Monthly Archives: July 2023

Complying With EU Taxonomy Regulations to Enhance Risk Management

Findings.co discusses how to comply with and leverage the EU Taxonomy to enhance risk management efforts

In today’s fast-paced regulatory landscape, businesses face the daunting task of complying with a constant stream of new regulations, most recently the EU Taxonomy. With increasing demand for sustainable practices and transparent reporting, organizations need to learn and adapt quickly to avoid falling behind their competitors. Leveraging the EU Taxonomy in risk management can drive data-driven decision making by providing a structured framework to assess and manage sustainability-related risks and opportunities.

The constantly evolving regulatory environment has made Taxonomy compliance a critical challenge for businesses. To meet investor expectations, consumer preferences, and regulatory requirements, organizations must navigate through complex sustainability criteria and efficiently report their compliance efforts. Make sure to read on to see how Findings can help – especially when it comes to staying compliant with the EU Taxonomy Regulation.


Understanding the Regulatory Demands

The EU Taxonomy sets guidelines and criteria for determining the environmental sustainability of economic activities. Compliance with this regulation is critical for many businesses operating within the European Union, which aims to foster a greener and more sustainable economy. The regulation’s updates and changes will impact the way businesses assess and report their sustainability practices. It is crucial for organizations to understand these updates, ensuring compliance while mitigating the risk of penalties and reputational harm.

Leveraging Risk Management for Data Driven Decision Making

By implementing a robust risk management framework revolving around taxonomy, organizations can stay ahead and ensure compliance. Leveraging the EU Taxonomy in risk management drives data-driven decision making by providing a standardized and science-based framework to assess sustainability risks and opportunities. By integrating financial and sustainability data, companies can make informed choices that align with the EU’s environmental objectives, attract green investments, and proactively respond to changing regulatory landscapes.

Here are some of the key ways taxonomy can influence data-driven decision making:

  1. Identifying Taxonomy-Eligible Activities: The first step in using Taxonomy for risk management is to identify the company’s Taxonomy-eligible activities. By mapping all activities against the Taxonomy’s criteria, businesses can determine which of their operations contribute to environmental sustainability. This helps in recognizing areas where the company aligns with the EU’s sustainability goals and where there may be potential risks due to misalignment.

  2. Environmental Risk Assessment: With the Taxonomy’s defined criteria for environmental sustainability, businesses can conduct a more rigorous environmental risk assessment. This assessment will go beyond traditional financial risks to include the evaluation of ecological impacts. It allows companies to identify areas where they might face future regulatory or reputational risks due to non-compliance or unsustainable practices.

  3. Data-Driven Eligibility and Alignment Scoring: The Taxonomy requires companies to link their financial data to sustainability assessments. This means companies need to gather data on their operations and expenditures related to Taxonomy-eligible activities. By collecting and analyzing this data, businesses can score their eligibility and alignment with the Taxonomy’s environmental objectives. Data-driven scoring provides a more objective and transparent view of a company’s sustainability performance.

  4. Risk Mitigation Strategies: Armed with data on eligibility and alignment, companies can develop risk mitigation strategies. For instance, they can focus on increasing investments and efforts in Taxonomy-aligned activities, which not only contribute to sustainability but also enhance their attractiveness to green investors. Simultaneously, they can work on transitioning away from activities that are not aligned with the Taxonomy to reduce exposure to future risks.

  5. Regulatory Compliance: The EU Taxonomy is likely to expand to cover more sectors and objectives in the future. By leveraging the Taxonomy in risk management, companies can proactively prepare for upcoming regulatory changes. They can stay ahead of the curve by identifying potential future Taxonomy-eligible activities and aligning their strategies accordingly. Findings recently announced two features, Assessment AI and Audit AI, which revolutionize the labor-intensive compliance landscape by enhancing efficiency and responsiveness for all stakeholders worldwide. For more in-depth information that’s easy to digest, check out the linked videos.

  6. Reporting and Transparency: Using the Taxonomy for risk management facilitates better reporting and transparency. Companies can disclose their Taxonomy-aligned activities, eligibility scores, and risk mitigation strategies in their sustainability reports. This enhances credibility and helps investors and stakeholders make informed decisions based on reliable data.

  7. Continuous Improvement: The data-driven approach to Taxonomy integration allows companies to track their progress over time. By regularly assessing their eligibility and alignment, businesses can set benchmarks, monitor improvements, and continuously optimize their sustainability efforts.

By implementing a comprehensive Taxonomy risk management framework and leveraging Findings, organizations can proactively address the challenges posed by the EU Taxonomy regulation. This approach ensures compliance, mitigates risks, and unlocks opportunities for sustainable growth and competitive advantage. With automated risk identification and mitigation features, organizations can confidently make data-driven decisions while navigating the complex regulatory landscape, reinforcing their commitment to sustainability. Stay ahead, embrace Taxonomy risk management, and shape a sustainable future for your organization.


A Cheat Sheet of EU Sustainability Regulations

Findings.co cheat sheet of EU Sustainability Regulations

Staying Compliant in 2023

Sustainability reporting regulations have become increasingly important for businesses worldwide, and the European Union (EU) is at the forefront of this movement, implementing regulations to enhance the consistency, accuracy, and transparency of sustainability reporting. Sustainability measures have become an integral part of business operations, irrespective of the size of the company, and companies can no longer ignore the growing number of sustainability reporting laws and regulations emerging globally. Navigating this complex landscape can be daunting, with terms like SFDR, CSRD, and NFRD, among others. To help you stay informed, below I will highlight the key EU sustainability regulations to keep in mind in 2023.


EU Taxonomy

The EU Taxonomy is a classification system that establishes a list of economic activities considered sustainable. It aims to combat greenwashing and assist investors in selecting environmentally conscious investments. The EU Taxonomy evaluates investments based on their contribution to climate change mitigation and adaptation, alignment with circular economy principles, impact on pollution, and effect on water and biodiversity. Large companies began reporting their alignment with the EU Taxonomy on January 1, 2023. For a more in-depth explanation of the EU Taxonomy, check out our free eGuide below!

 


Sustainability Disclosure Requirements (SDR)

Originating from the UK Financial Conduct Authority (FCA), the Sustainability Disclosure Requirements (SDR) regulation aims to address concerns about greenwashing, where firms make exaggerated or misleading sustainability claims about their investment products, leading to potential consumer harm and reduced trust in sustainable investments. The proposals focus on building transparency and trust by introducing labels to help consumers navigate the market and ensure that sustainability-related terms in product naming and marketing are accurate and proportional to the product’s sustainability profile. The consultation targets FCA-regulated firms, industry groups, consumer groups, policymakers, academics, and other stakeholders. This initiative is part of the FCA’s commitment to promote trust and integrity in ESG-labeled instruments and products as outlined in the ESG Strategy and Business Plan, contributing to the Government’s Roadmap to Sustainable Investing. 


EU Sustainable Finance Disclosure Regulation (SFDR)

The Sustainable Finance Disclosure Regulation (SFDR), implemented by the European Parliament, focuses on enhancing transparency in the sustainable investment market. It aims to prevent misleading environmental claims (greenwashing) and increase investment in sustainable products for a transition to a low-carbon economy. The SFDR categorizes investment products into three groups based on their degree of sustainability. It requires asset managers and investment advisers to disclose how they address Sustainability Risks and Principal Adverse Impacts, and products are classified under “Article 6,” “Article 8,” or “Article 9” based on their sustainability considerations. The regulation rolled out in two phases, with core disclosures effective in March 2021 and enhanced disclosures in January 2023. Regulators continue to provide guidance on these disclosures as industry understanding evolves.


Corporate Sustainability Reporting Directive (CSRD)

The Corporate Sustainability Reporting Directive (CSRD) expands on the existing Non-Financial Reporting Directive (NFRD) to address structural weaknesses in current ESG regulations. CSRD came into force on January 5, 2023, requiring approximately 50,000 companies to report on sustainability, including a broader set of large companies and listed SMEs. The new rules aim to provide investors and stakeholders with the necessary information to assess investment risks related to climate change and sustainability issues. 

Companies subject to the CSRD will have to report according to European Sustainability Reporting Standards (ESRS), which will be developed by the EFRAG and tailored to EU policies while aligning with international standardization initiatives. The directive also mandates companies to have their sustainability information audited and introduces digitalization of sustainability information. 

The CSRD will be implemented in the 2024 financial year, and companies will need to comply with the new reporting requirements for reports published in 2025. The European Commission has also opened a public feedback period on draft sustainability reporting standards, considering feedback received before finalizing the standards for scrutiny by the European Parliament and Council. These new regulations represent a significant step towards promoting sustainability and responsible business practices within the EU corporate landscape.


Corporate Sustainability Due Diligence Directive (CSDDD)

The Corporate Sustainability Due Diligence Directive (CSDDD) is a pending EU proposal that will require large EU companies and non-EU companies with large EU undertakings to exercise due diligence across their business lines and value chains. It aims to prevent human rights and environmental violations. The draft proposal was approved by the EU Parliament on June 1, 2023, and negotiations with member states will follow. Due diligence obligations may come into effect as early as 2025.

The rules will apply to specific categories of companies. Firstly, large EU limited liability companies will be affected, categorized into two groups. Group 1 includes approximately 9,400 companies with 500 or more employees and a net turnover of over EUR 150 million worldwide. Group 2 comprises about 3,400 companies operating in high-impact sectors, such as textiles, agriculture, and mineral extraction, with at least 250 employees and a net turnover of over EUR 40 million worldwide. For Group 2, the rules will be applicable two years later than for Group 1. Additionally, non-EU companies will also come under scrutiny. Approximately 2,600 companies in Group 1 and 1,400 in Group 2, active within the EU and generating turnover thresholds aligned with the mentioned criteria, will be subject to the new rules. It’s important to note that micro companies and SMEs will not be directly affected by these proposed rules. However, supporting measures for SMEs will be provided, which may have indirect effects on them.


Streamlined Energy and Carbon Reporting (SECR)

The Streamlined Energy and Carbon Reporting (SECR) policy, introduced by the UK Government, requires organizations to include energy consumption and carbon emission data in their annual reports. It aims to expand reporting to a broader range of companies and promote energy efficiency initiatives to reduce carbon footprints. The SECR applies to large UK companies, including quoted and unquoted companies, as well as limited liability partnerships. The reports must include information on energy use, greenhouse gas emissions, and energy efficiency measures undertaken. 


Circular Economy Action Plan

The Circular Economy Action Plan is an initiative by the European Commission to promote a circular economy, reducing pressure on natural resources, and achieving climate neutrality and biodiversity conservation by 2050. Really, the goal is to make sustainability a norm. The plan aims to strengthen the eco-design of products, increase recycling rates, reduce landfilling, and promote sustainable consumption and production practices. It includes measures such as extended producer responsibility, eco-design requirements, and waste reduction targets. The plan was published in March 2020 and will be implemented gradually over the coming years. To achieve these objectives, the European Commission plans to implement all 35 actions listed in the plan. Additionally, a monitoring framework has been established to assess progress towards a circular economy and its benefits. This framework includes indicators to monitor material efficiency, consumption within planetary boundaries, and support the European Green Deal’s climate neutrality goals.


EU Emissions Trading System (EU ETS)

The EU Emissions Trading System (EU ETS) is a key policy instrument in the EU’s efforts to combat climate change. It is a cap and trade system operating in EU countries, Iceland, Liechtenstein, and Norway. It aims to limit greenhouse gas emissions from various sectors, including the energy industry, manufacturing, aviation, and maritime transport. The system covers approximately 40% of the EU’s total greenhouse gas emissions and is set to include emissions from maritime transport starting in 2024. Under the cap and trade principle, a cap is placed on the total amount of greenhouse gases that covered operators can emit. This cap is reduced over time to ensure overall emissions decrease. Operators buy or receive emissions allowances within the cap, and they can trade these allowances with others. This creates a market for emissions allowances, encouraging emission reductions and investments in low-carbon technologies. Operators must surrender enough allowances to cover their emissions annually, and failure to do so results in heavy fines. If an operator reduces its emissions, it can keep the extra allowances for future use or sell them to others needing more allowances.

The EU ETS covers various sectors, including electricity and heat generation, energy-intensive industries like steel and cement production, aviation within the European Economic Area, and maritime transport. Participation is mandatory for certain-sized companies in these sectors, with exceptions for some small installations under certain conditions.


Stay Compliant!

For businesses operating within the European Union, adhering to these sustainability regulations is not only a legal obligation in many cases, but also an opportunity to play a crucial role in building a sustainable and resilient future. Compliance with these regulations is essential to demonstrate a commitment to environmental responsibility, social well-being, and corporate governance best practices. As companies strive to meet these regulatory requirements, it is vital to establish robust systems and processes for accurate and transparent sustainability reporting. By doing so, businesses can effectively manage risks associated with non-compliance, foster trust with stakeholders, and seize the potential advantages of sustainable practices, including increased attractiveness to environmentally conscious investors and consumers.

The regulations discussed in this cheat sheet, including SDR, SFDR, EU Taxonomy, CSRD, CSDDD, SECR, Circular Economy Action Plan, and EU ETS, cover a wide range of environmental, social, and governance aspects. It is important for companies to familiarize themselves with these regulations and monitor updates. Embracing sustainability and staying compliant with the EU’s evolving sustainability regulations is not merely a box-ticking exercise but an ongoing commitment to creating a positive impact on the planet and society.




An Introduction to the EU Taxonomy Regulation

An explanation of what the EU Taxonomy Regulation is

In Brief:

  • The EU Commission introduced the Action Plan on Sustainable Finance in 2018 to guide investments towards sustainable projects and fulfill climate and energy targets.

  • The EU Taxonomy Regulation was implemented as part of the Action Plan to establish a universal terminology and classification system for sustainable economic activities.

  • The Taxonomy Regulation defines six environmental objectives, including climate change mitigation, circular economy transition, and biodiversity protection.

  • The Taxonomy Regulation imposes reporting obligations on certain entities, amending the Non-Financial Reporting Directive and the Sustainable Finance Disclosure Regulation.

In March 2018, the EU Commission introduced the “Action Plan on Sustainable Finance” with the objective of guiding investments towards sustainable projects and endeavors. One of its main purposes was to fulfill the goals outlined in the European Green Deal: to reach a climate-neutral economy in the EU by 2050, with a reduction of 55% already implemented in 2030. The initial key step of this plan involved establishing a universal terminology and precise definition for activities that can be deemed “sustainable” in the economic realm. In pursuit of this objective, the EU Commission implemented a classification system known as the “Taxonomy Regulation” or “EU Taxonomy.” This system provides a comprehensive list of economically sustainable activities that align with the six environmental objectives specified by the Commission: climate change mitigation, climate change adaptation, preservation and responsible use of water and marine resources, transition to a circular economy, prevention and control of pollution, and protection and restoration of biodiversity.


Simplifying the EU Taxonomy

With its extensive document spanning hundreds of pages, the EU Taxonomy Regulation might appear intimidating at first glance. However, understanding its core concepts is essential. At its core, the Taxonomy serves as a classification system for economic activities, defining which activities are considered environmentally sustainable. It addresses the issue of greenwashing by enabling market participants to confidently identify and invest in sustainable assets. Additionally, the regulation introduces new disclosure obligations related to the Taxonomy for companies and financial market participants. Central to the Taxonomy Regulation is the definition of a sustainable economic activity. To qualify as sustainable, an activity must meet two criteria: contribute to at least one of the six environmental objectives outlined in the Taxonomy and avoid significant harm to any other objectives, while respecting human rights and labor standards.


Taxonomy Reporting Requirements

While primarily serving as a classification tool, the Taxonomy Regulation imposes reporting obligations on certain entities. It amends the disclosure requirements in the EU’s Non-Financial Reporting Directive (NFRD) and the Sustainable Finance Disclosure Regulation (SFDR).

Under the NFRD, non-financial undertakings must disclose the proportion of turnover derived from Taxonomy activities, as well as the proportion of their capital and operating expenditure associated with these activities (Article 8 disclosure). The proposed Corporate Sustainability Reporting Directive (CSRD) will expand this requirement to a broader list of entities.

The SFDR requires entities falling under its scope to disclose information on the alignment of their products with the Taxonomy. This includes products with sustainable investment objectives (Article 9 SFDR) and those with environmental or social characteristics (Article 8 SFDR). Entities that do not consider the EU criteria for environmentally sustainable activities must make a statement to that effect (Article 7 SFDR).

 

Strategic Preparation for a Greener Future

The EU Taxonomy Regulation is a vital tool in driving the transition to a sustainable economy and achieving climate neutrality. By providing clarity on sustainable economic activities, it helps combat greenwashing and encourages investments in environmentally friendly assets. As the Taxonomy evolves and becomes integrated into various policy measures, its impact on financial markets and corporate practices will likely expand. Staying informed about the Taxonomy and its reporting requirements will be crucial for businesses and investors seeking to align with sustainable objectives and contribute to a low-carbon future.

As companies prepare to meet the EU Taxonomy requirements, they can benefit from early preparation, including eligibility assessments, alignment analyses, and designing data collection processes. By embracing these measures, companies can position themselves as drivers of sustainable change and contribute substantially to the EU’s environmental objectives.

Data Breaches and Cyber Attacks Round Up: June 2023

Findings.co data breaches and cyber attacks in review june 2023

In a world where technology reigns supreme and cyber crime lurks around every digital corner, organizations find themselves locked in a never-ending battle to protect their precious data, from the daring MOVEit vulnerability that left organizations trembling, to the turbulence in the airline industry caused by data breaches, to a ransomware attack on a tech titan. Buckle up and get ready to explore these hair-raising incidents that prove cybersecurity is no joke in the fast-paced digital age. It’s time to dive into the data breaches and cyber attacks that organizations faced in June 2023.



MOVEit:


Recently, a significant incident involving the MOVEit vulnerability and data extortion has had a global impact on numerous organizations. Exploiting a vulnerability in Progress Software’s widely-used MOVEit file transfer application, criminals targeted organizations, particularly those within supply chains utilizing the app, resulting in data breaches and the theft of customer and/or employee data.


In more detail, Progress Software Corporation, a company specializing in software and services for user interface development, DevOps, and file management, issued a warning to its customers regarding a critical vulnerability called CVE-2023-34362. The vulnerability affects the MOVEit Transfer and MOVEit Cloud products, which provide a secure and convenient way to store and share files within teams, departments, companies, and supply chains. MOVEit Transfer’s web-based front end, designed to simplify file sharing and management through a web browser, was discovered to have a SQL injection vulnerability. This class of vulnerability occurs when a value from an HTTP request is pasted directly into the text of a database query instead of being passed as data, leaving the server open to manipulation. Attackers can inject malicious commands through URLs, potentially leading to data loss or unauthorized access. Progress Software released patches for the affected versions of MOVEit, but unauthorized commands may have been injected before the patch, resulting in data compromise. To mitigate the risk, Progress recommends ensuring that all instances of MOVEit software are patched, disabling the web-based interfaces if patching is not immediately possible, monitoring logs for suspicious activities, and adopting secure programming practices such as input sanitization and parameterized queries to prevent SQL injection attacks.
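As an added illustration (example code written for this page, not Progress Software’s or MOVEit’s), the Python below stands in for a web handler’s database lookup: the string-built query that makes SQL injection possible sits beside the parameterized and allow-list-validated versions the paragraph recommends. The table, columns and sample rows are constructed for the example.

```python
"""SQL injection: vulnerable lookup vs. the hardened form (added example)."""
import re
import sqlite3

# Constructed sample data standing in for a file-transfer app's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "admin"),
    ("bob", "bob@example.test", "user"),
    ("carol", "carol@example.test", "user"),
]

# Allow-list for usernames: defense in depth, not a substitute for binding.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows (uses parameters)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so SQL syntax inside it is executed rather than compared. Shown only
    to make the failure visible; do not use this shape in real code."""
    sql = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a parameterized query. The driver binds the value,
    so whatever the client sent is matched as a string, never parsed as SQL."""
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(value: str) -> bool:
    """Input sanitization layer: reject anything outside the allow-list
    before it reaches the database. Doubles as a cheap log-review signal
    when rejected values are recorded."""
    return USERNAME_RE.fullmatch(value) is not None


def compare(username: str) -> dict:
    """Run both lookups on the same input and report row counts, so the
    difference between the two patterns is observable on one request."""
    conn = build_db()
    return {
        "input_allowed": is_valid_username(username),
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "hardened_rows": len(lookup_hardened(conn, username)),
    }


if __name__ == "__main__":
    # A normal request and one carrying a SQL tautology: the vulnerable
    # lookup returns every row for the latter, the hardened one returns none.
    for candidate in ("alice", "' OR '1'='1"):
        print(repr(candidate), compare(candidate))
```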



Additional Victims of the MOVEit Hack:


The total number of impacted organizations has come to over 130, affecting over 16 million individuals. Brett Callow, a threat analyst at cybersecurity firm Emsisoft, has so far identified around 138 organizations that have fallen victim to the campaign, resulting in the compromise of personal information for over 15 million people. It is expected that these numbers will rise as more victims come forward. The cybercrime group, believed to have ties to Russia and known for their use of the Cl0p ransomware, has claimed responsibility for the attack. They boast being the sole threat actor aware of the MOVEit zero-day exploit before it was patched. Recently, they have started naming organizations that have refused to pay their ransom demands or engage in negotiations. 


Their list includes notable entities such as Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant, AbbVie, Kirkland & Ellis, and K&L Gates. Siemens Energy and Schneider Electric have confirmed being targeted. UCLA acknowledged the exploitation of the vulnerability but clarified that it does not classify the incident as a ransomware attack, likely because no file-encrypting malware was employed and there is no evidence of other system compromises on campus. Government organizations, including the US Department of Energy and the Health Department, have also been affected. The New York City Department of Education, the Oregon DMV, the National Student Clearinghouse, and associated schools have reported being victims as well. The cybercriminals, however, claimed on their website that they have deleted data from over 30 government-related organizations as their focus is purely financial and not interested in such entities. Gen Digital, the parent company of renowned cybersecurity brands including Avast, Avira, AVG, Norton, and LifeLock, has also officially acknowledged that the personal information of its employees was compromised during the recent MOVEit ransomware attack. 


As you can tell, this recent MOVEit data breach has had a domino effect. The personal information of approximately 769,000 retired members of CalPERS, the California Public Employees’ Retirement System, was exposed. The breach also affected 415,000 members and beneficiaries of CalSTRS, the California State Teachers’ Retirement System. The breach was reported by CalPERS after their third-party vendor, PBI Research Services, discovered a vulnerability in their MOVEit Transfer Application. The vulnerability allowed unauthorized access to sensitive data such as names, dates of birth, Social Security numbers, and even the names of family members of the affected members. CalPERS is the largest public pension fund in the United States, serving over 2 million members in its retirement system and more than 1.5 million in its health program. CalSTRS, on the other hand, is the second-largest public pension fund in the country and the largest retirement system for teachers, serving more than 947,000 members.


American Airlines:


American Airlines and Southwest Airlines, two major global airlines, have recently reported data breaches resulting from a security incident involving Pilot Credentials, a third-party vendor responsible for managing pilot applications and recruitment portals for multiple airlines. Both airlines were notified about the incident on May 3, clarifying that the breach was limited to the systems of the third-party vendor and did not impact their own networks or systems. The unauthorized individual behind the breach gained access to Pilot Credentials’ systems on April 30 and stole documents containing information submitted by certain applicants during the pilot and cadet hiring process.


American Airlines stated that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009 affected individuals. The compromised data included personal information such as names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers. It’s worth noting that American Airlines has experienced previous data breaches, including one in September 2022 resulting from a phishing attack and another in March 2021 due to a breach in SITA’s Passenger Service System, which affected multiple airlines globally.



Taiwan Semiconductor Manufacturing Company (TSMC):


Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest contract chipmaker and a major semiconductor supplier for Apple, has confirmed a data breach after being targeted by the LockBit ransomware gang. The gang, linked to Russia, listed TSMC as a victim and demanded a $70 million ransom. TSMC confirmed the security incident but refrained from disclosing the specific data accessed or held for ransom by LockBit actors, stating that the breach did not impact its business operations or compromise customer information. The incident originated from a cybersecurity breach at one of TSMC’s IT hardware suppliers, Kinmax Technology, a Hsinchu-based systems integrator known to collaborate with various technology companies. TSMC terminated its data exchange with Kinmax and assured that customer information remains secure. Kinmax apologized for the incident and indicated that other customers may have been affected, although it remains uncertain whether they were. The breach follows recent arrests related to LockBit ransomware attacks.


The National Hazard Agency, a subgroup of LockBit, set a deadline of August 6 for TSMC to pay the ransom, threatening to publicly release the stolen data. The threat actors also claimed to possess “points of entry” to TSMC’s network, along with login credentials, which are valuable to cyberattackers. TSMC reported robust financial figures for 2022, making it an enticing target. Following the incident report, TSMC conducted a thorough review of its hardware components and security configurations, discontinuing data exchange with Kinmax and reinforcing security measures. The company emphasized its commitment to raising security awareness among suppliers and ensuring compliance with its security requirements.


Kinmax, the implicated IT supplier, downplayed the breach, stating that the intruder accessed system installation preparation information in the engineering test environment, which was unrelated to customers’ actual applications. Kinmax expressed regret and extended apologies to affected customers, mentioning enhanced security measures implemented to prevent future incidents.


TSMC’s breach highlights the growing trend of third-party compromises leading to data breaches in various organizations. It coincides with reports of organizations falling victim to the Cl0p ransomware gang due to a vulnerability in the widely used MOVEit Transfer app by Progress Software. The Biden administration’s cybersecurity executive order in May 2021 has underscored the significance of securing IT supply chains.


Microsoft:


In early June 2023, Microsoft encountered a surge in traffic that affected the availability of some services. To address this issue, Microsoft promptly launched an investigation and began monitoring ongoing Distributed Denial-of-Service (DDoS) activity conducted by a threat actor known as Storm-1359. These attacks appear to rely on multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. No evidence suggests that customer data was accessed or compromised during these DDoS attacks. The attacks focused primarily on layer 7 rather than layer 3 or 4. To enhance customer protection against similar DDoS attacks, Microsoft has fortified its layer 7 defenses by optimizing the Azure Web Application Firewall (WAF). While these measures have proven effective in mitigating most disruptions, Microsoft continually evaluates the performance of its defenses and incorporates lessons learned to further refine and enhance its effectiveness.


Customers are advised to review the technical details and recommended actions provided in this blog to bolster the resilience of their environments and mitigate the impact of comparable attacks.


Technical Details:

Microsoft’s assessment reveals that Storm-1359 possesses a collection of botnets and tools that enable the threat actor to launch DDoS attacks from various cloud services and open proxy infrastructures. Storm-1359 appears to be primarily focused on causing disruption and gaining publicity.


Storm-1359 has been observed employing different types of layer 7 DDoS attack traffic, including:


HTTP(S) flood attack: This attack exhausts system resources by inundating them with a high volume of SSL/TLS handshakes and HTTP(S) requests. The attacker distributes a large number of HTTP(S) requests from different source IPs across the globe, overwhelming the application’s backend and depleting compute resources (CPU and memory).


Cache bypass: This attack attempts to bypass the Content Delivery Network (CDN) layer, potentially overwhelming the origin servers. The attacker sends a series of queries against generated URLs, causing the frontend layer to forward all requests to the origin instead of serving cached content.


Slowloris: In this attack, the client establishes a connection with a web server and requests a resource (e.g., an image), but then intentionally fails to acknowledge the response or accepts the download very slowly. This forces the web server to keep the connection open and retain the requested resource in memory.
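The three traffic patterns above leave different traces in ordinary web server access logs, and a defender can spot each of them from the logs alone before turning to a WAF. The following is an added example, not code from Microsoft or from Findings: it parses constructed access log lines (common log format extended with nginx-style request time and bytes-sent fields) and labels each source address as an HTTP(S) flood, a cache-bypass pattern, or a slow client. The log lines, the source addresses and every threshold are constructed assumptions chosen to make the patterns visible, not figures from the report.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format plus two trailing fields: $request_time (seconds) and
# $body_bytes_sent. Assumed layout for the constructed sample, not a standard.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<rtime>[\d.]+) (?P<bytes>\d+)'
)


def parse_line(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
        "request_time": float(m.group("rtime")),
        "bytes": int(m.group("bytes")),
    }


def classify(records, flood_rps=100, bypass_min=20, bypass_ratio=0.9,
             slow_seconds=30, slow_max_bytes=1024):
    """Return {source_ip: set_of_labels} for sources matching one of the
    three layer-7 patterns. Thresholds are illustrative assumptions."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in per_ip.items():
        labels = set()
        # HTTP(S) flood: many requests from one source inside a single second.
        per_second = Counter(r["ts"] for r in recs)
        if max(per_second.values()) >= flood_rps:
            labels.add("http_flood")
        # Cache bypass: almost every request carries a query string never seen
        # before, so the CDN cannot serve it from cache and forwards to origin.
        with_query = [r for r in recs if r["query"]]
        if len(with_query) >= bypass_min:
            unique = len({(r["path"], r["query"]) for r in with_query})
            if unique / len(with_query) >= bypass_ratio:
                labels.add("cache_bypass")
        # Slowloris-style: the connection was held open for a long time while
        # almost nothing was transferred. Only connections the server finally
        # closed and logged (here with a 408) are visible in access logs.
        if any(r["request_time"] >= slow_seconds and r["bytes"] <= slow_max_bytes
               for r in recs):
            labels.add("slow_client")
        if labels:
            findings[ip] = labels
    return findings


def build_sample_log():
    """Constructed access log covering one benign client and the three
    patterns. The addresses are documentation ranges, not real traffic."""
    stamp = "[10/Jun/2023:12:00:%02d +0000]"
    lines = []
    # Benign browser: a handful of requests spread over several seconds.
    for i in range(5):
        lines.append(f'198.51.100.7 - - {stamp % i} "GET /index.html HTTP/1.1" 200 0.010 5120')
    # HTTP(S) flood: 150 requests for the same page within one second.
    for _ in range(150):
        lines.append(f'203.0.113.10 - - {stamp % 0} "GET /index.html HTTP/1.1" 200 0.250 5120')
    # Cache bypass: every request for a static asset carries a unique query string.
    for i in range(40):
        lines.append(f'203.0.113.20 - - {stamp % (i % 60)} "GET /static/logo.png?cb={i} HTTP/1.1" 200 0.300 10240')
    # Slow client: the connection stays open for two minutes, then times out with no body sent.
    for i in range(3):
        lines.append(f'203.0.113.30 - - {stamp % (i % 60)} "GET /images/banner.jpg HTTP/1.1" 408 120.0 0')
    return "\n".join(lines)


def analyze_log(text, **thresholds):
    """Parse a whole log and classify its sources."""
    records = [r for r in (parse_line(line) for line in text.splitlines()) if r]
    return classify(records, **thresholds)


if __name__ == "__main__":
    for ip, labels in sorted(analyze_log(build_sample_log()).items()):
        print(ip, ", ".join(sorted(labels)))
```

The cache-bypass check keys on the uniqueness of query strings rather than on volume, which is what distinguishes it from a plain flood: forty requests a minute is harmless when they hit cached content and damaging when each one is forced through to the origin. Slowloris-style connections are the weakest signal here, since a connection that is never completed may never be logged at all; connection-level telemetry from the server or load balancer fills that gap.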


Recommendations – Layer 7 DDoS Protection Tips:


To mitigate the impact of layer 7 DDoS attacks, Microsoft recommends that customers consider the following measures:


Utilize layer 7 protection services like Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to safeguard web applications.


When using Azure WAF:


Employ the bot protection managed rule set, which provides defense against known malicious bots. For more information, refer to the configuration instructions for bot protection.

Block IP addresses and ranges that you identify as malicious. Examples of how to create and use custom rules can be found in the provided resources.

Consider blocking, rate limiting, or redirecting traffic from outside or within defined geographic regions to a static webpage. Refer to the examples in the provided resources for more information on creating and using custom rules.

Create custom WAF rules that automatically block and rate limit HTTP or HTTPS attacks with known signatures.
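The four recommendations above share one evaluation model: ordered rules, each pairing a match condition (source address, geography, request signature, request rate) with an action (block, rate limit, redirect). The following is an added example, not Azure WAF code and not Microsoft's or Findings' code: it models that rule semantics in plain Python so the effect of rule ordering and thresholds can be seen on constructed requests. The CIDR range, allowed countries, static page URL, signatures and rate limit are all constructed assumptions; the country code is supplied directly rather than looked up, standing in for the geo-IP resolution a real WAF performs.

```python
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    client_ip: str
    country: str      # ISO country code, as a geo-IP lookup would supply
    path: str
    user_agent: str
    ts: float         # arrival time in seconds


@dataclass
class Decision:
    action: str                     # "allow", "block" or "redirect"
    rule: Optional[str] = None      # name of the rule that fired
    location: Optional[str] = None  # redirect target, for "redirect"


class LayerSevenPolicy:
    """Ordered custom rules mirroring the recommendations: IP blocklist,
    geo-based redirect to a static page, signature block, per-client rate
    limit. Illustrative model only, not a WAF implementation."""

    def __init__(self, blocked_cidrs, allowed_countries, static_page,
                 signatures, rate_limit, rate_window_s):
        self.blocked_nets = [ipaddress.ip_network(c) for c in blocked_cidrs]
        self.allowed_countries = set(allowed_countries)
        self.static_page = static_page
        self.signatures = [re.compile(s) for s in signatures]
        self.rate_limit = rate_limit
        self.rate_window_s = rate_window_s
        self._history = defaultdict(deque)   # client_ip -> recent timestamps

    def evaluate(self, req):
        addr = ipaddress.ip_address(req.client_ip)
        # Rule 1: block addresses and ranges identified as malicious.
        if any(addr in net for net in self.blocked_nets):
            return Decision("block", "ip-blocklist")
        # Rule 2: traffic from outside the defined regions goes to a static page.
        if req.country not in self.allowed_countries:
            return Decision("redirect", "geo-redirect", self.static_page)
        # Rule 3: requests matching a known signature (path or User-Agent) are blocked.
        for sig in self.signatures:
            if sig.search(req.path) or sig.search(req.user_agent):
                return Decision("block", "signature")
        # Rule 4: sliding-window rate limit per client address.
        window = self._history[req.client_ip]
        while window and req.ts - window[0] >= self.rate_window_s:
            window.popleft()
        window.append(req.ts)
        if len(window) > self.rate_limit:
            return Decision("block", "rate-limit")
        return Decision("allow")


def run_demo():
    """Evaluate a constructed batch of requests against a constructed policy."""
    policy = LayerSevenPolicy(
        blocked_cidrs=["203.0.113.0/24"],            # constructed blocklist
        allowed_countries={"DE", "FR"},              # constructed region list
        static_page="https://static.example/unavailable.html",  # constructed
        signatures=[r"\.\./", r"(?i)^curl/"],        # constructed signatures
        rate_limit=5, rate_window_s=1.0)
    requests = [
        Request("203.0.113.9", "DE", "/", "Mozilla/5.0", 0.0),          # blocklisted range
        Request("198.51.100.5", "US", "/", "Mozilla/5.0", 0.0),         # outside allowed regions
        Request("198.51.100.6", "DE", "/../etc", "Mozilla/5.0", 0.0),   # traversal signature
    ]
    # One client sending 8 requests in 0.7 s: the first 5 pass, the rest are rate limited.
    requests += [Request("198.51.100.7", "FR", f"/search?q={i}", "Mozilla/5.0", i * 0.1)
                 for i in range(8)]
    return [policy.evaluate(r) for r in requests]


if __name__ == "__main__":
    for d in run_demo():
        print(d.action, d.rule or "", d.location or "")
```

Rule order matters in the same way it does in a WAF policy: because the blocklist runs first, a blocklisted address never consumes rate-limit budget or triggers a redirect, and because the rate limiter runs last, the window only counts requests that survived the cheaper checks. In Azure WAF the equivalent decisions are expressed as custom rules (IP and geographic match conditions, a rate limit rule type, and block or redirect actions) rather than as code.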


DMPS:


Des Moines Public Schools is currently contacting approximately 6,700 individuals to inform them about a data security event that occurred earlier this year. This incident, which occurred in January, involved a cyberattack on the school district and may have led to the potential exposure of personal information belonging to those affected. 


The cyberattack on DMPS also involved a ransom demand. However, in accordance with the advice of cybersecurity experts and considering the best interests of the school district and community, no ransom has been or will be paid in response to this attack.


And speaking of schools, the University of Manchester also recently disclosed a breach. In the week starting on June 6th, the University received news of a cyber incident in which unauthorized individuals gained access to certain systems and likely copied data. Our dedicated team of experts, both internal and external, is diligently working day and night to address this incident and determine the extent of the data accessed. Our main focus is to swiftly resolve this situation and promptly inform those affected. We are allocating all possible resources towards achieving these objectives.



Cybersecurity is Essential:


The incidents surrounding MOVEit, American Airlines, TSMC and Microsoft serve as stark reminders of the importance of cybersecurity in our fast-paced digital age. These incidents underscore the serious and ongoing nature of cybersecurity threats, reminding organizations to remain vigilant, strengthen their defenses, and prioritize the safeguarding of valuable data in the digital landscape. 
