The April 2024 Option One Cybersecurity Briefing

By OptionOne Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity Threat News

U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

The U.S. government recently announced new security measures targeting AI threats to critical infrastructure, The Hacker News reported. These guidelines are part of a broader initiative to understand and mitigate the risks AI poses in sixteen essential sectors.

The Department of Homeland Security (DHS) emphasized the importance of these measures, highlighting the dual threats AI systems face and present. The agency is also focusing on the ethical use of AI, ensuring it respects privacy and civil liberties.

Key areas covered include developing a culture of AI risk management, understanding specific AI risks, and creating strategies to address these risks effectively. The DHS urges organizations to be aware of their reliance on AI vendors and collaborate on risk mitigation.

This announcement followed a cybersecurity warning from the Five Eyes Intelligence Alliance about the vulnerabilities AI systems possess and their appeal to cybercriminals. One notable incident involved a flaw in the Keras 2 neural network library, which could allow attackers to compromise AI models.

Microsoft has reported that AI systems are susceptible to prompt injection attacks, where attackers manipulate AI to produce harmful outcomes.

“Critical infrastructure owners and operators should account for their own sector-specific and context-specific use of AI when assessing AI risks and selecting appropriate mitigations,” the DHS stated, emphasizing the tailored approach needed in AI risk management.

Vulnerability in R Programming Language Exposes Organizations to Supply Chain Risk

A serious vulnerability in the R programming language has been identified, posing a risk to organizations using this open-source tool for statistical computing and graphics, DarkReading reported. The flaw, known as CVE-2024-27322, has been rated with a severity score of 8.8 out of 10 and concerns the way R handles the deserialization of data.

This issue allows attackers to execute arbitrary code through specially crafted R Data Serialization (RDS) files. R is widely used in fields such as finance, healthcare, research, and AI, with its largest package repository, CRAN, hosting over 20,000 packages.

The vulnerability was discovered by researchers at HiddenLayer, who found that it could be exploited by loading malicious RDS files or packages, potentially allowing attackers to run harmful code on a victim’s device.

HiddenLayer’s Kasimir Schulz and Kieran Evans explained, “An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction.”

Thankfully, the flaw has been addressed in R version 4.4.0. However, the broad use of R and its package ecosystems, such as CRAN and Bioconductor, means the attack surface is large, with potentially far-reaching implications for supply chain security. Schulz advises users to update to the newest R version and to load only trusted files and packages to mitigate these risks.

Over 850 Vulnerable Devices Secured Through CISA Ransomware Program

In 2023, the U.S. government launched the Ransomware Vulnerability Warning Pilot (RVWP) program, alerting entities about 1754 ransomware vulnerabilities. The program led to 852 devices being secured or removed, Infosecurity Magazine reported.

Government facilities received the most notifications, followed by healthcare, energy, and financial services sectors. Nearly half of the flagged devices were fixed or disconnected after warnings.

The program, initiated by the Cybersecurity and Infrastructure Security Agency (CISA), aims to prevent ransomware attacks by identifying and mitigating vulnerabilities. CISA employs various tools and works with affected entities for quick resolution, supporting broader efforts against ransomware threats.

Cybersecurity Tips

Sophos Releases New State of Ransomware 2024 Report

Sophos News has published details of the fifth annual State of Ransomware report by the British security software and hardware company Sophos, according to a recent news brief. The report examines how organizations’ experiences of ransomware have changed over the last year and presents insights into the business impact of ransomware attacks.

Here are some of the key insights from the research:

  • 59% of organizations were hit by ransomware in 2023, a drop from the 66% reported in each of the two previous years.
  • Overall recovery costs (excluding ransom payments) have soared to $2.73 million, a 50% increase from last year.
  • 49% of an organization’s computers are impacted by a ransomware attack on average.
  • Only 4% of organizations that suffered attacks last year reported that 91% or more of their devices were impacted.
  • 56% of organizations that had data encrypted admitted that they paid the ransom to recover it. This is the first time a majority of organizations in the study reported paying ransom.
  • 68% of organizations reported using backups, a drop from 70% last year. Meanwhile, 29% said they use “other means” to get data back.
  • 47% of ransomware victims had data encrypted using more than one method, more than double the rate reported in 2023 (21%).
  • The average median ransom payment has increased 5-fold over the last year, from $400,000 to $2 million.
  • Only 24% say their ransom payment matched the original demand from attackers — 44% paid less and 31% paid more.

The report was based on findings from an independent, “vendor-agnostic” survey commissioned by Sophos. It included 5,000 OT and cybersecurity leaders across 14 countries. All the respondents represented companies with between 100 and 5,000 employees.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.