August '22 Corvus Policyholder Update

Implement MFA on the Policyholder Dashboard, what we can learn from the Cisco breach, and more.

Who doesn’t love a good souvenir? You had such a good time on your trip, and now you can think about it fondly every single time you look at your Mickey Mouse ears collecting dust. Unfortunately, threat actors also love collecting things from (your) vacation — your data and money. 

As tourism rebounds, a hacker tracked as TA558 is targeting hotels and firms in the hospitality industry with phishing campaigns. In July, the Marino Boutique Hotel in Lisbon, Portugal had its account hacked, which resulted in €500,000 stolen from hotel guests, plus their data and credit card details. Not so happy travels.

For more on the latest in cybersecurity trends and tips from the pros, keep reading:

LaurenWinchester-1Risk + Response Tips 

Security tips and service updates from VP of Risk + Response Lauren Winchester


Help us keep your data secure. 

Implement MFA the next time you log in to the Policyholder Dashboard. It’s optional, but as you probably could have guessed, we highly recommend it. You can use any free authenticator app on your smartphone to complete the process, such as Google Authenticator or Duo Mobile. How it works:

  1. Open your chosen authenticator app on your phone.
  2. Login on your laptop/desktop.
  3. Use your phone’s authenticator app to scan the QR code to complete the setup.
  4. Implement MFA!

💡 Need a Policyholder Dashboard refresher? Forget where to download your policy? Love clicking things?

Become an expert on all of our digital policyholder benefits — and find answers to all your burning questions, such as: “what are my recommendations in the Action Center based on?” and “how does your non-invasive security scan work?” Head to our new, interactive Policyholder Dashboard walkthrough.


CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz


Cisco recently disclosed details about a cyber attack it responded to in May 2022. While threat actors did not succeed in deploying ransomware, they successfully penetrated Cisco’s network. What went wrong and what can we learn?

  1. The hacker gained access to a Cisco employee's personal Gmail account. They accessed saved credentials for the Cisco VPN.
  2. The hacker bypassed MFA. Using a combination of MFA push spamming (sending multiple MFA prompts to the user's phone) and by impersonating Cisco IT support, they gained access to the VPN. 
  3. After connecting to the VPN, the hackers enrolled new devices for MFA. This removed the need to continuously spam the user and allowed threat actors to move laterally.

The takeaway: MFA is still one of the most effective information security controls on the market today. But it’s not a “set and forget” solution that prevents all attacks. Even when it works like it should, users are still vulnerable to social engineering. Never accept an MFA push notification unless you are the one sitting at the keyboard trying to log in. 

📌 Be mindful that MFA prompt bombing is on the rise. There’s no limitation to the amount of calls or push notifications you can send as MFA requests, which means it’s not impossible (or even unlikely) to get an unsuspecting employee to begrudgingly hit accept at 1 a.m. We would be remiss if we didn’t tell you not to store your VPN credentials (or any credentials) in your browser. Instead, opt for a password vault like 1Password.

Monthly Alerts


Threat Alerts

What to watch for this month. 


The Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

Zimbra Collaboration Suite Vulnerability

On August 11, 2022, two vulnerabilities in the Zimbra Collaboration Suite (ZCS) were added to the CISA Known Exploited Vulnerabilities Catalog as reports of widespread exploitation recently surfaced. Customers are advised to update all Zimbra Collaboration Suite servers to the latest version immediately. Read more on our guidance. 

Realtek System on a Chip (SoC) Exploit Code Released (CVE 2022-27255)

An exploit was released for the Realtek system on a chip (SoC), which is used in many routers and IoT devices. The exploit allows code to be executed on the device without authentication. A patch has been available since at least March 2022, but since the chip resides in a myriad of products across different vendors, it’s up to each vendor to make the patch available via firmware updates for its devices. SANS Institute Dean of Research, Dr. Johannes B. Ullrich, writes that although the exploit is a big deal, there is not much that can be done about it. As the devices in need of updates likely number in the millions, this may be an issue for a long time. If you believe any of your devices might be affected, make sure to check with your vendor and apply any firmware updates.

BlackByte Ransomware Releases Version 2.0

The group just released its second iteration, calling it BlackByte 2.0. Borrowing from the latest Lockbit release, BlackByte 2.0 sports a new leak site and some new extortion methods. Victims can now pay to extend the ransomware deadline or prevent publication of their data right on the site. However, victim data can be purchased by other visitors on the BlackByte site as well. The group accepts cryptocurrency in Bitcoin (BTC) or privacy-focused Monero (XMR). As yet, it’s unclear whether the latest iteration includes improved encryption capabilities. The gang worked to fix encryption bugs last year after researchers found a loophole and provided a free decryptor to victims.

Thanks for reading!

- The Corvus Team