Also: Recent Breaches at OnePoint Patient Care and French ISP Free
Each week, ISMG compiles notable cybersecurity incidents and data breaches from across the globe. This week, S&P Global Ratings highlighted that inadequate vulnerability remediation presents a material risk factor. Furthermore, OnePoint Patient Care in the U.S. and the French ISP Free reported significant data breaches, while a Russian court sentenced members of the REvil ransomware group. Additionally, the Five Eyes alliance released new security guidelines aimed at assisting small businesses in bolstering their defenses against cyber threats.
S&P Global Ratings: Unaddressed Vulnerabilities Pose Significant Risks
S&P Global Ratings released findings indicating that poor corporate vulnerability remediation can significantly elevate material risk. Their analysis examined vulnerability data from over 7,000 rated companies and revealed that 40% of them remedy known system flaws infrequently. This is particularly dangerous given long-standing vulnerabilities such as Log4Shell, which remains a favorite target for cybercriminals.
The dataset reviewed by S&P included vulnerabilities dating back over 20 years, some affecting unsupported software. Alarmingly, these flaws were reportedly left unaddressed for months, granting attackers ample time to exploit them. According to S&P, the latest Verizon Data Breach Investigations Report indicates that exploitation of vulnerabilities surged nearly threefold in 2023, marking a concerning growth trend in the cyber threat landscape.
While not all vulnerabilities carry the same weight in terms of exploitation risk, organizations can leverage the Exploit Prediction Security Score for insights into the likelihood of an attack. S&P’s findings showed that the rated corporations maintained an average EPSS score of 0.33, suggesting low exploitation probability for their vulnerabilities. However, some firms fared worse, with an unnamed entity reporting an EPSS score exceeding 0.9, indicating a high likelihood of being targeted.
S&P cautioned that poor management of vulnerabilities might reflect a broader issue of ineffective cybersecurity governance, which should be considered when assessing overall corporate risk management strategies.
OnePoint Patient Care Reports Major Data Breach
OnePoint Patient Care, a provider of hospice pharmacy services based in Arizona, has disclosed a significant data breach affecting approximately 800,000 individuals. The organization detected suspicious activity within its network on August 8, leading to the confirmation of unauthorized access to sensitive personal and health information. Information potentially exposed includes names, addresses, medical record numbers, diagnoses, and prescription details, with some individuals’ Social Security numbers also at risk.
The ransomware group known as INC Ransom claimed responsibility for the breach, alleging on its dark web leak site that it had encrypted and exfiltrated data from OnePoint in September.
French ISP Free Confirms Data Breach Affecting Millions
French internet service provider Free, a subsidiary of Iliad Group, has confirmed a data breach that impacted customer information for 22.9 million mobile and fixed-line subscribers. While the company reported that passwords, payment card details, and communication content were not compromised, the breach targeted a management tool. Free asserted there was no operational impact on its services.
Data from the breach is reportedly for sale on criminal forums, with one actor, known as “drussellx,” claiming to offer a dataset that includes sensitive information from over 19 million customers.
Russian Court Sentences Four REvil Ransomware Members
A Russian court recently sentenced four members of the infamous REvil ransomware group following a crackdown on the organization in early 2022. The sentences range from 4.5 to 6 years, with some time already served. This prosecution was separate from that of other detained REvil members. The group gained notoriety for high-profile cyberattacks, prompting action from Russian authorities after U.S. pressure.
The accused individuals have only been charged under Russian law for crimes such as payment card fraud and the distribution of malicious software, following a significant halt in U.S.-Russia cooperation after the invasion of Ukraine.
Five Eyes Alliance Releases Cybersecurity Guidelines for Small Businesses
In an effort to bolster the cybersecurity posture of small businesses, particularly technology startups, the Five Eyes intelligence alliance, which includes agencies from the U.S., U.K., Canada, Australia, and New Zealand, published new security guidelines. These recommendations are primarily aimed at mitigating hacking threats from state-sponsored actors, with a specific emphasis on protecting intellectual property from adversaries such as China.
The “Five Eyes Secure Innovation” guidelines encourage businesses to implement fundamental security practices, such as designating security personnel, managing asset inventories, and overseeing data shared with third-party services. The guidance also addresses defenses against unauthorized access from both criminal groups and competing firms.