The US government launched a self-attestation form asking software developers to affirm their software was developed securely. Compliance starts today for software used in critical infrastructure.

Source: miniartkur via Alamy Stock Photo

Starting June 11 — today — US government contractors providing software that is considered part of the critical infrastructure will need to fill out a form asserting that their software followed secure-by-design principles and that each component was under their scrutiny in the form of software bills of material (SBOMs). The Cybersecurity and Infrastructure Agency's (CISA) published the Secure Software Development Attestation Form back in March, though a recent study at RSA Conference by supply chain security management company Lineaje suggested that many vendors are not ready.

When asked whether they were prepared to meet the deadline for federal cybersecurity attestation, only about 20% of the respondents said they were, Lineaje said. Even worse, only 16% said their company had incorporated SBOMs into software development — a key part of compliance.

In May 2021, after widely publicized incidents such as the SolarWinds saga and the Log4j exploit, US President Joe Biden put government contractors on notice that they needed to start meeting tougher standards for cybersecurity practices. President Biden's Executive Order on Improving the Nation’s Cybersecurity (EO 14028) set a roadmap for making the US government more secure by making its systems, and all the software on them, traceable and auditable.

That resulted in the Secure Software Development Attestation Form, which a CEO or authorized designee must sign to swear that their company "presently makes consistent use of the following practices, derived from the secure software development framework (SSDF)," including "maintaining provenance" of all components and instituting a vulnerability reporting system. The form is available for download as a fillable PDF or as an online form through the Repository for Software Attestations and Artifacts portal.

For all other software — those not deemed critical — vendors don't have to start with self-attestation until Sept. 11.

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Process to Verify Software Was Built Securely Begins Today

In response to recent public outcry, Recall is getting new security accouterments. Will that be enough to quell concerns?

Source: Photo 12 via Alamy Stock Photo

Microsoft is adding new security measures to assuage widely publicized concerns over its new "Recall" AI feature. Some, though, still aren't convinced the company went far enough.

It's now just eight days until Microsoft releases Recall, a new artificial intelligence (AI)-driven program that will periodically take, store, and analyze screenshots of Copilot+ PCs as they're being used day-to-day. Recall is supposed to act like a kind of memory bank, allowing users to instantly find and reference things they've come across recently: apps, websites, images, and documents.

From the outset, Recall has been criticized as a potential goldmine for personal data theft. The noise got loud enough that, on Friday, Microsoft announced three new security-oriented updates for it:

*   In a reversal of its initial stance, Microsoft will now ship Recall turned off by default.
    
*   Users will need to enroll in Windows Hello in order to enable it, and so-called "proof of presence" will be required to use its primary features.
    
*   Recall data will be encrypted, and only decrypted and accessible once a user authenticates via Windows Hello.
    

Though they may represent a step in the right direction, experts remain skeptical that these changes will be enough to protect users' most sensitive passwords, photos, personally identifying information (PII), and financial information from hackers.

**Risks in Recall: A Case Study**

Many security experts cringed when Recall was announced, but few more than Marc-André Moreau, CTO of Devolutions. He worried that Windows' newest toy would inevitably capture and store visible passwords from his company's software for managing remote connections. With such passwords in hand, hackers would be able to easily connect to and manipulate any victim PC.

"Looking at documentation for how Recall works," he recalls, "it literally said that it wouldn't make an effort of removing sensitive information, credentials, or PII — anything which you would want scraped out, it would just keep in local files."

Microsoft's logic, it seemed, was that because Recall screenshots were stored only on the user's machine, they would remain safe from remote access. "Microsoft has this new chip which makes it possible to do the processing locally, and they thought that everybody would be fine since the data isn't uploaded to the cloud," Moreau explains. "But you wouldn't install a keylogger on your machine just because the files are stored locally. Files can be grabbed by malware. So why would you enable Recall?"

To demonstrate the point, he performed a simple red team exercise. In his telling, "I didn't have to do much. I just set up an environment, used some tool that somebody made online to force-install it, and then I installed \[Devolutions'\] Remote Desktop Manager. I clicked 'view password,' then 'record,' and then I found the database. I opened it, and I could see the extracted password alongside the screenshot that includes the password."

> Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective that I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match pic.twitter.com/RUiLs57bKz  
> — Marc-André Moreau (@awakecoding) June 3, 2024

Other researchers have also found simple ways of accessing sensitive data in Recall screenshots. One has already developed and released an open source tool to help speed up the job.

To try to protect his customers, Moreau next looked for a way to exclude his company's software from Recall by default. He came up short.

**Are Microsoft's New Updates Enough?**

Users will have more control over their data privacy now, thanks to Microsoft's turning off Recall by default.

Moreau is skeptical, though, that Windows Hello can be fully and properly integrated into Recall without delaying its preview release, which is mere days away. "I'm in software, things don't happen that fast," he says.

Dark Reading reached out to Microsoft for comment on how it will be able to marry Windows Hello and Recall in time for June 18. In response, Microsoft said in a statement: "As we shared in our May 3 blog, security is our top priority at Microsoft, in line with our ⁠Secure Future Initiative (SFI), and we are evaluating Recall through that lens. As we implement SFI across Microsoft, we may shift some feature release dates and will update our public roadmaps as this happens."

In the barely a month since that blog post, and Satya Nadella's letter "prioritizing security above all else," for some critics, Recall recalls other AI products that are getting rushed to market.

Ironically, AI could well solve these programs' most pressing security flaws. "I could upload a Recall screenshot to ChatGPT today and tell it to identify the data which looks sensitive, and it will be able to," Moreau notes. "They could have used their AI chip to help solve this \[data leakage\] but they didn't even try. They were too eager to ship."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Modifies 'Recall' AI Feature Amid Privacy, Security Failings

A threat actor has accessed data belonging to at least 165 organizations using valid credentials to their Snowflake accounts, thanks to no MFA and poor password hygiene.

Source: Ulrick-T via Alamy Stock Photo

A Mandiant investigation of recent account compromises at Snowflake, a data warehousing platform, has confirmed that all of them resulted from a failure by customers to implement multifactor authentication (MFA) and proper access control to their accounts.

According to Mandiant, part of Google Cloud, a financially motivated threat actor that it is tracking as UNC5537 appears to have systematically accessed accounts belonging to at least 165 Snowflake customers, using valid account credentials obtained from elsewhere.

**Compromised Credentials the Sole Factor**

The attacker has stolen data from the accounts and has either attempted to extort victims with it or has made the data available for sale on cybercrime forums. Though Mandiant has not named any victims, other security vendors have identified Ticketmaster and Santander Bank as being among the many victims of the massive campaign.

"Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment," the security vendor said. "Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."

Mandiant has assessed that UNC5537 aggregated credentials for Snowflake accounts from multiple previous information stealer campaigns. In several incidents that Mandiant investigated, the credentials that the threat actor used to access Snowflake customer accounts were obtained from spy Trojans installed on contractor systems. Such credentials are often available for sale and for free on the Dark Web and multiple other sources, Mandiant said.

Significantly, many of the credentials that UNC5537 used to access Snowflake accounts haven't been rotated in at least a couple of years. In one instance, the threat actor leveraged a credential from a November 2020 information stealer campaign to access the associated Snowflake account, meaning the victim had not updated that credential for the past four years at least.

"UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure," Mandiant stressed. "The affected customer instances did not require MFA, and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations."

**The Growing Information-Stealer Threat**

Mandiant's findings are another reminder of the enormous and growing exposure to organization from credential theft, and the booming market for information stealers. In recent years, the trend has heightened calls from security experts about the need for organizations to implement MFA and best practices like using zero-trust models and limited allow lists to control access to data in the cloud.

"Mandiant assesses MFA would have prevented compromise of Snowflake accounts in this campaign," says Austin Larsen, senior threat analyst at Mandiant. "Mandiant has not identified evidence of the actor being able to bypass MFA" in any of the observed incidents.

Larsen says Snowflake's status as a multicloud data warehousing platform that organizations use to store and analyze large amounts of structured and unstructured data, likely made it a good target for the attackers. "Often these databases contain valuable and sensitive information, which is an attractive target for financially motivated actors," he says. "This increases the likelihood of the threat actor monetizing this data via extortion and/or sale through underground forums."

Interestingly, while the compromise of Snowflake accounts has received a lot of attention, Mandiant has identified non-Snowflake customers as well that UNC5537 has targeted going back at least six months, Larsen adds.

Jason Soroko, senior vice president of product at Sectigo, says that while Mandiant's Snowflake findings should be on billboards, the message itself has been repeated a countless number of times, continuing to fall on deaf ears.

"We must implement stronger forms of authentication than passwords and move past even needing MFA," he says. "We have already learned these lessons many times. We have also heard the excuses why doing this is so difficult. Nothing will change until the will to do the right thing exists."

Julianna Lamb, chief technology officer and co-founder of Stytch, says companies that continue using passwords as a form of authentication need to ensure proper controls over their use. This means not permitting password reuse and by making it was easy as possible for users to generate string passwords.

She also recommends that organizations monitor sites such as HaveIBeenPwned’s database to ensure that users aren’t using a breached password. "It’s also important to invest in multiple layers of protection beyond passwords, such as bot prevention measures to identify when bots are on-site and being used for credential stuffing, and implementing two-factor authentication."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Snowflake Cloud Accounts Felled by Rampant Credential Issues

VoIP gear, hypervisors, medical equipment, building automation, printers, and more pose broad risk to organizations, with many facing danger from a combo of IT, IoT, and OT all at once. This listicle breaks it down.

Source: NicoElNino via Alamy Stock Photo

For nearly every organization, the cyberattack threat landscape is made up of a mix of IT, Internet of Things (IoT), and operational technology (OT) like HVAC systems, offering plenty of "ways in" for cyber threat actors. Plus, the medical field has its own specialized set of IoT equipment, extending the targeting options for would-be bad guys even further.

To help organizations assess where danger might be lurking this modern, complex device landscape, Forescout Research–Vedere Labs examined nearly 19 million devices to determine which categories represent the greatest risk to organizations. The findings are based on the potential for misconfiguration, the number of vulnerabilities found, exposure to the Internet, and the potential impact to an organization in the case of compromise.

Baseline data points include the fact that IT devices still account for most vulnerabilities (58%), but that the category is down from 78% in 2023. IoT vulnerabilities, however, were up a whopping 136%, increasing the percentage of known bugs from 14% last year to 33% today.

Overall, the most vulnerable device types are: wireless access points (WAPs), routers, printers, voice-over-IP (VoIP) devices, and IP cameras. The most-exposed unmanaged gear includes VoIP devices, networking infrastructure, and printers.

Meanwhile, the top three riskiest verticals are: technology, education, and manufacturing. Healthcare had the biggest decline in risky devices for 2024, but the most-problematic devices in the Internet of Medical Things (IoMT) are all new entries for this year, indicating that this is a swiftly changing landscape.

Overall, it's important to take a holistic view when risk-assessing one's environment, according to Forescout.

"It is not enough to focus defenses on risky devices in a single category since attackers can leverage devices of different categories to carry out attacks," according to Forescout's report, out today, which includes a proof-of-concept attack dubbed "R4IoT" that starts with an IP camera, moves to a workstation (IT), and disables programmable logic controllers (PLCs).

 "Modern risk and exposure management must encompass devices in every category to identify, prioritize and reduce risk across the whole organization," according to the firm. "Solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack."

Here's a breakdown of 2024's most-risky connected devices:

**IT Devices**

IT endpoints have traditionally been the category most targeted by cyberattackers for initial access, but since the beginning of 2023, network infrastructure devices have outpaced endpoints in terms of riskiness, according to Forescout — largely due to increase in the number of vulnerabilities found and exploited in this category.

*   Thus, routers and wireless access points top the list of riskiest IT devices, followed by servers and computers, then hypervisors.
    

The hypervisors that host virtual machines (VMs) have become a favorite target for ransomware gangs since 2022 because they allow attackers to encrypt several VMs at once. Also, they're typically unmanaged and do not support traditional endpoint protection agents.

**The Internet of Things (IoT)**

The list of the riskiest IoT devices includes one new entry: network video recorders (NVRs).

"NVRs sit alongside IP cameras on a network to store their recorded video," according to the report. "Just like IP cameras, they are commonly found online and have significant vulnerabilities that have been exploited by cybercriminal botnets and advanced persistent threats (APTs)."

*   The "riskiest" list is rounded out with some usual suspects, with the top five being: network-attached storage (NAS), VoIP, IP cameras, printers, and NVRs.
    

NAS devices have been a growing target for ransomware actors thanks to a series of bugs and the valuable data they store; VoIP and IP cameras are commonly exposed on the Internet without proper defenses like strong passwords. But Forescout pointed out that printers are less well-known as conduits for cyber threats — a potentially catastrophic oversight.

"Printers include multifunctional printing and copying devices used in the connected office," researchers explained in the report. "They also include specialized devices for printing receipts, labels, tickets, wristbands and other uses. Printers are also often connected to sensitive devices, such as point of sales systems and conventional workstations with privileged users."

**Operational Technology**

With the Cybersecurity and Infrastructure Security Agency (CISA) issuing regular alerts regarding the rising tide of threats like Volt Typhoon to the OT footprint in the US, this is one area that organizations should prioritize for defense improvements, Forescout researchers noted.

*   The riskiest devices in this sector are: uninterruptible power sources (UPS), distributed control systems (DCS), PLCs, robotics, and building management systems.
    

The issues are myriad. For instance, UPSes, which are involved in power monitoring and data center power management, are often left with default credentials in place. Plus, the consequences of an attack could include power loss in a critical location or tampering with voltage to damage sensitive equipment.

Meanwhile, the PLCs and DCSes responsible for controlling industrial processes are "critical and insecure-by-design … often allowing attackers to interact with them and even reconfigure them without the need for authentication," according to the report.

Robots have become ubiquitous in electronics and automotive manufacturing, and they're on the rise for logistics and in the military. Still, they suffer from outdated software, default credentials, and lax security postures.

"Attacks on robots range from production sabotage to physical damage and human safety," the researchers warned.

And last but not least, building automation and management systems, including things like smart lighting, HVAC, elevator operations, surveillance, door locks, and more, present a big risk to companies. Forescout warned that attacks could "render controllers unusable, recruit vulnerable physical access control devices for botnets, or leverage management workstations for initial access … they are often found exposed online even in critical locations."

**Internet of Medical Things (IoMT)**

Forescout's IoMT device breakdown contains all new devices this year, and includes a mix of IT equipment and dedicated embedded devices, all of which could pose enormous risk to patient safety and personal health information (PHI).  

*   The riskiest IoMT devices include: medical information systems, electrocardiograph machines, DICOM workstations, picture archiving and communication systems (PACS), and medication-dispensing systems.
    

Medical information systems store and manage clinical data; they also connect to electronic health records and billing information. In addition to the criticality of the data, thousands of these systems are exposed online, according to the researchers.

Meanwhile, "electrocardiographs are risky because of their fundamental role and large impact in acute patient care. A peer-reviewed study showed that data breach remediation efforts in hospitals led to a 2.7 minute delay in performing ECGs, thus increasing patient mortality by 0.36%." They're the third most-vulnerable IoMT device in the dataset, after medication-dispensing systems and infusion pumps.

Furthermore, DICOM workstations and PACS used in medical imaging tend to run legacy vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files, and are often unencrypted, "which could allow attackers to obtain or tamper with medical images, including to spread malware," according to the report.

And finally, medication-dispensing systems are the second most-exposed IoMT device type in the dataset, the researchers warned, and their disruption can affect patient care.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

A Look at the Riskiest Connected Devices of 2024

Pseudonymous masking has made credit card transactions more secure, but Visa has even greater plans for tokenization: giving users control of their data.

Source: basiczto via Shutterstock

In 2014, Visa introduced its tokenization service, allowing customers to pay for goods and services without giving away their credit card details.

A decade later, the shift to tokenization has become a great success. The company has issued more than 10 billion tokens, which typically replace a card number in a digital wallet, such as Apple Pay or Google Pay. These tokens — fueled more than $40 billion in e-commerce transactions in the past year, according to Visa, accounting for 29% of all transactions processed by the financial giant. Perhaps even more significantly, tokens see 60% less fraud, leading to the prevention of more than $650 million in fraud in the past year, the company said.

The success is driven by the security technology's ease of use, with digital wallets playing host for most consumers' tokens, says Mark Nelsen, senior vice president and head of consumer platform products for Visa.

"Merchants like it because you get less abandonment, you get higher conversion rate, and, oh, you get lower fraud at the same time," he says. "It seems simple in theory, but there's a lot of technology — as you can imagine — behind the scenes that makes it work at scale."

The tokenization of digital payments has arguably been the greatest success to date for the pseudonymous technology. But the future holds new applications, including the increase of user privacy and the decrease of data loss in case of breach.

**What's Accelerating Tokenization**

In 2020, Visa marked the issuance of its 1 billionth token, a milestone that took six years to reach. Social distancing during the pandemic and consumers' greater comfort with the technology accelerated adoption, leading to 9 billion more tokens created for payment cards in the past four years, according to the financial giant.

The next great push for tokenization will be to improve privacy and data quality, Nelsen says. Passkeys are essentially a tokenization technology that replaces a password with an authentication process using a user's device and, typically, a biometric.

In the future, Visa aims to make tokenization even more widespread, replacing more user data with tokens. The upcoming Visa Token Service can be used to protect nearly any data, including sensitive data, and gives consumers full control over with whom they share their data. At any point in time, the consumer could log into their issuer's banking app, see all of the places where they have shared their data, and revoke some of those permission, Nelsen says.

"Because it's tokenized, they now have life cycle management, and so they could say to the bank, 'Hey, I want to disable or revoke access to my data for these merchants because they don't need to have access to my data anymore,'" he says. "We think it creates a really nice framework for how we could manage data going forward."

The company plans to launch its first Visa Token Service pilots later this year.

**How Tokenization Hides Data**

While tokenization of nonpayment data has gradually grown in popularity, especially as the discipline of data science has taken off over the past decade, managing the process is often complex.

Unlike encryption, tokens can directly replace sensitive data, adhering to the data format so that legacy systems can store the data. Financial institutions, for example, can use tokens to replace credit cards because a 16-digit token can be generated and stored in the place of the 16-digit account number.

A combination of tokenization and encryption can help companies comply with regulations and protect sensitive data, says Brent Johnson, CISO at Bluefin, a data security firm.

"Without an authenticated API to 'detokenize' the data and decode the token, the token is useless to hackers," he says.

**Vaulted or Vaultless Tokenization?**

Most businesses are data pack rats — throwing away perfectly good data is antithesis to their strategy. Yet keeping data around poses risks in the case of a data breach. So companies typically use one of two methods of tokenization: Vaulted systems store the mapping of tokens to data in a vault but allow employees to use the tokenized version, while vaultless systems use an encryption-like mapping that can restore data for authorized users.

There is no reason for companies to leave nontokenized data around, says Todd Moore, global head of data security products at Thales, a data protection firm.

"Tokenization should be a part of an organization's overall security strategy, \[but\] encryption and associated key management remains the best way to protect long-term sensitive data," he says. "Many global privacy regulations recognize the combination of using encryption and tokenization, like pseudonymization, as an adequate form of data protection."

Tokenization should not just be used for databases but also to mask privacy-regulated data with tokenization, which can help companies retain some use of the information while meeting their regulatory obligations, says Bluefin's Johnson.

In fact, by pushing tokenization out to the user's machine, companies can make their data life cycles more secure, he says.

"Companies should ... use tokenization to immediately tokenize data upon entry into a Web form or e-commerce page, further extending its use beyond protecting data in storage," Johnson says. "Vaultless tokenization provides the easiest way to secure an organization's data as most of the organization's systems will never see the original data strings, and only a very few, limited, heavily controlled systems are allowed to transform tokens back to sensitive data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tokenization Moves Beyond Payments to Personal Privacy

The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the country's paper of record has not yet confirmed the nature of the data accessed.

Source: Michele D'Ottavio via Alamy Stock Photo

A 4chan user has leaked 270GB of internal New York Times data — allegedly including source code for the popular Wordle game and other parts of the business — as part of an incident that the media outlet partially confirmed this week.

The anonymous 4chan user claimed to have gained access to 5,000 GitHub repositories, mostly unencrypted, containing a collective 3.6 million files, including "basically all source code belonging to the New York Times Company."

Such claims from cybercriminals should always be taken with a grain of salt. But at least one researcher, Alex Ivanovs, says he has verified part of the data as legitimate, including source code for Wordle; a WordPress database of 1,500 New York Times Education site users with names, email addresses, and hashed passwords; internal Slack communications; and authentication details such as "URLs and their respective passwords, secret keys, and API tokens. … Plenty of such secrets need immediate attention."

For its part, a spokesperson for the Gray Lady confirmed that data was accessed back in January, but didn't verify the granular details of the incident.

“The underlying event related to the recent online posting of Times information occurred in January 2024, when a credential to a cloud-based third-party code platform was inadvertently made available," says Charlie Stadtlander, New York Times managing director for external communications, newsroom, and opinion. "The issue was quickly identified, and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

**Source-Code Leaks Have Wide-Ranging Implications**

If the data trove is indeed as extensive as claimed, the ramifications could be significant for the Times itself, as well as for subscribers.

"The very nature of source code means that malicious actors could examine it for vulnerabilities to exploit in cyberattacks," noted Javvad Malik, lead security awareness advocate at KnowBe4, in an emailed statement. "Additionally, the claim that only a small fraction of the repositories were encrypted highlights a potential gap in data protection strategies."

Thomas Richards, principal security consultant at Synopsys, added in an email that the exposure of source code could also allow cybercriminals to tamper with applications, games, and internal infrastructure for use in any number of nefarious attacks.

"What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code," he said. "If they were in the network just to view the code, they could also tamper with the code to introduce vulnerabilities or backdoors to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with or that unauthorized changes were made."

Even if the data affected is less impacting than many fear, the incident is the latest, along with the recently revealed Ticketmaster breach, to showcase issues in securing third-party cloud assets.

This is a developing story.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

New York Times Internal Data Nabbed From GitHub

London cops make arrests in connection with scam SMS messages, purportedly from official organizations, being sent out from bespoke phone mast.

Source: Roger Bamber via Alamy Stock Photo

London police have made two arrests in connection with what the law-enforcement agency claims is a first-of-its-kind crime — bypassing mobile networks' security to send flurries of malicious text messages by standing up a homemade cellphone tower.

Commonly referred to as "smishing," using SMS text messages as phishing lures is nothing new, but the addition of the homemade tower the accused used as a "text message blaster," according to the cops, is a novel approach.

“The criminals committing these types of crimes are only getting smarter, working in more complex ways to trick unknowing members of the public and steal whatever they can get their hands on," said temporary Detective Chief Inspector David Vint, head of the Dedicated Card and Payment Crime Unit (DCPCU), in an announcement of the arrests.

The cybercriminals reportedly sent thousands of text messages posing as banks and other organizations in an attempt to harvest data from victims, the London police explained.

**About the Author(s)**

Smishers Stand Up Fake Phone Tower to Blast Malicious Texts

If passed, APRA will be a giant leap forward for the rights and freedoms of Americans.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

April 7 was quite a moment for Americans. That was when two US lawmakers shared draft legislation of a soon-to-be unveiled bill called the American Privacy Rights Act, or APRA. According to the International Association of Privacy Professionals (IAPP), if it becomes law, the American Privacy Rights Act "would introduce a significant shift in how organizations collect, process and share personal information, and set a high bar for data minimization practices.

To date, corporate privacy professionals whose operations are in scope of the US have needed to treat the region essentially as 50 countries since, generally, each state has its own set of laws and regulations on the subject. Complex if you deal with one or two states, unmanageable if you deal with 50.

Let's set the scene: The United States has, historically, addressed the privacy of its citizens at the state level, reserving broader rule for specific industries such as medical (HIPAA), financial, and trade (FTC). You quickly can see how this legislative patchwork left significant gaps in the processing of personal data outside very specific use cases. Europe suffered a similar lack of cohesion for many years, until the implementation of the General Data Protection Regulation (GDPR) in 2018, and the world watched closely to see if unified laws spanning dozens of geographies could actually work.

Six years later, it is safe to say that the processing and protection of personal information across Europe is unrecognizable from what it once was, and in the interim period, we've even seen the birth of revolutionary data laws in California and other states. A standard for data subjects' rights and what they expected was emerging in a place where we were generating and using — as well as valuing and relying upon — an exponentially increasing amount of data.

**The US Needs Federal Privacy Laws**

There are a number of reasons why the US wants, and needs, privacy laws at a federal level: consistency, manageability, interstate operability, trade with other regions such as Europe and Australia, and to enable technologies such as open banking to move forward. To date, states including California, Kentucky, Maryland, and others have been left with no choice but to enact local laws in order to compete in a marketplace where data privacy is a key player and differentiator among those vying for business. 

APRA, which at the time of this writing is still in draft form, follows in the footsteps of GDPR and the ePrivacy Directive, with provisions for data processing principles, subject's rights, consent to marketing, and data security.

This is still very early days, and in addition to the unclear timing (typically, an election year would preclude these types of proposals), there are more than a few obstacles still to overcome, including the same challenges that were evident in 2022, such as state law preemption and Private Right of Action.

Relevant stakeholders (think big tech, privacy groups, state governors, etc.) will each have their own perspectives, priorities, and questions, all of which will take time to come to an agreement on, if at all possible. It's worth noting that, unlike legislation in other countries, APRA attempts to consider both the interests of the data subject as well as those of the business and its operational abilities. This is untested waters, though, so it will be very interesting to see if, and how, that would work in real life.

In summary, APRA is a giant leap forward for the rights and freedoms of American subjects. I know we have been here before (two years ago), but this feels different — with people reenergized, reinvigorated, and excited by it. US lawmakers will be feeling pressure from different angles, not least from large enterprises that are losing opportunities to other regions where legislation enforces the notion of putting personal information front and center. Watch this space: I think good things are coming.

**About the Author(s)**

Group Data Protection Officer, GlobalSign

Richard Hancock is Group Data Protection Officer of GlobalSign, where he utilizes a strong technical background to provide clear and practical steer and guidance in addressing problems with a long, proven track record of creating, implementing, managing and reviewing data protection programs and framework, aligning with industry standards, and meeting a plethora of ever changing, culturally different global legislative landscapes. He spent many years helping enterprises implement PKI solutions, ranging from 1 or 2 SSL certificates through to custom-written API modules for automated process handling. Over the past decade, he has used that skill set to develop and implement data governance regime and data protection legislation compliance, encompassing not just General Data Protection Regulation (GDPR) and ePrivacy but also many domestic laws, as well as both federal and state level regulations within the US. He continues to lead the way in strategic thinking and best practice deployment in the identity verification, digital signing, and data encryption sector.

Is a US Nationwide Privacy Law Really Coming?

The threat environment will continue to grow in complexity. Now is the time for organizations to streamline how they manage and mitigate overlooked vulnerabilities.

Source: Stephen Parker via Alamy Stock Photo

According to Coalition's research, Common Vulnerabilities and Exposures (CVEs) are expected to increase by 25% in 2024 to a shocking height of 34,888 vulnerabilities, or roughly 2,900 per month. As attack surfaces continue to expand rapidly, business leaders face mission-critical choices in increasing their cyber defenses to improve vulnerability warning, patch management, and incident response.

Through our honeypot data and view into our cyber insurance policyholders' attack surfaces, security tools, and workflows, Coalition has identified the key technology choices that place businesses at risk — as well as the choices that are proving most effective.

**Short-Sighted Business Choices**

Several factors contribute to the current state of weak vulnerability management, making organizations more susceptible to cyberattacks.

First, companies often leave security teams under-resourced and overworked. These cyber workforce challenges — from worker shortages and cyber skill gaps to security burnout — continue weighing down security teams. Information security professionals are enduring extreme alert fatigue, inhibiting their ability to quickly track, patch, and remediate vulnerabilities.

Second, choosing to use disparate flagging systems keeps critical information on the latest threats siloed. Companies and their customers are at risk because key resources are managed separately: The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) scores, the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and miscellaneous (and often belated) security advisories from vendors all come from distinct sources. The onus then is transferred to each organization to stay on top of all these different information sources. Worse, now that NIST is facing major backlog issues, its National Vulnerability Database can no longer be seen as a source of truth, complicating the picture further.

Third, companies don't always put business resources into closing the talent gap. ISC2 found that while the cybersecurity workforce grew 8.7% year over year in 2023, the workforce gap grew an additional 12.6%. Supply is outpacing demand, and security teams are simply strapped.

Finally, choosing to ignore technical debt keeps old and outdated software a high-risk target. Legacy technologies and companies' massive lists of technology subscriptions not only take up security budgets, but they also expand businesses' attack surfaces. Many businesses don't have the budget to explore new security tools or approaches because they are weighed down by technical debt.

**Risky Technical Choices**

Security teams must make smarter choices about the overlooked risks threat actors continue to successfully target and exploit year after year: unpatched vulnerabilities, Internet-exposed technologies, and end-of-life (EOL) technology.

First, understand that vulnerabilities can turn seemingly small software flaws into active attacks, so putting off patching is a risky decision. In a recent example, a nation-state attack from a North Korean threat group targeted a Windows zero-day vulnerability left unpatched for six months. This vulnerability's scale and business impacts are still unknown but pose a massive, ongoing risk for organizations.

Second, organizations need to pay more attention to their easily exploitable, Internet-exposed technologies. For example, Coalition found scans from unique IP addresses looking for Remote Desktop Protocol (RDP) increased by 59% from January 2023 to October 2023, indicating that cybercriminals are still targeting this vulnerable technology to gain operating system access.

Finally, companies often decide to keep outdated and EOL technologies running until they break down completely — or get penetrated. Threat actors upped their attacks on outdated, out-of-date software this last year. Coalition's report found that 10,000 businesses are running EOL database Microsoft SQL Server 2000, while over 100,000 businesses are running EOL Microsoft SQL servers. If left unaddressed, outdated technology and technical debt will cost organizations in the US trillions of dollars in the coming years.

As threat actors continue to search for the easiest risks to exploit and monetize, strengthening an organization's cyber resilience can be as simple as identifying the most easily addressable risks.

**Smarter Choices for Security Teams**

Our research shows that choosing to implement a few leading solutions improves vulnerability management and will continue to do so in the foreseeable future.

First, security professionals can leverage threat intelligence tools, like honeypots, to identify hackers' tactics, techniques, and procedures. These tools help serve as an early warning system for new threats. For example, Coalition uncovered cybercriminal activity related to the 1,000% 2023 MOVEit vulnerability spike in mid-May, two weeks before Progress Software and CISA issued their advisories. This early alerting helped our policyholders remediate the vulnerability and avoid related cyber incidents and impending cyber insurance claims. Meanwhile, the vulnerability cost the broader cyber ecosystem $15.6 billion.

Second, defenders should employ artificial intelligence (AI) to help them generate and contextualize alerts across the security ecosystem. While the cyber industry works to overcome the cybersecurity risks of AI, vendors are also finding new ways to battle adversaries with the technology. For example, Coalition's Exploit Scoring System incorporates multiple data sets and analyzes them with AI to help companies manage and prioritize risk mitigation.

Finally, remember to pair continuous threat detection and response management with a human traffic guard. The human power of security teams will lift cogent businesses over risky ones. While AI and machine learning are key to catching vulnerabilities, patching with intelligence requires people — strategic human partners who can act on the AI's automated insights.

**About the Author(s)**

Vice President of Research, Coalition

Tiago Henriques has had a rich career across the cybersecurity industry as an entrepreneur, CEO, pen tester, security analyst and auditor. In 2015 he founded BinaryEdge, a cybersecurity company specializing in enterprise infrastructure scanning and attack surface management. Since Coalition's acquisition of BinaryEdge in 2020, Tiago led customer security efforts across the organization as Director of Engineering for Security, recently becoming Vice President of Research.

Making Choices that Lead to Stronger Vulnerability Management

While cyberattacks drop slightly during the week of the Islamic pilgrimage, organizations in Saudi Arabia and other countries with large Muslim populations see attacks on the rise.

Source: ESB Professional via Shutterstock

The final month of the Islamic calendar, Dhu al-Hijjah, began on June 7, marking the countdown for millions of Muslims to the Hajj pilgrimage, and also a time when cybercriminals and cyber-espionage actors see increased opportunity amid reduced vigilance and slimmed staffing.

While many of the cyberattacks are focused on pilgrims as consumers of travel services, a variety of businesses — from banks to e-commerce sites — are at greater risk of data theft and denial-of-service attacks, according to experts. On June 3, for example, cyberthreat actors announced a data leak on an underground forum that allegedly contained the personal information of 168 million users from "The Hajj and Pilgrimage Organization in Iran," according to cybersecurity firm Kaspersky.

The attacks highlight the two aspects of how cyberattackers see the Hajj season: as an opportunity to take advantage of pilgrims, but also as a time of reduced resources for security teams, making business and government agencies vulnerable, says Amin Hasbini, head of global research and analysis team for the Middle East, Turkey, and Africa region at Kaspersky.

"Companies in the Middle East and other regions need to exert extra caution during holiday seasons such as Hajj — the absence of certain employees needs to be accounted for to ensure smooth operations and maintaining security efficiency and productivity," he says. "Overall, it’s challenging for companies to have the right resources available and ready, in addition to the right policies and plans to complete the handover transition correctly, creating weaknesses that could be abused by threat actors."

The Hajj, which starts on the eighth day of the Islamic month and lasts four to six days, marks nearly a week of religious holidays for the Middle East and for an estimated 2 billion Muslims worldwide.

While Kaspersky sees threats affecting Saudi Arabia and other countries in the region drop by as much as 30% during the week of the Hajj, cyberattacks then quickly rebound. In 2022, for instance, when Saudi Arabia once again opened the annual Hajj pilgrimage to the world following the COVID-19 pandemic, cyberattacks doubled to more than 2 million during the month of Dhu al-Hijjah, which officially starts with the appearance of the new crescent moon.

While Saudi Arabia did not report data on cyberattacks in 2023, other countries have seen similar increases in attacks, says Shilpi Handa, associate research director for security at IDC's Middle East, Turkey, and Africa group.

"Annually, there's a significant surge in cybersecurity incidents reported by multiple security organizations in the Middle East," she says. "Similar findings are reported all over the region after the conclusion of Hajj each year."

**Cyber Scams**

The cyber threats linked to the Hajj pilgrimage typically begin early in the year, as cybercriminals aim to take advantage of Muslim adherents planning to make the trip to Saudi Arabia. Attackers use fake travel agencies, social media scams, or attacker-controlled online registration sites to entrap unsuspecting victims. Saudi Arabia's Ministry of Hajj and Umrah, which manages services and infrastructure around the pilgrimages, launched a government platform, Nusuk, that connects prospective pilgrims with legitimate operators and sites, which has significantly reduced fraud.

However, advanced threat actors have used messages and notifications about the Hajj as a way to lure employees into opening links and attachments in email. From January to May 2024, for example, an India-linked threat group — alternatively known as Sidewinder and Rattlesnake — has used Hajj-related emails to target users in Asia and Africa, according to Kaspersky.

The problem for many companies is that employees often use their business email in Web forms, or expose themselves to threats through social media, says Shawn Loveland, chief operating officer for Resecurity, a global cybersecurity service provider with clients in the Middle East.

"It's concerning how many employees use their business email on personal websites," he says. "If their PII gets scammed, now the threat actors know where you work. ... Employers should be helping to educate their employees about online fraud, because in addition to protecting the employee, it will protect the business."

As part of its effort to combat fraud, Resecurity detected and blocked more than 630 social media accounts publishing scams targeting people preparing for Hajj season, the company stated in a report on Hajj-related fraud.

**Defending With Reduced Head Count**

Saudi Arabia has taken the threat seriously. The country's National Cybersecurity Authority (NCA) conducted a comprehensive cyber exercise with more than 200 agencies represented by more than 600 officials and specialists, with a specific focus on cybersecurity during the Hajj season.

The exercise, which the country also conducted the previous year, leaves it well-prepared to handle potential cyber incidents, IDC's Handa says.

"Drills are \[being\] conducted across the region to counter cyberattacks," she says, with the government "establishing a 24/7 cyber-operations room to monitor and analyze cyber threats and share results with national agencies, allocating cyber-incident response teams, and conducting assessments to measure the cyber-risks of sensitive assets."

Businesses should take a page from Saudi Arabia's playbook, says Kaspersky's Hasbini. While attacks typically drop off for the week around the Hajj, security teams are also short-staffed, often leaving response times slower. Planning to identify and respond to incidents under such restrictions makes for good preparation.

"While the risk of mistakes by an insider is lower when employees of an organization are out of office, we see a bigger risk if the responsibilities of employees in the IT or IT security departments ... are mishandled or simply ignored, opening up weaknesses for attackers to abuse," he says.

Companies should be clear in their delegation of duties when there is a shortage of cybersecurity specialists and establish clear protocols for communications, Hasbini says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading