Top news stories this week
- Slow rise. S-RM report reveals cyber budgets stalling at three percent growth.
- Snitch. BlackCat files SEC complaint against MeridianLink for failing to disclose breach.
- Don’t get bitten. CISA and the FBI publish advisory urging organisations to defend against Scattered Spider.
- Major haemorrhages. DP World and Toyota are latest victims of critical Citrix Bleed vulnerability.
- Time to patch. Microsoft addresses five zero-day vulnerabilities and Fortinet patches critical command injection bug.
- A high price to pay. Clorox CISO steps down as Royal Mail and Rackspace breaches cost millions.
- New highs. UK’s National Cyber Security Centre records all-time high in reported cyber attacks.
1. Cyber budgets fail to meet expectations
Our annual Cyber Security Insights Report reveals that cyber budgets for large organisations fell short of expectations. In 2023, globally, the average cyber budget grew to USD 27.1 million, up 3.1% from USD 26.30 million in 2022. Meanwhile in the US, budgets only grew by 1%. The rise falls short of last year's anticipated increase of 5%, which would have seen budgets reach USD 27.6 million.
The appetite for more budget amongst those responsible for cyber security comes after a year of rising operational costs – as a result of wider economic turbulence – and a growing cyber threat following rapid advancements in generative AI. Cyber security departments told us they want more budget to upskill employees (42%) and recruit additional skilled personnel (41%) to accommodate this rising threat.
2. BlackCat files SEC complaint against MeridianLink over breach
BlackCat/ALPHV has reported one of its victims to the US Securities and Exchange Commission (SEC) for failing to comply with new rules that require listed companies to disclose significant cyber security incidents within four business days. The ransomware gang claims it breached listed software company MeridianLink on 7 November, but has jumped the gun as the new requirements only come into effect next month.
The news comes as the SEC faces criticism over the new rules, which some Republicans in the US Congress are seeking to overturn.
Threat actors are always looking for novel extortion tactics. How the SEC will react to malicious complaints filed by ransomware gangs once the rules come into force remains to be seen.
3. Joint CISA and FBI advisory highlights the danger of Scattered Spider
The FBI and CISA have released a threat advisory on the Scattered Spider ransomware group, prompted by attacks against large US organisations such as MGM Resorts and Caesars Entertainment, and by growing frustration over the FBI’s response to the gang’s activity. The advisory details how the threat group uses social engineering techniques for initial access, exfiltrates data, and encrypts files with BlackCat/ALPHV ransomware.
Mitigation measures should be followed, with security controls regularly tested and validated to help protect against a Scattered Spider attack.
4. Citrix Bleed likely exploited in cyber attacks on DP World and Toyota
The Medusa and LockBit ransomware groups have continued their mass exploitation of the Citrix Bleed vulnerability. Security researchers found that Australian port operator DP World, which has suffered a major attack, was vulnerable to Citrix Bleed. Toyota Financial Services, which Medusa hit last week, also appears to have been vulnerable.
Large organisations can often struggle to implement patches in a timely manner due to internal policies around changes, but threat actors will not hesitate to capitalise on unpatched infrastructure.
5. Time to patch
Microsoft has addressed 58 bugs and five zero-day vulnerabilities in this month's Patch Tuesday. Three of the zero-day vulnerabilities patched are being actively exploited in the wild.
Separately, Fortinet has released security updates to fix a critical command injection flaw in FortiSIEM (CVE-2023-36553), which could allow a threat actor to execute malicious commands remotely.
Organisations should keep their systems up to date with the latest security patches.
6. Clorox, Royal Mail, and Rackspace count costs of breaches
Royal Mail and Rackspace have revealed that they incurred over GBP 10 million in costs due to their respective ransomware attacks earlier this year. Both organisations attributed these expenditures to remediation efforts and other ongoing expenses. Separately, the CISO of Clorox has resigned in the aftermath of a major cyber attack that caused the company to lose almost USD 500 million in revenue.
A ransomware tabletop exercise is crucial for organisations to minimise disruptions by testing and refining response plans, identifying weaknesses, and enhancing overall preparedness against potential cyber attacks.
7. NCSC records all-time high in incident reports
Britain's National Cyber Security Centre (NCSC) registered 2,005 voluntarily reported cyber attacks this year, a 64% increase on the previous year. Many incidents were caused by threat actors exploiting application vulnerabilities, such as CVE-2023-3519, a critical remote code execution vulnerability affecting Citrix NetScaler appliances. The review also notes 327 incidents involving data exfiltration or extortion, an 18.5% rise on last year.
Threat actors are increasingly exploiting vulnerabilities in applications to breach companies. Ensure your organisation has robust patching procedures in place to mitigate this risk.