July '22 Corvus Policyholder Update

How to improve your Corvus Score, threat actors circumventing MFA, and more.

FOMO — the fear of missing out — hits hardest in the summer. While everyone is sharing pictures and stories from their grand vacations, you wonder what you’d have to do to score an invite. Good thing you’re always welcome to hang with the Corvus Threat Intel team, where you’ll find the latest updates surrounding the threat landscape. This week, learn more about updates from Microsoft, fresh research on attack vectors, and good news from the Department of Justice.

For more tips and trends in cybersecurity, keep reading from our experts:

LaurenWinchester-1Risk + Response Tips 

Security tips and service updates from VP of Risk + Response Lauren Winchester


Q: “How can I improve my Corvus Score?” 

A: “Start with the vCISO Action Center on your Policyholder Dashboard.”

The vCISO Action Center provides you a tailored prioritized list of recommendations based on the Corvus Scan findings and your responses to the Security Questionnaire. The most critical issues — those with the highest likelihood to increase your Corvus Score and your security posture — will be at the top. 

We know that security isn’t always a straight path and is unique to each environment. Having worked with thousands of policyholders on their cybersecurity journey, we can recommend best practices to improve your score, as these have had the highest impact for other organizations in the past. Two notable recommendations that can positively impact your score include:

  • Patch Critical Vulnerabilities. Ensure all software is patched to the latest versions. This comes from a strong patch management program to ensure that software is patched quickly when new versions are released.
  • Secure Remote Access. Assess your external footprint to ensure that only the systems and network ports required for business functionality are publicly accessible. Additionally, consider implementing Zero Trust Network Access (ZTNA) for secure remote access. This emerging technology minimizes your external footprint and securely ties authentication to your users.

We’ve got more tips (not tricks) up our sleeve. For the rest of our updated guidance on improving your Corvus Score, read our full article in the Knowledge Nest.

📌 If you haven’t filled our Renewal Process Survey, please do so! Let us know how we can continue to improve the Corvus policyholder experience. 


CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz


A threat actor used a single phishing campaign to target more than 10,000 organizations since September 2021, reports Microsoft. The approach seen here uses a fake Microsoft log-in page, which permits threat actors to steal their victim’s credentials and session cookie. By doing so, threat actors are able to bypass certain forms of MFA altogether — the attacker moves freely after, authenticated as you from the last time you logged in. 

How Cookie Hijacking Works. When you sign into Gmail, close the tab, and reopen it, all while staying logged in, you can thank the session cookie for your convenience. Unfortunately, that same perk applies to threat actors when successfully using the adversary-in-the-middle (AiTM) phishing approach.

The Lowdown on MFA. Let’s make it clear: you are much, much better protected with MFA than without. Like all cybersecurity, it’s not the end-all-be-all of your risk mitigation efforts. Cookie hijacking isn’t new, in fact, it’s been around for decades — but it’s just one approach that threat actors are using to circumvent a relatively reliable first line of defense. Not all MFA is created equal, for example, the US government has discouraged SMS and voice-call based MFA since 2017. We recommend implementing phishing-resistant alternatives such as FIDO2 hardware keys. These solutions typically combine something you have, like your smartphone or a physical dongle, and something specific to the user like a fingerprint or facial scan.

💡 As we continue to strengthen our security measures against cybercriminals, they are forced to get creative. You can read our blog post for a roundup of recent, innovative threats.

Monthly Alerts


Threat Alerts

What to watch for this month. 


The Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

“Questions for Confluence" App Vulnerability

On July 20, 2022, Atlassian issued a security advisory for a critical vulnerability, CVE-2022-26138, identified in the “Questions for Confluence” Support app within Atlassian's Confluence Server and Confluence Data Center servers. The default user account password for the Confluence support app "Questions for Confluence" was leaked. Read our guidance on mitigation steps here. 

Palo Alto GlobalProtect Vulnerability

Corvus Threat Intel has observed ransomware groups actively exploiting an old critical Palo Alto device vulnerability, CVE-2020-2021. The vulnerability allows a threat actor to bypass authentication to access the network. Find more guidance here.

Cisco Nexus Dashboard Vulnerabilities

Cisco released an advisory on multiple critical vulnerabilities in the Cisco Nexus Dashboard. These vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. Cisco has released software updates that address these vulnerabilities. Find more guidance here.

Jenkins Security Advisory

Jenkins, the company behind the popular open source automation server, released a security advisory detailing a total of 34 vulnerabilities affecting 25 different plugins. These vulnerabilities range from low to high severity. At the time of this writing, fixes are available for some of the published vulnerabilities. Find more guidance here.

North Korea Using Ransomware Groups to Target Small Businesses, Healthcare

In separate reports, CISA and the Microsoft Threat Intelligence Center linked the Maui and H0lyGh0st ransomware gangs to North Korean nation-state actors. The two groups are targeting small businesses and the healthcare sector, respectively. Experts believe that these financially motivated cybercrimes are being propagated to support the country’s struggling economy.