A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

Source: Stockphoto Graph via Shutterstock

A Russian threat actor is peppering game developers with fraudulent Web3 gaming projects that drop multiple variants of infostealers on both MacOS and Windows devices.

The ultimate goal of the campaign appears to be defrauding victims and stealing their cryptocurrency wallets, according to Recorded Future's Insikt Group, which discovered the malicious activity.

The extensive Russian-language campaign mimics legitimate projects by using slight alterations in project names and branding — even going so far as to have multiple fake social-media accounts impersonating the projects to make them seem authentic, according to a report published online.

In the attack, the main webpage of a project offers or links to installation files for the purported "game" software, ostensibly for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel- or ARM-based devices; Rhadamanthys; or RisePro, depending on the victim's operating system.

"The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit," according to the report.

That profit comes in the form of cryptocurrency, as the actor is primarily targeting developers' crypto wallets with the intent of compromising those wallets. Web3 gaming refers to online games such as Axie Infinity and MixMob that are built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies.

"As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security … we assess that wallet compromise is likely the end goal of this campaign," according to Insikt Group. Attackers also can use credentials harvested from the malicious activity "for an array of unauthorized account accesses," according to the report.

Indeed, the report outlines several social media reports of game developers falling victim to the scam and having their crypto wallets drained, including one who lost about 2.5 Ethereum, or about $8,000.

**Setting a Trap Through Impersonation**

The attack campaign comes in the form of what's called "trap phishing," whereby malicious actors duplicate and deploy Web3 project lookalikes.

Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described a project in January called Astration that used fake job openings and non-fungible token NFT offerings to lure game developers into a trap-phishing campaign that spread infostealers.

The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legit project called Alteration, including reposting social-media content from legitimate accounts, establishing a direct copy of the project's Discord server, and delivering two types of malware.

Upon further research, Insikt found five additional fraudulent gaming projects, three of which were serving malicious files communicating with the same command-and-control (C2) server as those obtained from the Astration project, as well as two that were no longer active but were found to be similar to the active scams. Purported game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while games associated with the inactive projects were Crypterium World and Myth Island.

Overall, the threat actors are delivering the campaign via "a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection," according to Insikt.

**Maintain Vigilance to Mitigate Risk**

Insikt highlighted the necessity for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial entry point. To that end, the group offered a number of mitigations in its report as well as included a list of indicators of compromise.

One is to provide comprehensive training to users — especially those involved in Web3 gaming or related industries — to recognize social engineering tactics associated with trap phishing. Game developers in particular should "scrutinize the legitimacy of Web3 projects advertised on social media," according to the report.

Organizations also should educate users on the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installation.

Endpoint protection solutions updated with the latest threat intelligence — such as antivirus software that are capable of detecting and blocking known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro — also can help organizations avoid compromise.

Organizations should also deploy multi-platform security measures to protect against malware infections across both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions, according to Insikt.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Web3 Game Developers Targeted in Crypto Theft Scheme

But just how the government differentiates its platform from similar private-sector options remains to be seen.

Source: Bits And Splits via Shutterstock

The US Cybersecurity and Infrastructure Security Agency (CISA) has given organizations a new resource for analyzing suspicious and potentially malicious files, URLs, and IP addresses by making its Malware Next-Gen Analysis platform available to everyone earlier this week.

The question now is how organizations and security researchers will use the platform and what kind of new threat intelligence it will enable beyond what is available via VirusTotal and other malware analysis services.

The Malware Next-Gen platform uses dynamic and static analysis tools to analyze submitted samples and determine if they are malicious. It gives organizations a way to obtain timely and actionable information on new malware samples, such as the functionality and actions a string of code can execute on a victim system, CISA said. Such intelligence can be crucial to enterprise security teams for threat hunting and incident response purposes, the agency noted.

"Our new automated system enables CISA's cybersecurity threat hunting analysts to better analyze, correlate, enrich data, and share cyber threat insights with partners," said Eric Goldstein, CISA's executive assistant director for cybersecurity, in a prepared statement. "It facilitates and supports rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure."

Since CISA rolled out the platform last October, some 400 registered users from various US federal, state, local, tribal, and territorial government agencies have submitted samples for analysis to Malware Next-Gen. Of the more than 1,600 files that users have submitted so far, CISA identified about 200 as suspicious files or URLs.

With CISA's move this week to make the platform available to everyone, any organization, security researcher, or individual can submit malicious files and other artifacts for analysis and reporting. CISA will provide analysis only to registered users on the platform.

Jason Soroko, senior vice president of product at certificate lifecycle management vendor Sectigo, says the promise of CISA's Malware Next-Generation Analysis platform lies in the insight it can potentially provide. "Other systems concentrate on answering the question 'has this been seen before and is it malicious'," he notes. "CISA's approach might end up being prioritized differently to become 'is this sample malicious, what does it do, and has this been seen before'."

Several platforms — VirusTotal is the most widely known — are currently available that use multiple antivirus scanners and static and dynamic analysis tools to analyze files and URLs for malware and other malicious content. Such platforms serve as a sort of centralized resource for known malware samples and associated behavior that security researchers and teams can use to identify and assess risk associated with new malware.

How different CISA's Malware Next-Gen will be from these offerings remains unknown.

"At this time, the US government has not detailed what makes this different from other open source sandbox analysis options that are available," Soroko says. The access that registered users will get to analysis of malware targeted at US government agencies could be valuable, he says. "Getting access to CISA's in-depth analysis would be the reason to participate. It remains to be seen for those of us outside of the US government if this is better or the same as other open source sandbox analysis environments."

**Making a Difference**

Callie Guenther, senior manager, cyber threat research at Critical Start, says it's possible that some organizations might initially be a bit cautious about contributing samples and other artifacts to a government-run platform because of data confidentiality and compliance issues. But the potential upside from a threat intelligence standpoint could encourage participation, Guenther notes. "The decision to share with CISA will likely consider the balance between enhancing collective security and safeguarding sensitive information."

CISA can differentiate its platform and deliver more value by investing in capabilities that enable it to detect sandbox-evading malware samples, says Saumitra Das, vice president of engineering at Qualys. "CISA should try to invest in both AI-based classification of malware samples as well as tamper-resistant dynamic analysis techniques … that could better uncover \[indicators of compromise\]," he says.

A larger focus on malware targeting Linux systems would also be a big improvement, Das says. "A lot of the current focus is on Windows samples from EDR use cases but with \[Kubernetes\] and cloud-native migration happening, Linux malware is on the rise and are quite different in their structure," from Windows malware, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA's Malware Analysis Platform Could Foster Better Threat Intel

Akamai joins a growing list of security vendors aiming to strengthen companies' DNS defenses.

Source: momius via Adobe Stock Photo

Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.

With the release of Shield NS53, Akamai joins a growing list of security vendors with DNS tools capable of defending against NXDOMAIN attacks. The new service extends Akamai's Edge DNS technologies in the cloud to on-premises deployments.

In an NXDOMAIN attack — also known as a DNS Water Torture DDoS attack — adversaries overwhelm the DNS server with a large volume of requests for nonexistent (hence the NX prefix) or invalid domains and subdomains. The DNS proxy server uses up most, if not all, of its resources querying the DNS authoritative server, to the point where the server no longer has the capacity to handle any requests, legitimate or bogus. More junk queries hitting the server means more resources — server CPU, network bandwidth, and memory — needed to handle them, and legitimate requests take longer to process. When people can't reach the website because of NXDOMAIN errors, that translates to potentially lost customers, lost revenue, and reputational damage.

NXDOMAIN has been a common attack vector for many years, and is becoming a bigger problem, says Jim Gilbert, Akamai's director of product management. Akamai observed 40% of overall DNS queries for its top 50 financial services customers contained NXDOMAIN records last year.

**Beefing Up DNS Protection**

While it is theoretically possible to defend against DNS attacks by adding more capacity — more resources means it takes larger and longer attacks to knock down the servers — it is not a financially viable or scalable technical approach for most organizations. But they can beef up their DNS protection in other ways.

Enterprise defenders need to make sure they understand their DNS environment. This means documenting where DNS resolvers are currently deployed, how on-premises and cloud resources interact with them, and how they make use of advanced services, such as Anycast, and DNS security protocols.

"There could be good compliance reasons that enterprises want to keep their original DNS assets on premises," says Akamai's Gilbert, noting that Shield NS53 allows enterprises to add protective controls while keeping existing DNS infrastructure intact.

Protecting DNS should also be part of an overall distributed denial-of-service (DDoS) prevention strategy, since many DDoS attacks begin with DNS exploits. Nearly two-thirds of DDoS attacks last year used some form of DNS exploits last year, according to Akamai.

Before purchasing anything, security managers need to understand both the scope and limitations of the potential solution they are evaluating. For example, while Palo Alto's DNS security services cover a wide collection of DNS exploits besides NXDOMAIN, customers get that broad protection only if they have the vendor's next generation firewall and subscribe to its threat prevention service.

DNS defenses should also tie into a robust threat intelligence service so that defenders can identify and respond quickly to potential attacks and reduce false positives. Vendors such as Akamai, Amazon Web Services, Netscout, Palo Alto, and Infoblox operate large telemetry-gathering networks that help their DNS and DDoS protection tools spot an attack.

The Cybersecurity and Infrastructure Security Agency has put together a series of recommended actions that includes adding multifactor authentication to the accounts of their DNS administrators, as well as monitoring certificate logs and investigating any discrepancies.

**About the Author(s)**

Contributing Writer

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.

New Tool Shields Organizations From NXDOMAIN Attacks

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from the NSA.

Source: Chroma Craft Media Group via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner**

*   The Race for AI-Powered Security Platforms Heats Up
    
*   Why MLBOMs Are Useful for Securing the AI/ML Supply Chain
    
*   The Fight for Cybersecurity Awareness
    
*   Ambitious Training Initiative Taps Talents of Blind and Visually Impaired
    
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data
    
*   XZ Utils Scare Exposes Hard Truths About Software Security
    
*   NSA Updates Zero-Trust Advice to Reduce Attack Surfaces
    

**The Race for AI-Powered Security Platforms Heats Up**

By Robert Lemos, Contributing Writer, Dark Reading

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Both Google and Microsoft have committed massive resources to developing generative artificial intelligence (AI) tools for cybersecurity. Security Copilot from Microsoft can find breaches, gather, and analyze data with help from generative AI. Google's Gemini in Security is a similar rival service.

Now a startup has entered the fray, Simbian, with its own system that leverages generative AI as well as large language models (LLMs) to help security teams by automating configuring event management systems (SIEM) or security orchestration, automation, and response (SOAR).

While each offering has its own set of benefits, they all strive to streamline processes for strained cybersecurity teams. The question that has yet to be answered is whether teams will ultimately trust the automated systems to operate as intended.

Read more: The Race for AI-Powered Security Platforms Heats Up

Related: How AI and Automation Can Help Bridge the Cybersecurity Talent Gap

**Why MLBOMs Are Useful for Securing the AI/ML Supply Chain**

Commentary By Diana Kelley, CISO, Protect AI

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

The software bill of materials (SBOM) has become an essential tool for identifying the code that makes up an application, but in the age of artificial intelligence (AI) the SBOM has some limitations in machine learning frameworks.

A machine learning software bill of materials, or MLBOM, could fill the gaps left in a traditional SBOM and add protections to data and assets.

Read More: Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Related: Where SBOMs Stand Today

**  
The Fight for Cybersecurity Awareness**

Commentary By Erik Gross, CISO, QAD

Investing in cybersecurity skills creates a safer digital world for everyone.

Spreading awareness of risk is the best way to mitigate cybersecurity risk, but the task of constantly training and re-training people on the latest threats can be daunting. The age of artificial intelligence is making it even more difficult.

Building a culture of security is paramount, and it can be achieved with thoughtful cybersecurity training with a focus on a personal approach, storytelling, and helping people feel comfortable talking openly about cybersecurity. Humans are unpredictable, and a cybersecurity training process that accepts that humans are complex creatures have had the most success.

Read More: The Fight for Cybersecurity Awareness

Related: Q&A: The Cybersecurity Training Gap in Industrial Networks

**Ambitious Training Initiative Taps Talents of Blind and Visually Impaired**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Blind and visually impaired (BVI) people are an untapped talent resource for cybersecurity companies struggling to attract talent. With just a computer outfitted with a screen reader and Braille keyboard, BVI people can become valuable contributors. Two cyber CEOs have launched Apex Program, an online, on-demand course for BVI people who want to break into cybersecurity.

So far, four students have completed the course and one has already landed a job as a SOC 1 Analyst. Now the White House is getting involved, and there's even a short film in the works featuring the Apex Program.

Read More: Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

Related: 3 Ways Businesses Can Overcome the Cybersecurity Skills Shortage

**Vietnamese Cybercrime Group CoralRaider Nets Financial Data**

By Robert Lemos, Contributing Writer, Dark Reading

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

A newcomer on the Vietnamese cybercrime scene, a group called CoralRaider is making moves — and rookie mistakes like infecting their own systems — along the way.

Security researchers at Cisco Talos have been tracking CoralRaider's activities and found they are motivated by profit, even though the group is having trouble getting their operation off the ground. So far, Cisco Talos analysts haven't seen any indication CoralRaider has yet successfully delivered a payload, but the group is actively working to improve their cybercrime skills.

Read More: Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Related: Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

**  
XZ Utils Scare Exposes Hard Truths About Software Security**

By Jai Vijayan, Contributing Writer, Dark Reading

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

The backdoor recently discovered in the XZ Utils tool should be a wake-up call for cyber teams that open source repositories are riddled with vulnerabilities.

These projects are volunteer-run, under-resourced, and unable to keep up with the latest threats. XZ Utils is itself a one-person operation. Enterprises using code from these open sources do so at their own risk.

Organizations are advised to vet their use of code from public repositories and determine whether they have appropriate security controls. Experts also recommend having engineering and cybersecurity teams define processes and roles for onboarding open source code.

Read More: XZ Utils Scare Exposes Hard Truths About Software Security

**NSA Updates Zero-Trust Advice to Reduce Attack Surfaces**

By Dark Reading Staff

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

In its ongoing effort to provide both the public, as well as the private, sectors with support in getting on a path to zero trust, the National Security Administration has issued guidance related to data protection, or as NSA categorizes it, the "data pillar." Recommendations from the agency include the use of encryption, tagging, labeling, and more.

Prior to this data security guidance, NSA provided a detailed guide to network macro- and micro-segmentation and its role in building up a zero-trust framework.

Read More: NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

Related: NSA's Zero-Trust Guidelines Focus on Segmentation

CISO Corner: Securing the AI Supply Chain; AI-Powered Security Platforms; Fighting for Cyber Awareness

Though Federal Civilian Executive Branch (FCEB) agencies are the primary targets, CISA encourages all organizations to up their security, given the high risk.

Source: Wachirawit Lemlerkchai via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in response on April 11 to Midnight Blizzard, aka Cozy Bear, a Russian state-sponsored threat actor targeting Microsoft email accounts in its latest campaign.

The group is exfiltrating information from Microsoft corporate email systems to gain access to Microsoft customer systems. Microsoft and CISA have already determined which companies' correspondence has been exfiltrated so far and notified them accordingly.

"The initial access vector for the Midnight Blizzard attack was a Microsoft 365 password spray," said John Fokker, head of threat intelligence at Trellix, in an emailed statement. Researchers at Trellix have observed more than 120 of these kind of attacks in the first quarter of the year alone.

CISA's directive initially was issued solely to federal agencies on April 2. It required agencies to observe and analyze Microsoft email accounts to determine if they had been affected, reset compromised credentials, and secure any privileged Microsoft Azure accounts.

These requirements apply only to Federal Civilian Executive Branch (FCEB) agencies, since they seem to be Midnight Blizzard's biggest target. But CISA notes other organizations may also have been contacted and should seek assistance.

"Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multifactor authentication (MFA), and prohibited sharing of unprotected sensitive information via unsecure channels," CISA said in its statement.

Jen Easterly, CISA's director, also noted that this Microsoft compromise is just the latest malicious cyber activity in the Russian playbook, and that the emergency directive is intended to ensure that the networks and systems of federal civilian agencies are secure.

CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Source: Ole.CNX via Shutterstock

When a major vulnerability shakes up the cybersecurity world — such as the recent XZ backdoor or the Log4j2 flaws of 2021 — the first question that most companies ask is, "Are we affected?" In the absence of well-written playbooks, the simple question can require a great deal of effort to answer.

Microsoft and Google are investing heavily in generative artificial intelligence (GenAI) systems that can turn large security questions into concrete actions, assist security operations, and, increasingly, take automated actions. Microsoft offers overworked security operations centers with Security Copilot, a GenAI-based service that can identify breaches, connect threat signals, and analyze data. And Google's Gemini in Security is a collection of security capabilities powered by the company's Gemini GenAI.

Startup Simbian is joining the race with its new GenAI-based platform for helping companies tackle their security operations. Simbian's system combines large language models (LLMs) for summarizing data and understanding native languages, other machine learning models to connect disparate data points, and a software based expert system based on security information culled from the Internet.

Where configuring a security information and event management system (SIEM) or a security orchestration, automation, and response (SOAR) system could take weeks or months, using AI cuts the time to — in some cases — seconds, says Ambuj Kumar, co-founder and CEO of Simbian.

"With Simbian, literally, these things are done in seconds," he says. "You ask a question, you express your goal in natural language, we break into steps code execution, and this is all done automatically. It's self sufficient."

Helping overworked security analysts and incident responders streamline their jobs is a perfect application for the more powerful capabilities of GenAI, says Eric Doerr, vice president of engineering at Google Cloud.

"The opportunity in security is particularly acute given the elevated threat landscape, the well publicized talent gap in cybersecurity professionals, and the toil that is the status quo in most security teams," Doerr says. "Accelerating productivity and driving down mean time to detect, respond, and contain \[or\] mitigate threats through the use of GenAI will enable security teams to catch up and defend their organizations more successfully."

**Different Starting Points, Different 'Advantages'**

Google's advantages in the market are evident. The IT and Internet giant has the budget to stay the course, the technical expertise in machine learning and AI from its DeepMind projects to innovate, and access to a lot of training data — a critical consideration for creating LLMs.

"We have a tremendous amount of proprietary data that we've used to train a custom security LLM — SecLM — which is part of Gemini for Security," Doerr says. "This is the superset of 20 years of Mandiant intelligence, VirusTotal, and more, and we're the only platform that has an open API — part of Gemini for Security — that allows partners and enterprise customers to extend our security solutions and have a single AI that can operate with all the context of the enterprise."

Like Simbian's guidance, Gemini in Security Operations — one capability under the Gemini in Security umbrella — will assist in investigations starting at the end of April, guiding the security analyst and recommending actions from within Chronicle Enterprise.

Simbian uses natural language queries to generate results, so asking, "Are we affected by the XZ vulnerability?" will produce a table of IP addresses of vulnerable applications. The systems also uses curated security knowledge gathered from Internet to create guidebooks for security analysts that show them a script of prompts to give to the system to accomplish a specific task.

"The guidebook is a way of personalizing or creating trusted content," says Simbian's Kumar. "Right now, we are creating the guidebooks, but once ... people just start to use it, then they can create their own."

**Strong ROI Claims for LLMs**

The returns on investment will grow as companies move from a manual process to an assisted process to autonomous activity. Most GenAI-based systems have advanced only to the stage of an assistant or copilot, when it suggests actions or takes only a limited series of actions, after gaining the users permissions.

The real return on investment will come later, Kumar says.

"What we are excited about building is autonomous — autonomous is making decisions on your behalf that are within the scope of guidance you have given it," he says.

Google's Gemini also seems to straddle the gap between an AI assistant and an automated engine. Financial services firm Fiserv is using Gemini in Security Operations for creating detections and playbooks faster and with less effort, and for helping security analysts quickly find answers using natural language search, boosting the productivity of security teams, Doerr says.

Yet trust is still an issue and a hurdle for increased automation, he says. To bolster trust in the system and solutions, Google remains focused on creating explainable AI systems that are transparent in how they come to a decision.

"When you use a natural language input to create a new detection, we show you the detection language syntax and you choose to run that," he says. "This is part of the process of building confidence and context with Gemini for Security."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

The Race for AI-Powered Security Platforms Heats Up

Attacks on critical infrastructure are ramping up — but organizations now have the knowledge and tools needed to defend against them.

Sean Tufts, Managing Partner for Critical Infrastructure, Optiv

April 12, 2024

4 Min Read

Source: Andrii Yalanskyi via Alamy Stock Photo

COMMENTARY

Recent headlines around Volt Typhoon, a state-sponsored Chinese threat actor targeting US critical infrastructure, have caused alarm over attacker dwell time and put critical infrastructure security in the spotlight. The group targets network infrastructure devices to gain access to critical infrastructure organizations and then uses living-off-the-land techniques to lurk on victims' environments to position themselves for future attacks. Volt Typhoon has been known to target the communications, energy, water, and transportation sectors.

There's no question that critical infrastructure threats such as what we're seeing from Volt Typhoon are concerning and need to be taken seriously. Attacks on critical industries have the potential to cause widescale damage and disruption and can even put people's lives at risk — compromised water sources, gas lines, utilities and healthcare devices, for example, could have a life-threatening impact. Given the high stakes, critical infrastructure organizations need to strengthen security to keep people safe and the global economy working.

However, as someone who works on the front lines of critical infrastructure security, I believe that, rather than panicking about Volt Typhoon and the threats the group represents, we should focus on several positives:

*   Malware activity targeting critical infrastructure is custom and challenging. It takes many hands to build an effective package. We know this because we are unfortunately finding complex builds. The positive here, however, is that we are now looking for malware activity.
    
*   Many of the 16 CISA-defined critical infrastructure industries have matured their security defenses and are in a better position to defend against advanced threats than they were a few years ago. There is a long path to "secure," but we have better prevention and detection than we did in 2020.
    
*   It's not uncommon for malware to sit dormant for years until the time is right to strike. Knowing this, security operations center (SOC) teams have focused on threat detection, advancing their method for absorbing critical infrastructure, industry control system (ICS), and operational technology (OT) alerts, which has lowered malware dwell time and improved security overall.
    

**Focus Areas for Critical Infrastructure Sectors**

One of the biggest takeaways of the Volt Typhoon activity is that it's crucial for critical infrastructure organizations to conduct risk assessments frequently to see how threats against their company are changing and then use that intelligence to adapt their cybersecurity and cyber resilience strategies accordingly.

If you don't know a threat is there, you can't defend against it. And not all organizations are targeted with the same threats. Additionally, your biggest threat today may not be the greatest source of risk tomorrow. For all these reasons, frequently identifying and quantifying the unique risks to your organization is the first step to staying secure and cyber resilient.

Once the risk assessment is complete, you can then develop or refine your security plan accordingly. Because threats and business needs change all the time, this should be a living strategy. That said, there are a few security fundamentals that should always be prioritized, including:

*   Network segmentation: Divides the network into separate zones for different types of users and services. This approach helps contain attacks and limits the lateral movement of threats within the network.
    
*   Intrusion detection systems (IDS): Monitors network traffic for suspicious activity. This is important because traditional endpoint security tools aren't able to be installed on all network infrastructure devices.
    
*   Identity security: The optimal combination is secure remote access with privileged access management (PAM). The former allows users to safely connect to networks and prevents unauthorized access. The latter secures privileged user accounts that have high-level access to individual controllers in a critical site, so cyber attackers can't exploit them to move across the victim's environment.
    

**From Past to Present**

Five years ago, critical infrastructure security had very limited awareness, and headlines on activity from threat actors like Volt Typhoon would be alarming. We've come a long way since then, though — not only in recognizing risks to these sectors but also establishing cybersecurity benchmarks for keeping critical infrastructure organizations secure.

So, while it's true that attacks on critical infrastructure are ramping up, it's also true that organizations now have the knowledge and tools needed to defend against them. Organizations no longer need to be caught off guard. With risk assessments, security fundamentals, and advanced security strategies that target unique threats to the business, critical infrastructure organizations can build strong security programs that are able to withstand any type of attack and keep the organization cyber resilient.

**About the Author(s)**

Managing Partner for Critical Infrastructure, Optiv

Sean Tufts is a former NFL linebacker turned cybersecurity leader with more than 10 years of cyber experience and 15 years of ICS experience. As the managing partner for critical infrastructure at Optiv, he heads a business unit responsible for identifying, modernizing and securing critical infrastructure clients' most vital business functions and operational assets. Optiv's IoT/OT team delivers strategic end-to-end security expertise, underscored by Sean’s hands-on knowledge of cybersecurity best practices for industrial and critical settings, including energy, oil and gas, and healthcare. Prior to Optiv, Sean had a hand in developing more than 3,500 MW of wind energy farms for a private EPC. His operations experience allowed for a smooth transition over to General Electric in 2015, where he joined the recently acquired Wurldtech Cybersecurity team. In this role, Sean embedded cybersecurity programs into the rotating machinery controls for GE Power, GE O&G (BakerHughes) and GE Renewables.

Critical Infrastructure Security: Observations From the Front Lines

With stores of mega-corporate business intelligence, a Sisense compromise could potentially mushroom into supply chain cyberattack disaster, experts fear.

Source: GK Images via Alamy Stock Photo

While details are still emerging, the US federal government issued a password compromise warning to customers of business analytics platform Sisense and encouraged an immediate reset.

The advisory from the Cybersecurity and Infrastructure Security Agency (CISA) urges Sisense customers not only to reset credentials to the platform, but also for passwords to any other sensitive data potentially accessed through Sisense services.

The software-as-a-service (SaaS) platform uses what it calls "AI-driven analytics" to provide insights to more than 2,000 companies including Air Canada, Nasdaq, and ZoomInfo.

Sisense did not respond to Dark Reading's request for comment.

Sisense is an ideal target for threat hunters interested in launching advanced supply chain cyberattacks, according to Patrick Tiquet, vice president of security and architecture at Keeper Security.

"Attackers may seek to exploit their access to further infiltrate the connected networks of Sisense's customers, creating a ripple effect down the supply chain," Tiquet said, in a statement. "Customers of Sisense should follow CISA's guidance immediately and reset credentials and secrets that have been exposed to or used to access Sisense services."

**Sisense Supply Chain Attacks Possible**

The federal government's quick response is a sign the Sisense compromise is being taken very seriously, Sean Deuby, principal technologist with Semperis, explained in a statement, characterizing CISA's advisory as "ominous at best."

"As we know from recent breaches disclosed by MGM Resorts and Caesars Palace, the supply chain continues to be the most difficult arena to secure, and it's fertile ground for cyber adversaries," Deuby's statement continued. "And these two examples unfortunately pale in comparison to the damage caused by supply chain attacks such as WannaCry, SolarWinds, and Kaseya, which impacted tens of thousands of organizations and cost hundreds of millions in incident response and recovery costs."

In addition to password resets, Jason Soroko, senior vice president of product with Sectigo, recommends Sisense customers take a look at API password keys.

"The details around the Sisense breach are unknown; however, my recommendations for action would be to change passwords of any Sisense accounts, reset API keys used for services associated with Sisense, and look for any unusual activity from April 5 onwards," Soroko said in a statement.

Sisense Password Breach Triggers 'Ominous' CISA Warning

PRESS RELEASE

RESTON, Va. and TEL AVIV, Israel, April 11, 2024/PRNewswire-PRWeb/ -- Knostic, the world's first provider of need-to-know access controls for Generative AI, emerges today from stealth, having been named one of the top three finalists for the 2024 RSA Conference Launch Pad competition.

Organizations are rapidly adopting Large Language Models (LLMs) and tools such as Microsoft Copilot and Glean to create ChatGPT-like systems, but with their own institutional knowledge. Such systems also introduce business risks, primarily by exposing content outside of an employee's need-to-know, e.g., bonuses, sales revenue, and mergers and acquisition information. With Knostic, employees can access everything they need, but with answers shaped to just what they need to know in order to do their job per organizational policy.

"Microsoft Copilot, Glean, and other LLMs are akin to a race car engine. Data is the fuel. But who would want to drive fast without brakes? We are the brakes, giving enterprises the confidence to accelerate their adoption of LLMs, while ensuring the safety of their most valuable assets," said Sounil Yu, co-founder and CTO of Knostic.

Knostic's offering also helps organizations with the early adoption stage, understanding their exposure to need-to-know violations and the path towards safe implementation of LLM-based tools. Legacy approaches for data security such as permission-based access control fall short at the LLM age, and new approaches are needed.

Gadi Evron, co-founder and CEO of Knostic, further elaborated: "From a misfiled payroll spreadsheet and a sensitive presenter comment left in a template, or even secrets inferred from legitimately accessible content, LLMs accelerate the discovery of harmful, and potentially dangerous information to anyone who asks. Knostic goes beyond legacy permission models and shapes access based on actual user need-to-know."

Founded in late 2023 by cybersecurity veterans Gadi Evron (serial entrepreneur, previously from Citibank and PwC) and Sounil Yu (former Chief Security Scientist at Bank of America), Knostic raised a $3.3M pre-seed financing round, with participation from Shield Capital, Pitango First, DNX Ventures, and Seedcamp, as well as angel investors Kevin Mahaffey (Lookout), David Cross (Rain Capital), Bryson Bort (SCYTHE), Travis McPeak (Resourcely), Matthew Honea (Forward Networks), and others.

Raj Shah of Shield Capital: "Safety is a critical enabler for enterprise adoption of Large Language Models," said Raj Shah, Managing Partner at Shield Capital. "We are proud to be partnered with Gadi and Sounil who are building breakthrough solutions at Knostic.ai."

Admr. Mike Rogers(Ret.), former head of the NSA: "Knostic's unique approach around need-to-know personalization is what unlocks LLMs for enterprises, not to mention in the DoD space. I'm excited for the journey ahead."

About Knostic

Knostic is the world's first provider of need-to-know based access controls for Large Language Models (LLMs). With knowledge-centric capabilities, Knostic enables organizations to accelerate the adoption of LLMs and drive AI-powered innovation without compromising value, security, or safety.

For more details, visit https://www.knostic.ai/

Knostic Raises $3.3M for Enterprise GenAI Access Control

PRESS RELEASE

SAN JOSE, Calif. – April 11, 2024 – Cohesity today announced a deepening of its cyber resilience collaboration with IBM. The enhanced relationship will accelerate the development of essential cyber resilience capabilities to address organizations' critical need for increased data security and resilience across hybrid cloud environments. With this announcement, Cohesity completes its Series F financing, with IBM joining NVIDIA as a strategic investor.  

The most recent Cost of a Data Breach report sponsored by IBM Security shows the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over the previous three years. To help clients tackle this issue head-on, IBM has delivered Cohesity capabilities into IBM’s end-to-end cyber resilience platform, IBM Storage Defender, strengthening our customers’ ability to recover from data breaches and cyber-attacks.  

“IBM is a powerful partner in the enterprise cloud and IT infrastructure market. They bring decades of expertise to our relationship, in addition to their investment in our business to help fund incremental research and development to offer customers even stronger cyber resilience,” said Sanjay Poonen, CEO and President, Cohesity. “We’re thrilled that IBM is working with us as we continue to help combined customers detect threats rapidly and maintain operations during an attack to avoid business interruptions.”

“Data breaches continue to be one of the biggest threats organizations face to advancing business outcomes,” said Ric Lewis, SVP, Infrastructure at IBM. “We’re excited to deepen our collaboration with Cohesity to bring clients innovative end-to-end software-defined solutions designed to increase their cyber resilience and help avoid business interruptions.”

Cohesity’s collaboration with IBM has brought Cohesity DataProtect together with IBM's Storage Defender Solution to help their joint customers protect, monitor, manage, and recover data. Cohesity DataProtect is a high-performance, secured backup and recovery solution. It is designed to safeguard your data against sophisticated cyber threats and offers comprehensive policy-based protection for your cloud-native, SaaS, and traditional data sources. DataProtect converges multiple-point products into a single multicloud platform deployed on-premises or consumed as a service.

IBM Storage Defender leverages AI and event monitoring across multiple storage platforms through a single pane of glass to help protect organizations' data layer from risks like ransomware, human error, and sabotage. Additionally, IBM Storage Defender is anticipated to include a cyber vault and clean room features with automated recovery functions designed to help companies restore business-critical data in hours or minutes from what used to take days.  
Statements regarding IBM's or Cohesity’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only.

About Cohesity  
Cohesity is a leader in AI-powered data security and management. Aided by an extensive ecosystem of partners, Cohesity makes it easier to secure, protect, manage, and get value from data – across the data center, edge, and cloud. Cohesity helps organizations defend against cybersecurity threats with comprehensive data security and management capabilities, including immutable backup snapshots, AI-based threat detection, monitoring for malicious behavior, and rapid recovery at scale. Cohesity solutions can be delivered as a service, self-managed, or provided by a Cohesity-powered partner. Cohesity is headquartered in San Jose, CA, and is trusted by the world’s largest enterprises, including 44 of the Fortune 100.

Source

DARKReading