Cato Networks published the Q3 2024 Cato CTRL SASE Threat Report, which
provides insights into the threat landscape across several key areas: hacking
communities and the dark web, enterprise security and network security.
"Ransomware
is one of the most pervasive threats in the cybersecurity landscape. It impacts
everyone-businesses and consumers-and threat actors are constantly trying to
find new ways to make their ransomware attacks more effective," said Etay Maor,
chief security strategist at Cato Networks. "In the Q3 2024 Cato CTRL SASE
Threat Report, we highlight a trend of ransomware gangs recruiting pen testers.
We believe this is to test whether their ransomware works for future attacks."
Threat
actors recruiting pen testers for ransomware affiliate programs
In
closely monitoring discussions on RAMP (Russian Anonymous Marketplace), Cato
CTRL has observed threat actors seeking pen testers to join various ransomware
affiliate programs including Apos, Lynx and Rabbit Hole.
Any
good developer knows that software needs to be tested before deploying in
production environments. This is also true for ransomware gangs. They want to
ensure that their ransomware can be deployed successfully against
organizations.
Shadow AI
lurks in the background for organizations
Shadow
AI refers to the unauthorized or unsanctioned use of AI applications and tools
within an organization without the knowledge or approval of IT departments or
security teams. This phenomenon typically involves employees or departments
adopting AI solutions independently and bypassing formal vetting processes and
governance controls.
Out
of the hundreds of AI applications that Cato CTRL monitors, Cato CTRL tracked
10 AI applications used by organizations (Bodygram, Craiyon, Otter.ai,
Writesonic, Poe, HIX.AI,
Fireflies.ai, PeekYou, Character.AI and Luma AI) and observed various security
risks. The top concern is data privacy.
"Shadow
AI is a major threat that has emerged in 2024," said Maor. "Organizations
should be mindful of the unauthorized use of AI applications and the dangers of
letting employees inadvertently expose sensitive information."
TLS
attack attempts reveal TLS inspection not utilized enough
TLS
inspection allows organizations to decrypt, inspect and re-encrypt traffic.
However, TLS inspection can break applications and access to some domains. As
such, many organizations choose to forgo TLS inspection entirely or bypass
inspection for a large portion of their traffic.
Cato
CTRL found that only 45% of participating organizations enable TLS inspection.
Even then, only 3% of organizations inspected all relevant TLS-encrypted
sessions. This leaves the door open for threat actors to utilize TLS traffic
and remain undetected. Organizations must inspect TLS sessions to protect
themselves. In Q3 2024, Cato CTRL found that 60% of attempts to exploit CVEs
were blocked in TLS traffic. CVEs included Log4j, SolarWinds and ConnectWise.
When
TLS inspection is enabled, organizations are better protected. In Q3 2024, Cato
CTRL found that organizations who enabled TLS inspection blocked 52% more
malicious traffic than organizations without TLS inspection.