By Jonathan Munshaw
Threat Source newsletter
I just bought an electric car last week, so I’ve been shopping for new car insurance policies that could offer me a discount for ditching gas.
We’re all familiar with the boring process of entering the same information 10 times over into 10 different companies’ websites trying to see who comes out the cheapest and offers the best bundles, discounts or deals.
Unfortunately, with cybersecurity insurance, there are no bundles or “Personal Price Plans” to enroll in, and costs are rising.
This is nothing to say about whether an organization should get cyber insurance. That is 100 percent their decision to make, and every case is going to be different. But for companies who are interested in getting these types of policies to be best prepared to recover from and deal with a potential security incident, it’s now more expensive than ever to get cyber insurance.
A report last week from Dark Reading indicated that cyber insurance costs are expected to rise over the next 12 to 24 months. This would be after premiums for these plans rose 50 percent in 2022, according to Bloomberg, though they largely held steady in 2023.
This problem isn’t isolated to just the U.S., either. A November report from business continuity service Databarracks surveyed companies in the U.K. and found that nearly a third of respondents said their cyber insurance had increased in cost over the past year, while more companies than ever said they had any type of cyber insurance policy, implying a totally new line item for their budgets.
This rising cost could certainly be attributed to all the classic factors of why anything gets more expensive: market demand, inflation, rising costs of doing business, etc. But an increase in ransomware activity seems to be a large driver, too.
The same Databarracks survey found that 24 percent of all IT downtime for respondents was due to a cyber incident, up 14 percent from 2018. Thirty-seven percent of all companies said they experienced a ransomware attack in 2023, and more than half experienced some sort of security incident in general.
As we saw in our most recent Talos Incident Response Quarterly Trends Report, ransomware may rise again after a relatively quiet period from mid-2022 through the summer of 2023. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Talos IR, a 17 percent increase from the previous quarter.
That’s not to say that it’s a lock that ransomware attacks are going to be up in 2024, but if they are, cyber insurance policies are only going to get more expensive, which means further shifting budgets for companies of all sizes.
There is no one-size-fits-all approach for how anyone should approach getting a cybersecurity insurance policy. Still, if companies can’t steady the cost of premiums, it may send executives shopping for other, potentially less effective, methods of preparing for a cyber attack.
The one big thing
Cisco Talos Incident Response (Talos IR) saw a significant increase in ransomware activity in its engagements during the fourth quarter of 2023, while education remains one of the most targeted sectors. Talos IR also observed several brand new ransomware operations for the first time in Q4, including Play, Cactus, BlackSuit and NoEscape. The latest Talos IR Quarterly Trends Report has a full breakdown of the top threats they saw in the wild and an idea of where attacker tactics might be headed in 2024.
Why do I care?
This was the first time in all of 2023 that the rate of ransomware attacks rose during IR engagements. Education and manufacturing were tied for the most targeted verticals, accounting for nearly 50 percent of the total number of incident response engagements, so those industries should note Talos IR’s findings.
So now what?
The lack of MFA remains one of the biggest impediments to enterprise security and led to many of the attacks Talos IR saw in Q4. All organizations should implement some form of MFA, such as Cisco Duo.
One of the largest password dumps ever was posted last week to an online forum, seemingly containing more than 25 million login credentials that had never been leaked before. In all, the collection includes 71 million unique credentials for a range of websites, including the online video game “Roblox,” Yahoo, Facebook and eBay. Though many of these credentials had already been leaked in the past, the user hosting the file claims they all came through an information-stealing malware that collected the usernames and passwords in plain text. Credentials that are stolen via data breaches often contain encrypted passwords. The operator behind the website Have I Been Pwned? first discovered the trove of data earlier this month, but it’s likely been in circulation in various online forums for at least four months. Each line in the dataset, which consists of images and plain text, includes a login URL, the associated account’s name and a password. (Ars Technica, Bleeping Computer)
A new report indicates that each Facebook user could be sharing their personal data with thousands of other companies. The study, conducted by the non-profit Consumer Report, followed more than 700 volunteers’ Facebook accounts and found that, on average, each participant in the study had their data sent to Facebook by 2,230 companies. Some respondents had their data shared with more than 7,000 different companies, and in all, the study captured more than 180,000 organizations that shared data with Facebook. The study was specifically meant to capture “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s, the parent company of Facebook, servers. The more “traditional” form of tracking for Meta through pixels on other companies’ websites can easily be spotted in a web browser, while server-to-server cannot. The three companies that appeared the most often connected to participants’ accounts in the study were all data brokers, who presumably turned around and sold that data to additional companies for a profit. Consumer Reports listed multiple recommendations for Facebook to improve its data protection, including improving the transparency of Facebook’s data collection tools, making it easier for users to opt out of data sharing and asking the U.S. government to pass data minimization laws. (Consumer Reports, The Markup)
Apple released a series of security updates this week for its devices that fixed three vulnerabilities in the WebKit browser engine that were already being exploited in the wild. One of the vulnerabilities, CVE-2024-23222, is believed to have been exploited in more recent versions of Apple’s mobile operating system iOS. An attacker could exploit this vulnerability to execute remote code on the targeted device. Two other vulnerabilities, CVE-2023-42916 and CVE-2023-42917, were likely exploited in version of iOS dating back to before 16.7.1. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) list. Apple released patches for all its devices, including the Apple TV streaming box, iPad and macOS desktop computers. (SecurityWeek, Computer Weekly)
Can’t get enough Talos?
- Talos Takes Ep. #169: What's new with CVSS 4.0, and does it really change anything?
- Best Practices for Handling Incident Response During a Merger and Acquisition
- Cisco Tech Beat Podcast: Talking Past, Current, and Future Cyber Threats with Nick Biasini
- Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
- Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e340aa9f08ce8128e17a3186053bfaf2dc119d98a64f7bc4d37fb7be03365c93
MD5: 5800fc229e3a5f13b32d575fe91b8512
Typical Filename: client32.exe
Claimed Product: NetSupport Remote Control
Detection Name: W32.Riskware:Variant.27dv.1201
SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab
MD5: 4c648967aeac81b18b53a3cb357120f4
Typical Filename: yypnexwqivdpvdeakbmmd.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201
SHA 256: 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971
MD5: 4c5fdfd4868ac91db8be52a9955649af
Typical Filename: N/A
Claimed Product: N/A
Detection Name: W32.581866EB9D-100.SBX.TG
SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
MD5: ef6ff172bf3e480f1d633a6c53f7a35e
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH
SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
MD5: 200206279107f4a2bb1832e3fcd7d64c
Typical Filename: lsgkozfm.bat
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
