The 2023 ransomware attack at the University of Manchester didn’t stop once the threat actors had successfully exfiltrated the personal identifiable information (PII) for faculty and staff, plus 250 GB of other data. When the university showed hesitation toward paying the ransom, they turned to a tactic that is becoming increasingly popular among cybercriminals — triple extortion.

Arctic Wolf has recently observed an uptick in detected password spraying for multiple Firewall and VPN appliances. This activity began on February 28, 2024. A variety of products are affected by this activity, including but not limited to devices from vendors such as Cisco, Palo Alto Networks, and WatchGuard. Further investigation revealed that authentication against web-based applications in general was being targeted as opposed to a selection of firewall vendors.

Active Directory (AD) is a mainstay for most organizations, especially as identity management grows for even small-to-medium businesses (SMBs) and once on-premises organizations digitize. But this widely adopted tool comes with major security risks.

On March 3, 2024, JetBrains published a blog post describing two authentication bypass vulnerabilities affecting the On-Premises Servers of TeamCity. An unauthenticated threat actor with HTTP(S) access to a TeamCity Server can exploit these vulnerabilities to bypass authentication and gain administrative control of a TeamCity Server. CVE-2024-27198 (CVSS 9.8): Alternative path issue in the web component of TeamCity that can lead to remote code execution (RCE). CVE-2024-27199 (CVSS 7.3)

On March 1, 2024, SolarWinds published a security advisory reporting that SolarWinds Security Event Manager (SEM) is vulnerable to a high severity vulnerability that allows an unauthenticated threat actor to achieve remote code execution (RCE), CVE-2024-0692. The vulnerability lies in the configuration of the AMF deserialization endpoints. Exploitation can occur due to insufficient validation of user-provided data, allowing untrusted data to be deserialized.

Arctic Wolf and SC Media surveyed an audience of more than 500 North American IT security professionals in the fall of 2023 and discovered that, among those who currently have cyber insurance policies, 47% of them have had coverage for 12 months or less. A significant increase among the insured reflects the kind of growth one might expect from an industry that has seen monumental change in just a few short years.

The past few years have been hard on cybersecurity professionals. An onslaught of new attack innovations and evolutions have raised the risk — and the costs — of an attack. More organizations than ever before are attempting to transfer a portion of that risk through cyber insurance. However, cyber insurance policies, once easy to get and robust in coverage, have become challenging to obtain, difficult to maintain, and costly to keep.

As the goals of securing as much ransom money and sowing as much discord as possible continues to grow, one of the most preferred methods threat actors have to accomplish these goals is to target the supply chain.

Endpoints are critical to the success of cyber attacks. While the definition what an endpoint is, exactly, has shifted over time, the threat has remained the same: Threat actors need a device to spread malware, encrypt assets, and harvest application credentials — they need an endpoint.

Let’s start with the good news. Law enforcement organizations around the world have stepped up their efforts to find, stop, and arrest ransomware operators, shut down dark web markets, and close crypto mixers and tumblers that help threat actors launder their funds.