cyber insurance

TWiC: China Cyberattacks, ManageEngine Exploits, FBI Urges Barracuda Appliance Removal, Cyber Insurance

In this edition of This Week in Cybersecurity, we bring you a comprehensive overview of the latest developments and pressing concerns within cybersecurity. As threats continue to evolve, it is crucial to stay informed and prepared. Join us as we explore four pivotal topics that demand attention and action.

Hackers Exploit Barracuda Email Security Appliances: FBI Urges Immediate Removal

The FBI has issued a compelling alert urging the swift removal of compromised email security appliances manufactured by Barracuda Networks. This comes after Barracuda issued the same advice back in May, which was detailed in another nGuard Security Advisory. Despite patches designed to fix the exploited zero-day vulnerability (CVE-2023-2868), the FBI asserts that these patches have proven ineffective against suspected Chinese hackers. Organizations are strongly advised to remove all Barracuda Email Security Gateway (ESG) appliances promptly. This warning underscores the importance of vigilance and the evolving nature of cyber threats. To protect your organization from these attacks and stay informed of these new vulnerabilities as they are discovered, nGuard offers Vulnerability Scanning and Penetration Testing, along with Security Device Configuration Audit services that can help identify vulnerabilities, assess risks, and fortify your infrastructure against potential attacks.

Growing Concerns of Destructive Cyberattacks by China

Top U.S. cyber official, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Agency, has sounded an alarm about the potential for China to launch destructive cyberattacks on critical U.S. infrastructure in the event of escalated tensions. China’s hackers are reportedly positioning themselves for such actions, which represent a significant departure from their historical cyber espionage activities. nGuard has a wide range of experience helping organizations secure their critical infrastructure from Energy and Utilities, to Manufacturing, to Healthcare, to Government.

Cyber Insurance and the Nexus of Coverage and Protection

As cybersecurity evolves, the relationship between cybersecurity and insurance industries becomes increasingly intricate. Experts in the field gathered at the Def Con hacker conference to discuss the need for cyber insurance, its assessment, and its alignment with cybersecurity measures. Back in February, nGuard wrote about 5 new requirements that insurance companies need to issue policies. Security Awareness Training and Testing, Vulnerability Management, and 24/7/365 Monitoring were among the requirements listed. While cyber insurance offers financial protection, factors like calculating premiums and assessing risks are challenges that require attention. The role of cyber insurance as a motivator to enhance cybersecurity programs is emphasized, with a call to move quickly in preparing for potential cyberattacks.

Lazarus Hackers Exploit ManageEngine Vulnerability: New Threats Emerge

The North Korean state-backed Lazarus hacker group has capitalized on a critical ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to compromise an internet backbone infrastructure provider and healthcare organizations. In early 2023, Lazarus exploited the flaw in multiple Zoho ManageEngine products to infiltrate a U.K. internet backbone provider, deploying the “QuiteRAT” malware and unveiling the newly discovered “CollectionRAT” remote access trojan (RAT). QuiteRAT, a potent malware discovered in February 2023, showcases enhanced capabilities compared to its predecessor, MagicRAT. CollectionRAT, linked to the “EarlyRAT” family and the Andariel subgroup, boasts sophisticated features, including on-the-fly code decryption using the Microsoft Foundation Class framework. Lazarus’ evolving tactics, employing open-source tools and frameworks, pose challenges for attribution and defense strategies. To safeguard against emerging threats, nGuard offers comprehensive Penetration Testing and Vulnerability Management services to assess vulnerabilities, enhance security, and mitigate risks.

The evolving nature of cyber threats demands taking proactive measures and forming strategic partnerships. As highlighted in the topics covered, cybersecurity is ever-changing where staying informed, prepared, and collaborating with experts is critical. At nGuard, we offer a suite of solutions designed to assist organizations in navigating this complex landscape. From incident response and vulnerability management to proactive security assessments, we are ready to enhance your security posture. The key to cybersecurity success lies in constant adaptation and continuous improvement.

TWiC | SolarWinds Breach Update, Salesforce Data Leak, Merck $1.4B Cyber Insurance Denial Case

In this edition of This Week in Cybersecurity (TWiC), we have updates on the SolarWinds breach, Salesforce data leak and a $1.4 billion cyber insurance denial case involving Merck. The SolarWinds breach, which was discovered by the US Department of Justice six months earlier than originally reported, highlighted the importance of having an incident response plan and cybersecurity partner to help navigate the situation. Meanwhile, misconfigurations in Salesforce Community led to the exposure of sensitive data across various organizations. Finally, a New Jersey appellate court ruled that Merck is entitled to a $1.4 billion payout in a cyber insurance lawsuit, setting a precedent for cyber insurance coverage for non-military companies affected by cyberattacks originating from government or sovereign powers.

SolarWinds Breach Detected 6 Months Earlier Than Originally Reported

The SolarWinds breach, which saw Russian hackers insert a backdoor into the software maker’s systems, was discovered by the US Department of Justice (DoJ) six months earlier than previously reported. nGuard reported on the breach in January 2021, with a follow-up detailing additional vulnerabilities discovered in February. However, the scale and significance of the breach were not immediately apparent and the DoJ had engaged Microsoft and Mandiant to help determine whether the server had been hacked. Although suspicions were raised that the hackers had breached the DoJ server directly by exploiting a vulnerability in the Orion software, the investigation failed to find any vulnerability in SolarWinds’ code and even SolarWinds’ own engineers could not find any vulnerability in their code that could have led to the breach.

In December 2020, it was publicly announced that at least nine US federal agencies were among those affected by the SolarWinds campaign. The DoJ initially claimed that its chief information officer had discovered the breach on December 24. When breaches like this happen, it’s crucial to have an incident response plan and a cybersecurity partner to help triage the incident. For organizations that are dealing with high-impact events like this, nGuard offers a policy development and incident response serviceconsle that can help them navigate the situation.

One of the most important items for forensic analysis in the aftermath of a breach are logs. nGuard’s Managed Event Collection and Correlation service can help incident response engineers navigate the events and determine the root cause of a breach. However, it’s important to remember that prevention is always better than cure when it comes to cybersecurity. Organizations should make sure they have strong security measures in place, such as firewalls, anti-virus software, and regular patching to reduce the risk of a breach occurring in the first place.

Overall, the SolarWinds breach was a wake-up call on the importance of cybersecurity to organizations around the world. By working with experienced partners like nGuard, organizations can ensure that they are better prepared to detect and respond to breaches when they occur and reduce the risk of serious damage to their systems and reputation.

Salesforce Leaking Sensitive Data

Misconfigurations in Salesforce Community, the cloud-based software product that allows organizations to quickly create websites, have led to the exposure of sensitive data across a variety of organizations from state government, banking and health insurance. Customers can access a Salesforce Community website as either an Authenticated user, which requires a login or guest user, which does not require a login. The guest access role allows unauthenticated users to view specific content and resources without the need to log in. However, the misconfiguration in Salesforce Community allows an unauthenticated user to access records that should only be available after logging in, leading to unauthorized users accessing an organization’s private information and leading to potential data leaks. Organizations such as banks and healthcare providers have been leaking private and sensitive information from their public Salesforce Community websites without being aware of it. Until recently, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data including a Pandemic Unemployment Assistance program that exposed applicant’s full name, Social Security number, address, phone number, email and bank account number. Other organizations, such as Huntington Bank, have had similar issues. The problem arose in August 2021 when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data.

Salesforce provides several tools and information to help check for guest user access, user experience and best practices when configuring the guest profile.

nGuard has been conducting configuration security audits as a part of our wide array of security assessments for over 2 decades. Configuration security audits are system-level analyses of physical systems, network devices, cloud environments, or SaaS solutions like Salesforce where, as appropriate, looks for use of best practices to harden the device or system from unauthorized access or misuse. If you require assistance to check your Salesforce deployment for security best practices and hardening, contact nGuard today.

Merck Entitled to $1.4 Billion Payout in Cyber Insurance Lawsuit

Merck, the pharmaceutical company, may be eligible for a large insurance payout due to the high-profile NotPetya cyberattack according to a ruling by a New Jersey appellate court. The court ruled that the “hostile/warlike action” exclusion clause cannot be applied to a cyberattack on a non-military company, even if it originated from a government or sovereign power. In this case, the hack was tied to Russia as part of its aggression against Ukraine. Merck previously received a $1.4 billion payout after suing insurers who had denied coverage for the NotPetya attack and eight insurers disputed nearly $700 million in coverage in appeal. The case stemmed from a ransomware attack Merck suffered in June 2017 which the U.S. government later attributed the attack to Russia’s military intelligence operations.

Because cyber Insurance requirements continue to evolve, nGuard detailed some of the new requirements in a recent Security Advisory. Often, to be eligible for even the most basic level of coverage your organization needs to be doing security awareness training and testing, internal and external vulnerability scanning, and continuous monitoring.

TWiC | U.S. House Data Leak, ICS Attacks, FortiOS Vulnerability, Cyber Insurance

FBI Investigating Data Breach Affecting U.S. House of Representatives Members and Staff

The Federal Bureau of Investigation (FBI) is investigating a data breach affecting members and staff of the U.S. House of Representatives. The breach saw account and sensitive personal information belonging to them and their families stolen from the servers of DC Health Link, which administers their health care plans.

While US House Chief Administrative Officer Catherine L. Szpindor has said, “it was unclear how many people had been affected by the breach.” A sample of the data reportedly posted on a hacking forum showed details of around 170,000 people. The information included names, dates of birth, addresses, email addresses, phone numbers, and Social Security numbers. At least one threat actor has reportedly put the data up for sale.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious attacks by collecting and analyzing log data from various sources. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to an ongoing or potential attack. Should your organization fall victim to an attack like this, call nGuard to help with our Cyber Security Incident Response services.

New FortiOS and FortiProxy Critical Vulnerabilities

Fortinet has released patches to address 15 security flaws, including one critical vulnerability in FortiOS and FortiProxy that could allow an attacker to take control of affected systems. The buffer underwrite flaw (CVE-2023-25610) is rated 9.3 out of 10 for severity and was discovered by Fortinet’s internal security teams. The vulnerability could enable a remote, unauthenticated attacker to execute arbitrary code on the device or cause a denial-of-service attack. Fortinet has not yet seen any malicious exploitation attempts against the flaw, but users are urged to apply the patches quickly, as prior flaws in software have been actively abused in the wild. Workarounds include disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it. Just last week, nGuard wrote about another Fortinet critical vulnerability that was actively being exploited. As this continues to develop, nGuard has a number of solutions that can help your organization stay ahead of the curve, including internal penetration testing and vulnerability management.

Over 40% of Industrial Control Systems (ICS) Were Attacked in 2022

Over 40% of industrial control systems (ICS) computers globally experienced malicious attacks in 2022, according to Kaspersky research into telemetry statistics. The report highlighted growth in Russia, which saw a 9% increase in malicious activity in 2022, but Ethiopia was the top target overall with 59% of its ICS footprint seeing malicious activity.

Kaspersky noted that blocked malicious scripts and phishing pages targeting ICS were particularly common threats, seeing an 11% rise from 2021. The percentage of ICS computers experiencing malicious activity varied from 40.1% in Africa and Central Asia to 14.2% and 14.3% respectively in Western and Northern Europe. nGuard has been helping protect Industrial control systems, SCADA networks, and critical infrastructure for over 20 years with security assessments, penetration testing, incident response, and managed SIEM services.

Low-coverage Cyber Insurance Plans Help Meet Compliance and Contractual Requirements

As the cyber insurance market experiences a surge in claims for ransomware attacks, insurance carriers and brokers have started imposing tighter rules on the companies that can qualify for coverage, raising prices and reducing the amount of coverage offered per policy. nGuard recently wrote about requirements needed to obtain cyber insurance. Policy coverages have significantly dropped in recent times, with some as low as $5m, and some companies cannot purchase as much insurance as they would like. However, some contracts and compliance regulations require that a company have a cyber insurance policy, which can pose a problem for those that lose coverage. Basic policies are now available for more organizations to obtain affordable coverage, allowing them to avoid a breach of compliance and fulfill contractual obligations.

Attacking FortiNAC Devices: Experts Advise Updating

A serious vulnerability in Fortinet’s FortiNAC network access control suite (CVE-2022-39952) is now being exploited by hackers to add a cron job that starts a reverse shell on vulnerable systems as the root user. This unauthenticated file path modification vulnerability poses a major security risk for enterprises using the FortiNAC solution because it may be used to execute commands remotely.

Fortinet has already released security upgrades to remedy the issue, and has recommended that users update susceptible appliances to the most recent versions. As the corporation hasn’t offered any mitigation advice or workarounds, updating is the only option to prevent attacks. Researchers from cybersecurity firms, including Shadowserver Foundation, GreyNoise, and CronUp, have recently observed attacks on CVE-2022-39952 from a variety of IP addresses. This indicates that attackers have already started focusing on unpatched FortiNAC devices.

Horizon3 security researchers have created proof-of-concept (PoC) exploit code which allows hackers to add a cron task that starts a reverse shell on vulnerable systems. Fortinet had previously issued a warning in December 2022 to customers to patch FortiOS SSL-VPN appliances against an actively exploited security flaw (CVE-2022-42475), which was also used as a zero-day in attacks against targets associated with the government.

In reaction to what it called “sensationalized claims” about recent exploitation attempts aimed at a vulnerability in its FortiNAC network access control product, Fortinet has offered some crucial clarifications. The company emphasized that it is yet unclear how exploiting CVE-2022-39952 will actually affect users. However, FortiNAC users should be aware of the possible hazard, as knowledgeable threat actors have been known to attack Fortinet products.

FortiNAC administrators are highly advised to update their software right away to a version of the software that is not impacted by the CVE-2022-39952 vulnerability. This includes FortiNAC versions 9.4.1 or later, 9.2.6 or later, 9.1.8 or newer, and 7.2.0 or later. Organizations may stop hackers from using this important vulnerability to gain access to their corporate networks by heeding this advice.

At nGuard, we understand the importance of proactive security measures to protect our clients from the evolving threat landscape. That’s why we offer a range of security services designed to help detect vulnerabilities like the FortiNAC vulnerability, including internal penetration testing, vulnerability management, and strategic security assessments. Our team of experts can work with clients to develop and implement policies and procedures to ensure they can quickly identify and address security threats, and stay up-to-date on emerging vulnerabilities through our security advisories. By partnering with nGuard, clients can rest assured that they have access to the latest security technologies and expertise to help them stay one step ahead of the threats.

Are You Prepared for the New Cyber Insurance Requirements?

As cyberattacks increase worldwide, insurance companies are tightening their cyber insurance policy requirements. This is due to the 80% rise in ransomware attacks last year, leading to a large number of claims. Among the new provisions are the requirement for multi-factor authentication (MFA) for all admin access and the protection of all privileged accounts. However, identifying gaps in MFA and privileged account protection within a network can be challenging for organizations. In addition to MFA, there are several other requirements that stipulate detailed attestation when filling out a cyber policy questionnaire. A few of those requirements are:

Security Awareness Training and Testing
This process is designed to educate employees on cyber security threats and risks, and to test their understanding of these issues through interactive simulations and assessments. The goal is to raise awareness, increase knowledge, and promote safe online behavior within an organization. To reduce your risk of phishing attacks, nGuard has been conducting Security Awareness Training and phishing testing though our Social Engineering Assessment for years.
Vulnerability Management
A thorough vulnerability management program will identify, assess, and prioritize vulnerabilities in an organization’s systems and networks, and take action to remediate or mitigate these risks to prevent exploitation. This helps maintain the security and integrity of systems and data by staying on top of vulnerabilities as they are discovered. Conducting monthly or quarterly vulnerability scans on an ongoing basis will not only help meet insurance requirements but also keep your network secure. nGuard’s Vulnerability Management can help you manage your external environment, internal environment, and meet PCI requirements with ASV scanning.
24/7/365 Monitoring
A Security Information and Event Management (SIEM) system collects and aggregates log data from various sources within an organization and uses analytics and threat detection techniques to identify potential security incidents and enable security teams to respond promptly. SIEM provides centralized security visibility and event correlation. nGuard’s managed security team performs both manual and automated daily log analysis that proactively detects suspicious activity in your environment with our managed SIEM service called Managed Event Collection & Correlation. nGuard is adding artificial intelligence and machine learning to detect and respond to security threats in real-time via UEBA (User and Entity Behavior Analytics).
Secured, Encrypted, Offsite Backups
Offsite backups refer to the storage of backup data at a remote location, typically in a secure data center, separate from the primary data storage. This helps ensure that the data can be recovered in case of a disaster or cyberattack and protected against data loss while minimizing downtime. Offsite backups are an important component of a comprehensive disaster recovery plan. A Strategic Security Assessment utilizing the Center for Internet Security (CIS) 18 Critical Security Controls as the foundation can help bring the lack of controls like this and others to light.
Endpoint Detection & Response (EDR)
This real-time security solution will monitor and respond to security threats on endpoint devices such as computers and servers using artificial intelligence and machine learning to detect and isolate security incidents.

As insurance carriers adjust the requirements to obtain and maintain coverage, a thorough assessment can help organizations identify and close security gaps to help meet the new cyber insurance requirements and improve their overall security posture. nGuard has a number of solutions that can help meet and exceed the requirements needed to obtain and maintain cyber insurance.