All posts by Jeremy Makowski

Geopolitics and Cyber Risk: How Global Tensions Shape the Attack Surface

Post Syndicated from Jeremy Makowski original https://www.rapid7.com/blog/post/geopolitics-and-cyber-risk-how-global-tensions-shape-the-attack-surface

Geopolitics has become a significant risk factor for today’s organizations, transforming cybersecurity into a technical and strategic challenge heavily influenced by state behavior. International tensions and the strategic calculations of major cyber powers, including Russia, China, Iran, and North Korea, significantly shape the current threat landscape. Businesses can no longer operate as isolated entities; they now function as interconnected global ecosystems where employees, suppliers, cloud workloads, supply chains, and data flows intersect across multiple jurisdictions, each with its own unique set of political risks.

A region considered low-risk last month could become a high-risk zone overnight if a diplomatic dispute escalates. An overseas development team could suddenly become vulnerable if that region experiences sanctions, stricter regulations, or state pressure on the workforce.

Many organizations still underestimate this dynamic reality, relying on static risk models that assume relatively stable attack patterns. However, geopolitical decisions and internal vulnerabilities are often the drivers of the most sudden and consequential changes in exposure. For example, the announcement of sanctions can trigger retaliatory cyberattacks, a military buildup can unleash destructive campaigns, and a trade or intellectual property dispute can lead to large-scale espionage.

Cybersecurity leaders must therefore integrate geopolitical intelligence directly into their operational decision-making and risk assessment processes, recognizing that political forces, rather than technical errors, are often the primary trigger for increased vulnerability.

Geopolitics as a core driver of cyber risk

Geopolitics plays a decisive role in shaping the scale, direction, and sophistication of cybercriminal and state-sponsored activity, fundamentally altering the threat landscape for organizations worldwide. Geopolitical tensions and sanctions often create conditions in which state-aligned hackers operate with greater freedom, using cyber operations as tools for espionage, economic survival, political retaliation, or strategic influence. Isolated or sanctioned states often turn to cybercrime as an alternative source of revenue.

North Korea, for instance, intensifies financially motivated campaigns, including cryptocurrency theft and extortion, when economic pressure mounts. Iran, facing recurring sanctions and political isolation, tends to respond with retaliatory or disruptive cyber operations targeting sectors and institutions associated with adversarial nations.

China’s cyber activity often peaks during moments of heightened competition over technology and strategic resources, driving expansive espionage campaigns aimed at industries like aerospace, telecommunications, AI, and energy. Russia, meanwhile, escalates disruptive or destructive cyber actions during geopolitical confrontations or military conflicts, leveraging malware, industrial system interference, and coordinated information operations.

These patterns demonstrate how cyber risk extends far beyond technical vulnerabilities: organizations become targets because of their nationality, sector, technology assets, or global partnerships.

How geopolitical tensions influence threat actor behavior

Geopolitical tensions influence the behavior of threat actors by altering their objectives, aggression levels, and operational trade-offs in ways that directly impact global organizations. Russian groups, for example, will shift from covert intelligence collection to overt disruption, employing destructive malware, DDoS attacks, and infrastructure sabotage to exert pressure. Chinese actors are known to intensify long-term espionage and supply-chain infiltration, targeting IP, cloud providers, security firms, and development environments.

Iran responds to sanctions or regional tensions with opportunistic retaliation through data wiping, defacements, and financially motivated attacks. And when facing economic strain, North Korea expands cybercrime, including cryptocurrency theft, extortion, software supply-chain poisoning, and high-level financial fraud.

For organizations, these shifts manifest internally as newly observed attack patterns, such as targeted phishing aimed at political or strategic sectors, the exploitation of vulnerabilities relevant to conflicts, or supply-chain attacks aligned with espionage objectives. The unifying pattern is that geopolitical tensions cause attackers to reprioritize, whereby espionage becomes a means of destruction, revenue generation becomes a national strategy, and symbolic retaliation becomes an operational necessity. Security teams that do not account for these geopolitical triggers risk misjudging the scale, intent, and urgency of incoming threat campaigns.

Indicators that cyber escalation is coming

A cyber escalation is rarely an isolated phenomenon; it is usually accompanied by political and technical warning signs that can herald a wave of attacks. On the political front, organizations should monitor events such as sanctions announcements, diplomatic expulsions, military mobilizations, sudden breakdowns in negotiations, strategic military strikes, or public accusations of espionage. For example, tensions with Russia are often followed by cyber influence campaigns. Retaliatory cyberattacks are also common following the imposition of sanctions on the Islamic Republic of Iran. Increased cyber espionage campaigns coincide with periods of strategic competition with China, and financially motivated attacks intensify after economic pressure is exerted on North Korea.

On a technical level, the first warning signs manifest in one or more of the following ways:

  • An increase in sector-specific phishing attacks linked to political events
  • The reactivation of known command and control infrastructures
  • The formation of new politically-motivated hacktivist collectives
  • Access intermediaries launching campaigns to sell access points in sectors linked to ongoing conflicts

Internally, security teams may observe unusual activity, such as unexpected code updates from maintainers located in politically sensitive regions, vendor outages correlated with geopolitical developments, or authentication anomalies linked to regions near ongoing crises. The most important pattern to recognize is convergence: when political escalation, external surveillance, and internal anomalies appear within the same time frame, organizations must assume that threat conditions have shifted from background noise to active risk and immediately adopt a strengthened defensive posture.

Adjusting defensive posture during geopolitical instability

Harden identity infrastructure against state-grade threats

Identity has become a frontline asset in geopolitical conflict. In today’s environment, the boundaries between hacktivism, cybercrime, and state-sponsored activities are increasingly blurred, with governments at times guiding or amplifying these operations. Credential compromise is often the entry point that enables these broader campaigns. To mitigate this risk, organizations should enforce universal, phishing-resistant MFA, regularly review and tightly govern privileged roles, particularly in sensitive geographies, and adopt just-in-time access to minimize standing privileges. These measures materially reduce exposure and strengthen resilience against sophisticated, geopolitically motivated threat actors.

Conduct targeted threat hunts

  • Russia — Russian threat actors place a strong emphasis on disruption and destruction, particularly during periods of geopolitical conflict. They commonly deploy wiper malware that deletes or corrupts files and often disguise it as ransomware. Threat hunters should watch for sudden mass file changes, system reboots, or the use of admin-level command-line tools immediately preceding damage. Russia also has advanced capabilities for ICS/OT manipulation, meaning unusual access to industrial controllers or configuration changes can be a strong indicator of potential compromise. Additionally, their operations often support information warfare, so defenders should look for compromised media or government accounts, unauthorized website changes, and targeted spear-phishing attacks tied to political events.
  • China — China focuses on long-term, stealthy access rather than quick disruption. They are known for supply-chain compromises, so unusual activity from vendor accounts or anomalies in software updates should be investigated. They frequently abuse cloud identity platforms, making it essential to monitor for impossible travel logins, token theft, MFA fatigue, or suspicious OAuth applications. Chinese groups also invest heavily in credential harvesting, often trying to quietly collect usernames, passwords, and tokens over long periods. Threat hunters should look for password spraying, attempts to dump credentials, or lateral movement linked to service or personal accounts that generally don’t access sensitive systems.
  • Iran — Iranian threat actors tend to be opportunistic and politically reactive, relying heavily on broad phishing campaigns. Organizations should monitor for spikes in failed logins, newly created email forwarding rules, and look-alike phishing domains. Iran also frequently conducts website defacements, so signs such as unexpected CMS admin logins, unauthorized web content changes, or DNS tampering are essential to hunt for. While generally less sophisticated than Russia or China, they can still deploy destructive malware, meaning defenders should watch for scripts or tools that mass-delete or encrypt files, suspicious scheduled tasks, and activity involving commodity RATs or .NET tools.
  • North Korea — North Korea’s cyber operations are primarily financially motivated, with a strong focus on cryptocurrency theft. Threat hunters should monitor for unauthorized access to wallet systems, unusual outbound connections to cryptocurrency platforms, or abnormal API calls associated with blockchain activity. They also excel at social engineering, especially targeting finance, HR, and engineering staff by posing as recruiters or job candidates. Indicators include suspicious attachments, communication from personal email accounts, or new “contractor” accounts accessing code or financial systems. Once inside a network, their activity is typically driven by exfiltration, so large or stealthy data transfers, especially to cloud storage or foreign VPNs, are significant warning signs.
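Two of the hunts listed above, the impossible-travel login check and the check for newly created external email forwarding rules, implemented as an added example that is not part of the original post. The event formats, coordinates and internal domain are constructed assumptions; in practice the sign-in events would come from an identity provider's audit log with source IPs already enriched to coordinates.

```python
"""Added example (not from the Rapid7 post): two threat-hunting checks run over
constructed sign-in and mailbox-audit events.

Assumptions (not from the page): events are dicts with the fields shown in the
SAMPLE_* lists; lat/lon come from an upstream IP-enrichment step.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (user, UTC time, enriched lat/lon of source IP).
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2025-03-01T08:00:00", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "alice", "time": "2025-03-01T08:45:00", "lat": 39.9042, "lon": 116.4074},  # Beijing
    {"user": "bob",   "time": "2025-03-01T09:00:00", "lat": 40.7128, "lon": -74.0060},  # New York
    {"user": "bob",   "time": "2025-03-01T15:00:00", "lat": 41.8781, "lon": -87.6298},  # Chicago
]

# Constructed sample mailbox-audit events: newly created inbox rules that forward mail.
SAMPLE_MAIL_RULES = [
    {"user": "carol", "rule": "Invoices", "forward_to": "carol@example.com"},
    {"user": "dave",  "rule": ".",        "forward_to": "archive@mail-example.net"},
]

INTERNAL_DOMAINS = {"example.com"}   # constructed: the organization's own mail domains
MAX_PLAUSIBLE_KMH = 900.0            # roughly airliner speed; anything faster is "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])          # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            t0 = datetime.fromisoformat(prev["time"])
            t1 = datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # A location change with zero elapsed time is treated as impossible.
            if hours == 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                hits.append({"user": user, "km": round(dist),
                             "hours": round(hours, 2), "kmh": round(speed)})
    return hits


def external_forwarding_rules(events, internal=INTERNAL_DOMAINS):
    """Flag new inbox rules that forward mail to a domain outside the organization."""
    hits = []
    for e in events:
        domain = e["forward_to"].rsplit("@", 1)[-1].lower()
        if domain not in internal:
            hits.append({"user": e["user"], "rule": e["rule"], "domain": domain})
    return hits


if __name__ == "__main__":
    for h in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", h)
    for h in external_forwarding_rules(SAMPLE_MAIL_RULES):
        print("external forwarding rule:", h)
```

With the constructed data, only alice's London-to-Beijing pair (about 8,100 km in 45 minutes) and dave's rule forwarding to an outside domain are reported.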

Reprioritize assets exposed to geopolitical pressure

Identify systems and identities that become high-value targets during periods of geopolitical tension, especially those associated with sensitive regions or government-linked operations. Immediately harden them with faster patching, tighter segmentation, stricter east–west controls, and increased telemetry to concentrate defenses where state-aligned actors are most likely to strike.

Reduce external exposure on high-value frontiers

Reduce the attack surface by removing access paths favored by advanced adversaries. Disable legacy VPNs, retire unmonitored jump servers, tighten SSO/IdP trust paths, and eliminate unnecessary remote-admin or broad cloud access routes. Reducing weak entry points raises the cost of initial access for foreign intelligence units.

Harden response capabilities

Incident response teams must prepare for an increased likelihood of destructive or politically motivated attacks. Organizations should test their data destruction and destructive attack plans, validate their disaster recovery timelines, and ensure the restoration of offline or immutable backups. Management must be kept informed of evolving geopolitical risks, and cross-functional teams, including cybersecurity, legal, communications, and operations, must conduct crisis simulation exercises. Rapid response structures, such as crisis management teams, should be ready to be activated to facilitate fast decision-making under pressure. These measures are intended to help ensure that the organization can respond effectively even in the face of significant stress or disruption.

Building a geopolitical cyber attack surface map

Building a geopolitical map of the attack surface enables organizations to anticipate how political conditions may impact cyber risk. This involves understanding how people, technology, and third-party relationships are geographically distributed, and how those distributions intersect with jurisdictions that may impose legal, operational, or conflict-related risks. A robust map also integrates geopolitical assessments with business impact and criticality, enabling organizations to see where instability or state control could affect privileged access, essential services, or sensitive data.

The following steps describe how to perform an attack surface mapping based on geopolitical events. These steps are not derived from any single framework or source; they are a practical blend of best practices for mapping infrastructure, assessing geopolitical exposure, identifying weak points, and prioritizing remediation.

  • Map Internal Workforce: Create an authoritative inventory of the physical locations of all employees with technical or elevated privileges. Include full-time staff, contractors, and outsourced teams. Use HR, IAM, and staffing records to ensure accuracy and maintain updates as personnel relocate or roles change.
  • Map Infrastructure: Create a comprehensive list of regions that host your cloud services, data centers, disaster recovery sites, and replication routes. Document which workloads reside where, how traffic moves between regions, and what operational responsibilities each location carries. Capture both primary and failover arrangements.
  • Map Vendors & Subcontractors: This step requires suppliers to disclose the actual countries where engineering, customer support, managed services, and subcontracted tasks are performed. Validate this information through audits, questionnaires, or contractual obligations. Record each operational footprint, not just corporate registration locations.
  • Geopolitical Risk Scores: Apply a standardized scoring model to each region (e.g., Matteo Iacoviello Geopolitical Risk (GPR) index, BlackRock Geopolitical Risk Indicator (BGRI), or Bloomberg’s geopolitical risk scores). Inputs may include government stability indicators, international sanctions status, regulatory pressures, history of state intervention, and exposure to espionage or cyber operations. Use a consistent scoring range.
  • Overlay Business Criticality: Cross-reference each region’s risk score with the operational value of what that region supports. Identify where highly sensitive systems, privileged roles, or essential processes are located in areas with higher risk. Highlight areas where disruption would impact business continuity or security posture.
  • Identify Regional Strategic Points: Look for dependencies where a single region hosts an excessive number of critical people, systems, or vendors. This includes cloud regions serving multiple core workloads, a subcontractor with a heavily centralized team, or a country where several key staff reside. Flag these for targeted risk discussions.
  • Prioritize Remediation Measures: Develop a ranked set of actions based on the combined geopolitical and business impact. Potential responses include redistributing workloads across safer regions, shifting privileged roles, tightening access controls, enhancing monitoring for at-risk locations, or preparing contingency plans for rapid relocation or provider transition.
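The mapping steps above carried through on a small constructed inventory, as an added example that is not part of the original post. The region names, the 0-100 risk scores, the 1-5 criticality scale and the doubling weight for privileged access are assumptions made for the example; the post names public risk indices but does not give their values.

```python
"""Added example (not from the Rapid7 post): the geopolitical attack surface
mapping steps on a constructed inventory.

Assumptions (not from the page): region risk scores on a 0-100 scale,
criticality on a 1-5 scale, privileged access doubling an item's weight.
"""
from collections import defaultdict

# Step 4: constructed region risk scores on one consistent 0-100 range.
REGION_RISK = {"region-a": 15, "region-b": 45, "region-c": 80}

# Steps 1-3: constructed inventory of workforce, infrastructure and vendors.
# criticality: 1 (low) .. 5 (essential); privileged: holds elevated access.
INVENTORY = [
    {"kind": "workforce", "name": "cloud-admin-team", "region": "region-c", "criticality": 5, "privileged": True},
    {"kind": "workforce", "name": "qa-contractors",   "region": "region-b", "criticality": 2, "privileged": False},
    {"kind": "infra",     "name": "prod-db-primary",  "region": "region-a", "criticality": 5, "privileged": False},
    {"kind": "infra",     "name": "prod-db-replica",  "region": "region-c", "criticality": 4, "privileged": False},
    {"kind": "infra",     "name": "dr-site",          "region": "region-c", "criticality": 4, "privileged": False},
    {"kind": "vendor",    "name": "managed-soc",      "region": "region-b", "criticality": 4, "privileged": True},
    {"kind": "vendor",    "name": "payroll-saas",     "region": "region-a", "criticality": 3, "privileged": False},
]


def exposure(item, risk=REGION_RISK):
    """Step 5: overlay business criticality on the region's risk score.
    Privileged access doubles the weight (assumption), since standing
    privileges are what state-aligned actors most often go after."""
    score = risk[item["region"]] * item["criticality"]
    return score * 2 if item["privileged"] else score


def strategic_points(inventory, min_critical=2, crit_threshold=4):
    """Step 6: a region hosting several critical items is a single point of
    pressure. Returns {region: [names]} for regions holding at least
    min_critical items with criticality >= crit_threshold."""
    by_region = defaultdict(list)
    for it in inventory:
        if it["criticality"] >= crit_threshold:
            by_region[it["region"]].append(it["name"])
    return {r: names for r, names in by_region.items() if len(names) >= min_critical}


def prioritize(inventory, risk=REGION_RISK):
    """Step 7: rank items by exposure, highest first; ties broken by name."""
    ranked = sorted(inventory, key=lambda it: (-exposure(it, risk), it["name"]))
    return [(it["name"], it["region"], exposure(it, risk)) for it in ranked]


def reassess(inventory, risk_updates, risk=REGION_RISK):
    """Re-run the ranking after an event changes a region's score (for example
    a sanctions announcement), so the map reflects current conditions rather
    than a static model."""
    updated = dict(risk)
    updated.update(risk_updates)
    return prioritize(inventory, updated)


if __name__ == "__main__":
    print("concentration points:", strategic_points(INVENTORY))
    for name, region, score in prioritize(INVENTORY):
        print(f"{score:5d}  {name:18s} {region}")
    print("after region-a rises to 70:", reassess(INVENTORY, {"region-a": 70})[:3])
```

In the constructed data, region-c hosts three critical items (the privileged admin team, the database replica and the DR site) and is flagged as a concentration point, and raising region-a's score from 15 to 70 moves the primary database from sixth to third in the remediation ranking.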

Conclusion

Geopolitics is now a key driver of cyber risk, redefining attacker profiles, motivations, and the organizations targeted and/or affected by collateral damage. Many vulnerabilities in modern businesses stem not from technical misconfigurations, but from the geopolitical interconnectedness of global supply chains, cloud architectures, distributed teams, and open-source ecosystems.

Traditional cybersecurity controls remain essential, but are insufficient on their own as they fail to account for laws, political incentives, national strategies, and human vulnerabilities influenced by the world’s most active cyber powers. To manage this reality, organizations must integrate geopolitical analysis into every layer of their security decision-making process, consider geography as a key security variable, and develop the agility to proactively adapt their posture to the evolving global context.

Threat Landscape of the Building and Construction Sector Part Two: Ransomware

Post Syndicated from Jeremy Makowski original https://www.rapid7.com/blog/post/tr-building-construction-sector-threat-landscape-ransomware

In this second installment of our two-part series on the construction industry, Rapid7 is looking at the specific threat ransomware poses, why the industry is particularly vulnerable, and ways in which threat actors exploit its weaknesses to great effect. You can catch up on the first part here: Initial Access, Supply Chain, and the Internet of Things.

Ransomware and the construction industry 

The construction sector is increasingly vulnerable to ransomware attacks in 2025 due to its complex ecosystem and distinctive operational challenges. Construction projects typically involve a web of contractors, subcontractors, suppliers, and consultants, collaborating through shared digital platforms and exchanging sensitive documents such as blueprints, contracts, and timelines. 

While essential for project delivery, this interconnectedness creates numerous digital entry points that attackers can exploit, mainly as many firms rely on outdated software and insufficient cybersecurity protocols. Adding to the challenge, construction companies often operate under tight deadlines and financial constraints, leaving little room for prolonged IT outages or data recovery efforts. 

Ransomware attackers take advantage of this urgency, knowing that even short disruptions can halt entire job sites, delay multimillion-dollar projects, and damage reputations, making companies more likely to pay ransoms quickly.

Compounding the problem, many construction organizations lack dedicated cybersecurity staff and robust employee training, making them susceptible to phishing, weak passwords, and other basic attack vectors, as we talked about in part one of this series. The sector’s dependency on third-party vendors, who may have weaker security, amplifies the risk by widening the potential attack surface. 

Together, these factors make it difficult for construction firms to detect, prevent, and recover from ransomware incidents, leaving the industry facing financial losses, operational chaos, legal consequences, and growing pressure to modernize its approach to digital security.

[Figure: Monthly comparison of ransomware attacks against the construction industry, 2024 vs. 2025]

The construction industry is ranked among the top 3 most attacked sectors in 2025.

[Figure: Top 10 targeted sectors in 2025]

The majority of attacks are against companies in the United States, followed by Canada, the United Kingdom, and Germany. 

[Figure: Top 10 targeted countries in the construction industry in 2025]

In 2025, the ransomware groups that targeted construction companies most frequently were Play, Akira, Qilin (AKA Agenda), SafePay, RansomHub, Lynx, DragonForce, Medusa, WorldLeaks, and INC Ransom. Notably, RansomHub is no longer active in its original form.    

[Figure: Top ransomware groups targeting the construction industry in 2025]

Why the construction sector is attractive to ransomware groups

The reasons why ransomware groups have zeroed in on this sector are diverse and include the following:

High-value, time-sensitive projects

Construction projects are high-stakes endeavors, often involving multi-million (or even billion) dollar budgets and strict delivery deadlines. Even a brief disruption, whether caused by ransomware, data breaches, or system outages, can lead to costly project delays and penalties. Attackers know this, and they exploit the sector’s reliance on tight timelines to extort higher ransoms, banking on the urgency to restore operations.

Complex, interconnected supply chains

Few industries are as dependent on an intricate web of subcontractors, vendors, and service providers. Each connection in this sprawling supply chain presents a potential vulnerability. A compromised partner can serve as a gateway for attackers, enabling threats like supply chain attacks and lateral movement across multiple organizations. Securing every link is a significant challenge, especially when third-party cybersecurity practices vary widely.

Low cybersecurity maturity

While sectors like finance and healthcare have long invested in cybersecurity, many construction firms are only beginning their journey. Legacy systems, limited IT budgets, and a traditional focus on physical rather than digital risks have left gaps in defenses. As a result, attackers often find weaker security controls, outdated software, and unpatched systems, making this sector a prime target.

Accelerated digitalization and IoT adoption

Adopting cloud platforms, Building Information Modeling (BIM), IoT sensors, and smart machinery is revolutionizing project management and delivery. However, each new digital innovation adds to the attack surface. IoT devices, in particular, often lack robust security controls, providing attackers with novel entry points that are difficult to monitor and defend.

Exposure of sensitive intellectual property

Construction firms handle more than just blueprints. Proprietary architectural designs, bid documents, financial plans, and sensitive client data are all highly valuable and highly sought after by cybercriminals. The theft or exposure of this information can have devastating consequences, from reputational damage and loss of competitive advantage to implications for critical infrastructure and national security.

Commonly exploited vulnerabilities

Commonly exploited vulnerabilities by the above-mentioned ransomware groups include:

  • CVE-2025-31324 – The SAP NetWeaver Visual Composer file upload flaw enables unauthenticated threat actors to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, leading to unrestricted malicious file upload and full system compromise.

  • CVE-2024-21887 – The Ivanti Connect Secure and Policy Secure command injection flaw enables authenticated administrators to execute arbitrary commands on the appliances by sending specially crafted requests.

  • CVE-2024-21762 – The Fortinet FortiOS out-of-bounds write flaw allows threat actors to bypass the authentication mechanism and gain super-admin privileges, leading to remote code execution (RCE).

  • CVE-2024-55591 – The Fortinet FortiOS and FortiProxy authentication bypass flaw enables threat actors to remotely gain super-admin privileges by making malicious requests to the Node.js websocket module. Attackers were observed leveraging the flaw to create randomly generated admin or local users and add them to existing SSL VPN user groups or newly created ones. In addition, they add or modify firewall policies and other settings and log into the SSL VPN using these rogue accounts to allow network tunneling.

  • CVE-2024-40711 – The Veeam Backup and Replication deserialization flaw allows unauthenticated threat actors to initiate RCE.

  • CVE-2024-40766 – The SonicWall SonicOS and SSLVPN improper access control flaw enables unauthorized threat actors to access resources and, under certain conditions, cause firewall crashes.

What to do next

In 2025, the construction industry faces unprecedented digital opportunities and rising cyber risk. IoT, BIM, and cloud platforms have boosted efficiency but expanded attack surfaces, making firms vulnerable to ransomware, supply chain breaches, and IP theft. These risks, driven by fragmented supply chains, legacy systems, human error, and insecure devices, are systemic, not isolated. Cybersecurity must now be treated as a core pillar of project management, equal to safety, cost, and schedule, requiring board-level commitment and industry-wide collaboration.

To build resilience, firms should modernize legacy systems, secure supply chains, protect connected devices, and train all staff in cyber defense. Proactive measures like risk assessments, secure-by-design technologies, unified frameworks, and incident response playbooks must replace piecemeal defenses. By embedding security into daily operations and culture, the industry can turn cyber resilience into a competitive advantage, ensuring that innovation and protection move together to secure construction’s future.

Threat Landscape of the Building and Construction Sector, Part One: Initial Access, Supply Chain, and the Internet of Things

Post Syndicated from Jeremy Makowski original https://www.rapid7.com/blog/post/tr-building-construction-sector-threat-landscape-initial-access-supply-chain-iot

In 2025, the construction industry stands at the crossroads of digital transformation and evolving cybersecurity risks, making it a prime target for threat actors. Cyber adversaries, including ransomware operators, organized cybercriminal networks, and state-sponsored APT groups from countries such as China, Russia, Iran, and North Korea, are increasingly focusing their attacks on the building and construction sector. 

These actors exploit the industry’s growing dependence on vulnerable IoT‑enabled heavy machinery, Building Information Modeling (BIM) systems, and cloud‑based project management platforms. 

Ransomware campaigns designed to disrupt project timelines, supply chain attacks exploiting third‑party software and equipment vendors, and social engineering schemes targeting on‑site personnel pose substantial operational and financial risks. Compounding this, data privacy mandates and regulatory scrutiny have intensified globally, pressing construction companies to implement robust cybersecurity measures. 

In this two-part series, Rapid7 is looking at the threats the construction industry faces, how threat actors are entering their networks, and the most common vulnerabilities construction industry security professionals should remediate now. 

Initial access and data leaks 

The construction sector faces escalating cyber threats as rapid digital transformation and heavy reliance on third-party vendors expose firms to new vulnerabilities. Cybercriminals increasingly target construction companies for initial access and data leaks, exploiting weak security practices, outdated legacy systems, and widespread use of cloud-based project management tools. Attackers commonly employ phishing email messages, compromised credentials, and supply chain attacks, taking advantage of insufficient employee training and lax vendor risk management. 

Notably, gaining initial access to a corporate network can be resource-intensive, prompting many threat actors to seek more accessible routes: purchasing access from underground forums where intermediaries and brokers sell credentials to previously breached networks across all industries, including construction. Access types traded, such as VPN, RDP, SSH, Citrix, SMTP, and FTP, are priced based on the target’s size and network complexity. 

Once inside, cybercriminals leverage interconnected systems to move laterally and exfiltrate valuable data, including blueprints, contracts, financial records, and personal information. The complex, collaborative nature of construction projects and the frequent exchange of sensitive documents amplify the risk, making the sector a prime target for corporate espionage, financial gain, and extortion through ransomware. This evolving threat landscape underscores the urgent need for robust cybersecurity measures and comprehensive vendor risk management within the industry.

[Figure: Construction company network access for sale on the dark web]

[Figure: VPN/RDP/cPanel access to a construction company for sale on the dark web]

Social engineering and phishing campaigns

Social engineering and phishing campaigns are particularly effective in the building and construction industry as attackers exploit the industry’s workflow and human vulnerabilities. Cybercriminals frequently use phishing emails, SMS messages, and phone calls to impersonate project managers, suppliers, or executives. These communications often appear urgent, requesting immediate payment, sensitive information, or login credentials, making them difficult for busy staff to ignore.

Common attack vectors

  • Vendor impersonation: Attackers pose as legitimate suppliers to request changes in payment details or deliver fake invoices, exploiting the sector’s reliance on a broad network of subcontractors and vendors.

  • Executive impersonation (“CEO fraud”): Criminals spoof senior management to pressure employees into transferring funds or divulging confidential information.

  • Malicious attachments and links: Phishing messages often contain fake contracts, blueprints, or project documents, which, when opened, compromise credentials or deploy malware.

  • Compromised trusted platforms: Attackers exploit open redirects or compromised accounts on construction management tools to distribute phishing links that bypass basic email security checks.

Due to several unique operational challenges, the building and construction sector is particularly vulnerable to social engineering and phishing attacks. A dispersed and mobile workforce, with employees often working remotely or across multiple job sites, makes it challenging to verify unexpected requests or consult with IT and security teams in real time. 

The urgency to complete high-value transactions under tight project deadlines can encourage employees to bypass verification procedures and overlook warning signs of suspicious communications. Additionally, the sector’s complex supply chains, which involve frequent interactions with unfamiliar subcontractors, provide ample opportunities for attackers to infiltrate ongoing conversations unnoticed. 

This risk is compounded by varying levels of cybersecurity awareness among employees, particularly in smaller firms where consistent training is less common. These factors make the industry an attractive target for attackers and highlight the critical need for enhanced employee awareness, rigorous verification processes, and sector-specific cybersecurity measures.

Supply chain and third‑party risks

The construction sector’s dependence on a vast network of subcontractors, vendors, and technology providers has intensified its exposure to supply chain and third‑party cyber threats. Construction projects often involve dozens, sometimes hundreds, of different partners, each bringing their systems and security practices to the table. Unlike more centralized industries, construction companies rarely have complete visibility or control over the cybersecurity standards of every third party involved. 

This lack of uniformity creates significant blind spots that attackers can exploit. For example, a breach within a third-party software update or a compromised equipment supplier can quickly propagate throughout an entire project, causing costly delays, data loss, or operational paralysis. 

With tight deadlines and complex, geographically dispersed operations, construction firms may deprioritize cybersecurity vetting in favor of speed and cost, further compounding their risk. Effective mitigation now demands ongoing risk assessments, precise contractual cybersecurity requirements for all partners, real-time monitoring, and a collaborative approach to incident response, ensuring vulnerabilities are identified and addressed before they can impact critical projects.

Emerging threats: The Internet of Things (IoT) and Building Information Modeling (BIM)

The rapid adoption of IoT‑enabled machinery and Building Information Modeling (BIM) has transformed the construction landscape, enhancing efficiency and collaboration across project teams. However, these advances have also created new and unique points of vulnerability. 

The sector’s connected devices, such as smart cranes, on-site sensors, and drones, often operate in environments where cybersecurity is not traditionally a primary concern, and where devices may be physically accessible to outsiders or not consistently updated. Many IoT devices lack built-in security features, making them easy entry points for cyberattacks that could disrupt operations or threaten worker safety. 

Similarly, BIM platforms that centralize and share sensitive design and project data are now high-value targets, as a single compromise can reveal blueprints, project timelines, and operational details to attackers. Construction firms are particularly at risk because project sites frequently change, IT resources may be stretched thin, and digital assets are constantly being moved and accessed by different parties. 

Protecting these new technologies requires a shift in mindset: from viewing cybersecurity as a back-office concern to treating it as an essential component of on-site and digital operations, including secure device management, strong access controls, regular updates, and robust encryption practices.

Key threats and vulnerable points in IoT and BIM for construction:

  • IoT device vulnerabilities:

    • Weak authentication: Many IoT devices use default or weak passwords, making unauthorized access easier.

    • Unpatched firmware: Devices often lack regular updates, leaving known vulnerabilities open to exploitation.

    • Physical access risks: Construction sites are less secure environments, allowing attackers to tamper with or steal devices.

    • Insecure communication protocols: Data sent between IoT devices and central systems may be unencrypted or poorly secured, exposing sensitive information.

  • BIM threats:

    • Centralized data breaches: BIM platforms hold all project data in one place, so a single breach can expose blueprints, schedules, and operational details.

    • Unauthorized access: Weak access controls or shared credentials can let unauthorized users download, alter, or leak sensitive project files.

    • Third-party collaboration risks: Multiple subcontractors or vendors may have access to BIM, increasing the risk of compromised accounts or insider threats.

Taking proactive steps to enhance cybersecurity

As the building and construction industry digitalizes, strengthening cybersecurity has become a business-critical priority. The following strategies address the sector’s unique challenges and offer a roadmap for reducing cyber risk.

Elevate cybersecurity to a core business priority

Historically, cybersecurity has been an afterthought in many construction firms. To change this, leadership must treat cybersecurity as essential to project delivery and business continuity. This requires investing in dedicated IT security staff, integrating cybersecurity into board-level discussions, and establishing clear policies for digital risk management throughout the organization.

Secure the digital supply chain

Given the sector’s reliance on a complex network of subcontractors and vendors, assessing and strengthening supply chain security is crucial. Firms should require vendors to meet baseline cybersecurity standards, conduct regular audits of third-party security practices, and ensure that project documents and data are shared through secure and encrypted channels. Construction companies can reduce the risk of supply chain-based attacks by holding all partners to strong security protocols.

Upgrade and harden legacy systems

Outdated software and systems remain prime targets for cybercriminals. Construction companies must thoroughly assess their IT environments, identify and replace unsupported or vulnerable technologies, and maintain a regular schedule of software updates and patching. Modern firewalls and endpoint protection further help to close critical security gaps.

Protect IoT devices and smart technology

Securing these devices is essential with the rapid adoption of IoT sensors, connected machinery, and advanced project management platforms. This means changing default passwords, disabling unnecessary services, and keeping IoT devices on networks separate from core business systems. Ongoing monitoring for unauthorized access or unusual activity helps to detect and respond to threats targeting these new endpoints.
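The segmentation and monitoring advice above can be checked mechanically. The following added example (not code from the original post) runs a small IoT segmentation policy over constructed firewall flow records: the IoT VLAN, core network, collector address, management ports and log lines are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed example: the site's IoT VLAN (cranes, sensors, drones) is
# 10.50.0.0/24, core business systems sit in 10.10.0.0/16, and the only
# system allowed to talk to devices is an assumed collector at 10.10.5.10.
# These ranges and the flow records are assumptions, not from the post.
IOT_NET = ipaddress.ip_network("10.50.0.0/24")
CORE_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # anything else is "outside"
ALLOWED_PEERS = {ipaddress.ip_address("10.10.5.10")}
IOT_MGMT_PORTS = {22, 23, 80, 443, 1883}            # device admin / telemetry

# Constructed flow log: timestamp src dst dst_port action
SAMPLE_FLOWS = """\
2025-06-01T08:00:01 10.50.0.21 10.10.5.10 1883 allow
2025-06-01T08:00:05 10.50.0.21 10.10.3.44 445 allow
2025-06-01T08:01:10 10.10.7.99 10.50.0.33 22 allow
2025-06-01T08:02:00 203.0.113.7 10.50.0.33 23 allow
2025-06-01T08:02:30 10.10.5.10 10.50.0.40 443 allow
"""

def classify(src, dst, port):
    """Label a flow that crosses the IoT boundary, or None if it is expected."""
    if src in IOT_NET and dst not in IOT_NET and dst not in ALLOWED_PEERS:
        # a device talking to anything but the collector is a segmentation gap
        return "iot-to-core" if dst in CORE_NET else "iot-egress"
    if dst in IOT_NET and src not in IOT_NET and src not in ALLOWED_PEERS:
        if src not in INTERNAL_NET:
            return "external-to-iot"      # device reachable from the internet
        return "unauthorized-mgmt" if port in IOT_MGMT_PORTS else "lateral-to-iot"
    return None

def find_violations(log_text):
    """Return (timestamp, src, dst, port, label) for every flow that violates
    the IoT segmentation policy; allowed flows are dropped."""
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, port, _action = line.split()
        label = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))
        if label:
            findings.append((ts, src, dst, int(port), label))
    return findings

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(*finding)
```

Feeding real flow exports through the same policy turns "keep IoT devices on separate networks" into a daily check rather than a one-time design decision.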

Foster a security-aware culture

Human error is still a leading cause of cyber incidents, so regular cybersecurity training should be mandatory for all employees and contractors. Staff should be equipped to recognize phishing attempts, follow secure password practices, and report security incidents. Construction firms can strengthen their defense by building a culture where everyone understands their role in protecting digital assets.

Safeguard sensitive data and intellectual property

Protecting sensitive information such as blueprints, bids, client data, and proprietary designs is crucial. Data should be encrypted at rest and in transit, with strict access controls and permissions. Regular data backups and recovery testing are also important, along with using secure platforms for managing and sharing documents. These measures help prevent unauthorized access, data loss, and reputational harm.

As the industry reckons with its expanding digital footprint, understanding and mitigating the unique tactics and motivations of these threat actors in 2025 is prudent and imperative for ensuring project continuity, workforce safety, and reputational resilience. 

In the concluding installment of this two-part series, Rapid7 will look at how ransomware actors exploit many of the same weaknesses mentioned here. Stay tuned.

Network Access for Sale: Protect Your Organization Against This Growing Threat

Post Syndicated from Jeremy Makowski original https://blog.rapid7.com/2022/08/22/network-access-for-sale-protect-your-organization-against-this-growing-threat/

Vulnerable network access points are a potential gold mine for threat actors who, once inside, can exploit them persistently. Many cybercriminals are not only interested in obtaining personal information but also seek corporate information that could be sold to the highest bidder.

Infiltrating corporate networks

To infiltrate corporate networks, threat actors typically use several techniques, including:

Social engineering and phishing attacks

Threat actors collect email addresses, phone numbers, and information shared on social media platforms to target key people within an organization with phishing campaigns that harvest credentials. Moreover, many threat actors have managed to find the details of potential victims in leaked databases posted on dark web forums.

Malware infection and remote access

Another technique used by threat actors to gain access to corporate networks is malware infection. This technique consists of spreading malware, such as trojans, through a network of botnets to infect thousands of computers around the world.

Once infected, a computer can be remotely controlled to gain full access to the company network that it is connected to. It is not rare to find threat actors with botnets on hacking forums looking for partnerships to target companies.

Network and system vulnerabilities

Some threat actors will prefer to take advantage of vulnerabilities within networks or systems rather than developing offensive cyber tools or using social engineering techniques. The vulnerabilities exploited are usually related to:

  • Outdated or unpatched software that exposes systems and networks
  • Misconfigured operating systems or firewalls that leave default policies enabled
  • Ports that are open by default on servers
  • Poor network segmentation with unsecured interconnections

Selling network access on underground forums and markets

Since gaining access to corporate networks can take a lot of effort, some cybercriminals prefer to simply buy access to networks that have already been compromised, or information that was extracted from them. As a result, it has become common for cybercriminals to sell access to corporate networks on cybercrime forums.

Usually, the types of access that are sold on underground hacking forums are SSH, cPanels, RDP, RCE, SH, Citrix, SMTP, and FTP. The price of network access is usually based on a few criteria, such as the size and revenue of the company, as well as the number of devices connected to the network. It usually goes from a few hundred dollars to a couple thousand dollars. Companies in all industries and sectors have been impacted.

For these reasons, it is increasingly important for organizations to have visibility into external threats. Threat intelligence solutions can deliver 360-degree visibility of what is happening on forums, markets, encrypted messaging applications, and other deep and darknet platforms where many cybercriminals operate tirelessly.

In order to protect your internal assets, ensure the following measures exist within the company and are implemented correctly.

  • Keep all systems and networks updated.
  • Implement a network and systems access control solution.
  • Implement a two-factor authentication solution.
  • Use an encrypted VPN.
  • Perform network segmentation with security interfaces between networks.
  • Perform periodic internal security audits.
  • Use a threat intelligence solution to keep updated on external threats.

Cybercriminals’ Recruiting Effort Highlights Need for Proper User Access Controls

Post Syndicated from Jeremy Makowski original https://blog.rapid7.com/2022/03/15/cybercriminals-recruiting-effort-highlights-need-for-proper-user-access-controls/

The Lapsus$ ransomware gang’s modus operandi seems to be evolving. Following the recent data breaches of Nvidia and Samsung, on March 10, 2022, the Lapsus$ ransomware gang posted a message on their Telegram channel claiming that they were looking to recruit employees/insiders of companies in the telecommunications, software/gaming, call center/BPM, and server hosting industries.

This marks a departure from their previous attacks, which relied on phishing to gain access to victims’ networks. Now they are taking a more direct approach, actively recruiting employees who can provide them with VPN or Citrix access to corporate networks.

Additionally, the group appears to be taking requests. On March 6, 2022, Lapsus$ posted a survey on their Telegram channel asking people which victim’s source code they should leak next.

Following this survey, on March 12, 2022, the Lapsus$ ransomware gang posted a message on its Telegram channel in which they claimed to have hacked the source code of Vodafone Group. The next day, March 13, they posted another message to say that they are preparing the Vodafone data to leak.

The Lapsus$ ransomware gang calls on people to join their Telegram chat group or contact them by email at the following address: [email protected].

Generally, cybercriminal groups exploiting ransomware infect employee computers by using techniques such as phishing or Remote Access Trojans. However, the Lapsus$ ransomware gang’s bold new approach to target companies from within is concerning and shows their willingness to expand their capabilities and attack vectors.

As a result, we recommend that companies increase the vigilance they exercise regarding their internal security policy. Regardless of whether Lapsus$ recruiting tactics prove successful, they emphasize the need for proper user access control. It is critical to ensure that employees with access to the company network have only the security rights they require and not more.
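One practical way to act on "only the security rights they require" is a periodic review of entitlements that were granted but never used. The following added example (not Rapid7's code or tooling) does that over a constructed entitlement table and access log; the accounts, entitlement names and timestamps are assumptions for illustration, and VPN and Citrix rights are flagged because they are the kind of access the recruiting post asked for.

```python
from datetime import datetime, timedelta

# Constructed example data (assumptions, not from the original post):
# what each account is entitled to, and the successful uses seen in logs.
ENTITLEMENTS = {
    "alice": {"vpn", "citrix-finance", "citrix-eng", "admin-console"},
    "bob":   {"vpn", "citrix-eng"},
    "carol": {"vpn", "citrix-finance", "admin-console"},
}
ACCESS_EVENTS = [  # (user, entitlement, ISO timestamp of a successful use)
    ("alice", "vpn", "2022-03-01T09:00:00"),
    ("alice", "citrix-eng", "2022-03-02T10:15:00"),
    ("bob", "vpn", "2022-03-10T08:30:00"),
    ("bob", "citrix-eng", "2022-03-11T08:45:00"),
    ("carol", "vpn", "2021-11-20T09:00:00"),
    ("carol", "citrix-finance", "2022-03-09T14:00:00"),
]
# Entitlements that hand out remote network access (assumed naming scheme)
REMOTE_ACCESS_PREFIXES = ("vpn", "citrix-")

def unused_entitlements(entitlements, events, as_of, window_days=90):
    """Map each user to the entitlements granted but not used since the cutoff."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=window_days)
    used = {}
    for user, ent, ts in events:
        if datetime.fromisoformat(ts) >= cutoff:
            used.setdefault(user, set()).add(ent)
    stale = {}
    for user, granted in entitlements.items():
        extra = granted - used.get(user, set())
        if extra:
            stale[user] = extra
    return stale

def removal_candidates(entitlements, events, as_of, window_days=90):
    """Sorted (user, entitlement, is_remote_access) tuples to put in front of
    the access owner; remote-access rights are flagged for priority review."""
    rows = []
    for user, extra in unused_entitlements(entitlements, events, as_of, window_days).items():
        for ent in sorted(extra):
            rows.append((user, ent, ent.startswith(REMOTE_ACCESS_PREFIXES)))
    return sorted(rows)

if __name__ == "__main__":
    for user, ent, remote in removal_candidates(ENTITLEMENTS, ACCESS_EVENTS, "2022-03-15"):
        print(f"{user:6} {ent:16} {'REMOTE-ACCESS' if remote else ''}")
```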

To learn more about Rapid7’s role-based access control capabilities, check out Solving the Access Goldilocks Problem: RBAC for InsightAppSec Is Here.
