Daily operations at some 15,000 automotive dealers remain impacted as CDK works to restore its dealer management system, following what appears to be a ransomware attack last week.

Source: Jonathan Weiss via Shutterstock

The nationwide impact of a cyberattack on CDK Global last week has focused attention on the need for organizations to have robust contingency plans when they rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at some 15,000 automotive dealers around the country, forcing many to go back to using paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK had informed them about requiring several days — but likely not weeks — to restore its systems. Companies that notified the SEC about being impacted by the CDK breach included Penske, Group I Automotive, and Lithia Motors.

**Ransomware Attack?**

CDK, which provides a suite of cloud software and services for the automotive retail industry, has not yet publicly disclosed the nature of the attack that crippled its systems. But some media outlets have attributed the attack to an East European ransomware group called BlackSuit. They have described the threat actor as demanding millions of dollars in ransom from CDK to unlock the company's systems.

CDK did not respond immediately to a Dark Reading request seeking an update on the status of the company's systems restoration efforts and whether it had been able to attribute the attack to the BlackSuit ransomware group.

Attacks like these underscore the critical need for organizations to extend their cybersecurity protections to their entire network of vendors and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. "For organizations in sectors heavily reliant on a limited number of software vendors or SaaS providers, mitigating exposure and containing disruptions via the software supply chain requires a multifaceted approach," he says. "Firstly, diversifying vendor relationships where possible can distribute risk and reduce dependency on single providers."

**Contingency Planning for SaaS Apps**

Organizations that use SaaS services should implement formal risk management frameworks that include stringent security assessments and contractual obligations for cybersecurity standards, Steinhauer says. Collaborative initiatives within industry sectors to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, head of engineering at Check Point Software, says the broader takeaway from attacks like this is for organizations to assume their infrastructure is a target wherever the resources — applications, servers, and users — might reside.

It's a good idea to determine the service providers and vendors that are most crucial to your business and identify what their measures are for protecting against an attack, and for mitigating and responding to one, if needed.

Ostrowski advises that organizations keep on top of what's going on in the immediate aftermath of a disruptive cyberattack. For instance, following the attack on CDK, threat actors have been calling customers, apparently with information related to the breach, in what would seem to be phishing attempts.

**The Rush to Repair**

There are lessons in CDK's apparent recovery struggles as well. Soon after the company began recovery efforts last week, it experienced a second attack, right in the midst of its recovery efforts. CDK has not disclosed much about the second attack beyond saying it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, perceives that as an indication of CDK attempting to restore its systems too quickly.

"Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time," Arntz said in an emailed comment. "Restoring systems from, say, a week ago is often not far enough."

The CDK attack also highlights the continued — and growing — exposure that organizations in all sectors face via the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced some kind of security incident tied to their software suppliers and service providers over the past 12 months.

Attacks targeting major players like CDK reveal significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

"These incidents expose the potential for widespread disruption and economic impact when essential services and operations are compromised," he notes. "They highlight the need for stringent regulatory oversight, enhanced cybersecurity standards, and proactive defense measures to safeguard against targeted attacks on software supply chain leaders."

Strengthening cybersecurity resilience through continuous assessment, response readiness, and collaborative risk management efforts are also critical to mitigating the growing threat landscape posed by sophisticated cyber adversaries, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CDK Attack: Why Contingency Planning Is Critical for SaaS Customers

AppSec is hard for traditional software development, let alone citizen developers. So how did two people resolve 70,000 vulnerabilities in three months?

Source: David Grossman / Alamy Stock Photo

Application security (AppSec) programs are difficult to use and filled with vulnerabilities. Overloaded staff face an inadequate budget. Communication with developers is challenging. These sayings are so true, so ubiquitous, that they've become tropes. This is why meeting a team of two who managed to resolve 70,000 security vulnerabilities in three months made me gasp.

**70,000 Vulnerabilities? Really?**

Actually, they found 80,000, 70,000 of which they were able to fix within 90 days. These numbers do not indicate particularly vulnerable applications. They indicate taking a real look in the mirror, beyond the usual lines drawn in the sand between professional development and citizen development, which we sometimes call shadow IT.

Citizen developers are now embedded in every part of large enterprises. Yes, that includes yours. Last year, Microsoft announced that Power Platform, its popular low-code/no-code platform built into M365, had surpassed 33 million users, growing 50% year over year. These users work for the enterprise — your enterprise. They build critical applications, from finance to risk and customer care. It's a real boost to digital transformation, for the business and by the business (user).

**Citizen Development Security Challenges**

A few aspects of citizen development make building an AppSec program around it particularly challenging:

*   The scale of citizen development is between 10x and 100x that of professional development, whether you measure it in terms of numbers of developers, number of applications, or any other metric.
    
*   The variance of business units can be so big that it is easier to think of some business units as separate entities. Indeed, in a large enough corporation, some business units fall under different laws and regulation and have a different risk appetite.
    
*   Citizen developers, as business users, are not security-savvy. If you try to explain injection attacks to a business user, it would probably not be a fruitful conversation or a good use of anyone's time. Citizen developers should do what they do best: move the business forward.
    
*   Finally, the lack of process can be tricky — citizen development is all about moving fast. You edit right in production, adapt quickly, and move forward.
    

Fortunately, some standards have emerged that document and categorize the security vulnerabilities in low-code/no-code apps built by citizen developers.

**AppSec for Citizen Development**

The good news is that the unique challenges of citizen development force us to think outside of the box. Any manual review or process goes out the window. Blocking business users from developing software is never a real option, even when we pretend it is.

Building a successful AppSec program for citizen developers requires heavy reliance on automation and self-service. We need to design a process, think about the edge cases, and automate it completely. For example, when a developer says they have fixed an issue, can you retest to confirm? Is there a clear route for escalation and asking for exemptions? What happens when service-level agreements (SLAs) aren't met? We have answers to all of these questions for traditional AppSec, relying on the software development life cycle and years of working with developers. Though none of the established processes work as is with citizen development, we can use our learnings from pro developers to design a solution that does.

To build your program, start with the basics:

1.  Inventory. Know what you have, but don't stop there. Ask: Who is the owner for each app?
    
2.  Policy. Clarify your risk appetite. Which applications are outside of your accepted use cases? Which should never have been built?
    
3.  Security assessment and retesting. Know your risk, and have a way to automatically test whether this risk has been mitigated.
    
4.  Self-service. Provide clear documentation. Create a self-service portal where citizen developers can learn about issues and how to fix them, where they can ask for clarification or exemptions.
    
5.  Enforce SLAs. What happens if a vulnerability isn't fixed under an SLA? Take preventive action where possible.
    
6.  Track and report. Ensure you get and maintain executive tailwinds by keeping everything informed on progress.
    

The team I mentioned at the beginning of this article followed all of these points and more. They invested time in designing the process, down to its nooks and crannies. This gave them the confidence to hit "play" on the campaign and drastically reduce the security risk in their environment.

It's an incredible success — two employees, three months, 70,000 vulnerabilities, no business disruption. Those results may be exceptional, but you can achieve incredible results at your business as well.

**About the Author(s)**

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

What Building Application Security Into Shadow IT Looks Like

In an incident with direct parallels to the recent Ticketmaster compromise, an Aussie live events giant says it was breached via a third-party cloud provider, as ShinyHunters takes credit.

Source: Jon Arnold Images Ltd via Alamy Stock Photo

The ShinyHunters cybercrime gang has claimed another victim, this time in Australia. The group recently posted information on a Dark Web forum that it says is for about 30 million users of Ticketek, Down Under's top live events ticketing organization.

Ticketek Entertainment Group (TEG) had already disclosed the breach in late May. According to a statement on its website, it noted that information had been heisted via an unnamed third-party cloud provider, with hackers making off with customer names, dates of birth, and email addresses. No user accounts were compromised, and payment information wasn't caught up in the incident, TEG stressed.

The circumstances are eerily similar to the Ticketmaster breach, which came to light at the beginning of June after ShinyHunters posted information impacting 560 million customers on the BreachForums underground market. That breach was also due to the compromise of a third-party cloud account, which was quickly revealed by researchers to be Snowflake.

Researchers subsequently determined that the Ticketmaster incident was part of a much broader cyber campaign against poorly secured Snowflake accounts that hit as many as 165 organizations, including Advanced Auto Parts and (most likely) Santander Bank. The attackers targeted low-hanging fruit: cloud accounts that lacked multifactor authentication (MFA), using credentials from previous breaches. Some of the passwords hadn't been rotated for three years, according to a recent analysis from Mandiant.

Despite researcher speculation, TEG has not confirmed a Snowflake connection nor ShinyHunters as the culprit for the cyberincident, though a 2022 case study (PDF) names the cloud provider as a technology partner for the ticketing giant. Neither company immediately returned a request for comment from Dark Reading.

**About the Author(s)**

30M Potentially Affected in Tickettek Australia Cloud Breach

The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks as well as the importance of regulatory oversight.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

June 24, 2024

3 Min Read

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

The recent settlement between the US Securities and Exchange Commission (SEC) and Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE), highlights significant issues within the realm of cybersecurity and corporate accountability. Below, we'll dissect the incident, scrutinize the involved parties' actions and responsibilities, and suggest practical measures to prevent future occurrences.

In 2018, a severe cyberattack on a subsidiary of ICE exposed highly sensitive information. The SEC's subsequent investigation revealed that ICE failed to implement adequate cybersecurity measures, compromising its systems. As a result, ICE was required to pay a $10 million settlement. This incident is a stark reminder of the critical need for robust cybersecurity practices, particularly for entities handling such vital financial data.

The primary accountability lies with ICE, which neglected to enforce stringent cybersecurity protocols. The SEC's findings indicate that ICE's subsidiary had multiple vulnerabilities that must be addressed adequately. This lack of preparedness is a significant breach of fiduciary duty to protect sensitive financial information.

The SEC's role in this scenario is crucial but paramount. It is responsible for regulatory oversight and enforcement, ensuring the market's integrity. The commission's proactive investigation and subsequent action against ICE demonstrate its unwavering commitment. However, the $10 million fine, while significant, raises questions about whether it is enough to deter future negligence by major financial institutions.

The primary gap lies in ICE's cybersecurity framework. Despite the known threats to financial institutions, ICE's subsidiary needed to prepare for a cyberattack. This highlights a broader issue within the industry, where cybersecurity is often deprioritized in favor of operational and financial concerns.

**An Inadequate Response**

The response to the cyberattack was inadequate. A well-prepared organization should have an incident response plan with immediate containment, investigation, and remediation steps. ICE's delayed and insufficient response allowed the attackers to exploit vulnerabilities extensively.

While the SEC's enforcement action is justifiable, it also reveals the pressing need for regulatory enhancements. The SEC should consider implementing more stringent guidelines and conducting regular audits to ensure financial institutions adhere to robust cybersecurity practices. This will help prevent similar incidents in the future.

Implementing a comprehensive cybersecurity strategy is necessary and practical for ICE and similar institutions. This includes regular vulnerability assessments, penetration testing, and advanced threat-detection systems. Adopting a zero-trust architecture, a security model that requires strict identity verification for every user and device attempting to access resources on a network, can significantly reduce the risk of unauthorized access, providing a practical and effective solution.

Human error is a critical factor in cybersecurity breaches. Regular employee training and awareness programs can reduce the risk of phishing and other social engineering attacks. Employees should be educated about the latest threats and the importance of following security protocols.

**Have a Clear Response Plan**

Organizations must develop and regularly update their incident response plans. These plans should outline clear steps for detecting, responding to, and recovering from cyberattacks. Regular drills and simulations can ensure that all stakeholders are prepared to act swiftly during a breach.

The SEC should consider implementing more rigorous cybersecurity requirements for financial institutions. Regular audits and compliance checks can ensure that these entities maintain high-security standards. Additionally, increasing penalties for non-compliance can serve as a stronger deterrent.

Financial institutions must unite and share information about threats and vulnerabilities. Establishing industry-wide forums or joining existing ones can help organizations stay informed about the latest cyber threats and best practices for mitigating them. This collaborative approach is not just beneficial but essential in the fight against cyber threats.

The $10 million settlement between the SEC and ICE is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks. While the SEC's actions highlight the importance of regulatory oversight, there is a clear need for enhanced cybersecurity measures, better incident response strategies, and more stringent regulatory requirements. By addressing these gaps, financial institutions can better protect sensitive information and maintain the integrity of the financial markets. 

Ensuring robust cybersecurity is a regulatory requirement and a fundamental aspect of modern business operations that demands continuous attention and improvement. Financial institutions must not establish only strong cybersecurity measures, but also regularly update and enhance them to keep pace with evolving threats.

**About the Author(s)**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

The NYSE's $10M Wake-up Call

After Sept. 29, 2024, organizations and individuals that continue using the vendor's products will no longer receive any updates or support.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

US businesses and consumers using Kaspersky's antivirus software products and services have until Sept. 29 to stop using them, following a Biden Administration ban earlier this week on sales of the company's technologies in the country over national security concerns.

Companies and individuals that continue to use Kaspersky products past that date will be doing so at their own — considerable — risk, because Kaspersky will no longer be able to offer any support or updates for its products after the deadline.

"It's a good time for CISOs along with other C-suite executives and board members to revisit their organizational use of the software and, frankly, to begin preparing for this to be a long-term aspect of government commercial cybersecurity regulation," says Andrew Borene, executive director at threat intelligence firm Flashpoint. "That means immediately evaluating the scope of any Kaspersky deployment, capturing current requirements, and identifying alternatives for delivering on those requirements once the ban takes full effect at the end of September."

**US Concerns About Kaspersky's Moscow Ties**

In a first-of-its-kind move, the US Department of Commerce, on June 20 formally banned Kaspersky from selling its products and services in the US, citing continued use of the company's software as presenting an "undue or unacceptable national security risk."

The Commerce Department's concerns have to do with Kaspersky being a Russian company and therefore apparently being obligated to turn over customer data to the government there, whenever asked for it.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive US information," the Commerce department said.

The ban marks the first time the Commerce Department has used its authority under a Trump Administration 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain (ICT).

As part of its action, the department also "designated" Kaspersky entities in Russia and the UK, meaning that US organizations and individuals are restricted from transacting business with them. In a related announcement, the US Department of Treasury placed similar restrictions on 12 key executives at Kaspersky, but notably not on the company's founder Eugene Kaspersky.

A Kaspersky spokesman described the Department of Commerce decision as likely motivated by the "current geopolitical climate and theoretical concerns rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services." Kaspersky will pursue all available legal options to fight the decision, the spokesman said in an emailed statement. He added, "Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interests and allies."

The US government decision does not impact Kaspersky's ability to continue selling its threat intelligence services or its cybersecurity training programs in the US, the statement noted.

**Death Knell for Kaspersky in the US?**

Even so, the US government's moves this week could effectively mean the end for Kaspersky in the country. In September 2017 the US Department of Homeland Security banned Kaspersky from selling to US federal civilian executive branch agencies over similar national security concerns. Though the company appealed that decision, the Federal Acquisition Regulation Council made it an official and permanent ban in September 2019. With this week's actions, the US government has formally blocked it from selling to US private sector companies and individuals as well.

"The US government has had its eye on Kaspersky for quite a while, so the ban is not particularly surprising," says Eric Parizo, an analyst with Omdia. The 2019 Executive Order bans the use of IT products and services that are owned or directed by a foreign adversary and pose an unacceptable risk to US national security, he says.

This week's US government action does not explicitly prohibit US individuals and organizations from using Kaspersky products after Sept. 29, 2024. But since the vendor cannot provide software updates for existing customers after that date, continued use of the product would represent a clear security risk, Parizo says. "In light of these events, it would be prudent for Kaspersky customers in the US to immediately seek alternatives." What heightens the urgency is the fact that Kaspersky's software products — like all anti-virus tools — have a lot of access to sensitive data on systems on which they are installed, he says.

**Countdown to Kaspersky Sunset**

Adam Maruyama, field CTO at Garrison Technology, recommends that companies which need to replace Kaspersky software make sure to catalog and identify unmanaged corporate devices that may be running the company's software. This includes looking at systems belonging to contractors on the corporate network as well as employees using personal devices at work.

"In the longer term, companies need to be conscious that a 'rip and replace' of antivirus software may not fully remove root-level access points from their systems, as antivirus programs often require root level access that is not easily removed by uninstallers," Maruyama cautions.

Given the concerns that the Commerce Department has raised about data theft and the potential weaponization of Kaspersky software, organizations should closely monitor network security suites and technical behavior of systems where Kaspersky was previously installed, he says.

The focus should be on anomalous behavior such as continued callbacks to Kaspersky or other unidentified servers. "For users with the highest levels of access to high-risk data and administrative privileges, organizations with a critical infrastructure mission may even want to consider replacing devices that previously used Kaspersky antivirus products to guard against residual risk," he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Kaspersky's US Customers Face Tight Deadline Following Govt. Ban

PRESS RELEASE

SAN FRANCISCO, June 20, 2024 /PRNewswire/ -- Abstract Security, crafted by category creators who have consistently redefined the cybersecurity landscape, today announced general availability (GA) of its revolutionary platform designed for the future of security operations. Already in use by customers, Abstract's platform helps security analysts and operations teams navigate the complexities of data pipelines, increase security effectiveness and lower costs.

"Since the inception of Abstract, we've been working tirelessly to combat the challenges of security operations today, offering a tool that focuses on the data that matters and ties security back to business value," said Ryan Clough, co-founder and CPO of Abstract Security. "With the explosion of data over the last few years, customers need a more customizable approach that moves beyond saved searches and dashboards. We're excited to reach this GA milestone as we bring the future security operations platform to more customers."

A key feature of Abstract's platform is the Abstract Security Engineer (ASE), which leverages a combination of AI, expert systems, machine learning, and subject matter expertise and connects to data sources across an organization, delivering instant data and detection capabilities. The security data fabric approach enables:

*   Advanced analytics and correlation: Abstract's platform enables customers to surface threats across their enterprise and cloud infrastructure in real-time. It's powered by out-of-the-box detection content provided by the Abstract research team, which is purpose-built for cloud and SaaS threats.
    
*   Security pipelines: With data routing, transformation and enrichment that is geared for security telemetry, customers can reduce the volume and cost of log data sent to their SIEM. A single point of collection enables drag-and-drop routing of data to any number of sources, including cloud storage, SIEMs, and data platforms.
    
*   Optimized storage: 95% of collected log data is not usable for detection. Abstract's platform intelligently divides hot, warm, and cold storage tiers to automatically optimize storage and compute costs and make the data relevant to security analytics accessible via instant queries.
    

Since emerging from stealth and announcing its Seed funding earlier this year, Abstract Security has expanded its global footprint, hired an experienced technology leader as CTO, and appointed a long-time industry expert to its Board of Directors. To aid in the continued development of the Abstract Security platform, the team has added visionary and innovator Jon Oltsik to its Advisory Board. With over 35 years of technology industry experience, Jon founded the cybersecurity practice at the Enterprise Strategy Group (ESG) in 2003 and has spent the subsequent 20 years studying cyber threats, cyber-risk management, technical defenses, and CISO strategies. Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective. Jon is a founding member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners, and he was named one of the top 100 cybersecurity influencers by Onalytica.

"Defending against cyber-attacks is more difficult today than it's ever been. With the complexity of infrastructure and sheer volume of data that organizations must manage, today's security analytics teams are tired of the status quo," said Jon Oltsik, Advisory Board member of Abstract Security. "Working as an analyst and advisor has given me a unique perspective into the pain points of industry leaders, and that's why I'm so excited about the unique approach that Abstract Security is taking to solve the problems in the SIEM marketplace, and have the opportunity to support and guide the team as they grow."

In the past several months, Abstract has also been recognized by notable industry awards including a Global Infosec Award for "Pioneering Cybersecurity Startup" at RSA Conference 2024, and most recently, a 2024 Cybersecurity Excellence Award in both "Best Cybersecurity Startup" and "SIEM" categories. The team's commitment to crafting an excellent platform for customers, keeping their sights on innovation, and thoughtful leadership won Abstract the award in both categories, beating out more than 600 applicants.

To learn more about Abstract Security's growing team and accomplishments, visit https://www.abstract.security/our-team or watch this Q&A with Jon Oltsik and CEO Colby DeRodeff. To book a demo, please contact \[email protected\].

About Abstract Security  
Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

Co-founders Colby DeRodeff, Ryan Clough, Aaron Shelmire, and Chris Camacho bring a unique set of experiences and backgrounds in product development and company-building expertise, formerly at companies like ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and others. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

Abstract Security Announces General Availability of its AI-Powered Data Streaming Platform for Security

Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.

Source: Mint Images Limited via Alamy Stock Photo

A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called "SneakyChef" has been cooking up new campaigns across more countries.

Based on its lure documents, likely targets for the campaign have included:

*   Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
    
*   The ministries of agriculture and forestry, and fisheries and marine resources in Angola
    
*   The Saudi Arabian embassy in Abu Dhabi
    

Talos has not attributed SneakyChef to any particular government itself. They did note, however, the Chinese language preferences present in its code, its use of SugarGh0st RAT — particularly, though not exclusively popular among Chinese threat actors — and the similar profile of its targets.

**Sneaky Chef's Latest Servings**

Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.

"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos' head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."

Among the goodies SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.

The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)

When it comes to government cyberespionage, "What we commonly see is that this would be the 'first wave.' This actor is not typically highly sophisticated, they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. Then, when they need access to a specific, extra-secured government body. "That's when you start seeing the more sophisticated elements of these attacks play out."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st

PRESS RELEASE

June 18, 2024 – FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, today announced its 2024 Board of Directors.

Four new Directors and two incumbents have been named to join nine existing Board Directors. The Board oversees FS-ISAC’s global activity and coordinates with FS-ISAC’s Europe Board of Directors and UK Strategic Subsidiary Board. Kris Fador, Chief Information Security Officer for Bank of America, will serve as the Board’s Chair.

The newly elected Directors are:

*   Kristina Dorville, Chief Information Security Officer, Truist Insurance Holdings
    
*   Debbie Janeczek, Chief Security Officer, Technology Executive, Swift
    
*   Susan Koski, Chief Information Security Officer and Head of Enterprise Information Security, PNC
    
*   Bethany Netzel, Managing Director, Operational Resilience and Global Security, CME Group
    
*   The two re-elected incumbents are:
    
*   Kyle Davis, Cyber Fusion Center Principal, Target Corporation
    
*   Steve Sparkes, Chief Information Security Officer, Scotiabank
    

“FS-ISAC’s work is critical in educating the financial services industry on the latest cybersecurity threats and developing best practices to ensure the trust of clients, customers, regulators, investors and other key stakeholders,” said Kris Fador, Chief Information Security Officer for Bank of America. “It’s a privilege to chair this important organization and have this elite group of top security experts join the FS-ISAC Board of Directors to help strengthen the security of the global financial system.”

"The financial services sector is extremely dynamic and FS-ISAC provides critical information and intelligence sharing that strengthens our collective practices and resilience," said Bethany Netzel, Managing Director of Operational Resilience and Global Security at CME Group. "I am pleased to join the FS-ISAC board and work alongside other industry leaders to maintain our strong relationships and manage evolving risks."

Elections took place during a critical year for the financial services industry, marked by rapidly evolving technology and rising geopolitical tension. The deep cybersecurity and resilience expertise of the Board will directly support FS-ISAC’s work in real-time information sharing, strategic incident response, and managing emerging risks. 

“Through nearly a decade of working with FS-ISAC, I’ve seen first-hand the value of global information sharing in defending the sector from escalating cyber threats,” said Debbie Janeczek, Chief Security Officer, Swift. “We must employ a multifaceted approach that encompasses technical solutions, strategic preparation, and industry collaboration to defend against the changing threat landscape. I look forward to continuing my service of protecting the financial sector in this capacity.”

“With the increased use of digital technology in the financial services industry, the work of FS-ISAC is paramount to protecting financial institutions and their clients against global cyber threats,” said Steve Sparkes, EVP, Chief Information Security Officer and Enterprise Platforms, Scotiabank. “I am proud to have been re-elected to the FS-ISAC board, which brings together professionals in support of cyber resilience through the shared commitment of protecting client data.”

“The complexity of the risks facing the financial sector continues to grow, and our Board of Directors ensures our work evolves in accordance with the needs of our member firms and the people they serve,” said Steven Silberstein, CEO, FS-ISAC. “I welcome the new additions to the Board as we work together to reinforce trust in the global financial system.”

Board candidates submit applications to the Board Nominating Committee, who then nominate a slate chosen for leadership qualifications, demonstrated commitment to FS-ISAC’s work, and diversity of skillset, experience, sub-sector, geography, and background. The nominees are then elected by FS-ISAC’s membership. 

FS-ISAC thanks the Directors at the end of their term for their contributions and continued commitment to ensuring the security of the global financial services sector. 

Join the new Board of Directors at FS-ISAC’s Americas Fall Summit in Atlanta, October 27 – 30, 2024. To register, click here. 

About FS-ISAC

FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization’s real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.

FS-ISAC Announces Appointments to Global Board of Directors

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Inside China's civilian hacker army; outer space threats; and NIST 2.0 Framework secrets for success.

Source: Emre Akkoyun via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   France Seeks to Protect National Interests With Bid for Atos Cybersec
    
*   Multifactor Authentication Is Not Enough to Protect Cloud Data
    
*   Global: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense
    
*   Catching Up on Innovation With NIST CSF 2.0
    
*   Space: The Final Frontier for Cyberattacks
    
*   Addressing Misinformation in Critical Infrastructure Security
    

**France Seeks to Protect National Interests With Bid for Atos Cybersec**

By Jai Vijayan, Contributing Writer, Dark Reading

By offering to buy Atos' big data and cybersecurity operations. Paris is trying to make sure key technologies do not fall under foreign control.

The government of France's recent bid to acquire the big data and cybersecurity division of Atos for some $750 million is an indication of the financially beleaguered company's vital importance to the country's defense interests.

It's a move that analysts say is about retaining domestic control over technology integrated into sensitive government, defense industrial base systems, supercomputers for simulating nuclear bomb tests, and a range of other critical infrastructure. Atos is also the primary cybersecurity provider to the upcoming Olympic Games in Paris.

Importantly, if the deal goes through, the French government will have a direct stake in a company that can help significantly bolster its technology and cybersecurity capabilities. "It makes sense for the French government to upgrade its defenses," says Mike Janke, co-founder of DataTribe. "For years, we have seen governments invest in critical companies through numerous means, but it has been rare for them to buy a company. We'll see if this emerges as a trend."

Read more: France Seeks to Protect National Interests With Bid for Atos Cybersec

Related: Airbus Calls Off Planned Acquisition of Atos Cybersecurity Group

**Multifactor Authentication Is Not Enough to Protect Cloud Data**

By Robert Lemos, Contributing Writer, Dark Reading

Ticketmaster, Santander Bank, and other large firms have suffered data leaks from a large cloud-based service, underscoring that companies need to pay attention to authentication.

Over the past month a ransom gang possibly related to ShinyHunters or Scattered Spider, stole reams of customer records from Ticketmaster and Santander Bank and put it up for sale, asking for millions for the data. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not be the use of stolen credentials and poor controls on multifactor authentication (MFA) for Snowflake cloud accounts.

But, while the theft of data from Snowflake's systems could have been prevented by MFA, the companies' failures go beyond the lack of that single control. Businesses using cloud services can learn important lessons from the latest spate of cloud breaches, researchers stress.

Read more: Multifactor Authentication Is Not Enough to Protect Cloud Data

Related: Snowflake Cloud Accounts Felled by Rampant Credential Issues

**Global: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense**

By Robert Lemos, Contributing Writer, Dark Reading

With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China's offensive cybersecurity programs.

China's cybersecurity experts over the past decade have evolved from hesitant participants in global capture-the-flag competitions, exploit contests, and bug bounty programs to dominant players in these arenas — and the Chinese government is applying those spoils toward stronger cyber-offensive capabilities for the nation.

Its civilian hackers have directly benefited China's cyber-offensive programs and are one example of the success of China's cybersecurity pipeline, which the government created through its requirement that all vulnerabilities be directly reported to government authorities, says Eugenio Benincasa, senior researcher at the Center for Security Studies (CSS) at ETH Zurich, in a new report.

"By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government leverages its civilian vulnerability researchers, among the best globally, on a large scale and at no cost," he says.

Read more: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense

Related: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia

**Catching Up on Innovation With NIST CSF 2.0**

Commentary by Jamie Moles, Senior Technical Manager, ExtraHop

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

The National Institute of Standards and Technology's Cybersecurity Framework 2.0 (NIST CSF 2.0) provides an important roadmap for reexamining security initiatives, fending off evolving threats, and preparing to meet today's innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

1\. Building a New Approach to Securing Infrastructure: A strong governance strategy establishes all people, process, and organizational concerns for cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight for the strategy and policies, controls for supply chain, and more.

2\. Investing to Fit Specific Business Needs: NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions.

3\. Developing an Organizationwide Approach to Security Hygiene: While the right tools are essential, a critical part of NIST CSF 2.0's "Protect" focuses on awareness, training, and identity and access management as critical safeguards to managing risk.

Read more: Catching Up on Innovation With NIST CSF 2.0

Related: NIST Releases Cybersecurity Framework 2.0

**Space: The Final Frontier for Cyberattacks**

By Jai Vijayan, Contributing Writer, Dark Reading

A failure to imagine — and prepare for — threats to outer-space related assets could be a huge mistake at a time when nation-states and private companies are rushing to deploy devices in a frantic new space race.

A distributed denial-of-service (DDoS) attack this week disabled electronic door locks across a major lunar settlement, trapping dozens of people indoors and locking out many more in lethal cold. The threat actor behind the attack is believed responsible for also commandeering a swarm of decades-old CubeSats last year and attempting to use them to trigger a chain reaction of potentially devastating satellite crashes.

Neither "incident" has happened, of course. Yet. But they well could, sometime in the not-too-distant future, and now is the time to start thinking about and planning for them.

Assessing capabilities in cybersecurity is never easy, and it’s even worse for the space domain because of the inherent national-security concerns that may classify much of that information. Space cybersecurity is shrouded in mystery from the start, which isn't surprising since space launches started as military missions.

But security by obscurity will not be an option for long.

Read more: Space: The Final Frontier for Cyberattacks

Related: The European Space Agency Explores Cybersecurity for Space Industry

**Addressing Misinformation in Critical Infrastructure Security**

By Roman Arutyunov, Co-Founder & Senior Vice President, Products, Xage Security

As the lines between the physical and digital realms blur, widespread understanding of cyber threats to critical infrastructure is of paramount importance.

The Francis Scott Key Bridge collapse in Baltimore, Md., in late March sent shockwaves through the country. Almost immediately, there was widespread speculation and conspiracy theories regarding its cause, including fears of a cyberattack. Although investigations ruled out deliberate sabotage, the incident raised public concern about the vulnerability of physical infrastructure. Some members of Congress even called for further investigation into the possibility of malicious code being involved.

The incident highlighted a general lack of awareness regarding the reality and scale of cyber-risks to critical infrastructure. While physical incidents capture headlines and public attention, silent, invisible attacks on critical infrastructure remain poorly understood.

Theorizing can distort public understanding of cyber threats, undermine trust in legitimate news sources, and complicate efforts to educate the public and stakeholders about the fundamental nature of cyber threats and the necessary precautions to mitigate them. The public's reaction to the Francis Scott Key Bridge collapse demonstrates the collective anxiety about cyber threats to critical infrastructure.

Read more: Addressing Misinformation in Critical Infrastructure Security

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

CISO Corner: Critical Infrastructure Misinformation; France's Atos Bid

PRESS RELEASE

DALLAS and TOKYO, June 18, 2024— VicOne, an automotive cybersecurity solutions leader, today announced that its xNexus and xZETA solutions are available in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS). xNexus is a next-generation vehicle security operations center (VSOC) platform and xZETA is an automotive vulnerability and software bill of materials (SBOM) management system. These safeguard the automotive software supply chain with unique zero-day threat intelligence, providing accurate, contextualized, and actionable insights for risk assessment.

AWS customers will now have access to VicOne’s solutions directly within AWS Marketplace. VicOne provides AWS customers with the ability to streamline the purchase and management of xNexus and xZETA within their AWS Marketplace account. 

“In various ways, our listing in AWS Marketplace is another of our efforts to help automotive manufacturers to securely put in place all of the many high-quality solutions they need across a globally scoped software supply chain for SDVs (software-defined vehicles),” said Max Cheng, chief executive officer of VicOne. “By accessing VicOne solutions, customers, MSSPs (managed security service providers) and other partners can more efficiently and simply offer our products to protect the automotive software supply chain against zero-day vulnerabilities and cyberattacks.” 

xNexus integrates with VicOne’s in-vehicle VSOC sensor, leveraging a unique large language modeling (LLM) approach to provide customized reporting to support VSOC teams. xNexus provides VSOC teams with actionable and contextualized attack paths based on different stakeholders’ needs. The capabilities delivered by VicOne’s next-gen VSOC platform accelerate threat investigations, enable confident response to attacks, and effectively reduce the burden of chasing false alarms. 

xZETA is an automotive vulnerability and SBOM management system that scans vehicle software to identify zero-day, undisclosed, known, and customer-discovered vulnerabilities, along with CWE, malware, and advanced persistent threats. Through xZETA’s patent-pending VicOne Vulnerability Impact Rating (VVIR) technology, external and internal insights are integrated to prioritize high-risk vulnerabilities. This enables swift identification of high-risk issues and formulation of corresponding strategies. Information feeds back into Threat Analysis and Risk Assessment (TARA) results to ensure alignment with ISO/SAE 21434 processes and maintain continuous monitoring.

Services will be available in Japan as soon as it is ready.

To learn more about the VicOne solutions available in AWS Marketplace, please visit here.

About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro’s 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit vicone.com.

You May Also Like

Source

DARKReading