
Tenable Blog


Cybersecurity Snapshot: Malicious Versions of Cobalt Strike Taken Down, While Microsoft Notifies More Orgs About Midnight Blizzard Email Breach

Malicious Versions of Cobalt Strike Taken Down, as More Orgs Learn Attacker Accessed Their Microsoft Email Correspondence

Check out the results of a multinational operation against illegal instances of Cobalt Strike. Plus, more organizations are learning that Midnight Blizzard accessed their email exchanges with Microsoft. Meanwhile, Carnegie Mellon has a new report about how to fix and mitigate API vulnerabilities. And two new reports shed light on cyber insurance trends. And much more!

Dive into six things that are top of mind for the week ending July 5.

1 - Gov’t agencies take aim at illegal versions of Cobalt Strike

Hundreds of rogue versions of the Cobalt Strike pen testing tool were taken offline in late June after an international operation led by the U.K.’s National Crime Agency (NCA).

Cobalt Strike, a tool for adversary simulations and red team operations from Fortra, has been misused for years by hackers to carry out many high-profile cyberattacks.

NCA and its law enforcement partners took action against almost 700 illegal instances of Cobalt Strike hosted by 129 internet service providers in 27 countries, the NCA said this week. Almost 600 had been taken down by the end of June.

“Illegal versions of [Cobalt Strike] have helped lower the barrier of entry into cybercrime, making it easier for online criminals to unleash damaging ransomware and malware attacks with little or no technical expertise,” Paul Foster, the NCA's Director of Threat Leadership, said in a statement.

 


Participants in the joint operation included Europol and law enforcement agencies from Australia, Canada, Germany, the Netherlands, Poland and the U.S., as well as private sector organizations.

Fortra has released a new Cobalt Strike version with enhanced security features, according to the NCA.

For more information about the malicious use of Cobalt Strike by cyberattackers:

2 - Microsoft notifies more customers their emails were accessed by Midnight Blizzard

More organizations are finding out that emails they exchanged with Microsoft were accessed by Midnight Blizzard, a Russian state-sponsored espionage group (also tracked as APT29 and Nobelium) that Microsoft attributes to Russia’s Foreign Intelligence Service, the SVR.

That’s according to a Bloomberg article published on June 27 that cites Microsoft officials and reports on email notifications reviewed by the news agency.

“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor,” a Microsoft spokesperson told Bloomberg in a statement.

Earlier this year, Microsoft disclosed it had been breached by Midnight Blizzard. The attackers gained initial access through a password-spray attack against a legacy, non-production test tenant account that lacked multifactor authentication, then abused a legacy OAuth application with elevated Exchange Online permissions to read email correspondence between Microsoft senior leaders and customers, including U.S. federal government agencies.


In the article, titled “More Microsoft Customers Learn Russian Hackers Saw Their Emails,” Bloomberg reported that Microsoft is now telling customers specifically which emails Midnight Blizzard accessed. Some of these customers are just finding out their emails were exfiltrated, while others already knew.

In an ironic twist, some customers who received the email notification from Microsoft thought it might be a phishing attempt, and expressed their concerns on social media sites like Reddit, according to Bloomberg.

In June, Microsoft President Brad Smith faced tough questions during his testimony before the House of Representatives’ Homeland Security Committee, which scheduled the hearing after a U.S. government report sharply criticized Microsoft’s cybersecurity practices.

That report, from the Cyber Safety Review Board (CSRB), focused on Storm-0558’s breach of Microsoft’s Exchange Online in mid-2023, in which the attackers used a stolen Microsoft account signing key to forge authentication tokens, and called the breach “preventable.” Storm-0558, a hacking group affiliated with the Chinese government, stole emails from U.S. government officials during that breach.

For more information about Midnight Blizzard’s attack against Microsoft, check out these Tenable blogs:

3 - Carnegie Mellon unpacks API bugs and risks

Broken authentication. Unrestricted resource consumption. Server-side request forgery. Improper inventory management. Third-party software integrations. Those are some of the 14 vulnerabilities and risks that can impact application programming interfaces (APIs) discussed in a new report from Carnegie Mellon University’s Software Engineering Institute.

 

Titled “Application Programming Interface (API) Vulnerabilities and Risks” and published in June, the report offers an introduction to APIs, including API endpoints and microservice architectures; and then proceeds to explain 11 vulnerabilities and three risks, offering suggestions to fix or mitigate them.

Recommendations include:

  • Adopting a standard documentation process for APIs
  • Automating the development process’ testing
  • Securing the identity and access management system

For more information about API security best practices:

4 - Insurer: Cyber insurance pricing drops

Despite factors like more frequent attacks and worsening geopolitical conditions, as well as attackers’ growing use of generative AI, the cost of cyber insurance has been falling since hitting a peak in 2022.

Specifically, cyber insurance pricing is down 15% since 2022, thanks to organizations’ improved cyber hygiene, which has helped mitigate attack risks, according to global insurance intermediary Howden.

“At no other point has the market experienced the current mix of conditions: a heightened threat landscape combined with a stable insurance market underpinned by robust risk controls,” reads Howden’s annual cyber report for 2024, titled “Cyber insurance: Risk, resilience and relevance.”

Figure: Howden’s Global Cyber Insurance Pricing Index (2014 to Q2 2024)

(Source: Howden’s “Cyber insurance: Risk, resilience and relevance” report, June 2024)

For more information about cybersecurity insurance:

5 - Report: Cyber insurance prompts security improvements

Continuing with this topic, another report has found that organizations that go through the process of obtaining cyber insurance feel incentivized to improve their cybersecurity posture.

Specifically, 97% of organizations with a cyber policy were motivated to invest in cybersecurity, according to Sophos’ “Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders.”

Among those, 76% said the cybersecurity investments helped them obtain coverage, while 67% said it allowed them to get a better price. Thirty percent negotiated better policy terms, according to the report, based on a survey of 5,000 IT and cybersecurity leaders from 14 countries.

In addition, almost all (99%) of the organizations that boosted their cyber defenses for insurance purposes also saw other benefits. For example, they improved their cyber protections, freed IT resources and reduced alerts.

The report also found that only 1% of respondents that filed a cyber insurance claim got an insurance payout that funded 100% of their recovery costs. “The most common reason for the policy not paying for the costs in full was because the total bill exceeded the policy limit,” reads a Sophos statement about the report.

Figure: Reasons why cyber insurance did not cover the full incident cost

(Source: “Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders” report from Sophos, June 2024)

To get more details, check out:

6 - CISA updates guide for maritime transportation resilience

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new web-based tool to help organizations apply its Marine Transportation System Resilience Assessment Guide (MTS Guide).

 

The new Resilience Assessment Resource Matrix offers MTS Guide users a curated list of 100-plus tools, methods, data sources and examples so they can “better understand and plan resilience assessments of maritime infrastructure systems and functions,” CISA said in a statement this week. 

Marine transportation organizations can use the MTS Guide to assess the resilience of individual ports, networks of ports, and the inland marine transportation system.

For more information about maritime cybersecurity:
