Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Cyber Insurance and Ransomware

The cyber insurance landscape is changing rapidly, partly in response to changes in the ransomware market. Premiums are rising in response to rising claims, making insurance a much more expensive way to share cyber risk. And as we reported last week, the most sophisticated ransomware operators are now engaging in 'big game hunting' - targeting larger corporations with deeper pockets, and demanding a larger ransom to make up for increasing number who simply refuse to pay.

Another complicating factor was last year's decision by Lloyds of London to ask its cyber insurance clients to amend their policies, starting from March 2023, to exclude coverage for attacks sponsored by government entities. This followed a 2021 New Jersey Superior Court Ruling which found in favour of pharma giant Merck after ther insurer refused coverage for the NotPetya attack, claiming it was an act of war (a standard exclusion in most policies). The court found that while cyber-attacks can be acts of war, Ace American had not updated the exclusion clause to reflect this, and that Merck therefore had every right to anticipate that the exclusion policy applied only to traditional forms of warfare. The Lloyds decision makes this quite explicit - and with increasing activity from state-sponsored and state-affiliated threat actors, some victims may be in for a rude shock when they claim on their policies.

There is also some research to suggest that cyber insurance introduces a moral hazard effect on ransomware, as insurance companies often recommend paying the ransom, rather than having to pay higher costs of complex recoveries. This frustrates any attempt to disrupt the ransomware operators' business model - in fact, their massive revenues are funding the development of even more sophisticated malware - and also drives premiums higher.

A 2022 Forrester report estimated that a typical data breach would lead to $US2.4 million in incident response costs (with detection, analysis and eradication requiring a median of 27 days, and a further 10 days for recovery). However, a survey of 450 security professionals in North America, by BlackBerry and insurer Corvus, revealed that only 55% have cyber insurance, and less than 20% have coverage in excess of $600,000, which was the median ransomware demand in 2021 - now consider that the median ransomware payment obtained by Cl0p - the most successful ransomware operator - was almost $US2 million.

The BlackBerry/Corvus study found that only 10% of all businesses surveyed have ransomware coverage limits above the 2021 median ransomware demand amount (of $600,000), while only 14% of SMB's with fewer than 1,500 employees had a higher limit.

Looking at these figures, we can only suggest that it would be smart to invest into defensive controls - principally application safelisting, but also MFA, EDR and SETA - to avoid falling victim to a ransomware attack, rather than sinking the money into cyber insurance premiums, which are bound to rise even further in the coming months.

Specops Software, Strengthening Password Security may Lower Cyber Insurance Premiums, Bleeping Computer (sponsored content), 18 July 2023. Available online at https://www.bleepingcomputer.com/news/security/strengthening-password-security-may-lower-cyber-insurance-premiums/.

Adobe ColdFusion Vuln Exploits in the Wild

Yesterday, we covered security updates from several firms, including Adobe, which had released updated for several versions of ColdFusion. Only a day later comes a new security bulletin featuring three new vulnerabilities:

• CVE-2023-38204, an insecure deserialization vulnerability with a CVSS score of 9.8
• CVE-2023-38205, an access control vulnerability which can lead to remote code execution (CVSS score: 7.5)
• CVE-2023-38206, a second access control vulnerability (CVSS score: 5.3)

The result is yet another update for the vulnerable versions of ColdFusion. Adobe's security bulletin reveals that the firm is aware of limited attacks in the wild, attempting to exploit CVE-2023-38205; fortunately, the more serious CVE-2023-38204 is so far not in play. If you were holding back on this update, don't! And if you updated yesterday, it's time to do it all over again.😠

Adobe, Security updates available for Adobe ColdFusion, security bulletin APSB23-47, 14 July 2023. Available online at https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html.

Wicked Panda Spies on Android

A report from cloud security vendor Lookout attributes two long-standing pieces of surveillance malware, called WyrmSpy and DragonEgg, to the Chinese state-sponsored APT Wicked Panda, also known as APT41, Wicked Spider, Double Dragon, BASIUM and Winnti. The firm has been tracking the spyware since 2020, with the latest example found in April 2023.

Wicked Panda has been active since 2012 and engages in a surprisingly wide range of activities. It is known to target both governments and tech companies, engaging in cyber-espionage on behalf of the Chinese Communist Party, using malware unique to the Chinese government. However, it also engages in cybercrime for profit, attacking online gaming sites in particular, and essentially funding itself. This raises an interesting question - how would an insurance company respond to a claim for an attack by this group?

The FBI has placed five members of Wicked Panda on its 'most wanted' list, following indictments for a range of charges, including unauthorized access to protected computers, aggravated identity theft, racketeering, fraud, money laundering, wire fraud and access device fraud.

While Wicked Panda has historically target Internet-facing web sites, the fact that they are exploiting end-user mobile devices indicates the value of the data that they can disclose.

Balaam, Kristina and Justin Albrecht, Lookout Attributes Advanced Android Surveillanceware to Chinese Espionage Group APT41, blog post, 19 July 2023. Available online at https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.