The Gately Report: Zscaler Tracks New, Increasingly Dangerous Ransomware Group, Most Targeted Types of People
Universities are leaving students vulnerable to email-based attacks.
![ransomware detected ransomware detected](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt9b482edb54714e76/65241cfc1be3f571df2a537e/Ransomware-Detected.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Channel Futures: Has Zscaler seen and is it seeing widespread adoption of zero trust security? Are there issues/obstacles that may be holding organizations back from adopting it? If so, how does Zscaler address those?
Zscaler’s Todd Meister: Zero trust security architecture is one of the fastest growing security approaches for cloud-based businesses. The reasons are simple. Legacy security and VPN products do not scale well or provide a modern level of security for remote users or cloud infrastructure. As cloud applications and services become more complex, lean-running security teams continue to turn to zero trust network access (ZTNA) products as a way to optimize security architecture without sacrificing user experiences, network flexibility, or role- and persona-based adaptability.
Cybercriminals continue to improve the way they detect, breach and exfiltrate sensitive data from vulnerable systems. For many of today’s largest businesses, adopting zero trust is no longer a security team exercise. It’s a critical business-level decision to future-proof against increasing operational risks.
CF: Zscaler recently unveiled new AI/ML capabilities for the Zscaler Zero Trust Exchange cloud-native platform. Is that providing new opportunities for partners to better serve their customers? If so, how?
TM: The new artificial intelligence/machine learning (AI/ML) capabilities that were introduced in June further enhance Zscaler’s Zero Trust Exchange security platform and help customers implement a security services edge (SSE) that protects against the most advanced cyberattacks without sacrificing users’ digital experience. Our partners can use these new capabilities to simplify adoption of zero trust architecture for their customers and provide access to AI-powered security features such as phishing prevention, segmentation and root-cause analysis.
CF: AWS has revamped its Security Competency Program and Zscaler is among launch partners. What will this mean for Zscaler and its partners?
TM: The updates to AWS Security Competency Program allow its infrastructure partners, including Zscaler, to more effectively reach AWS customers, and provide a higher degree of services and support than ever before. Via the AWS Marketplace CPPO program, we are able to leverage the partner ecosystem and best meet the needs of AWS customers. Our partner support teams are looking forward to better support joint Zscaler-AWS customers, and help more organizations adopt zero trust security infrastructure.
CF: Dell’Oro Group recently named Zscaler among top revenue-generating vendors in SSE. What’s driving demand for SSE? Are partners benefiting from Zscaler SSE?
TM: The value of SSE is in its ability to solve fundamental security challenges that organizations face from remote work, cloud migration, edge computing and adoption of digital transformation. As data becomes more distributed outside legacy on-premises data centers, it’s more important than ever to ensure that network security is able to support the move to the cloud. Zscaler partners are at the center of this transformational journey as they build, deploy and manage SSE solutions for their customers.
CF: What’s the status of Zscaler’s Summit Partner Program? Are any additions/enhancements coming this year?
TM: Our partner program has been a big hit this year and we’re excited to continue helping our customers achieve their security and digital transformation goals. My focus remains on three program priorities: simplicity, consistency and profitability. In FY23, Zscaler partners can expect continued investment in our go-to-market (GTM), enhanced deal registration benefits, partner program simplification, and consistency as it relates to engaging and working with our field sales organization.
CF: What’s your take on the current threat landscape? And how is Zscaler keeping its partners and customers safe?
TM: Today’s threat landscape is more dangerous for businesses than ever before. Based on reports from our Threatlabz security team, organizations are facing a 314% increase in cyberattacks over encrypted internet traffic and an 80% increase in ransomware, which includes a 120% increase in double-extortion attacks that encrypt and steal sensitive data. Phishing attacks are also on the rise with key industries like financial services, government and retail seeing annual attack increases of over 100%.
However, our customers have access to the largest in-line security cloud, which inspects over 240 billion data transactions daily and blocks 150 million daily attacks. This means they can create comprehensive incident response strategies, dramatically expedite threat investigation, and pinpoint potential malware to stop breaches and data loss. The Zscaler Zero Trust Exchange also provides an integrated platform to decrease attack surface risk and secure app-to-app, machine-to-machine, and user-to-app communications, lowering the threat to networks accessed by remote workers and cloud-based businesses.
CF: What can partners expect from Zscaler in the months ahead and into 2023?
TM: With over 7 billion security incidents and policy violations prevented every day, our partners know that Zscaler helps them guide their customers through the most stressful incidents as they secure their business in the cloud. Moving into the next year, our partners can expect enhanced sales and technical enablement offerings, access to additional marketing programs and campaigns, and continued investments in our global field sales and channel sales organizations.
In other cybersecurity news …
Casey Allen, Concentric’s CIO, has come up with a list of five types of people who should be extra wary of cybercriminals.
It’s increasingly difficult to have any privacy as everyone has a digital footprint, from their company’s profile, to browser history and social media accounts. Everyone is vulnerable, but cybercriminals are extra-focused on these five types of people:
Journalists – Since 2021, threat groups have turned up their targeting of journalists to siphon data and credentials, as well as to track them. Those at established media organizations are increasingly at risk from hackers, companies or even governments, particularly where there is limited press freedom.
Frequent flyers – For those who are always traveling, for work or fun, using public Wi-Fi will put you in harm’s way. Additionally, in certain countries, increased surveillance can pose an additional cyber risk.
Influencers – When you put everything online, even if you think you’re protecting yourself, people can easily connect the dots. From your children’s first day of school photos, to where you’ve marked yourself as checked in, online activity can expose more than you’d think.
C-Suite – When the public learns that you’re a top earner, your risk of being targeted increases exponentially. It’s important to educate yourself, and your company’s staff, on best practices to keep everyone secure.
Crypto players – Since it’s still such new technology, crypto leaves significant room for vulnerabilities in the digital asset ecosystem.
Malicious actors have been taking advantage of open-redirect vulnerabilities affecting American Express and Snapchat domains to send phishing emails targeting Google Workspace and Microsoft 365 users.
That’s according to research published by Inky. It reveals that in both cases the phishers included personally identifiable information (PII) in the URL, allowing them to quickly customize the malicious landing pages for individual victims, and disguised the PII by Base64-encoding it, so that it appears as a sequence of random characters.
Open redirect, a vulnerability that occurs when a website forwards visitors to a user-supplied URL without validating it, lets bad actors craft links on high-reputation domains that redirect victims to malicious sites. Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer. The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.
“Perhaps websites don’t give open redirect vulnerabilities the attention they deserve because they don’t allow attackers to harm or steal data from the site,” Inky said. “From the website operator’s perspective, the only damage that potentially occurs is harm to the site’s reputation. The victims, however, may lose credentials, data and possibly money.”
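As an added illustration, not Inky’s code and not part of the original article, the script below shows the two defender-side controls this report implies: a redirect endpoint that only forwards to allow-listed hosts or same-site paths (the validation whose absence makes a redirect “open”), and a mail-gateway style heuristic that flags query parameters whose value is Base64 that decodes to an e-mail address. The host names, the `u` redirect parameter and the sample URL are constructed assumptions.

```python
import base64
import binascii
import re
from typing import Iterable
from urllib.parse import urlparse, unquote, parse_qsl

# Hosts this (hypothetical) site is allowed to redirect to. Constructed values.
ALLOWED_HOSTS = {"www.example-bank.test", "example-bank.test"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_redirect(target: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Accept only same-site relative paths or https URLs whose host is allow-listed.

    This is the validation step whose absence makes a redirect endpoint "open".
    """
    if not target:
        return False
    # Decode percent-encoding once so "%2F%2F" or "%40" cannot hide a host change.
    target = unquote(target)
    # Browsers treat backslashes as slashes and may fold whitespace; reject both outright.
    if any(ch.isspace() or ch == "\\" for ch in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme:
        # Absolute URL (also catches javascript:, data:, http:): only https to a known host.
        return parsed.scheme == "https" and parsed.hostname in allowed_hosts
    # Protocol-relative "//host" would leave the site; only a single leading "/" is local.
    if target.startswith("//"):
        return False
    return target.startswith("/")


def decodes_to_email(value: str) -> bool:
    """True if value is Base64 (standard or URL-safe) whose plaintext is one e-mail address."""
    # parse_qsl turns a raw "+" into a space; undo that before decoding.
    value = value.replace(" ", "+")
    if len(value) < 8:  # no e-mail address fits in fewer Base64 characters
        return False
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError):
            continue
        if EMAIL_RE.match(text):
            return True
    return False


def flag_encoded_pii_params(url: str) -> list:
    """Names of query parameters whose value Base64-decodes to an e-mail address."""
    query = urlparse(url).query
    return [name for name, val in parse_qsl(query, keep_blank_values=True) if decodes_to_email(val)]


# Constructed sample: a lure link abusing a redirect endpoint and carrying an encoded address.
SAMPLE_URL = (
    "https://www.example-bank.test/redirect?u=https://login-lure.test/"
    "&id=" + base64.b64encode(b"victim@example.test").decode("ascii")
)


def triage(url: str) -> dict:
    """Combine both checks for one URL, as a mail gateway or SOC script might."""
    params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    redirect_target = params.get("u", "")  # "u" is the assumed redirect parameter name
    return {
        "redirect_allowed": is_safe_redirect(redirect_target),
        "encoded_pii_params": flag_encoded_pii_params(url),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_URL))
```

The redirect check is deliberately strict (https only, exact host match, no protocol-relative or backslash forms) because browsers and URL parsers disagree on edge cases; an allow-list of exact hosts sidesteps those disagreements. The Base64 heuristic is a triage signal, not proof of phishing, so in practice it would raise a score or a review flag rather than block on its own.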
Ryan McCurdy is vice president of marketing at Bolster, a provider of automated digital risk protection.
“Seventy-five percent of companies worldwide have experienced some form of phishing attack as it’s one of the easiest tactics that hackers use to steal data from employees, customers and partners,” he said. “The main reason that phishing scams are so convincing is that they often mimic the look of a brand or a credible person down to a very fine detail. To make matters worse, they prey on human action bias, with a call to action stating that attention must be taken right now. Before clicking on any link sent to you, use a link-checking website such as www.checkphish.ai, a free phishing URL scanner to detect online scams in real-time. If you come across a suspicious link, scan it there before accessing it.”
The Synopsys Cybersecurity Research Center team identified a local privilege escalation vulnerability in Kaspersky VPN Secure Connection for Microsoft Windows.
Jonathan Knudsen is head of global research at Synopsys Cybersecurity Research Center. He said this vulnerability can be exploited to elevate privilege.
“This would typically be a second step in an attack,” he said. “The first step would be an attacker gaining access to a victim’s computer somehow, whether through social engineering or some other technique. If the victim’s computer had a vulnerable version of the Kaspersky VPN on it, the attacker could then use the vulnerability to gain administrative privileges, at which point the attacker would have full control over the victim’s computer.”
A fully compromised computer would allow an attacker access to websites, credentials, files and other sensitive information that could be useful by itself or useful in moving laterally inside a corporate network, Knudsen said.
“We haven’t seen any exploitation of this vulnerability,” he said. “Most likely attackers will take note of it as a possible technique for elevation of privilege, after access has been gained to a victim’s computer.”
Kaspersky sent us the following statement:
“The Kaspersky team has closed a vulnerability in the Kaspersky VPN Secure Connection that allowed an authenticated attacker to trigger arbitrary file deletion in the system. It could lead to device malfunction or the removal of important system files required for correct system operation. To execute this attack, an intruder had to create a specific file and convince users to run ‘delete all service data and reports’ or ‘save report on your computer’ product features. To fix the vulnerability, the Kaspersky team recommends users check the app version they are running and install the latest one.”
The fall semester’s almost here. Ready to get hacked?
The top universities in the United States, the United Kingdom and Australia aren’t pursuing basic cybersecurity measures, therefore exposing students, staff and stakeholders to higher risks of email-based impersonation attacks.
That’s according to Proofpoint’s latest research. It found that 97% of the top 10 universities across each country are not taking appropriate measures to proactively block attackers from spoofing their email domains, increasing the risk of email fraud. According to the analysis, universities in the United States are most at risk with the poorest levels of protection. That’s followed by the United Kingdom, then Australia.
These findings are based on domain-based message authentication, reporting and conformance (DMARC) analysis of the top 10 universities in each country. DMARC is an email validation protocol aimed at protecting domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination.
DMARC has three levels of protection — monitor, quarantine and reject — with reject being the most secure for preventing suspicious emails from reaching the inbox.
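As an added example, not Proofpoint’s methodology or code and not part of the original article, the script below parses a DMARC TXT record and reports its protection level in the article’s terms (monitor, quarantine, reject), together with the record details that decide whether a quarantine or reject policy is actually enforced: the `pct=` sampling tag, the `sp=` subdomain policy and the presence of a `rua=` reporting address. The domain names and records are constructed; a real assessment would fetch the `_dmarc.<domain>` TXT record from DNS.

```python
from typing import Dict, List, Optional

# Constructed DMARC TXT records standing in for DNS lookups (not any real university's).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "no-record.example": None,
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
# The article's names for the three p= values.
ARTICLE_LEVEL = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value; raise ValueError if not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (v= tag missing or wrong)")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Report the protection level and the gaps that let spoofed mail keep reaching inboxes."""
    if record is None:
        return {"level": "missing", "enforced": False, "notes": ["no DMARC record published"]}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"level": "invalid", "enforced": False, "notes": [str(exc)]}
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return {"level": "invalid", "enforced": False, "notes": [f"unknown policy {policy!r}"]}
    notes: List[str] = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not a number; treating it as 100")
    subdomain_policy = tags.get("sp", policy).lower()  # sp= defaults to p=
    if policy == "none":
        notes.append("p=none only monitors: receivers still deliver spoofed mail")
    elif pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail receives the {policy} policy")
    if POLICY_RANK.get(subdomain_policy, 0) < POLICY_RANK[policy]:
        notes.append(f"sp={subdomain_policy} leaves subdomains weaker than the parent domain")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return {
        "level": ARTICLE_LEVEL[policy],
        "enforced": policy != "none" and pct == 100,
        "notes": notes,
    }


def enforcement_rate(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains whose policy actually quarantines or rejects spoofed mail."""
    results = [assess_dmarc(r) for r in records.values()]
    return sum(1 for r in results if r["enforced"]) / len(results)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record))
    print(f"enforced: {enforcement_rate(SAMPLE_RECORDS):.0%}")
```

The `enforced` flag is what a survey like Proofpoint’s is really measuring: a domain with `p=quarantine; pct=25` or a lookalike subdomain left at `sp=none` publishes a record yet still lets most spoofed mail through, so counting only the presence of a `p=` tag would overstate protection.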
Ryan Kalembe is Proofpoint’s executive vice president of cybersecurity strategy.
“Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside health care,” he said. “This, unfortunately, makes these institutions a highly attractive target for cybercriminals. The pandemic and rapid shift to remote learning has further heightened the cybersecurity challenges for tertiary education institutions and opened them up to significant risks from malicious email-based cyberattacks, such as phishing.”
Garret Grajek is YouAttest’s CEO. He said higher education isn’t the only sector at risk from email attack.
“The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has determined that the Kimsuky attack group, most likely commissioned by the North Koreans, has introduced a malware called ‘SHARPTEXT’ that doesn’t need your Gmail login credentials, let alone worry about two-factor authentication (2FA),” he said. “The malware allows the attacker to read the email that the user browses. It is these types of attacks and more that should convince enterprises their systems are under attack and should be assumed to be compromised. The big question this begs is, how deep and how long will the exposure be? Key to enterprise security is a zero trust architecture, coupled with strong identity governance, that limits access and adheres to the principle of least privilege.”
The Zscaler ThreatLabz team is monitoring Industrial Spy, a relatively new ransomware group that emerged in April and has since racked up at least 37 victims.
Zscaler disclosed its findings on Industrial Spy ransomware in a blog. Key points about Industrial Spy include:
The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim’s files.
The ransomware utilizes a combination of RSA and 3DES to encrypt files.
Industrial Spy lacks many common features present in modern ransomware families like anti-analysis and obfuscation.
The threat group is consistently adding roughly two to three victims per month on their data leak portal.
Todd Meister is Zscaler’s senior vice president of global partners and alliances.
“This group started out as a data extortion marketplace, where criminals bought and sold stolen internal data from large companies,” he said. “However, they now decided to start creating their own tools and tactics. So far, it appears that Industrial Spy are still establishing themselves, switching between traditional ransomware, when it only steals and ransoms data, and double-extortion ransomware, defined by the encryption, exfiltration and ransom.”
Industrial Spy Gets Results
What makes Industrial Spy so dangerous is that while the group lacks many common features present in modern ransomware, it’s already proven that it can achieve results, Meister said.
The group sells stolen data from two to three new companies every month on their data leak portal.
“This means that Industrial Spy can continue updating its ransomware with new features and threaten more organizations for a longer period of time,” Meister said.
Industrial Spy may continue to present a threat as long as it can continue breaching new organizations, he said.
Zscaler said many players come and go in the ransomware market and it’s difficult to determine the groups that will stay for the long term. However, this threat group is likely to stay at least in the near future. And more ransomware updates and features are likely to follow.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.