Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.
The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.
"Sysrv-K scans the

Microsoft is warning of a new variant of the **srv botnet** that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.

The tech giant, which has called the new version **Sysrv-K**, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.

"Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company said in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities."

This also includes CVE-2022-22947 (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request.

It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its Known Exploited Vulnerabilities Catalog.

A key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a Telegram Bot.

Once infected, lateral movement is facilitated through SSH keys available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk.

"The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware," Lacework Labs researchers noted last year. "Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems."

Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners

The 360° Assessment & Certification from MRG-Effitas can offer guidance to SMBs looking for a simple, effective cybersecurity product. 
The post Why MRG-Effitas matters to SMBs appeared first on Malwarebytes Labs.

When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today.

But these tests can sometimes assume a level of end-user complexity—and funding and staffing—that the average SMB might lack. Without a full-time security team, or even a single full-time internal IT hire, an SMB could unwittingly purchase a cybersecurity product that, while effective, requires a level of expertise they simply do not have.

This is where one third-party research team, in particular, can help.

MRG-Effitas, which produces quarterly reports about cybersecurity products that publicly participate in evaluations, focuses its analyses on “real world” malware attacks and detection capabilities. Not only do the researchers test malware samples that are currently infecting endpoints across the world, but the researchers also stress the importance of simple, effective notifications that will help the average user respond to any detected cyberthreat.

“Simulating normal user behaviour means that we pay special attention to all alerts given by security applications,” wrote the researchers in their most recent quarterly report for their program, the “360° Assessment & Certification.”

The 360° Assessment & Certification combines several tests that are then grouped into four separate certifications. Based on how a cybersecurity product performed in certain tests, that product will either earn a certificate or not. This almost-binary representation of a product’s performance is simple and effective, and it can help to quickly inform an SMB about whether a certain product is right for their company.

At the core of the MRG-Effitas certification process—which tests how products respond to known exploits, ransomware, botnets, adware, and more—is the user.

“A pass is given only when alerts are straightforward, and clearly suggest that the malicious action should be blocked,” the report said. “With this in mind, it is very important to note that the best choice for an average user is to keep things as simple as possible and not to overwhelm them with cryptic pop-ups, alerts or questions.”

****Testing and certification****

The 360° Assessment & Certification by MRG-Effitas involves the following nine rounds of testing:

*   In the Wild/Full Spectrum Test
*   PUA/Adware Test
*   Exploit/Fileless Test
*   Real Botnet Test
*   Banking Simulator Test
*   Ransomware Simulator Test
*   False Positive Ransomware Test
*   False Positive Test
*   Performance Test

Each test has a specific purpose, from testing how cybersecurity products respond to an end-user visiting a malicious URL that delivers malware, to the detection of non-malicious but meddlesome applications such as adware, to even testing how a product responds to live ransomware samples observed in real world applications, and to simulated ransomware samples developed by MRG-Effitas. Importantly, MRG-Effitas also tests the performance load of each cybersecurity product, analyzing how much time it takes to perform certain tasks on devices that have the cybersecurity product installed.

While MRG-Effitas performs testing in the above nine categories, it only awards certificates in four categories: The 360° Assessment, the 360° Exploit Degree, the 360° Online Banking Degree, and the 360° Ransomware Degree.

For the 360° Assessment, MRG-Effitas assigns two levels of certification—Level 1 and Level 2—depending on how successfully a cybersecurity product detected the cyberthreats that were launched at it during testing. A vendor only receives Level 1 certification if it detected all threats on “first exposure or via behaviour protection,” the report said, and it passed the Real Botnet Test.

The malware load used during the 360° Assessment is significant. In the most recent round, it involved 360 “In The Wild” samples that included: “20 trojans, 54 backdoors, 50 financial malware samples, 53 ransomware, 49 spyware, 84 malicious documents, \[and\] 50 malicious script files.”

Just four products publicly received a Level 1 certification in the recent 360° Assessment: Malwarebytes Endpoint Protection, Bitdefender Endpoint Security, Microsoft Windows Defender, and Symantec Endpoint Protection.

A similar test deploys 50 financial malware samples against the detection and protection capabilities of the cybersecurity products, along with simulated banking malware. Five products publicly received the 360° Online Banking Certification: Malwarebytes Endpoint Protection, Avira Antivirus Pro, Bitdefender Endpoint Security, ESET Endpoint Security, and Symantec Endpoint Protection.

****Ransomware simulations****

In just the past decade, ransomware has evolved tremendously. Developers of the infamous family of malware have gone from asking for measly sums of money from individuals to creating entire business models in which they license out their ransomware tool to other threat actors. When those threat actors successfully hit a business—which they could have purchased access to from other threat actors—the original ransomware developers take a cut of whatever eventual payment is made. To make matters worse, threat actors have also begun deploying ransomware that not only encrypts a company’s files, but it also first exfiltrates any sensitive data, which the threat actors then use as a second point of leverage: Pay up or your data will be published for everyone to see.

The researchers at MRG-Effitas, recognizing this rapid pace of ransomware evolution, have, for years, tested cybersecurity products against ransomware samples developed in-house that could represent where ransomware development is headed in just months or years.

In the most recent 360° Assessment & Certification, MRG-Effitas deployed 53 ransomware samples against the cybersecurity products, and an additional four simulated ransomware samples. To achieve the 360° Ransomware Certification, a product must have protected a device from the 53 ransomware samples and 4 simulated ransomware simulated samples, and it must have passed the false positive ransomware test.

In the most recent round of testing, all nine publicly-evaluated cybersecurity products achieved ransomware certification.

****Performance****

Understanding whether a cybersecurity product works well is, obviously, important. But of similar importance to SMBs is understanding what impact a cybersecurity product will have on a suite of endpoints. Without large budgets that could allow for constantly refreshed, new devices to be purchased, SMBs should consider how much a cybersecurity product could slow down their organizations’ devices.

Thankfully, MRG-Effitas analyzes cybersecurity products based on their impact on performing simple operations, like downloading a file, opening a Microsoft Office program, or opening a website. The analysis also measures the time spent performing a security software update and the CPU usage during the update process.

Unlike the certificates offered by MRG-Effitas for other categories, there is no certificate or “pass/fail” result when testing performance. Instead, SMBs can look at the performance measurements for each product in the latest 360° Assessment & Certification.

****Less “interpretation,” quicker answers****

The simplicity of MRG-Effitas’ 360° Assessment & Certification gives SMBs a quick guide into what cybersecurity products could be the right fit for them. Without having to dive into countless interpretive reports from each cybersecurity vendor, SMBs can instead look at the most recent 360° Assessment & Certification and ask themselves: Which of these products received certification and which did not?

Knowing that MRG-Effitas hews its testing ideology to the user—only offering certifications for products that clearly notify and warn users about how to respond to a threat—SMBs can be sure that whatever tool they choose will, at the very least, be easy to use on their end.

Why MRG-Effitas matters to SMBs

A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme.
Glib Oleksandr Ivanov-Tolpintsev, who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being extradited to the U.S. in September

A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme.

**Glib Oleksandr Ivanov-Tolpintsev**, who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being extradited to the U.S. in September 2021.

The illegal sale involved the trafficking of login credentials to servers located across the world and personally identifiable information such as dates of birth and Social Security numbers belonging to U.S. residents on a darknet marketplace.

The unnamed site purportedly offered over 700,000 compromised servers for sale, including at least 150,000 in the U.S. alone. Believed to have been operational from around October 2014, the underground marketplace was seized by law enforcement authorities on January 24, 2019, according to court documents.

This exactly coincides with the dismantling of the xDedic Marketplace following a year-long investigation on the same date by agencies from the U.S., Belgium, Ukraine, and Germany.

"The xDedic Marketplace sold access to compromised computers worldwide as well as personal data," Europol said at the time, adding, "users of xDedic could search for compromised computer credentials by criteria, such as price, geographic location, and operating system."

Victims spanned a wide gamut of sectors like governments, hospitals, emergency services, call centers, metropolitan transit authorities, law firms, pension funds, and universities.

"Once purchased, criminals used these servers to facilitate a wide range of illegal activity that included ransomware attacks and tax fraud," the U.S. Justice Department (DoJ) noted in a press statement.

Ivanov-Tolpintsev is said to have obtained the server usernames and passwords by means of a botnet that was used to brute-force and password spraying attacks, listing on sale these hacked credentials on the marketplace from 2017 through 2019 and netting $82,648 in return.

The sentencing comes as the DoJ awarded a jail term of at least five years to a trio of cybercriminals for conspiracy to commit fraud and aggravated identity theft.

"From at least 2015 through 2020, \[Jean Elie Doreus\] Jovin, Alessandro Doreus, and Djouman Doreus conspired to knowingly, and with intent to defraud, possess tens of thousands of counterfeit and unauthorized access devices—including the names, Social Security numbers, account numbers, usernames, and passwords of identity theft victims," the department said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Ukrainian Hacker Jailed for 4-Years in U.S. for Selling Access to Hacked Servers

By Deeba Ahmed
The 28-year-old Ukrainian national Glib Oleksandr Ivanov-Tolpintsev was arrested in Poland and extradited to the USA in 2020.…
This is a post from HackRead.com Read the original post: US Sentence Ukrainian to 4 Years for Brute-forcing and Selling Login Credentials

**The 28-year-old Ukrainian national Glib Oleksandr Ivanov-Tolpintsev** **was arrested in Poland and extradited to the USA in 2020.**

A Ukrainian national identified as Glib Oleksandr Ivanov-Tolpintsev in the press release from the US Department of Justice (DoJ) has been sentenced to four years in federal prison for stealing server login credentials and selling them on the Dark Web.

Polish police arrested the Chernivtsi, Ukraine resident from Korczowa, Poland, on 3rd October 2020 and later extradited him to the USA. He pleaded guilty in February 2022. The Tampa Division of the Federal Bureau of Investigation (FBI) investigated the case, and the trial was held in Florida.

**Accused Brute-Forced Thousands of Server Logins**

According to the DoJ’s press release, the 28-year-old Ivanov-Tolpintsev controlled a botnet to brute-force thousands of server logins, and after decrypting the credentials, he sold them on Dark Web.

Glib Oleksandr Ivanov-Tolpintsev

During the trial, the accused admitted obtaining a minimum of two thousand access credentials every week and listed them for sale between 2017 and 2019. He earned $82,000 through selling decrypted credentials, some of which belonged to businesses based in Florida.

**Stolen Credentials Used to Launch Ransomware Attacks**

The unnamed marketplace listed stolen server usernames/passwords and PII (personally identifiable information) of US residents, including dates of birth and Social Security numbers, and offered more than 700,000 stolen servers.

Furthermore, the investigation revealed that at least 150,000 impacted servers were based in the US and 8000 in Florida only, while users from across the world were impacted.

Possible victims include metropolitan transit authorities, emergency services, hospitals, state, federal, and local governments, call centers, pension funds, law firms, accounting firms, and educational institutions. Reportedly, threat actors used the access to the servers to carry out ransomware attacks or commit tax fraud.

**More Cyber Criminals Arrest News**

*   Ukrainian police arrest Cl0p ransomware gang members
*   FS.to pirate website shut down after Ukraine’s National Police Raid
*   Members of the infamous Egregor ransomware arrested in Ukraine
*   Husband and wife among ransomware operators arrested in Ukraine
*   Alleged Ukrainian Member of REvil Ransomware Gang Extradited to the US

US Sentence Ukrainian to 4 Years for Brute-forcing and Selling Login Credentials

Botnet operator had thousands of hacked credential listings, according to the DoJ

Botnet operator had thousands of hacked credential listings, according to the DoJ

A Ukrainian hacker has been sentenced to four years behind bars for selling stolen credentials online.

On Thursday (May 12), the US Department of Justice (DoJ) said that Glib Oleksandr Ivanov-Tolpintsev, from Chernivtsi, Ukraine, was sentenced to time in federal prison for operating a botnet designed to brute-force attack servers.

**DON’T MISS** Marcus Hutchins on halting WannaCry – ‘Still to this day it feels like it was all a weird dream’

Botnets are slave networks made up of compromised computers and other devices. Operators can direct these networks to slam online services with traffic, known as distributed denial-of-service (DDoS) attacks.

Furthermore, botnets can be commanded to attempt to crack credentials by automatically applying trial-and-error username and password combinations.

**Rogue operation**

According to the DoJ filing, Ivanov-Tolpintsev’s botnet was used to “decrypt numerous computer login credentials simultaneously”. At its peak, roughly 2,000 machines were targeted and compromised each week.

From 2017 to 2019, the cyber-attacker operated a store on the dark web and sold hacked credentials in their thousands. Businesses in Florida owned at least 100 servers listed by the 28-year-old.

Read about more of the latest cyber-attacks

The scheme was profitable – at least, until he was caught – and prosecutors estimate that the dark web store turned over a minimum of $82,648.

Ivanov-Tolpintsev was tracked to Korczowa, Poland, and was arrested by local law enforcement on October 3, 2020. He was then extradited to the US and pleaded guilty to conspiring to traffic in unauthorized access devices and computer passwords.

As part of his sentence, Ivanov-Tolpintsev must also forfeit his cybercrime proceeds.

The case was investigated by the IRS and the Tampa Division of the FBI.

**YOU MIGHT ALSO LIKE** Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

Ukrainian hacker jailed for selling account credentials on the dark web

By understanding how FaaS works and following best practices to prevent it, your business can protect its customers, revenue, and brand reputation.

The pandemic pivot to digital banking, shopping, and other services was an important health measure, but it created opportunities for organized fraudsters to grow their "business" and expand their offerings to include fraud-as-a-service (FaaS). FaaS takes several forms, all with the goal of making it easier for both experienced and novice criminals to commit fraud. Here's what merchants need to know about this trend and how to prevent FaaS attacks.  

**How Fraud-as-a-Service Works  
**There are two main components to FaaS: bots and brand impersonation. Neither tactic is entirely new. Fraudsters have been using bots for card-testing attacks for years, and brand impersonation is a classic scheme for phishing credentials and payment data.

Now, though, fraud "service providers" are going farther. Criminals can rent bot networks inexpensively to launch large-scale fraud campaigns against websites and to phish victims. However, two-factor authentication (2FA) can prevent thieves from breaking into accounts even with stolen data. SIM-swapping is one option for getting around 2FA, but it's time consuming and requires planning. So, criminals now offer OTP (one-time password) bot services. Fraudsters can plug in victims' names and financial institutions or favorite stores, and the bot handles the rest – phishing the victim for their one-time password so fraudsters can take over the related account – all for as little as 15 cents per bot call.  

**Detecting and Preventing Fraud-as-a-Service Attacks  
**The best practices that protect businesses from fraud are more important than ever . This is a good time to make sure your organization's anti-fraud program includes these elements:

**1\. Limit data entry attempts and velocity:** One of the telltale signs of a bot attack is the speed at which it moves. Bots can load up carts, check out, and place orders much faster than humans can. They can also repeatedly enter different passwords and one-time codes until they hit a match.

If your website allows customers to make unlimited attempts to enter their data correctly, setting a limit on the number of attempts before they're locked out can protect your store from bots. Likewise, flagging orders for velocity can help to separate busy shoppers who are reordering familiar items from botnets that are programmed to scoop up as many items as they can, as fast as possible.

**2\. Screen every order:** Because there are billions of compromised credentials available to fraudsters now, because FaaS scams are harvesting more credentials, and because FaaS bots can use those credentials to crack accounts at scale, businesses can no longer assume that returning customers are who they appear to be.

That means it's no longer safe to automatically approve orders from known customers. Every order needs to be screened for payment data as well as for device, geolocation, and behavioral biometrics to help validate the customer or flag the order as possible account takeover fraud.

**3\. Run batch analyses to detect fraud at scale:** Bot rental and compromised credentials allow fraudsters to get creative with their attacks on businesses. For example, a gang can target an online store with a spate of orders that appear to come from different customers using different payment methods. Each of these orders may pass muster with the fraud screening solution and get approved.

However, if the merchant also selects random orders for analysis as a group, the fraud solution may find patterns that indicate criminal activity. Maybe that burst of orders from different customers were all shipping to the same address. Or perhaps all of the cards they used to pay had the same bank identification number, indicating that the customers might be synthetic identities. Batch analysis can reveal these issues so that fraudulent orders can be canceled before items ship.

**4\. Avoid automatic declines:** Stopping fraud can only save a company money if it doesn't also stop good customers from completing their orders and coming back for repeat purchases. Automatic declines may seem like a way to save money and time on order decisioning, but this approach typically generates a high rate of false declines. A recent ClearSale five-country survey of online shoppers found that 40% won't ever go back to a website that declines their order. That represents a lot of lost customer lifetime value.

**5\. Use manual review:** The alternative to automatic declines is manual review by fraud specialists, who can distinguish between fraud and unusual but valid customer behavior. Manual review of flagged orders costs more than auto-declines up front, but the ROI includes more approved orders and less customer churn due to false declines.

**6\. Continuously train your ML:** Manual review results can and should feed the automated fraud solution's machine learning algorithms. This helps the AI get better at detecting sophisticated fraud and customer behavior that's not completely normal but also isn't fraudulent. This can result in fewer flagged orders and reduce the need for manual review over the long term.

**7\. Monitor brand mentions:** FaaS schemes often impersonate brands to trick consumers into sharing their credentials and even authentication codes. Every business should keep an eye out for social media accounts, websites, email campaigns, and even SMS campaigns that impersonate their brand. Depending on the channel, a company can report imposters to the platform, Web host, or Federal Communications Commission and alert their customers there's a scam operating under the company's brand.

FaaS shows how fraud continues to evolve, and how the technologies that make life more convenient for customers also make fraud easier for criminals. By understanding how FaaS works and following best practices to prevent it, your business can help protect your customers, your revenue, and your brand reputation.

How Can Your Business Defend Itself Against Fraud-as-a-Service?

This year's Black Hat Asia is hybrid, with some sessions broadcast on the virtual platform and others live on stage in Singapore. News Desk is available on-demand with prerecorded interviews.

May 11, 2022 — Like many things since 2020, Dark Reading News Desk has had to adapt. Instead of broadcasting live interviews with security researchers presenting at Black Hat, News Desk shifted to prerecorded interviews with the speakers. 

For Black Hat Asia 2022, Dark Reading News Desk is staying virtual, even as the conference goes hybrid. Black Hat attendees have the option to tune in virtually or attend in person at the Marina Bay Sands in Singapore. Dark Reading News Desk is keeping its virtual format.

News Desk interviewed some speakers presenting at Black Hat Asia 2022 about their sessions. These interviews will be available on-demand at Black Hat Virtual (under the show's "Dark Reading News Desk" tab) and right here on Dark Reading:

**DAY 1: Thursday, May 12**

Speakers from Binarly, Immune GmbH, and Red Hat discuss the complexity of the firmware ecosystem and the challenges of identifying and fixing flaws in hardware devices in "The Firmware Supply-Chain Security Is Broken: Can We Fix It?"

Watch the speakers try to distill the challenges in less than 15 minutes in this News Desk segment:  

No Black Hat is complete without at least one dissection of a cyber espionage operation. SideWinder (also known as RattleSnake and T-APT-04) is an aggressive threat actor that has been active since at least 2012. Details on the techniques and methods used by this advanced cyber espionage team will be part of "SideWinder Uncoils to Strike." Dark Reading editor-in-chief Kelly Jackson Higgins offers a sneak peak in this preview. 

Check out the News Desk segment:  

****DAY 2: Friday, May 13****

Trend Micro researchers discuss their discovery of a botnet infrastructure masquerading as an SMS phone-verified account service in "SMS PVA Services Fueled by Compromised Supply-Chain Mobile Botnets."

Watch the News Desk segment on this mobile threat:  

With the Russian invasion of Ukraine in February, the world has had a front-row seat to information warfare. A security expert with experience in security intelligence, policy, and Ukraine dissects what is happening in "The Virtual Battlefield in 2022: Russia-Ukraine War & Its Policy Implications."

Watch this News Desk segment with Very Good Security’s Kenneth Geers:  

It's a fact that every operating system has vulnerabilities, but it still takes many by surprise when there are "macOS Vulnerabilities Hiding in Plain Sight."

Watch Offensive Security's Csaba Fitzl describe what he found:  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

On the Air With Dark Reading News Desk at Black Hat Asia 2022

NEW YORK, May 11, 2022 /PRNewswire/ -- Six months after news broke about fake, 'bot-driven' student college enrollment in California's community colleges, global cybersecurity company CHEQ released new data suggesting that bot traffic on higher education websites continues to rise.

In December of 2021, the LA Times reported that a Pierce College professor discovered many of those registering for her classes online were bots rather than legitimately enrolled students. During that time, The California Community Colleges Chancellor's Office estimated that about 1 in 5 applications was "malicious and bot-related."

CHEQ's data tells a similar story, indicating that the issue of bot traffic in online higher education may be even larger than originally estimated. Specifically, throughout 2021, bot traffic coming from organic and direct sources hovered around 30%. So far in 2022, that number has jumped to 45% - showing a 50% overall increase. The bot traffic discovered includes malicious scrapers and web crawlers, automation tools, headless browsers and botnets. The data was collected as part of a global study into fake user and bot traffic trends online, conducted across over 50,000 websites.

_"Like with many other industries, higher-education is increasingly transitioning to online models of registration, enrollment, payment and virtual classrooms, opening the door to more online fraud and increased exposure to the Fake Web"_ said Guy Tytuniovich, CHEQ's CEO. _"When you also factor in the sheer size of the economy around higher-education, you realize why it's an appealing target for fraudsters and scammers, as we see in our most recent data."_

Through analyzing their data, CHEQ has found that higher education bot traffic is more common than bot traffic in many other industries. When it comes to organic and direct traffic, the gaming industry typically sees Invalid Traffic (IVT) rates of 15%, and the insurance industry sees 18%. This indicates that the education sector has consistently been a target for fraudulent activity, and may continue to see increases in attacks from fake users.

Fraudulent 'Bot-driven' College Enrollment up 50%, New Study Finds

Analysis finds 687 million exposed credentials and personally identifiable information (PII) among Fortune 1000 employees, and a 64% password reuse rate.

AUSTIN, Texas – May 10, 2022 – SpyCloud, the leader in account takeover and fraud prevention, today published its 2022 SpyCloud Fortune 1000 Identity Exposure Report, an annual analysis of identity exposure among employees of Fortune 1000 companies in key sectors such as technology, finance, retail and telecommunications.

Drawing on SpyCloud’s database of over 200 billion recaptured assets, researchers identified over 687 million exposed credentials and PII tied to Fortune 1000 employees, a 26% increase from last year’s analysis.

Analysis of this data showed a 64% password reuse rate, widespread use of easy-to-guess passwords, and a spike in malware-infected devices –– all sources of cyber risk for both employers and consumers who rely on businesses to safeguard their personal data. With remote work blurring the lines between work and personal device use, a larger attack surface compounds the risk of cyberattacks proliferating beyond compromised employee and consumer identities to penetrate corporate networks.

“In the last two years, most companies’ attack surfaces have expanded due to the new reality of a hybrid workforce.” said David Endler, co-founder and Chief Product Officer of SpyCloud. “Combined with facing a barrage of threats from malicious actors and the state of global affairs, there’s an urgent need for Fortune 1000 companies to shore up all threat vectors, starting with identifying and remediating compromised employee credentials and malware-infected devices.”

SpyCloud researchers identified credentials, PII and infected device data of 70,000 Fortune 1000 employees in recaptured botnet logs containing information siphoned using infostealer malware. An employee working from a malware-infected personal device creates risk for the enterprise, even with the use of complex passphrases and MFA. These high-severity exposures give criminals all the data they need to bypass authentication measures and impersonate employees, including passwords, system information, browser fingerprints, and web session cookies. Further, nearly 29 million malware-infected consumer devices were used to log into the consumer-facing sites of Fortune 1000 companies, exposing their credentials and PII to fraudsters.

“Malware infections on personal devices are the riskiest source of exposure because they are so difficult to detect and can drastically increase the attack surface for ransomware,” Endler said. “These attacks could not only lead to disastrous consequences for a company’s bottom line but could also significantly impact sectors such as critical infrastructure.”

**Critical Infrastructure and Technology Sectors Lag Behind**

The report showed that critical infrastructure companies were the worst offenders for bad password hygiene. Across four industries – aerospace and defense, chemical, industrial, and energy – elementary password hygiene issues were found, including the use of company names in the top three to five most used passwords.

While critical infrastructure employees exhibited the poorest password hygiene, the technology sector had the most severe exposure, with over 26 million breach records representing 139 million employee assets (credentials, PII, cookies, etc) –– comprising 21% of all exposed Fortune 1000 records (followed by financial services with 21 million records and nearly 120 million assets).

Technology companies also had the largest number of malware-infected devices across sectors, with nearly 70% of all infected consumer devices identified among the Fortune 1000 (20.6 million) and about 50% of all infected employee devices (approximately 34,000).

To defend against account takeover, malware, ransomware and other malicious cyberattacks, Fortune 1000 companies cannot bet solely on their employees to keep them safe and rather should think of users as consumers whose behavior expands the attack surface multi-fold.

To minimize exposure and safeguard data, enterprises need to enforce strong enterprise password policy with SSO where possible, create clear company policies on the use of business and personal devices, enforce multi factor authentication on critical accounts and mandate the use of password managers, as well as leverage continuous, actionable intelligence into their users’ exposure – especially in industries entrusted with a vast amount of sensitive consumer data such as technology, ecommerce, financial services, and critical infrastructure.

SpyCloud’s unique solutions, built on a foundation of recaptured data from breaches, malware-infected devices and other underground sources protect businesses and consumers from fraud and cyberattacks that stem from the use of stolen data by allowing companies to proactively monitor and remediate their exposures.

To download the full 2022 SpyCloud Fortune 1000 Breach Exposure Report, visit https://spycloud.com/resource/2022-fortune-1000-identity-exposure-report/.

To learn more about how SpyCloud helps organizations defend against fraudulent transactions, visit https://spycloud.com/.

**About SpyCloud**

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Its products leverage a proprietary engine that collects, curates, enriches and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

SpyCloud Report: Fortune 1000 Employees Pose Elevated Cyber Risk to Companies

The Five Eyes nations comprising Australia, Canada, New Zealand, the U.K., and the U.S., along with Ukraine and the European Union, formally pinned Russia for masterminding an attack on an international satellite communication (SATCOM) provider that had "spillover" effects across Europe.
The cyber offensive, which took place one hour before the Kremlin's military invasion of Ukraine on February

The Five Eyes nations comprising Australia, Canada, New Zealand, the U.K., and the U.S., along with Ukraine and the European Union, formally pinned Russia for masterminding an attack on an international satellite communication (SATCOM) provider that had "spillover" effects across Europe.

The cyber offensive, which took place one hour before the Kremlin's military invasion of Ukraine on February 24, targeted the KA-SAT satellite network operated by telecommunications company Viasat, crippling the operations of wind farms and internet users in central Europe.

Viasat, in late March, disclosed that it had shipped nearly 30,000 modems to distributors to restore service to customers whose modems were rendered unusable.

"This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several E.U. Member States," the Council of the European Union said.

Calling it a deliberate and unacceptable cyberattack, the nations pointed fingers at Russia for its "continued pattern of irresponsible behavior in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine."

The U.S. State Department said the digital assaults against commercial satellite communications networks were orchestrated to disrupt Ukrainian military command-and-control capabilities during the invasion.

An analysis from cybersecurity firm SentinelOne published last month revealed that the intrusion aimed at Viasat involved the use of a data-wiping malware dubbed AcidRain that's designed to remotely sabotage tens of thousands of vulnerable modems.

Furthermore, the discovery unearthed similarities between AcidRain and "dstr," a third-stage wiper module in VPNFilter, a botnet malware previously attributed to Russia's Sandworm group.

Besides the Viasat attacks, Australia and Canada also blamed the Russian government for targeting the Ukrainian banking sector in February 2022, COVID-19 vaccine research and development in 2020, and interfering in Georgia's 2020 parliamentary elections.

The attribution comes as Ukraine has been at the receiving end of a number of destructive attacks directed at public and private sector networks since the start of the year, launched as part of Russia's "hybrid" warfare strategy in concert with ground warfare.

The U.K.'s National Cyber Security Centre (NCSC) noted that Russian military intelligence agencies were "almost certainly" involved in the deployment of WhisperGate wiper malware and the defacements of several Ukrainian websites in January 2022.

AcidRain and WhisperGate are part of a long list of data wiper strains that has hit Ukraine in recent months, which also includes HermeticWiper (FoxBlade aka KillDisk), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.

"Russian hackers have been waging war against Ukraine in the cyberspace for the past eight years," the State Service for Special Communication and Information Protection of Ukraine (SSSCIP) said in a statement, adding they "pose a threat not only to Ukraine, but to the whole world."

"Their purpose is to damage and destroy, to wipe out data, to deny Ukrainian citizens' access to public services as well as to destabilize \[the\] situation in the country, to spread panic and distrust in the authorities among the people."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#botnet