21 November 2023

Cyber budgets fail to meet expectations | Cyber Intelligence Briefing: 21 November

Top news stories this week

  1. Slow rise. S-RM report reveals cyber budgets stalling at three percent growth.
  2. Snitch. BlackCat files SEC complaint against MeridianLink for failing to disclose breach. 
  3. Don’t get bitten. CISA and the FBI publish advisory urging organisations to defend against Scattered Spider. 
  4. Major haemorrhages. DP World and Toyota are latest victims of critical Citrix Bleed vulnerability.
  5. Time to patch. Microsoft addresses five zero-day vulnerabilities and Fortinet patches critical command injection bug. 
  6. A high price to pay. Clorox CISO steps down as Royal Mail and Rackspace breaches cost millions.
  7. New highs. UK’s National Cyber Security Centre records all-time high in reported cyber attacks.

1. Cyber budgets fail to meet expectations

Our annual Cyber Security Insights Report reveals that cyber budgets for large organisations fell short of expectations. In 2023, globally, the average cyber budget grew to USD 27.1 million, up 3.1% from USD 26.30 million in 2022. Meanwhile in the US, budgets only grew by 1%. The rise falls short of last year's anticipated increase of 5%, which would have seen budgets reach USD 27.6 million.

So what?

The appetite for more budget amongst those responsible for cyber security comes after a year of rising operational costs – as a result of wider economic turbulence – and a growing cyber threat following rapid advancements in generative AI. Cyber security departments told us they want more budget to upskill employees (42%) and recruit additional skilled personnel (41%) to accommodate this rising threat.


2. BlackCat files SEC complaint against MeridianLink over breach

BlackCat/ALPHV has reported one of its victims to the US Securities and Exchange Commission (SEC) for failing to comply with new rules that require listed companies to disclose significant cyber security incidents within four business days. The ransomware gang claims it breached listed software company MeridianLink on 7 November, but has jumped the gun as the new requirements only come into effect next month.

The news comes as the SEC faces criticism over the new rules, which some Republicans in the US Congress are seeking to overturn.

So what?

Threat actors are always looking for novel extortion tactics. How the SEC will react to malicious complaints filed by ransomware gangs once the rules come into force remains to be seen.


3. Joint CISA and FBI advisory highlights the danger of Scattered Spider

The FBI and CISA have released a threat advisory on the Scattered Spider ransomware group, prompted by attacks against large US organisations such as MGM Resorts and Caesars Entertainment, and growing frustration over the FBI’s response to the gang’s activity. The advisory details how the threat group uses social engineering techniques for initial access, exfiltrates data, and encrypts files with BlackCat/ALPHV ransomware.

So what?

The mitigation measures set out in the advisory should be followed, and security controls should be regularly tested and validated to help protect against a Scattered Spider attack.


4. Citrix Bleed likely exploited in cyber attacks on DP World and Toyota

The Medusa and LockBit ransomware groups have continued their mass exploitation of the Citrix Bleed vulnerability. Security researchers found that Australian port operator DP World, which has suffered a major attack, was vulnerable to Citrix Bleed. Toyota Financial Services, which Medusa hit last week, also appears to have been vulnerable.

So what?

Large organisations can often struggle to implement patches in a timely manner due to internal policies around changes, but threat actors will not hesitate to capitalise on unpatched infrastructure.


5. Time to patch

Microsoft has addressed 58 bugs and five zero-day vulnerabilities in this month's Patch Tuesday. Three of the zero-day vulnerabilities patched are being actively exploited in the wild.

Separately, Fortinet has released security updates to fix a critical command injection flaw in FortiSIEM (CVE-2023-36553), which could allow a threat actor to execute malicious commands remotely.

So what?

Organisations should keep their systems up to date with the latest security patches.


6. Clorox, Royal Mail, and Rackspace count costs of breaches

Royal Mail and Rackspace have revealed that they incurred over GBP 10 million in costs due to their respective ransomware attacks earlier this year. Both organisations attributed these expenditures to remediation efforts and other ongoing expenses. Separately, the CISO of Clorox has resigned in the aftermath of a major cyber attack that caused the company to lose almost USD 500 million in revenue.

So what?

A ransomware tabletop exercise is crucial for organisations to minimise disruptions by testing and refining response plans, identifying weaknesses, and enhancing overall preparedness against potential cyber attacks.


7. NCSC records all-time high in incident reports

Britain's National Cyber Security Centre (NCSC) registered 2,005 voluntarily reported cyber attacks this year, a 64% increase on the previous year. Many incidents were caused by threat actors exploiting application vulnerabilities, such as CVE-2023-3519, a critical remote code execution vulnerability affecting Citrix NetScaler appliances. The review also notes 327 incidents involving data exfiltration or extortion, an 18.5% rise on last year.

So what?

Threat actors are increasingly exploiting vulnerabilities in applications to breach companies. Ensure your organisation has robust patching procedures in place to mitigate this risk.

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

Authors

Kyle Schwaeble, Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified.

Miles Arkwright, Associate, Cyber Advisory

James Tytler, Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
