April '24 Policyholder Newsletter

2024 is already breaking all the wrong ransomware records

It’s officially spring! A time for blooming flowers, longer days, and lots (and lots) of sneezing. Before leaving the house, don’t forget the essentials:

  • Layers
  • Allergy meds 
  • The latest ransomware intel from Corvus, compiled in one easily digestible report so you know exactly what your org is up against (it’s digital, so it won’t weigh you down)
  • An umbrella

Keep reading for more on cyber risk, updates to your Risk Dashboard, and the latest threats!

 

[BANNER] Threat Intel Corner

🍰 Fresh threat intel — crafted with data plucked straight from the dark web — is ready for you.

Here’s a preview of our Threat Intel findings:

2024 is just as record-breaking as 2023 so far

Q1 2024 has seen a 21% increase in ransomware victims posted to leaksites over Q1 2023, making it the most active first quarter ever recorded.

In-fighting and crime-fighting

High-profile ransomware gangs LockBit and BlackCat/ALPHV experienced significant disruptions, leading to a decline in their operations — but new ransomware gangs are filling the void (18 new leaksites emerged throughout Q1).

Medical specialists face a ransomware epidemic

Medical practices, such as specialists or family clinics, experienced the highest concentration of attacks with a 38% increase from Q4 2023.

A reflection on the ScreenConnect vulnerability

Due to our consistent communication with policyholders — we love landing in your inbox, when it counts! — policyholders applied patches at a 15% higher rate than other ScreenConnect users after 13 days.

[LINE GRAPH] Victims Posted to Ransomware Leak Sites

 

[BANNER] Risk Advisory Tips

As always, we’re eager to provide you with the most personalized security recommendations possible. Our latest addition to the Risk Dashboard allows you to add domains so we can understand your full exposure — and help you combat cyber risk from all angles.

Why did we add this capability? Much of what we understand about your risk first comes from our scan, which views your public-facing websites, any externally accessible software, and various domains associated with your organization. 

Based on how your organization sets up domains, our scan may not be able to locate them all solely on the primary domain provided in your insurance application. 

What this means for you: By sharing any additional domains with us, we’ll have access to a more accurate picture of your organization’s environment. That translates to more comprehensive security recommendations and tailored alerts for all associated domains, strengthening our partnership. 💪

To get more insights from us: 

  1. Head to the Environment tab on your Risk Dashboard, where you’ll see all domains associated with your primary domain.

  2. If you want us to include additional domains in future scans, click Add Domain and you’ll be prompted to fill out an email template. 

  3. We’ll add the domain(s) within X days and continuously monitor your org for emerging threats, now with even more accuracy.

[DIAGRAM] Environment Overview of CrowBar

 

[BANNER] Threat Alerts

The Corvus Scan is a powerful asset that enables us to identify which policyholders may be at greater risk for vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation. 

We’ve gathered a monthly round-up of our alerts and threat intel updates below:

Palo Alto PAN-OS Vulnerabilities

CVE-2024-3400

Threat actors have begun exploiting vulnerabilities in Palo Alto GlobalProtect Products and exploit code is publicly available. If your organization has not already, we recommend taking mitigating action immediately as widespread exploitation is likely imminent. In addition, after reporting that temporarily disabling device telemetry would be adequate mitigation, Palo Alto now reports “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability”. Disabling device telemetry is not a sufficient mitigating action. Security patches are now available and should be applied as soon as possible. See our article here for more information.

CrushFTP Vulnerability

CVE-2024-4040

A vulnerability was announced this month in CrushFTP. Attackers can exploit this vulnerability, escape the VFS, and download system files. Additionally, research by Rapid7 confirmed that CVE-2024-4040 permits “administrator account access and full remote code execution”. These flaws affect CrushFTP v11 versions below 11.1, v10 versions below 10.7.1, and every v9 or earlier version, so any current users of v9 or prior will have to upgrade. All instances should be updated to 10.7.1 or 11.1.0 or newer. Exploit code is now publicly available, so it is essential that impacted organizations address this issue promptly. If your organization has not already, we recommend taking mitigating action immediately.
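The affected ranges above span three version branches with different cut-offs, which is easy to get wrong when checking a fleet by hand. The script below is an added example (not Corvus code, and not part of the original alert) that encodes the alert's affected ranges for CVE-2024-4040 and flags which entries in a constructed CrushFTP inventory still need an upgrade. The hostnames and version banners are made up; branches newer than 11 are not mentioned in the alert and are treated as not affected, which is an assumption.

```python
"""Added example (not Corvus code): decide whether a CrushFTP version string falls in
an affected range for CVE-2024-4040 as described in the alert above.

Affected per the alert: v11 below 11.1, v10 below 10.7.1, and v9 or earlier.
Fixed: 10.7.1 or newer on the 10 branch, 11.1.0 or newer on the 11 branch.
Branches above 11 are not mentioned in the alert; this script treats them as
not affected (assumption).
"""
import re

# Minimum fixed version per major branch, taken from the alert text.
FIXED_BY_BRANCH = {10: (10, 7, 1), 11: (11, 1, 0)}
OLDEST_FIXABLE_BRANCH = 10  # v9 and earlier: every version must be upgraded


def parse_version(text):
    """Parse 'CrushFTP 10.7.1', '11.1' or 'v9.3' into a 3-tuple of ints.

    Missing minor/patch components are padded with 0 so that '11.1' and
    '11.1.0' compare equal.
    """
    m = re.search(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(text):
    """Return True if the version string is in an affected range for CVE-2024-4040."""
    version = parse_version(text)
    major = version[0]
    if major < OLDEST_FIXABLE_BRANCH:
        # v9 or earlier: no fixed release exists on that branch, so always affected.
        return True
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # Branch newer than any the alert mentions: assumed not affected.
        return False
    return version < fixed


def triage(inventory):
    """Return the sorted list of hosts from a {host: banner} inventory that need remediation."""
    return sorted(host for host, banner in inventory.items() if is_affected(banner))


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = {
    "ftp-a.example.test": "CrushFTP 10.6.2",
    "ftp-b.example.test": "CrushFTP 10.7.1",
    "ftp-c.example.test": "CrushFTP 11.0.3",
    "ftp-d.example.test": "CrushFTP 11.1.0",
    "ftp-e.example.test": "CrushFTP v9.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; upgrade to 10.7.1 / 11.1.0 or newer")
```

Feed `triage` a dictionary built from your own asset inventory (for example, the version string shown in the CrushFTP admin UI or service banner) and the result is the list of hosts to patch first; the comparison is tuple-based, so a two-part version such as `11.1` is treated as `11.1.0`.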

Ivanti

Connect Secure and Avalanche

In two separate advisories, Ivanti released details on vulnerabilities in its Connect Secure and Avalanche products. Security patches are available and should be applied as soon as possible.