Cyber Security – CIO Tech Asia
http://ciotechasia.com
Latest News & Happenings In Asia In The Digital Age

ACSC issues joint Advisory on Russian ‘Snake’ Cyber Espionage Tool
http://ciotechasia.com/acsc-issues-joint-advisory-on-russian-snake-cyber-espionage-tool/
Wed, 10 May 2023 02:00:38 +0000

Tool used by Russia’s Federal Security Service

The Australian Cyber Security Centre has released a Joint Cybersecurity Advisory with its international partners on the Snake implant. The Snake implant is a sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets.

The Australian Cyber Security Centre has identified Snake infrastructure in over 50 countries; its targeting is purposeful and tactical, designed to collect intelligence from high-priority targets, such as government networks, research facilities, and journalists.

This Cybersecurity Advisory provides background on Snake’s attribution and detailed descriptions of the implant’s host architecture and network communications.

The technical information and mitigation recommendations provided are designed to assist network defenders in detecting Snake and associated activity. The Snake implant is considered the most sophisticated cyber espionage tool developed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.

To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes that route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets.

Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. We have identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake uses infrastructure across all industries, its targeting is purposeful and tactical.

Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists.

As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a North Atlantic Treaty Organization (NATO) country.

The FSB has victimised industries within the United States, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.

This Cybersecurity Advisory (CSA) provides background on Snake’s attribution to the FSB and detailed technical descriptions of the implant’s host architecture and network communications. This CSA also addresses a recent Snake variant that has not yet been widely disclosed.

The technical information and mitigation recommendations in this CSA are provided to assist network defenders in detecting Snake and associated activity.

For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

Introduction

What is Snake?

We consider Snake the most sophisticated cyber espionage tool in the FSB’s arsenal.

The sophistication of Snake stems from three principal areas. First, Snake employs means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture easily incorporates new or replacement components.

This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs, given its complexity.

Following open-source reporting by cybersecurity and threat intelligence companies on Snake tactics, techniques, and procedures (TTPs), the FSB implemented new techniques to evade detection. The modifications to the implant made Snake and related artifacts harder to identify and collect, directly hampering detection by both host- and network-based defensive tools.

The effectiveness of this type of cyber espionage implant depends entirely on its long-term stealth since the objective of an extended espionage operation involves remaining on the target for months or years to provide consistent access to important intelligence. The uniquely sophisticated aspects of Snake represent a significant effort by the FSB over many years to enable this type of covert access.

The FSB began developing Snake as “Uroburos” in late 2003. Development of the initial versions of the implant appeared to be completed around early 2004, with cyber operations first conducted using the implant shortly after that.

The name Uroburos is appropriate, as the FSB cycled it through nearly constant stages of upgrade and redevelopment, even after public disclosures, instead of abandoning it. The name appears throughout early versions of the code, and the FSB developers also left other unique strings, including “Ur0bUr()sGoTyOu#”, which have publicly returned to haunt them.

Unique features in early versions of Uroburos included a low-resolution image of a portion of a historical illustration of an Uroboros by the German philosopher and theologian Jakob Böhme. One approach to a tertiary backdoor used this image as the key. The same image had also been embedded in other Snake-related components. The image, blown up to a higher resolution, is shown right.

In addition, early FSB developers of the Snake implant left portions of unique code throughout the implant, which revealed inside jokes, personal interests, and taunts directed at security researchers. For instance, the “Ur0bUr()sGoTyOu#” string referenced above was replaced with “gLASs D1cK” in 2014 following some of the public cybersecurity reporting.

Snake operations have been attributed to an available unit within Center 16 of the FSB. This unit more broadly operates the numerous elements of the Turla[2] toolset and has subunits spread throughout Russia reflecting historical KGB signals intelligence operations in the Soviet Union.

Snake has been a core component of this unit’s operations for almost as long as Center 16 has been part of the FSB.[3] The extensive influence of Snake across the Turla toolset demonstrates its impact on practically every aspect of the unit’s modern era of cyber operations. Daily operations using Snake have been carried out from an FSB facility in Ryazan, Russia, with an increase in Snake activity during FSB working hours in Ryazan, approximately 7:00 AM to 8:00 PM, Moscow Standard Time (GMT+3).

The leading developers were Ryazan-based FSB officers known by monikers included in the code of some versions of Snake. In addition to developing Snake, Ryazan-based FSB officers used it to conduct worldwide operations; these operations differed from others launched from Moscow or other FSB sites based on infrastructure and techniques. While the development and re-tooling of Snake have historically been done by Ryazan-based FSB officers, Snake operations were also launched from an FSB Center 16-occupied building in Moscow.

According to the ACSC, the investigations have identified examples of FSB operators using Snake to their full potential and FSB operators who appeared unfamiliar with Snake’s more advanced capabilities. These observations illustrate the difficulty in using such an advanced toolset across the various geographically dispersed teams comprising this unit within FSB Center 16.

ACSC has been collectively investigating Snake and Snake-related tools for almost 20 years, and other operations by this unit since the 1990s. During that time, the FSB has used Snake in many different operations. They have demonstrated the value placed in this tool by making numerous adjustments and revisions to keep it viable after repeated public disclosures and other mitigations.

Snake’s code and multiple Snake-related tools have been either a starting point or a key influence factor for a diverse range of other highly prolific implants and operational tools in the Turla family. Most notably, this has included Carbon (aka Cobra)—derived from Snake’s code base—and the similarly Snake-adjacent implant Chinch (currently known in open sources as ComRAT).

ACSC has identified Snake infrastructure in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, including the United States and Russia. Although Snake leverages infrastructure across all industries, its targeting is purposeful and tactical. For instance, if an infected system did not respond to Snake communications, the FSB actors would strategically re-infect it within days.

Globally, the FSB has used Snake to collect sensitive intelligence from high-priority targets, such as government networks, research facilities, and journalists. As one example, FSB actors used Snake to access and exfiltrate sensitive international relations documents and other diplomatic communications from a victim in a NATO country.

Within the United States, the FSB has victimised industries, including education, small businesses, media organisations, and critical infrastructure sectors, including government facilities, financial services, critical manufacturing, and communications.

Other Tools and TTPs Employed with Snake

The FSB typically deploys Snake to external-facing infrastructure nodes on a network and, from there, uses other tools and TTPs on the internal network to conduct additional exploitation operations.

Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. Various mechanisms have been employed to gather user and administrator credentials to expand laterally across the network, including keyloggers, network sniffers, and open-source tools.

Typically, after FSB operators map out a network and obtain administrator credentials for various domains in the network, regular collection operations begin. In most instances with Snake, further heavyweight implants are not deployed, and they rely on credentials and lightweight remote-access tools internally within a network. FSB operators sometimes deploy a small remote reverse shell and Snake to enable interactive operations.

This triggerable reverse shell, which the FSB has used for around 20 years, can be used as a backup access vector or to maintain a minimal presence in a network and avoid detection while moving laterally.

Snake Architecture

Snake’s architectural design reflects professional software engineering practices. Critical pathways within the implant are stacks of loosely coupled components that implement well-designed interfaces. In addition to facilitating software development and debugging, this construction allows Snake to use multiple components for the same purpose, choosing the specific component based on environmental considerations.

For example, Snake’s custom network communications protocols function as a stack. All implementations use encryption and transport layers, such as Snake’s custom HTTP or raw TCP socket protocol. Each Snake network protocol stack layer solely implements a specified interface for operability with the two adjacent layers.

The encryption layer and underlying transport layer thus function independently, so any custom Snake network protocol can employ an encryption overlay without any change to the encryption layer code.[4] This modularity allows Snake operators to choose the most logical network transport for the given environment without affecting Snake’s other functionality.

When using a compromised HTTP server as part of the Snake P2P network, the operators can ensure that all traffic to this machine follows the Snake custom HTTP protocol and blends effectively with legitimate traffic.

In the context of a compromised machine that legitimately allows secure shell (SSH) connections, Snake can utilise its custom raw TCP socket protocol instead of its custom HTTP protocol. All other layers of the Snake protocol stack, from the immediately adjacent transport encryption layer to the distant command processing layer, can and do remain entirely agnostic to the transport layer as long as it implements its interface correctly.

This architecture also allows the Snake developers to easily substitute a new communications protocol when they believe one has been compromised without necessitating any downstream changes in the code base.

Lastly, this design facilitates the development of fully interoperable Snake implants running on different host operating systems. Snake’s technical sophistication extends from the software architecture to lower-level software implementation.

Original versions of Snake were developed as early as 2003 before many of the modern programming languages and frameworks that facilitate this type of modular development were available. Snake is written entirely in C, which provides significant advantages in low-level control and efficiency but does not provide direct support for objects or interfaces at the language level and provides no assistance with memory management.

The developers of Snake successfully implemented the implant’s complex design in C with very few bugs, including careful avoidance of the common pitfalls associated with null-terminated strings and the mixing of signed and unsigned integers. Additionally, the developers demonstrate an understanding of computer science principles throughout the implant’s implementation.

This includes selecting and correctly coding asymptotically optimal algorithms, designing and utilising efficient custom encoding methodologies that closely resemble common encoding schemes, and securely handling the numerous possible errors associated with systems-level programming.

Capitalising on Mistakes

Although the Snake implant is a highly sophisticated espionage tool, it does not escape human error.

A tool like Snake requires more familiarity and expertise to use correctly, and in several instances, Snake operators should have used it more effectively. Various mistakes in its development and operation provided us with a foothold into the inner workings of Snake. They were key factors in developing capabilities that have allowed for tracking Snake and manipulating its data.

The FSB used the OpenSSL library to handle its Diffie-Hellman key exchange. The Diffie-Hellman key set created by Snake during the key exchange is too short to be secure. The FSB provided the function DH_generate_parameters with a prime length of only 128 bits, which is inadequate for asymmetric key systems.

Also, in some instances of what appeared to be rushed deployments of Snake, the operators did not strip the Snake binary. This led to the discovery of numerous function names, cleartext strings, and developer comments, as seen in the following figure.

 

Malicious HTML attachments double since 2022
http://ciotechasia.com/malicious-html-attachments-double-since-2022/
Sun, 07 May 2023 23:00:25 +0000

HTML attacks can be tricky to detect

Businesses in Asia-Pacific could find themselves vulnerable to attack via HTML attachment, as the proportion of malicious files doubles in less than 12 months, according to the most recent Threat Spotlight from Barracuda, a trusted partner and leading provider of cloud-enabled security solutions.

Analysing millions of messages and files scanned by Barracuda’s security technologies in APAC and across the globe, the new report shows how in March 2023 just under half (45.7 per cent) of all HTML attachments scanned by Barracuda were malicious, more than double the proportion (21 per cent) reported in May last year.

HTML stands for Hypertext Markup Language and is used to create and structure content that is displayed online. It is also used in email communication – for example in automated newsletters, marketing materials, and more. In many cases, reports are attached to an email in HTML format (with the file extension .html, .htm or .xhtml, for example). Attackers can successfully leverage HTML as an attack technique in phishing and credential theft or for the delivery of malware.

According to Barracuda’s Threat Spotlight, not only is the overall volume of malicious HTML attachments increasing, but almost a year on from Barracuda’s last report, HTML attachments remain the file type most likely to be used for malicious purposes.

HTML attacks can be tricky to detect: instead of including malicious links in the body of an email, which would be detected, attackers embed HTML attachments in emails disguised as weekly reports and other generic work email types to trick users into clicking on phishing links. From there, user credentials can be phished by a third-party machine, whether via a phishing site or a phishing form embedded in the attachment.

“The security industry has been highlighting the trend of cybercriminals weaponising HTML for years – and evidence suggests it remains a successful and popular attack tool,” said Fleming Shi, Chief Technology Officer, Barracuda.

“Getting the right security in place is as important now as it has ever been. This means having effective, AI-powered email protection in place that can evaluate the content and context of an email beyond scanning links and attachments. Other important elements include implementing robust multifactor authentication or – ideally – Zero Trust Access controls; having automated tools to respond to and remediate the impact of any attack; and training people to spot and report suspicious messages.”

 

Microsoft expands access to cybersecurity skilling
http://ciotechasia.com/microsoft-expands-access-to-cybersecurity-skilling/
Mon, 01 May 2023 00:00:42 +0000

Aims to skill and certify 100,000 women in Asia

Microsoft is initiating new partnerships under its Ready4Cybersecurity program in Asia to improve access to cybersecurity skills and careers for the historically and systemically underrepresented, with a focus on young women. Now in its second year, Ready4Cybersecurity is committing to skill and certify 100,000 young women and underrepresented youths in cybersecurity by 2025, enhancing opportunities for employment in cybersecurity, filling the talent gap, and building a diverse cybersecurity workforce.

According to Microsoft’s Digital Defence Report, the volume of password attacks has risen to an estimated 921 attacks every second in 2022 – a 74 per cent increase in just one year. Cyberattacks often have devastating impacts – the average cost of a cyber breach has reached $US4.35 million. This has led to an increased demand for skilled cybersecurity professionals in the region.

To bridge the talent and skills divide, Microsoft’s Ready4Cybersecurity program, which is part of its global Cybersecurity Skilling Initiative, is specifically designed and curated to create alternative pathways to empower underrepresented youths that aspire to enter the cybersecurity industry.

There are a projected 3.5 million cybersecurity jobs to be filled globally in 2025, with a 350 per cent increase in demand for people with cybersecurity skills over an eight-year period.

Specifically, the opportunity for women to work in cybersecurity is huge, given that women make up only 25 per cent of the cybersecurity workforce globally. Through public-private partnerships, Ready4Cybersecurity will provide access to industry-recognized cybersecurity foundational and intermediate skills and certification to traditionally excluded populations to help them qualify for open roles – with 75 per cent of individuals trained to be women.

Since the launch of the Ready4Cybersecurity campaign in 2022, Microsoft has trained over 19,800 individuals from underserved communities, providing up to 18,300 cyberskilling initiatives. In the second year of the campaign, Microsoft will continue to work with its partners to skill and certify young women and underrepresented youths in cybersecurity to drive positive impact.

To achieve its commitments, Microsoft is taking a holistic approach to create a more diverse and inclusive cybersecurity workforce:

  • Partnering with non-profits: Microsoft has partnered with non-profits who are in direct contact with the underserved communities, empowering non-profits to directly skill identified segments of the underserved populations, particularly young girls and women.
  • Equipping the education systems: A key strategy to address the cybersecurity gap will be to equip educational institutions to effectively teach cybersecurity to the next generation of talent and inspire them to become defenders against cyber threats.
  • Scaling with governments: Microsoft believes that the road to digital peace requires a collaborative effort that involves multiple stakeholders, including governments, tech companies, non-governmental organizations, and international organizations working together towards a common goal.
  • Leveraging Microsoft’s customer and partner ecosystem: Microsoft has been closely partnering with its network of customers and partners to reassess hiring avenues and consider alternative pathways that focus less on paper qualifications and more on a skills-based approach.

To combat the rising threat of cybercrimes, a multi-stakeholder approach is needed. Microsoft aims to build capacities of more training organizations as well as non-profits to offer cybersecurity skilling to underserved groups.

Manju Dhasmana, Regional Philanthropies Director – Asia, Microsoft, said: “There is a pressing need to address the gender gap in the cybersecurity field where women make up only 25 per cent of cybersecurity professionals globally. We must recognize that a diverse cybersecurity workforce is key in the fight to defend cyberspace and boost cyber resilience. Addressing diversity gaps in the industry requires intentionality in program design and execution. We are committed to working with local education, non-profit, government and business organizations, through such programs as Ready4Cybersecurity, to develop partnerships and initiatives to improve access to cybersecurity skilling and to empower more women and underserved communities to pursue a career in this critical industry.”

 

2023-2030 Australian cyber security strategy
http://ciotechasia.com/2023-2030-australian-cyber-security-strategy-2/
Fri, 28 Apr 2023 02:00:30 +0000

There is a danger in introducing additional regulation

Executive Summary

The AICD strongly supports Government and industry working together to ensure that Australia is a world leader in cyber security, with citizens having confidence that our economy operates within a secure and trusted digital environment. A Government-industry partnership should focus on enhancing cyber resilience across the Australian economy, with any new regulations being risk-based and developed with a strong appreciation of the potential compliance costs and impacts on innovation. There is a danger that introducing additional regulation, including at the board level, will result in a culture that prioritises being cyber compliant rather than cyber resilient.

 

Macquarie defence strategic review
http://ciotechasia.com/macquarie-defence-strategic-review/
Wed, 26 Apr 2023 01:00:38 +0000

Macquarie Government welcomes enhanced cyber focus

Macquarie Government, part of Macquarie Telecom Group, has welcomed the Albanese Government’s release of the public version of the Defence Strategic Review (DSR) as the strongest indication yet of the importance of cybersecurity to Government and Defence capabilities.

The DSR, to which Macquarie contributed a detailed submission during public consultation, sets the agenda for ambitious, but necessary, reform to Defence’s posture and structure. The DSR notably places strong emphasis on cybersecurity as an important defensive and offensive capability within Defence, and hints at a new commitment by the Albanese Government to grow Australia’s sovereign industrial capability through the DSR’s updated uplift programs. Macquarie Government Managing Director Aidan Tudehope said, “the new regional strategic environment articulated in the DSR underscores the need to include cybersecurity in the Defence reform agenda given its horizontal effect across all five military domains, notwithstanding to Australia’s critical infrastructure and systems of national significance.

“Cyber is a form of power projection which can be used in advance of kinetic attacks, or to cripple critical national infrastructure. It is also a tool of statecraft that is used for coercion, as the DSR has rightly called out. To unilaterally deter offensive military action against Australia’s forces, and to protect Australia’s social and economic interests, high level cyber capability and the digital infrastructure that supports it, must be fundamental to Defence capability.

“The Prime Minister has rightly called out the ‘need to have greater control over our national sovereignty’,” said Tudehope. “In this context it’s important to call out local industries that are directly supporting Defence, including cyber security, ICT, and space. When these sectors are strong Australia is less vulnerable to global supply chain challenges and less reliant on our allies and partners for enabling capabilities during conflict.”

Macquarie also welcomed the recommendation for a biennial National Defence Strategy, particularly given the speed at which cyber threats continue to evolve. Macquarie’s cyber engineers now monitor between seven and eight billion cyber events every day, protecting nearly half of federal government agency personnel from cyberattacks.

Tudehope applauded the government’s recommendation to reform Defence capability procurement; specifically, to focus on ‘delivering timely and relevant capability’ and move away from ‘project management risk’ towards ‘strategic risk management’.

“This guidance will help Defence achieve the right balance of local-ally-partner capabilities to support the ADF war fighter. A balance that will ensure Australia is a capability contributor to AUKUS and not solely a capability consumer,” he said.

In conclusion, Tudehope said the DSR presents an opportunity for the Government and Defence to be bold in uplifting Australia’s sovereign industrial capability, and that doing so will provide national resilience through robust cyber security, data networks, and space capabilities with capacity to scale, just as the DSR calls for.

“The Defence Strategic Review has rightly articulated both the threat and the opportunity,” he said.

“We have, through the DSR, the opportunity for Australian primes to grow and thrive in partnership with our international partners, bolstering Australia’s security, creating jobs, and ensuring scientific and technological prowess that will improve knowledge, innovation and expertise for decades to come.”

 

An inside look at bot attacks and fraud trends http://ciotechasia.com/an-inside-look-at-bot-attacks-and-fraud-trends/ Tue, 25 Apr 2023 00:00:40 +0000

Bad bot traffic overall increased even as people spent less time online

HUMAN Security, Inc., the global leader in protecting enterprises by disrupting digital fraud and abuse with modern defence, today announced the release of its 2023 Enterprise Bot Fraud Benchmark Report. The annual report provides insights into automated attack trends across enterprise use cases, including account takeover, brute forcing, carding, credential stuffing, inventory hoarding, scalping and web scraping.

Key takeaways from the report include:

  • Bad bot traffic overall increased even as people spent less time online. Legitimate human traffic dropped 28 per cent YoY, but bad bot traffic increased 102 per cent YoY — meaning that the percentage of bad bots out of overall traffic has increased even faster.
  • Automated attacks continued to grow. Web applications experienced a YoY increase in three common types of bot attacks. Carding attacks rose 134 per cent YoY, account takeover attacks rose 108 per cent YoY, and scraping rose 107 per cent YoY.
  • Certain industries experienced more bot attacks than others. Bad bots accounted for 57 per cent of traffic to online businesses in the Media and Streaming industry. Just under 50 per cent of traffic to companies in the Travel and Hospitality industry (49 per cent) and the Ticketing and Entertainment industry (46 per cent) was automated.
  • Bad actors conducted more bot attacks during top shopping periods. The holiday shopping season drew more automated attacks than the rest of the year; the peak day (October 25) saw 199 per cent more bad bot traffic than the yearly average.
  • Enterprise attackers prefer to hide behind desktop devices. 25.7 per cent of malicious requests appeared to come from mobile, as compared to 61 per cent of legitimate requests.
  • Attackers will utilize anonymizing proxy servers to look like normal human traffic. More than 68 per cent of worldwide malicious traffic came from U.S. proxy servers. That number drops to 47 per cent when looking only at traffic to non-U.S. applications and grows to 75 per cent for traffic to U.S. applications only.

“It’s clear that bots are a pervasive threat,” said HUMAN CISO Gavin Reid. “It is extremely easy for bad actors to conduct malicious bot attacks and fraud with minimal effort or risk.”

The report emphasizes why it is critical for companies to understand the full scope of the bot problem for their own organizations and customers. As cyber criminals continue to evolve and adapt, businesses must remain vigilant by taking proactive measures to protect their assets. Achieving this requires a comprehensive and collaborative approach leveraging the principles of modern defence and collective protection to tip the scales and win against attackers.

HUMAN’s annual Enterprise Bot Fraud Benchmark Report is based on data gathered from the Human Defence Platform, which verifies the humanity of more than 20 trillion digital interactions per week. That is 33 million every second. These unique insights empower organizations to better defend against bot attacks and fraud that pose significant risks to their revenue and brand reputation.

 

Building cyber hygiene capacity in Asia http://ciotechasia.com/building-cyber-hygiene-capacity-in-asia/ Sun, 23 Apr 2023 23:00:26 +0000

Cybersecurity is a global issue

A system or network vulnerability exploited on the other side of the world can quickly have implications across geographical boundaries, directly impacting the critical infrastructure Americans rely on for their way of life. For this reason, the CISA Global Strategy calls for capacity building with our international partners to make cyberspace safer and more secure for their citizens, and ours.

In March, CISA conducted a series of first-of-their-kind capacity-building engagements overseas in Thailand, the Philippines, and Indonesia. The cyber hygiene workshops focused on highly interdependent sectors, including national defence, banking, business, aviation, and shipping.

During the workshops, CISA cybersecurity and vulnerability management experts covered information technology/operational technology (IT/OT), industrial control systems, threat actors, threat intelligence, cyber-attack frameworks, workforce development tools, and case studies of common attacks. Major themes that emerged during the workshops included the need to develop greater cooperation between IT/OT; raise awareness of phishing and other attack vectors within organizations; and develop the public sector cybersecurity workforce.

To advance these longstanding strategic partnerships in Southeast Asia, CISA and the U.S. State Department worked closely with Thailand’s National Cyber Security Agency (NCSA), the Philippine Department of Information and Communications Technology, and Indonesia’s National Cyber and Crypto Agency. Indonesia is the largest member state in the Association of Southeast Asian Nations (ASEAN), which develops mutually beneficial dialogues, cooperation, and partnerships on behalf of its member states. Indonesia is also home to the ASEAN secretariat. Thailand and the Philippines are long-time treaty allies of the United States, and many major American financial firms rely on core business processing, such as call centres and back-office operations, outsourced to the Philippines.

Thailand’s NCSA Secretary General Amorn Chomchoey expressed deep appreciation to CISA for the workshop, noting that it was his “dream” to enhance collaboration between his agency and CISA.

Fleur-de-lis Nadua, the Philippine Department of Information and Communications Technology planning officer, who leads the secretariat for the country’s National Cybersecurity Inter-Agency Committee, added, “There’s so much to learn from CISA. What we worked on this week is very useful for Philippine cybersecurity and for protecting critical infrastructure.”

The workshops not only helped our international partners build their capacity to extend our collective defence, but also heightened our partnerships in Southeast Asia, helping us build a secure and resilient cyber ecosystem across the globe.

 

Towards stronger EU capabilities http://ciotechasia.com/towards-stronger-eu-capabilities/ Fri, 21 Apr 2023 00:00:56 +0000

The EU is committed to ensuring that all European citizens and businesses are well protected

Today, the Commission has adopted a proposal for the EU Cyber Solidarity Act to strengthen cybersecurity capacities in the EU. It will support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, as well as reinforce solidarity, concerted crisis management and response capabilities across Member States. The Cyber Solidarity Act establishes EU capabilities to make Europe more resilient and reactive in the face of cyber threats, while strengthening existing cooperation mechanisms. It will contribute to ensuring a safe and secure digital landscape for citizens and businesses and to protecting critical entities and essential services, such as hospitals and public utilities.

The Commission has also presented a Cybersecurity Skills Academy, as part of the 2023 European Year of Skills, to ensure a more coordinated approach towards closing the cybersecurity talent gap, a prerequisite to boosting Europe’s resilience. The Academy will bring together various existing initiatives aimed at promoting cybersecurity skills and will make them available on an online platform, thereby increasing their visibility and boosting the number of skilled cybersecurity professionals in the EU.

Under the European Security Union, the EU is committed to ensuring that all European citizens and businesses are well protected, both online and offline, and to promoting an open, secure, and stable cyberspace. Yet, the increasing magnitude, frequency and impact of cybersecurity incidents represent a major threat to the functioning of network and information systems and to the European Single Market. Russia’s military aggression against Ukraine has further exacerbated this threat, along with the multiplicity of state-aligned, criminal and hacktivist actors involved in current geopolitical tensions.

Building on a strong strategic, policy and legislative framework that is already in place, the proposed EU Cyber Solidarity Act and the Cybersecurity Skills Academy will further contribute to enhancing detection of cyber threats, resilience, and preparedness at all levels of the EU’s cybersecurity ecosystem.

EU Cyber Solidarity Act

The EU Cyber Solidarity Act will strengthen solidarity at Union level to better detect, prepare for and respond to significant or large-scale cybersecurity incidents, by creating a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.

To detect major cyber threats quickly and effectively, the Commission proposes the establishment of a European Cyber Shield, which is a pan-European infrastructure composed of national and cross-border Security Operations Centres (SOCs) across the EU. These are entities tasked with detecting and acting on cyber threats. They will use state-of-the-art technology, such as artificial intelligence (AI) and advanced data analytics, to detect and share timely warnings on cyber threats and incidents across borders. In turn, authorities and relevant entities will be able to respond more efficiently and effectively to major incidents.

These centres could be operational by early 2024. As a preparatory phase of the European Cyber Shield, in April 2023 the Commission selected, under the Digital Europe Programme, three consortia of cross-border Security Operations Centres (SOCs), bringing together public bodies from 17 Member States and Iceland.

The EU Cyber Solidarity Act also includes the creation of a Cyber Emergency Mechanism to increase preparedness and enhance incident response capabilities in the EU. It will support:

  • Preparedness actions, including testing entities in highly critical sectors (healthcare, transport, energy, etc.) for potential vulnerabilities, based on common risk scenarios and methodologies.
  • Creating a new EU Cybersecurity Reserve consisting of incident response services from trusted providers pre-contracted and therefore ready to intervene, at the request of a Member State or Union Institutions, bodies, and agencies, in case of a significant or large-scale cybersecurity incident.
  • Providing financial support for mutual assistance, where a Member State could offer support to another Member State.

Moreover, the proposed Regulation establishes the Cybersecurity Incident Review Mechanism to enhance Union resilience by reviewing and assessing significant or large-scale cybersecurity incidents after they have taken place, drawing lessons learned and, where appropriate, issuing recommendations to improve the Union’s cyber posture.

The total budget for all actions under the EU Cyber Solidarity Act is EUR 1.1 billion, of which about 2/3 will be financed by the EU through the Digital Europe Programme.

EU Cybersecurity Skills Academy

The EU Cybersecurity Skills Academy will bring together private and public initiatives aimed at boosting cybersecurity skills at European and national levels, making them more visible and helping to close the cybersecurity talent gap.

The Academy will initially be hosted online on the Commission’s Digital Skills and Jobs platform. Citizens interested in pursuing a career in cybersecurity will be able to find training and certifications from across the EU in a single place online. Stakeholders will also be able to pledge their support to improve cybersecurity skills in the EU by initiating specific actions, such as offering cybersecurity trainings and certifications.

The Academy will evolve to include a common space for academia, training providers and industry helping them to coordinate education programmes, trainings, funding, and monitor the evolution of the cybersecurity job market.

Certification Schemes for Managed Security Services

The Commission has also proposed today a targeted amendment to the Cybersecurity Act, to enable the future adoption of European certification schemes for ‘managed security services’. These are highly critical and sensitive services provided by cybersecurity service providers, such as incident response, penetration testing, security audits and consultancy, to help companies and other organisations prevent, detect, respond to, or recover from cyber incidents.

Certification is key and can play an important role in the context of the EU Cybersecurity Reserve and the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), facilitating also the cross-border provision of these services.

Next Steps

The European Parliament and the Council will now examine the proposed Regulation on the EU Cyber Solidarity Act, as well as the targeted amendment to the Cybersecurity Act.

The European Cybersecurity Competence Centre will organise a joint procurement of tools and infrastructures with the selected cross-border Security Operations Centres to build cyber detection capabilities.

The EU Cybersecurity Agency (ENISA) and the European Cybersecurity Competence Centre will continue working on cybersecurity skills, contributing to the implementation of the Cybersecurity Skills Academy, in line with their respective mandates, and in close cooperation with the Commission and the Member States.

The Commission proposes that the Academy takes the shape of a European digital infrastructure consortium (EDIC), a new legal framework to implement multi-country projects. This possibility will now be discussed with Member States.

It is also necessary to ensure that professionals undertake required quality trainings. In this regard, ENISA will develop a pilot project, exploring the set-up of a European attestation scheme for cybersecurity skills.

 

16 percent of organisations recovered data from hackers http://ciotechasia.com/16-percent-of-organisations-recovered-data-from-hackers/ Thu, 20 Apr 2023 00:00:30 +0000

It’s critical for organisations to reduce the risk before a response is needed

Almost all IT and security leaders (96 per cent) globally are concerned their organisation will be unable to maintain business continuity following a cyberattack, according to a new study released today by Rubrik, the Zero Trust Data Security Company. “The State of Data Security by Rubrik Zero Labs: The Hard Truths of Data Security” provides a unique view into the data security landscape, what IT and security leaders experienced and struggled with in 2022, and the actions and steps they are taking to establish real cyber resilience.

Rubrik Zero Labs commissioned its second global study with Wakefield Research to gather insights from more than 1,600 IT and security leaders, half of whom were CIOs and CISOs, across 10 countries. Supplemented by Rubrik telemetry, key findings of the report include:

Everyone is “Doing” Data Security, But Reality & Results Vary:

  • Data security is becoming increasingly complex and the datasets that require securing are growing rapidly. Rubrik internal data revealed that on average, the growth of data secured in 2022 was 25 per cent (on premises grew 19 per cent, cloud grew 61 per cent, and SaaS data secured grew 236 per cent last year).
  • More than half (56 per cent) of organisations currently employ at least one zero trust initiative.
  • However, only 56 per cent of IT and security leaders developed or reviewed an incident response plan in 2022, and 54 per cent tested backup and recovery options.

Legacy Data Backups, the Last Line of Defence for Many, are Falling Short:

  • 99 per cent of external organisations reported having backup and recovery technology, with 93 per cent encountering significant issues with their solution.
  • Nine out of ten external organisations reported malicious actors attempted to impact data backups during a cyberattack, and 73 per cent were at least partially successful in these attempts.
  • Nearly three quarters (72 per cent) of organisations reported paying a ransomware demand.
  • Only 16 per cent of all global organizations recovered all their data via attacker decryption tools.

New and Constantly Evolving Problems Are Met with the Existing Challenges Pre-dating an Intrusion:

  • Almost half (47 per cent) of IT and security leaders believe their 2023 cybersecurity budget is not enough of an investment.
  • 27 per cent expect their IT and cybersecurity budgets to decrease in 2023.
  • IT and security leaders will need to work at bringing their teams together with only 4 per cent stating there are no factors limiting the IT and security alignment requiring their attention this year.

“It’s clear organisations understand the gravity and impact of cyber incidents, but we also see a range of roadblocks from a lack of preparation, misalignment between IT and security teams, and over-reliance on insufficient backup and recovery solutions,” said Steven Stone, Head of Rubrik Zero Labs. “In the current era of cybersecurity, the best outcome is ensuring cyber resilience. Incidents are inevitable, so it’s critical to reduce the risk before a response is needed, and—at all costs—protect the crown jewel: the data.”

“The State of Data Security” comes from Rubrik Zero Labs, the company’s cybersecurity research unit formed to analyse the global threat landscape, report on emerging data security issues, and give organisations research-backed insights and best practices to secure their data against increasing cyber events.

 

The ACCC calls for a united front http://ciotechasia.com/the-accc-calls-for-a-united-front/ Tue, 18 Apr 2023 01:00:44 +0000

Scammers steal over $US3bn from Australians

The latest Targeting Scams report has revealed Australians lost a record $US3.1 billion to scams in 2022, as government, law enforcement and the private sector look to improve collaborative efforts to support the community in the fight against scams. This is an 80 per cent increase on total losses recorded in 2021.

The report compiles data reported to the ACCC’s Scamwatch, ReportCyber, the Australian Financial Crimes Exchange (AFCX), IDCARE and other government agencies.

It shows that investment scams were the highest loss category ($US1.5 billion), followed by remote access scams ($US229 million) and payment redirection scams ($US224 million).

“Australians lost more money to scams than ever before in 2022, but the true cost of scams is much more than a dollar figure as they also cause emotional distress to victims, their families and businesses,” ACCC Deputy Chair Catriona Lowe said.

“As scammers become increasingly sophisticated in their tactics, it is clear a co-ordinated response across government, law enforcement and the private sector is essential to combat scams more effectively.”

“That’s why we continue to lend our expertise and support to prepare for the establishment of the Government’s National Anti-Scam Centre, with the ultimate aim of making Australia the hardest target for scammers,” Lowe said.

Reports to Scamwatch

Scamwatch received 239,237 scam reports last year, a 16.5 per cent drop on the number of reports received in 2021.

However, financial losses reported to Scamwatch in 2022 totalled more than $US569 million, a 76 per cent increase compared to losses reported in the previous year.

Despite fewer reports to Scamwatch, losses experienced by each victim rose by more than 50 per cent last year, to an average of almost $US20,000.

This is due, in part, to scammers using new technology to lure and deceive victims.

“Scammers evolve quickly and unfortunately, many Australians are losing their life savings,” Lowe said.

“We have seen alarming new tactics emerge which make scams incredibly difficult to detect. This includes everything from impersonating official phone numbers, email addresses and websites of legitimate organisations to scam texts that appear in the same conversation thread as genuine messages. This means, now more than ever, anyone can fall victim to a scam.”

“There has been an explosion of reported losses to phishing scams in the past year, such as ‘Hi Mum’ and Toll/Linkt text scams, which skyrocketed by 469 per cent to $US24.6 million in 2022,” Lowe said.

Collaborative efforts increase

Millions of Australians became more vulnerable to scams in 2022, following a spate of large-scale, high-profile data breaches late last year.

“Scammers are the most opportunistic of all criminals. Unfortunately, the more information a scammer has about you, the more convincing they can be,” Ms Lowe said.

“In the weeks after the data breaches, there were hundreds of reports to Scamwatch, including reports of scammers impersonating government departments and businesses to carry out identity theft and remote access scams.”

“While this brought about unprecedented collaboration across government, law enforcement and industry to share information and disrupt scams, there is still more work to be done,” Lowe said.

“Unfortunately, there are still significant gaps between and within the key sectors – banks, telcos, and digital platforms; and between regulators that scammers exploit to steal money from customers. So, we would like to see initiatives that apply across the sectors, knowing that scammers will target the weakest link.”

The ACCC continues to advocate for a three-pronged approach to tackling scams.

“First, we need to stop scammers reaching consumers by disrupting phone calls, SMS, email, social media messaging or other ways in which scammers contact would-be victims. Second, we need to make sure consumers are supported with up-to-date information, so they have the best chance of spotting a scammer when contacted. Finally, we need effective measures in place to prevent funds being transferred to scammers,” Lowe said.

People experiencing vulnerability suffered record financial losses

In 2022, Australians that may have been experiencing vulnerability or hardship reported record losses.

People with a disability reported financial losses of $US33.7 million, a 71 per cent increase compared to 2021.

Indigenous Australians also reported losses of $US5.1 million (up five per cent compared to 2021) to Scamwatch, while the median loss for Indigenous Australian scam victims rose to $US754, from $US650 reported in 2021.

People from culturally and linguistically diverse communities made 11,418 scam reports which resulted in losses of $US56 million, up 36 per cent compared to 2021.

“We are very concerned that people experiencing vulnerability continue to be disproportionally impacted by scams,” Lowe said.

“Our report shows that people from culturally and linguistically diverse communities were significantly over-represented in terms of financial losses across a range of scam-types, accounting for more than one quarter (27.9 per cent) of total losses associated with identity theft and about a third (32.7 per cent) of all losses to pyramid schemes.”

“This is a worrying trend that urgently needs to be addressed by both government and industry with input from consumer advocacy groups.”

“Traditional bank transfers remain one of the most reported payment methods to scammers. While some banks have made recent positive steps to protect their customers, we would welcome uniform measures across the sector, like the UK’s Confirmation of Payee, which matches an account number to the intended recipient across all banks,” Lowe said.

Small and micro businesses’ losses doubled in 2022

Scamwatch data shows that small and micro businesses lost $US13.7 million to scams in 2022, a 95 per cent increase compared to the previous year. The biggest contributor to these losses was payment redirection scams, also known as business email compromise.

More broadly, there was a 73 per cent increase in scam losses across the Australian business community last year, totalling $US23.2 million.

Top tips for avoiding scams

  • Stop – take your time before giving money or personal information.
  • Think – ask yourself if the message or call could be fake.
  • Protect – act quickly if something feels wrong. Contact your bank and report scams to Scamwatch.

 
