Arctic Wolf has been tracking multiple intrusions where Cisco VPN account credentials were harnessed by Akira ransomware for initial access. In a recent Cisco PSIRT advisory, Cisco stated they were aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations. Our case data supports the observation that affected accounts did not have MFA enabled.

Threat actor groups maintain dark web shame sites to negotiate ransoms with their victims, name them, and leak their data as punishment for not paying. These sites serve as a major tool for threatening victims and securing ransom payments but are not a precise record of global cyber attacks. However, there’s a lot to learn from the dark web behavior observed in the first half of this year to help contextualize the current threat landscape.

There’s a sentiment that has, unfortunately, taken hold in the field of cybersecurity: Users are the weakest part of your environment. You can see why some may try to paint that picture. The statistics would seem to back it up: However, there’s a deeper truth hiding behind these statistics: It’s not the employees who are the weakest part of your security environment, it’s the training they receive.

On August 21, 2023, Ivanti published a knowledge base article on a critical authentication bypass vulnerability impacting Ivanti Sentry (CVE-2023-38035). For this vulnerability to be exploited, the System Management Portal which is hosted on port 8443 by default must be exposed to the internet. Successful exploitation of this vulnerability could lead to a remote unauthenticated threat actor making configuration changes to the server and the underlying Operating System (OS) as root.

On August 14th, 2023, cybersecurity company Tenable released a research advisory detailing two stack-based buffer overflow vulnerabilities, collectively tracked as CVE-2023-32560, impacting Ivanti Avalanche products version 6.4.0 and older. A threat actor could remotely exploit the vulnerabilities without user authentication by specifying long data type items to overflow the buffer.

On August 17th, 2023, Juniper Networks released out-of-band fixes for multiple vulnerabilities that could be chained together to achieve unauthenticated remote code execution (RCE) on SRX and EX series devices. The vulnerabilities impact the J-Web component of Junos OS, the operating system running on the devices.

When it comes to analyzing your attack surface, you’re probably assessing vulnerabilities, monitoring your firewall, tracking email security, and managing your identity and access management. But there is one part of the attack surface that often gets overlooked, and for that reason threat actors are targeting it with increased frequency, causing it to jump to the top of the initial access methods list: the human element.

Today’s cybersecurity landscape can be challenging. Cyber attacks are rising every year (50% of organizations suffered a breach in 2022), the skills gap continues to widen, and hackers are taking advantage of new techniques and new criminal networks like ransomware-as-a-service to launch sophisticated attacks. For organizations, it’s become harder to stay secure. The internal security operations center (SOC) isn’t feasible for many.

On August 4, 2023, security researchers published a blog detailing a critical remote code (RCE) vulnerability in PaperCut NG/MF print management servers (CVE-2023-39143: CVSS 8.4). CVE-2023-39143 could allow unauthenticated threat actors to read, delete, and upload arbitrary files on compromised systems, which results in RCE. Additionally, this vulnerability does not require user interaction.

As organizations across the globe grapple with the growing issue of cyber attacks — 2023 cybercrime costs are expected to hit $8 trillion — organizations are realizing that more than technical tools are needed to stay ahead of mounting threats. Even one mistake by an untrained employee can have serious consequences and result in a data breach.