Cyber Risk Update 24 MAR 2023
Cyber risk update for the week of March 24, 2023.
Bonus
National Security Threats Facing the United States: Insights from H.R. McMaster https://www.learnsecurity.org/single-post/national-security-threats-facing-the-united-states-insights-from-h-r-mcmaster
Livermore Named Finalist in IDC's Smart Cities North America Award https://www.learnsecurity.org/single-post/livermore-named-finalist-in-idc-s-smart-cities-north-america-award
Data Breach
According to a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), multiple threat actors, including a nation-state actor, exploited CVE-2019-18935, a critical vulnerability in Progress Telerik, to breach an unnamed US federal agency. https://securityaffairs.com/143557/hacking/progress-telerik-bug-attacks.html
LockBit ransomware gang now also claims City of Oakland breach https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/
What to know after City of Oak Ridge offices close from malware attack https://www.oakridger.com/story/news/local/2023/03/21/city-of-oak-ridge-offices-closed-to-public-because-of-malware-attack/70035945007/
Trends
FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion https://www.hipaajournal.com/fbi-losses-to-cybercrime-increased-by-49-in-2022-to-10-3-billion/
In the second half of 2021 and throughout 2022, around 1 in 10 attacks by ransomware gangs did not involve file encryption, only data theft and extortion. (Palo Alto Networks’ Unit 42 team)
2022 Unit 42 Ransomware Threat Report https://start.paloaltonetworks.com/unit-42-ransomware-threat-report.html
Updated list of annual cybersecurity reports. https://www.learnsecurity.org/single-post/annual-cyber-reports
Advisory
Ransomware Will Target Transport Sector OT, Says ENISA https://www.govinfosecurity.com/ransomware-will-target-transport-sector-ot-says-enisa-a-21482
US cyber officials make urgent push to warn businesses about vulnerabilities to hackers https://edition.cnn.com/2023/03/23/politics/cyber-officials-business-hacking-warning/index.html
Vulnerabilities
Microsoft Outlook Warning: Critical New Email Exploit Triggers Automatically—Update Now https://www.forbes.com/sites/daveywinder/2023/03/16/microsoft-outlook-warning-critical-new-email-exploit-triggers-automatically-update-now/
2023 Cybersecurity Maturity Report Reveals Organizational Unpreparedness for Cyberattacks https://thehackernews.com/2023/03/2023-cybersecurity-maturity-report.html
Cyber Insurance
This was brought up at RSA Conference last year: Insurer Spots Cybersecurity Weakness With Model Simulating Catastrophic Attacks https://www.bloomberg.com/news/articles/2023-03-20/cyber-insurer-unveils-model-to-simulate-worst-case-cyberattack
Enterprise Risk Management
A risk management nightmare at Silicon Valley Bank https://fortune.com/2023/03/13/risk-management-nightmare-silicon-valley-bank/
Nation States
Polish counter-intelligence has dismantled a Russian spy ring that gathered information on military equipment deliveries to Ukraine via the EU member. https://www.securityweek.com/poland-breaks-up-russian-spy-ring/
Lawmakers raised concerns that sensitive data could leak to adversaries through foreign-owned consumer technology. https://www.nextgov.com/cybersecurity/2023/03/senators-request-cyber-safety-analysis-chinese-owned-dji-drones/384211/
Chinese-Linked Hackers Deployed the Most Zero-Day Vulnerabilities In 2022 https://cyberscoop.com/mandiant-zero-day-vulnerabilities-china/
Researchers Uncover Chinese Nation State Hackers' Deceptive Attack Strategies https://thehackernews.com/2023/03/researchers-uncover-chinese-nation.html
Career
The Role of a Cybersecurity Architect https://frankmcg.com/2023/03/the-role-of-a-cybersecurity-architect/
Resources
Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments https://www.cisa.gov/news-events/alerts/2023/03/23/untitled-goose-tool-aids-hunt-and-incident-response-azure-azure-active-directory-and-microsoft-365
Innovative Technology
From fire detection and predictive analysis to evaluation of vegetation moisture levels, AI has assumed center stage in California's fight against seasonal wildfires. https://www.zdnet.com/article/how-ai-is-saving-homes-and-lives-in-california-during-wildfire-season/
Microsoft adds OpenAI technology to Word and Excel https://www.cnbc.com/2023/03/16/microsoft-to-improve-office-365-with-chatgpt-like-generative-ai-tech-.html
Introducing Microsoft 365 Copilot – your copilot for work https://blogs.microsoft.com/blog/2023/03/16/introducing-microsoft-365-copilot-your-copilot-for-work/
Copilot is currently debuting with 20 enterprise customers, with the expectation of testing and tweaking the software. Microsoft said it expects to make it available to its larger user base in the coming months. It did not release details regarding whether the capabilities will come at an additional cost. https://www.washingtonpost.com/technology/2023/03/16/microsoft-office-ai-copilot/
The Urgent Need for AI in GRC and Security Operations: Are You Ready to Face the Future? https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-12/the-urgent-need-for-ai-in-grc-and-security-operations
Emerging Technology Threats
How ChatGPT Can Help and Hinder Data Center Cybersecurity https://www.datacenterknowledge.com/security/how-chatgpt-can-help-and-hinder-data-center-cybersecurity
Council or Board Level Attention for Cybersecurity
14%: the share of the 414 board seats filled among Fortune 500 companies last year that went to people with cybersecurity experience, according to a study from recruiter Heidrick & Struggles. (WSJ)
CISA director urges top business leaders, board members to take cyber risk ownership https://www.cybersecuritydive.com/news/cisa-director-urges-businesses-own-cyber-risk/645932/