Threatonomics Newsletter: February in Review

Welcome to our monthly newsletter, Threatonomics, where we share learnings and insights into the dynamics shaping the cybersecurity and cyber insurance industries, with a particular focus on the economics of threats.

February presented a series of events illuminating the increasing cost of cyber threats and the critical importance of cyber resilience for businesses. This month, we witnessed the financial loss from a new Ivanti vulnerability, the volatility in cybersecurity stocks with the debate around platformization amidst longer sales cycles, and the successful takedown (but subsequent comeback) of LockBit affiliates - all demonstrating the continuous roller coaster of cybercrime. This is a great reminder of the importance of quantifying the return on your security controls and investing in insurance designed with proactive measures, so you have a clear roadmap to becoming resilient to material losses.

Recognizing the dynamic threat landscape, Resilience is proud to announce that it has acquired BreachQuest, an innovative incident response technology solution, to help clients proactively combat the rising threat around Business Email Compromise (BEC) and digital workspaces. Given that incident response continues to play an outsized role in the attack supply chain, we’ve used this edition of Threatonomics to highlight our talented Claims & IM team: how they help clients respond post-incident, and how they proactively prepare clients pre-incident with actionable insights around vulnerabilities like Ivanti.

To understand the implications of all these recent events on your company policies and practices, continue reading.

Insights on Cyber Resilience


How the Resilience Claims & Incident Management Team helped a Professional Services firm deal with a crippling ransomware attack

The professional services industry thrives on trust – trust with clients, trust with information, and trust in systems that secure it all. Yet, this trust can unravel in an instant, as evidenced by a prominent firm facing a crippling ransomware attack. Targeting shared network drives, this assault encrypted vital data crucial to their practice, placing their financial stability, client trust, and brand reputation at grave risk.

In the moment of their crisis, the client reached out to Resilience.

Getting the key decision makers in the room - Within hours of the incident being reported, our in-house 24/7 Claims & Incident Management team and key stakeholders, including the client's executive team, outside privacy counsel, and cybersecurity experts, were connected and actively remediating the issues.

Identify the threat variant to mitigate - A quick assessment by our in-house threat intelligence experts allowed us to swiftly identify the ransomware variant, enabling targeted response and negotiation strategies.

Continuously engage to prevent potential losses - Faced with the daunting decision of paying the ransom or risking the exposure of customer data, our team remained in constant contact with the client, swiftly connecting outside expert guidance on ransomware negotiation strategy with the client’s internal team. Ultimately, the initial demand was reduced by approximately 67%, mitigating potential financial losses.

Going the extra mile for speedy claim resolution - Within a week, our client received a speedy resolution of their claim from Resilience. Recognizing the firm had coverage with another insurer, our claims expert went the extra mile to coordinate responses and ensure efficient processing.

Our team's ability to respond effectively to this ransomware attack and reduce potential losses is a testament to the power of the human-in-the-loop approach and proactive threat intelligence expertise.

In a time of crisis, it's about people working together, building trust, and finding solutions. By combining expertise, empathy, and swift action, we helped this professional services firm weather the storm and emerge stronger.

Client Quote:

“The knowledge and level of service provided was appreciated. The Resilience team was on top of things through the entire process giving us peace of mind through what could have been a traumatic event.” – COO


Real-World Insights from Incident Response Experts

Threat of the Month: Ivanti

The latest Ivanti vulnerability allowed attackers to remotely access a vulnerable device without authentication to steal data and harvest credentials. Has your Ivanti product been breached?

Our US Claims Operations Leader, Amanda Bevilacqua, has provided a list of action items to help you determine whether you have been compromised.

  1. In addition to patching, analyze your systems to make sure that there is no compromise.
  2. Analyze your network traffic and look for unusual amounts of data being exfiltrated from your system.
  3. Look out for suspicious login activity, especially from locations where you would not expect an employee to be.
  4. Look for signs of lateral movement within your VPN that are inconsistent with what you would expect.
  5. Analyze your logs. Log clearing is a common tactic used by threat actors to cover their tracks, so missing logs raise a red flag.
  6. Leverage your EDR tools to monitor and investigate alerts.
  7. Act immediately if you think you have spotted indicators of compromise. The faster suspicious behavior is identified and investigated, the better the chance of containing the incident before it turns into a full-blown encryption event.
  8. Consult with a digital forensic investigation firm and share the suspicious activity you’ve seen. If you are a Resilience client, connect with our Claims and Incident Management team as early as possible, and we can quickly help you determine what further actions to take.
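
An added example, not part of the original newsletter, showing how items 2, 3 and 5 of the checklist can be run as a first-pass triage over exported gateway logs. The key=value log format, field names and thresholds are assumptions made for illustration and are not an Ivanti log format.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a made-up key=value format (not a real Ivanti log format).
SAMPLE_LOG = """\
2024-02-10T08:00:05Z user=alice country=US bytes_out=120000 result=success
2024-02-10T08:10:41Z user=bob country=US bytes_out=98000 result=success
2024-02-10T08:19:12Z user=alice country=US bytes_out=143000 result=success
2024-02-10T13:02:33Z user=svc-backup country=RO bytes_out=912000000 result=success
2024-02-10T13:09:50Z user=bob country=US bytes_out=101000 result=success
"""

EXPECTED_COUNTRIES = {"US"}      # assumption: where employees normally log in from
MAX_GAP = timedelta(hours=2)     # assumption: a busy gateway is never silent this long
MAX_BYTES_OUT = 500_000_000      # assumption: per-session outbound baseline in bytes


def parse(line):
    """Split one constructed log line into a record with typed fields."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def triage(text):
    """Return findings for log gaps, unexpected login locations and large transfers."""
    records = sorted((parse(l) for l in text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    findings = []
    # Item 5: a long silence between consecutive entries may mean logs were cleared.
    for prev, cur in zip(records, records[1:]):
        if cur["ts"] - prev["ts"] > MAX_GAP:
            findings.append(("log_gap", prev["ts"].isoformat(), cur["ts"].isoformat()))
    for r in records:
        # Item 3: successful login from a location where no employee is expected.
        if r["result"] == "success" and r["country"] not in EXPECTED_COUNTRIES:
            findings.append(("unexpected_location", r["user"], r["country"]))
        # Item 2: outbound volume far above the session baseline.
        if r["bytes_out"] > MAX_BYTES_OUT:
            findings.append(("large_outbound", r["user"], r["bytes_out"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Findings from a script like this are leads for the investigation in items 6 to 8, not proof of compromise; tune the thresholds to your own baseline.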

Other Threats to Track:


Thank you for reading. Before you go...

Subscribe so you don’t miss our next issue. For more trends and insights from Cyber Resilience experts, follow our LinkedIn page for weekly blog posts, videos, and more!
