Integration provides threat intel teams with an early warning system for geopolitical events that could trigger cyberattacks.

**London, UK – 21 June 2023** – Silobreaker, a leading security and threat intelligence technology company, has announced its enhanced geopolitical threat intelligence capabilities with RANE (Risk Assistance Network + Exchange) at Infosecurity Europe, 20-22 June 2023. The tie-up will see Silobreaker integrate global risk intelligence company RANE's Enterprise Geopolitical Intelligence into its own threat intelligence platform, providing cyber threat intelligence (CTI) teams with real-time information about world events that could heighten the risk of cyberattacks.

With the addition of RANE's geopolitical threat intelligence, analysis and forecasting capabilities, Silobreaker's platform will provide CTI teams with vital context into highly complex, interconnected events, allowing them to take proactive steps to reduce their organisations' exposure to risks impacting business productivity, resiliency and continuity.

The integration allows users to seamlessly access RANE reports, country risk scores and the full resources of Silobreaker's data source-agnostic platform. CTI teams can easily retrieve RANE's geopolitical intelligence and pivot between it and other finished intelligence sources, or data from millions of open and dark web sources, to contextualise results and meet complex intelligence requirements. With automated data collection and processing at scale — and fully customisable dashboards and rich reporting capabilities — Silobreaker enables organisations to make intelligence-led decisions quickly and from one place, maximising the value of their threat intel investments.

"In recent years, there's been a blurring of the lines between geopolitical events and cyber activity. Today, if you want to defend against the latter, you absolutely need to know about the former," said Kristofer Mansson, CEO of Silobreaker. "With RANE's geopolitical threat intelligence integrated into our platform, organisations have access to an early warning system of the events that cross over with the most pressing current cyber threats — emphasising the importance of multi-disciplinary intelligence for mitigating the most serious risks."

Also debuting at Infosec Europe is Silobreaker's new **Vulnerability Alert**. Scheduled for launch on 21 June, this weekly alert enables users to stay informed about significant developments for patch prioritisation. Users can keep up to date on actively exploited vulnerabilities and zero-days, including exploit maturity and attack complexity. It will also offer valuable insights into trending critical and high-severity vulnerabilities, and deliver the top stories from Patch Tuesday and the week’s major campaigns. 

Silobreaker has recently been recognised as a Representative Vendor in the 2023 **Gartner® Market Guide for Security Threat Intelligence Products and Services (May 2023)**. The company's Cyber Threat Intelligence, Physical Risk Intelligence, Strategic and Political Intelligence and Brand Threat Protection are among the products and services listed.

To see a demo of the Silobreaker-RANE integration live, join us at the Silobreaker stand (Z40) at Infosecurity Europe, ExCel, London, 20-22 June 2023.

**Objectivity Disclaimer**

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Silobreaker**

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace. We do this by bringing together all the steps of the intelligence cycle in one place; from the management of cyber, physical and geopolitical PIRs to the automated collection and processing of structured and unstructured data from open, deep and dark web and finished intelligence sources; to the analysis, production and dissemination of intelligence. This helps intelligence teams work more efficiently to identify and prioritise threats and supports decision-makers to act faster to mitigate risk, protect revenue and drive business results.  Learn more at www.silobreaker.com

**About RANE**

RANE is a global risk intelligence company that provides risk and security professionals with critical insights and analysis to better anticipate, monitor, and respond to emerging threats. For more information about RANE, visit 

Infosecurity Europe brings together information security professionals attending from every segment of the industry, as well the leading industry suppliers showcasing their products and services, industry analysts, worldwide press and policy experts. Expert practitioners are lined up to take part in the free-to-attend conference, seminar and workshop programme. Find out more at https://www.infosecurityeurope.com.

Silobreaker Unveils Geopolitical Threat Intelligence Capabilities With RANE at Infosecurity Europe 2023

It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.

The US National Security Agency (NSA) is urging systems administrators to go beyond patching in order to protect Windows 10 and 11 machines from the BlackLotus bootkit malware.

BlackLotus burst on the scene last fall when it was spotted for sale on the Dark Web for $5,000. It has the dubious distinction of being the first in-the-wild malware to successfully bypass to Microsoft's Unified Extensible Firmware Interface (UEFI) Secure Boot protections.

UEFI is the firmware that's responsible for the booting-up routine, so it loads before the operating system kernel and any other software. BlackLotus — a software, not a firmware threat, it should be noted — takes advantage of two vulnerabilities in the UEFI Secure Boot function to insert itself into the earliest phase of the software boot process initiated by UEFI: CVE-2022-21894, aka Baton Drop, CVSS score 4.4; and CVE-2023-24932, CVSS score 6.7. These were patched by Microsoft in January 2022 and May 2023 respectively.

But the country's top technology intelligence division warned that applying the available Windows 10 and Windows 11 patches is only a "a good first step."

"Patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX)," according to a BlackLotus mitigation guide (PDF) released by the NSA this week. "Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot."

That means that bad actors can simply replace fully patched boot loaders with legitimate but vulnerable versions in order to execute BlackLotus on compromised endpoints. It's an issue that Microsoft is addressing with a more comprehensive fix planned for release in early 2024, but until then, the NSA recommends that infrastructure owners take additional steps to harden their systems, such as tightening up user executable policies, and monitoring the integrity of the boot partition. An optional advanced mitigation is to customize the Secure Boot policy by adding DBX records to all Windows endpoints.

"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum, in the advisory.

And indeed, the advisory offers extensive hardening advice, but fully implementing the NSA's guidance is a process unto itself, notes John Gallagher, vice president of Viakoo Labs.

"Given the manual nature of NSA's guidance, many organizations will find that they don't have the resources needed to fully remediate this vulnerability. Additional measures like use of network access control and traffic analysis should also be used until Microsoft can provide a more complete fix," he says.

**BlackLotus, A First-of-its-Kind Bootkit**

Executing malware like BlackLotus does offer cyberattackers several significant advantages, including ensuring persistence even after OS reinstalls and hard drive replacements. And, because the bad code executes in kernel mode ahead of security software, it's undetectable by standard defenses like BitLocker and Windows Defender (and can indeed turn them off entirely). It also can control and subvert every other program on the machine and can load additional stealthy malware that will execute with root privileges.

"UEFI vulnerabilities, as the guidance from NSA shows, are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions," says Gallagher. "The guidance NSA is providing is critically important as a reminder to pay attention to boot-level vulnerabilities and have a method to address them."

It all sounds pretty dire — an assessment of which many systems administrators agree. But as the NSA noted, most security teams are confused about how to combat the danger that the bootkit poses.

"Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat," according to the NSA guidance. "Other organizations believe there is no threat, due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."

The NSA didn't provide an explanation for why it's issuing the guidance now — i.e., it didn't issue information about recent mass exploitation efforts or in-the-wild incidents. But John Bambenek, principal threat hunter at Netenrich, notes that the NSA piping up at all should indicate that BlackLotus is a threat that requires attention.

"Whenever the NSA releases a tool or guidance, the most important information is what they aren't saying," he says. "They took the time and effort to develop this tool, declassify it, and release it. They will never say why, but the reason was worth a significant diversion from how they usually operate by saying nothing."

NSA: BlackLotus BootKit Patching Won't Prevent Compromise

Unknown senders have been shipping smartwatches to service members, leading to questions regarding what kind of ulterior motive is at play, malware or otherwise.

The US Army's Criminal Investigation Division (CID) is warning service members to look out for unsolicited smartwatches arriving in the mail, which likely carry risks of malware and allowing unauthorized access to sensitive systems.

When used, the smartwatches are able to auto-connect to the local Wi-Fi network, and can also connect to cellphones, thus allowing access to a user's data. The snooped information can be private and used to exploit a victim, the advisory warned, and it's possible that these watches also carry malware that could allow a threat actor to access, save, or transfer data such as banking information, account information, or personal contacts. 

"Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This 'surprise smartwatch' tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information," said Melissa Bischoping, director of endpoint security research at Tanium, in an emailed comment. "As the adage goes, if it's too good to be true, it probably is, and if you're not paying for the product, you ARE the product."

Alternatively, these mystery smartwatches sent from unknown senders could also be used for a practice known as "brushing," in which presumably counterfeit products are sent via mail to random individuals so that companies can write positive reviews in the name of the person they sent the product to.

Should anyone, military personnel or otherwise, receive a product such as this, the CID advises recipients not to turn it on and to report it to local counterintelligence, or through its "Report a Crime" portal, where individuals can also submit tips.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Suspicious Smartwatches Mailed to US Army Personnel

Exploiting a flaw in how the app handles communication with external tenants gives threat actors an easy way to send malicious files from a trusted source to an organization's employees, but no patch is imminent.

A bug in the latest version of Microsoft Teams allows for external sources to send files to an organization's employees even though the application typically blocks such activity, researchers have found. This give threat actors an alternative to complex and expensive phishing campaigns to deliver malware into target organizations — but Microsoft won't be addressing it as a priority.

Researchers Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde\_sec) from JUMPSEC Labs' Red Team discovered a way to exploit the Microsoft Teams External Tenants feature to slip malware into files sent to an organization's employees, thus bypassing nearly all modern anti-phishing protections, they revealed in a blog post published this week.

"This vulnerability affects every organization using Teams in the default configuration," Corbridge wrote in the post. "As such it has huge potential reach and could be leveraged by threat actors to bypass many traditional payload delivery security controls."

Teams is Microsoft's widely used hosted messaging and file-sharing app, which already was used by an estimated 91% of Fortune 100 organizations before the Covid-19 pandemic, according to Microsoft financial data. During the pandemic, the use of Teams expanded even further, as many organizations came to rely on it to communicate and collaborate with their remote workforce.

Though Teams is typically used for communication between employees within the same organization, Microsoft's default configuration for teams allows users from outside the company to reach out to its employees, the researchers said. This is where the opportunity arises for threat actors to exploit the app to deliver malware, they said.

This can be done by bypassing client-side security controls that prevent external tenants from sending files —which in this case, would be malicious — to internal users, the researchers explained.

**How the Microsoft Teams Exploit Works**

The vulnerability lies in a capability that allows any Microsoft Teams allows user with a Microsoft account to reach out to what are called "external tenancies," the researchers explained. In this case, these tenancies would be any business or organization using Microsoft teams, which each have their own tenancy.

"Users from one tenancy are able to send messages to users in another tenancy," Corbridge explained. "When doing so, an 'External' banner appears alongside the name."

Though some employees might not click on a message from an external source, many would, something that Corbridge said the researchers already proved as part of a red-team engagement aimed at gaining an initial foothold in a client's environment.

"This is especially true if the malicious party is impersonating a known member of your organization and has purchased and registered a brand-impersonation domain, as red teams often do," he noted in the post.

Though external tenants in Teams are blocked from sending files to staff in another organization — unlike their ability to send files between employees in a single organization or tenancy — Corbridge said he and JUMPSEC's head of offensive security Tom Ellson were able to bypass this control within 10 minutes.

"Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request," Corbridge explained in the post. "When sending the payload like this, it is actually hosted on a SharePoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link."

The researchers tested their technique in a mature client environment during a red-team exercise last month and confirmed that it "allowed for a much more simple, reliable, and user-friendly payload delivery avenue than traditional phishing journeys," he wrote.

**A Dangerous & Impactful Collaboration App Bug**

The bug provides a "potentially lucrative avenue" for threat actors because of how straightforward it is for them to deliver malware to organizations without the need to craft socially-engineered email messages with malicious links or files and hope employees take the bait and click on them, Corbridge wrote.

Threat actors can easily buy a domain similar to a target organization's and register it with Microsoft 365, thus setting up a legitimate Teams tenancy and not having to build complex phishing infrastructure and then rely on employees already savvy to phishing tactics to make a mistake, he said.

By exploiting the flaw, a malicious payload is served via a trusted Sharepoint domain as a file in a target's Teams inbox. "As such, the payload inherits the trust reputation of Sharepoint, not a malicious phishing website," Corbridge wrote.

Threat actors can even use social engineering and start a conversation with an employee, which can lead to participation in a Teams call, the sharing of screens, and more, allowing them to conduct even more nefarious activity or even deliver the payload themselves, he added.

**No Patch Coming: Mitigations & Protections**

The researchers reported the vulnerability to Microsoft, which validated its legitimacy but said "it did not meet the bar for immediate servicing," Corbridge wrote.

To mitigate the bug themselves, organizations can review if there is a business requirement for external tenants to have permission to message staff and, if this is not the case, to remove the option to do so in Microsoft Teams Admin Center > External Access.

If an organization does require communication with external tenants but has only a handful of organizations with which employees regularly communicate, administrators can also use this field to change the Team security settings to only allow communication with certain allow-listed domains, the researchers said.

If neither of these mitigation options is viable for an organization, administrators can try educating staff on the possibility of productivity apps such as Teams, Slack, Sharepoint, and others for launching social-engineering campaigns similar to the ones found in email messages to help them avoid compromise.

Organizations can also use Web proxy logs to provide alerts or at least baseline visibility into staff members accepting external-message requests, Corbridge added.

"The difficulty, at present, is turning this into a useful piece of telemetry with usernames, and the message in question," but can provide some idea of how common this transaction is within an organization for potential mitigation, he acknowledged.

Microsoft Teams Attack Skips the Phish to Deliver Malware Directly

For line-of-business execs, the fear of grinding mission-critical systems to a halt overrides the fear of ransomware. How can CISOs overcome this?

Dirk Hodgson, the director of cybersecurity for NTT Australia, tells a story. He once worked with a company that did scientific measurements. The highly specialized firm used highly specialized equipment, and one large piece of equipment cost them $2 million when purchased years ago.

The hardware did not cause any issues, and the manufacturer routinely replaced parts and performed maintenance, as per their contract. The security problem was the operating system, which was Windows XP. The company went to the manufacturer and asked if it could upgrade the OS to a current and supported OS.

Not a problem, replied the manufacturer. The company merely has to buy a new multimillion-dollar system, and that will come with a current OS. As for updating the OS on the current machine? The manufacturer declined.

"That thousand-dollar upgrade would require a multimillion-dollar investment," Hodgson says. "Legacy software is definitely a big problem."

For decades, security executives have battled legacy systems. The fight has gotten more intense as the threat landscape has grown more complicated, tangled up in remote workers, partners, IoT, and cloud integrations. There are many technological ways to try to mitigate the legacy threat — isolation, virtualization, replication in a sandbox, etc. — but none of those deal with corporate politics and the fear of letting security teams touch legacy systems at all.

**Uptime Issues Take Priority for Line-of-Business**

The issues with legacy systems fall into two distinct buckets: cybersecurity issues and uptime issues. For the line-of-business (LOB) executive, the uptime issue — the fear that touching anything in the legacy environment could cause the system to crash — is far more frightening. And because these legacy systems usually operate quite well day to day, the business executive sees zero reason to toy with them.

The LOB also often legitimately worries that they won't have the capabilities to restore the system if it does crash because the people who wrote the code are long gone, the vendor who manufactured the hardware may no longer be in business, and the documentation for the software is either nonexistent or woefully inadequate.

Worst of all, legacy systems are often truly mission-critical, such as those running assembly lines. Those systems crashing could easily halt production for an indeterminate period, and worse, could trigger cascading failures across connected systems.

"The big surprise about legacy systems is that since they have been around for so long, almost everything else is connected to them," says Michael Smith, field CTO at Vercara. "So you have this huge Gordian knot of dependencies that make it nearly impossible to upgrade or decommission that legacy system, and you have to do a lot of network and log analysis to understand what other systems are connecting to them and when."

**Bubble Wrap Doesn't Work for Everything**

"Business executives are right to be cautious when allowing security teams to touch mission-critical legacy systems," says Eoin Hinchy, founder and CEO of Tines. "Security teams should instead focus on reducing the attack surface area of legacy systems. In other words, wrap them in bubble wrap."

Although the bubble-wrap concept is a popular means of dealing with legacy, it doesn't always work. And therein lies the real conundrum. Not only does this effort still sometimes fail, but there is no reliable way of predicting such a failure.

"One of the challenges with legacy is that is an accumulation of a technical debt that amasses over time," says David Burg, cybersecurity leader for Ernst & Young Americas. "When they were built, (developers) were working with the institutional knowledge that existed at that time. The documentation of architecture, interoperability, and dependencies and such were likely never documented. People come and go."

Beyond the traditional security risks, NTT Australia's Hodgson points out that system certification is another complicating factor. "A system is certified to a particular level. If patched, there is a reasonable chance that it will work fine, but you might lose that accreditation that you bought," he says.

And many of these specialized systems are physically difficult to replace even if the LOB chooses to do so. "Consider medical facilities installing MRI machines. They have to be craned in, you have to install lead in the walls," Hodgson says. "You are going to be keeping that for a very long time."

**What CISOs Want**

This brings the debate to a conflict between ideal and practical. From the board/CEO/CISO perspective, the ideal would be to replace all of the legacy systems with modernized systems that can effortlessly support today's cybersecurity and compliance requirements. But even if the enterprise is willing to spend the money to make that switch, it may simply not be practical.

"For many legacy system applications, data access, calculation, and even communications performance cannot be easily matched in a PC environment, if at all," says Bob Hansmann, senior product marketing manager for security at Infoblox. "The work to migrate/rewrite Cobol, Fortran, RPG II, and other applications to PC platforms is mountainous and hard to cost-justify. And even if the code is migrated, it needs to be heavily tested and modified for performance — as in speed and accuracy — often due to how different PC hardware is from mainframe and mini hardware."

The lack of actionable documentation is a critical factor in updating legacy systems, but the problem is not limited to legacy. Today's developers — whether it's a software vendor creating apps for wide distribution or an enterprise developer creating homegrown software — still do not document code in any usable way. Thus, the next generation of legacy systems may suffer from the same problems.

**Build Documentation Into Future Legacy**

Ayman Al Issa, the industrial cybersecurity lead at McKinsey, labels the lack of actionable documentation today "a major issue."

"We don't see good documentation at all," he says. "It's a cultural issue. They don't see the value of documentation. This includes maintenance issues and any change to the system. They are simply not documented. People are lazy about documenting everything."

Al Issa suggests that companies need to create their own documentation based on the teams managing the systems. But to avoid the single-point-of-failure problem, "they need to do a rotation of duties so that there's not only one person who can operate the systems," he says.

In theory, management should insist that proper documentation happen, but instead, managers are pressured to deliver. Once the developer completes Project A, do they insist that the developer spend a week documenting everything, or do they tell the developer to move onto the next project, which is what the developer wants to do anyway?

Burg says the only viable fix is to incorporate strong document requirements into the DevSecOps process: "We have to make this contemporaneous documentation or it won't happen."

Why Legacy System Users Prioritize Uptime Over Security

Black Hat Asia 2023 showed that cybersecurity is nascent among organizations in Asia with opportunities for improvement.

Cybersecurity maturity is observed to be nascent among organizations in Asia, with opportunities to make headway in the race to build digital resilience. In May 2023, Black Hat Asia provided insight into cybersecurity trends in the region, raising questions about data exposure, privacy, and data minimization.

In Asia, a dizzying array of security breaches leading to sizeable data exposure rendered citizens in the region numb.

Consider a series of purported data leaks in Malaysia. In May 2022, an alleged information data leak of approximately 22.5 million Malaysians born between 1940 and 2004 was said to have been stolen from the National Registration Department (NRD) and sold on the Dark Web for $10,000. Various reports mentioned that the information was possibly siphoned from the NRD through the API of MyIdentity, a centralized data-sharing platform used by government agencies. However, the Home Minister of Malaysia stated that the personal details did not originate from the NRD.

In December 2022, more suspected data leaks popped up, including one that involved almost 13 million accounts from Astro (the country's satellite television and IPTV provider), the Election Commission of Malaysia, and Maybank. These reports led to Communications and Digital Minister Fahmi Fadzil calling for CyberSecurity Malaysia and the Personal Data Protection Department to launch further investigations. All three organizations claimed that the data leak allegations are false.

In China, another alleged case in July 2022 claimed the compromise of the Shanghai National Police (SHGA) database, which contains "1 billion Chinese national residents and several billion case records, including:­ name, address, birthplace, national ID number, mobile number, all crime/case details," by an anonymous hacker, ChinaDan, as announced on Breach Forums. Reuters could not confirm the authenticity of the post, but, arguably, the shock value is clear.

Over in Indonesia, citizens classified the nation as an "open source country," referring to the frustrating regularity with which data breaches and exposures occur. In September 2022, an attacker under the pseudonym "Bjorka" hacked into 1.3 billion Indonesian SIM registrations, exposing mobile phone numbers, national identity numbers, telecommunications providers, and more. In a tweet posted on Sept. 10, Bjorka claimed to have done so to demonstrate how easy it was "to get into various doors due to a terrible data protection policy, primarily if it is managed by the government." The spillover effects will see citizens facing an onslaught of spam calls, spear-phishing, and other social engineering methods leveraged with the exposed data.

**More Than Simple Data Shows**

Omdia's Security Breaches Tracker found that 14% of the 4,998 announcements since 2019 originated from the Asia & Oceania region, but Omdia asserts that there are more than those announced. Most security breaches in the region target governments, IT firms, manufacturing, retail, and professional services industries. The top country-level targets include India (20%), Australia (18%), Japan (12%), China (10%), and Singapore (7%), among many others.

Consistent with global trends, data exposure is the main outcome (68% of incidents since 2019) following breaches in the Asia & Oceania region. Apart from malicious hacking, organizations in this region are often compromised due to accidental exposure (19%), ransomware (13%), supply chain attacks (10%), and phishing (7%). With accidental exposures and phishing, the emphasis on human factors cannot be downplayed. The Security Breaches Tracker found that 24% of breaches were from sloppiness or negligence, while 5% originated from accidents, indicating plenty of opportunities for organizations to shore up cybersecurity awareness.

The recurring breaches affecting personally identifiable information (PII) raise questions about what organizations in this region are doing to raise defenses and safeguard systems. Among the growing suite of product offerings enabling threat detection, incident response, and continuous monitoring from leading security vendors, what areas are organizations looking to invest in? Additionally, how is end-user security awareness promoted and encouraged among enterprises in the region to address one of the major causes of security breaches? These remain opportunities for organizations in this region to prioritize proactive cybersecurity strategies.

**Virtue of the Minimum**

Black Hat Asia also raised the concept of data minimization — a crucial point in the discourse of collecting only what you need to fulfill a specific purpose. Under the General Data Protection Regulation (GDPR) in the European Union (EU) and the UK, the concept is included under Article 5, which covers the essential principles of data protection when processing personal data. "Not holding on to more" in the case of collecting data may prove to strengthen the case for data protection.

Evidently, alerting governments, organizations, and businesses to the importance of a layered approach to cybersecurity will take significantly more than one or two large compromises. Governance, regulations, and serious fines — beyond merely a slap on the wrist — will help reinforce the responsibility of taking greater care with data management, supported with adequate tools that help complete the proactive approach to cybersecurity.

Black Hat Asia 2023: Cybersecurity Maturity and Concern in Asia

The impending regulations highlight the increasing importance of enhanced network security and regulatory compliance across the government sector.

There are kinks in the chain — the supply chain. And after several high-profile cybersecurity breaches over the past few years, the federal government continues to crack down on potential risks with new rules and regulations that affect government agencies and contractors.

The proposal of a new Federal Acquisition Regulation (FAR) rule — which would mandate contractors and service providers supporting US government agencies to meet enhanced cybersecurity requirements, along the lines of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program — is the latest representation of this.

Currently, anyone handling sensitive information for the government is obligated to meet 15 basic cybersecurity requirements. However, the proposed changes aim to elevate cybersecurity standards and align them closer to the National Institute of Standards and Technology (NIST) Special Publication 800-171, which is already a requirement for Department of Defense (DoD) contractors that handle sensitive government information. However, it's still unclear how compliance will be measured and monitored. If it tracks with the DoD CMMC program, there could be a mix of third-party assessment requirements and self-reporting.

Although these new expanded compliance measures will improve cyber and data security in the federal supply chain, many government agencies still face their own challenges. They operate on legacy systems and outdated network infrastructures, which may not meet modern, stringent security and compliance reporting requirements. Add in the rise of remote work and the use of external networks and devices and you risk having multiple access points that are less secure. Ensuring the integrity of the entire ecosystem, due to the interconnected nature of federal networks and reliance on contractors and third-party vendors to correctly and securely handle government data, is one part critical and one part challenging.

**Zero-Trust Networking**

The new requirements to move toward zero-trust networking are bringing to light just how much ground government agencies must make up. One of the biggest obstacles is the need for continuous monitoring. Network security requires an ongoing process to detect threats, vulnerabilities, and potential breaches. Many agencies lack the resources, tools, and expertise to effectively monitor their networks in real-time and respond promptly to emerging threats.

How should government contractors and agencies prepare for their respective security and compliance requirements?

1.  **Prioritize all network devices.** It's become a habit to assess for vulnerabilities only at the perimeter. Our recent study of cybersecurity professionals across US military, federal government and critical national infrastructure revealed that 96% of organizations prioritize configuring and auditing firewalls but not routers or switches. This means that only 4% assess switches and routers, leaving these devices exposed to potentially significant and unidentified risks. According to zero-trust best practices, it is essential to assess all these devices to prevent lateral movement across networks.
2.  **Segment networks.** Implementing network segmentation can mitigate the impact of a potential breach by compartmentalizing sensitive information and limiting lateral movement within the network. By segregating networks based on access levels and data classification, organizations can reduce the possible attack surface and minimize the impact of a breach.
3.  **Utilize compliance audits and assurance automation tools.** This is one way for contractors and agencies to prepare for audits. Regular assessments should be conducted to identify vulnerabilities, assess risks, and ensure compliance with network security requirements. These assessments can identify gaps in network security controls and allow for prompt remediation. Using tools that provide exact technical fixes for misconfigurations is also essential.

The impending proposal of a FAR rule that introduces CMMC-like regulations for all contractors who handle sensitive government information highlights the increasing importance of enhanced network security and regulatory compliance across the federal supply chain. While this will help reduce the cybersecurity risk from contractors, US government agencies still have to address their own challenges in meeting current security and compliance requirements, starting with the steps above. This means that contractors and federal agencies must be proactive and stay ahead of the regulatory curve.

Protecting sensitive government information is paramount, and can be done by aligning cybersecurity requirements and incorporating established frameworks, such as NIST. By leveraging automation tools to perform security and compliance audits and through implementing principles supporting a zero-trust mindset, contractors and agencies can successfully adapt to the evolving cybersecurity landscape and contribute to a safer ecosystem.

How Government Contractors & Agencies Should Navigate New Cyber Rules

Many organizations are unwittingly exposing users of their code repositories to repojacking when renaming projects, a new study shows.

Millions of enterprise software repositories on GitHub are vulnerable to repojacking, a relatively simple kind of software supply chain attack where a threat actor redirects projects that are dependent on a particular repo to a malicious one instead.

The issue has to do with how GitHub handles dependencies when a GitHub user or organization changes the name of a project or transfers its ownership to another entity, researchers at Aqua Security said in a report this week.

**Name-Change Risks**

To avoid breaking code dependencies, GitHub creates a link between the original repo name and the new one so all projects that are dependent on the original repo get automatically redirected to the newly renamed one. However, if an organization fails to adequately protect the old username, an attacker could simply reuse it to create a trojanized version of the original repository so that any projects that relied on the repo will once again start downloading dependencies from it.

"When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," Aqua researchers said in a blog this week. "However, it is possible for anyone to create the old username and break this link."

Researchers at Aqua recently decided to investigate the prevalence of repositories on GitHub that are vulnerable to such repojacking, or dependency repository hijacking, as some security researchers refer to the threat.

**Widely Prevalent Issue**

What Aqua discovered was twofold: millions of such repositories — including those belonging to companies such as Google and Lyft — are present on GitHub; and tools are easily available to attackers to find these repos and hijack them. One of these tools is GHTorrent, a project that maintains a nearly complete record of all public events, such as commits and pull requests, on GitHub. Attackers can use GHTorrent to harvest the GitHub names of repositories that organization previously used. They can then register the repo under that old username, recreate the repository, and deliver malware to any project that uses it.

Any project that directly references a GitHub repository is vulnerable if the owner of the repository changes or deletes the username for their repository.

"We have presented a significant dataset that attackers can utilize to harvest the names of previous repositories belonging to organizations," says Yakir Kadkoda, security researcher at Aqua Nautilus.

"Organizations should not assume that their old organization names will remain undisclosed," warns Kadkoda. "It is crucial for them to claim and keep their old usernames on GitHub and scan GitHub URLs and references in their code to identify any repositories that could potentially be claimed by an attacker."

**Bypassing Protections**

Kadkoda says GitHub has attempted to address this issue by preventing the creation of usernames and repositories that were previously owned and now redirect to other projects. GitHub also implemented a mechanism several years ago to retire popular repository namespaces as a means of mitigating this threat. "However, several bypasses have been discovered in the past few years," he says. During Aqua's study, its researchers found several examples of repositories where the protection implemented by GitHub did not apply. "Therefore, users cannot fully rely on these defenses at this point," he says.

Aqua's blog pointed to a GitHub vulnerability that Checkmarx discovered last year as one example of the ways available to attackers to bypass GitHub's attempts to protect against repojacking. The flaw involved a mechanism called "popular repository namespace retirement" and affected all renamed usernames on GitHub, including over 10,000 packages on package managers such as Swift, Packagist, and Go. "Repojacking is a technique to hijack renamed repository URLs traffic and routing it to the attacker's repository by exploiting a logical flaw that breaks the original redirect," Checkmarx said in a report on the vulnerability. "A GitHub repository is vulnerable to repojacking when its creator decided to rename his username while the old username is available for registration."

Organizations can mitigate their exposure to the repojacking threat by scanning their code, repositories, and dependencies for GitHub links, Kadkoda says: "They should check if those links directly refer to GitHub projects or if there are redirects pointing to repositories under other usernames or repo names than the original links." In these instances, organizations should attempt to claim the available username to prevent attackers from doing so. "Additionally, organizations should always maintain their old usernames on GitHub," he says.

Millions of Repos on GitHub Are Potentially Vulnerable to Hijacking

While there's plenty of upside to rolling out deception technologies, it's not clear if 
cybersecurity leaders — or their organizations — are ready for them.

INFOSEC23 — London — Deception technologies can offer a better method to detect attackers in your network, but questions remain on how much security leaders know about their maturity and capabilities.

In a discussion at Infosecurity Europe, panelist Debi Ashenden, a professor in cybersecurity from Adelaide University, described deception technologies as relatively immature. She said deception had "come out of the idea of honeypots" and while organizations may be on the cusp of seeing deception technologies mature, the technology lacks good use cases or reference customers willing to discuss their experience with deception.

Gonzalo Cuatrecasas, CISO of Nordic industrial manufacturer Axel Johnson International, said when technology is embraced, "it's got to be mature enough to do \[the job it is intended for\], otherwise it is halfway tech that gets \[stuck\] in the middle."

**The Latest Cool Trend?**

Lewis Woodcock, senior director of cyber operations for shipping concern A.P. Møller – Mærsk, said the challenge is for customers to fully understand what their underlying goals are. "I worry deception technology is the latest cool trend, but organizations need to stop and think \[about\] what they are trying to achieve."

While Ashenden said deception technology can also be very resource-intensive and that many CISOs don't understand why they need it, Woodcock wondered what an action plan for dealing with an attacker would look like, once deception technology got activated. That's not an endgame that many organizations are prepared to address or manage.

Ashenden also said there are questions on where in the network or SOC to deploy deception technology and that more work is needed to determine how this emerging technology fits into the cybersecurity portfolio. Cuatrecasas added that deception users should "be prepared to make decisions, as what you find may be something that we do not know about."

**What You Need to Implement**

As for implementation tips, Woodcock said familiarity and experience with threat intel could simplify deception rollout and management. He also recommended having an environment that looks real to an attacker — as if the network is very locked down and one server is open — as it is a giveaway to the attacker about what is going on. "Know your objectives, how an adversary will perceive it, and how you will respond," he said.

Ashenden recommended discussing with senior management what the technology will achieve and what it offers the wider organization, not to mention a strong business rationale for buying and using.

Deception Technologies Have a Maturity Problem

Scammers are setting out lures for people looking for work. If a position sounds too good to be true, it probably is.

The economic downturn is already a devastating blow to job seekers everywhere. Now scammers are taking advantage of the situation by ramping up their methods of swindling people.

Job scamming is a threat to job seekers all over the world. For example, the Better Business Bureau (BBB) reported an increase in job scam complaints in the United States and Canada in the past several years. Singapore job seekers lost $660 million SGD ($495 million USD) in 2022 alone. And in the UK, 10,000 people were approached on LinkedIn and Facebook by "foreign spies and malicious actors" to steal information.

Phishing attacks and malware are the primary methods of scamming job seekers, according to a February Trellix report. Scammers create fake websites, often employing typosquatting. A fake site uses a real name like Indeed that's slightly misspelled (such as "Indeeed") or extends the URL in hopes the job seeker will not notice the base domain name. These sites appear legitimate but are used to steal passwords and financial information.

Another method of stealing sensitive information is to ask a job seeker to download a file or click on a link that contains malware. Some of the malware Trellix identified include the Trojans Emotet, Cryxos, and Agent Tesla.

Gabriel Friedlander, founder of security training site Wizer, says these job opportunities offer great pay and remote work flexibility as a lure to steal Social Security numbers or send fake checks for equipment purchases to get that person's bank information.

**Who's Most Vulnerable**

Job scams can affect people of any gender, race, ethnicity, or age. Because many people seek employment quickly to prevent income gaps, they may have their guards down and be more prone to being scammed.

Similar to a romance scam, people become emotionally invested in finding the right job, says Roger Grimes, KnowBe4's data-driven defense evangelist. Even those trained to seek out scammers can get caught up in a scheme, he ads.

"It's just human behavior," Grimes says. "We want to trust people, and you start to give them the benefit of the doubt."

**How to Fight Off Scams**

Legitimate job companies will never ask for money to purchase equipment, training, or background checks. Always be skeptical of companies like these, and you're far less likely to be scammed.

If things are moving too fast, it's most likely a fake job. Most jobs aren't offered after just one remote interview. Also, be wary of companies that want to move conversations outside of typical platforms like LinkedIn.

"Be reasonable," Friedlander says. "Does this job make sense? Is this too good to be true? Here's the thing with scammers, in general: Their problem is time. They have to close the deal fast. Everything is just rapidly happening because they have to close before they get detected."

The BBB recommends calling or going directly to a company website, especially if the job description is vague. Other tips include not clicking any links, downloading any files, calling numbers, or replying to email addresses that are given.

LinkedIn is rolling out new measures to ensure people are who they say they are. However, one of the verification tools requests government identification. This can be problematic for some people, including transgender or nonbinary individuals who have changed their names but are unable to do so on official documents.

**Learn From the Experience**

Once a job seeker has been scammed, they are less likely to keep pursuing job opportunities, one study noted. They tend to blame themselves or their lack of savviness to detect scams.

"The people that I've talked to that had been scammed, they feel utterly broken," Grimes says. "It can be really tough on them, just because they were trusting people."

Job seekers should stay guarded to ensure they aren't scammed again. But instead of being discouraged, they should use this to drive them forward in their job search.

"Once you know the magic, then you can't unsee it," Friedlander says. "That's all it is. You just need to be aware of the trick."

Source

DARKReading