The restaurant chain hasn't provided any information regarding what led to a widespread IT outage, and customers and employees are asking for answers.

Source: Judith Collins via Alamy Stock Photo

Panera Bread customers and employees reported experiencing outages with the restaurant chain's ordering system, mobile apps, loyalty programs, and more on March 22.

Although the IT disruption slowed operations for a time, Panera Bread stores were able to remain open. Two weeks later, systems, websites, and customer service lines are back online.

Though some employees reportedly complained about the lack of transparency regarding the situation, Panera has not released any further information regarding the outage on its website. The company also did not respond to Dark Reading's request for comment.

Some customers, those with personal information linked to Panera loyalty accounts, are concerned about a data leak.

"My biggest concern hasn't been losing free drinks and a gift card balance, but personal data in a hack," a user with the handle "bartolish" wrote in the r/Panera subreddit.

Cybersecurity expert Sean Deuby, principal technologist, Semperis, said he wouldn't rule out ransomware as the cause of the Panera outages.

"While the details on the countrywide IT outage experienced by Panera Bread are coming in slowly, it wouldn't surprise me to find out they've been hit with a ransomware attack," Deuby said in a statement. "Hopefully, Panera store backup data offline and has a robust response and recovery plan in place to deal with this threat."

Panera Bread Fuels Ransomware Suspicions With Silence

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Dealing with a Ramadan cyber spike; funding Internet security; and Microsoft's Azure AI changes.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards
    
*   Global: Cybersecurity Threats Intensify in the Middle East During Ramadan
    
*   Funding the Organizations That Secure the Internet
    
*   How Soccer's 2022 World Cup in Qatar Was Nearly Hacked
    
*   Microsoft Beefs Up Defenses in Azure AI
    
*   Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed
    
*   Why Cybersecurity Is a Whole-of-Society Issue
    

**How CISOs Can Make Cybersecurity Awareness a Long-Term Priority for Boards**

Commentary by Shaun McAlmont, CEO, NINJIO Cybersecurity Awareness Training

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — including when it comes to earning long-term support for awareness training from their boards. Winning strategies include communicating cybersecurity concepts in an engaging and non-technical way, and showing board members that cybersecurity programs offer significant ROI.

This column lays out five ways that CISOs can show boards that it's time to prioritize cybersecurity:

1.  Know how to communicate with non-technical audiences. Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, for instance.
    
2.  Focus on the entire cyber-impact chain. Cyberattacks can lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce.
    
3.  Stress the human element. CISOs stress that 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.
    
4.  Outline how awareness-training programs can be measured. CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.
    
5.  Secure long-term support. Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale.
    

Read more: How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Related: CISOs Struggle for C-Suite Status Even as Expectations Skyrocket

**Cybersecurity Threats Intensify in the Middle East During Ramadan**

By Alicia Buller, Contributing Writer, Dark Reading

How security teams in the region fortify their defenses amid short-staffing — and increased DDoS, phishing, and ransomware campaigns — during the Muslim holy month.

The ninth month of the Muslim calendar is observed around the world, as followers take the time to reflect and practice fasting, and cybersecurity teams often operate with skeletal staffing. Ramadan is also a period where Muslim shoppers tend to up their spending on specialty foods, gifts, and special offers.

All of this also creates a perfect storm for bad actors to conduct fraudulent activities and scams. Endpoint-protection firm Resecurity has observed a significant increase in cyber malevolence during Ramadan, which began on March 10. The company estimates the total financial impact from these cyberattacks and cyberscams against the Middle East has reached up to $100 million so far during this year's Ramadan.

Middle East-based companies can step up cybersecurity with extra vigilance and outsourced support amid shortened working hours and increased ecommerce activity.

"Many organizations proactively enhance their outsourced contracts during this period, particularly focusing on bolstering 24/7 security operations," says Shilpi Handa, associate research director of security, Middle East, Turkey, and Africa (META) at IDC, adding that deploying a remote and diverse workforce is particularly advantageous during Ramadan as around-the-clock security shifts can be fully covered by a mix of Muslim fasters and non-Muslim staff.

Read more: Cybersecurity Threats Intensify in the Middle East During Ramadan

Related: Middle East Leads in Deployment of DMARC Email Security

**Funding the Organizations That Secure the Internet**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

There's no single entity responsible for maintaining and securing the Internet. Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding, or by subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

"Key components of the Internet are maintained by volunteers, nonprofits, and NGOs, and others who work with razor-thin budgets and resources," said Kemba Walden, president of Paladin Global Institute and former US acting national cyber director. "Consider this: The underpinnings of our digital infrastructure, the infrastructure that enables civil society to thrive in our economy today and to grow, rest on a network of volunteers, nonprofits, NGOs and others."

An initiative called Common Good Cyber is finding new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Ideas include creating joint funding organizations; federated fundraising for nonprofits; inventorying who is doing what to support the Internet's infrastructure; and a hub or accelerator to provide resources to the groups securing the Internet.

Read more: Funding the Organizations That Secure the Internet

Related: Neglecting Open Source Developers Puts the Internet at Risk

**How Soccer's 2022 World Cup in Qatar Was Nearly Hacked**

By Jai Vijayan, Contributing Writer, Dark Reading

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, during which the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

But it's the "what else could have happened" that's the really scary part: The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup.

Read more: How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

Related: NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII

**Microsoft Beefs Up Defenses in Azure AI**

By Jai Vijayan, Contributing Writer, Dark Reading

Microsoft adds tools to protect Azure AI from threats such as prompt injection, as well as to give developers the capabilities to ensure generative AI apps are more resilient to model and content manipulation attacks.

Amid growing concerns about threat actors using prompt injection attacks to get generative AI (GenAI) systems to behave in dangerous and unexpected ways, Microsoft's AI Studio is rolling out resources for developers to build GenAI apps that are more resilient to those threats.

Azure AI Studio is a hosted platform that organizations can use to build custom AI assistants, copilots, bots, search tools, and other applications, grounded in their own data.

The five new capabilities that Microsoft has added — or will soon add — are Prompt Shields, groundedness detection, safety system messages, safety evaluations, and risk and safety monitoring. The features are designed to address some significant challenges that researchers have uncovered recently — and continue to uncover on a routine basis — with regard to the use of large language models (LLMs) and GenAI tools.

"Generative AI can be a force multiplier for every department, company, and industry," said Microsoft's chief product officer of responsible AI, Sarah Bird. "At the same time, foundation models introduce new challenges for security and safety that require novel mitigations and continuous learning."

Read more: Microsoft Beefs Up Defenses in Azure AI

Related: Forget Deepfakes or Phishing: Prompt Injection is GenAI's Biggest Problem

**Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed**

By Jai Vijayan, Contributing Writer, Dark Reading

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

Read more: Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Related: Feds to Microsoft: Clean Up Your Cloud Security Act Now

**Why Cybersecurity Is a Whole-of-Society Issue**

Commentary by Adam Maruyama, Field CTO, Garrison Technology

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

We are drowning in vulnerabilities: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, said simply that "we've made it easy on" attackers through poor software design. But it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

As CISA articulated in its Secure by Design initiative, secure coding by vendors is the first step to creating technologies that are both secure and usable. But businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. In particular, by increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes.

Meanwhile, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. And, the final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens through things like multifactor authentication.

Read more: Why Cybersecurity Is a Whole-of-Society Issue

Related: NIST Wants Help Digging Out of Its NVD Backlog

CISO Corner: Ivanti's Mea Culpa; World Cup Hack; CISOs &amp; Cyber Awareness

The infamous payment-skimmer cybercrime organization is exploiting CVE-2024-20720 in Magento for a novel approach to stealing card data.

Source: Tawan Chaisom via Alamy Stock Photo

Magecart attackers have a new trick: Stashing persistent backdoors within e-commerce websites that are capable of pushing malware automatically.

According to researchers at Sansec, the threat actors are exploiting a critical command injection vulnerability in the Adobe Magento e-commerce platform (CVE-2024-20720, CVSS score of 9.1), which allows arbitrary code execution without user interaction.

The executed code is a "cleverly crafted layout template" in the layout\_update database table, which contains XML shell code that automatically injects malware into compromised sites via the controller for the Magento content management system (CMS).

"Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," Sansec said in an alert. "Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested."

Sansec observed Magecart (a long-running umbrella organization for cybercrime groups that skim payment card data from e-commerce sites) using this technique to inject a Stripe payment skimmer, which captures and exfiltrates payment data to an attacker-controlled site.

Adobe resolved the security bug in February in both Adobe Commerce and Magento, so e-tailers should upgrade their versions to 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7 to be protected from the threat.

**About the Author(s)**

Magecart Attackers Pioneer Persistent E-Commerce Backdoor

Large language models require rethinking how to bake security into the software development process earlier.

Large language models require rethinking how to bake security into the software development process earlier.

Source: Chroma Craft Media Group via Alamy Stock Photo

Question: What do we really know about large language model (LLM) security? And are we willingly opening the front door to chaos by using LLMs in business?

Rob Gurzeev, CEO, CyCognito: Picture it: Your engineering team is harnessing the immense capabilities of LLMs to "write code" and rapidly develop an application. It's a game-changer for your businesses; development speeds are now orders of magnitude faster. You've shaved 30% off time-to-market. It's win-win — for your org, your stakeholders, your end users.

Six months later, your application is reported to leak customer data; it has been jailbroken and its code manipulated. You're now facing SEC violations and the threat of customers walking away.

Efficiency gains are enticing, but the risks cannot be ignored. While we have well-established standards for security in traditional software development, LLMs are black boxes that require rethinking how we bake in security.

**New Kinds of Security Risks for LLMs**

LLMs are rife with unknown risks and prone to attacks previously unseen in traditional software development.

*   Prompt injection attacks involve manipulating the model to generate unintended or harmful responses. Here, the attacker strategically formulates prompts to deceive the LLM, potentially bypassing security measures or ethical constraints put in place to ensure responsible use of the artificial intelligence (AI). As a result, the LLM's responses can deviate significantly from the intended or expected behavior, posing serious risks to privacy, security, and the reliability of AI-driven applications.
    
*   Insecure output handling arises when the output generated by an LLM or similar AI system is accepted and incorporated into a software application or Web service without undergoing adequate scrutiny or validation. This can expose back-end systems to vulnerabilities, such as cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), privilege escalation, and remote code execution (RCE).
    
*   Training data poisoning occurs when the data used to train an LLM is deliberately manipulated or contaminated with malicious or biased information. The process of training data poisoning typically involves the injection of deceptive, misleading, or harmful data points into the training dataset. These manipulated data instances are strategically chosen to exploit vulnerabilities in the model's learning algorithms or to instill biases that may lead to undesired outcomes in the model's predictions and responses.
    

**A Blueprint for Protection and Control of LLM Applications**

While some of this is new territory, there are best practices you can implement to limit exposure.

*   Input sanitization involves, as the name suggestion, the sanitization of inputs to prevent unauthorized actions and data requests initiated by malicious prompts. The first step is input validation to ensure input adheres to expected formats and data types. The next is input sanitization, where potentially harmful characters or code are removed or encoded to thwart attacks. Other tactics include whitelists of approved content, blacklists of forbidden content, parameterized queries for database interactions, content security policies, regular expressions, logging, and continuous monitoring, as well as security updates and testing.
    
*   Output scrutiny is the rigorous handling and evaluation of the output generated by the LLM to mitigate vulnerabilities, like XSS, CSRF, and RCE. The process begins by validating and filtering the LLM's responses before accepting them for presentation or further processing. It incorporates techniques such as content validation, output encoding, and output escaping, all of which aim to identify and neutralize potential security risks in the generated content.
    
*   Safeguarding training data is essential to prevent training data poisoning. This involves enforcing strict access controls, employing encryption for data protection, maintaining data backups and version control, implementing data validation and anonymization, establishing comprehensive logging and monitoring, conducting regular audits, and providing employee training on data security. It's also important to verify the reliability of data sources and ensure secure storage and transmission practices.
    
*   Enforcing strict sandboxing policies and access controls can also help mitigate the risk of SSRF exploits in LLM operations. Techniques that can be applied here include sandbox isolation, access controls, whitelisting and/or blacklisting, request validation, network segmentation, content-type validation, and content inspection. Regular updates, comprehensive logging, and employee training are also key.
    
*   Continuous monitoring and content filtering can be integrated into the LLM's processing pipeline to detect and prevent harmful or inappropriate content, using keyword-based filtering, contextual analysis, machine-learning models, and customizable filters. Ethical guidelines and human moderation play key roles in maintaining responsible content generation, while continuous real-time monitoring, user feedback loops, and transparency ensure that any deviations from desired behavior are promptly addressed.
    

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

You May Also Like

How Do We Integrate LLMs Security Into Application Development?

Improving security in the applications that drive the digital economy is a necessary undertaking, requiring ongoing collaboration between the public and private sectors.

Neatsun Ziv, CEO & Co-Founder, Ox Security

April 5, 2024

4 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

The recent publication "Back to the Building Blocks: A Path Toward Secure and Measurable Software" by the White House Office of the National Cyber Director (ONCD) provides additional detail and strategic direction supporting the National Cybersecurity Strategy released in March 2023. The strategy intends to shift a much greater share of responsibility for cybersecurity to software vendors, service providers, and other entities that develop software applications. This latest report provides a more specific direction by emphasizing an aggressive shift to memory-safe programming languages with software development practices.

**The Memory Safety Imperative**

Traditional programming languages are frequently the weak link in software development, with memory safety vulnerabilities leading to significant incidents. Despite comprehensive code reviews and other security measures, these vulnerabilities persist, accounting for up to 70% of security issues in these languages. A shift toward memory-safe programming languages, as advised by the Cybersecurity and Infrastructure Security Agency's (CISA) road map, is a critical step toward developing software that is secure by design.

**Navigating Legacy System Complexities**

One of the most daunting challenges in this strategic shift is addressing the legacy systems developed in C and C++. These legacy systems are not only numerous but often critical to the operations of many organizations. Rewriting these systems in modern, memory-safe languages can be expensive and complex, resulting in the downtime of critical business processes.

Moreover, memory safety vulnerabilities are primarily observed at the operating system level, affecting significant platforms like Microsoft and Linux. This categorization of issues at the runtime level, rather than the application level, underscores the broader challenge in cybersecurity: the pursuit of advanced security measures must be balanced against the practicalities and costs of implementing these changes, especially for established systems.

**Economic and Technical Considerations**

Many organizations face formidable costs associated with overhauling older systems. Changing coding protocols is not only a technical decision but also a strategic one to ensure the security of the digital infrastructure of the future. As a result, decision-makers considering when to undertake the transition must evaluate the immediate financial and operational impacts versus the long-term benefits.

Fortunately, technological innovations have already been developed that can reduce the cost and disruption of transitioning to safer code. For instance, code analysis tools can analyze legacy applications and semi-autonomously identify instances where C or Python code runs without proper isolation. And because of recent advances in compiler technology, even worst-case unsafe coding practices can be protected if written in an older language. These developments should significantly lessen the barriers to adopting safe coding practices for organizations of any size.

**A Collaborative Effort Toward a Secure Future**

Policymakers and vendors must collaborate closely to balance enhancing security with maintaining essential software services. Embracing memory-safe programming languages, as recommended by the ONCD, is a crucial step in this journey and is integral to advancing our collective cybersecurity. 

Several industry leaders have already made significant investments in memory-safe languages. Examples include: 

*   Mozilla's Rust programming language: With its emphasis on memory safety, Rust offers a solid alternative to traditional programming languages that marries security and performance.
    
*   Microsoft's investment in Rust: Recognizing that older languages have limitations, Microsoft has embraced Rust and used it in several new projects where memory safety was a concern.
    
*   Google's memory safety efforts: Google has invested considerable resources into finding and mitigating memory safety vulnerabilities and has called for using memory-safe languages in new developments. Last week, Google released a new research report, "Secure by Design: Google's Perspective on Memory Safety," advocating for a secure-by-design strategy. The report focuses on adopting languages with robust memory safety features and acknowledges the limitations of evolving C++ to meet these standards.
    

**Moving Forward: Practical Steps to Meet the ONCD Recommendations**

The path in the latest ONCD report is challenging, but rich with opportunity. It demands practical steps from all actors within the software development and cybersecurity ecosystems, including:

*   Education and training: Organizations must commit to teaching their teams about memory-safe languages and secure development practices, ensuring that developers can make the necessary changes.
    
*   Gradual transition plans: Organizations should create plans for transitioning legacy systems to memory-safe and manageable languages. They should address the most critical areas first and phase the project slowly to minimize operational disruption.
    
*   Leveraging automation tools: Organizations should use modern code analysis tools and compilers that automatically find and remediate unsafe code practices while reducing the burden of manual processes.
    
*   Policy and governance: Organizations must develop explicit governance constructs that bake in memory safety and secure development practices throughout the software development lifecycle.
    
*   Community and collaboration: Importantly, organizations should reach outside their walls and the broader tech community in forums, partnerships, and open source projects to share the knowledge, challenges, and solutions around memory safety that come with this journey.
    

Improving security in the applications that drive the digital economy is a lofty and complex but necessary undertaking requiring ongoing collaboration between the public and private sectors. The ONCD's latest report is a solid next step in articulating the strategy; however, more will is needed to realize the vision. Transitioning to memory-safe coding languages for new applications and updating legacy code are enormous challenges. However, progress is being made with recent advancements in software analysis and compiler technologies and commitments demonstrated by many global technology leaders.

**About the Author(s)**

CEO & Co-Founder, Ox Security

Neatsun Ziv is the CEO and Co-Founder of Ox Security, the end-to-end software Active ASPM Platform. Prior to that, he was the VP of Cyber Security at Check Point, where he oversaw all cyber initiatives. His team was one of the first to respond to SolarWinds, NotPetya, and other major attacks, working closely with Interpol, Local CERT, and other enforcement agencies. Neatsun is a passionate and seasoned entrepreneur with vast cybersecurity experience. He served in the IDF Cyber Intelligence Unit and is a frequent speaker at global forums, including RSA and CPX, among others. Neatsun holds a B.Sc. from Israel's Open University (honors) and an MBA from the Technion (Magna Cum Laude).

White House's Call for Memory Safety Brings Challenges, Changes &amp; Costs

Cloud-native application protection platforms (CNAPPs) sidestep siloed security and embed security into the earliest stages of application development.

Source: John Williams RF via Alamy

Multicloud security is an enormously complex undertaking, requiring security teams to correlate thousands of daily security alerts across disparate platforms to efficiently and accurately respond to emergent threats. Rather than relying on a series of third-party point solutions — which often struggle to integrate and communicate with one another — to protect your multicloud environment, we recommend prioritizing native security solutions that can embed seamlessly within your environment.

A cloud-native application protection platform (CNAPP) is a unified platform that simplifies securing cloud applications throughout their life cycles. Originally coined by Gartner, this all-in-one platform connects traditionally siloed security and compliance capabilities into a single user interface. At their core, CNAPPs allow security teams to embed security into the earliest stages of the application development process and deploy more robust protections for cloud workloads and data.

There are many use cases where a cloud-native solution will have a natural edge over third-party solutions. We have picked a few common scenarios to showcase capabilities that are hard to replicate with a customized or third-party solution. This list is meant to be representative, not exhaustive.

**1\. Monitoring Your Cloud Management Layer**

The cloud management layer is a crucial service connected to all of your cloud resources. That also makes it a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Since cloud service providers (CSPs) do not allow integration with this layer, the capabilities provided by third-party solutions are severely limited and rely solely on the availability of logs/events, like Azure Diagnostics and AWS CloudTrail.

**2\. Detecting Near Real-Time Threats With Zero or Minimal Impact on Workloads**

As you leverage more native architecture patterns, your usage of native storage, like object storage and native SQL, will grow. As a result, these services often represent an attack target.

Because CSPs do not allow native integration with these services, organizations often struggle to detect malware as soon as an object is uploaded to a storage account without introducing latency or further risks to their workloads. We also see this same issue present when trying to detect sensitive data across databases and object stores without allowing access to a third-party solution. Native cloud security offerings do not have these limitations.

**3\. Inherent Coverage of Workloads as You Scale or Modernize**

Native solutions are deployed at the account or subscription level, integrate natively with other cloud services, and cover a vast variety of usage patterns. Often, these solutions do not require any agent and are push-button. When cloud architecture teams decide to migrate from a virtual machine-based deployment to one that's container-based, organizations can rest assured that the workload is protected from the start.

**4\. Integrating with Your Native Pipelines**

When organizations deploy cloud workloads, they can integrate the native solution at the code repository level. This ensures they are checking appropriate risks at each level — for example, code scanning as part of code merges or image scanning on push. Native solutions also allow organizations to manifest validation before container deployment.

**5\. Maintaining Your Access-Related Blast Radius**

When organizations deploy a third-party solution, that solution requires its own set of roles that need to be monitored. Users will also most likely need to be managed within the third-party solution itself. This adds additional monitoring requirements for security teams that are not needed when deploying native solutions. Because native solutions already integrate with other cloud services and leverage predefined roles, security teams don't need to worry about any additional risks being introduced into their environments.

As we have seen, CNAPPs have a unique value proposition for integrating in your cloud security portfolio, either as the primary solution or as a complement to your existing cloud security posture management (CSPM).

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Reconsider Your CNAPP Strategy Using These 5 Scenarios

A Babuk variant has been involved in at least four attacks on VMware EXSi servers in the last six weeks, in one case demanding $140 million from a Chilean data center company.

Source: Don McBailey/Stockimo via Alamy Stock Photo

What appears to be a fresh variant of the Babuk ransomware has emerged to attack VMware ESXi servers in several countries, including a confirmed hit on IxMetro PowerHost, a Chilean data center hosting company. The variant calls itself "SEXi," a play on its target platform of choice.

According to CronUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem issued a statement confirming that a new ransomware variant had locked up the company's servers using the .SEXi file extension, with the initial access vector to the internal network as yet unknown. The attackers requested $140 million in ransom, which Rubem indicated would not be paid.

SEXi's emergence stands at the crossroads of two major ransomware trends: the rash of threat actors who have developed malware based on the Babuk source code; and a lust for compromising tantalizingly juicy VMware EXSi servers.

**IX PowerHost Attack Part of Wider Ransomware Campaign**

Meanwhile, Will Thomas, CTI researcher at Equinix, uncovered what he believes to be a binary related to that used in the attack, dubbed "LIMPOPOx32.bin" and tagged as a Linux version of Babuk in VirusTotal. At press time, that malware has a 53% detection rate on VT, with 34 out of 64 security vendors flagging it as malicious since it was first uploaded on Feb. 8. MalwareHunterTeam spotted it back on Valentine's Day, when it was being used without the "SEXi" handle in an attack on an entity in Thailand.

But Thomas further discovered other, related binaries. As he tweeted, "SEXi ransomware attack on IXMETRO POWERHOST linked to broader campaign that has hit at least three Latin American countries." These call themselves Socotra (used in an attack in Chile on March 23); Limpopo again (used in an attack in Peru on Feb. 9); and Formosa (used in an attack in Mexico on Feb. 26). Concerningly, at press time all three registered zero detections in VT.

Together, the findings showcase the development of a novel campaign using various SEXi iterations that all lead back to Babuk.

**Shadowy TTPs Emerge in SEXi Attacks**

There's no indication of where the malware operators originate from or what their intentions are. But slowly a set of tactics, techniques, and procedures are emerging. For one, the binaries' nomenclature comes from place names. Limpopo is the northernmost province of South Africa; Socotra is a Yemeni island in the Indian Ocean; and Formosa was a short-lived republic located on Taiwan in the late 1800s, after China's Qing Dynasty ceded its rule over the island.

And, as MalwareHunterTeam pointed out on X, "maybe interesting / worth to mention about this 'SEXi' ransomware that the communication method specified by the actors in the note is Session. While we\['ve\] seen some actors using it even years ago already, I \[don't\] remember seeing it in relation to any big/serious cases/actors."

Session is a cross-platform, end-to-end encrypted instant messaging application emphasizing user confidentiality and anonymity. The ransom note in the IX PowerHost attack urged the company to download the app and then send a message with the code "SEXi"; the earlier note in the Thai attack urged the Session download but to include the code "Limpopo."

**EXSi Is Sexy to Cyberattackers**

VMware's EXSi hypervisor platform runs on Linux and Linux-like OS, and can host multiple, data-rich virtual machines (VMs). It has been a popular target for ransomware actors for years now, partly because of the size of the attack surface: There are tens of thousands of ESXi servers exposed to the Internet, according to a Shodan search, with most of them running older versions. And that doesn't take into account those that are reachable after an initial access breach of a corporate network.

Also contributing to ransomware gangs' growing interest in EXSi, the platform doesn't support any third-party security tooling.

"Unmanaged devices such as ESXi servers are a great target for ransomware threat actors," according to a report from Forescout released last year. "That's because of the valuable data on these servers, a growing number of exploited vulnerabilities affecting them, their frequent Internet exposure and the difficulty of implementing security measures, such as endpoint detection and response (EDR), on these devices. ESXi is a high-yielding target for attackers since it hosts several VMs, allowing attackers to deploy malware once and encrypt numerous servers with a single command."

VMware has a guide for securing EXSi environments. Specific suggestions include: Make sure ESXi software is patched and up-to-date; harden passwords; remove servers from the Internet; monitor for abnormal activities on network traffic and on ESXi servers; and ensure there are backups of the VMs outside the ESXi environment to enable recovery.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

SEXi Ransomware Desires VMware Hypervisors in Ongoing Campaign

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Source: garagestock via Shutterstock

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

**A Thorough Overhaul**

"We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers," Abbott said, in his statement. "We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices."

Some of the specific steps include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features in its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation and is committed to greater transformation and information sharing with customers, he added.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

The disclosure followed a similar incident less than two weeks ago that involved two bugs in Ivanti's Standalone Sentry and Neuron's for ITSM products. Ivanti so far has disclosed a total of 11 vulnerabilities — including the four this week — in its technologies since Jan. 1. Many of them have been critical flaws — at least two were zero-days — in the company's remote access products, which attackers, including advanced persistent threat actors such as "Magnet Goblin," have exploited in mass fashion. Concern over the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until fully remediated.

Security researcher and IANS Research faculty member Jake Williams says the vulnerability disclosures have prompted serious questions from Ivanti's customers. "Based on conversations I'm having, especially with Fortune 500 clients, I honestly think it's a bit of too little, too late," he says. "The time to publicly make this commitment was more than a month ago." There is no question that the issues with the Ivanti VPN appliance (formerly Pulse) are making CISOs question the security of Ivanti's many other products, he says.

**A Fresh Set of 4 Bugs**

The four new bugs Ivanti disclosed this week included two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risk for customers. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The other, assigned as CVE-2024-22053, allows an unauthenticated remote attacker to read the contents from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests to trigger denial of service conditions.

The other two flaws — CVE-2024-22052 and CVE-2024-22023 — are two medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any exploit activity in the wild targeting the vulnerabilities.

The steady stream of bug disclosures has raised questions about the risk that Ivanti's products pose to more than 40,000 customers worldwide, with some expressing their frustration on forums such as Reddit. Just two years ago, Ivanti's press releases claimed 96 of the Fortune 100 companies as its customers. In the latest release that number has declined nearly 12% to 85 companies. While the attrition might have to do with factors other than just security, some Ivanti rivals have begun to sense an opportunity. Cisco, for instance, has begun offering incentives — including a 90-day free trial — to try and get Ivanti VPN customers to migrate to its Secure Access platform so they can "mitigate risk" from Ivanti's products.

**Acquisition Related Problems?**

Eric Parizo, an analyst with Omdia, says at least some of Ivanti's challenges have to do with the fact that the company's product portfolio is the sum of numerous past acquisitions. "The original products were developed at different times by different companies for different purposes using varying methods. This means the software quality, in particular with regard to software security, can be dramatically uneven," he says.

 Parizo says what Ivanti is doing now with its commitment towards improving security processes and procedures across the board is a step in the right direction. "I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as that will help restore confidence in future purchases," he says. "Perhaps the one saving grace for Ivanti is that customers are so used to this sort of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

Initial access brokers are using the new downloader malware, which emerged just after QBot's 2023 disruption.

Source: Yuri Arcurs via Alamy Stock Photo

At first, analysts thought the downloader was a variant of well-known malware IcedID — but it turns out Latrodectus is something new altogether.

The malware is being used by initial access brokers (IABs) in email threat campaigns, and researchers behind the discovery at Proofpoint and Team Cymru S2 Threat Research Team predict Latrodectus will continue gaining momentum among threat actors. That's due in large part to its ability to evade sandbox detection, the researchers said.

"After initialization the malware will check its environment to confirm that it is not running in a sandbox by confirming the amount of running processes on the device, then checking to make sure it is running on a 64-bit host, and lastly the malware looks to see if the host has a valid MAC address," according to a statement from Adam Neel, threat detection engineer at Critical Start. "These sandbox evasion techniques can slow down researchers and defenders from analyzing samples of Latrodectus."

First discovered in late 2023, there's been a distinct uptick in threat activity using the new loader throughout February and March, the report warned.

Although it's not a variant of IcedID, the researchers found Latrodectus — named after a string of code found during analysis — does have similar characteristics, leading the team to conclude both were created by the same developers.

The first group using Latrodectus in November 2023 was TA577, and it has been relying on it almost exclusively since mid-January 2024, the report said. Prior to picking up Latrodectus, the adversary group was using IcedID, it added.

In February, researchers discovered another group, TA578, was distributing Latrodectus in a campaign that sent threats of legal action for copyright infringement as phishing lures.

**Is Latrodectus Downloader the New QBot?**

The new Latrodectus downloader is positioned to fill the void left by the takedown of QBot malware (also known as Qakbot) in the summer of 2023, according to a statement by Ken Dunham, cyber threat director at Qualys Threat Research Unit.

"TA577 and other actors are affiliated with Qbot and now, a new malware campaign, Latrodectus," Dunham explained. "It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023."

Awareness of Latrodectus actively being used in email campaigns, along with vigilance, will help enterprises defend against the upgraded downloader, experts advise. The new Latrodectus report provides tactics, techniques, and procedures to help.

"It is possible that this is not the last form of Latrodectus and it could continue to grow and differentiate itself from IcedID more in the future," Neel added. "Latrodectus is currently being distributed via email campaigns, so the need for phishing awareness continues to be incredibly important."

Malicious Latrodectus Downloader Picks Up Where QBot Left Off

Latest campaign underscores wide-ranging functionality and staying power of a decade-old piece of information-stealing malware.

Source: David Chapman via Alamy

More than 11,000 Australian companies were targeted in a recent wave of cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries that came with a malicious attachment. Victims who were tricked into opening the attachment exposed their Windows PCs to Agent Tesla infections.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by a variety of threat actors, including cybercriminals and spies, according to researchers at Check Point Software.

Alexander Chailytko, cybersecurity, research, and innovation manager at Check Point, says threat actors have "developed a level of trust" in Agent Tesla's capabilities.

"Its reliability, coupled with its diverse range of functionalities for data exfiltration and information theft, makes it a preferred choice among cybercriminals," Chailytko explains.

The malware offers a range of data exfiltration methods and stealing capabilities that target the most commonly used software, ranging from browsers to FTP clients. Recent updates to the malware offer tighter integration with platforms such as Telegram and Discord, which makes it easier for crooks to run hacking campaigns.

Agent Tesla was in the news last year, when cybercriminals exploited a 6-year-old Microsoft Office remote execution flaw to sling Agent Tesla.

**Anatomy of an Agent Tesla Hack**

An analysis by security researchers from Check Point published in a blog post this week offered one of the most detailed inspections of the methodology of an Agent Tesla-based phishing campaign to date. Their work offers a postmortem on a high-volume series of attacks launched in November 2023 against mostly Australian and American targets.

Check Point said a threat actor dubbed "Bignosa" first installed Plesk (for hosting) and Round Cube (email client) onto a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles a variety of options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

Once Agent Tesla was "protected" this way, Bignosa converted the malicious .NET code into an ISO file with a ".img" extension before attaching the resulting file to the spam emails.

Next, Bignosa connected to the newly configured machine via a remote access network protocol connection, created an email address, logged in to webmail, and launched the spam run using a pre-prepared target list. According to Check Point, "a few successful infections" hit Australia in a first wave of the attack.

**Down Under**

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by the presence of a mailing list file named "AU B2B Lead.txt" on their machines.

"This suggests a deliberate effort to compile and target email addresses linked to Australian business entities, potentially for the purpose of infiltrating corporate networks with the goal of extracting valuable information for financial exploitation," Check Point's Chailytko says.

Bignosa also worked with another more proficient cybercriminal, who immodestly goes by "Gods," in a campaign to hack into Australian and US-based businesses, the researchers found.

Gods offered advice to Bignosa on the content of malicious spam text, according to Jabber chat logs uncovered by the security researchers.

Like with other cybercriminals, the duo struggled with elements of their cybercrime campaign, according to evidence uncovered by Check Point.

In multiple instances, Bignosa wasn't able to clean his machine from the Agent Tesla test infections, so the hapless hacker had to call on remote access from Gods for assistance.

Check Point said it believes that Bignosa is Kenyan and Gods is a Nigerian with a day job as a Web developer.

**How to Block Agent Tesla Infections**

The Agent Tesla-based spear-phishing campaign highlighted by Check Point underscores the still-prevalent threat posed by the mature malware.

Businesses should maintain up-to-date operating systems and applications by promptly installing patches and utilizing other security measures. Commercial spam filtering and blocklist tools can help minimize the volume of junk traffic that appears in user inboxes, according to Check Point.

Even so, end users must exercise caution when encountering unexpected emails containing links, particularly from unfamiliar senders. According to Check Point, that's where regular employee training and education programs can bolster cybersecurity awareness.

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Source

DARKReading