The quest to keep data private while still being able to search may soon be within reach, with different companies charting their own paths.

Source: Mick House via Alamy Stock Photo

A truly private Internet search — where databases can be queried while keeping search terms and results private — remains a work-in-progress as companies try to balance speed and security.

Companies developing private search technologies focus on making static data more usable through encryption or secure enclaves, where no data is revealed or leaked in the process of querying, retrieval, and transit. Such a technology would function like traditional search where the search engine cannot read the query or use the search results to serve up ads.

"Private Internet search is a sort of holy grail, in a sense," says Vinod Vaikuntanathan, a professor of computer science at MIT and the chief cryptographer at Duality Technologies, which is building its own secure search technology.

**MongoDB & Queryable Encryption**

Customers want to control their data, and are looking at more secure ways to incorporate tools such as search, which is especially important in regulatory environments, says Kenn White, security principal at MongoDB.

"A lot of European customers are concerned about GDPR. We have got a lot of banks and investment banks that care about compliance, ISO, and PCI, but they really care about risk ... they are really focused on breaches," White says.

The latest version of MongoDB, version 7.0, which was released last year, introduces a secure search technology called queryable encryption, which White says "is enhanced so you can do an exact match."

The previous version of MongoDB, 6.0, had a technology called field encryption, in which critical information such as credit card or Social Security numbers were encrypted. An encrypted search query is sent to the encrypted database, and a secure response is sent back. No logs were maintained or plaintext data exposed, and hackers would not have access to encrypted data.

The newer MongoDB 7.0 has made the secure search capabilities more flexible, which is important for searches for more targeted information, such as anonymized financial data or electronic health records.

"We're now enhancing that so that you can do things like encrypted range searches," White says. "You will be able to do prefix and suffix or any text field that contains a certain word but again, where the database is still completely encrypted. It has no idea what you are asking for."

**Fortanix & Generative AI**

In another approach, Fortanix is introducing secure search offerings for searches via generative AI. Fortanix is protecting the AI query prompts, the context, and the augmented retrieval process where companies may use private and public data built into a large language model, says Richard Searle, vice president of confidential computing at Fortanix.

Private AI search is different from conventional search; it retrieves data from constantly learning systems known as vector databases, which is built on relationships between data. There are many considerations in encrypting and securing data compared to traditional search, which extracts data from static databases.

Fortanix's technology is based on confidential computing, which is a hardware-based secure enclave where data is transported for processing. The technology is based on a zero-trust architecture rooted in the hardware, which only grants permission to access the information to validated applications.

For example, Fortanix is working with providers to validate AI models within a secure enclave. The partners will determine whether that model is safe to deploy before executing or exchanging data with it.

"That's particularly relevant where you are taking an open-source model, maybe from a GitHub repository, and there's the potential that it has embedded malware," Searle says.

Fortanix also has plans for a product featuring confidential data collaborations, in which customers can anonymize data to be deployed in secure enclaves. Third parties can use applications within the secure enclave without accessing underlying information. The data is decrypted in the secure enclave, processed, encrypted, and transported out, which makes exfiltration difficult. The customers control cryptographic keys.

"That can be used by an application that is consuming that data either to train a model, or just a standard SQL search, or maybe some analytics," Searle says. "We provide the orchestration for that workload, using an intuitive templated workflow."

**Duality & Lattice-Based Encryption**

Duality is building its own security layer based on a lattice-based encryption scheme. As Vaikuntanathan explains, the technology involves putting encrypted data in a box, which is then sent to the database owner. The database owner breaks it down into smaller boxes of 1s (which implies a match) and 0s (which means not a match), then uses complex mathematics to repackage the response into an encrypted box, which can then be decrypted by a user.

"If you think about the database as being a bunch of numbers, what I'm doing is actually selecting the right row in the database. Of course, I do not know what I am doing in this whole process — I only had the encrypted query. And when I finish this process, I have a box which contains the result, encrypt it, send it back to you," says Vaikuntanathan.

Duality's box is transported via TLS, but the lattice approach suits search better because it allows for computation on encrypted data. The technology has a performance advantage over the widely used AES, which requires data to be decrypted before running search queries.

**Many Paths, One Destination**

Private search is not just about encryption or data privacy algorithms, though; it is more about how the data is processed and where it is exposed during the computation for search queries, says Alex Matrosov, CEO of Binarly.

The challenge will be to prove that the search is truly private. This proof can be difficult with the complexity of the modern computing stack, which includes CPUs, GPUs, and memory, Matrosov says.

"The question of the private Internet search is complicated because even if you try to guarantee that in theory and prove on the paper, the real implementations will be where all the failures will happen," Matrosov says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Private Internet Search Is Still Finding Its Way

The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.

Source: STANCA SANDA via Alamy Stock Photo

UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined — even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.

UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.

**Poor Security: Stolen Credentials, No MFA**

For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log into Change's Citrix platform, possibly obtained via an initial access broker — and that account wasn't protected with multifactor authentication (MFA).

Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's prepared testimony, released ahead of the hearing. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (it's evident that the company doesn't have processes in place to track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.

"This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack," said Piyush Pandey, CEO at Pathlock, in an emailed statement. "In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches."

**Impact on Data Security for PII, PHI Unclear**

Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question "could cover a substantial proportion of people in America," he said. He did not address whether the data is still at risk.

To put that comment into perspective, "Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors," Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.

The senator added, "Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data."

Wyden also warned that the breach could end up being a clear national security threat.

"I don't think it's a stretch \[that\] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a 'treasure trove' of counterintelligence information for foreign intelligence services," he said.

**UnitedHealth's Next Steps Unknown**

UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape. But it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only "slap on the wrist" enforcement actions. The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board).

Meanwhile, in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards). It is almost certain that there will be additional developments in the saga going forward.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

UnitedHealth Congressional Testimony Reveals Rampant Security Fails

PRESS RELEASE

Intel 471, a global provider of cyber threat intelligence (CTI) solutions, today announced that the company acquired Cyborg Security, founded in 2019, to provide organizations with advanced threat hunting capabilities and expertise. With this acquisition, Intel 471 is setting the standard for intelligence-led threat hunting by cementing CTI as a key requirement to enable accurate hunts and proper measurements for operational success, ensuring return on investment for customers’ threat hunt programs. 

“We are excited to add Cyborg Security’s innovative platform and approach to threat hunting to our solution portfolio," said Jason Passwaters, CEO and Co-Founder of Intel 471. “Our customers have grown to rely upon Intel 471’s expertise to unlock the power of cyber threat intelligence and support all aspects of their business. This acquisition is a natural extension of our leadership by including advanced behavioral threat hunting packages that are fully customized to the client’s environment. Customers will benefit from the HUNTER Platform fueled by our premier cyber threat intelligence to streamline the hunt process, improve their team’s efficiency, and stay ahead of emerging threats.”

The convergence of CTI and threat hunting practices across the cybersecurity industry is evidenced by the rapid adoption of complementary use cases, defined methodologies, and a growing trend to integrate the two within the same organizational construct and budget. Economic buyers and practitioners alike increasingly recognize the need for intelligence-led threat hunting as a core component of their overall cybersecurity program. Intel 471 is well-positioned to meet these emerging security requirements with the merging of Cyborg Security and its innovative Hunter Platform into its solution portfolio.

“Intel 471 is a company that embraces the same values as Cyborg Security. Our organizations were built by practitioners – threat hunters, threat intelligence analysts, and security researchers who appreciate the importance of defending the threat landscape,” said David Amsler, CEO and Founder of Cyborg Security. “Threat hunting requires continuous monitoring of the threat landscape, which includes ever-evolving cyber adversary behaviors, TTPs and targeted technologies, as observed across various phases of the attack lifecycle. Intel 471’s CTI prowess and data contextualization deliver those relevant and timely insights. Together, our capabilities provide enterprises the tools and systems to deliver best-in-class threat hunting.”

For more information, please visit: https://intel471.com/

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses. The company's TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/.

You May Also Like

Intel 471 Acquires Cyborg Security

PRESS RELEASE

SAN FRANCISCO, April 30, 2024 /PRNewswire-PRWeb/ -- Cobalt, the pioneers of Pentest as a Service (PtaaS) and leading provider of offensive security solutions, today announced its sixth annual State of Pentesting Report. In addition to a deep dive into pentesting trends, this year's report uncovers an industry deeply grappling with how to both use and protect from AI amidst significant resource and staffing constraints.

Pentesting plays a key role in addressing this challenge, equipping organizations with the ability to more frequently security test critical assets, expanded environments, and proliferating cloud applications. As part of the report, Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year (from Cobalt State of Pentesting Report 2022), aligning with increases in Common Vulnerabilities and Exposures (CVE) records. Additionally, findings indicated that the median time to fix vulnerabilities also increased in comparison to previous years.

In addition to its pentesting analysis, the report also includes a survey of more than 900 cybersecurity professionals across the U.S. and U.K. The study digs into how cyber professionals are balancing internal staffing and working with external partners, the push-pull of AI as both a tool and a threat, and the challenges the C-suite faces to lead change. Some of the most critical findings include:

*   Challenges In the Eye of the AI Storm: The study highlights the push-pull relationships cyber security teams have with AI. A huge majority (86%) cite their teams have adopted AI-powered tools on their teams, while on the flip side, seven in ten respondents also cite an increase in threats coming from AI. This aligns with the growth Cobalt experienced in its business. Throughout 2023, Cobalt performed an increasing number of pentests on AI systems, primarily on software products incorporating AI-enabled chatbots to improve user experience. The most common vulnerabilities uncovered included prompt injection (including jailbreak), model denial of service, and prompt leaking (sensitive information disclosure). Despite the increased investment, many teams (59%) worry they are still trailing behind the AI threat.
    
*   Short Staffing Shifts From Concerning to Significant Risk: The report captures the reality of significant industry layoffs and uncertainty that plagued 2023 and the hangover effect layoffs continue to have on threat levels. Thirty-one percent of respondents said their organization conducted layoffs during the past six months, and ⅓ of those agree their organization faces greater cyber risk due to those departures. Most concerning is that there are no signs of a strong staffing recovery. Nearly one-third of respondents report being on a hiring freeze, and 29% expect to do more layoffs still this year. Looking at the data, Cobalt sees an increase in the overall volume of high and critical severity findings of 39% year over year. This is leading many companies to look at how they will utilize partnerships and vendors to improve security measures, with 59% agreeing they will increase pentesting in 2024.
    
*   C-Suite Pressures: As attacks rise, C-suite executives are increasingly finding themselves at the top of the accountability and liability food chains. It's clear that respondents are feeling this pressure; C-suite is 31% more likely than non-C-suite to say the industry environment is impacting their mental health, and 51% more likely to say it's impacting their physical health. Like their staff, they cite challenges balancing talent shortages and budget constraints against both increasing and emerging threats. Among all groups surveyed, they are the most concerned about AI adoption (33% more than non-C-suite respondents). Despite these challenges, C-suite leadership is proven to be critical to cyber security, with 23% noting that C-suite leadership is more critical than budget to preventing attacks.
    

"With cybersecurity teams strained by staffing shortages and concerns rising about AI's potential to enhance cyberattacks, the importance of pentesting as a proactive measure is key," said Caroline Wong, Chief Strategy Officer at Cobalt. "Our data reinforces the actions we as an industry need to take: prioritizing talent acquisition, exercising caution in AI integration to safeguard against evolving threats, and leveraging pentesting."

"Enterprises today not only face digital threats but the personal toll that these challenges take on their executives," said Chris Manton-Jones, CEO at Cobalt." As leaders, it is crucial to understand that cybersecurity is not just about securing our digital assets but also about ensuring the safety of our entire organization, including ourselves. This is where Cobalt can help make a difference. We close the gaps with security expertise and provide scalable offensive security testing across the entire attack surface. It adds a community of trusted security experts to your team and takes your security program to the next level."

Cobalt will be discussing the report at its booth #4324 in Moscone North Expo during RSA. Visit https://www.cobalt.io/ to learn how Cobalt can help your organization and to download the full 2024 State of Pentesting Report.

About Cobalt   
Cobalt combines talent and technology with speed, scalability and resilience. Our award-winning Pentest as a Service (PtaaS) model empowers organizations to keep pace with their evolving attack surface and agile software development lifecycles. Thousands of customers and hundreds of partners rely on Cobalt's modern SaaS platform and exclusive community of more than 400 trusted security experts to secure applications, networks, and devices. We deliver security testing that supports business drivers, maximizes internal resources, and creates stronger security programs so that organizations can operate fearlessly and innovate securely.

You May Also Like

Cobalt's 2024 State of Pentesting Report Reveals Cybersecurity Industry Needs

Unmanaged and unknown Web services endpoints are just some of the challenges organizations must address to improve API security.

Source: Wright Studio via Shutterstock

Organizations shoring up their API security need to pay particular attention to unmanaged or shadow application programming interfaces.

Shadow APIs are Web services endpoints that are no longer in use, outdated, or undocumented, and therefore not actively managed. Application and security teams need to find such APIs and ensure each one is either documented or decommissioned to mitigate the significant risk they present, says Rupesh Chokshi, senior vice president, application security at Akamai.

**The Risk From Unmanaged APIs**

Chokshi is scheduled to present a talk on the topic at the upcoming RSA Conference 2024 in San Francisco next week. In a presentation titled "The Secret Life of APIs: Latest Attack Data Shows What Your APIs are Doing," Chokshi identifies shadow APIs as one of several postural — or implementation-related — issues that organizations must prioritize when tackling API security.

One of the biggest surprises for enterprises that increase their visibility into API activity is the sheer number of shadow endpoints in their environment that they were previously unaware of, Chokshi says. The first step to enabling better API security is to discover these shadow endpoint and either eliminate them or incorporate them into the API security program, he notes.

API security has become an increasingly pressing challenge for IT and security leaders. In recent years, many organizations have deployed APIs extensively to integrate disparate systems, applications, and services in a bid to streamline business processes and boost operational efficiencies. APIs have also played a central role in enabling digital transformation initiatives by giving companies a way to modernize legacy applications, adopt cloud services, and engage more efficiently with customers, partners, and other third parties.

**The API Proliferation Challenge**

The resulting proliferation of APIs has significantly expanded the attack surface at many organizations and exposed them to greater risks, Chokshi says. He points to research from Akamai earlier this year that found that 29% of all Web attacks in 2023 targeted APIs. Common attack vectors included SQL injection, cross-site scripting, session hijacking/session manipulation, and data harvesting attacks. Attackers targeted organizations in certain sectors more frequently than others. More than 44% of all Web attacks in the e-commerce sector, for instance, targeted APIs. Similarly, nearly 32% and 19% of the Web application attacks that business services organizations and healthcare organizations, respectively, encountered last year targeted application programming interfaces.

Chokshi says the API security challenges that most organizations encounter fall under two broad categories: postural and runtime related. Postural issues result from implementation weaknesses, such as those related to shadow APIs. An October 2022 research report from Cequence Security identified more than 31% of all malicious requests — or some 5 billion of 16.7 billion — targeted unknown and unmanaged APIs.

Other common postural problems include unauthenticated resource access, sensitive data in the URL, overly permissive cross-origin resource sharing, and excessive client errors, which can include issues like improper authentication.

The most common runtime problems — or active threats — that organizations typically encounter include unauthenticated attempts to access sensitive API resources; API activity with unusual JSON payloads, like unexpected data types; unexpected or malformed data as part of API requests; and data scraping attempts.

Given the rapidly evolving nature of the API threat landscape, organizations need to ensure they have proper visibility over their API environment, Chokshi notes. In addition to detecting and decommissioning shadow APIs, organizations need to maintain an inventory of their APIs. They also need to harden their API posture by, for instance, correcting flaws in API code and addressing misconfiguration issues; bolstering threat detection and response capabilities; and establishing an API threat hunting capability.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Shadow APIs: An Overlooked Cyber-Risk for Orgs

Some customers found that they had the ability to cancel a stranger's flight to another country after opening the app, which was showing other individuals' flight details.

Source: Stonemeadow Photography via Alamy Stock Photo

Qantas, the flagship Australian airline, is investigating a privacy breach after its customers were able to see other individuals' boarding passes, flight details, and frequent flyer information.

Josh Withers, a Qantas customer, said he was able to see another passenger's name and flight details when he opened the Qantas app. Each time he re-opened the flight portal, the app would pull up a different customer's flight information. Other passengers reportedly had the ability to cancel passengers' flights to Europe via the app.

The airline reports that there was "no indication of a cyber security incident," though it also said its investigation is pointing to a technology issue that could potentially have caused system changes leading to this privacy breach.

Qantas was able to resolve the issue roughly three hours after it was discovered but is urging the customers that were affected to remain vigilant of social engineering scams using the exposed information.

**About the Author(s)**

Qantas Customers' Boarding Passes Exposed in Flight App Mishap

The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.

Source: David Fleetham via Alamy Stock Photo

A never-before-seen malware strain is targeting enterprise-grade and SOHO routers to steal authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.

The packet-sniffing malware — dubbed "Cuttlefish" by the Black Lotus Labs team at Lumen Technologies who discovered it —features a zero-click approach to capturing data from users and devices, according to a blog post published May 1.

"Any data sent across network equipment infiltrated by this malware is potentially exposed," according to Black Lotus Labs. Attackers designed the modular malware to be triggered by a specific rule set, in particular to acquire authentication data, with an emphasis on public cloud-based services, the researchers said.

"To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources," according to the post. "By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials."

Cuttlefish also has a secondary function that gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space that's associated with communications on an internal network. It can also interact with other devices on the LAN and move material or introduce new agents.

**Cuttlefish's Unique Malware Behavior**

Cuttlefish's capability to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking "has seldom been observed;" however, campaigns such as ZuoRat, VPNFilter, Attor, and Plead exhibited similar behavior, according to Black Lotus Labs.

Unique to Cuttlefish, however, is its capability to zero in on private IP address connections for potential hijack, which is the first time the researchers have observed this capability and is likely for the purposes of anti-detection and persistence, they noted.

"We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR \[extended detection and response\] or network segmentation," according to the blog post.

The malware's combination of targeting networking equipment that's frequently unmonitored, as well as gaining access to cloud environments that often lack logging is intended to grant long-term persistent access to targeted ecosystems, the researchers noted.

**Turkish Telcos & Links to HiatusRAT**

Cuttlefish has been active since at least last July, with its latest campaign running from October through last month. The bulk of the infections occurred within Turkey via two telecommunications providers (a segment that's frequently targeted by cyberespionage malware), accounting for about 93% of infections, or 600 unique IP addresses.

There also have been "a handful" of non-Turkish victims, including IP addresses of clients likely associated with global satellite phone providers, and potentially a US-based data center, according to Black Lotus Labs.   

Researchers found links — specifically, code similarities and embedded build paths — to HiatusRat, thus they believe Cuttlefish also is aligned with the interests of China-based threat actors. However, so far Black Lotus Labs has not found shared victimology, surmising that the two malware clusters are operating concurrently.

**Infection Process and Execution**

While the researchers have not determined the initial infection vector, they did track the path of Cuttlefish once the targeted device was exploited, they said. The threat actor first deploys a bash script that gathers certain host-based data to send to the command-and-control server (C2). It also downloads and executes Cuttlefish in the form of a malicious binary compiled for all major architectures used by SOHO operating systems.

"This agent implements a multi-step process that begins with installing a packet filter for the inspection of all outbound connections and use of specific ports, protocols, and destination IP addresses," according to the post. "Cuttlefish constantly monitors all traffic through the device and only engages when it sees a particular set of activities."

The C2 sends updated and specified rules of engagement through a configuration file after it receives the host-based enumeration from the initial entry. The rule set directs the malware to hijack traffic destined to a private IP address; if heading to a public IP, it will initiate a sniffer function to steal credentials if certain parameters are met.

**Defending Against Router Attacks**

Aside from including a list of indicators of compromise (IoCs) in its post, the researchers also had separate advice for both corporate network defenders and those with SOHO routers to avoid and detect compromise by Cuttlefish.

Enterprise organizations should look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN-based blocking. They also should encrypt network traffic with TLS/SSL to prevent sniffing when retrieving or sending data located remotely, such as when using cloud-based services or performing any type of authentication, the researchers advised.

Organizations that manage these types of routers should ensure that devices do not rely upon common default passwords, as well as that the management interfaces are properly secured and not accessible via the Internet. Inspection of SOHO devices for abnormal files such as binaries located in the /tmp directory or rogue iptables entries, as well as routinely power-cycling these devices to help remove malware samples in-memory can also help organizations avoid compromise. Enterprises also should implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.

Consumers with SOHO routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as retiring and replacing routers that reach their end of life and thus support from their respective vendors.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

With mergers and acquisitions making a comeback, organizations need to be sure they safeguard their digital assets before, during, and after.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

Mergers and acquisitions (M&A) activity is making a much-anticipated comeback, soaring in the US by 130% — to the tune of $288 billion. Around the world, M&As are up 56%, to $453 billion, according to data from Dealogic.

When two companies are combined, a vast amount of sensitive data and information is exchanged between them, including financial records, customer information, and intellectual property. Additionally, different types of software and hardware often need to be integrated, which can create security vulnerabilities for cybercriminals to exploit.

Cybersecurity is critical to protect and safeguard the integrity of confidential data and can make or break an M&A deal. Having worked across a range of industries in my career, from banking and finance to healthcare, technology, and government, I've witnessed firsthand the cybersecurity challenges associated with managing M&As. Each M&A transaction I've been involved with has been far more complex than initially envisioned and took longer than anticipated to complete. This is especially true when it comes to integrating the technology stack.

**Understanding Cybersecurity in M&A**

Merging with or acquiring a company with a poor cybersecurity posture makes it much easier for cybercriminals to launch an attack. A data breach not only carries severe financial consequences, including legal fees and financial penalties, it also can be extremely damaging to an organization's reputation.

Without effective prevention and mitigation of cyber-risks, organizations could lose the trust of customers, partners, and investors, jeopardizing the deal. This is why cybersecurity must be a key consideration right from the beginning of the M&A lifecycle — not after it has happened. Regulators are also ramping up scrutiny of M&A deals and issuing significant fines for non-compliance. In many states and countries, rules such as the EU's General Data Protection Regulation (GDPR) protect personal data when it is transferred between entities.

**M&A Cybersecurity Checklist**

Leveraging more than 25 years of experience in risk, governance, and cybersecurity, I've put together this checklist to help organizations safeguard their digital assets before, during, and after a merger and acquisition:

*   Conduct early due diligence. Both entities must collaborate to assess the target company's current cybersecurity practices, internal IT infrastructure, and incident history to identify any weaknesses and security vulnerabilities. They might even want to bring in external auditors and cybersecurity experts specializing in M&A transactions.
    

*   Adopt risk metrics. Before making a plan, both entities must agree on an accepted level of risk and how this risk will be measured. Standardized risk metrics ensure that risk stays within the agreed levels, facilitating communication and collaboration at all levels of leadership in the new organization.
    

*   Establish a cybersecurity team. Create a dedicated team, bringing together experts from both entities to work together on addressing and managing potential cyber-risks. This will ensure that security practices are consistent across the entire new organization.
    
*   Develop a risk mitigation strategy. Based on the early assessment, the cybersecurity team can determine what procedures, processes, and technologies must be implemented to enhance the target company's cybersecurity posture before the entities combine. This plan should also clearly outline company policies and the roles and responsibilities across both entities for managing cybersecurity.
    

*   Plan for IT integration. Security measures are essential when integrating IT systems and networks. These include reviewing and enhancing current security architecture, implementing security policies, and testing for any security vulnerabilities. Adopting new tools and technologies to safeguard data during the integration process may be necessary.
    

*   Check for third-party risks. If external vendors are involved in the M&A process, ask them to detail their processes around managing and monitoring cybersecurity risks. The assessment must ensure vendor practices align with the target company's cybersecurity standards.
    

*   Establish identity and access governance and management. Implement strong controls so only authorized people can access sensitive information, digital assets, data, or systems — with different access levels depending on roles and responsibilities. This will help prevent or minimize hacking, fraud, internal data breaches, and human error.
    

*   Create an incident response plan. If a data breach occurs, organizations need a plan to minimize disruption to the business. It's essential to back up critical databases and store them off of the network to ensure data can still be accessed. The incident response plan should be printed out or distributed among staff so everyone knows what to do during a cyberattack.
    

*   Ensure ongoing monitoring. Cybersecurity doesn't end when the deal closes, and the post-M&A period can be a particularly vulnerable time for companies — so it's essential to be vigilant. That's why organizations need mechanisms for continuous 24/7 monitoring of systems and networks and real-time threat detection to identify security vulnerabilities and potential breaches.
    

*   Train employees. Ensure all employees of both entities involved in the merger or acquisition receive comprehensive and regular training about cybersecurity best practices. It's vital to communicate that each person can help play a part by watching out for threats and promptly reporting them. Consider conducting cybersecurity drills to prepare staff for what a cyberattack might look like.
    

**About the Author(s)**

CISO, Gathid

As the Chief Information Security Officer and an Executive Director of Gathid Ltd., Craig Davies is passionate about helping organizations strengthen access management without completely overhauling their people, processes, physical infrastructure, and technology. He has spent more than 25 years in cybersecurity, working in a number of fields, including infrastructure operations, security architecture and software, web development, and operations. As the first CEO of AustCyber, he negotiated agreements with states and territories to establish innovation notes across the country and set out a plan to make Australia a global force in the cybersecurity market.

The Cybersecurity Checklist That Could Save Your M&amp;A Deal

MOVEit drove a big chunk of the increase, but human vulnerability to social engineering and failure to patch known bugs led to a doubling of breaches since 2023, said Verizon Business.

Security bugs are having a cybercrime moment: For 2023, 14% of all data breaches started with the exploitation of a vulnerability, which is up a jaw-dropping 180%, almost triple the exploit rate of the previous year.

Let's put this in context, though. The MOVEit software breach, which wreaked supply chain havoc on companies across every sector, accounted for a large chunk of the increase in using exploits as an initial access method, and likely drove overall breach volumes up as well.

That's according to Verizon Business' 2024 Data Breach Investigations Report (DBIR), which analyzed a record 30,458 security incidents, out of which 10,626 were confirmed breaches — as a stat in itself, that's more than double the numbers from a year ago.

**Organizations Still Lack Security Maturity**

The DBIR, released today, detailed just how far patching can go in heading off a data breach. It also noted that a full 68% of the breaches Verizon Business identified involved human error — either someone clicked on a phishing email, fell for an elaborate social-engineering gambit, was convinced by a deepfake, or had misconfigured security controls, among other snafus. That's about the same percentage as last year, indicating that practitioners are not having much success when it comes to patching the human vulnerability.

In all, a picture in this year's DBIR emerges of an organizational norm where gaps in basic security defenses — including the low-hanging fruit of timely patching and effective user awareness training — continue to plague security teams, despite the rising stakes for CISOs and others that come with "experiencing a cyber incident."

"It can be a bit overwhelming for CISOs, particularly in environments where the security maturity of the organization is not as high as they would like," Suzanne Widup, distinguished engineer in threat intelligence at Verizon Business, tells Dark Reading. "But seeing organizations (large and small) still falling down in some of the basics is disheartening."

She adds, "Sometimes it takes the stakes being raised to get the attention of the appropriate people to affect change, sadly. What began with the data breach reporting laws has moved into serious consequences to company officers being codified into laws and regulations. But the bottom line is most organizations are not in business to worry about security. It has been an add-on after the fact for so long."

Other trends in the DBIR underscore the fact that teams need to address their cyber risk as a priority, and soon: A full 15% of breaches in the past year came from the supply chain, including issues with data custodians, vulnerabilities in third-party code, malicious packages in software repositories, and so on. That is an eyewatering 68% increase from 12 months previous, indicating that adversaries have copped to the fact that this is a tough area for security teams to get their arms around.

**MOVEit Moves the Cybercrime Needle**

Using the MOVEit bug was like shooting proverbial fish in a barrel — the world suddenly became a target-rich environment in the middle of last year for the Cl0p extortion gang and those cybercriminals that followed in its footsteps.

MOVEit Transfer is a managed file transfer app from Progress Software that organizations use to exchange sensitive data and large files both internally and externally. Progress claims thousands of customers for MOVEit, including major brands such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Cl0p reportedly spent two years developing the MOVEit file transfer zero-day exploit, first discovered and disclosed on May 31, 2023, by researchers after months of surreptitious attacks. Within a week of its public debut, CVE-2023-34362 was under mass exploitation by an array of threat actors; within a month, it had been used to breach at least 160 confirmed victims, including whales like Avast parent company Gen Digital, British Airways, Siemens, and UCLA. By the end of September 2023, it was linked to breaches at 900 different universities.

This MOVEit bonanza, which accounted for 8% of the breaches in Verizon Business' data set, had a ripple effect on several metrics in the DBIR, including a finding that 32% of all breaches involved some type of extortion technique (the MOVEit attacks involved stealing information and holding it for ransom) and the bump in supply chain breaches. And the DBIR found that the spike in the use of exploits for initial access was driven primarily by the increasing frequency of zero-day vulnerabilities by ransomware actors — a category that fits MOVEit to a T.

It should be noted, however, that zero-day use was up even outside of MOVEit: "The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises," said Chris Novak, senior director of cybersecurity consulting at Verizon Business, in a media statement.

And finally, 32% of breaches had an extortion or ransom element, with an average loss of $46,000 per company per incident.

**Challenges in Large-Scale Vulnerability Management**

Dovetailing with the increase in the use of bugs for initial access, Verizon Business also found that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Cybercriminals are a bit more johnny-on-the-spot: The median time for how long it takes for mass exploitations of the CISA KEV to develop on the Internet is just five days.

This "n-day" gap is one that threat actors have looked to exploit for years. But given the increasingly broad resources available to track and prioritize vulnerability patches, and the high stakes that now come with suffering a data breach (i.e., new mandatory SEC disclosure rules and personal liability for the CISO), it's clear that security teams need to make a coherent effort to move the needle on this risk.

"Time to patch the critical vulnerabilities getting faster would be welcome news," says Widup. "Having a background as a system admin, though, I do understand the necessities of testing the patches on complex environments to make sure you don't break production systems and cripple the organization. But at least working on that metric would be a good place to start."

One potential answer to getting off the patch-management hamster wheel is gaining more visibility into the attack surface, she advises.

"It's a bit like the tree falling in the forest — these software vulnerabilities exist whether or not someone finds them, and if we have more people looking for them by whatever means or motives, then we see them exploited (maliciously) or submitted to bug bounty programs (as a security researcher), which just means they are coming to light then," she explains. "The real action item for security teams is to do vulnerability scanning of the software that is deployed in their environments to see if they can find and report problems before they are found by someone with malicious intentions."

She also notes that considering vulnerability rates when bringing new platforms into the environment can help close the n-day gap simply by restricting the attack surface. "\[This means\] having security standards as part of the software vendor selection process, to make sure that the vendor is cognizant of the risks to their own organization and that of their customers. It may be that the best choice of a software vendor from a risk perspective is the one that follows the \[tenets\] of Secure by Design."

The overall lack of timely patching has had a surprise halo effect, according to the report: Despite the hype around AI risks, Verizon Business found little evidence that AI-enabled cybercrime was about to deliver organizations a data-breach Waterloo.

"While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach," said Novak.

**Humans Still the Weakest Cyber Link**

The DBIR found one trend that saw almost no change, ready for filing under "no surprise there": Most breaches (68%) involve a "non-malicious human element" who falls for phishing, misconfigures something, or otherwise makes a mistake. In other words, it's us. The problem is us.

And we fail fast, too. It takes less than 60 seconds for a mark to fall to a phishing routine, according to Verizon Business' phishing test results. The median time to click on a malicious link after an email is opened is 21 seconds, and then only another 28 seconds before the victim is obliviously entering their data into an attacker-controlled form.

Falling for social-engineering attacks in general is costly, too: The analysis found that the median loss in the past two years for business email compromise (BEC) scams is $50,000.

There was one slight glimmer of hope in the data-crunching: One-fifth (20%) of users identified and reported phishing in simulation engagements, and 11% of users who clicked on a decoy email went on to report it.

"So we did see some improvement in people not falling for the phish in simulations, and then those who have fallen for it, at least realizing it fairly quickly and reporting it," Widup explains. "It is vital to make sure that people can easily and quickly report when they have made a mistake, and not to discourage them with punishments. It is also important to have multiple layers of controls in place so that if someone does fall for a social attack, it doesn't necessarily mean a breach."

**Supply Chain Threats Accelerate to Warp Speed**

For the first time, Verizon is specifically breaking out supply-chain breaches as its own metric, which, as previously mentioned, are up significantly in volume in the last year.

"The threat actors are definitely turning towards compromising the larger third-party software companies, and it makes a lot of sense from their perspective if you think about it," says Widup. "They can compromise one vendor, and gain access to a large number of downstream victims in the form of their customer base. If they use the same kind of processes that push code updates, like we saw with SolarWinds, they have the opportunity to push malware to those systems without having to do the work of going into each of their environments. It's definitely more bang for their buck in terms of resources and effort expended. Then they can decide which of these newly compromised systems they want to leverage for further attacks."

The DBIR defines these as breaches that occur through a third-party "custodian," such as a managed service provider (common in the MOVEit cases); entry via a business partner (i.e, the HVAC incident that led to the 2013 Target breach); physical breaches in a partner company facility or even partner vehicles used to gain entry to a target; SolarWinds and 3CX-style breaches where software development processes and updates were hijacked; and vulnerabilities in open source or third-party software.

"This metric ultimately represents a failure of community resilience and recognition of how organizations depend on each other," according to the report's authors. "Every time a choice is made on a partner (or software provider) by your organization and it fails you, this metric goes up."

They added, "We recommend that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. In a time where disclosure of breaches is becoming mandatory, we might finally have the tools and information to help measure the security effectiveness of our prospective partners."

**Time to Shore Up the Security Basics**

For companies looking to take the DBIR findings to heart and take action, the report includes CIS Critical Security Controls for consideration in the sections where they apply.

"If they haven't already, I would recommend taking a look at them and all of the CIS Critical Security Controls as well, since their recommendations are tailored to the security maturity level of the organization," advises Widup. "It's a very helpful place to go for developing a security strategy, and we'd love to see more organizations adopting this or some other formal security methodology towards making their environments more secure. We break our metrics down into organizational size, industry, and regions to help our readers determine which threats they are most likely to face, and to point them in a direction where they can get some help with deciding how to increase their ability to defend against those threats."

The DBIR's focus on real-world metrics will hopefully be a tool for security teams to use to bring the stakes into focus for business owners and the board, she adds.

"People use the DBIR metrics to bring the threat from the theoretical 'this bad thing might happen to us' into the reality of 'this is already happening to other organizations of a similar size and in the same industry, and we need to address it now,'" she explains. "Breaches are not going away anytime soon, and any organization that thinks they are flying under the radar is in for a rude awakening. It is not a matter of if. It is a matter of when."

**For more information on the DBIR and what it means for your organizations, don't miss "Anatomy of a Data Breach: What to Do If It Happens to You," a free Dark Reading virtual event scheduled for June 20. Verizon's Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, detailing DBIR findings and more.**

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

As the social media giant celebrates its two-decade anniversary, privacy experts reflect on how it changed the way the world shares information.

SourceL Skorzewiak via Alamy Stock Photo

In the 20 years since then-Harvard University student Mark Zuckerberg launched Facebook, there has been a profound shift in our understanding of privacy and security in the digital age. Facebook's path to becoming a digital town square has been fraught with challenges as the company — and the rest of the world — balanced the human desire to share information with the expectation of personal privacy.

In February, Zuckerberg went before a Senate committee and made apologies to parents who blame social media for what they say was its role in their children's death by suicide or from drug overdoses. Zuckerberg has appeared before congressional committees multiple times over the years to address concerns about the platform's impact. The issue of privacy, security, and Facebook has been a long-standing lightning rod, says Martin J. Kraemer, a security awareness advocate at KnowBe4 who has a doctorate in cybersecurity.

"Facebook's fundamental purpose, centered around the systematic collection of information, naturally conflicts with privacy and data protection laws," Kraemer says.

The social media company's missteps over the years have shaped the broader discussions and regulations around data privacy. In fact, it is that tension between social connectivity and privacy rights that prompted the need for robust data protection measures, influencing the creation of significant legal frameworks, like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The Cambridge Analytica scandal in 2016 was a watershed moment for many, as the company's decision to grant third-party entities with unethical access to user data underscored the potential for personal data to be weaponized against democratic processes. This incident, according to Kraemer, was a direct catalyst for the CCPA and marked a decisive turn in how policymakers and the public at large perceived and prioritized online privacy and data security.

"Cambridge Analytica was the first time the dangers of mass data collection and processing became a tangible reality for the public," Kraemer says.

**The 'Attention Economy': Your Data Up For Sale**

Facebook has also been a key player in the development of the "attention economy," says Justin Daniels, a faculty member at IANS Research. Its creation catalyzed a shift toward the sale of user data as a commodity sold to the highest bidder under the guise of a "free" service.

"Their algorithm, designed to keep you on the site with things that you emotionally respond to, has resulted in the following: Information is available everywhere, yet the facts prove elusive, and anyone who disagrees with you becomes your adversary," Daniels says. "Our need to have convenience above all has made privacy and security afterthoughts for too many people."

The platform's initial slow response to recognize its role in disseminating misinformation, as evidenced by Zuckerberg's later retracted comments on the 2016 election, underscores the company's significant impact, Daniels says. Resulting state laws in Texas and Florida, targeting big tech, highlight a legislative response to privacy concerns directly influenced by Facebook's actions. Facebook's long-standing stance of neutrality as mere "engineers" has also allowed misinformation to proliferate, causing harm and dividing communities, he says.

Looking ahead, Daniels foresees a challenging future for online privacy and security, particularly with the advent of AI.

"If you connect the dots, you see that we are paying the price in privacy and security for Congressional inaction on the digital economy," he says. "They basically let the private sector innovate without any rules. Since big tech business models depend on collecting personal information, they are never going to voluntarily limit themselves, as data collection is critical to their business model. They are the richest companies in human history and now have great influence. An AI black swan event will be the culmination of this lack of regulatory oversight."

**A Privacy-Free Future?**

Like Daniels, AJ Nash, VP and Distinguished Fellow of Intelligence at ZeroFox, also thinks the quest for profitability, driving platforms like Facebook to maximize user engagement, comes at the expense of user privacy. Social media companies are neither legally accountable for user content, thanks to Section 230(c)(1) of the Communications Decency Act, nor are they obligated to adhere to First Amendment principles, he notes. That means policy changes within these platforms are primarily motivated by either the pursuit of growth or forced with governmental mandates, such as GDPR.

"If the user base shrinks or engagement drops as a result of user concerns regarding censorship, mis/dis/malinformation, privacy, or security \[for example\], social media platforms will likely be motivated to address those concerns with new policies," Nash says. "Beyond that, the only motivation any private corporation — including social media platforms — has for making any policy changes will likely be when they are required to do so by a government with the authority to enforce such mandates."

And as anyone working in security knows, social media's extensive data collection practices have also become a goldmine for attackers, enabling crimes ranging from theft to influence campaigns designed to sway public opinion — underscoring the complexity of securing user data against cyber threats on social sites that are designed to be, well, social.

"I recently read that 1.4 billion social media accounts are hacked every month, showing that hackers aren't reluctant to attack users directly," Nash says. "Social media platforms can \[and do\] collect an impressive amount of information about their users, including name, age, gender, location, IP address, devices used, hobbies/interests, shopping tendencies, political views, and individual or group pattern of life analysis … the list goes on. Most \[if not all\] social media platforms have reportedly been compromised at least once."

In light of this near-constant onslaught of attacks, Nash thinks there will be a shift toward resignation and skepticism among users. The concept of privacy also will be increasingly viewed as untenable in the face of the Internet and social media's expansion, he says.

"I think we've reached a point where most people believe they've been compromised and are becoming numb to — and skeptical of — the idea that their privacy can be protected," Nash says. "The two youngest generations seem largely less concerned with privacy than their predecessors. Social media probably played a significant role in all of this. As people spent more time on these platforms over the last two decades, they have grown accustomed to the news of data leaks, while becoming more interested in the potential benefits of less privacy than the associated risks. To be frank, I think we are nearing — if not already at — the dawn of a post-privacy world."

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Source

DARKReading