
The Constantly Evolving Cyber Threat Landscape: Current Lessons for CISOs

Because the risks are growing more in volume than in complexity, existing defenses can usually suffice. Here is a look at some of the more novel threats and effective responses.

Friday, November 3, 2023

By Aaron Pinnick

Cybersecurity remains a top priority for executives across multiple industries, as threats continue to rise in volume and frequency – thereby increasing the risk businesses face.

As the threat landscape expands and new risks are discovered, chief information security officers (CISOs) can feel pressured to introduce new technologies and/or processes to combat emerging threats. However, chasing threat-specific solutions depletes valuable time and resources unnecessarily, because most threats across the cyber landscape can be mitigated with a well-designed cybersecurity program.

CISOs should resist chasing after supplemental solutions and should instead reinvest their efforts into strengthening the core elements of their cyber program to stay protected.

ACA Aponix analyzed the threat landscape from March 2022 to May 2023 to glean lessons from well-publicized cyberattacks that can help CISOs secure their organizations.

Researchers reviewed 20 of the most significant breaches in that timeframe, ranked by the number of individuals impacted, the sensitivity of the information accessed, the time it took to identify and contain the incident, and whether the breach required action by the affected individuals and/or cyber programs.

The findings reflect that while there is a lot of noise surrounding what is going on within the threat landscape, many of the threats – even the novel ones – could be mitigated with common best practices for cybersecurity programs.

ACA’s Aaron Pinnick: Fortify the foundation.

The threat landscape can be difficult to navigate because large incidents (such as Uber’s breach in September 2022) get a lot of news coverage and often result in C-suites, boards and investors asking CISOs if the firm is prepared to prevent a similar incident. However, many cyber programs are already equipped with the tools to prevent these threats.

In fact, 75% of the incidents selected for this study did not require new preventative methods to combat the threat adequately. Even the larger incidents were primarily caused by lapses in standard controls, such as inadequate vendor due diligence and slow recovery efforts. This is good news for CISOs, who can shift their efforts towards fortifying their cybersecurity program rather than worrying about the growing threat landscape.

Still, cybercriminals have utilized some truly novel tactics within the past year that CISOs should be aware of. These unique incidents would require CISOs to implement a new step/process, so we have conducted case studies on the three most novel and impactful of our list. Here we dive deeper into the Blank Image Attack, HardBit Ransomware, and AI Infospreader Malware.

Blank Image Attack

Description: The "blank image" attack is a phishing technique in which the lure email impersonates a DocuSign notification for a completed document and carries an HTML attachment. The email's visible link goes to DocuSign's legitimate landing page, which lends the message credibility, but the attachment is the payload: it embeds a base64-encoded SVG (scalable vector graphics) file. The SVG draws nothing, so the user sees a blank image when the attachment opens in their browser, while the JavaScript embedded in the SVG runs and redirects the browser to the attacker's site. HTML attachments have become more popular with cybercriminals because many email filters treat them as harmless documents rather than executable content, and the base64 encoding hides the script from simple pattern matching.

Uniqueness: Researchers at Avanan reported the blank image attack in January 2023, though similar tactics using SVG files inside HTML attachments to carry malicious code had been reported in December 2022. What sets this attack apart is the use of DocuSign's legitimate landing page as part of the lure, so the message passes the "hover over the link" check that employees are trained to apply. Hackers have long abused DocuSign's assumed legitimacy by creating look-alike websites and links, but as cyber programs and employee training have improved at identifying suspicious links, cybercriminals have had to get more creative.

Remediation: CISOs should consider blocking HTML/.HTM attachments from external senders, since legitimate business correspondence rarely needs them and the attack only works once the attachment opens in the user's browser, and should ensure employees are trained to spot the common signs of a phishing attempt. Employees should treat any unexpected attachment as suspect even when the email also contains a legitimate-looking link, and should not open attachments or links they did not ask for or were not expecting. If they are unsure of the sender's validity, they should contact the sender through a known channel, not by replying to the message, to confirm that the request is authentic.
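The attachment-level check a mail gateway or incident responder would run against an HTML file is shown below. This is an added example written for this article, not Avanan's analysis code and not a sample from the real campaign: the attachment and the benign comparison file are constructed inline, and the redirect host uses the reserved .invalid domain as a placeholder. The scanner pulls every SVG out of the HTML (base64 data: URIs and inline elements), then flags the two tells of a blank image attack together: an SVG that draws nothing, and an SVG that carries script or a location redirect.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample, not the captured attachment from the campaign: an HTML
# "document viewer" that loads a base64-encoded SVG through <embed>. The SVG
# draws nothing and carries a <script> that redirects the browser. The host name
# is a placeholder on the reserved .invalid TLD, not an indicator from any campaign.
_REDIRECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script type="text/javascript">'
    'window.location.href = "https://docs-review.example.invalid/sign/";'
    "</script></svg>"
)
SAMPLE_ATTACHMENT = (
    "<html><body><p>Your DocuSign document is loading...</p>"
    '<embed type="image/svg+xml" src="data:image/svg+xml;base64,'
    + base64.b64encode(_REDIRECT_SVG.encode()).decode()
    + '"></body></html>'
)

# Constructed benign attachment: an inline SVG that draws a shape and has no script.
BENIGN_ATTACHMENT = (
    '<html><body><svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="#336"/></svg><p>Thank you</p></body></html>'
)

SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
INLINE_SVG = re.compile(r"<svg\b.*?</svg>", re.I | re.S)
DRAWING_ELEMENTS = re.compile(
    r"<(path|rect|circle|ellipse|line|polyline|polygon|text|image|use)\b", re.I
)

# (finding label, pattern, whether the finding alone justifies blocking)
CHECKS = [
    ("script element", re.compile(r"<script\b", re.I), True),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I), True),
    ("location redirect",
     re.compile(r"\blocation\s*(\.href|\.replace|\.assign)?\s*[=(]", re.I), True),
    ("embedded document", re.compile(r"<(foreignObject|iframe|embed|object)\b", re.I), True),
]
BLOCKING = {label for label, _, block in CHECKS if block}


def extract_svg_payloads(html: str) -> List[str]:
    """Return every SVG the HTML carries: decoded base64 data: URIs plus inline <svg>."""
    payloads = []
    for match in SVG_DATA_URI.finditer(html):
        try:
            payloads.append(
                base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
            )
        except (binascii.Error, ValueError):
            continue  # malformed base64: a browser could not render it either
    payloads.extend(INLINE_SVG.findall(html))
    return payloads


def svg_findings(svg: str) -> List[str]:
    """Static indicators for one SVG document."""
    findings = [label for label, pattern, _ in CHECKS if pattern.search(svg)]
    # The "blank image" tell: an SVG with no drawing primitives has no reason to be
    # in a document viewer unless it exists to carry something else.
    if not DRAWING_ELEMENTS.search(svg):
        findings.append("draws nothing")
    return findings


def scan_attachment(html: str) -> Dict[str, object]:
    """Scan an HTML attachment and return a verdict with the evidence behind it."""
    payloads = extract_svg_payloads(html)
    findings = sorted({f for svg in payloads for f in svg_findings(svg)})
    verdict = "block" if BLOCKING & set(findings) else "allow"
    return {"payloads": len(payloads), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print("lure:  ", scan_attachment(SAMPLE_ATTACHMENT))
    print("benign:", scan_attachment(BENIGN_ATTACHMENT))
```

Two caveats on using this. Script inside an SVG only executes when the SVG is loaded as a document (via embed, object, iframe or inline markup), not through an img tag, which is exactly why the attacker needs an HTML attachment that opens in the victim's browser and why blocking external HTML attachments outright, as recommended above, is the stronger control. And a static scan can be evaded by assembling the data: URI at runtime or splitting the base64 string, so the check belongs alongside sandbox detonation of attachments, not in place of it.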

HardBit Ransomware

Description: The "HardBit" ransomware revamped its tactics to negotiate payments based on the victim's cyber insurance policy. Instead of demanding a fixed ransom in exchange for decryption keys, HardBit directs victims to an open-source encrypted peer-to-peer messaging app and gives them 48 hours to make contact; the threat actor then asks the victim to disclose their cyber insurance details so that a ransom demand can be sized to what the insurer will cover. HardBit is differentiated from other ransomware groups because the encrypted data is harder to recover, so simply paying a ransom to get the data back could be tempting for businesses. Disclosing policy details to cybercriminals is discouraged by law enforcement and by insurers, yet HardBit continues to try to convince victims that doing so is in their best interest.

Uniqueness: Multiple aspects of HardBit ransomware make it novel and difficult to combat. Once running on a host, HardBit establishes persistence by copying itself to the Windows Startup folder and adding a Registry entry, and it writes Registry values that disable Windows Defender's real-time and behavioral monitoring. With the host's defenses down, HardBit opens each target file and overwrites its contents in place with the encrypted data.

Most ransomware writes an encrypted copy of each file and then deletes the original, which leaves the original's disk blocks potentially recoverable with forensic tools until they are reused. Because HardBit overwrites the original in place, that avenue is closed, and the greater difficulty of recovery is the leverage HardBit uses to open a dialogue about the victim's cyber insurance. This is one of the first attacks of its kind: cybercriminals have recognized that businesses mitigate risk through cyber insurance policies and have worked out how to benefit from those policies themselves. Knowing the policy's limits lets the attacker demand a payment the insurer would cover, so the business may be more willing to pay.

Remediation: Although HardBit's negotiation strategy is novel, prevention for this type of attack is not new. Ransomware is effective when businesses have not adequately secured their critical data and/or have no usable backups of it. The best way for a CISO to keep this type of attack from succeeding is to ensure all critical business information is secured and backed up to a secondary location that the ransomware cannot reach from a compromised host, such as offline or immutable storage, and to test that those backups can actually be restored.

Furthermore, keeping the software and hardware that can access this data patched and up to date provides an additional layer of protection, and alerting on the tampering HardBit performs before encryption, such as Windows Defender being switched off through the Registry, gives defenders a chance to intervene early. If your business experiences a ransomware attack, notify and work with law enforcement authorities and your cyber insurance company. Never divulge cyber insurance information, or any other business information, to cybercriminals.
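The pre-encryption behaviour described above (Defender switched off through the Registry, then a copy dropped in the Startup folder and a Run key) is something a detection team can correlate from endpoint telemetry. The following is an added example written for this article, not HardBit's code and not a rule from ACA or any vendor: it reads constructed Sysmon-style records (Event ID 13 registry value set, Event ID 11 file create), classifies each into a tactic, and raises an alert only when a Defender-disabling write and a persistence write come from the same process image on the same host within a short window. The Registry value names are the real Windows Defender Real-Time Protection settings; host names, user paths, the SID and the file name are placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed Sysmon-style records (one JSON object per line), not real telemetry.
# Host names, user paths, the SID and "update.exe" are placeholders.
# Line 1: benign noise, the Defender engine itself writing 0 (protection stays on).
# Lines 2-5: the HardBit-style chain on one host, all from one process image.
# Line 6: a legitimate installer dropping a Startup shortcut on another host.
SAMPLE_LOG = r"""
{"ts": "2023-02-20T09:14:02+00:00", "host": "WS-042", "event_id": 13, "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "details": "DWORD (0x00000000)"}
{"ts": "2023-02-20T09:15:10+00:00", "host": "WS-042", "event_id": 13, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "details": "DWORD (0x00000001)"}
{"ts": "2023-02-20T09:15:11+00:00", "host": "WS-042", "event_id": 13, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring", "details": "DWORD (0x00000001)"}
{"ts": "2023-02-20T09:15:14+00:00", "host": "WS-042", "event_id": 11, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "target": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"}
{"ts": "2023-02-20T09:15:15+00:00", "host": "WS-042", "event_id": 13, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "target": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update", "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
{"ts": "2023-02-20T11:02:40+00:00", "host": "WS-077", "event_id": 11, "image": "C:\\Program Files\\Vendor\\setup.exe", "target": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Vendor Agent.lnk"}
"""

# Value names under the Defender Real-Time Protection keys that switch a
# protection feature off when set to 1. Matching is case-insensitive.
DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection",
    "disablescanonrealtimeenable",
}
REALTIME_KEY = "\\windows defender\\real-time protection\\"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def classify(ev: dict) -> Optional[str]:
    """Map one event to a tactic label, or None if it is not of interest."""
    target = ev.get("target", "").lower()
    if ev.get("event_id") == 13:
        if REALTIME_KEY in target:
            value_name = target.rsplit("\\", 1)[-1]
            # Only a value of 1 turns protection off; the engine itself writes 0.
            if value_name in DISABLE_VALUES and ev.get("details", "").startswith("DWORD (0x00000001)"):
                return "defender_tamper"
        elif RUN_KEY in target:
            return "run_key_persistence"
    elif ev.get("event_id") == 11 and STARTUP_DIR in target:
        return "startup_persistence"
    return None


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def correlate(events: List[dict], window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """One alert per host where a Defender-disabling write and a persistence write
    come from the same process image within `window` of each other."""
    by_host = defaultdict(list)
    for ev in events:
        tactic = classify(ev)
        if tactic:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tactic, ev.get("image", "")))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for ts, tactic, image in hits:
            if tactic != "defender_tamper":
                continue
            related = {t2 for ts2, t2, img2 in hits
                       if img2 == image and t2.endswith("_persistence") and abs(ts2 - ts) <= window}
            if related:
                alerts[host] = {"image": image, "first_seen": ts.isoformat(),
                                "tactics": sorted({tactic} | related)}
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(parse_log(SAMPLE_LOG)), indent=2))
```

Requiring the same process image for both halves of the chain is what keeps the rule quiet on WS-077, where an installer legitimately drops a Startup shortcut, and the check on the written value keeps the Defender engine's own housekeeping out of the alert. Group Policy can legitimately set these values to 1 on managed hosts, so in production the rule should exempt the policy-processing images your environment actually uses rather than the Defender path alone.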

Artificial Intelligence Infospreader Malware

Description: Cybercriminals are using YouTube videos featuring AI-generated presenters to spread information-stealing malware such as RedLine, Vidar and Raccoon. The videos pose as tutorials on downloading free ("cracked") versions of Photoshop, Premiere Pro and other paid products; the malware is not in the video itself but in the download linked from the video's description. Five to 10 such videos are uploaded to YouTube every hour, and the cybercriminals use search engine optimization (SEO) tactics to push them to the top of YouTube's search results.

Uniqueness: Generative AI skyrocketed in popularity with the introduction of several new tools in late 2022. Cyber programs have scrambled to create acceptable use policies so that employees do not create additional business risk by entering sensitive information into these platforms. One of the many dangers of AI is how realistic and convincing its output can be, and that goes beyond written text.

In this campaign, cybercriminals use AI-generated presenters to make the offer of free, highly sought-after professional software look credible, and the infostealer is delivered when the viewer follows the download link and runs what it provides. They then use SEO tactics to push the videos to the top of the results list, making it more likely that someone will find and trust them.

Remediation: As AI continues to grow in popularity, CISOs should create an acceptable use policy for employees to follow. Cybersecurity training should now include guidance on how to use AI software safely and on what information must not be entered into AI programs. Beyond basic cybersecurity hygiene, employees should never trust links or videos that promise "free" versions of software that normally requires payment, and the business should prevent unapproved software from being installed on company devices in the first place, since that is the step at which the infostealer runs. Remember, there is always a cost for legitimacy.

Takeaways

The takeaway from these case studies is that even truly novel incidents do not require extensive updates to cyber programs to combat them. The threat landscape is largely growing in volume, not complexity, so CISOs do not need to overcomplicate their approach to mitigating cyber risks either.

Fortifying the foundation of your cyber program, and ensuring compliance with routine cyber hygiene practices, is effective against the majority of risks. Rather than chasing after all that is new in the threat landscape, CISOs can rely on the following tried-and-true practices without sacrificing performance:

  1. Review the more novel tactics within this case study and evaluate if your cyber program would be able to effectively address them. If not, consider updating relevant technologies, system settings, etc. to mitigate these threats.
  2. Evaluate the foundational components of your cybersecurity program and their effectiveness. Identify any gaps that may exist and begin working on remediation steps.
  3. Establish clear criteria and escalation guidance to help your cybersecurity team evaluate if a novel threat requires changes or updates to the program and if the firm’s current controls are sufficient to mitigate the threat.

Aaron Pinnick is the Manager of Thought Leadership for ACA’s Aponix Program, where he creates research to ensure clients receive the latest and most critical information they need to manage risk and ESG responsibilities. Before joining ACA Group, he was a Managing Analyst for Ballast Research, providing government affairs leaders with insights into their reputation with policymakers; and a research director for Gartner’s Compliance and Ethics program. He holds a master’s degree in sociology from Texas A&M University and a bachelor’s in sociology from Minot State University.

This article is adapted from an ACA Group white paper, How to Effectively Utilize the Threat Landscape.

