Insights and Collaborations in Cyber Defense

Welcome to Trend Micro’s monthly newsletter, The Strategic CISO. Discover the latest and most popular blogs from the CISO Resource Center, a dedicated space for the latest strategic insights, best practices, and research reports to help security leaders better understand, communicate, and minimize cyber risk across the enterprise.

CISO Resource Center

Our goal is to inform security leaders about best practices, the latest industry insights, and more. Let us know what you would like to see from The Strategic CISO newsletter.


Leveraging AI Can Simplify Management of The Entire Cyber Risk Lifecycle

We announced the availability of #AI-driven cyber risk management capabilities across our entire flagship platform, Trend Vision One™. This seamlessly integrates more than 10 industry technology categories into one offering, empowering security, cloud and IT operations teams to manage risk proactively.

The outcome: leveraging AI to simplify management of the entire cyber risk lifecycle including discovery, risk assessment, prioritization and remediation, which empowers users well beyond what can be achieved with legacy attack surface management tools. Corporate boards are increasingly considering cyber risk a part of broader business risk management strategy, as recent regulations zero in on organizations' cybersecurity posture and risk profile. Trend enables CISOs to communicate risk early and more effectively to business leaders and empowers overburdened IT teams to streamline workflows and centralize prioritization and remediation with an unprecedented degree of visibility.

Kevin Simzer, COO at Trend: “Industry demand for visibility across the attack surface isn’t new. This is why we see an increase in buzzwords like ‘platformization’. However, customers don’t want a stitched-together platform. They want true visibility and the ability to effectively assess risk. We’ve gone further still – enabling organizations not only to know where their most critical risks are, but also to mitigate and remediate them using industry-leading threat intelligence and AI. With adoption surging in the first six months, security leaders and the broader cybersecurity industry are clearly on board.”

Watch our video "Trend Vision One | Attack Surface Risk Management Explainer Trailer" to learn more and read the full story here.

Criminal Insights Disclosed Following LockBit Disruption

We released comprehensive threat intelligence findings in the wake of the law enforcement-led disruption of the #LockBit ransomware group. The unprecedented operation, known as Operation Cronos, marks a significant step forward in the global fight against cyber threats, impacting an entity responsible for an estimated quarter of all ransomware attacks worldwide. Operation #Cronos was different in several ways from many of the typical law enforcement takedowns of criminal groups. More than a mere setback for threat actors, it was a decisive strike that crippled their infrastructure, undercut their financial mechanisms, exposed affiliates, and fractured the trust within their own illicit networks.

This cumulative effort has helped to tarnish LockBit's reputation among its networks and the cybercrime community in general, making it inept in its attempts to regroup. Ringleader "Lockbitsupp" has also been banned from two popular underground forums: XSS and Exploit.

The group has been trying to rebuild: new onion leak sites were launched a week after the operation, and Lockbitsupp is actively seeking brokers selling access to .gov, .edu, and .org TLDs—in what appears to be a reprisal for Cronos.

Key Achievements of Operation Cronos:

  • Reputational Damage to LockBit: Given its tarnished reputation, LockBit faces significant challenges in rebuilding its operations and affiliate networks.

  • Strategic Disruption of Infrastructure: The operation's in-depth approach has made LockBit's rebuilding and regrouping process difficult and time-consuming, delaying any potential resurgence.

  • Effective Deterrence: The insight into affiliate activities and the subsequent warnings have likely dismantled any of LockBit's affiliate programs, further weakening its operational capacity.

  • Enhanced Business Security: Trend customers stand to benefit from the operation's outcome and a reduced risk of being targeted by a significant player in the ransomware market.

Read the full story, "Trend Micro Discloses Criminal Insights Following LockBit Disruption, Leaving No Shadow for Threat Actors"

ZDI Sheds Light on Software Vulnerabilities

One of the biggest challenges for organizations in managing cyber risk is dealing with the volume of emerging threats against available security resources. Software companies and electric vehicle (#EV) manufacturers must triage and prioritize what vulnerabilities they fix, leading to an all-time high of known but unpatched problems. While the industry average time to respond and protect sits above 70 days, #ZDI research enables protection for Trend customers almost immediately.

Key highlights from #Pwn2Own Vancouver 2024:

  • Researchers disclosed 29 unique 0-day vulnerabilities and earned $1,132,500 in prizes

  • All major web browsers were compromised during the event

  • The Tesla Model 3 ECU was hacked with an over-the-air exploit

  • Researchers demonstrated the first ever Docker escape (when an attacker is able to break out of a container and gain access to the host system) at Pwn2Own

Disclosures made to the ZDI by researchers at Pwn2Own and independently year-round allow software developers to learn about vulnerabilities before cybercriminals find them. While this ultimately benefits enterprises, supply chains, infrastructure, and customers, ZDI research has shown that vendors are increasingly neglecting to respond to disclosures in a timely manner. Discovering and mitigating vulnerabilities in the real world has a direct correlation to reducing cyber risk across the board. Security teams at organizations of all sizes are increasingly overwhelmed by threats that exceed their purview, which can include threats to office equipment, industrial equipment, connected vehicles and EVs, and employees' home office devices such as smartphones, NAS devices, cameras, printers, routers and personal vehicles.

Pwn2Own pays bounties to researchers for the responsible discovery and disclosure of vulnerabilities in software and hardware that billions of people rely on daily. This research improves Trend's industry-leading threat intelligence and uncovers new software exploitation techniques. The contest also pushes the industry forward in the fight against cybercrime.

Learn more about Pwn2Own here, "Trend Micro Zero Day Initiative™ Sheds Light on Software Vulnerabilities: Customers Protected up to 70 Days Before Patches"

Trend Micro Assisted in The Fallout of LabHost

The UK’s Metropolitan Police Service, along with fellow UK and international law enforcement, as well as several trusted private industry partners, conducted an operation that succeeded in taking down the Phishing-as-a-Service (#PhaaS) provider LabHost. This move was also timed to coincide with a number of key arrests related to this operation. In this entry, we will briefly explain what #LabHost was, how it affected its victims, and the impact of this law enforcement operation — including the assistance provided by Trend Micro.

In late 2021, LabHost (AKA LabRat) emerged as a new PhaaS platform, growing over time to eventually offer dozens of phishing pages targeting banks, high-profile organizations, and other service providers located around the world, but most notably in Canada, the US, and the UK. The popularity of the platform meant that at the time of the takedown, it boasted more than 2,000 criminal users, who had used it to deploy over 40,000 fraudulent sites leading to hundreds of thousands of victims worldwide. LabHost and all linked fraudulent sites were disrupted by the Metropolitan Police Service and replaced with messages announcing their seizure. This operation was carried out in partnership with the UK’s National Crime Agency, the City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the UK, and other international police forces in close collaboration with trusted private industry organizations.

In addition, from April 14 to April 17, international law enforcement made several arrests related to criminal users of this service. International law enforcement also contacted hundreds more, mentioning that it knew the details of their activities and leaving a warning that they remain under active investigation. Trend has been assisting in the investigation of LabHost along with the UK’s Metropolitan Police Service since June 2023.

During that time we have helped in the following:

  • Investigating the infrastructure hosting the criminal service

  • Investigating phishing pages associated with users of the service

  • Assisting with the triage and clustering of LabHost users

  • Launching individual investigations on several key users

This is in keeping with Trend’s guiding mission to make the world safe for the exchange of digital information, for both our customers and non-customers alike. We have been collaborating with law enforcement globally for decades and have formal partnerships with UK law enforcement going back almost 10 years, with several successful operations and arrests. Such partnerships help us not only to proactively protect our customer base with highly timely threat intelligence but also expand that impact to the wider internet userbase.

Learn more about our collaboration with law enforcement here, "The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider"

Our Collaboration with Interpol in Cracking Down Grandoreiro Banking Trojan

Trend Micro was one of the partners involved in Interpol’s operation to help Brazilian and Spanish law enforcement agencies (LEAs) analyze Grandoreiro #malware samples as part of their national cybercrime investigations. The Interpol-coordinated operation resulted in the arrest of five administrators behind a Grandoreiro operation, as announced by the Brazilian authorities.

Grandoreiro spreads through #phishing emails, malicious attachments, or links leading to fake websites. These emails often impersonate legitimate organizations, such as banks or financial institutions, to trick users into downloading and executing the malware. Once installed on a victim’s system, Grandoreiro operates as a typical banking trojan, aiming to steal sensitive financial information. Over time, Grandoreiro has undergone various updates and modifications, enhancing its evasion techniques and obfuscation methods to evade detection by antivirus software and security measures. These contributions are the latest in Trend’s long track record of successful collaborations with international law enforcement. Collaborations between law enforcement and the private sector provide security organizations and industry specialists the opportunity to share their expertise, resources, and years-long experience with LEAs such as Interpol to enhance their cybercrime combating efforts in effectively targeting and dismantling malicious actors.

Trend’s ongoing cooperation with #Interpol has been instrumental in a series of prominent crackdowns throughout the years, including the dismantling of the 16shop phishing kit and the disruption of African cybercrime networks during Africa Cyber Surge I and II in 2023, the apprehension of business email compromise (BEC) actors under Operation Killer Bee in 2022, and the capture of REvil and Cl0p syndicate members as part of Operation Cyclone in 2021. This partnership endures as Trend persists in its commitment to securing our increasingly connected world.

Find out more in our blog, "Trend Micro Collaborated with Interpol in Cracking Down Grandoreiro Banking Trojan"


Before you go:

Are you attending #RSAC this May? Check out our two speaking sessions at RSAC to learn more about:
