1st April: EU vulnerabilities ++ A third of UK businesses suffer attacks every week ++ Lapsus$ continues breaches

EU institutions face cybersecurity vulnerabilities

On March 29, 2022, the European Court of Auditors (ECA) stated that EU institutions need more protection against cyber-attacks. Their interconnected networks put them at greater risk now than ever before, yet the systems have “not achieved a level of cyber-preparedness commensurate with the threats.”

The warning by the European Court of Auditors covers the wide range of EU bodies — from the executive arm based in Brussels to specialist agencies located across Europe. Cyberattacks against EU bodies are increasing, with major incidents rising more than tenfold between 2018 and 2021, according to the Luxembourg-based ECA. The sensitive information processed by EU bodies makes them attractive targets for hackers, according to the report, which said the risks have grown because of remote working since the beginning of the COVID-19 pandemic.

An example cited is the cyberattack on the European Medicines Agency (EMA) in late 2020, when the EU was pushing to authorize the first COVID-19 vaccines. “Sensitive data was leaked and manipulated in a way designed to undermine trust in vaccines.”

The European auditors said Tuesday that EU organizations were failing to enact some “essential” cybersecurity controls and underspending in this area. The auditors also alleged a lack of “systematic” cybersecurity training and information sharing. Shortcomings at EU agencies include an inconsistent approach towards cybersecurity, the lack of cybersecurity good practices and inadequate funds and resources. The ECA also urged more resources to support the Computer Emergency Response Team of EU bodies (CERT-EU), saying “its effectiveness is compromised by an increasing workload, unstable funding and staffing, and insufficient cooperation from some” of the organizations.

“The EU must step up its efforts to protect its own organizations,” Bettina Jakobsen, a member of the ECA, said in a statement. “Such attacks can have significant political implications.”

“Since EU bodies are strongly interconnected, a weakness in one can expose others to security threats. (…) Binding cybersecurity rules should be introduced and the amount available to the Computer Emergency Response Team should be increased,” the report continued. The ECA said the varying level of cybersecurity preparedness at EU agencies posed a problem for their overall security, and therefore urged the European Commission to promote more cooperation among EU bodies and the EU Agency for Cybersecurity to focus more on EU agencies with less experience in this area. “A weakness in one can expose others to security threats.”


Third of UK businesses suffer cyber-attacks every week

The Cyber Security Breaches Survey 2022 report from the UK Department for Digital, Culture, Media and Sport (DCMS) revealed that the frequency of cyber-attacks is rising, with the number of businesses experiencing breaches remaining at similarly high levels as in 2021. Organizations are encouraged to be vigilant of cyber threats and to follow the report’s guidance.

Businesses and charities are being urged to strengthen their cyber security practices now, as new figures show the frequency of cyber-attacks is increasing: in the UK, almost a third of charities and two in five businesses reported cyber security breaches in the last 12 months. Amongst those attacked, 26 per cent of charities and 31 per cent of businesses stated that they are being attacked on a weekly basis. The newly provided data also shows that two in five businesses use a managed IT provider, yet only 13 per cent of them review the security risks posed by their immediate suppliers.

UK Cyber Minister Julia Lopez said: “It is vital that every organization take cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk. No matter how big or small your organization is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.” To ensure safety, small businesses should therefore adopt the Cyber Essentials scheme to protect against the most common cyber threats such as phishing attacks and use the Small Business Guide to improve cyber security practices. Larger organizations should use the Board Toolkit to get company executives to act on cyber resilience and charities should follow the Small Charity Guide to boost cyber security operations.

Over the past 12 months attention on the cyber security of supply chains and digital services increased, as a wave of high-profile attacks hit UK firms.

82 per cent of UK senior managers see cyber security as a ‘very high’ or ‘fairly high’ priority. This is the highest figure seen in any year of the annual survey.

The government is planning to strengthen the cyber resilience of critical businesses by updating the Network and Information Systems (NIS) Regulations which set out cyber security rules for essential services such as energy, digital infrastructure, healthcare, transport, and water.

As part of the UK’s National Cyber Strategy, the government is committed to protecting citizens and businesses from lurking cyber threats. Investments of £2.6 billion are being made to enhance the cyber skills of admins and staff and to expand the country’s offensive and defensive cyber capabilities.


Lapsus$ continues streak of successful breaches – despite series of arrests by UK authorities

Since its emergence in December 2021, the Lapsus$ extortion organization has been making headlines for its attention-grabbing attacks. It has successfully breached the IT security systems of famous, influential corporations such as Microsoft, Samsung, Ubisoft, Nvidia, Vodafone, Okta and most recently Globant. It is strongly advised that security and network admins become familiar with the tactics used by this group, as not even last week’s arrests, including that of the Lapsus$ mastermind, can stop its streak.

As part of last week’s News of the Week, we reported on the success and danger of the Lapsus$ extortion gang. The headlines made by the fairly new organization are not stopping though, with the group attacking Globant, a software development consultancy based in Luxembourg, this week. The firm says it has worked with over thirty major clients in the public and private sectors. The screenshots shared by Lapsus$ show a folder listing for what appears to be different firms from across the world, including Arcserve, Facebook, DHL, Stifel and Banco Galicia among others.

This attack may come as a big surprise to people aware of the group’s actions, as it suffered a major setback last week. According to the City of London Police, seven people between the ages of 16 and 21 were arrested in connection with an investigation into the hacker group. For the time being all have been released, but they remain under thorough investigation. The presumed mastermind behind Lapsus$, who goes by the online alias “White”, is expected to be amongst those under investigation.

Lapsus$ caused further chaos as Okta, which was attacked by the gang in January 2022, disclosed the cyber incident just last week. The company’s stock price dipped by almost 20% within days, with trust seemingly plummeting. Okta had previously stated it was investigating claims of a hack after Lapsus$ members shared several screenshots in a Telegram chat implying they were behind the attack. Initially, Okta’s CEO Todd McKinnon labeled this incident an “attempt” by threat actors to compromise the account of a support engineer. However, it later became clear that 2.5% of Okta’s customers — 366 to be exact — were indeed impacted by the incident. The company now says it is “greatly disappointed by the long period of time that transpired between our notification (…) and the issuance of the complete investigation report,” in the words of David Bradbury, Okta’s Chief Security Officer, who added: “Upon reflection, (…) we should have moved more swiftly” to understand the attack’s implications.

The hacker group Lapsus$ uses ransomware attacks to pressure the victim companies. Twitter is usually the first platform where the gang discloses its attacks, sometimes only hinting that it is behind the security breach in question.

Luckily, Microsoft provided an overview of Lapsus$’s tactics, techniques, and procedures after having experienced an attack itself. According to the report, the threat actors focus “their social engineering efforts to gather knowledge about their target’s business operations. Such information includes intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships.”

It is strongly advised that security and network admins become familiar with the tactics used by this group and prepare their systems, by strengthening their MFA deployment and by having recovery plans in place in case of a breach.

Oxford police arrest teenagers in relation to Lapsus$ (cybernews.com)
Okta: We made a mistake delaying the disclosure (bleepingcomputer.com)
Delaying the Lapsus$ hack disclosure was a mistake, says Okta (computing.co.uk)
Lapsus$ claims Globant breach (computing.co.uk)
DEV-0537 criminal actor targeting organizations – Report (microsoft.com)
Okta’s investigation of the compromise (okta.com)

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.