Digital transformation has been a catalyst for growth for many organisations, but it has also opened them up to more cyberattacks. To address the growing attack surfaces, one key priority is to improve cyber threat detection and response capabilities, which can be burdensome to operate, maintain and optimise.
In this factsheet, learn how the Ensign Managed Detection &amp; Response (MDR) solution can help your organisation effectively detect and respond to threats through:&nbsp;
<ul type="disc">
<li>Highly contextualised and actionable cyber threat intelligence </li>
<li>High level of automation </li>
<li>Full spectrum visibility</li>
</ul>

Learn how Ensign's Managed Detection & Response solution can help your organisation effectively detect and respond to cyber threats.

Driven by the Industrial Internet of Things (IIoT), the convergence of IT and OT has brought about radical changes and improvements in gathering data that helps organisations in their decision-making, as well as in monitoring their performance and environments. But while such efficiencies increase, so do the associated risks due to the expanding OT ecosystems&rsquo; attack surfaces.
In the recent webinar, &ldquo;Securing Today&rsquo;s OT Environments&rdquo;, Ensigns&rsquo; panel of experts shared their real-world experiences and expertise on the subject, as well as the best practices for mitigating the evolving threats.
The topics of the webinar included:
<ul type="disc">
<li>OT Cyber Threat Landscape</li>
<li>Adoption of security best practices and international standards</li>
<li>How to formulate a cohesive IT and OT cybersecurity strategy</li>
<li>Steps to enhance your cybersecurity maturity</li>
<li>Emergence of Industrial IoT and its impact on cybersecurity</li>
</ul>

Gain insights into the risks resulting from the expansion of OT ecosystems’ attack surfaces, and the best practices for mitigating them.

As the digital world struggles to deal with the onslaught of more prevalent and pernicious threats, the pressure on the Banking, Financial Services &amp; Insurance (BFSI) industry to perform has never been greater. To drive growth and increase customer trust, financial institutions are taking advantage of various platforms such as mobile, cloud, and social&mdash;exposing them to further cybersecurity risks.
As customers continue to move away from physically transacting with banks and other institutions, more enhanced investment in securing mobile and web-based services must be seriously considered to keep up with customer behaviour and expectations.
Read the ebook and learn more about:
<ul type="disc">
<li>Digitalisation trends </li>
<li>The industry&rsquo;s cybersecurity risks and threats </li>
<li>MAS&rsquo; proposed cybersecurity guidelines </li>
<li>How to manage risks</li>
</ul>

Download our eBook to find out how the BFSI industry is adopting disruptive technology, and the cyber risks arising from it.

In 2019, the number of cyber threats continued to rise, compromising and putting the spotlight on some critical infrastructure sectors and high-profile organisations. Find out the top threat attack vectors enterprises faced, as well as the most targeted industries in Singapore the previous year.

Find out the top threat attack vectors enterprises faced in 2019.

Commentary: Ng Yeok Chong, Ensign InfoSecurity&rsquo;s Head of Infrastructure Security
Both industrial Internet of Things (IIoT) and operational technology (OT) belong to the category of cyber-physical systems (CPS) as they share an infrastructure that straddles between the physical and digital world. As such, the cyber risks that these systems are exposed to will continue to grow as more IoT devices become connected to the OT systems. This greatly expands organisations' digital attack surfaces that threat actors can exploit to infiltrate critical infrastructures. At the same time, many OT systems are traditionally designed to focus on safety and reliability, with very little consideration on security by design. Consequently, the confluence of OT and IT systems introduces a plethora of vulnerabilities to IoT/OT infrastructures, and exposes them to an unprecedented level of cyber risk.
The CPS&rsquo; vulnerability to cyber attacks, and the huge damage these attacks can potentially inflict on the physical world make these systems very attractive targets to certain groups of threat actors. Any successful cyber attack against IIoT and OT systems can result in grave, real-world consequences, including the loss of lives, safety failures, service disruptions and production downtime.
In 2020 alone, Israel&rsquo;s water management facilities were hit by two cyber attacks, where the command and control systems of wastewater treatment plants, pumping stations, and sewage were compromised. Honda Motor also experienced a cyberattack that brought global operations to a halt, including the car factories in Ohio and Turkey, as well as at motorcycle plants in India and South America.
Evidently, organisations will need to adopt new cyber security approaches to mitigate the IIoT and OT risks and strengthen their security posture. It begins with formulating a long-term, effective strategy that embraces a fundamental Zero-Trust mindset for users of IIoT and OT systems, and other devices.
Creating a Zero Trust architecture requires organisations to have an in-depth understanding of all IIoT and OT systems on the network, including the identity of every device that touches the network, business context, traffic flows and resource dependencies. This enables organisations to make context-based segmentation decisions that would reduce business risk without unduly impacting availability. Organisations can consider using agentless device visibility and continuous network monitoring for IIoT and OT devices to achieve this.&nbsp;
Organisations should also look at enforcing privileged access to critical IT and OT infrastructure; and segment IIoT devices and OT systems into appropriate zones and conduits to reduce the impact radius in the event of a cyber breach. Additionally, organisations should look at containing vulnerable devices, legacy applications and operating systems that cannot be patched or taken offline within separate zones to reduce the attack surface.
&nbsp;

Ng Yeok Chong, Ensign InfoSecurity's Head of Infrastructure Security highlights the importance of protecting cyber-physical systems against cyber attacks.

Ensign Labs has detected an increase in malware activities targeting Banking, Financial Services and Insurance (BFSI) companies, through our proprietary Automated Malware Analysis Platform. From February 2020, our team of analysts observed a rise in Ursnif attributed detections, which spiked 5 times since March 2020.
The highlights of the advisory include:
<ul>
<li>Spike in Ursnif trojan activity; BFSI sector most targeted, accounting for 63.4% of detection alerts </li>
<li>Threat behaviour and techniques of the Ursnif trojan by mapping to the MITRE ATT&amp;CK framework </li>
<li>Conclusion and recommendations</li>
</ul>

Ensign Labs’ proprietary Automated Malware Analysis Platform has detected a spike in malware activities targeting BFSI companies.

While the world&rsquo;s economy slows down, and business operations globally come to an alarming halt, opportunistic cybercriminals are thriving and targeting enterprises, more particularly those from the healthcare sector. In an interview with CNA, Ensign's Senior Vice President of Technology and Capabilities, Lee Shih Yen, spoke about the rise of cyberattacks in the healthcare industry, and how the threat landscape has evolved as a result of the Covid-19 pandemic.
Watch the interview here:&nbsp;<a href="https://www.channelnewsasia.com/watch/rise-cyber-attacks-across-all-sectors-march-april-healthcare-tops-list-attacks-video-1469336" data-sf-ec-immutable="">CNA-Interview</a>&nbsp;

Ensign's Senior Vice President of Technology and Capabilities, Lee Shih Yen, spoke about the rise of cyberattacks in the healthcare industry in an interview with CNA.

Singapore's healthcare sector was the top sector targeted during Covid-19, and suffered a 182-fold surge in phishing attacks from January to April 2020, compared to the same period last year.&nbsp;
The spike of attacks is not surprising, and relentless cyber attacks are expected to persist. The pandemic has put potential victims in a much vulnerable state of mind which cyber actors easily exploit through social engineering tactics. Social distancing measures have also brought about a growing dependence on smart medical devices and equipment which poses greater risk, especially if devices are inadequately secured.
Lee Shih Yen, Senior Vice President of Ensign Labs, weighs in on the subject, &ldquo;It&rsquo;s really back to basics to deal with this new wave of attacks.&rdquo; He recommends greater attention to 3 key areas:
<ul type="disc">
<li>Medical devices and wearables must address HIPAA&rsquo;s compliance requirements </li>
<li>Identity management and external device authentication via Multi-Factor Authentication (MFA) system to accurately verify patients and health providers </li>
<li>Security training and awareness for patients using virtual medicine</li>
</ul>

“Relentless” cyberattacks are expected to persist. New and hastily built healthcare
infrastructure are particularly at risk, according to cybersecurity
firm, Ensign InfoSecurity.

D&rsquo;Crypt, an Ensign InfoSecurity subsidiary, has developed contact tracing technologies that can help organisations monitor and minimise the spread of Covid-19 in their workplace. The technologies, BluePass and BlueGate, is currently being trialled by an Asia-based urban and infrastructure consulting firm at their worksites.&nbsp;
<a href="https://www.straitstimes.com/singapore/new-contact-tracing-device-and-check-in-system-on-trial-at-worksite" target="_blank" rel="noopener" data-sf-ec-immutable="">Read more about BluePass and BlueGate here.</a>
D&rsquo;Crypt is a provider of world-class engineering and cryptographic capabilities. As a subsidiary of Ensign, it works together with the wider Ensign portfolio of bespoke service offerings to provide advanced cybersecurity solutions to secure enterprises and sectors&nbsp;against advanced threats in today&rsquo;s digital economy.&nbsp;<a href="/about-ensign/the-ensign-difference" target="_blank" rel="noopener" data-sf-ec-immutable="">Find out more.</a>

D’Crypt has developed contact tracing technologies to help organisations monitor and minimise the spread of Covid-19.

As businesses in the banking and finance industry transform and introduce more digital platforms to interact with clients, cyber risks have increased in tandem, especially during this unprecedented pandemic period.&nbsp;
In a recent interview with&nbsp;Thomson Reuters, Ensign&rsquo;s Senior Vice President of Technology &amp; Capabilities, Lee Shih Yen, shared key findings of the Ensign Cyber Threat Landscape Report 2020, and explained why the finance sector remains a lucrative target for cybercriminals.&nbsp;
Here are some highlights from the interview:
<ul type="disc">
<li>Top cyber threats faced by organisations in 2019</li>
<li>2020 cybercrime trends, and rise in COVID-19 themed phishing attacks</li>
<li>Insights on how to overcome cybercrime challenges</li>
</ul>

In a recent live interview with&nbsp;MONEYFM 89.3, our resident expert &ndash; Low Chee Juee (Vice President of Consulting), shared key findings of the Ensign Threat Landscape Report 2020. Listeners of the&nbsp;Prime Time&nbsp;show learnt more about the top threat vectors and most targeted industries in 2019, and how enterprises can protect themselves as the cyber threat landscape continues to evolve rapidly. He also discussed the potential risks arising from the current pandemic situation, as well as the rollout of 5G.
Here are some highlights from the interview:
<ul type="disc">
<li>Sharing of the top cyber threat vectors and most targeted industries in 2019</li>
<li>Details on APT32 &ndash; the largest threat actor in the region</li>
<li>The evolution of cyber attacks in today&rsquo;s climate</li>
<li>Practices that organisations should adopt in the face of digitalisation and rise of 5G</li>
<li>Essential cyber security strategy practices</li>
</ul>

Our resident expert, Low Chee Juee, shared key findings of the Ensign Threat Landscape Report 2020 in an interview with MONEYFM 89.3.

Ensign has observed a pattern of abnormal queries on public DNS servers through its DNS Anomaly Behavioural Model, a proprietary tool of Ensign Labs team. The anomalies included sharp spikes of DNS requests within a short time-frame, and a sequence of suspicious DNS queries with no subsequent TCP/UDP traffic upon resolution of the domain name. Our team of analysts investigated the anomalies further, and the details of the analysis can be found in this report.
Highlights from the advisory include:
<ul>
<li>Insights on the suspicious DNS requests</li>
<li>Details of the public web storage site housing the DNS queries</li>
<li>Network profile analysis</li>
<li>Conclusion and recommendations</li>
</ul>

Ensign Labs' DNS anomaly behavioural model detects suspicious DNS queries.

The Ensign Cyber Threat Landscape Report 2020&nbsp;provides detailed insights into the&nbsp;most prevalent threats observed in Singapore&rsquo;s&nbsp;cyber landscape. Through detailed analysis of key&nbsp;security insights and threat intelligence&nbsp;information, the report identifies the cyber threats&nbsp;and trends that Singapore faced in 2019. It also offers threat insights based on the stages of the&nbsp;MITRE ATT&amp;CK&reg; framework, as well as the best&nbsp;practices for safeguarding against cyber threats.
<div>
Highlights from the report include:
<ul>
<li>Details on the top cyber attack vectors</li>
<li>Insights into the most targeted industries</li>
<li>Top threat attack sources</li>
<li>Threat insights based on the stages of the MITRE ATT&amp;CK&reg; framework</li>
<li>Analysis of the most active attack groups in 2019</li>
<li>Best practices and recommendations</li>
</ul>
<a style="color: blue;" href="/services/services-listings/ensign-cyber-threat-intelligence
">CLICK HERE</a>&nbsp;to find out more about the Ensign Cyber Threat Intelligence service.
</div>

Gain detailed insights into the most prevalent threats observed in Singapore’s cyber landscape in 2019.

<div>
The&nbsp;COVID-19 pandemic has made the&nbsp;collection of personal data on&nbsp;health status, physical movement, personal contacts, and in some cases, spending and behavioural patterns a necessity in contact tracing efforts. As employees progressively return to worksites, organisations are now implementing contact tracing measures,&nbsp;albeit with certain cyber risks,&nbsp;to collect, store and manage the personal data to prevent a &lsquo;second-wave&rsquo; of infections. &nbsp; In this featured editorial &lsquo;Data Security in a Post-COVID-19 World&rsquo;, Teo Xiang Zheng,&nbsp;Head of Advisory at Ensign Consulting, shares about the&nbsp;cybersecurity challenges arising from contact tracing applications and data management, and how organisations can implement a robust data security strategy to mitigate the&nbsp;risk of a data breach. &nbsp; Highlights from the&nbsp;featured editorial include:
<ul>
<li>Types of contact tracing solutions and their associated cybersecurity challenges in data management </li>
<li>Hard truths about technology vulnerabilities and cyber supply-chain risks </li>
<li>Practical recommendations for organisations to secure data in this new digital age</li>
</ul>
</div>
<div>&nbsp;</div>

Learn how organisations can overcome the cybersecurity challenges arising from contact tracing applications and data management.

Managing cyber risks is an increasingly challenging task for organisations in today&rsquo;s disrupted landscape. Besides protecting systems and networks from evolving cyber threats, organisations also need to assure their customers, partners and regulatory authorities of the security, integrity and resilience of their digitalised and interconnected operations and processes. In an interview with CybersecAsia, Lim Minhan, Director for Assurance in Ensign Consulting shares his thoughts on how Purple Teaming can help organisations address the challenges ahead.
Read the interview here:&nbsp;<a href="https://ensign.global/3oBxTau" data-sf-ec-immutable="">https://ensign.global/3oBxTau</a>&nbsp;

In a CybersecAsia interview, Lim Minhan, Director for Assurance in Ensign Consulting shares why Purple Teaming is an effective threat adversarial approach in today’s evolving environment.

Today&rsquo;s exponential growth in data is unlikely to go away anytime soon. In fact, it looks set to escalate, which makes the amendments to the PDPA timelier than ever. The Cybersecurity Guide on the Personal Data Protection (Amendment) Bill provides insights into the PDPA, and the steps Singapore organisations can take to better manage their sensitive data, and mitigate the risks.&nbsp;
Highlights of the ebook include:
<ul type="disc">
<li data-list="0" data-level="1">Strengthening consumer trust through organisational accountability </li>
<li data-list="0" data-level="1">Ensuring effectiveness of enforcement </li>
<li data-list="0" data-level="1">Enhancing consumer autonomy </li>
<li data-list="0" data-level="1">Supporting data use for innovation </li>
<li data-list="0" data-level="1">Ensign&rsquo;s recommendations</li>
</ul>

Download our ebook to find out the key changes of the amendment bill and their impact on Singapore organisations.

Situation
Singtel, a major internet service provider in Singapore, shared on its website on 11 February 2021 that a nearing end-of-life third-party file-sharing system provided by Accellion called FTA (File Transfer Application) has been illegally accessed by unidentified hackers. There is an alleged SQL injection vulnerability on Accellion FTA that an adversary can exploit to install a web shell on the victim&rsquo;s system. A web shell is a malicious script that typically includes different functionalities such as file listing, downloading of files and clean-up on compromised system. An adversary can make use of the web shell to gain control of the server to perform various activities on the file sharing server leading to a potential data breach.
Our Actions
<ul type="disc">
<li data-list="1" data-level="1">We have reviewed the indicators of compromise, and our SOCs have been tasked to support affected clients in threat identification as required.&nbsp;</li>
<li data-list="1" data-level="1">We do not operate any Accellion systems and are reviewing the use of file transfer type applications within our organisation.</li>
<li data-list="2" data-level="1">Deep analysis will be conducted to uncover attack trends, patterns and TTPs (tactics-techniques-procedures) as information becomes available - these insights will be shared when ready.</li>
</ul>
Our Recommendations
<ul type="disc">
<li>For organisations who are using the Accellion FTA, we recommend that you apply the latest fixes and patches&nbsp;to Accellion FTA.&nbsp;If an update or migration is not possible, we advise you&nbsp;to disable and isolate systems hosting the FTA software.&nbsp;</li>
<li>Ensure that your anti-virus, endpoint protection and firewall applications are updated with the latest definition so that your systems can be protected against new cyber threats.&nbsp;</li>
<li>Perform application and network log reviews to identify possible data exfiltration such as abnormal file size transfer or unusual network connections.&nbsp;</li>
<li>Assess the need to store, handle or transfer sensitive and personal data (e.g. customer database or CVs of job applications) on web and/or publicly accessible servers.</li>
<li data-list="0" data-level="1">Please refer to the following links for more in-depth recommendations:</li>
<ul type="circle">
<li data-list="0" data-level="2">Guidepoint:&nbsp;<a href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.guidepointsecurity.com%2Faccellion-fta-targeted-by-file-downloading-web-shell%2F&amp;data=04%7C01%7Cjeslyn_teo%40ensigninfosecurity.com%7C720ffbd4f5d14117a20908d8ce52ddce%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637486202614175751%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=FZie4IWn7FpfEX9rvlz4r7k0gGaieIqRCiS4ozs4asg%3D&amp;reserved=0" data-sf-ec-immutable="">https://www.guidepointsecurity.com/accellion-fta-targeted-by-file-downloading-web-shell/</a></li>
</ul>
</ul>
As investigations are underway, we are expecting additional malware and TTPs to be uncovered. We will continue to provide updates on the incident, and inform you about additional recommendations.
If you suspect that you could have been affected by the incident, you can contact us for digital forensic and incident response services. You can take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at&nbsp;<a href="mailto:marketing@ensigninfosecurity.com" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>&nbsp;for more information.&nbsp;

Ensign's plans and procedures in response to the recent breach involving Accellion.

The Situation On 9 February 2021, Palo Alto&lsquo;s threat intelligence team Unit 42 disclosed the discovery of BendyBear &ndash; a highly sophisticated cyber espionage tool. BendyBear is alleged to have similarity in code behaviour and features as that of the WaterBear malware family, which was used by cyber espionage group BlackTech. BendyBear is an updated version designed to work with modern 64-bit systems. It uses anti-forensic techniques and the malicious payload is loaded in memory, thus making it challenging to detect. Its main function is to download more malicious payloads from attacker&rsquo;s controlled command and control (C2) server.&nbsp;
Our&nbsp;Commitment We expect more updates on BendyBear, and will continue to keep a close watch and provide relevant insights and recommendations to the community. Throughout this festive period, Ensign continues to be available to clients who require assistance on any cyber-related matters. Our Actions
Ensuring our customers are secured - Security of our clients is key
<ul type="disc">
<li>Our SOCs have updated our detection capabilities based on the latest IOCs published, and we have compressed our in-house SOC processes to review and update such detection rules to keep pace with the rollout of such information.</li>
<li>We continue to maintain timely patch updates for our critical systems to ensure that we eradicate known vulnerabilities in our environment.&nbsp;</li>
<li>Our SOCs have been tasked to support clients who may be affected in threat identification, if&nbsp;required.&nbsp;</li>
</ul>
&nbsp;Enhanced Monitoring
<ul type="disc">
<li>We are stepping up our SOC operations to keep tabs of the evolving situation, and handle any response actions required.&nbsp;</li>
<li>Deep analysis is ongoing to uncover attack trends, patterns and TTPs (tactics-techniques-procedures) - these insights will be shared when ready.&nbsp;</li>
</ul>
&nbsp;Our Recommendations
<ul type="disc">
<li>Review and update existing security rulesets with relevant indicators of compromise to identify suspicious activities.</li>
<li>Review network logs to identify TCP port 443 traffic that does not conform to proper SSL or any other known applications.</li>
<li>Where feasible, block unknown outbound TCP traffic in security policies.</li>
<li>Keep up with software updates, and mitigate identified critical vulnerabilities.</li>
<li>Enhance perimeter and endpoint defence with whitelisting, behaviour analysis and sandboxing techniques using advanced endpoint &amp; network security solutions.</li>
<li>Please refer to the following links for more in-depth information on BendyBear:</li>
<ul type="circle">
<li>Palo Alto :&nbsp;<a href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblog.paloaltonetworks.com%2F2021%2F02%2Fu42-bendybear%2F&amp;data=04%7C01%7Cjeslyn_teo%40ensigninfosecurity.com%7Cc83a17f4a67c4e6a92ab08d8cef5df68%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637486902710791189%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=4WhMTgp5iKmA1M6AjpNyxxSk5J%2Bs2YFJqbJppyVIHnw%3D&amp;reserved=0" data-sf-ec-immutable="">https://blog.paloaltonetworks.com/2021/02/u42-bendybear/</a></li>
<li>Palo Alto :&nbsp;<a href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fbendybear-shellcode-blacktech%2F&amp;data=04%7C01%7Cjeslyn_teo%40ensigninfosecurity.com%7Cc83a17f4a67c4e6a92ab08d8cef5df68%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637486902710801144%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=UY8gKjxfb5Pxmro5lUZx4XK7YTJThMOgBawJQz931tI%3D&amp;reserved=0" data-sf-ec-immutable="">https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/</a></li>
</ul>
</ul>
We are expecting additional IOCs and TTPs to be uncovered. We will continue to provide updates on the incident, and inform you about additional information.
If you suspect that you could have been affected by the malware, you can contact us for digital forensic and incident response services. You can take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme.&nbsp;&nbsp;Contact us at&nbsp;<a href="mailto:Marketing@ensigninfosecurity.com" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>&nbsp;for more information.
&nbsp;

Ensign's plans and procedures in response to BendyBear.

As financial institutions (FIs) increasingly adopt new technologies, they also expose themselves to new risks that cyber criminals readily exploit. Possessing sensitive data that&rsquo;s highly valued, FIs continue to be the main targets of attacks. In light of this, the Hong Kong Monetary Authority (HKMA) released the Cybersecurity Fortification Initiative (CFI) 2.0.&nbsp;
Ensign InfoSecurity&nbsp;has produced a guide that provides insights into the key changes in the CFI 2.0 and the Cyber Resilience Assessment Framework (C-RAF), as well as how Ensign can help FIs implement them.

This eBook expands on the key changes to HKMA’s CFI 2.0, and the C-RAF, as well as highlights how Ensign can help FIs benefit from them.

The Ensign Cyber Threat Landscape Report 2021 provides insights into the most prevalent threats we observed in 2020 in Asia Pacific, more specifically in Singapore, Malaysia, Hong Kong and South Korea. It also presents the cybersecurity outlook for 2021.
Highlights from the report include:
<ul>
<li>Covid-19-themed and phishing threats</li>
</ul>
<ul>
<li>Top threat activities observed across the MITRE ATT&amp;CK Tactics, Techniques and Procedures</li>
</ul>
<ul>
<li>Top malware groups</li>
</ul>
<ul>
<li>Top threat actor group</li>
</ul>
<ul>
<li>Cybersecurity outlook&nbsp;for&nbsp;2021</li>
</ul>
<ul>
<li>Conclusion and key learnings</li>
</ul>
&nbsp;
&nbsp;

Gain insights into the attackers’ tactics, techniques, and procedures, as well as detailed accounts of their impact on Asia-Pacific organisations in 2020.

We would like to share with you the plans and procedures we've put in place in response to the cyber attack campaign&nbsp;operated by threat actor group, NOBELIUM.&nbsp;
The Situation &nbsp;Microsoft Threat Intelligence Center (MSTIC) has uncovered an evolving and sophisticated wide-scale malicious email campaign operated by NOBELIUM, the group behind last year's SolarWinds supply chain attack. It was observed that the campaign operated since January 2021 with the group evolving its attack tactics in delivering the malicious package.&nbsp; Like most phishing tactics, the attackers attempt to lure users into opening the e-mail, followed by either opening a malicious file or clicking a malicious link.&nbsp;An example of&nbsp;this&nbsp;nature&nbsp;included e-mails purportedly originating from the USAID government agency with a lure referencing foreign threats to the 2020 US Federal Elections. It contained a malicious link that would result in a redirection request to download an ISO file&nbsp;on&nbsp;to&nbsp;the victims system. The ISO file contained both decoy and malicious files.&nbsp;If&nbsp;an&nbsp;unsuspecting victim&nbsp;opened&nbsp;the malicious files, the malware infection&nbsp;would&nbsp;begin, providing persistent remote access to the attackers.&nbsp; Interestingly,&nbsp;the phishing message and delivery method were&nbsp;not the only evolving factors&nbsp;in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.&nbsp; The History NOBELIUM, a group connected to Russia, has historically targeted government&nbsp;and non-government&nbsp;organisations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. In this case, Microsoft&nbsp;reported&nbsp;at least a quarter of targets work with international development, humanitarian, and human rights work. The phishing attack has so far targeted some 3,000 accounts at more than 150&nbsp;organisations&nbsp;across multiple&nbsp;industries&nbsp;based in the United States and Europe. The victims span 24 countries, though most attacks were aimed at the US.&nbsp; The following industries&nbsp;have been&nbsp;observed&nbsp;being&nbsp;targeted thus far:&nbsp;
<ul type="disc">
<li>NGOs&nbsp;</li>
<li>Research Institutions&nbsp;</li>
<li>Government Agencies&nbsp;</li>
<li>International Agencies&nbsp;</li>
</ul>
&nbsp;&nbsp;&nbsp;
Microsoft further noted that this campaign differs significantly from NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor&rsquo;s tradecraft and possible experimentation following widespread disclosures of previous incidents.&nbsp; Ensign Posture &amp; Monitoring Ensign has stepped up monitoring operations for our clients for both cloud and on-premise infrastructure. Our Managed Detection and Response platform and our proprietary machine learning analytics can detect and block malicious artifacts. Coupled with network layer defence, our protection controls prevent applications or users from accessing malicious sites. We have performed rounds of checks to verify security configurations and patches are up-to-date.&nbsp; Our Recommendations&nbsp;
<ul type="disc">
<li>Keep systems fully patched.</li>
<li>Scan your environment for indicators of compromise (IOC) &ndash; see Microsoft Reference below.</li>
<li>Turn on cloud-delivered protection in your anti-virus software to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.&nbsp;</li>
<li>Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft anti-virus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.).&nbsp;</li>
<li>Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the Internet.&nbsp;</li>
<li>Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.&nbsp;</li>
<li>Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.&nbsp;</li>
<li>Enable multifactor authentication (MFA) to mitigate compromised credentials.&nbsp;</li>
<li>Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes (assess impact before enabling).&nbsp;</li>
<li>Regularly conduct security awareness training Ensign will continue to provide updates on the incident and inform you of additional recommendations.&nbsp;</li>
</ul>
 If you require further cybersecurity advice or services, please contact us at&nbsp;<a href="mailto:marketing@ensigninfosecurity.com" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>. References:&nbsp; <a href="https://beta.darkreading.com/attacks-breaches/solarwinds-attackers-impersonate-usaid-in-advanced-email-campaign" data-sf-ec-immutable="">https://beta.darkreading.com/attacks-breaches/solarwinds-attackers-impersonate-usaid-in-advanced-email-campaign</a> <a href="https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/" data-sf-ec-immutable="">https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/</a> <a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" data-sf-ec-immutable="">https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/</a>
&nbsp;

Ensign’s plans and procedures in response to the NOBELIUM threat actor group’s cyber attack campaigns.

The Situation
Multiple firmware vulnerabilities had been discovered in the Dell BIOSConnect feature available on multiple models of consumer and business laptops, desktops, tablets, including devices protected by Secure Boot and Secured-core PCs. Normally, this feature is used to update the system firmware or perform OS recovery, however vulnerabilities that exist, would enable an attacker to remotely execute code in the pre-boot environment.
Dell recommends that users disable and avoid using BIOSConnect firmware update, OS recovery, and HTTPS boot features manually from the BIOS setup menu or the Dell Command Control remote system management tool. When available, customers should apply the BIOS updates for their system via an executable from the OS after manually checking the hashes against those published by Dell other than BIOSConnect. The History
Firmware attacks targeting enterprises are up over the past two years and they have become a&nbsp;hot target for cybercrime as operating systems become more secure, attackers are increasingly shifting their attention to firmware, which is less visible, more fundamental and rarely well protected
The TrickBot malware which has been around since 2016, and evolving over time had in 2020, added a module&nbsp;to inspect devices for firmware vulnerabilities that could enable attackers to read, write, or erase the UEFI/BIOS firmware. In 2019, Asus computers were also targeted by hackers (now known as ShadowHammer) in the form of a malicious firmware update. In October 2018, a rare&nbsp;firmware rootkit&nbsp;was detected targeting diplomats and nongovernmental organisations. Russian advanced persistent threat group Sednit deployed the first firmware-level rootkit&nbsp;seen in the wild.
What we are seeing are attacks based on exploiting hardware designs and what differentiates this type of attacks is that consumers don&rsquo;t have any control over the hardware design and manufacturing. The shift in attackers focus are becoming more prevalent as OS becomes more secure and firmware remains less visible and rarely well protected.&nbsp;
 Ensign Posture &amp; Monitoring
Ensign InfoSecurity provides a complete inventory and health check for enterprise firmware and hardware components.
In addition, with regular vulnerability scanning of these components, we enable any organisation to extend its visibility and security beyond the traditional endpoints.
Ensign has in place a well-defined enterprise security vulnerability management framework where configuration and patches are dutifully tested and rolled out as they become available. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Ensign has also stepped up monitoring operations and will advise clients of any anomalies detected from the monitored event logs.
 Our Recommendations
<ul type="disc">
<li>For those using Dell hardware that are not enterprise-managed:</li>
<ul type="circle">
<li>Immediately disable Dell BIOSConnect, OS recovery, and HTTPS boot features feature from the BIOS setup page</li>
<li>Do not run &ldquo;BIOS Flash Update &ndash; Remote&rdquo; until the system is updated with a remediated version of the BIOS</li>
<li>Patch Dell&rsquo;s firmware via an executable from the OS after manually checking the hashes against those published by Dell</li>
</ul>
</ul>
(Refer to Dell&rsquo;s webpage for detailed info at&nbsp;<a href="https://www.dell.com/support/kbdoc/en-au/000188682/dsa-2021-106-dell-client-platform-security-update-for-multiple-vulnerabilities-in-the-supportassist-biosconnect-feature-and-https-boot-feature" data-sf-ec-immutable="">https://www.dell.com/support/kbdoc/en-au/000188682/dsa-2021-106-dell-client-platform-security-update-for-multiple-vulnerabilities-in-the-supportassist-biosconnect-feature-and-https-boot-feature</a>)
<ul type="disc">
<li>For those using Dell hardware that are enterprise-managed:</li>
<ul type="circle">
<li>Inform respective IT team to see if you are affected and await further instructions for the fix </li>
</ul>
<li>Know your assets to increase your visibility into your network</li>
<ul type="circle">
<li>Use device discovery and find affected devices on your network for remediation/mitigation</li>
<li>Put in place a hardware and software inventory tracking system </li>
</ul>
<li>Implement a stringent vulnerability and patch process especially for Internet connected systems </li>
<li>Keep systems fully patched at all levels, OS, application and firmware</li>
</ul>
<ul>
<li>Enable platform security features such as Secure Boot and BIOS Admin Password </li>
<li>Regularly conduct vulnerability scanning </li>
<li>Scan your environment for indicators of compromise (IOC) where available</li>
</ul>
Ensign will continue to provide updates on the incident and inform you of additional recommendations. We can help you to secure your firmware/hardware security. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take&nbsp;preemptive&nbsp;measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at&nbsp;<a href="mailto:marketing@ensigninfosecurity.com" target="_blank" rel="noopener" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>&nbsp;for more information.&nbsp; References:
<a href="https://eclypsium.com/2021/06/24/biosdisconnect/" data-sf-ec-immutable="">https://eclypsium.com/2021/06/24/biosdisconnect/</a>
<a href="https://www.bleepingcomputer.com/news/security/dell-supportassist-bugs-put-over-30-million-pcs-at-risk/" data-sf-ec-immutable="">https://www.bleepingcomputer.com/news/security/dell-supportassist-bugs-put-over-30-million-pcs-at-risk/</a>
<a href="https://cromwell-intl.com/cybersecurity/hardware.html" data-sf-ec-immutable="">https://cromwell-intl.com/cybersecurity/hardware.html</a>
<a href="https://www.csoonline.com/article/3410046/hardware-and-firmware-vulnerabilities-a-guide-to-the-threats.html" data-sf-ec-immutable="">https://www.csoonline.com/article/3410046/hardware-and-firmware-vulnerabilities-a-guide-to-the-threats.html</a>
<a href="https://www.techrepublic.com/article/microsofts-new-security-tool-will-discover-firmware-vulnerabilities-and-more-in-pcs-and-iot-devices/" data-sf-ec-immutable="">https://www.techrepublic.com/article/microsofts-new-security-tool-will-discover-firmware-vulnerabilities-and-more-in-pcs-and-iot-devices/</a>

Hardware / Firmware Vulnerabilities discovered in over 100 Dell models.

The Situation&nbsp;
On Friday&nbsp;2&nbsp;July&nbsp;2021, Kaseya reported that&nbsp;its VSA Remote Monitoring and Management Software has been compromised to distribute&nbsp;REvil&nbsp;ransomware to multiple managed services providers running the software, potentially infecting unspecified numbers of their 40,000 installed customer base.&nbsp;
The malware appears to have been delivered through an automatic update of the Kaseya VSA client management and monitoring software.&nbsp; According to&nbsp;Kaseya,&nbsp;it&nbsp;affects only Kaseya VSA software running on on-premise servers while SaaS versions remain unaffected.&nbsp; Kaseya has issued a security advisory warning its customers to immediately shut down their on-premise VSA servers to prevent the attack from spreading.&nbsp;
Managed Malware Delivery&nbsp;
The&nbsp;researchers&rsquo;&nbsp;current&nbsp;breakdown of the attack has shown that the outbreak was delivered via a malicious update payload&nbsp;sent to&nbsp;VSA servers, and in&nbsp;turn,&nbsp;to the VSA agent applications running on managed Windows devices.
This was achieved using a zero-day exploit of the server platform&nbsp;for&nbsp;which&nbsp;Kaseya was rushing&nbsp;out a patch.&nbsp;This vulnerability gave REvil cover in several ways: It&nbsp;allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code&mdash;reflected in<a title="https://helpdesk.kaseya.com/hc/en-gb/articles/229014948-Anti-Virus-Exclusions-and-Trusted-Apps" href="https://helpdesk.kaseya.com/hc/en-gb/articles/229014948-Anti-Virus-Exclusions-and-Trusted-Apps" target="_top" data-sf-ec-immutable="">&nbsp;anti-malware software exclusions that Kaseya require</a>s&nbsp;for&nbsp;setting up its&nbsp;application and agent &ldquo;working&rdquo; folders. Anything executed by the Kaseya Agent Monitor&nbsp;was therefore ignored because of those exclusions&mdash;which allowed REvil to deploy its dropper without scrutiny.
More details on the anatomy of attack can be found at:
<a title="https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" href="https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/" data-sf-ec-immutable="">https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/</a>
The History&nbsp;
REvil recruits affiliates to distribute the&nbsp;ransomware&nbsp;for them and are thought to be based in&nbsp;Russia&nbsp;due to the fact that the group does not target Russian&nbsp;organisations.&nbsp;&nbsp;
Ransomware code used by REvil resembles the code used by&nbsp;DarkSide, suggesting that DarkSide could be a partner of REvil.&nbsp;REvil and Darkside use similarly structured ransom notes and the same code to check that the victim is not located in a&nbsp;Commonwealth of Independent States&nbsp;(CIS) country.&nbsp;
Cybersecurity experts believe REvil is an offshoot from a previous notorious, but now-defunct hacker gang, GandCrab.&nbsp;This is suspected due to the fact that REvil first became active directly after GandCrab shutdown, and that the ransomware both share a significant amount of code.&nbsp;
Ensign's Posture&nbsp;
Ensign has stepped up monitoring and checks to ensure the security of our clients.&nbsp;&nbsp;Ensign&rsquo;s managed detection and response and AI-based cyber analytics can help&nbsp;clients detect&nbsp;and prevent the execution of ransomware.&nbsp; Our Managed Security Services are unaffected by the compromise of Kaseya VSA. &nbsp;Ensign will continue to provide updates on the incident and inform you of additional recommendations.
 Our Recommendations&nbsp;
<ul type="disc">
<li>Users of Kaseya VSA to&nbsp;immediately&nbsp;shut down&nbsp;your VSA server until further notice from Kaseya, meanwhile existing customers are encouraged to get the &ldquo;Compromise Detection Tool&rdquo; by sending an email&nbsp;<a href="mailto:support@kaseya.com" data-sf-ec-immutable="">support@kaseya.com</a>&nbsp;to begin recovery process if impacted</li>
</ul>
<ul type="disc">
<li>Scan your endpoints/network for indicators of compromise (IOC) -&nbsp;<a href="https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/" data-sf-ec-immutable="">https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/</a> -&nbsp;<a href="https://www.joesandbox.com/analysis/809013#iocs" data-sf-ec-immutable="">https://www.joesandbox.com/analysis/809013#iocs</a> -&nbsp;<a href="https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt" data-sf-ec-immutable="">https://github.com/pgl/kaseya-revil-cnc-domains/blob/main/revil-kaseya-cnc-domains.txt</a>&nbsp; </li>
<li>Enable tamper protection for Windows Defender because the ransomware attempts to disable Windows Defender -&nbsp;<a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide" data-sf-ec-immutable="">https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide </a></li>
<li>Take reference from CISA recommendations to review your&nbsp;systems,&nbsp;and apply mitigating measures to reduce the risk of compromise by ransomware&nbsp;&nbsp; </li>
<li>Implement security solutions to segregate and protect your environment (e.g.&nbsp;firewalls, proxies, web filtering, mail filtering, endpoint detection and response)&nbsp; </li>
<li>Maintain a ransomware-resilient backup strategy with at least a copy&nbsp;offline </li>
<li>Keep systems fully patched&nbsp;</li>
</ul>
Please contact us for further assistance if required, or for further advice on how to strengthen your security posture against similar incidents.&nbsp; Contact us at&nbsp;<a href="mailto:marketing@ensigninfosecurity.com" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>&nbsp;for more information.&nbsp;&nbsp;
References:&nbsp;
<a href="https://www.kaseya.com/potential-attack-on-kaseya-vsa/" data-sf-ec-immutable="">https://www.kaseya.com/potential-attack-on-kaseya-vsa/</a>&nbsp;
<a href="https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack" data-sf-ec-immutable="">https://us-cert.cisa.gov/ncas/current-activity/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack</a>&nbsp;
<a href="https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/" data-sf-ec-immutable="">https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/</a>&nbsp;
<a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/" data-sf-ec-immutable="">https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/</a>&nbsp;
<a href="https://www.theverge.com/2021/7/2/22561252/revil-ransomware-attacks-systems-using-kaseyas-remote-it-management-software" data-sf-ec-immutable="">https://www.theverge.com/2021/7/2/22561252/revil-ransomware-attacks-systems-using-kaseyas-remote-it-management-software</a>&nbsp;
<a href="https://www.itnews.com.au/news/kaseya-supply-chain-ransomware-attack-hits-msp-customers-566858" data-sf-ec-immutable="">https://www.itnews.com.au/news/kaseya-supply-chain-ransomware-attack-hits-msp-customers-566858</a>&nbsp;

Situation
A cyber attack on Friday has crippled critical infrastructure in the US.&nbsp; It caused&nbsp;Colonial Pipeline, the source of nearly half the US East Coast&rsquo;s fuel supply&nbsp;to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. &nbsp;The relatively new ransomware group known as&nbsp;DarkSide&nbsp;targeted attacks against their information technology (IT) network. Currently, there is no indication that their operational technology (OT) networks have been directly affected by the ransomware.
Like other ransomware platforms, DarkSide adheres to the current best practice of double extortion, demanding separate sums to unlock any files and servers, and promise to destroy any data stolen from the victim.
After gaining an initial foothold in the network, the attackers collect files and credentials, and exfiltrate them. They then use PowerShell to download the ransomware binary and proceed to move laterally with the main goal of conquering the Domain Controller (DC). After exfiltrating all sensitive information, they then distribute the binary to other assets in the environment, encrypting sensitive data such as finance, private information and partners documents for maximum damage.
&nbsp;
Background
First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims.&nbsp;DarkSide says it targets only big companies, and forbids affiliates from attacking certain industries, including healthcare, funeral services, education, public sector and non-profits.
DarkSide has shown itself to be ruthless with victim companies that have deep pockets. In January 2021, a negotiation was observed between the DarkSide crew and a $15 billion U.S. victim company that was hit with a $30 million ransom demand.
A cyber threat intel vendor had assessed (finding at &ldquo;moderate&rdquo; confidence) that some of the criminals behind DarkSide hail from another ransomware outfit called &ldquo;REvil,&rdquo; a.k.a. &ldquo;Sodinokibi&rdquo;. REvil&nbsp;is widely considered to be the newer name for GandCrab, a ransomware-as-a-service offering that closed shop in 2019 after bragging that it had extorted more than $2 billion.
&nbsp;
Ensign Posture &amp; Monitoring
Ensign provides advanced cybersecurity services which can detect and prevent the execution of ransomware such as this incident. &nbsp;Ensign has stepped up monitoring operations, and will advise clients of any anomalies detected from the monitored event logs.&nbsp; We have performed rounds of checks to verify security configurations are up-to-date.
&nbsp;
Our Recommendations
<ul>
<li>CII asset owners and operators to adopt a heightened state of awareness</li>
<li>Keep systems fully patched</li>
<li>Regularly backup files remotely</li>
<li>Implement security solutions to segregate and protect your environment (e.g. firewalls, proxies, web filtering, mail filtering, endpoint detection and response)</li>
<li>Scan your endpoints for indicators of compromise (IOC) -&nbsp;<a href="https://otx.alienvault.com/pulse/60821a187be8d208269c103c" data-sf-ec-immutable="">https://otx.alienvault.com/pulse/60821a187be8d208269c103c</a></li>
<li>Take reference from CISA recommendations to review your systems and apply mitigating measures to reduce the risk of compromise by ransomware &ndash;&nbsp;<a href="https://us-cert.cisa.gov/sites/default/files/2021-05/AA21-131A_DarkSide_Ransomware.pdf" data-sf-ec-immutable="">https://us-cert.cisa.gov/sites/default/files/2021-05/AA21-131A_DarkSide_Ransomware.pdf</a>. &nbsp;&nbsp;</li>
</ul>
&nbsp;
Ensign will continue to provide updates on the incident and inform you of additional recommendations. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take&nbsp;preemptive&nbsp;measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at&nbsp;<a href="mailto:marketing@ensigninfosecurity.com" target="_blank" rel="noopener" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>&nbsp;for more information.&nbsp;
&nbsp;
References:
<a style="color: blue;" href="https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/" data-sf-ec-immutable="">https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/</a>
&nbsp;
<a style="color: blue;" href="https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware" data-sf-ec-immutable="">https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware</a>
&nbsp;
<a style="color: blue;" href="https://www.hstoday.us/subject-matter-areas/infrastructure-security/darkside-ransomware-cisa-fbi-advisory-on-best-practices-for-preventing-business-disruption-from-ransomware-attacks/" data-sf-ec-immutable="">https://www.hstoday.us/subject-matter-areas/infrastructure-security/darkside-ransomware-cisa-fbi-advisory-on-best-practices-for-preventing-business-disruption-from-ransomware-attacks/</a>

Ensign's plans and procedures in response to Darkside Ransomware.

The Situation
On 2 March 2021, Microsoft released several security updates for Microsoft Exchange Server 2013, 2016 and 2019 to address vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that have been used in limited targeted attacks. These vulnerabilities can allow an attacker to gain unauthorised access to mailboxes and perform remote code execution.&nbsp;
Microsoft has detected multiple Zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actors exploited these vulnerabilities to access Exchange Server and install additional malware to facilitate long-term access to victim environments. Webshell was used as a technique to escalate and maintain persistent access on an already compromised exchange server. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to&nbsp;HAFNIUM, based on observed victimology, tactics and procedures. On 4 March and 5 March 2021, Microsoft provided more resources to help customers investigate and identify threats coming from HAFNIUM through indicators of compromise provided in the links below:
<a style="color: blue;" href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F&amp;data=04%7C01%7CLeonardo_Jamorabo%40ensigninfosecurity.com%7Cc2a188ad82bc41db136008d8e1e31582%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637507712734917315%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=TdB8qfUdtIZVWSnjEiH2GVpJIiitsu5XByL1tohtzv4%3D&amp;reserved=0" data-sf-ec-immutable="">https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/</a>
<a style="color: blue;" href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%23scan-log&amp;data=04%7C01%7CLeonardo_Jamorabo%40ensigninfosecurity.com%7Cc2a188ad82bc41db136008d8e1e31582%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637507712734927266%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=amIA%2FZzYdJ5v0Ia9tnqTR4r2ZtuJ%2FsZUrWh8Ketwfi0%3D&amp;reserved=0" data-sf-ec-immutable="">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log</a>
&nbsp;
Ensign Posture &amp; Monitoring
Ensign has performed rounds of checks to confirm that the flaw does not affect our infrastructure.&nbsp;
Ensign has also stepped up monitoring operations, and will advise clients of any anomalies detected from the monitored event logs.
 Our Recommendations
<ul type="disc">
<li>Check patch levels and install security patches to fix the vulnerabilities on affected exchange servers. If installation of security patches is not possible, implement IIS Re-Write Rules and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services as interim mitigation.</li>
<li>Scan exchange log files for indicators of compromise.</li>
<li>Perform threat hunting on affected servers and network to identify possible compromised system in your organisations.</li>
<li>Harden current security controls (e.g. Endpoint Detection and Response, Firewall, NIDS) to identify and block malicious activities and suspicious outbound traffic to blacklisted C2 infrastructure.</li>
<li>Take reference from CISA recommendations to review your systems and apply mitigating measures on the Microsoft Exchange Server Vulnerabilities (CISA recommendations &ndash;&nbsp;<a style="color: blue;" href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fus-cert.cisa.gov%2Fncas%2Falerts%2Faa21-062a&amp;data=04%7C01%7CLeonardo_Jamorabo%40ensigninfosecurity.com%7Cc2a188ad82bc41db136008d8e1e31582%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637507712734927266%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=fnJ8jpaNsErkNB6k%2BiRkw%2F6dJ1QPz1B9Pt5iNcfMh8Y%3D&amp;reserved=0" data-sf-ec-immutable="">https://us-cert.cisa.gov/ncas/alerts/aa21-062a</a>).</li>
</ul>
Ensign will continue to provide updates on the incident, and inform you of additional recommendations. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at <a style="color: blue;" href="mailto:marketing@ensigninfosecurity.com" target="_blank" rel="noopener" data-sf-ec-immutable="">marketing@ensigninfosecurity.com</a>;for more information.
 References:
<a style="color: blue;" href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F&amp;data=04%7C01%7CLeonardo_Jamorabo%40ensigninfosecurity.com%7Cc2a188ad82bc41db136008d8e1e31582%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637507712734937229%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=FVmNhB8cJQomph2mXLlAm1Jh5Hfb1ZUbNJEh18crreU%3D&amp;reserved=0" data-sf-ec-immutable="">https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/</a>
<a style="color: blue;" href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F&amp;data=04%7C01%7CLeonardo_Jamorabo%40ensigninfosecurity.com%7Cc2a188ad82bc41db136008d8e1e31582%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637507712734937229%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=5tJQoHaB%2BJqIA0%2FWPOUd3VVRUwNuL6cnB%2F2lSdHTsMk%3D&amp;reserved=0" data-sf-ec-immutable="">https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/</a>
<a style="color: blue;" href="https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.volexity.com%2Fblog%2F2021%2F03%2F02%2Factive-exploitation-of-microsoft-exchange-zero-day-vulnerabilities%2F&amp;data=04%7C01%7CLeonardo_Jamorabo%40ensigninfosecurity.com%7Cc2a188ad82bc41db136008d8e1e31582%7Cd5cb08f4d38848b2bc028ecce3c63fce%7C1%7C0%7C637507712734947177%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=lSzPM0%2FyEYY9P7GnGD%2BDyVoDA11y2s1F8lWLl5v1blQ%3D&amp;reserved=0" data-sf-ec-immutable="">https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/</a>

Ensign's plans and procedures in response to the Microsoft exchange server vulnerabilities which compromised over 20,000 organisations.

The Monetary Authority of Singapore released the revised Technology Risk Management Guidelines (MAS-TRMG) in January 2021&nbsp;to establish stronger governance, and strengthen cyber resiliency in the financial sector. It&rsquo;s aimed at combating the industry&rsquo;s evolving cyber threats, and minimising risks to supply chains.&nbsp;This guide discusses the key changes in the revised MAS-TRMG, and Ensign&rsquo;s recommendations.
&nbsp;Highlights of the eBook include:
<ul type="disc">
<li>12 key changes of the revised MAS-TRMG</li>
<li>What financial institutions need to look out for</li>
<li>How Ensign can help</li>
</ul>
&nbsp;Download our eBook to find out more.
&nbsp;

Download the eBook to find out more about the 12 key changes of the revised MAS-TRM Guidelines, along with Ensign’s recommended approach.

The Situation
A recently disclosed critical security vulnerability (CVE-2021-44228) in a logging software, Apache log4j2, is one of the most serious cyber security vulnerabilities in recent years. Apache log4j is widely used in many applications across many organisations.&nbsp; All organisations must act quickly to identify and contain the risks, detect attack attempts and remediate their systems because it is widely used and easily exploitable.
Since the disclosure, the vulnerability has been observed to be under active exploitation by cyber attackers. Many organisations across various sectors are vulnerable because the use of log4j is ubiquitous and the vulnerability is easy to exploit. Financially motivated attackers were among the first to exploit targets, and it is highly anticipated that there will be increased exploitation attempts leading to monetisation activities. This includes data theft and ransomware deployment.

Ensign's plans and procedures in response to the Apache Java Logging Library Log4j 2 Critical RCE Vulnerability.

Hackers have evolved their tactics from email phishing, to now include smishing with a high level of realism, as part of their delivery methods in their cyber attack campaigns. In September 2021, The Singapore Police Force also reported at least 150 victims falling for similar scams.
Through Ensign&rsquo;s Smishing Protection, we protect organisations, and their consumers, from such attacks. Download the factsheet to learn more about:
<ul type="disc">
<li>The Ensign Smishing Protection approach </li>
<li>Our novel and unique data science technique in detecting phishing and smishing </li>
<li>Benefits and value to your organisation</li>
</ul>

Learn more about Ensign Smishing Protection, and how we can protect you against smishing attacks.

With the ever-evolving threat landscape, cyber threats and tactics are becoming more sophisticated and damaging. The COVID-19 pandemic has also accelerated digitisation across organisations, enlarging their attack surfaces and extending cybersecurity further away from corporate infrastructures.&nbsp;Are organisations able to deal with the rapid changes on their own? Download this eBook to learn more about&nbsp;the&nbsp;deciding factors for&nbsp;outsourcing your security monitoring to a Managed Security Services Provider.

Get a better understanding of some key points before deciding to outsource your security monitoring to a Managed Security Services Provider.

It is critical for organisations to double down on immediate actions required to identify systems surrounding the Apache Log4j vulnerability. The initial Apache Log4j vulnerability (CVE-2021-44228) on 9 Dec 2021, which was assigned a maximum CVSS score of 10.0, led to the massive reconnaissance and exploitation activity by threat actors leveraging on the bug. Ensign has published this supplementary threat advisory to complement the&nbsp;<a href="/analysis-and-insights/34" data-sf-ec-immutable="">Threat Advisory: Apache Java Logging Library Log4j Critical RCE Vulnerability</a>. In this advisory, we answer the top three questions about the impact of the Log4j vulnerability:
<ol>
<li>Why the urgency to mitigate and remediate Log4j vulnerability? </li>
<li>Why is there so much patching to do? </li>
<li>Do we need to scan our systems using various Log4j scanners?</li>
</ol>

Gain a better understanding of how and why organisations are doubling down on immediate actions surrounding the Log4J vulnerability.

Is your organisation ready to handle cybersecurity incidents such ransomware attacks and data breaches? In the event of a real security incident, it can cost not only operational downtime, but also reputational and financial loss. Given the speed and relentless manner cyber attacks are conducted, time is of the essence when remediating intrusions to prevent further harm.
&nbsp;
Ensign has certified digital forensic investigators and incident responders to help organisations minimise the impact of cyber incidents. Download our factsheet to learn more about:
<ul style="padding-left: 20px;">
<li>Our approach to the use of cyber threat intelligence and automation to improve speed in incident response </li>
<li>Threat hunting and incident response for OT/ICS and Cloud environments</li>
</ul>

Learn how Ensign leverages on cyber threat intelligence and automation to improve its speed in incident response. Ensign’s Digital Forensic and Incident Response factsheet gives you an overview of how best you can apply threat hunting and incident response for OT/ICS and Cloud environments.

The unfortunate truth about cyber attacks is&nbsp;that, sometimes, they are successful. This could be due to organisations&rsquo; lack of cybersecurity controls, inadequate cyber hygiene practices, poor cyber crisis management, or the lack of resources in&nbsp;combating highly&nbsp;resourced and sophisticated threat actors. This was the case of a&nbsp;BlackCocaine&nbsp;ransomware attack which occurred in a banking and financial software company.
&nbsp;
The Ensign Hunt and Incident Response Operations (HIRO) team was activated to investigate.&nbsp;It provided support to the targeted company, deploying&nbsp;containment measures to mitigate the impact of the breach. Download the case study to learn more.

This case study looks into a BlackCocaine ransomware attack that hit a banking and financial software company. Gain insights into how Ensign’s Hunt and Incident Response Operations (HIRO) team deployed containment measures to mitigate the impact of the breach.

Data scientists from Ensign&rsquo;s Labs presented their research&nbsp;entitled&nbsp;&ldquo;TypoSwype: An Imaging Approach to Detect Typo-Squatting" during the IEEE NTMS 2021 Conference. The study highlights considerations pertaining to keyboard distances, a main vulnerability exploited by typo-squatting techniques.&nbsp; The study also aims to address the lack of a widely accepted approach for keyboard distances by leveraging on state-of-the-art image recognition techniques.

Ensign Labs’ research highlights how TypoSwype can detect Typo-Squatting.

Drawing insights from the 2021 Threat Landscape Report, Ensign&rsquo;s VP of Engineering, Kok Leong, singles out cyber supply chain attacks and ransomware attacks to be among key threats that will persist in 2022. He adds that organisations ought to recognise the importance of taking additional steps to mitigate any form of elevated cyber risks.&nbsp;
He also discusses Ensign&rsquo;s approach in the cybersecurity industry, as well as the direction Ensign is taking in the coming year.&nbsp;
Read all about it in this interview with CyberNews:&nbsp;<a style="color: blue;" href="https://ensign.global/36j8Yo1" target="_blank" rel="noopener">here </a>

From key threats to watch out for to Ensign doubling down on its R&D efforts, Chan Kok Leong, Ensign’s VP of Engineering shares it all in an interview with CyberNews. He also talks about Ensign’s cybersecurity journey, and how the company aims to forge ahead.

Ransomware&nbsp;attacks have come to greater notoriety in recent times. The&nbsp;DarkSide incident, in particular, compromised a US-based critical infrastructure, causing a widespread disruption to its services, and lives of many. This has reportedly gained the perpetrators a huge amount of payout. Other prominent&nbsp;ransomware&nbsp;attacks in 2021 included attacks on AXA Insurance that was reported in May 2021, and Kaseya in July 2021.
Ransomware&nbsp;perpetrators are also evolving their tactics, techniques and procedures in their cyber operations. These include the Ransomware-as-a-Service model, and double extortion approach used by cyber criminals, which results in increased success rates that puts organisations at greater risk.
&nbsp;
&nbsp;Download the&nbsp;Ensign Anti-Ransomware&nbsp;Suite to learn more about:
&nbsp;
<ul>
<li>The&nbsp;increasing sophistication and advancement of&nbsp;ransomware&nbsp;campaigns </li>
<li>Ensign&rsquo;s defence approaches to curb&nbsp;ransomware&nbsp;threats from materialising </li>
<li>Recommendations to prevent, detect, and respond to ransomware attacks</li>
</ul>

Ensign's Anti-Ransomware Suite equips organisations with capabilities to prevent, detect, and respond to advanced ransomware threats.

Changes to the&nbsp;Personal Data Protection&nbsp;Act (PDPA)&nbsp;came into effect on 1 Feb 2021, with enhanced measures for greater organisational accountability and consumer protection, while giving organisations the confidence to use data for innovation and business growth.&nbsp;
To reduce&nbsp;the&nbsp;risk of data breaches,&nbsp;in line with PDPA&rsquo;s requirements,&nbsp;organisations should adopt a holistic approach for securing sensitive data.&nbsp;
Watch&nbsp;the&nbsp;on-demand video and download&nbsp;the&nbsp;factsheet&nbsp;to find out how&nbsp;Ensign&rsquo;s Data Loss Prevention (DLP) Programme&nbsp;can help facilitate such an approach.
Some&nbsp;key highlights:
<ul>
<li>Overview of Ensign&rsquo;s&nbsp;DLP&nbsp;Programme</li>
</ul>
<ul>
<li>Adopting the&nbsp;DLP&nbsp;Process Lifecycle enhances data security in all 5 areas of Identify, Protect, Detect, Respond and Recover framework.</li>
</ul>
<ul>
<li>Success stories and use cases</li>
</ul>

Ensign’s DLP Programme helps secure data in-use, data in-motion, and data at-rest across endpoints, networks, storage and the Cloud.

The Personal Data Protection (Amendment)&nbsp;Bill, which was introduced on 2 Nov 2020, aims to help businesses securely harness data for new business opportunities and, at the same time, strengthen their data security practices needed in the ever-evolving cyber threat environment.
Under the Amendment Bill, new sets of regulations will be imposed, such as the Mandatory Data Breach Notification that requires organisations doing business in Singapore to report the occurrence of any notifiable data breach to the PDPC within 72 hours. The maximum financial penalty for failing to provision data protection will also be raised to 10% of an organisation's annual turnover in Singapore or SGD1,000,000, whichever is higher.
&nbsp;
Jointly organised by Ensign and SMU School of Law, to learn more about:
<ul type="disc">
<li>Legal implications of the Personal Data Protection (Amendment)&nbsp;Bill</li>
<li>Key policy changes and their impact to organisational procedures</li>
<li>How to manage and respond effectively to data breach incidents​​​​​​​​​​​​</li>
</ul>

Learn about the legal implications of the PDPA Amendment Bill, key policy changes and the impact to organisational procedures, as well as how to manage and respond effectively to data breach incidents.

Learn how data can be&nbsp;an indispensable tool in the fight against phishing. Gain insights into the role data science plays in detecting threats already entrenched in the digital environment. To find out more, read Frontier Enterprise&rsquo;s article featuring Ensign&rsquo;s Vice-President of Data Science, Quek Han Yang. Click here to read more:&nbsp;<a style="color: blue;" href="https://www.frontier-enterprise.com/data-a-key-weapon-in-your-cybersecurity-arsenal/utm_source=website&amp;utm_medium=article&amp;utm_campaign=frontier%20enterprise%20article" data-sf-ec-immutable="">https://www.frontier-enterprise.com/data-a-key-weapon-in-your-cybersecurity-arsenal/?utm_source=website&amp;utm_medium=article&amp;utm_campaign=frontier%20enterprise%20article</a>

In a Frontier Enterprise article, Ensign’s Data Science Vice-President, Quek Han Yang, elaborates on the role that data plays in building a proactive cybersecurity posture.

Threat actors often target privileged access because it leads to the most valuable and confidential information, such as customer identities, financial information, and personally identifiable information. Without proper controls in place, internal and external threat actors can exploit gaps in your IT environment and gain access to your critical data.
<div>Learn how Ensign System Integration&rsquo;s Access &amp; Identity services can help protect your crown jewels through its Design &amp; Build Services, as well as Managed Security Services &amp; Support Services. Some benefits of engaging these services include:</div>
<div>&nbsp;</div>
<div>&bull; Protection against insider threats</div>
<div>&bull; Ability to recover quickly from cyber attacks</div>
<div>&bull; Compliance to data privacy regulations</div>

Critical data such as customer identities, financial information, and personally identifiable information are prime targets for cyber threat actors. Find out how Ensign can help you protect your crown jewels.

The constantly evolving threats leave many organisations unable to predict the adversaries&rsquo; next move. To turn things around, it is critical for organisations to gain a deep understanding of their cybersecurity posture and how they can effectively respond to attacks. Through Red Teaming exercises, Ensign enables organisations to be in a better position to defend against the onslaught of attacks. Employing cyber criminals&rsquo; tactics, techniques and procedures, Ensign can test and improve organisations&rsquo; level of readiness against real-world cyberattacks. Read the factsheet and learn more about: &bull; Adversarial Emulation &bull; Vulnerability assessment &amp; Penetration Testing &bull; Key areas of typical Red Teaming Exercise With constantly evolving threats, organisations are often left unprepared for any incident. Ensign helps develops their readiness through multi-faceted training exercises using real-world cyberattack scenarios.

Learn more about
Ensign’s Red Teaming Services

Cybersecurity remains a prevailing concern as enterprises double down on technology adoption since the COVID-19 pandemic hit. Managed Security Services Vice President at Ensign InfoSecurity, Roland Lau tells the Business Times why cybersecurity is not only a business enabler, but also a collective responsibility between organisations and their vendors. He also shares some foundational steps to consider when building a long-term strategy for resiliency.
Read more here:&nbsp;<a class="" href="https://www.businesstimes.com.sg/international/asean/cybersecurity-collective-responsibility-and-business-enabler" data-sf-ec-immutable="">https://www.businesstimes.com.sg/international/asean/cybersecurity-collective-responsibility-and-business-enabler</a>

In a Business Times article, Roland Lau, Vice President, Managed Security Service, Ensign Infosecurity shares why cybersecurity is a collective responsibility and business enabler for enterprises.

<h3>The Situation</h3>
A widespread campaign by a nation-state actor involving SolarWinds was uncovered by FireEye recently. The campaign used a trojanised version of SolarWinds Orion updates, which was digitally signed between March and May 2020, and uploaded to the SolarWinds&rsquo; update website. At least two top vendors were breached, and this incident has serious implications to the cybersecurity industry, its supplier chains and organisations using the affected products.
<h3>Our Commitment</h3>
The situation is fast evolving as details of the breach are being announced and more affected parties are made known. Ensign will continue to keep a close watch and provide relevant insights and recommendations to the community. Throughout this year-end festive period, Ensign continues to be available to clients who require assistance on any cyber-related matters.
&nbsp;

Ensign's plans and procedures in response to the recent breach involving SolarWinds.

Situation
There are important cyber implications arising from the ongoing Russia-Ukraine conflict.&nbsp;In the lead up to the invasion, a wave of destructive data-wiper attacks and disruptive distributed denial-of-service (DDoS) attacks have reportedly hit Ukraine&rsquo;s government, military, and economy. These cyber attacks could spill over to unintended victims beyond Ukraine.&nbsp;For instance, the 2017 NotPetya malware attacks targeting Ukrainian organisations eventually spread and hit many organisations worldwide including pharmaceutical giant Merck and FedEx&rsquo;s European subsidiary TNT Express.
The ongoing Russia-Ukraine conflict is not the first military conflict where cyber attacks were seen alongside conventional military actions. The 2008 Russian invasion of Georgia saw similar tactics. The current Russia-Ukraine conflict remains unresolved; hence, it is also unclear if&nbsp;these ongoing cyber attacks may also directly target key countries opposing or supporting either side of the Russia-Ukraine conflict.
In response, organisations need to be prepared for the spillover of destructive and disruptive cyber attacks.&nbsp;All organisations should take&nbsp;proactive actions to enhance their security posture, increase vigilance, and be prepared for an incident response.
&nbsp;

Ensign’s recommendations on the proactive actions organisations can take to reduce the likelihood and impact of a potentially damaging cyber attack.

The Russia-Ukraine conflict has escalated to the cyberspace, drawing partisan response and actions coming from supporters of the warring nations. The tension has spilt over beyond the area of conflict, and organisations siding with either side must be prepared for potential disruptions to their operations, and other repercussions.
&nbsp;
This Executive Brief contains a comprehensive summary of the threat assessment resulting from observations on the conflict from January to 25 March 2022. It summarises the observed&nbsp;attacks&rsquo; effects and their implications. We have provided recommendations that organisations and businesses can consider to prevent being part of the collateral damage from the conflict.
&nbsp;
This Executive Brief supplements the earlier published technical threat advisory, which can be accessed&nbsp;<a style="color: blue;" title="https://www.ensigninfosecurity.com/analysis-insights/content/2022/02/26/impact-of-cyber-attacks-amidst-ukraine-crisis" href="/analysis-and-insights/41" target="_blank" rel="noopener" data-sf-ec-immutable="">here</a>.

This Executive Brief summarises the observed attacks’ effects and their implications. We have provided recommendations that organisations and businesses can consider to prevent being part of the collateral damage from the conflict.

The cybersecurity landscape has become even more daunting in 2020, with events in the recent months posing numerous challenges for organisations. Escalating political tensions, increasing healthcare concerns with COVID-19, and accelerated digitalisation efforts to support remote work and contactless transactions have dramatically transformed digital attack surfaces, impacting technology transformation processes.&nbsp;
Prepared by Teo Xiang Zheng, Head of Advisory, Ensign Consulting, this report aims to provide insights into the threats and trends observed by Ensign InfoSecurity in the global cyber environment 2020. These include an increase in threat actor activities, incidents of compromise due to expanding digital attack surface, exploitation of the COVID-19 situation and cyber supply chain, as well as threat actor attention paid to contact tracing solutions.
Highlights of the report include:
<ul>
<li>Summary of the observed threats and trends</li>
<li>Cybersecurity implications arising from the COVID-19 pandemic</li>
<li>Suggestions on how to mitigate the threats</li>
</ul>

Learn about the threats and trends observed by Ensign InfoSecurity in 2020, as well as suggestions on how to mitigate them.

Ensign has released the Cyber Threat Landscape Report 2022. In this third edition, we expanded our coverage to include our unique insights into the observed global, and regional threats in 2021. We also leveraged our presence in Singapore, Hong Kong S.A.R., Malaysia, and South Korea to provide perspectives on territory-specific threats.
We adopted the Threat-informed Defence approach, using the MITRE ATT&amp;CK Framework (Version 10) and MITRE Engage Framework (Version 1.0) to harmonise the taxonomy of the observed threats, and the defensive engagement activities.
Download the report to gain insights into:
&nbsp;
<ul>
<li>Top cyber threat trends</li>
<li>Territorial threat profiles</li>
<li>Outlook of the threat landscape in 2022</li>
<li>Cyber defenders&rsquo; course of action</li>
<li>Key recommendations for leaders</li>
</ul>

Ensign Cyber Threat Landscape Report 2022 showcases an expansion of coverage to include insights into global, regional, and territory-specific threats in 2021, more specifically in Singapore, Hong Kong S.A.R., Malaysia, and South Korea. It also discusses recommendations on how organisations can prepare for any eventuality arising from such threats.

Taking advantage of the rapid adoption of digital technology and accelerated use of digital payments, cyber threat actors are increasingly targeting payments and payments-related infrastructure. Amidst this landscape, the PCI Security Standards Council (PCI SSC) issued Version 4.0 of the PCI DSS on March 31, 2022, shifting the standard's focus to outcome-based requirements.
&nbsp;
Download this eBook to find out how to remain PCI DSS compliant.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to 
encourage and enhance payment card account data security, as well as facilitate the broad adoption of consistent data security measures globally.

Find out more on how PCI DSS develops a baseline of technical and operational requirements 
designed to protect account data. 

Commentary by Lee Joon Sern, Lead Data Scientist, Ensign Labs
Artificial Intelligence (AI), particularly Machine Learning (ML), has been gaining renewed interest in the last decade. This interest has been facilitated largely by the significant and exponential growth in its computational power to potentially address computationally-intensive, hard problems that might have been insurmountable in the past. With this increased processing power becoming more readily available, many industry players are avidly looking at how breakthroughs in AI and ML can be applied to their respective domains. These breakthroughs can improve and optimise business processes or procedures, as well as develop new products and solutions.
While AI and ML bring about a new dawn of positive transformation, these techniques can also be used for harmful purposes. This is especially so in the cyberspace, as cyber attackers are constantly finding new ways to mount attacks on organisations. In today&rsquo;s environment, it is all about combatting intelligence with intelligence. As organisations employ AI or ML for cyber defence, so do malicious entities for cyberattacks.

Ensign InfoSecurity’s Lead Data Scientist, Lee Joon Sern weighs in on the current threat landscape and the importance of empowering cyber systems with artificial intelligence and machine learning.

The use of technology in ship operations and management is placing&nbsp;maritime organisations at a risk of cyber-attacks. The ramifications of these cyber-attacks are wide-ranging, stemming from ship collisions to possible cargo losses, pollution, and even disruption in port operations.
&nbsp;
In this opinion piece on Seatrade Maritime, Ensign&rsquo;s Head of Advisory, Teo Xiang Zheng, explains measures maritime organisations can take to shore up their cyber defences. These include leveraging the cyber community for cyber threat information, bolstering organisations&rsquo; cybersecurity hygiene, or even reviewing and revising crisis management plans and playbooks.&nbsp;
&nbsp;
Click <a style="color: blue;" href="https://www.seatrade-maritime.com/opinions-analysis/bracing-rising-tide-cyber-threats-against-maritime-industry" target="_blank" rel="noopener">here </a>to read more about what Xiang Zheng had to say.

Maritime organisations face increasing cyber threats as they leverage on technology in their operations and management processes. Ensign’s Head of Advisory,   
Teo Xiang Zheng explains how maritime organisations can shore up their cyber defences in this opinion piece on Seatrade Maritime.

Robust defences for cyber supply chains have proved pivotal in navigating an ever evolving threat landscape. However, any weak link in supply chains could also be detrimental as threat actors may exploit this as a point of entry. Our Head of Advisory from Hong Kong,&nbsp;Marco&nbsp;Sin&nbsp;spells out four key cyber strategies your organisation can take to isolate supply chain cyber risks. He touches on four key points that could prove instrumental in containing them:&nbsp;
&nbsp;
<ul style="padding-left: 20px;" type="disc">
<li>Implementing third-party risk assessment and monitoring services</li>
<li>Adopting a proactive cybersecurity posture&nbsp;</li>
<li>Establishing an incident response playbook</li>
<li>Maintaining good cyber hygiene practices.</li>
</ul>
&nbsp;
Click <a style="color: blue;" href="https://www.cybersecasia.net/tips/four-key-cyber-strategies-to-isolate-supply-chain-risks?utm_source=hootsuite&amp;utm_medium=social_media&amp;utm_term=&amp;utm_content=&amp;utm_campaign=CybersecAsia" data-sf-ec-immutable="">here </a>to find out more

Vulnerabilities in Log4J, SolarWinds, and Kaseya serve as a reminder for organisations to double down on defences of the supply chains. In this CybersecAsia feature, our Head of Advisory from Hong Kong, Marco Sin, spells out four key cyber strategies your organisation can take to isolate supply chain cyber risks.

The spate of ransomware attacks globally has resulted in disruptions in services and businesses across various sectors. Global economic losses from these attacks have also exceeded millions of dollars. In this opinion piece on Cybersecurity ASEAN, Ensign&rsquo;s Lead Data Scientist, Lee Joon Sern, explains how Artificial Intelligence is important in the fight against ransomware attacks. He also covers specific examples such as how AI-Powered cyber defences can tackle ransomware attacks, how to prepare for response and recovery of systems, as well as how ransomware attacks can gravely affect businesses. &nbsp;
&nbsp;
Click <a style="color: blue;" title="https://cybersecurityasean.com/expert-opinions-opinion-byline/importance-artificial-intelligence-fight-against-ransomware?utm_source=website&amp;utm_medium=article&amp;utm_campaign=Joon+Sern+Byline+on+Importance+of+AI+Against+Ransomware+Attacks&amp;utm_id=Joon+Sern+Byline+on+Importance+of+AI+Against+Ransomware+Attacks" href="https://cybersecurityasean.com/expert-opinions-opinion-byline/importance-artificial-intelligence-fight-against-ransomware?utm_source=website&amp;utm_medium=article&amp;utm_campaign=Joon+Sern+Byline+on+Importance+of+AI+Against+Ransomware+Attacks&amp;utm_id=Joon+Sern+Byline+on+Importance+of+AI+Against+Ransomware+Attacks" data-sf-ec-immutable="">here</a> to read more.

Ransomware attacks are on the rise globally. Ensign’s Lead Data Scientist, Lee Joon Sern, explains the importance of Artificial Intelligence in combating these threats. He touches on how AI-Powered cyber defences work at the different stages of a ransomware’s cyber kill chain.

Cyber supply chain attacks&nbsp;are&nbsp;likely to aggravate in the near future.&nbsp;This comes in the wake of the COVID-19 pandemic, as businesses ramp up efforts to go digital to meet evolving demands, as well as the increased adoption of 5G technology.&nbsp;Yet&nbsp;many organisations remain under prepared to face these threats. Teo Xiang Zheng, Ensign Consulting&rsquo;s&nbsp;Head&nbsp;of Advisory, shares his thoughts on the need to step up safeguards not only within the organisations&nbsp;but also across their cyber ecosystems. Click <a style="color: blue;" href="https://bizq.sbf.org.sg/2021/02/getting-serious-about-protecting-personal-data/" target="_blank" rel="noopener">here </a>to read more.

Ensign Consulting’s Head of Advisory, Teo Xiang Zheng tells itnews why organisations need to step up and extend their cybersecurity practices across their cyber ecosystems.

Changes to the Singapore&rsquo;s Personal Data Protection Act aim to help firms build consumer trust in their data usage, and strengthen their data security practices. Teo Xiang Zheng, Ensign's Head of Advisory, weighs in on the rationality behind the amendments, and what businesses could do to step up, and roll with the changes.
&nbsp;
Read more <a style="color: blue;" href="https://ensign.global/2Pn26NS" target="_blank" rel="noopener">here.</a>

Ensign InfoSecurity’s Head of Advisory, Teo Xiang Zheng shares with BizQ what the recent changes to the Personal Data Protection Act could mean for businesses.

Changes to the&nbsp;Personal Data Protection&nbsp;Act (PDPA)&nbsp;came into effect on 1 Feb 2021, with enhanced measures for greater organisational accountability and consumer protection, while giving organisations the confidence to use data for innovation and business growth.&nbsp;
To reduce&nbsp;the&nbsp;risk of data breaches,&nbsp;in line with PDPA&rsquo;s requirements,&nbsp;organisations should adopt a holistic approach for securing sensitive data.&nbsp;
Download&nbsp;the&nbsp;factsheet&nbsp;to find out how&nbsp;Ensign&rsquo;s Data Loss Prevention (DLP) Programme&nbsp;can help facilitate such an approach.
&nbsp;
Some&nbsp;key highlights:
<ul>
<li>Overview of Ensign&rsquo;s&nbsp;DLP&nbsp;Programme</li>
</ul>
<ul>
<li>Adopting the&nbsp;DLP&nbsp;Process Lifecycle enhances data security in all 5 areas of Identify, Protect, Detect, Respond and Recover framework.</li>
</ul>
<ul>
<li>Success stories and use cases</li>
</ul>

<div>Attack techniques employed by highly-resourced and nation-state threat actors are increasingly becoming more sophisticated. Advanced malware are now polymorphic, highly evasive, and have the ability to bypass traditional signature-based detection tools. Organisations may not even realise that their networks have been compromised, and when they do, it is usually too late.</div>
<div>&nbsp;</div>
<div>The Ensign Advanced Analytics team designs and builds cyber analytics solutions, powered with AI/ML and automation, augmented with threat intelligence, to provide behavioural-based threat detection capabilities. Our services enable organisations to:</div>
<div>&nbsp;</div>
<div>&bull; Detect and respond to advanced cyber threats</div>
<div>&bull; Leverage Security Orchestration &amp; Automation to bring greater value in threat investigation</div>
<div>&bull; Synergise all security appliances and solutions in a single pane of glass</div>

Cyber threats are becoming more advanced and sophisticated, and have the ability to bypass traditional detection tools. Ensign Advanced Analytics provides capabilities of advanced threat detection using artificial intelligence and machine learning behavioural models.

Updated as of 22 April 2022 1800hrs
This advisory is an update to the threat advisory on <a style="color: blue;" href="/analysis-and-insights/41" data-sf-ec-immutable="">The Cyber Implication of the Ukraine Crisis</a>,&nbsp;which was&nbsp;supplemented&nbsp;with the&nbsp;<a title="/analysis-and-insights/43" href="/analysis-and-insights/43" data-sf-ec-immutable="">Executive Brief on&nbsp;The Cyber Impact of Russia-Ukraine Conflict</a>.
As the Russia-Ukraine conflict continues to escalate, the resulting geopolitical instability has exposed&nbsp;organisations&nbsp;both within and beyond the region to increased cyber threat activity.
A joint cybersecurity advisory has been released (20 Apr) by the cybersecurity agencies of the United States, Britain, Australia, Canada, and New Zealand (<a style="color: blue;" title="https://www.cisa.gov/uscert/ncas/alerts/aa22-110a" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-110a" data-sf-ec-immutable="">https://www.cisa.gov/uscert/ncas/alerts/aa22-110a</a>).&nbsp;Together,&nbsp;they form the Five Eyes intelligence-sharing alliance which calls for critical infrastructure network defenders to prepare for potential cyber threats, including destructive (wiper) malware, ransomware, DDoS attacks, and cyber espionage.&nbsp;&nbsp;
Considering the heightened cyber threat activity, it is important that&nbsp;organisations&nbsp;prioritise reviewing and strengthening their cybersecurity postures&nbsp;and defences. We have collated a list of notable cyber threat incidents, and our recommendations to help organisations prepare for potential cyber threats.

As the Russia-Ukraine conflict continues to escalate, the resulting geopolitical instability has exposed organisations both within and beyond the region to increased cyber threat activity. Learn more about notable cyber threat incidents, and some recommendations to facilitate proactive actions in response to the conflict-related threats.

Cyber threats loom larger than before as organisations adopt a hybrid working model, coupled with the need for digital transformation powered by cloud and automation. This in turn sees organisations expand their attack surfaces, which will also result in an increased exposure to cyber threats. The Ensign-IDC Infobrief&nbsp;draws information from Ensign&rsquo;s 2021 Cyber Threat Landscape Report to help CISOs better address cyber risks for their organisations. Download the Infobrief now as we zoom into what stands at the top of the CISO&rsquo;s security agenda. These include:
&nbsp;
<ul style="list-style-position: inside;">
<li>Engendering the trust of the customers by securing customer data, privacy, and experience</li>
<li>Empowering employee flexibility and productivity while meeting security needs</li>
<li>Adopting a secure-by-design hybrid architecture&nbsp;</li>
<li>Developing a trusted secure ecosystem</li>
</ul>

The Ensign-IDC Infobrief looks into the CISO’s (Chief Information Security Officers) agenda. Gain insights into how CISOs are able to better address cyber risks, and understand the importance of an intelligence-led approach to fend off the cyberthreat onslaught.

The Cyber Security Agency of Singapore (CSA) has published the CCoP 2.0 for Critical Information Infrastructure which came into effect on 4 July 2022, superseding the previous versions of the code. Its aim is to establish stronger governance and strengthen cyber resiliency in the 11 CII sectors. Download this eGuide to learn more about the 16 key changes in the revised CCoP, and the recommended approaches and solutions to meet the requirements

Learn more about the key changes in the revised Cybersecurity Code of Practice, and how Ensign can help Critical Information Infrastructure Owners manage cyber risks, and become compliant with the new code

Ensign InfoSecurity is the 1st Singapore headquartered organisation to be a Research Sponsor

Ensign Cyber Threat Landscape Report 2022

Gain insights into the top cyber threat trends, as well as the detailed territorial threat profiles in APAC in 2021

Stay vigilant to secure your data assets, and protect your brand

Ensign Smishing Protection

Learn more about our approach to disrupt attacks upstream, and by leveraging our proprietary data science in Smishing detection.

Ensign Cyber Threat Intelligence

Preempt threats to reduce risks of a cyber breach

Ensign Managed Security Services

Operates intelligence-led advanced detection, threat hunting and response services

Ensign Consulting

Provides insights on how organisations can enhance their security posture across their cybersecurity lifecycles

Ensign Systems Integration

Architects and deploys advanced cybersecurity solutions that bolster defences

Ensign Labs

Performs deep research to develop next-generation solutions for enhanced early warning detection capabilities

Ensign's Cybersecurity Guide on Cybersecurity Code of Practice (CCoP 2.0) for Critical Information Infrastructure (CII)

Learn more about the key changes in the revised Cybersecurity Code of Practice, and how Ensign can help Critical Information Infrastructure Owners manage cyber risks, and become compliant with the new code

Securing The Payments Industry For Enhanced Consumer Confidence

Bracing For the Rising Tide of Cyber Threats Against the Maritime Industry

Maritime organisations face increasing cyber threats as they leverage on technology in their operations and management processes. Ensign’s Head of Advisory, Teo Xiang Zheng explains how maritime organisations can shore up their cyber defences in this opinion piece on Seatrade Maritime.

Follow us

Services

Service Highlights

About Ensign

Cyber Insights

Contact Us

Ensign InfoSecurity is the 1st Singapore headquartered organisation to be a Research Sponsor

Ensign Cyber Threat Landscape Report 2022

Gain insights into the top cyber threat trends, as well as the detailed territorial threat profiles in APAC in 2021​

Stay vigilant to secure your data assets, and protect your brand

Ensign Smishing Protection

Learn more about our approach to disrupt attacks upstream, and by leveraging our proprietary data science in Smishing detection.

Ensign Cyber Threat Intelligence

Preempt threats to reduce risks of a cyber breach

Ensign Managed Security Services

Operates intelligence-led advanced detection, threat hunting and response services

Ensign Consulting

Provides insights on how organisations can enhance their security posture across their cybersecurity lifecycles

Ensign Systems Integration

Architects and deploys advanced cybersecurity solutions that bolster defences

Ensign Labs

Performs deep research to develop next-generation solutions for enhanced early warning detection capabilities

Ensign's Cybersecurity Guide on Cybersecurity Code of Practice (CCoP 2.0) for Critical Information Infrastructure (CII)

Learn more about the key changes in the revised Cybersecurity Code of Practice, and how Ensign can help Critical Information Infrastructure Owners manage cyber risks, and become compliant with the new code

Securing The Payments Industry For Enhanced Consumer Confidence

Bracing For the Rising Tide of Cyber Threats Against the Maritime Industry

Maritime organisations face increasing cyber threats as they leverage on technology in their operations and management processes. Ensign’s Head of Advisory, Teo Xiang Zheng explains how maritime organisations can shore up their cyber defences in this opinion piece on Seatrade Maritime.

Follow us

Services

Service Highlights

About Ensign

Cyber Insights

Contact Us

Malaysia

Hong Kong

South Korea

Indonesia

Gain insights into the top cyber threat trends, as well as the detailed territorial threat profiles in APAC in 2021