January '24 Policyholder Newsletter

Active ransomware gangs are up 34% (and other findings from our Q4 Ransomware Report)

We aren’t just full-time cybersecurity experts — we are also proud trendsetters. Below, we’ve compiled our “ins” and “outs” for 2024:

In:

  • Observing ransomware leak sites: our Threat Intel team plans to keep up their habit of tracking the dark web — read the latest 
  • Proactive risk mitigation: your Risk Dashboard helps prioritize your security efforts, year-round — login now to see recommendations for your organization!

Out:

  • Ransomware lulls: the ransomware economy is alive and thriving (unfortunately)
  • Decaf: we’re going to need ALL the extra energy in 2024

For more on the latest from Corvus and the threat landscape, keep reading...


[BANNER] Threat Intel Corner

Our Q4 Ransomware Report is live! Some key takeaways include:

  1. If all your friends joined a ransomware gang, would you?

    • Our data points to yes, if the right proprietary encryptors leak first. After a string of financial successes this year, ransomware groups are splitting up or forming brand new operations — resulting in 34% more active gangs from Q1 to Q4.
  2. Ransomware was down in Q4 — but hold off on celebrating.

    • Q4 2023 was still a 69.52% increase YoY, and 2023 was a record-breaking year overall. Law enforcement successfully disrupted malware networks and ALPHV/BlackCat, resulting in only a temporary slowdown before attacks returned to their original levels.
  3. Threat actors are like NYC rats: resilient.

    • As mentioned above, the law intervened and took down the Qakbot malware network, disrupting several prolific gangs. But threat actors have quickly pivoted to other malware strains, such as “Pikabot” and “DarkGate.”
  4. Did you study? Our patching capabilities are being tested.

    • Last year, we saw an intense pivot to mass exploits: VMware, GoAnywhere, and MOVEit (to name a few). In Q4, the ransomware gangs LockBit and Medusa exploited the critical Citrix NetScaler flaw known as CitrixBleed, resulting in several high-profile cases. This suggests that the reliance on exploiting external vulnerabilities isn’t going anywhere.

[LINE GRAPH] Total Ransomware Leak Site Victims from Q1 2021 - Q4 2023


[BANNER] Risk Advisory Tips

Cyber threats are always evolving. We regularly update the Risk Dashboard so you have the most up-to-date insights.

Most recently, we’ve included updates in the Action Center to notify you if we catch third-party tracking technology, like tracking pixels, embedded in your organization’s website. Due to ongoing legal and regulatory scrutiny related to tracking technologies, we recommend carefully evaluating their use.

[DIAGRAM] Corvus Risk Prevention Alert Example

Your Risk Dashboard is a live cyber prioritization tool. How it helps:

  1. Personalized threat updates

    • We keep tabs on new critical vulnerabilities. If one is likely to impact your organization, you’ll find an alert on your Dashboard and in your inbox.
  2. Up-to-date findings

    • Every month, we rescan your organization’s external IT to make sure there are no red flags. Your Action Center is a great place to find big and small actions — the name is literal! — that you can take to reduce your risk.
  3. Direct communication with us

    • As you look into any issues we find, you can let us know where you stand in the remediation process. Or tell us if you think we got it wrong. Someone from Risk Advisory will be happy to talk through it.


[BANNER] Threat Alerts

The Corvus Scan is a powerful asset that enables us to identify which policyholders may be at greater risk for vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation.

We’ve gathered a monthly round-up of our alerts and threat intel updates below:

GoAnywhere Vulnerability Advisory | January 2024

CVE-2024-0204

You may remember the GoAnywhere vulnerabilities from almost a year ago that were exploited by the CL0P ransomware gang in mass attacks. Another critical security flaw has been reported this month in the GoAnywhere managed file transfer (MFT) solution. This tool is often used by companies to transfer encrypted files securely. Attackers can exploit this vulnerability to bypass authentication and create a new admin user. From there, it is easy for an attacker to use the newly created admin account to access and steal sensitive data or take other malicious actions. Given the history of attackers quickly exploiting similar flaws in mass-exploitation campaigns, it is critical that impacted organizations patch to at least version 7.4.1 immediately. See our article here for more information.

Confluence Data Center Vulnerability Alert | January 2024

CVE-2023-22527

Within days of being disclosed, a new vulnerability in Confluence Data Center and Server is being exploited by attackers. This flaw affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 as well as 8.4.5, which no longer receives backported fixes in accordance with Atlassian’s Security Bug Fix Policy. Affected organizations should update to the most recent fixed version to avoid becoming victims. See our knowledge article here for more information.

Ivanti Connect Secure Vulnerability Alert | January 2024

CVE-2023-46805 & CVE-2024-21887

On January 10, 2024, Ivanti issued a security advisory for two critical security vulnerabilities (CVE-2023-46805 & CVE-2024-21887). The vulnerabilities affect Ivanti Connect Secure and Ivanti Policy Secure gateways, products commonly used to facilitate secure remote access. Although security patches are forthcoming, Ivanti has published guidance to mitigate the risk until a patch is released. These actions should be taken immediately to prevent unauthorized access. See our knowledge article here for more information.