Modern networks teem with machine accounts tasked with simple automated tasks yet given too many privileges and left unmonitored. Resolve that situation and you close an attack vector.

Source: Westend61 GmbH via Alamy Stock Photo

COMMENTARY  
Over my 32 years in cybersecurity, one painful constant has been managing the risks associated with network service accounts.

Service accounts are supposed to be machine-to-machine accounts that perform repetitive and automated scheduled tasks without human interaction. Common examples of service accounts include running applications on operating systems, databases, automated backups, and network maintenance. They should have extremely limited access rights, disallow human interaction, and only perform their intended function.

Rare is the management model that addresses service account concerns adequately from a security perspective. Best practices reduce the ability of threat actors to use such accounts to move laterally within the enterprise, undetected by our monitoring systems.

**Trouble Points of Service Accounts**

Every organization has service accounts. Every organization would also like to have fewer accounts and better monitoring and control for the accounts they must have. Threat actors understand the security risks of service accounts and take advantage of:

*   Lack of visibility. Service accounts can have complex dependencies in processes, applications, database structures, and programmatic systems. These accounts can be exceedingly difficult, if not impossible, to monitor and properly secure.
    
*   Difficulty in monitoring. Since service accounts are not typically associated with a specific person, monitoring the logs can cause confusion and complicate incident investigations. This can result in networks being exposed to threat actor actions and lateral movements, while the malicious actors remain completely undetected as they move around in the network.
    
*   Complicated nature of evictions. If threat actors breach your network and you need to evict them, every single password must be changed over a brief period, some more than once. This is when service accounts can really become burdensome and complicated. To commit to an eviction, you must change every single service account password. If you do not have a good inventory and understand the functionality of all service accounts, you should not attempt an eviction. In such a case, the few service accounts you could not change will probably be used by the threat actors.
    

**Common Gaps in Knowledge**

Many times during an incident response engagement, I have seen the following tendencies among organizations with regard to service accounts:

*   No one knows how many service accounts exists or how they are used.
    
*   The passwords have not been changed in years, and no one knows how to change the password — or what will break if they do.
    
*   No one knows why a service account exists or who owns the account.
    
*   The organization doesn't have a process for monitoring and securing the service accounts.
    

This is why it makes sense that threat actors gravitate toward service accounts. Often, these accounts have unnecessary rights and access.

**Developing a Comprehensive Strategy**

Understanding the problem is just the first part of developing a comprehensive strategy. Let us now identify the steps to solving security issues concerning service accounts.

*   Inventory all the service accounts. This can be done programmatically, using PowerShell or Active Directory tools.
    
*   Once you have a good inventory, assign an owner to each service account. This brings human insight and accountability. You may find that some service accounts are no longer needed.
    
*   Determine the purpose of all service accounts. How is the account used, and what does it do?
    
*   Document this information very carefully.
    

Finally, now you can formalize your service account program in a way that brings more security and oversight. You could choose to add your service accounts into a privileged access management (PAM) system, which would be ideal. However, remember this can be a long and tedious endeavor. While it is worth the effort, do not think it is not going to require lots of time and effort.

Next, whether or not you used PAM, develop a formalized audit reconciliation program around the use of each service account. This will heavily depend on the service account owners. An organization should require every owner to attest to the continued need for the service account periodically — I did this every six months — and accept the risk associated with the account's continued use. When the account owner accepts the risks associated with the service account, they change the password for the account.

Ideally, you can automate this process by using software platforms designed to manage risks and assist organizations in governance, risk, and compliance (GRC) issues. In such a system, if the automated workflow does not get processed correctly, the service account will be automatically disabled. If the service then remains disabled for a set period, it will automatically be deleted. This brings accountability to the management of service accounts.

This comprehensive strategy will reduce risks around the usage of service accounts. The most important thing is that the strategy ensures all service accounts are documented and holds a specific person accountable for their continued usage. This accountability, along with routine password changes, will dramatically reduce risks and help reconcile this important and often overlooked security weakness.

**About the Author(s)**

Principal Consultant, Secureworks Incident Response Team

Patrick B Barnett is Principal Consultant within the Secureworks Incident Response Team. With more than 26 years of experience in IT and information security, Pat architects and implements custom cybersecurity solutions for networks across the globe and has managed over 1,000 cyber incident responses over the last 25 years. Pat is passionate about seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to any size event. Pat has a Master of Science degree in Computer Engineering and Business Administration and several post-graduate cybersecurity certificates from MIT and Stanford University. Pat holds the following certifications: CISSP, HISSP, PCI QSA, PCPIP, CISM, CEH, and CISA. Professional affiliations include ISSA, EC-Council, ISC2, and PCI DSS.

For Service Accounts, Accountability Is Key to Security

PRESS RELEASE

CAMBRIDGE, April 17, 2024 - Redgate, the end-to-end Database DevOps provider, has launched an enterprise version of its popular database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.

Redgate Monitor Enterprise offers the most comprehensive and advanced capabilities for monitoring large, complex estates, optimizing performance, and ensuring security, compliance and high availability with a single, all-in-one tool.

“In delivering extended monitoring capabilities, Redgate Monitor Enterprise addresses the needs of large organizations, delivering on multiple challenges for those managing multi-platform database estates and allowing people to do far more, far faster,” said David Gummer, Chief Product Officer at Redgate. “Managing security and compliance can be an extremely manual task, often requiring additional tooling and absorbing significant time and resources. With the easy-to-use web-based dashboard built into Redgate Monitor Enterprise, IT leaders benefit from instant visibility into access rights and can significantly improve the efficiency of compliance auditing.”

Redgate Monitor launched as SQL Monitor in 2008 and has grown to become a favored database monitoring tool, offering instant problem diagnosis, customizable alerting, seamless scaling, and a single at-a-glance view of hybrid estates, whether on-premises or in the cloud. Redgate Monitor Enterprise builds yet further on that heritage and is tailored for larger organizations that require advanced features beyond typical monitoring.

Enhancing the proficiencies of DBAs and IT management

Redgate Monitor Enterprise gives those in IT management deliverable and demonstrable business advantages. It minimizes risk by enabling the shifting regulatory landscape to be navigated with ease and helps to avoid the cost of non-compliance. It builds and maintains trust with customers by preventing unauthorized access to sensitive information. It turns compliance into a strategic advantage by removing the administrative burden and freeing up resources for strategic projects. By doing so, it fosters positive relationships with regulatory bodies through transparent and effective communication and an always-on compliance posture.

David Gummer adds, “By helping zcontribute to security, making it everyone’s responsibility.”

“Redgate Monitor Enterprise's capability to gather permissions from all our servers and databases is going to save us so much time! Before, we had to use scripts - hundreds of lines of code. Now, we can just click a button to export this info and give it to our security team. They can check it against our rules, and we can get back to our main jobs. It's a big win for us,” added Redgate customer Patrick Meyer, DBA at Atruvia. 

Advanced enterprise capabilities:

Streamlined user permissions

Accessing a clear overview of user permissions and providing role-based access control is an ongoing headache for database management teams who want to give developers access to database environments yet remain compliant with both internal frameworks and external standards and regulations. The user permissions feature in Redgate Monitor Enterprise provides a streamlined approach to maintaining security and compliance across all environments by addressing the challenge of unauthorized changes and preventing unexpected issues during audits.

Its intuitive interface comprehensively tracks the past and present access rights of users, specifying the server, database, and level of permissions granted, along with identifying all users with access to a particular server. This data provides immediate actionable insights into access rights, speeding up the reporting process. It can also be exported, filtered and searched to meet specific administrative needs, easing the laborious, time-consuming process of access management, and providing full transparency for compliance reporting.

Simplified SQL Server configuration compliance

Many enterprises, particularly in highly regulated sectors, are expected to meet global standards when configuring their SQL Servers, wherever those servers are and on a constant, rolling basis. Redgate Monitor Enterprise centralizes database and server configuration checks from a single dashboard where all configurations can be reviewed and managed against recognized security benchmarks. This enables DBAs to ensure their SQL Servers meet every compliance requirement without having to manually sift through configurations. They can easily monitor configurations and generate reports, especially for large estates with numerous servers, significantly simplifying compliance efforts.

High Availability architecture support

Five 9s availability is a typical SLA for enterprises, with the expectation that applications and websites are operational 99.999% of the time. Redgate Monitor Enterprise fully supports High Availability architectures, enabling it to be installed within a resilient setup, ensuring continuous monitoring by having backup servers ready to take over in case of component failure. This is crucial for enterprises, for whom monitoring is production-critical, allowing them to maintain database visibility without interruption.

Comprehensive and seamless data API

The Data API in Redgate Monitor Enterprise allows direct queries to its data repository by adding a REST API layer for user access. It enables custom reports to be created and monitoring data to be integrated into broader IT infrastructures. This is particularly useful for large corporations with specific reporting needs or those wishing to seamlessly incorporate monitoring data into tools like Power BI dashboards.

Redgate Launches Enterprise Edition of Redgate Monitor

"Kapeka" and "Fuxnet" are the latest examples of malware to emerge from the long-standing conflict between the two countries.

Source: Andrew Angelov via Shutterstock

Two dangerous malware tools targeted at industrial control systems (ICS) and operating technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.

One of the tools, dubbed "Kapeka," appears linked to Sandworm, a prolific Russian state-backed threat actor that Google's Mandiant security group this week described as the country's primary cyberattack unit in Ukraine. Security researchers from Finland-based WithSecure spotted the backdoor featured in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and perceive it as an active and ongoing threat.

**Destructive Malware**

The other malware — somewhat colorfully dubbed Fuxnet — is a tool that Ukraine government-backed threat group Blackjack likely used in a recent, destructive attack against Moskollector, a company that maintains a large network of sensors for monitoring Moscow's sewage system. The attackers used Fuxnet to successfully brick what they claimed was a total of 1,700 sensor-gateways on Moskollector's network and in the process disabled some 87,000 sensors connected to these gateways.

"The main functionality of the Fuxnet ICS malware was corrupting and blocking access to sensor gateways, and trying to corrupt the physical sensors as well," says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack's attack. As a result of the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. "To restore \[Moskollector's\] ability of monitoring and operating the sewage system all around Moscow, they will need to procure and reset the entire system."

Kapeka and Fuxnet are examples of the broader cyber fallout from the conflict between Russia and Ukraine. Since the war between the two countries started in February 2022 — and even well before that — hacker groups from both sides developed and used a range of malware tools against each other. Many of the tools, including wipers and ransomware, have been destructive or disruptive in nature and mainly targeted critical infrastructure, ICS, and OT environments in both countries.

But on several occasions, attacks involving tools spawned from the long-standing conflict between the two countries have affected a broader swath of victims. The most notable example remains NotPetya, a malware tool that the Sandworm group originally developed for use in Ukraine, but which ended up impacting tens of thousands of systems worldwide in 2017. In 2023, the UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) warned of a Sandworm malware toolset dubbed "Infamous Chisel" posing a threat to Android users everywhere.

**Kapeka: A Sandworm Replacement for GreyEnergy?**

According to WithSecure, Kapeka is a novel backdoor that attackers can use as an early stage toolkit and for enabling long-term persistence on a victim system. The malware includes a dropper component for dropping the backdoor on a target machine and then removing itself. "Kapeka supports all basic functionalities that allow it to operate as a flexible backdoor in the victim's estate," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure.

Its capabilities include reading and writing files from and to disk, executing shell commands, and launching malicious payloads and processes including living-off-the-land binaries. "After gaining initial access, Kapeka's operator can utilize the backdoor to perform a wide variety of tasks on the victim's machine, such as discovery, deploying additional malware, and staging next stages of their attack," Nejad says.

According to Nejad, WithSecure was able to find evidence suggesting a connection to Sandworm and the group's GreyEnergy malware used in attacks on Ukraine's power grid in 2018. "We believe Kapeka may be a replacement for GreyEnergy in Sandworm's arsenal," Nejad notes. Though the two malware samples do not originate from the same source code, there are some conceptual overlaps between Kapeka and GreyEnergy, just as there were some overlaps between GreyEnergy and its predecessor, BlackEnergy. "This indicates that Sandworm may have upgraded their arsenal with new tooling over time to adapt with the changing threat landscape," Nejad says.

**Fuxnet: A Tool to Disrupt and Destroy**

Meanwhile, Claroty's Brizinov identifies Fuxnet as ICS malware intended to cause damage to specific Russian-made sensor equipment. The malware is meant for deploying on gateways that monitor and collect data from physical sensors for fire alarms, gas monitoring, lighting, and similar use cases.

"Once the malware is deployed, it will brick the gateways by overwriting its NAND chip and disabling external remote access capabilities, preventing operators from remotely controlling the devices," Brizinov says.  

A separate module then attempts to flood the physical sensors themselves with useless M-Bus traffic. M-Bus is a European communications protocol for remotely reading gas, water, electric, and other meters. "One of the main purposes of Blackjack’s Fuxnet ICS malware \[is\] to attack and destroy the physical sensors themselves after gaining access to the sensor gateway," Brizinov says. To do so, Blackjack chose to fuzz the sensors by sending them an unlimited number of M-Bus packets. "In essence, BlackJack hoped that by endlessly sending the sensor random M-Bus packets, the packets would overwhelm them and potentially trigger a vulnerability that would corrupt the sensors and place them in an inoperable state," he says.

The key takeaway for organizations from such attacks is to pay attention to the security basics. Blackjack, for instance, appears to have gained root access to target sensor-gateways by abusing weak credentials on the devices. The attack highlights why it "is important to uphold a good password policy, making sure devices do not share the same credentials or use default ones," he says. "It is also important to deploy good network sanitization and segmentation, making sure attackers would not be able to move laterally inside the network, and deploy their malware to all edge devices."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Dangerous ICS Malware Targets Orgs in Russia and Ukraine

Once attackers have control over a workload in the cluster, they can leverage access for lateral movement both inside the cluster and to external resources.

Source: Sergey Novikov via Alamy Stock Photo

Known vulnerabilities in OpenMetadata's open source metadata repository have been under active exploit since the beginning of April, allowing threat actors to launch remote code execution cyberattacks against unpatched Kubernetes clusters, according to research from Microsoft Threat Intelligence.

OpenMetadata is an open source platform that operates as a management tool as well as a central repository for metadata. In mid-March, researchers published information on five new vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) that affected versions preceding v1.3.1, according to Microsoft's report.

And while many cybersecurity teams might have missed the advisory, adversaries picked up on the opportunity to break into vulnerable Kubernetes environments and leverage them for cryptocurrency mining, the vendor said.

"In this case, a vulnerable Kubernetes workload which is exposed to the Internet got exploited," Microsoft researcher Yossi Weizman explains. While the cybercriminals were engaged in crypto mining, he warns there's a wide range of nefarious activity an adversary can engage in once they're inside a Kubernetes cluster.

"In general (not specifically in this case), once attackers have control over a workload in the cluster, they can try to leverage this access also for lateral movement, both inside the cluster and also to external resources," Weizman adds.

OpenMetadata administrators are advised to update, use strong authentication, and reset any default credentials in use.

Active Kubernetes RCE Attack Relies on Known OpenMetadata Vulns

Users will need to download the latest version of Ivanti's Avalanche to apply fixes for all of the bugs.

Source: Alexander Tolstykh via Shutterstock

Ivanti has released 27 fixes for various reported vulnerabilities in its 2024 first-quarter release. None of the vulnerabilities are being actively exploited, according to the vendor.

The company recommends users download the Avalanche installer and update to the latest version of Avalanche 6.4.3, which will, in turn, apply all the fixes listed in the update.

Each of the vulnerabilities has a CVSS score, ranging from a 4.3, a vulnerability that can allow an authenticated remote attacker to view sensitive information in memory, to a 9.8, a heap overflow vulnerability in the WLAvalancheService part of Avalanche, prior to version 6.4.3, that allows a remote attacker to execute commands without authentication.

Ivanti urges its users to ensure that their MSSQL database password is readily available because it does not store the password. Users can download the Avalanche 6.4.3 release through Ivanti, along with information on next steps to take.

**About the Author(s)**

Ivanti Releases Fixes for More Than 2 Dozen Vulnerabilities

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

Source: Stuart Miles via Alamy Stock Photo

A number of botnets are pummeling a nearly year-old command-injection vulnerability in TP-Link routers to compromise the devices for IoT-driven distributed denial of service (DDoS) attacks.

There already is a patch for the flaw, tracked as CVE-2023-1389, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior.

However, threat actors are taking advantage of unpatched devices to dispatch various botnets — include Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet — that can compromise the devices for DDoS and further nefarious activity, according to a blog post from Fortiguard Labs Threat Research.

"Recently, we observed multiple attacks focusing on this year-old vulnerability," which already was previously exploited by the in Mirai botnet, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguard's IPS telemetry has detected significant traffic peaks, which alerted the researchers to the malicious activity, they said.

**Exploiting the TP-Link Flaw**

The flaw creates a scenario in which there is no sanitization of the "Country" field of the router's management interface, "so an attacker can exploit it for malicious activities and gain foothold," according to TP-Link's security advisory for the flaw.

"This is an unauthenticated command-injection vulnerability in the 'locale' API available via the web management interface," Lin and Li explained.

To exploit it, users can query the specified form "country" and conduct a "write" operation, which is handled by the "set\_country" function, the researchers explained. That function calls the "merge\_config\_by\_country" function and concatenates the argument of the specified form "country" into a command string. This string is then executed by the "popen" function.

"Since the 'country' field won't be emptied, the attacker can achieve command injection," the researchers wrote.

**Botnets to the Siege**

TP-Link's advisory when the flaw was revealed last year included acknowledgement of exploitation by the Mirai botnet. But since then other botnets as well as various Mirai variants also have taken siege against vulnerable devices.

One is Agoent, a Golang-based agent bot that attacks by first fetching the script file "exec.sh" from an attacker-controlled website, which then retrieves the Executable and Linkable Format (ELF) files of different Linux-based architectures.

The bot then executes two primary behaviors: the first is to create the host username and password using random characters, and the second is to establish connection with command and control (C2) to pass on the credentials just created by the malware for device takeover, the researchers said.

A botnet that creates denial of service (DoS) in Linux architectures called the Gafgyt variant also is attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux architecture execution files with the prefix filename "rebirth." The botnet then gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message, the researchers explained.

"After establishing a connection with its C2 server, the malware receives a continuous 'PING' command from the server to ensure persistence on the compromised target," the researchers wrote. It then waits for various C2 commands to create DoS attacks.

The botnet called Moobot also is attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attacker's C2 server, the researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnet's execution file designed for the "x86\_64" architecture to determine its exploitation activity, they said.

A variant of Mirai also is conducting DDoS attacks in its exploitation of the flaw by sending a packet from the C&C server to direct the endpoint to initiate the attack, the researchers noted.

"The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victim's IP address and the port number 30129," they explained.

Miori, another Mirai variant, also has joined the fray to conduct brute-force attacks on compromised devices, the researchers noted. And they also observed attacks by Condi that remains consistent with a version of the botnet that was active last year.

The attack retains the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system, and scans active processes and cross-references with predefined strings to terminate processes with matching names, the researchers said.

**Patch & Protect to Avoid DDoS**

Botnet attacks that exploit device flaws to target IoT environments are "relentless," and thus users should be vigilant against DDoS botnets," the researchers noted. Indeed, IoT adversaries are advancing their attacks by pouncing on unpatched device flaws to further their sophisticated attack agendas.

Attacks against TP-Link devices can be mitigated by applying the available patch for affected devices, and this practice should be followed for any other IoT devices "to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors," the researchers wrote.

Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs, and files that can help server administrators identify an attack.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

Having a solid disaster recovery plan is the glue that keeps your essential functions together when all hell breaks loose.

Source: Aleksei Gorodenkov via Alamy Stock Photo

COMMENTARY

As the conflict in Ukraine enters its third year, the global community is confronted with the grim reality of modern warfare, where cyber operations have emerged as a pivotal battleground. Reflecting on past events and the ongoing crisis, it's evident that cyberattacks have become a constant threat, leaving no sector untouched and rendering the Ukrainian people and their systems vulnerable to relentless aggression.

In January 2022, as tensions loomed, I was tasked with outlining the potential consequences of a Russian attack on Ukraine to a private equity client with operations in the region. Little did we know that the scenarios we discussed would soon transition from hypothetical to harrowing realities.

Fast forward to 2024, and the dire situation persists. Recent cyberattacks targeting Ukrainian state agencies, including the state-owned energy company, and financial institutions such as Monobank, Ukraine's largest mobile-only bank, underscore the severity of the ongoing digital onslaught. The infiltration of Ukrainian telecommunications giant Kyivstar by Russian hackers further highlights the magnitude of the threat, leaving millions without vital services for days.

**How to Prepare for Cyber Warfare**

Amidst this turmoil, organizations must prioritize disaster recovery preparedness to mitigate risks and enhance resilience. Here are essential steps to consider:

1.  Safety of personnel: Beyond technical aspects, acknowledging the human impact of cyber warfare is paramount. With millions of Ukrainian people displaced and seeking refuge, ensuring the safety and well-being of your teams and their vulnerable families should be a top priority.
    
2.  Comprehensive backup strategies: Implementing robust backup solutions for critical data, systems, and networks is essential to restore operations swiftly in the event of a cyberattack. A multisite strategy ensures data survivability even in the face of unforeseen disasters.
    
3.  Cybersecurity training and awareness: Educating employees about cybersecurity best practices significantly reduces the likelihood of successful attacks, making every individual a frontline defender against cyber threats.
    
4.  Multilayered defense mechanisms: Adopting a multilayered approach to cybersecurity, including firewalls, intrusion detection systems, and endpoint protection, strengthens defenses and minimizes vulnerabilities.
    
5.  Incident response planning: Developing a comprehensive incident response plan enables organizations to react swiftly and effectively to cyber breaches, ensuring minimal disruption and damage.
    
6.  Collaboration and information sharing: Collaborating within the cybersecurity community and sharing threat intelligence and best practices bolsters defenses and adaptability against evolving threats.
    

When I reflect on the pre-war briefing on that cold January day in 2022, I recall how dark and macabre my presentation was. Nobody thought that what I was outlining could become reality. But it did. And even worse.

As we continue to witness the devastating impact of cyber warfare in Ukraine, it serves as a poignant reminder of the imperative for preparedness and resilience in the face of modern threats. By implementing proactive cybersecurity measures, prioritizing human safety, and fostering collaboration, organizations can defend against cyberattacks and uphold principles of sovereignty and stability in the digital age. It is essential for organizations to have a solid disaster recovery plan, as it is the glue that keeps your essential functions together when all hell breaks loose. Together, we can navigate the complexities of cyber warfare and work towards a future where technology protects and empowers all, even amidst conflict and adversity.

**About the Author(s)**

Independent Cybersecurity Consultant

Hadi Shavarini an independent cybersecurity consultant is a seasoned CISSP, with over 20 years of extensive Cloud Security experience across Data, Application, IAM, and Infrastructure domains, along with strategic cybersecurity expertise. As a Cybersecurity Consultant and virtual Chief Information Security Officer (vCISO), he specializes in delivering unparalleled advisory and cybersecurity services fortifying organizations' governance, risk, and compliance strategies. Hadi has demonstrated proficiency in steering cybersecurity initiatives across diverse industries, including financial services, healthcare, energy, manufacturing, tech, and retail. As a vCISO and trusted advisor, he excels in fostering strong client relationships, conducting cybersecurity evaluations, and guiding clients in implementing security frameworks and regulatory compliance. Hadi's leadership extends to his roles as CEO & Cofounder at Blue Robin Inc., and CEO & Cofounder at WebMedicPro. His expertise encompasses a wide range of IT solutions, project management, and strategic consultancy in cybersecurity and technology integration.

Preparing for Cyber Warfare: 6 Key Lessons From Ukraine

A native-first approach delivers better protections and a more efficient use of resources than best-of-breed solutions, benefiting cloud service providers and end-user customers alike.

Source: Rasi Bhadramani via Alamy Stock Photo

As companies increasingly migrate to public cloud platforms like Microsoft Azure, Amazon Web Services (AWS), and Google Cloud, many are opting to lift and shift their existing security toolsets in the process. Today, the average company deploys as many as 76 disparate security tools. This is commonly known as a best-of-breed approach.

However, the problem with a best-of-breed model is that it creates security and efficiency gaps for cloud workloads. Because third-party cloud security solutions rely on the visibility provided by the cloud service provider's (CSP) application programming interface (API), each one comes with its own unique set of limitations and blind spots. This makes it difficult for security engineers and analysts to accurately and efficiently triage and remediate threats.

By contrast, a native-first cloud security approach deploys seamlessly integrated first-party security solutions to drive greater cost and resource efficiencies, as well as increase overall security resiliency. Here are three reasons to prioritize a native-first approach over best-of-breed.

**Reduce Your Attack Surface**

One key argument for implementing a native-first cloud security approach over best-of-breed is that relying on multiple third-party security solutions can inadvertently expand an organization's attack surface. Each new tool introduces its own set of configurations, APIs, and potential vulnerabilities. If not properly managed, third-party tools can create additional opportunities for attackers to exploit weaknesses in the security infrastructure. In fact, cloud misconfigurations were responsible for 80% of data security breaches in 2023.

On the other hand, a native-first cloud security approach relies on first-party solutions and doesn't require any changes to the customer's cloud environment. That minimizes the risk of introducing additional weaknesses.

**Eliminate Security Blind Spots**

Another core benefit of a native-first cloud security model is that it eliminates the blind spots often seen with best-of-breed solutions. Third-party solutions often struggle to integrate with one another or with the specific cloud platform being used, which can lead to gaps in visibility and coordination — making it difficult to have a unified view of the security landscape. And because public cloud environments often rely on a variety of interconnected services and APIs, organizations run the risk of missing potential threats or vulnerabilities if their best-of-breed security tools are not designed to work seamlessly with these cloud-native services.

A native-first approach eliminates this issue because all of the CSP solutions are already designed to work together seamlessly. For example, a cloud container workload protection plan that natively integrates with Azure Kubernetes Services (AKS) and Azure Container Repository (ACR) would not require any changes to the protection plan when changes are made to the container-based solution. Similarly, a cloud-native application protection platform (CNAPP) integrating with Microsoft threat intelligence can ensure security teams can respond to security incidents in real time.

**Drive Greater Team Efficiencies**

Finally, taking a best-of-breed approach means that security teams are responsible for managing multiple security solutions from different vendors. This is complex and resource-intensive, requiring teams to understand the various interfaces, policies, and update schedules, while also managing crucial security configurations and responding promptly to emerging threats. Running multiple security tools concurrently can also lead to redundant system resources. This redundancy affects the overall performance of the cloud environment and increases operational costs without necessarily improving security effectiveness.

Under a native-first model, security teams only need to understand their CSP's services — thus cutting down on the initial learning curve required since the native solutions leverage other native services, such as dashboards and responses. Many CSPs are also designed to ensure the efficient use of customers' cloud resources, with much of the heavy lifting done within the CSP's control plane. 

Ultimately, a native-first cloud security approach delivers better protections and a more efficient use of resources than best-of-breed third-party solutions. And because CSPs are used to serving a wide range of customers and use cases, they can often offer more flexibility, innovation, and specialized security expertise than third-party vendors. By exploring available native-first security solutions to see what makes the most sense for their environments, organizations can take the first step toward a more secure and more efficient cloud-based future.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Why a Native-First Approach Is Key to Cloud Security

But even with that focus, the sophisticated threat group has continued operations against targets globally, including the US, says Google's Mandiant.

Source: Militarist via Shutterstock

The formidable Sandworm hacker group has played a central role supporting Russian military objectives in Ukraine over the past two years even as it has stepped up cyberthreat operations in other regions of strategic political, economic, and military interest to Russia.

That's the upshot of the analysis of the threat actor's activities undertaken by Google Cloud's Mandiant security group. They found that Sandworm — or APT44, as Mandiant has been tracking it — to be responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022.

In the process, the threat actor established itself as the primary cyberattack unit within Russia's Main Intelligence Directorate (GRU) and among all Russian state-backed cybergroups, Mandiant assessed. No other cyber outfit appears as totally integrated with Russia's military operators as Sandworm is presently, the security vendor noted in a report this week that offers a detailed look at the group's tools, techniques, and practices.

"APT44 operations are global in scope and mirror Russia's wide ranging national interests and ambitions," Mandiant warned. "Even with an ongoing war, we have observed the group sustain access and espionage operations across North America, Europe, the Middle East, Central Asia, and Latin America."

One manifestation of Sandworm's broadening global mandate was a series of attacks on three water and hydroelectric facilities in the US and France earlier this year by a hacking outfit called CyberArmyofRussia\_Reborn, which Mandiant believes is controlled by Sandworm.

The attacks — which appear to have been more a demonstration of capabilities than anything else — caused a system malfunction at one of the attacked US water facilities. In October 2022, a group that Mandiant believes was APT44 deployed ransomware against logistics providers in Poland in a rare instance of deploying a disruptive capability against a NATO country.

**Global Mandate**

Sandworm is a threat actor that has been active for more than a decade. It's well known for numerous high-profile attacks such as the one in 2022 that took down sections of Ukraine's power grid just prior to a Russian missile strike; the 2017 NotPetya ransomware outbreak, and an attack at the opening ceremony of the Pyeongchang Olympic Games in South Korea. The group has traditionally targeted government and critical infrastructure organizations, including those in the defense, transportation, and energy sectors. The US government and others have attributed the operation to a cyber unit within Russia's GRU. In 2020, the US Justice Department indicted several Russian military officers for their alleged role in various Sandworm campaigns.

"APT44 has an extremely broad targeting remit," says Dan Black, principal analyst at Mandiant. "Organizations who develop software or other technologies for industrial control systems and other critical infrastructure components should have APT44 front and center in their threat models."

Gabby Roncone, a senior analyst with Mandiant's Advanced Practices team, includes media organizations among APT44/Sandworm's targets, especially during elections. "Many key elections of high interest to Russia are taking place this year, and APT44 may attempt to be a key player" in them, Roncone says.

Mandiant itself has been tracking APT44 as a unit within Russia's military intelligence. "We track a complex external ecosystem that enables their operations, including state-owned research entities and private companies," Roncone adds.

Within Ukraine, Sandworm's attacks have increasingly focused on espionage activity with a view to gathering information for Russian military forces' battlefield advantage, Mandiant said. In many cases, the threat actor's favorite tactic for gaining initial access to target networks has been through exploitation of routers, VPNs, and other edge infrastructure. It's a tactic that the threat actor has been increasingly using since Russia's Ukraine invasion. While the group has accumulated a vast collection of bespoke attack tools, it has often relied on legitimate tools and living-off-the-land techniques to evade detection.

**An Elusive Enemy**

"APT44 is adept at flying under the detection radar. Building detections for commonly abused open source tools and living-off-the-land methods is critical," Black says.

Roncone also advocates that organizations map and maintain their network environments and segment networks where possible because of Sandworm's penchant for targeting vulnerable edge infrastructure for initial entry and re-entry into environments. "Organizations should additionally be wary of APT44 pivoting between espionage and disruptive goals after gaining access to networks," Roncone notes. "For folks working in media and media organizations in particular, digital safety training for individual journalists is key."

Black and Roncone perceive APT44/Sandworm's use of hacking fronts like CyberArmyofRussia\_Reborn as an attempt to draw attention to its campaigns and for deniability purposes.

"We have seen APT44 repeatedly use the CyberArmyofRussia\_Reborn Telegram to post evidence from and draw attention to its sabotage activity," Black says. "We cannot conclusively determine if this is an exclusive relationship but judge that APT44 has the ability to direct and influence what the persona posts on Telegram."

Black says APT44 could be using personas such as CyberArmyofRussia\_Reborn as a way to avoid direct attribution in case they cross a line or provoke a response. "But the second \[motive\] is that they create a fake sense of popular support for Russia's war — a false impression that average Russians are self-assembling to join the cyber fight against Ukraine."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Sandworm' Group Is Russia's Primary Cyberattack Unit in Ukraine

Israel prepares for a response to Iran's April 14 drone and missile attack.

Source: Birgit Korber via via Alamy Stock Photo

Adding fuel to speculation that Israel may wage strategic cyberattacks on Iran in response to the April 14 aerial drone and missile attack, the Israeli Defense Forces (IDF) held simulated cyber and combat warfare drills.

Israel's Northern Command forces held the drills with the nation's cyber and technology units to test the combination of cyber and kinetic warfare in preparation to the nation's response to the Iranian attack, according to The Jerusalem Post.

Earlier this week, Israeli citizens received threatening text messages purportedly from an Iranian-backed hacking team warning that it has hijacked the nation's radar systems, stating: "You have only a few hours to fix the systems."

Israeli officials had not verified the group's claims.

**About the Author(s)**

Source

DARKReading