I’m terrible at tests
October 09, 2024

IT Brew


Hello, Wednesday! Gather your cyber squad and save 50% on tickets to IT Brew's cybersecurity event in New York on Oct. 31! Use code: “GROUP” to unlock serious savings on tickets for teams of three or more.

In today’s edition:

I’m only non-human

CAPTCHA if you can

Attack!

—Brianna Monsanto, Billy Hurley, Eoin Higgins, Patrick Lucas Austin

IT STRATEGY

Human nature


Businesses nationwide are undergoing an identity crisis, and it’s not the existential, edgy kind.

Non-human identities (NHIs), digital credentials that enable machines and applications to interact with one another without human intervention, are outnumbering their human counterparts in organizations. According to a recent AppViewX report—which queried 367 IT, cybersecurity, DevOps, platform, and cybersecurity engineering professionals across North America—the average company manages about 20 times more NHIs than human ones.

However, security around NHIs has remained a large problem for businesses. The report, conducted in partnership with TechTarget’s Enterprise Strategy Group, claims that nearly 46% of professionals surveyed admitted that their organization experienced an NHI-related breach in the last 12 months.

A brewing problem. AppViewX VP of Product Marketing Christian Simko told IT Brew that security concerns around NHIs have been “percolating” for a long time and that the issue has garnered a lot more “mindshare” from security teams within the last year. Simko blamed the problem largely on a lack of visibility around the full scope of NHIs used across an organization.

Read the rest here.—BM


CYBERSECURITY

Playing CAPTCH


As if CAPTCHAs weren’t already perplexing enough (what if every square contains a bus?!)—now some of the human-verifying site tools come with malware.

Security researchers see at least a little cleverness in the threat actors’ recent corruption of a common, trusted site feature, and common keyboard commands.

“It’s weaponizing copy-and-paste, but it works,” John Hammond, principal security researcher at cybersecurity company Huntress, told IT Brew.

How it works. In September, Hammond shared his security operations team’s discovery of coded commands seeming “to come from absolutely nowhere,” according to a team notification shared in Hammond’s YouTube presentation.

An investigation of a targeted user’s browser history found an initial online redirect (an ad or popup, Hammond guessed), leading to a static page hosting a fake CAPTCHA, team notes read. “Verify that you are human,” the false CAPTCHA asks.

A user clicking “I am not a robot” then gets two instructions:

  • Press the Windows button + R
  • Press Control + V

Following these “verification steps” may show you’re human indeed—in a “to err” kinda way.

Read more here.—BH


CYBERSECURITY

Hubba hubba


Up, down, all around—2024 has been a chaotic year for ransomware attacks. While overall attacks have been higher than in 2023, a month-by-month view shows a more complicated picture.

After dropping below 2023 year over year (YoY) in June and July, ransomware attacks were up 14% in August and increased YoY from 335 attacks to 450, NCC Group reported in its latest Monthly Threat Pulse. Matt Hull, NCC Group’s global head for strategic threat intelligence, told IT Brew that he expects to see a rise in attacks as we come to the end of the year.

“We do seem to see a ramping up of activity in the run up to the Christmas holiday period, and whether we continue to see this increase right the way through to December is yet to be seen,” Hull said. “But September so far is looking like it could be heading that way as well.”

New kid. The report detailed how threat actor RansomHub continues to be a major vector of ransomware attacks, responsible for 16% of attacks for August. Industrials were the highest targeted sector.

Keep reading here.—EH


PATCH NOTES


Today’s top IT reads.

Stat: 118. That’s the number of flaws patched by Microsoft in its monthly security update, including five zero-day vulnerabilities. (Bleeping Computer)

Quote: “We’re improving the overall performance and reliability, making it easier and faster to navigate, switch to and create custom views, and filter large data sets.”—Jason Moore, vice president of product for OneDrive, on the service’s new updated feature list (The Verge)

Read: Running a Linux machine? You might be infected with malware too sneaky to be seen. (Wired)


Copyright © 2024 Morning Brew. All rights reserved.
22 W 19th St, 4th Floor, New York, NY 10011
