CISA/FBI warns US under cyber attack from Iran; Emotet returns; and high-severity vulnerabilities in Intel chips
Posted by: GuidePoint Security
Published 11/24/21, 9:30am
Cybersecurity news from the week of 11/15/21
Nation-state threat actors operating on behalf of Iran and targeting US interests dominated cyber news headlines last week. Industry researchers have also discovered that the notorious botnet Emotet has returned. And in other big news, the chip maker Intel has issued warnings about several high-severity vulnerabilities that could enable attackers to elevate privileges on devices.
- CISA/Microsoft issue warnings about Iran-linked attacks
- Destructive botnet Emotet making a comeback
- High severity vulnerability affecting Intel processors
Cybersecurity news final thoughts
There were two additional stories in the news last week that offer insight into the challenges faced by organizations and security professionals.
The first topic addresses an impending and extremely dangerous risk to organizations—the possibility of the creation of an “exploit-as-a-service” model. Recently released industry research into the world of dark web zero-days found that historically, the price of zero-day exploits on the dark web has been cost-prohibitive to many cybercriminals. (Researchers note that they observed threat actors claiming that zero-day exploits could sell for up to $10M.) Thus, the purchase of zero-day vulnerabilities has usually been left to high-profile gangs, such as those in the business of ransomware or those with deep-pocketed, nation-state backers.
While the zero-day selling price is high, so too is the amount of time that goes into the selling process. Therefore, to expand zero-day accessibility, reduce time to market, and still make a tidy profit, researchers discovered that discussions are underway in dark web circles to have threat actors offer zero-days ‘for lease’ to aspiring criminal organizations. Proponents of the model argue that developers will still be able to generate significant profits and, at the same time, test the effectiveness and viability of the zero-day.
In the other notable story from last week’s news, industry researchers conducted a survey among IT decision-makers and discovered that 90% believe their business would be willing to compromise cybersecurity in favor of productivity or other business goals. An additional 82% have been pressured to downplay the severity of cyber risk to the board. The report further states that IT decision-makers are self-censoring in front of boards for fear of sounding repetitive or negative. And only half of the IT leaders believe that the C-suite understands cyber risk. These findings align with other anecdotal reports that many business decision-makers view InfoSec as another overhead cost that cuts into a typical corporate agenda of making the business faster and more profitable.
With nation-states like Russia, Iran, China, and North Korea actively targeting businesses to conduct espionage and bring about disruption; almost-daily notices of significant system and device vulnerabilities; and dark web cybercriminals actively discussing the benefits of an ‘exploit-as-a-service’ model, it is hard to understand how any business—large or small—would be willing to compromise total operational and reputational integrity in favor of earning just a few more dollars. It is almost like hearing that the bullion depository at Fort Knox has no more need of minefields, granite barriers, or razor wire because it isn’t profitable or productive.
Businesses must view information security as a critical and necessary component of success. Organizations also need to understand that preparing for the next threat or attack is crucial. Employing key security strategies and tools–such as zero trust and cloud security–as well as engaging in key processes such as disaster recovery evaluation and planning, risk assessment, security architecture evaluation, and business continuity planning can help block or mitigate the effects of an attack should one occur.
The route to improved security isn’t about one tool, technology, or task force. It’s a team effort involving executives, board members, internal and external security professionals, employees, and researchers all working together to better understand and combat cybercrime.