Duck Software’s Brown adds that Zero Trust measures, such as network monitoring for unusual traffic volumes and segmentation alongside least-privilege access policies, would also help organisations mitigate router security risks.
“Security architecture must be considered when deploying networks, and therefore routers, with care taken to ensure access to router consoles has appropriate security controls,” he adds. “Network trust zones must be considered, and a Zero Trust approach to architecture at all layers will help limit the blast radius should an incident occur.”
As the above examples highlight, powerful state-backed groups as well as sophisticated cybercrime entities are primed to take advantage of security gaps to hijack routers and the networks they straddle. With SMBs in the crosshairs, it’s time to close this critical security gap.
Factory 4.0 and beyond: the challenges of operational technology security
Posted: November 3, 2023 Filed under: Uncategorized | Tags: cybersecurity, operational technology, OT Leave a comment
This article was first published on ISMS.online.
When a report revealed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products last year, experts hailed it as a wake-up call for the industry. The study highlighted an endemic problem with OT equipment: a lack of basic security-by-design best practices. The fact that three-quarters of those products assessed to contain vulnerabilities had valid security certifications should cause further nervousness among IT/OT managers.
The bottom line is that the issues highlighted in the report run so deep they’re unlikely to be resolved industry-wide anytime soon. That puts the onus on enterprise security programmes to ensure OT risk is managed with the same attention to detail as IT.
The What and Why of OT
Whereas IT systems manage information and applications, OT covers the hardware and software used to monitor and control the physical world. It could be anything from an ATM to an industrial control system (ICS), a factory robot to a programmable logic controller (PLC). The technology can be found most obviously on the factory floor. But it spans a huge range of industries beyond manufacturing, including healthcare, oil & gas, utilities, and transportation.
Historically, OT systems were not internet-connected, and devices tended to be purpose-built, running specialised software. That meant security was treated as an afterthought. However, most equipment has connectivity today, meaning remote attackers can probe it for vulnerabilities. At the same time, it often runs Windows or other commercial software. That makes it an attractive target.
Because OT controls physical processes, security breaches could enable attackers to sabotage or disrupt critical operations. Vulnerable endpoints may even be used as a stepping stone into IT networks for sensitive data theft. One 2022 report claims 83% of organisations suffered an OT breach in the previous 36 months. According to figures cited by McKinsey, the cost per incident of severe attacks can be as much as $140m. It’s not just financial risk organisations must consider. OT is also regulated by the NIS 2 Directive and its UK equivalent.
What Are The Risks?
The specialised nature of OT means that systems are exposed to certain cyber risks that may not apply to IT environments. They include:
- Use of legacy, insecure communications protocols
- Vendors that don’t pay enough heed to vulnerability management
- Hardware lifecycles of 10+ years, meaning admins are forced to run outdated OSes/software
- Patching challenges, as equipment often can’t be taken offline to test updates (even if they are available)
- Equipment that’s too old to deploy modern security solutions to
- Security certifications which don’t recognise severe defects, giving admins a false sense of security
- Security-by-design issues that aren’t reported/assigned CVEs, meaning they fly under the radar
- Siloed IT/OT teams, which can create gaps in visibility, protection and detection
- Insecure passwords and misconfigurations (although this is also common in IT environments)
From a technical perspective, the Forescout report cited earlier highlights several categories of vulnerability in many OT products:
- Insecure engineering protocols
- Weak cryptography or broken authentication schemes
- Insecure firmware updates
- Remote code execution (RCE) via native functionality
How To Mitigate Risk From OT Systems
As per IT security, defence in depth is the best way to mitigate OT cyber risk. According to Carlos Buenano, Principal Solutions Architect for Operational Technology (OT) at Armis, it starts with visibility of OT assets and then prompt patching.
“Since it is very common for OT environments to have vulnerable assets, organisations need to create a comprehensive asset inventory of their network and have additional intelligence on what those assets are and what they are actually doing,” he tells ISMS.online. “Contextual data enables teams to define what risk each device poses to the OT environment and assess their business impact so that they can prioritise remediation of critical and/or weaponised vulnerabilities to reduce the attack surface quickly.”
Here’s a quick checklist for organisations:
Asset discovery/management: You can’t protect what you can’t see. So, understand the full extent of OT in the enterprise.
Prompt patching and continuous scanning: OT assets should be continuously scanned for vulnerabilities once discovered. And a risk-based patching programme will ensure CVEs are prioritised effectively. Consider building a non-critical testing environment for patches. And if certain assets can’t be patched, consider alternatives, like virtual patching, network segmentation, SIEM and integrity monitoring.
Identity and access management: Deploy role-based access controls, follow the principle of least privilege and support multi-factor authentication (MFA).
Segmentation: Separate corporate from OT networks, and segment OT networks, to contain the spread of malware.
Threat prevention: Deploy controls such as intrusion detection (IDS), AV software and file integrity-checking tools to prevent and detect malware.
Encryption and backup: Protect OT data at rest and in transit and have backups to mitigate the impact of ransomware.
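Asset discovery and segmentation, the first and fourth items in the checklist, are easiest to start passively: OT engineering protocols run on well-known ports, so flow records from a span port or firewall already reveal which devices speak them and which zones are talking to each other. The block below is an added example, not code from Armis, ISMS.online or any vendor. It builds an inventory of OT assets from constructed flow records, notes which of them serve protocols with no native authentication (a category the Forescout report lists as “insecure engineering protocols”), and flags flows that cross the plant’s zone boundaries in a direction the design does not permit. The zone layout, the allowed-flow matrix and the flow-record format are assumptions for an illustrative plant; the port-to-protocol map covers a handful of common protocols and is not exhaustive.

```python
"""Build an OT asset inventory from flow records and flag disallowed zone crossings.

Added example, not Armis's, ISMS.online's or any vendor's code. The flow records
and zone layout are constructed; the port map covers a few common engineering
protocols only, and the allowed-flow matrix is an assumption for this plant.
"""
import ipaddress
from collections import defaultdict

# Default listening ports of common OT protocols
OT_PROTOCOLS = {
    502: "Modbus/TCP",
    102: "Siemens S7 (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
    4840: "OPC UA",
}
# Protocols with no native authentication or encryption
UNAUTHENTICATED = {"Modbus/TCP", "Siemens S7 (ISO-TSAP)", "EtherNet/IP", "DNP3"}

ZONES = {  # assumption: IEC 62443-style zones for an illustrative plant
    "corporate-it": ipaddress.ip_network("10.10.0.0/16"),
    "ot-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot-control": ipaddress.ip_network("10.30.0.0/24"),
}
# (source zone, destination zone) pairs the segmentation design permits;
# corporate IT may reach the DMZ, the DMZ may reach the control zone, never IT -> control
ALLOWED = {("corporate-it", "ot-dmz"), ("ot-dmz", "ot-control"), ("ot-control", "ot-control")}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Constructed record format: src_ip,src_port,dst_ip,dst_port,proto,bytes."""
    src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def build_inventory(flows):
    """Return ({asset_ip: {protocols served}}, [(src, dst, dport, protocol) violations])."""
    inventory = defaultdict(set)
    violations = []
    for line in flows:
        f = parse_flow(line)
        name = OT_PROTOCOLS.get(f["dport"])
        if name:
            inventory[f["dst"]].add(name)      # the responder is the OT asset
        pair = (zone_of(f["src"]), zone_of(f["dst"]))
        if pair not in ALLOWED:
            violations.append((f["src"], f["dst"], f["dport"], name or f["proto"]))
    return dict(inventory), violations


def unauthenticated_assets(inventory):
    """Assets exposing at least one protocol that cannot authenticate its peer."""
    return sorted(ip for ip, protos in inventory.items() if protos & UNAUTHENTICATED)


FLOWS = [  # constructed sample flows
    "10.20.0.5,51000,10.30.0.10,502,tcp,1200",    # SCADA in DMZ polling a PLC: allowed
    "10.30.0.10,40000,10.30.0.11,102,tcp,800",     # PLC to PLC inside the control zone: allowed
    "10.10.4.20,52000,10.30.0.10,502,tcp,300",     # corporate workstation straight to a PLC: violation
    "10.10.4.21,52001,10.20.0.5,443,tcp,5000",     # corporate to the DMZ historian: allowed
    "10.30.0.12,40001,10.10.0.9,445,tcp,9000",     # control zone reaching into corporate SMB: violation
    "10.20.0.5,51001,10.30.0.11,4840,tcp,2200",    # OPC UA from the DMZ: allowed
]

if __name__ == "__main__":
    inv, viol = build_inventory(FLOWS)
    for ip, protos in sorted(inv.items()):
        print(ip, sorted(protos))
    print("unauthenticated:", unauthenticated_assets(inv))
    for v in viol:
        print("zone violation:", v)
```

Two things the output shows that a port list alone does not: the second violation is outbound from the control zone, which is exactly the pivot pattern the article describes for compromised edge devices, and OPC UA is inventoried but not listed as unauthenticated because, unlike Modbus or S7, it can authenticate and encrypt when configured to. Both lists feed directly into the risk-based prioritisation Buenano describes, since an unauthenticated asset reachable from a zone it should not be reachable from is the one to segment or virtually patch first.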
Breaking Down IT-OT Silos
As OT and IT systems converge in many organisations, threats once confined to IT, such as remote compromise, become more commonplace for industrial systems. Therefore, preventing, detecting and responding to such threats will require more interaction between IT and OT teams. OT teams can learn much from the experience IT has built up over the years regarding security controls, and both have a vested interest in business continuity.
“By working together, IT and OT teams can identify and mitigate cybersecurity risks that affect both IT and OT environments, thus protecting the organisation from cyber-attack,” Trend Micro UK & Ireland technical director, Bharat Mistry, tells ISMS.online. “Additionally, collaboration between the teams will improve the efficiency of security operations teams and ultimately help to reduce costs.”
From a compliance perspective, this may require the organisation to go beyond the limits of ISO 27001 and seek out complementary certifications in the OT space.
“We see frameworks like ISO 27001 used in enterprise IT and bespoke or tailored frameworks like IEC 62443 for OT,” Mistry explains. “On paper, there is some overlap between these, but in reality, these frameworks are start points and are often customised to suit the organisation’s environment.”
Ultimately, it’s in everyone’s best interests to work together, says Armis’s Buenano.
“From an organisational perspective, having a risk-based approach to vulnerability management must go hand in hand with OT and IT departments working together to help coordinate mitigation efforts,” he concludes. “Cross-departmental projects will help streamline process and resource management and achieve greater compliance and data security.”
The government’s new risk register is heavy on cyber. Is that a good or bad thing?
Posted: September 8, 2023 Filed under: Uncategorized | Tags: cyber resilience, cybersecurity, government, national risk register Leave a comment
What are the chances of a catastrophic cyber incident occurring in the UK in the next two years? How many might die, or be maimed in such an incident? And how much might it cost the country? These are the kinds of unpleasant questions the government seeks to answer in its latest National Risk Register (NRR).
Since 2008, the report has been published to help businesses running critical national infrastructure (CNI), and other organisations, to enhance their resilience to potential risks. The big difference between now and then is that cyber is now one of nine key “themes” examined in the report.
I recently spoke to some experts to write an upcoming feature for Assured Intelligence.
What the NRR says
For the first time, the NRR was compiled from information in the National Security Risk Assessment (NSRA), a classified document written with help from government experts. It highlights potential cyber risk across multiple scenarios. These involve data theft and/or disruption to:
- Gas infrastructure
- Electricity infrastructure
- Civil nuclear facilities
- Fuel supply infrastructure
- Government
- The health and social care system
- The transport sector
- Telecommunications systems
- UK financial infrastructure
- A UK retail bank
The NRR ranks the likelihood of such attacks happening in the next two years as a “4” on a scale of 1–5, with 5 being the most likely (>25%). That equates to a “highly unlikely” risk with a “moderate” impact. However, as mild as this sounds, even a moderate incident could lead to up to 1000 fatalities and casualties of up to 2000, with losses in the billions of pounds. By contrast, the estimated economic damage from cyber incidents in 2000 was pegged at £10-100m.
That’s a reflection of the digital world we live in, as is the mention of AI as a potential chronic risk (as opposed to the acute risks highlighted above). Chronic risks, the NRR says, are manifest over a longer period of time and can make acute risks “more likely and serious”.
Should we be concerned?
Egress VP of threat intelligence, Jack Chapman, believes the government has it about right.
“I agree with the government’s risk assessment and its accuracy based on historic threats. Obviously this strongly depends on the geo-political landscape and how it evolves,” he told me.
“However, there’s been an increase in digitalisation in this space, meaning the risks and impact are increasing. There’s also a far higher level of uncertainty with the government’s assessment in comparison to previous reports.”
However, it’s not all doom and gloom, as steps are being taken to mitigate these acute cyber risks and build resilience into CNI, he added.
“It’s important to note that more active work is being done around cybersecurity than ever before; from putting security-by-design at the heart of new projects, to the impact the NCSC is having in the sector to help mitigate this risk,” Chapman said.
How can CNI hit back?
The big question is how exactly CNI providers can enhance resilience. Arun Kumar, regional director at ManageEngine, believes AI may hold the key, in helping to identify threats “faster and more accurately” than humans. But he goes further.
“Regulation will also play a vital role in carefully managing the negative impact of AI. It’s important to maintain strong security practices such as compliance with NIST and GDPR regulations,” he told me.
“Change needs to be foreseen and carefully managed—striking a balance between utilising the benefits of AI and limiting the negative side. To this end, collaboration is also paramount, both internally and externally within the cybersecurity community, encompassing researchers, professionals, enterprises and policymakers.”
Other best practices could include enhanced password management, vulnerability scanning and prompt patching, and user education to ward off the threat of phishing. To that we could add several other best practices, outlined by the National Cyber Security Centre (NCSC) here. It’s a tall job for CNI firms on an increasingly tight budget. But the alternative is undoubtedly worse.
