CISOs need to be better equipped with strategic metrics and proof points to better align their organization for defense against the ever-changing threat landscape.

As someone who has been in the cybersecurity industry for nearly two decades, I find it refreshing to see federal entities are putting more focus on the changes that need to happen to keep organizations secure. With the Department of Defense (DoD), Cybersecurity and Infrastructure Security Agency (CISA), and White House all releasing updated cyber guidelines and policies, a newfound — and much-deserved — sense of urgency and importance has been placed around cyber defenses, preparedness, and skilled talent.

Similarly, the long-anticipated proposed new cybersecurity requirements from the US Securities and Exchange Commission (SEC) allude to an impending incident disclosure rule and proof of cybersecurity expertise on company boards. While we await the final language, I believe these requirements are a step in the right direction for up-leveling transparency and communication, ultimately emphasizing how cybersecurity is a business imperative across all industries.

But with one important caveat.

As much as the added pressure from the SEC and other government agencies on timely reporting and disclosure is a needed force for change, many organizations aren't equipped to handle this level of oversight and reporting. Many security leaders currently lack the means to gather evidence to share with boards and executive leadership, resulting in fewer than 60% flagging breach readiness and incident response results. What's more, more than half of security leaders (55%) agree their cybersecurity team doesn't have the data needed to demonstrate readiness to properly respond to cyber threats.

**The Search for Better Approaches**

To comply with government guidelines, organizations must invest in more effective ways of building and proving cyber capabilities across teams through practical exercises. Organizations must make a paradigm shift in their approach to cybersecurity that comprises the following actions:

**1\. Provide specific metrics to prove resilience and capabilities.** Despite proof points and actionable metrics laying the foundation of nearly every other business function, measurement is practically nonexistent when it comes to identifying faults and strengths of organizations' cybersecurity postures. To advance an organization's cyber resilience, cybersecurity teams need better methods to assess and prove their capabilities and resilience, especially when you consider most cybersecurity leaders can agree their organization's board is placing more pressure on their cybersecurity team to prove cyber resilience.

Without metrics to gauge efficacy, how do leaders know whether costly training investments in training are worthwhile? So while teams have the right risk management tools and conduct breach readiness assessments, they aren't sufficiently assessing or training for resilience.

**2\. Move away from technological "spot solutions."** As the threat landscape continues to evolve, most security leaders are turning to more tech tools to add to their ever-growing tech stacks to prove their cybersecurity strength to key stakeholders. Implementing "spot solutions" is likely to leave holes in an organization, making it vulnerable to attackers. There are tools available that combat nearly every security challenge these days, but a plug-and-play approach isn't the most effective system.

Chief information security officers (CISOs) should consider consolidating their tools to mitigate complexity. Even so, a streamlined solution can't be the sole line of defense. One of Gartner's predictions for 2023 is that challenges confronting CISOs will evolve beyond technology, cybersecurity, and controls — and instead anticipates there will be a focus on the human element. Security tech solutions must be coupled with a battle-tested and capable workforce to be effective in responding to cyber threats if — and when — they do happen.

**3\. Put your people first in your approach to effective cybersecurity.** Adopting a people-centric, proactive cybersecurity approach puts organizations in a better position to combat cyber threats and prove resilience to boards and company leadership. While organizations may be investing in traditional cybersecurity training methods like certifications, table-top exercises, and classroom work, these tactics are largely insufficient to combat current cyberattacks, particularly with the recent surges in ransomware and generative AI technologies. I'm not alone in thinking this — despite the increase in training investments, 80% of cyber leaders don't believe their teams have the capabilities to respond to future attacks.

To address the ongoing staffing challenges and talent gap, cyber leaders should reevaluate hiring practices. HR and hiring managers are over-relying and overemphasizing certifications, rejecting qualified applicants or creating a costly barrier to entry for early career and diverse security talent.

To meet these new expectations, CISOs must be better equipped with strategic metrics and proof points to better align their organization for defense against the ever-changing threat landscape. Our current approach to cyber readiness and resilience needs some work — but it's promising to see that cybersecurity and its leaders are finally getting its seat at the head of the table. The sheer concept of multiple federal entities making a concerted effort to emphasize the need for communication and proof is promising momentum in the right direction.

Moving the Cyber Industry Forward Requires a Novel Approach

As business email compromise attacks continue to grow and become increasingly sophisticated, is your secure email gateway providing sufficient protection?

Email has always been an attractive target for cybercriminals in search of a money grab. Over the years, we’ve seen email attacks of all flavors — from basic spam and virus attacks, to mass phishing emails containing malware, to today’s attack du jour: business email compromise (BEC).

These attacks have evolved far beyond the Nigerian prince or CEO gift card scams typically associated with BEC. Now, cybercriminals are implementing increasingly sophisticated tactics — including vendor impersonation, spoofed domains, and local translations — to secure their payday.

And the rise of generative AI tools like ChatGPT has added even more power to attackers' arsenals, upleveling their ability to write more convincing emails at even greater scale. By inputting specific information about their targets, or snippets of previous conversation history, generative AI can help threat actors become better at engaging in highly realistic conversations with their victims.

Whether their endgame is convincing a target to pay a fake invoice, reroute payments to a different bank account, or share access to sensitive information, BEC attacks are confronting organizations of all sizes and across all industries, and costing billions of dollars. And even though employees are more aware of these scams, losses from BEC are continuing to increase year over year — costing $2.7 billion in 2022 alone.

Why? Because cybercriminals are getting smarter, and the tools put in place to stop them simply aren’t working like they should.

**The SEG Challenge**

Despite the rate at which BEC tactics are evolving, traditional secure email gateways (SEGs) have been slow to keep up. That’s because they’re designed to block attacks based on detection of known threat signatures, like malicious attachments or links and bad sender domains. This worked well when high-volume malware campaigns were common, but as savvy cybercriminals discovered how the SEG worked, they quickly learned how to outwit it.

Today, even inexperienced, non-technical hackers can bypass SEG detection, simply by sending text-based, socially engineered emails that omit traditional indicators of compromise — blending right in with ordinary inbox content. And not only does SEG miss sophisticated attacks, it also requires manual management that can drain the productivity of security teams that need to be focused on managing the most critical cybersecurity incidents.

So, how do you stop these BEC attacks, without requiring more time and resources from your team? One strategy to consider is replacing the SEG entirely.

**Behavioral AI to Better Secure Inboxes**

But if you’re going to sunset your SEG, what do you replace it with?

The problem with the SEG model is that it looks for known-bad indicators of compromise, which are constantly changing. What if you flipped this approach on its head — instead, learning what known-normal activity looks like to spot deviations that might indicate a potential attack?

This is how behavioral AI-based email security works. By ingesting behavioral signals across the email environment — like each user’s typical sign-in times and locations, the colleagues and vendors they ordinarily interact with, and the tone and language they tend to use in their emails among thousands of other signals — behavioral AI creates a system that learns and dynamically monitors baseline behaviors.

Any variation from the norm, no matter how subtle or novel, may indicate a social engineering attack — and can be remediated automatically before it reaches the target’s inbox.

**SEG Displacement in Action**

The benefits of swapping a SEG for a behavioral AI approach have been proven, too. Let's take a look at a couple examples.

Healthcare providers are appealing targets for cybercriminals that are after patient data, and the resulting data breaches are the costliest of any industry, especially given their hefty regulatory penalties.

Elara Caring, one of the largest home healthcare providers in the US, experienced this threat firsthand, when advanced phishing emails were bypassing its SEG, leaving employees struggling to decipher whether emails were authentic or attacks. Upon transitioning to a behavioral AI-based model, Elara Caring’s security team stopped hundreds of attacks in the first 90 days alone, including credential phishing attacks, attempts to trick the payroll team into directing paychecks to fraudulent accounts, and executive impersonation attacks.

Behavioral AI also helps organizations recoup inefficiencies caused by the SEG. At Saskatoon Public Schools, the largest school division in Saskatchewan, Canada, the security team was spending half a day or more on manually remediating attacks. After implementing behavioral AI-based security, in three months, the team detected and auto-remediated more than 25,000 attacks, saving the team hundreds of hours each month.

SEGs have served their purpose well, but as email attacks become more sophisticated by the day, it’s time for a new approach. The organizations that can modernize their email security accordingly will be in the best position to protect against the threats of today and what’s to come.

Sixty-five percent of Abnormal customers no longer use an SEG. Visit this page for more information about companies that have displaced their SEGs.

**Author the Author**

    

Mike Britton is the CISO of Abnormal Security, where he leads information security and privacy programs. Prior to Abnormal Security, Mike spent six years as the CSO and Chief Privacy Officer for Alliance Data. He brings 25 years of information security, privacy, compliance, and IT experience from a variety of Fortune 500 global companies. He holds an MBA with a concentration in Information Assurance from the University of Dallas.

Why Your SEG Could Be Your Email Security Achilles' Heel

Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.

Attackers may have exploited a flaw in Fortinet's FortiOS SSL-VPN in "a limited number of cases" that affected users in government, manufacturing, and critical infrastructure sectors.

Fortinet issued a fix for the vulnerability, tracked as CVE-2023-27997/FG-IR-23-097) and rated as critical, that it's urging customers to apply as they "monitor the situation," the company said in a blog post published this week.

Exploitation of the flaw can produce "data loss and OS and file corruption" for victims, which is why it's imperative for customers affected to update systems, according to Fortinet.

"If the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release," Carl Windsor, Fortinet's senior vice president, product technology, wrote in the post. "If the customer is not operating SSL-VPN the risk of this issue is mitigated — however, Fortinet still recommends upgrading."

The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests, according to Fortinet. FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 — released by the vendor on Friday — patch the vulnerability.

Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

"This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases," Windsor wrote.

**Potential Links to Volt Typhoon**

Though attackers used a previously identified Fortinet vulnerability — FG-IR-22-377/CVE-2022-40684 — in the recently discovered Volt Typhoon campaign against US criticial infrastructure targets, Fortinet so far is not conclusively linking CVE-2023-27997 to this series of attacks, the company said in the post.

However, Fortinet claimed this does not preclude its use in the campaign, whether it's currently being exploited, or if attackers will leverage it in the future.

"Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," Windsor wrote.

Discovered by Microsoft, Volt Typhoon is a series of attacks in which China-sponsored threat actors established persistent access within telecom networks and other critical infrastructure targets in the US.

Volt Typhoon attackers used CVE-2022-40684 — an authentication bypass vulnerability found in Fortinet FortiOS and FortiProxy — for initial access, Fortinet confirmed. Indeed, Internet-facing Fortinet devices are a popular target for various threat actors as a way to gain a foothold into enterprise networks.

Specifically, Fortinet researchers discovered admin accounts named "fortinet-tech-support" and "fortigate-tech-support" in customer devices related to the Volt Typhoon campaign, the company said.

"Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as 'living off the land' to evade detection," Windsor wrote.

**Mitigations Beyond Patching**

While applying product updates is the key way to avoid compromise, Fortinet made other suggestions to help affected organizations resolve the issue. One is to review systems for evidence of exploitation of previous Fortinet vulnerabilities, such as the one exploited by Volt Typhoon, the company said.

Minimizing the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible can also help companies avoid being targeted in attacks that exploit existing vulnerabilities, according to Fortinet.

Fortinet: Patched Critical Flaw May Have Been Exploited

It's time to include messaging tool security in your cloud security program. Good first steps include tightening filter parameters on Slack and Teams.

Today, an increasing number of large enterprises, from financial institutions to healthcare, are using messaging and collaboration tools. According to a report by industry analyst firm International Data Corporation (IDC), worldwide revenue in the collaboration applications market grew 28.4% year over year in 2021 to $29.1 billion. "This growth was driven by a series of factors including companies expanding collaboration to more people, the purchase and integration of multiple solutions to better meet corporate needs, and price increases and/or feature upgrades." Yet these apps can instill a false sense of security, putting millions of users at risk for cyberattacks.

**Redefine What Makes a Trusted Environment**

When it comes to messaging security, organizations tend to have a myopic view that it's only about "email, email, email." True — email is far from dead. In fact, business email is increasing and remains the main incursion vector. Yet more sophisticated attacks are happening over Teams and Slack. People just don't realize it because they view these apps as internal tools and aren't taking the necessary steps to secure these platforms.

Let me explain. Access tokens, the keys to the Slack platform, tie together the scopes and permissions your app has obtained that allow it to read, write, and interact. I've seen attacks that target, exfiltrate, and abuse specific tokens. Let's say I steal your Slack token and send a message, as you, to all your colleagues and make them click on a link or download and execute something. Your device will never know about it. Slack will know that I'm coming from a different IP address, but it's a script that I executed. It's nothing that anybody else would see.

With Slack, you can impersonate another user or create a new app. With that I can use it as the a user or the app and write messages to everyone in the organization, messages like, "Click on this link," "Hey, here's the executable for you to update a Windows computer with the second half of this year's security updates," OR, "Hey, please reset my password" or whatever. Your colleagues — or whoever received this message — believe they're in a trusted environment, so they're more inclined to follow the instruction or click on that link or download that executable.

**Build Messaging Security into Overall Cloud Program**

Today, attackers are more likely to succeed when abusing messaging tools versus email because emails have a lot of safeguards in place, from spam and malware filters to sender authentication standards. In addition, email users are frequently warned by the FBI, security awareness training programs, their preferred retailers, banks, and other organizations to follow basic common sense security protocols such as, "Don't trust emails when they ask for urgent things." For messaging tools, however, there is little security guidance.

The wake-up call to the risks that these apps present will be when an organization goes through its logs and realizes the Slack token was compromised — something they don't have visibility into today. Instead, they'll only be able to realize that something weird was happening in their organization. Efforts by collaboration software providers to incorporate security features into their products are still in their infancy. Companies need more than basic malware scanning as zero-day malware or social engineering is still being missed.

Organizations need to include these messaging tools as part of their overall comprehensive cloud security strategy. In the meantime, below are a few immediate countermeasures you can take:

● **Don't federate with everybody.** If Company B wants to interact with Company A on Slack or another messaging app, you need to establish a relationship, also known as a federation. If you put a security flag in place, there's a handshake that happens that confirms: "Yes, both of us want to participate." It's not a one-way relationship that can be established.

Federate with the partners that you want to partner with, but don't be open to everybody. Build a workflow so that you can initiate a federation with interested parties, but not everybody can federate with your tenants.

● **It's the intention.** Just because you feel secure in Slack or in Teams doesn't mean you're secure. Just as we have learned with business email compromise, you should question the intention of the sender of the message to ensure their request is legitimate.

● **Watch that executable.** People still exchange executables on Slack and Teams, including malicious executables. Leverage  the filter capabilities built into Slack and Teams to only allow document exchange, no code exchange.

The intimate nature of these messaging tools may foster a false sense of security. In addition to the steps mentioned above, be sure to also continue to build a culture of security at your organization that educates your users on the potential risks these tools may pose. Your business depends on it. 

● **Enhance behavioral analytics and monitoring.** Leverage tools like CASB to inspect what users or apps are posting. This not only helps fend off common risks like malicious files or sensitive requests, but it also provides visibility into behaviors that are out of norm to then allow remediation.

How Popular Messaging Tools Instill a False Sense of Security

By paying attention to emerging threat intelligence, security leaders can be better prepared to defend against similar attack vectors in the future.

As the war in Ukraine extends into its second year, Russian threat actors have expanded the scope of their war-related espionage. This is part of a larger trend in which Russia is leveraging hybrid warfare tactics, such as cyber weapons, influence operations, and military force, in an attempt to overrun Ukrainian defenses. 

While most Russia-backed propaganda campaigns aimed at Ukraine have had little impact, Russian state-affiliated cyber and influence actors have not been deterred. These groups continue to seek alternative strategies inside and outside Ukraine. In the first six weeks of this year alone, Microsoft Threat Intelligence analysts found indications of Russian threat activity against organizations in at least 17 European nations. Many of these intrusions targeted the government sector.

By examining the lessons learned from Russian state operations and Ukraine's resilience, security leaders can create a broader playbook for defending against authoritarian aggression in the digital space. 

Moscow has relied heavily on cyber weapons and influence operations to access and conduct attacks on desired targets throughout the duration of its hybrid war. Its methods span a broad range of attack vectors, but three notable trends have emerged over the course of the conflict.

**Using Diverse Means To Gain Initial Access**

Russian threat actors have leveraged everything from exploiting Internet-facing applications to backdoored pirated software and ubiquitous spear-phishing to gain initial access to targets within and outside of Ukraine.

Seashell Blizzard (formerly Iridium), for example, has backdoored pirated versions of Microsoft Office to gain access to targeted organizations in Ukraine. The actor is also responsible for uploading a weaponized version of Windows 10 to Ukrainian forums, exploiting demand for low-cost versions of the software to gain access to government and other sensitive organizations in Ukraine.

Russian threat actors are also actively abusing technical trust relationships, targeting IT providers to reach more sensitive targets downstream without immediately triggering alerts. Hacker groups Forest Blizzard (formerly Strontium) and Secret Blizzard (formerly Krypton) both attempted to access an IT provider in Poland that counts sensitive sectors among its client base. Midnight Blizzard (formerly known as Nobelium), the same actor behind the SolarWinds intrusion, regularly attempts to compromise diplomatic organizations worldwide and foreign policy think tanks by first compromising cloud solutions and managed services providers that serve those organizations.

**Weaponizing 'Fact-Checking' To Spread Kremlin-Aligned Narratives**

Russian influence actors will often attempt to gain credibility by using the language and techniques associated with fact-checking to spread false claims. Social media accounts purporting to be fact-checking entities, like the Telegram channel War on Fakes, spread claims of "Ukrainian fakes" and allegedly "debunked" reports of Russian attacks on civilian and critical infrastructure. In reality, these operations attempt to turn the truth on its head and spread Russian propaganda.

**Spreading Leaked Information To Target Political Opponents**

Pro-Russian actors consistently spread purportedly leaked information online to target political figures and governments supportive of Kyiv. While this is not a new tactic for Russia, hack-and-leak operations have become increasingly prevalent during the war. These operations can be more effective than other types of influence operations because leaks are often difficult to authenticate or debunk, making them an effective tool to amplify existing divisions and tensions by allegedly exposing sensitive information.

Throughout the course of the war, Russia's destructive cyberattacks and influence operations have been used to sporadically amplify military operations in Ukraine. While Kremlin-backed digital operations have not yet successfully deterred Ukrainian resistance or degraded foreign support to Ukraine, there are many indicators we might look for to detect Russian escalation in the digital space. By paying attention to emerging threat intelligence, security leaders can be better prepared to defend against similar attack vectors moving forward.

Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine

The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.

Microsoft’s Patch Tuesday security update for June 2023 contains patches for 69 vulnerabilities across its suite of products and software. Some of the fixed flaws were originally submitted to the Zero Day Institute during the Pwn2Own competition earlier this year in Vancouver.

Microsoft identified a total six of the bugs it fixed this month as being of critical severity and 62 as important. Just one is rated moderate in severity. For the first time in months, Microsoft did not disclose any zero-days, vulnerabilities that are already under active attack.

**Prioritizing Patches for Critical Bugs**

The security updates address issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.

The critical elevation of privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357) was one of the bugs chained together in a successful exploit during the Pwn2Own competition, Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), wrote in a blog post. Attackers have a chance at gaining administrator privileges on the SharePoint Server if they have spoofed JSON Web Token (JWT) authentication tokens — all without requiring any user interaction. Both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

Microsoft recommended that on-premises customers enable the AMSI feature. Childs said ZDI's team had not yet tested the workaround but said that the "best bet is to test and deploy the update as soon as possible."

The three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015) all have the same base severity score of 9.8 — and this is the third month that Microsoft is addressing critical severity flaws in PGM. A remote, unauthenticated attacker could send a specially crafted file over the network and execute malicious code in a Windows PGM server environment where the Windows message queuing service is running. Even though PGM is not enabled by default, many organizations have PGM in their environment since it is a protocol used for reliable multicast data delivery in Windows. PGM is commonly used in applications like video streaming and online gaming.

The fact that the attacker does not need to be authenticated makes this a particularly dangerous issue. As a temporary workaround, administrators can check if Message Queuing service is running on TCP port 1801 and disable it if not needed. Mitigations should not be considered substitutes for patching, as attackers can figure out ways to bypass the workaround and still exploit the vulnerability.

The other two critical vulnerabilities to prioritize are the remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and the denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).

**Prioritize the "More Likely" to Be Exploited Ones, Too**

There are several vulnerabilities researchers recommend prioritizing as Microsoft considers them "more likely" to be exploited. The remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) would allow an authenticated attacker on the same intranet as the Exchange Server to launch to a PowerShell remote session to arbitrarily execute code.

Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. This vulnerability is a bypass of two previously fixed vulnerabilities (CVE-2022-41082 was a zero-day flaw disclosed last September and patched in November, and CVE-2023-21529 patched in Feburary). While successfully exploiting this flaw can gain SYSTEM privileges, this is not a critical-severity flaw because the attacker needs to already have an account on the Exchange server. CVE-2022-41082 is one of two so-called "ProxyNotShell" flaws in Exchange Server and has been used in ransomware attacks in the past.

Organizations need to prioritize fixing both Exchange vulnerabilities because attackers can chain these flaws as part of a larger campaign where they steal credentials or gain elevated privileges on the network.

Two other elevation of privilege vulnerabilities — one in the Windows graphics device interface (GDI) and the other in the Windows Win32k kernel driver — lets attackers gain SYSTEM privileges.

Microsoft Fixes 69 Bugs, but None Are Zero-Days

**SAN FRANCISCO, June 12, 2023** – Cycode, the leading application security platform, today announced the launch of Cimon, a seamless solution that enhances the security of CI/CD pipelines to prevent software supply chain attacks such as those that targeted SolarWinds and Codecov.  

CI/CD pipelines currently lack visibility, making them the most sensitive link in the SDLC, and many organizations have thousands of unmonitored pipelines prone to supply chain attacks. Cimon stops these attacks by utilizing the innovative solution of eBPF (extended Berkeley Packet Filter), a technology that provides visibility into the build system, including thwarting malicious behavior, with minimal disruption.

With this visibility, Cimon can inspect - network connections, running processes and file modifications within the CI pipeline — to learn standard behaviors. This knowledge enables Cimon to detect and prevent abnormalities, including real-time threats and zero-day attacks.  

"We offer free and easy integration with many CI/CD tools for organizations to secure their pipelines without delay time or errors," said Ronen Slavin, co-founder and CTO of Cycode. "As Cimon saves time in vulnerability and threat response procedures, teams can implement and adopt security measures without worry of error or exhaustion."

With Cimon, organizations can expect: 

● **Prevention of CI Attacks:** With low effort and seamless integration, users remain protected against all possible attacks on the CI pipeline, including zero-day attacks 

● **Instant Threat Detection:** Cimon prevents attacks such as malicious package installation, typosquatting, repojacking, dependency confusion, dependency hijacking and other dependency attacks 

● **Easy Integration:** Cimon is developer friendly and is easily integrated with popular CI/CD tools, comprehensive documentation requiring minimal configuration and integration with the development environment, such as GitHub 

Cimon is the new superhero for organizations' CI/CD pipelines and is free to use. More information about Cycode and Cimon is available online. 

**About Cycode**

Cycode's modern approach to application security enables organizations to effectively secure their cloud-native applications with cost-efficient use of tooling and staff across the SDLC. The Cycode platform makes AppSec tools better through its Knowledge Graph, which provides complete context of the SDLC to improve accuracy and reduce mean-time-to-remediation (MTTR). Cycode merges the top eight AppSec tools into the industry’s most advanced and comprehensive AppSec platform. By correlating data across these tools Cycode offers new capabilities, like Pipeline Composition Analysis which identifies vulnerable dependencies and security issues missed by legacy tools like SCA and SAST — across the entire SDLC; pinpoints vulnerable dependency locations; and prioritizes threats by exploitability.

Cycode Launches CI/CD Pipeline Monitoring Solution (Cimon) to Prevent Supply Chain Attacks

Threat actors have grown increasingly sophisticated in applying social engineering tactics against their victims, which is key to this oft-underrated cybercriminal scam's success.

Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing business worldwide more than $50 billion in the last 10 years — a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.

The agency's Internet Crime Complaint Center (IC3) 2022 report on BEC found that US business have lost more than $17 billion to these types of scams between October 2013 and December 2022, with global businesses counting losses of nearly $51 billion for the same period, according reports that the IC3 receives from organizations.

The number of organizations that have reported falling victim to BEC in the US alone over these years is 137, 601 across all 50 states — a number that's likely higher as it represents only the incidents that have been reported to the FBI, security professionals say. This means the total losses attributed to BEC for companies not just in the US but also globally is probably a lot higher than reported numbers as well, they say.

Despite organizations' overall increased awareness of and defense against BEC — which has been an attack vector for more than a decade — it continues to represent a thriving cybercriminal activity.

Security professionals attribute BEC's continued dominance in the cyber threat landscape to a number of reasons. A key one is that attackers have become increasingly savvy in how to socially-engineer messages so that they appear authentic to users, which is the key to being successful at this scam, Oren Falkowitz, field chief security officer for Cloudflare, tells Dark Reading.

"Successful BEC is not about being clever, it is about authenticity and achieving legitimacy in the eyes of the victim," Falkowitz says in an email. "Part of seeming legitimate is following physical events and trends in the news closely — which end up being leveraged and having resonance in cyberspace."

One example of this is the IC3's call-out of an uptick in attacks on the real estate sector, which reported a loss of $446.1 million to BEC in 2022. While this represented only a slight increase over a reported loss of $430.5 million from that sector in 2021, that figure showed nearly a doubling of BEC losses in real estate from 2020, during which real-estate organizations reported a loss of $258.4 million, according to the IC3.

This surge in BEC attacks on real estate appears to be continuing due to struggles in that sector, of which threat actors have noted and are taking advantage, Falkowitz says. "BEC having a nexus to the real estate sector in this year's report could be traced back to the commercial real estate crunch and the repurposing of cities," he says.

**Silent, But Deadly**

BEC is a type of attack in which threat actors use deception and impersonation to compromise legitimate business or personal email accounts to conduct an unauthorized transfer of funds or otherwise defraud a victim by obtaining access to personally identifiable information (PII) related to financial accounts.

Due to its inherent nature, BEC is well known for causing major financial loss not only for companies but also individuals. However, the rise in notoriety of ransomware over the past couple of years has allowed BEC attackers to fly somewhat under the radar while significantly boosting their impact, another contributing factor to its rise, notes one security expert.

"While ransomware has been grabbing the headlines over the past two years, BEC has quietly said 'hold my beer,' while surpassing itself as the most prolific and costliest form of cybercrime," Mika Aalto, co-founder and CEO at enterprise security awareness firm Hoxhunt**,** says.

He cited the Verizon DBIR reported released last week, which found that the cost and incidence of BEC doubled over 2022. In fact, the security industry's focus on ransomware may have actually contributed to BEC's rise during this time, as law enforcement have pursued ransomware gangs, imposing sanctions and leading to tightened cyber-insurance policies, while "BEC remains low-risk and highly profitable," Aalto says.

The rise of social engineering in general as a successful tactic by cybercriminals also is adding to the insidious and robust nature of BEC, security professionals say. In fact, another notable finding of Verizon DBIR report is that phishing and "pretexting," — i.e., impersonation of the sort commonly used in BEC attacks — dominated social-engineering scene last year. In 2022, pretexting gambits — which add to the perceived legitimacy of BEC attacks — nearly doubled since the year before and now represent 50% of all social engineering attacks, the report found.

"Social engineering is all about trust, and by gaining access to someone's account — usually someone in a position of authority — and masquerading as that person, the attacker lowers the barrier of trust immensely as they manipulate victims into ill-advised activities," Aalto notes.

**How the Enterprise Can Respond**

The continued success of BEC means these attacks are here to stay, which means organizations will be forced to respond with even stronger security measures, security experts say.

"The problem isn't going away," concurs Avkash Kathiriya, senior vice president of research and innovation at threat intelligence management firm Cyware. "While enterprises have made significant progress, they are still vulnerable to social engineering, while smaller businesses and individuals are being targeted by increasingly sophisticated scams."

Due to the key success factor of these scams — exploitation of the human element and weak points in an organization's security infrastructure — it is "particularly challenging to defend against using traditional security measures alone," observes Igor Volovich, vice president of compliance strategy at compliance firm Qmulos.

For this reason, he advises that organizations move towards continuous monitoring and assessment of their internal security controls in real time, which will allow them to "promptly detect control anomalies or failures that can lead to successful BEC incidents," he says.

"This approach provides organizations with the agility to respond swiftly to emerging threats, reducing the window of opportunity for scammers to exploit vulnerabilities, converging the timelines between security, compliance, and risk management to deliver a unified, real-time picture of enterprise risk posture," Volovich says.

Generative AI — which BEC attackers are increasingly using in the form of ChatGPT and other technologies to help them craft socially engineered messages — could also be leveraged by organizations to defend against attacks, says Patrick Harr, CEO at anti-phishing firm SlashNext.

"IT security pros need to implement AI capabilities which combine natural language processing, computer vision, and machine learning with relationship graphs and deep contextualization to thwart sophisticated multi-channel messaging attacks," he says.

Organizations should also strengthen workforce education efforts to help employees identify malicious campaigns and messages — which typically employ fake social media profiles, blogs, email accounts, and the like to establish trust and rapport — leveraged by BEC attackers, Harr adds.

Indeed, as BEC attacks commonly originate from phishing campaigns or social engineering methods, "it's paramount that organizations foster a robust cyber awareness training culture," concurs Jay Gohil, risk manager at Cowbell, a provider of AI-powered cyber insurance.

Analysis: Social Engineering Drives BEC Losses to $50B Globally

Mandiant's ongoing investigation of UNC3886 has uncovered new details of threat actors' TTPs.

A Chinese cyber-espionage group that researchers previously have spotted targeting VMware ESXi hosts has quietly been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs).

Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been following for some time and whom they reported on last year. They disclosed the vulnerability to VMware, which released a patch addressing the flaw on Tuesday.

**Authentication Bypass Zero-Day**

The zero-day vulnerability (CVE-2023-208670) is present in VMware Tools, a set of services and modules for enhanced management of guest operating systems.

The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without the need for guest credentials — and without any default logging of the activity happening. VMware assessed the flaw as being of medium severity because to exploit it an attacker already needs to have root access over an ESXi host.

Mandiant found UNC3886 using CVE-2023-208670 as part of a larger and sophisticated attack chain that its researchers have been unraveling over the past several months.

In September 2022, Mandiant reported uncovering UNC3886 using poisoned vSphere Installation Bundles, or VIBs, to install multiple backdoors — collectively dubbed VirtualPITA and VirtualPIE — on ESXi hypervisors. The backdoors enabled the attackers to maintain persistent administrative access to the hypervisor, to route commands through the hypervisor for execution on guest VMs, and for transferring files between the hypervisor and guest machines. The malware bundle also allowed UNC3886 actor to tamper with the hypervisor's logging service and to execute arbitrary commend between guest VMs on the same hypervisor.

Mandiant's analysis at the time showed the threat actor required admin-level privileges on the ESXi hypervisor to deploy the backdoors. But it found no evidence of UNC3886 actors leveraging any zero-day vulnerability to break into the ESXi environment or to deploy the weaponized VIBs.

**New Details on Threat Actor's Tactics and Methods**

The security vendor's continuing investigation of UNC3886's campaign — summarized in a technical report this week — uncovered new details on the threat actor's tactics and methods. They found, for instance, the threat actor harvesting credentials for connected ESXi service accounts from vCenter Server appliance and exploiting CVE-2023-20867 to execute privileged commands across guest virtual machines. Mandiant's research also showed UNC3886 actors deploying backdoors — including VirtualPITA and another called VirtualGATE — using the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. "This … enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place," Mandiant said.

Mandiant's report this week goes into the technical details on the entire attack chain beginning with the threat actor gaining privileged access to an organization's vCenter server and retrieving service account credentials for all connected ESXi hosts. The report goes on to describe how UNC3886 actors used the credentials to connect to ESXi hosts, deploy VirtualPITA and VirtualPIE backdoors on them using VIBs and then exploiting CVE-2023-208670 to execute commands for transferring files to and from guess VMs.

The threat actor targeted ESXi hosts belonging to defense, technology and telecommunications companies, Mandiant said.

"To enable connections to many ESXi hosts at once, UNC3886 targeted vCenter servers, each \[of which\] administrate multiple ESXi hosts," says Alex Marvi, a consultant at Google Cloud's Mandiant. "Each ESXi host creates a service account called the 'vpxuser' when it is initially connected to a vCenter server. UNC3886 was seen harvesting this vpxuser account on vCenter servers so they could connect with administrative rights to all connected ESXi hosts." Once connected to the ESXi hosts, the threat actor leveraged CVE-2023-20867 to run commands and transfer files on running guest machines without the need for the guest’s credentials, he says.

**Previously Unseen Techniques**

The harvesting of connected ESXi service account credentials on vCenter servers and the capabilities of the VMCI socket backdoor are two new techniques that Mandiant has not seen utilized by other attackers in the past, Marvi says. "This should help organizations detect and respond to this attack path, regardless of the exact malware being deployed or commands being used."

Mandiant has assessed UNC3886 as a threat actor that is particularly adept at targeting and exploiting zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response technologies. Its primary targets have been in the US and on organizations in the Asia-Pacific region and Japan. According to Marvi, UNC3886 has demonstrated the ability to switch up attacker paths and tactics when needed. He points to a novel set of malware tools the threat actor deployed on Fortinet devices as evidence of its abilities and access to resources needed to carry out highly sophisticated attacks.

"UNC3886 has shown itself to be a flexible, yet highly capable threat actor, which will modify open source projects to complete their mission," he says. "I would argue that this group’s TTPs are more dynamic than unique, built around the exact needs to either regain access or persist in an environment with whatever they are given access to."

Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs

Threat actors have created over 3,000 domains, some as old as two years, to lure in customers to false, name brand websites for personal financial gain.

Threat actors have been impersonating more than 100 apparel, clothing, and footwear brands such as Nike, New Balance, and Vans to lure customers as part of a malicious phishing scam since June 2022.

The threat research team from Bolster.ai identified more than 3,000 registered domains and around 6,000 sites carried out by threat actors with the intent to target the customers of these popular brands to steal account credentials and financial information. Other brands that have been affected include Doc Martens, Miu Miu, Converse, and Etsy, an American e-commerce company that hosts countless small businesses on its site.

As the height of its campaign activity between November 2022 and February 2023, the malicious actors were adding around 300 new fraudulent sites on a monthly basis, the researchers said. The attackers followed a simple naming convention for these domains: combining the brand name with a city or country, followed by a generic top-level domain such as .com.

Many of the domains were old, some even two years old, which helped boost the success of this scam. The older a domain name, the less likely they are to be flagged by security tools as being malicious. Old domains also help boost global malvertising campaigns because those sites have time to be indexed by Google, tend to rank higher in search terms, and can lure in users who assume that a page ranking high in search must be credible. 

**Notable for Fraud Risk**

These domains were traced back to Autonomous System number AS48950, (which refers to IP prefixes run by network operators) — and the domains' IP addresses are hosted by Packet Exchange Limited and Global Colocation Limited. Both Internet service providers are known for fraud risk, according to Bolster.ai. 

Companies can mitigate these risks by training employees to be aware and take note of the signs for impersonation attempts and phishing scams, using cybersecurity software to block attempts to begin with, and even using artificial intelligence (AI) to automate these processes.

Source

DARKReading