Security vendors, businesses, and US government agencies need to work together to fight ransomware and protect critical infrastructure.

Cyber threats have a long reach. What seems like a low-level cyber incident can have a larger ripple effect, impacting millions of innocent people. A password breach that occurs in a private company, such as Colonial Pipeline, can end up taking down sections of the critical infrastructure, for example. The line between attacks on the public sector and private interests are blurring, and now, with new directives and initiatives from the Biden administration — along with new departments within federal agencies — the government seems committed to collaborating with companies to address emerging cyber threats.

Both government agencies and private vendors already see the value in building partnerships.

"Partnering with the private sector is critical for advancing our mission of accelerating commercial adoption of technology across many sectors, especially in cybersecurity," says Pat Gould, director of the Defense Innovation Unit (DIU) Cyber Portfolio.

The private-sector view is similar — the need to collaborate is critical, and it is about time that efforts are being made to facilitate such a partnership. Initiatives like the National Cybersecurity Strategy, for example, are bringing in private-sector security vendors to share threat information or provide solutions and tools that are beyond government scope.

Mick Baccio, global security advisor with Splunk, admits the ability to work together has been hindered by the private sector's inherent distrust of government, especially as administrations and congressional leadership change.

"Building credibility is tough to do in this atmosphere," says Baccio, "but thanks to a push by the current administration, the continuity that cybersecurity and the private-public partnership needed is finally in place."

Executive orders with guidelines to facilitate improved security across the supply chain, for example, can be canceled the moment a new president takes office. The Cybersecurity and Infrastructure Security Agency (CISA) is one of the government agency's attempts to bake public-private cybersecurity efforts into its mission.

**Government's Role in Collaboration**

A few agencies are uniquely set up to focus on collaboration with the private sector. Beyond its high-profile work in keeping voting systems safe, CISA is responsible for securing critical infrastructure in cooperation with companies.

The FBI has worked closely with both public and private entities for years, but as cybercrime — particularly ransomware — ramps up, so too has the outreach from the FBI to the private sector.

Many other agencies also have similar security-related outreach built in, like the Department of Energy. Because many areas of the energy critical infrastructure are owned and operated by corporations, the department needs to build partnerships not only to keep the infrastructure safe but also to prevent disinformation and misinformation that could cause a national panic. (The Colonial Pipeline cyber incident is a prime example, when poor communication led to gas shortages on the East Coast two years ago.)

The Cybersecurity Collaboration Center (CCC), part of the National Security Agency, was established three years ago, and it signifies a shift in how the government works with private-sector vendors to share information and expertise to scale mitigations, according to the center's chief, Morgan Adamski.

"We're looking at the quality of our relationships over the quantity," Adamski said during a 2023 RSA Conference panel on public-private partnerships. She said CCC will share threat analytics with cybersecurity companies that have the broadest outreach, which could provide protection for billions of customers.

However, some argue that this trickle-down information sharing hampers security efforts.

"The argument is that working with fewer but larger vendors will minimize the chance of leaks while protecting the most people because they'll have more threat intel to share," wrote Mike Wiacek, founder and CEO of Stairwell, in a Dark Reading article. "But I would argue that making the research collaborations more inclusive would not only level the playing field among vendors but also increase the diversity of threat intel sources and apply more human expert intelligence to the problems."

**What Private Vendors Bring**

Innovation comes from small companies, which file more than 14 times more patents in the US than larger businesses and universities do. Government and large enterprises rely on strategic partnerships with smaller security vendors to build out their cybersecurity programs.

Government is more than federal agencies, says Merlin Cyber CEO David Phelps. States, counties, and especially municipalities don't have large budgets or staffing to manage cybersecurity needs.

"They need the outreach to the private sector to help address cybersecurity concerns," Phelps says.

Vendors may have a better — or at least different — view into the threat landscape and can work quickly to come up with the right tools or solution for a government entity at a more affordable rate than is charged to the private sector. Not only can community governments take advantage of the lower cost, but because they are using an approved government vendor, they now have federal oversight.

Having similar tools, knowledge base, threat landscape, and product behavior as businesses gives CISA a broader view of what's happening across a larger swath of the critical infrastructure.

"By actually having government entities of all sizes using the same platforms, threats will be a lot more visible as an ecosystem," says Phelps.

The value of having partnerships like this is having a private sector that has the flexibility and funding to investigate threats in ways that the government can't. Larger businesses within the private sector can invest in startups that are developing cutting-edge technologies. This agility and scalability are among the most important contributions the private sector provides.

**United Against Ransomware**

The fight against ransomware is a good example of a public-private collaboration. The FBI actively works with private vendors to not only identify ransomware, but also to defend against ransomware crime rings and nation-state actors. Partnering on this type of attack works well because ransomware attacks tend to have a lot of similarities.

"Because all of the actors use the same tools and services, all of our options increase," explained Cynthia Kaiser, deputy assistant director with the FBI, during the RSA panel.

For example, in 2019 government agencies learned that a global Russian-distributed botnet was using a US company to implant malware in millions of devices. The FBI worked closely with that company and different government agencies to find a solution to counter this malicious activity and cut off the command-and-control infrastructure of the global botnet before it could do any more damage.

When an incident occurs, the most vital pieces of information come from the victimized organization. The victims become partners with government agencies, sharing details about what happened and what they continue to see happening in their networks. The government agencies gather that information and help the companies put the threats into context.

"A key part of collaboration is that it is bidirectional, and it's critical that people come early and often to that trusted relationship to have the \[cybersecurity\] conversation," CCC's Adamski said.

Improving Cybersecurity Requires Building Better Public-Private Cooperation

The climate of concern around open source security and supply chain attacks may have caused a small story to become a big one.

Following a temporary suspension of all new users and package uploads, the Python Package Index (PyPI) repository is back up and running. Many noted that the culprit was the flooding of the site with a glut of malicious packages -- but a PyPI administrator noted that there was no unusual glut, simply fewer people than usual to address the usual glut.

PyPI is the official software repository for Python, serving over 700,000 users and over 450,000 projects, according to the site's homepage. Its popularity has attracted not just developers but hackers who like to upload malicious packages as a first step in supply chain breaches.

Beginning Saturday afternoon (UTC), PyPI temporarily suspended new user and project registrations. "The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the site's admins wrote in an incident report.

The statement raised eyebrows across the security community, with many news sites reporting the site as falling victim to either an anomalous wave of malicious activity or even an outright cyberattack. And, the research firm Checkmarx in a blog characterized the situation as part of an uptick in “actors publishing overwhelming amounts of malicious packages in several open-source registries.”

But Ee Durbin, director of infrastructure for the Python Software Foundation, tells Dark Reading that the actual circumstances of the shutdown were much less dramatic than they were made out to be.

"This weekend was just a matter of human capacity," Durbin says. "Effectively, there was just one PyPI admin available to handle reports out of the usual three, and they (I) needed a weekend."

As of the evening of May 21 (UTC), PyPI was once again operating as usual, with its administrative team available in force.

**Why We Worry About Open Source Software Repos**

At least some portion of the hubbub around PyPI's 30-hour shutdown can be explained by growing fears around the state of open source security.

"We've seen the number of attacks skyrocket over the past two years," says Peter Morgan, co-founder and CSO of Phylum. In the first quarter of 2023, Phylum analyzed 2.8 million packages published to popular repos like PyPI, npm, and Nuget, 18,016 of which executed suspicious code upon installation, 6,099 referenced known malicious URLs, and 2,189 targeted specific organizations.

Malicious packages run so rampant today that some hackers hardly feel the need to hide them anymore.

"More and more attackers are realizing how easy this is to do. It doesn't require any skill. You can download scripts off of the Internet and use them to pollute the open source supply chain," Morgan explains. "Also, it's costless. You don't need to spend any money. You can do it for free with anonymous accounts."

With software today, Morgan continues, "there are so many dependencies. All an attacker has to do is get one foot in the dependency chain to get a hold in your computer. So the defender \[has a\] massive disadvantage here. The attacker only has to win once."

By contrast, organizations that utilize open source software — read: _all_ organizations — have a far more difficult time defending against even such low-level attackers, prompting calls for better package inspection, the development of new tools to track dependencies, and software bills of materials (SBOMs).

Those in charge of maintaining the repos acknowledge these issues as much as anybody. "Regular caution should always be exercised when installing from a public index, whether in your projects or on the command line with 'pip install,'" Durbin says.

**Repos Make Changes to Battle Malicious Packages**

Historically, repositories have struggled to keep up with their far more numerous adversaries. To assuage concerns, though, Durbin tells of how "we have exciting developments that will allow for much more sustainable and potentially automated handling of malware reports coming soon."

The Python Software Foundation also recently added a security developer-in-residence role, meant to improve Python security at large. And just a couple of weeks ago, Durbin announced that PyPI will bring on a safety and security engineer, whose job will be to focus on PyPI's security in particular.

Supply chain security in years to come will turn on our ability to keep public repos clean and protect ourselves when they're not. "Everyone is very, very focused on finding things that have vulnerabilities," Durbin concludes, "but software vulnerabilities are not what attackers are using to break into computers today. They're creating malicious packages."

PyPI Shuts Down Over the Weekend, Says Incident Was Overblown

The technology conglomerate has until later this year to end its transfer of European user's data across the Atlantic.

Meta, owner of Facebook and Instagram, has been fined $1.3 billion (€1.2 billion) for violating the European Union's General Data Protection Regulation (GDPR) by the Irish Data Protection Commission, for the transfer of EU users' personal data to US servers.

This penalty is the biggest that's been dealt out after the European Union's strict data privacy policies went into effect in 2016; this fine far surpasses even Amazon's previously record-breaking $808 million (€746 million) tab in 2021 due to data protection violations.

Because the European Court of Justice nullified the Privacy Shield, the EU and the US continue to search for alternatives on a new data flow. Privacy Shield originally served as a data transfer mechanism under the GDPR, enabling participating companies to meet the EU requirements for transferring personal data to third countries. Though a replacement is expected later in the year, there are multiple multinational companies, including Meta, that illegally rely on the former agreement — specifically with the use of standard contractual clauses.

"The fine regarding a GDPR violation serves as a stark reminder of the importance of data protection in today's dominant digital landscape and the consequences organizations may face if they fail to meet these obligations," Eduardo Azanza, CEO of Veridas, said in a statement in response to the announcement. "The GDPR is designed to safeguard the rights and privacy of individuals. Thus, it's fundamental for organizations to respect these laws and regulations to not only maintain customer trust and confidentiality but to also avoid such public scrutiny and reputational damage."

Meta has a deadline of Oct. 12, 2023, to cease its reliance on standard contractual clauses for data transfers of users' private data.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations

The purchase gives IBM access to a new category of products called "data security posture management" for security data in cloud and SaaS repositories.

IBM's purchase of Polar Security for an undisclosed sum on May 16 has focused attention on an emerging market space that, until recently, didn't even have a formal name associated with it.

Polar is among an increasing number of startups — many based in Israel — that offer a new class of tools, built to accomplish "data security posture management (DSPM)." They help organizations discover, monitor, and secure sensitive data across hybrid and multi-cloud environments. To that end, IBM will integrate Polar's technology with its Guardium portfolio of data security products. 

The Polar acquisition is the company's fifth so far this year.

**Data Classification in the Cloud**

The key selling point of products from Polar and companies like it, is their ability to automatically classify discovered data in these environments (in addition to monitoring user access and discovering threats to the data) — so security teams can protect it better. Many of the technologies, including Polar Security's DSPM platforms, are agentless and have the claimed ability to automatically discover sensitive data in minutes and to classify them into categories such as PII, PHI, and PCI.

Gartner, which gave the category its name last year, describes DSPM products as enabling organizations to discover shadow data — structured and unstructured — in repositories across cloud service providers, data lakes, and SaaS environments. The analyst firm has predicted that more than 20% of organizations will deploy a DSPM capability by 2026 because of "urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.”

IBMs purchase of Polar gives the company immediate access to technology that will help it compete in the market segment with a growing number of pureplay vendors, and vendors expanding into the space from other markets such as cloud security posture management and cloud DLP. Examples of pureplay DSPM vendors include Laminar, Cyera, and Dig, while Wiz, Varonis, Orca — and now IBM — are all vendors that have added DSPM to their technology portfolio over the past year.

**A Vibrant DSPM Market**

Richard Stiennon, chief research analyst at IT-Harvest, says his firm currently tracks over a dozen vendors in the market. "DSPM is a vibrant space with at least 16 players," Stiennon says. 

Polar, which launched in 2021, was in the middle of the pack with about 30 employees at time of purchase he notes, adding, "IBM Tech Fund had participated in the $8 million seed funding, so they have had visibility into Polar for at least 16 months." Among the larger vendors in the space are Wiz, Laminar with about 95 employees, and Cyera with a headcount of some 75, Stiennon says.

A lot of the enterprise interest in the space stems from growing concerns over data exposure in cloud and SaaS environments. Just like shadow IT is a problem, shadow data — or sensitive data in cloud databases, AWS S3 buckets, and other repositories stored across multiple environments — has become a real and pressing problem for many organizations.

"Sensitive data discovery and classification has become a top priority \[for organizations\]," says Justin Lam, an analyst with S&P Global Market Intelligence. A recent survey of technology decision makers that the analyst firm conducted showed that for many organizations, DSPM has become a top technology priority for 2023, he adds. 

"A lot of enterprises are waking up to the fact they need to find out what data they have in the cloud," Lam says. "How do I find out what it is, how risky it is, what kind of non-public info is out there in the cloud. These are all huge concerns."

**IBM's Cloud Security Investment: Triggering a Landgrab?**

Analyst firm Omdia expects the IBM acquisition of Polar to push other technology heavyweights into the space as well. As has often been the case with new technologies, a lot of the initial proponents of DSPM are startups. But that could change quickly as bigger players move into the space. 

"We have seen such landgrabs before — in data leak prevention in the mid-2000's, cloud access security brokers in the mid-2101's, and cloud security posture management later in the last decade," says Rik Turner, analyst with Omdia.

Turner describes the DSPM market as still largely immature or moving just beyond that phase. To date, it has been all about startups, many of them from Israel, raising early rounds of venture capital money and starting to evangelize about DSPM. Until Gartner came up with a name for the category, many of the players in the space were positioning themselves as providing cloud data posture management and DSPM together, he says.

IBM's purchase has raised the profile of DSPM as a technology and potentially puts other cyber industry majors in the market to buy one of Polar's competitors. Already, there are some rumors that Laminar is in talks with a potential buyer or two, Turner says. 

"Now, alongside the startups, we have not only Big Blue jumping in but also CSP vendors like Orca and Wiz, both of whom are adding some DSPM capabilities," Turner notes. "It may be too early to see IBM's acquisition of Polar as the tipping point, but if Laminar does indeed go to one of the bigger beasts, the land grab really will have begun."

IBM's Polar Buy Creates Focus on a New 'Shadow Data' Cloud Security Area

Techniques used in cyber warfare can be sold to anyone — irrespective of borders, authorities, or affiliations. We need to develop strategies to respond at scale.

The Russia-Ukraine war has taught us a lot about cyber warfare. After all, it's the first time ever that a world-class cyber power is simultaneously engaged in a kinetic war. But before we can fully grasp the lessons that have surfaced over the past year, we first have to understand what role cyber plays as part of active kinetic warfare, as well as the criteria that determines its effectiveness.

**Breaking Down Cyber in Warfare**

The main roles of cyber in warfare include: 1) espionage, 2) sabotage, 3) propaganda, and 4) disruptions usually caused by distributed denial-of-service (DDoS) attacks targeting government, electrical, and economic/financial institutions. I believe cyber warfare is two parts information warfare using cyber tactics and techniques and one part cyber warfare with actual destruction.

Cyberattacks with strategic or military implications can include the manipulation of software, data, knowledge, and opinion to degrade performance and produce political or psychological effects. Introducing uncertainty into the minds of opposing commanders or political leaders is a calculatable military objective. Manipulating public opinion to damage an opponent's legitimacy and authority in both domestic and international audiences also is valuable. Some actions may provide only symbolic effect aimed at a domestic audience, but this too is valuable for a nation at war.

So, how can we judge the effectiveness of cyber warfare attacks? My more than two decades of experience serving as an FBI agent taught me that the criteria for success in deploying cyber offensive tactics lies across five areas:

*   Creating chaos
*   Collecting intelligence
*   Driving narratives to shape opinions (disinformation)
*   Inflicting damage to data or ecosystems
*   Stealing/exfiltrating victim data for extortion and/or sale to criminal data brokers

**Cyber Warfare in the Russia-Ukraine Conflict**

Russia has largely been cited as an "aggressor" in its conflict with Ukraine. But it is important to remember that because cyber knows no boundaries, any country or hacktivist group can join the battle with impunity — it is one of the ways cyber is fundamentally different from traditional warfare, and a dynamic that both sides have benefited from and been victimized by.

Russia holds a broad definitional concept of information warfare, which includes intelligence, counterintelligence, deceit, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, degradation of information systems, and propaganda.

As used by the Russian military, cyber power is a key facet of hybrid warfare and is an important enabler in the Russian political strategy to oppose NATO's expansion and cohesion. Cyberattacks can be targeted specifically toward and with the purpose of eliminating key networks but also can be used as a tool to intensify the fog of war by sowing confusion within command-and-control networks. If local political and military leaders can't get ahead of and develop an accurate estimate of quickly developing events, critical hours or even days can be gained with which an adversary can create facts on the ground that cannot easily be reversed. As part of its military campaign, Russia used myriad cyberattacks against computers in Kyiv, Poland, the European Parliament, and the European Commission prior to rolling tanks across the Ukraine border.

Here are just a few examples of cyber warfare tactics used in the Russia-Ukraine conflict:

*   The Russians targeted Viasat, a US satellite communications company that provided support to the Ukrainian military, with malware designed to erase its data before disabling it. The Russians did not limit the malware's scope, and it affected other ground satellite components, causing hundreds of thousands of people outside of Ukraine to lose electrical power and Internet connection.
*   A cyberattack against the City Council of Odessa, a major Ukrainian port city situated on the Black Sea, was timed to coincide with a cruise missile attack that was meant to disrupt Ukraine's response to Russian forces attacking in the south.
*   Cyberattacks also have been launched against many parts of Ukraine's infrastructure and government and civilian networks, including hospitals.
*   Ukrainian military units have created bogus dating websites for Russian soldiers, coupled with social media platforms, to lure Russian troops to use their personal mobile devices — at which point Ukrainian troops triangulate their location so they can use a drone to drop a bomb on their geolocated positions.

Even though Russia is considered one of the most dangerous cyber-nation-state actors, the use of cyber warfare tactics against Ukraine leading up to and currently during their one-year-old unprovoked war shows that offensive cyber techniques, when used as a separate warfighting domain, does not necessarily offer magic solutions and miraculous shortcuts to achieving strategic military goals. Similar to when the Russian Army deployed cyberattacks against Georgia in 2008 and Syria after that armed conflict, when the Russia-Ukraine war ends, we will have another example for history to judge the effectiveness of Russian cyber-enabled warfare.

**Lessons Learned So Far**

Cyber warfare is real, and it is playing out in various theaters across the world — some visible, as in the Russia-Ukraine conflict, and others behind-the-scenes. There will be many lessons learned from these actions, but here are a few takeaways we have so far:

*   The effects of cyberattacks are difficult to contain when not coupled with kinetic military activity. The effects most always extend far beyond the intended target and can be used more as a strategic weapon as opposed to a tactical or precision weapon.
*   Attribution of cyberattacks is difficult and more easily denied. Cyber warfare sits in a gray zone, as it can be used by state and non-state actors, with fewer inhibitions than kinetic strikes.
*   With the use of non-state or patriotic proxies, cyberattacks are less manpower-intensive than kinetic attacks but certainly require more skills to prepare and execute and can be just as devastating to the victim's infrastructure.

There is no question that cyber power is being wielded as a strategic weapon alongside the use of kinetic force in the Russia-Ukraine conflict. And cyber warfare allows power and force to be democratized and sold on the Dark Web, available to anyone with technical skills — irrespective of borders, authorities, or affiliations. Because of this, we must start to think ahead of the threat and develop strategies to respond to these challenges at scale.

Cyber Warfare Lessons From the Russia-Ukraine Conflict

**Woburn, MA – May 19, 2023 –** Kaspersky researchers have provided further details on the CommonMagic campaign, which was first observed in March targeting companies in the Russo-Ukrainian conflict area. The new research reveals more sophisticated malicious activities from the same threat actor. The investigation identified that the newly-discovered framework has expanded its victimology to include organizations in Central and Western Ukraine. Kaspersky experts have also linked the unknown actor to previous APT campaigns, such as Operation BugDrop and Operation Groundbai (Prikormka).

In March 2023, Kaspersky reported a new APT campaign in the Russo-Ukrainian conflict area. This campaign, named CommonMagic, utilizes PowerMagic and CommonMagic implants to conduct espionage activities. Active since September 2021, it employs a previously unidentified malware to collect data from targeted entities. Although the threat actor responsible for this attack remained unknown at the time, Kaspersky experts have persisted with their investigation, tracing the unknown activity back to forgotten campaigns in order to gather further insights.

The recently uncovered campaign utilized a modular framework called CloudWizard. Kaspersky’s research identified a total of 9 modules within this framework, each responsible for distinct malicious activities such as gathering files, keylogging, capturing screenshots, recording microphone input, and stealing passwords. Notably, one of the modules focuses on exfiltrating data from Gmail accounts. By extracting Gmail cookies from browser databases, this module can access and smuggle activity logs, contact lists, and all email messages associated with the targeted accounts.

Furthermore, the researchers have uncovered an expanded victim distribution in the campaign. While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine.

After extensive research into CloudWizard, Kaspersky experts have made significant progress in attributing it to a known threat actor. They have observed notable similarities between CloudWizard and two previously documented campaigns: Operation Groundbait and Operation BugDrop. These similarities include code similarities, file naming and listing patterns, hosting by Ukrainian hosting services, and shared victim profiles in Western and Central Ukraine, as well as the conflict area in Eastern Europe.

Moreover, CloudWizard also exhibits resemblances to the recently reported campaign CommonMagic. Some sections of the code are identical, they employ the same encryption library, follow a similar file naming format, and share victim locations within the Eastern European conflict area.

Based on these findings, Kaspersky experts have concluded that the malicious campaigns of Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic, and CloudWizard may all be attributed to the same active threat actor.  

"The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyberespionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” said Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team. “Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future."

Read the full report about the CloudWizard campaign on Securelist.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

*   Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
*   Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
*   For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
*   In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
*   As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform

CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine

In an advisory released by the company, Apple revealed patches for three previously unknown bugs it  says may already have been used by attackers.

Three zero-day vulnerabilities — tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 — were found in Apple's WebKit browser platform and affect iOS, macOS, and iPad products.

These vulnerabilities affect "iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later," Apple said in one of its new advisories.

CVE-2023-32409 is a vulnerability in which a remote attacker is "able to break out of Web Content sandbox," according to Apple. The vendor said CVE-2023-28204 entails processing Web content that may disclose sensitive information, and CVE-2023-32373 warns that processing "maliciously crafted Web content may lead to arbitrary code execution."

Apple said it's aware that the bugs may have already been actively exploited by threat actors but did not elaborate on any of these attacks.

While Apple reported that two of the three vulnerabilities were reported by anonymous researchers after they were first addressed, one of them — CVE-2023-32409 — was reported by Clément Lecigne, a security engineer in Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a security researcher and hacker in Amnesty International's Security Lab.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Patches 3 Zero-Days Possibly Already Exploited

It's not lack of data that's the problem, but the inability to piece it together to truly understand and reduce risk.

Device diversity, cloud adoption, remote work, and the increasingly complex software supply chain have significantly expanded today's attack surface. But despite increased year-over-year investment in security operations, most organizations only have the resources to address 10% of the millions of issues present in their environments.

Security and risk leaders need to be practical and focus on the small percentage of exposures that represent the most risk to _their_ organization. Security teams already have access to the intelligence they need to power risk-driven vulnerability prioritization, but to harness the full potential of their existing insights, they must first break down barriers caused by existing data siloes.

Everything within the digital ecosystem creates data — from autonomous network and vulnerability scanners to manual spreadsheets. Teams have to understand how each element plays a role in the prioritization decision-making process. They need to consider the threat and exposure management life cycle to explore the strengths, weaknesses, and opportunities for each resource.

**Silo 1: Cyber Asset Management**

There are ample approaches to creating a consolidated inventory of all assets and their associated risk posture: legacy spreadsheets, "traditional" network scanners and IT asset management tools, and cyber asset attack surface management (CAASM) platforms.

Depending on the approach, though, teams may only be looking at the "traditional" attack surface instead of considering everything that would be present in a typical multicloud, decentralized, and well-segmented modern network. While progress is being made in this category, it's still built off point-in-time, state-based insights. The lack of insight into attack behavior therefore impacts their overall effectiveness.

**Silo 2: Threat Detection and Response**

On the other hand, threat detection and response tools are designed to help organizations understand their attack surface from the adversary's perspective through analyzing network, user, and machine behavior. Although the quality of data from security information and event management (SIEM) systems is considerable, alert overload makes it extremely difficult for teams to comb through and extract the most pertinent information.

Additionally, threat detection and response platforms typically only monitor "known" assets for changes, whereas the greatest threat lies with the changes made to unknown assets. So, while these platforms have come a long way to expedite response and remediation, they still lack visibility into exposures beyond typical software vulnerabilities and misconfigurations. Gartner predicts unpatchable attack surfaces will grow from less than 10% of the enterprise's total exposure in 2022 to more than half by 2026.

**Silo 3: Third-Party Intelligence**

There are several ways to gauge the potential impact and exploitability of vulnerabilities, such as the Common Vulnerability Scoring System (CVSS), Exploitation Prediction Scoring System (EPSS), and vendor-specific scoring systems. CVSS is the most common method for prioritizing vulnerabilities.

The greatest risk of relying only on third-party guidance is that it doesn't consider the organization's unique requirements. For example, security teams still have to decide which patches to prioritize in a group of "severely critical" vulnerabilities (e.g., those with a CVSS score of 9.0 or higher).

In this case, it's impossible to make an informed decision using these quantitative methods alone. Factors such as the location of the asset would help teams determine the exploitability of the vulnerability within _their own_ organization, whereas its interconnectivity would give teams an idea of the blast radius — or potential overall attack path.

**Silo 4: Business Insights**

From configuration management databases (CMDBs) to controls and dependency maps to data lakes, this list wouldn't be complete without internal business tracking systems. These resources are critical to threat and exposure prioritization due to their strength in demonstrating the connections between devices and vulnerabilities, as well as the overall business criticality and dependency mapping.

But as enriching as they are, custom databases require a heavy manual lift to not only implement, but also keep current. Therefore, due to the rate at which our environments change, they quickly become outdated, making it impossible to accurately survey security posture changes.

**Change Is Programmatic, Not Tool-Centric**

While each source listed above serves its own purpose and provides a unique layer of valuable insight, none serves as a single source of truth for navigating today's sophisticated threat landscape. That said, they're extremely powerful when they work together, revealing a comprehensive vantage point that enables teams to make better, more informed decisions.

Many of the valuable insights necessary to drive informed, risk-based decisions either get lost in the siloes of enterprise tech stacks or stuck between conflicting teams and processes. Although modern environments require equally progressive security, there isn't a single tool or team that can repair this broken process.

Security leaders need to align their cyber asset intelligence to their primary use cases. That may be through mapping their vulnerability prioritization process using third-party intelligence, business context, and asset criticality, or by targeting specific control frameworks such as NIST Cybersecurity Framework or the CIS Critical Security Controls to use their security data to drive an effective security improvement program.

Data Siloes: Overcoming the Greatest Challenge in SecOps

The data shows how most cyberattacks start, so basic steps can help organizations avoid becoming the latest statistic.

Most ransomware attackers use one of three main vectors to compromise networks and gain access to organizations' critical systems and data.

The most significant vector in successful ransomware attacks in 2022, for example, involved the exploitation of public-facing applications, which accounted for 43% of all breaches, followed by the use of compromised accounts (24%) and malicious email (12%), according to Kaspersky's recently released report, "The Nature of Cyber Incidents."

Both exploitation of applications and malicious emails declined as a share of all attacks compared with the previous year, while the use of compromised accounts increased from 18% in 2021.

Bottom line: Doubling down on the most common attack vectors can go a long way to preventing a ransomware attack. "A lot of companies are not the initial targets for attackers but have weak IT security and \[allowing them to\] be hacked easily, so cybercriminals take the opportunity," says Konstantin Sapronov, head of the global emergency response team at Kaspersky. "If we look at top three initial vectors, which together account for almost 80% of all cases, we can implement some defensive measures to mitigate them, and go a very long way to decreasing the likelihood of becoming a victim."

The top initial vectors cited by Kaspersky match an earlier report by incident-response firm Google Mandiant, which found that the same common vectors made up the top three techniques — exploitation of vulnerabilities (32%), phishing (22%), and stolen credentials (14%) — but that ransomware actors tended to focus on exploitation and stolen credentials, which together accounted for nearly half (48%) of all ransomware cases.

Ransomware took off in 2020 and 2021, but leveled off last year — even dropping slightly. But this year, ransomware and a related attack — data leaks with a goal of collecting a ransom — appear to be increasing, with the number of organizations posted to data leak sites increasing in the first part of 2023, says Jeremy Kennelly, lead analyst for financial crime analysis at Mandiant.

"This may be an early warning that the respite we saw in 2022 will be short-lived," he says, adding that the ability to continue to use the same initial access vectors has helped attacks.

"Actors engaging in ransomware operations haven’t needed to evolve their tactics, techniques, and procedures (TTPs) significantly in recent years, as well understood strategies have continued to prove effective," Kennelly says.

**Unsurprising Trio: Exploits, Credentials, Phishing**

In December 2022, the Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were commonly using five initial access vectors, including the three identified by both Kaspersky and Mandiant, as well as external remote services — such as VPNs and remote administration software — and third-party supply chain attacks, also known as trusted relationships.

Most compromises are either quick or slow: Quick attacks compromise systems and encrypt data in days, while slow ones are where threat actors typically infiltrate deeper into the network over months, possibly conducting cyber espionage and then deploying ransomware or sending a ransom note, according to Kaspersky's report.

Exploitation of public-facing applications and the use of legitimate credentials also tend to be harder to detect without some sort of application or behavioral monitoring, leading to longer dwell times for attackers, says Kaspersky's Sapronov.

"\[N\]ot enough attention is paid to application monitoring," he says. "Also, when attackers use \[exploitation\], they need to take more steps to reach their goals."

    

Exploitation is the top initial access vector and tends to lead to a quick ransomware attack or longer espionage. Source: Kaspersky

**Tip: Track Exploitation Trends**

Knowing the most common approaches attackers likely will take can help inform defenders. Companies should continue to prioritize vulnerabilities that have exploits in the wild, for example. By paying attention to the shifts in the threat ecosystem, companies can make sure that they are prepared for likely attacks, Mandiant's Kennelly says.

"Due to the velocity at which threat actors can weaponize exploit code to support intrusion operations, understanding which vulnerabilities are being actively exploited, whether exploit code is publicly available, and if a particular patch or remediation strategy is effective can easily save organizations from dealing with one or more active intrusions," he says.

But avoid putting too much emphasis on protecting against specific initial access vectors, as attackers continually adapt to defenses, Kennelly adds.

"The specific infection vectors that are most common at a given time should not broadly change an organization's defensive posture, as threat actors continually shift their operations to focus on whichever vectors prove most successful," he says. "\[A\] decrease in the prevalence of any given vector does not mean it poses a significantly lower threat — for example, there has been a slow decline in the proportion of intrusions where access was obtained via phishing, but email is still used by many high-impact threat groups."

3 Common Initial Attack Vectors Account for Most Ransomware Campaigns

As we share an increasing amount of personal information online, we create more opportunities for threat actors to steal our identities.

The digital world touches everything we do: work, shopping, even your wallet. And the one thing that keeps your digital life secure is your identity. So what makes up your digital identity? Digital identities are broadly defined and include everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a Web form when shopping online, every time you verify you're 21 or older, and every time you enter a password, you're sharing a part of your digital identity.

We are constantly disseminating the attributes of our digital identities across countless platforms, and this will only expand as we do more things online. However, with the broader adoption of digital platforms, there become more and more opportunities for threat actors to steal these attributes and hijack our digital identities.

**The True Threats of Digital Identity Theft**

In April, the National Council on Identity Theft Protection shared statistics from the first quarter of 2023, alarmingly showing that the Federal Trade Commission (FTC) has already received 5.7 million total fraud and identity theft reports.

So what happens when identity theft or fraud takes place? On the enterprise side, organizations that fall victim to data breaches, malware, or ransomware attacks could face legal repercussions and have to pay affected customers millions of dollars. In addition to monetary penalties, organizations also face reputational damages, which could result in massive business losses.

Individual victims of identity theft or fraud, on the other hand, may experience financial fraud or losses and spend considerable time and money dealing with the fallout. Additionally, some victims will be left with traumatic feelings of violation and anxiety or hypervigilance — similar to what a victim of a robbery may feel.

As we enter the era of Web3, the cybersecurity threats for victims of identity theft are worsening. Now that processes, appointments, and work life are digital, people are constantly sharing the attributes that make up their digital identity. What becomes very dangerous is people sharing their personally identifiable information (PII), such as their Social Security number, driver's license, and address, as this information is exactly what threat actors look for when breaching organizations.

Once threat actors gain access to digital identities and PII they can create synthetic identities — fictitious identities that are created using a mix of real and falsified information. These synthetic identities have the ability to disrupt people's lives and the way they do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms. Additionally, ChatGPT can help fraudsters create more believable, native-sounding phishing campaigns, including emails and chat dialogue that trick or coerce users into giving up their authentication credentials.

**How to Stay Secure**

Last year, a Verizon report found that 82% of all breaches involved the human element, which includes social engineering attacks, misuse, and errors. So how do you prevent human error? Education. Empowering employees with the security basics they need and educating them as to what phishing, smishing, and vishing attacks look like can severely cut down on data breach risk. Organizations should also implement security standards for employees and ensure that these standards are taught during onboarding.

Similarly, the best way for consumers to stay secure is to educate themselves on social engineering attacks and remain vigilant when checking emails, text messages, and phone calls. There are plenty of free digital resources available for consumers that cover security basics, such as what to look for when opening a suspicious email, how frequently passwords should be reset, and what to do if you suspect your information has been compromised.

Customers should also be doing their own due diligence and checking to see what data organizations are collecting and what security is being used to protect that data. On the flipside, organizations need to implement responsible data storage practices by only holding onto data they can actually utilize, and having a centralized identity storage system. A centralized identity storage system will take care of internal mapping of various applications and ensure all digital identities are located in a centralized location, cutting down the propagation of these identities through multiple systems within the same organization.

Educating employees and cutting back on data storage are just two minimum standards for organizations. Additionally, organizations must implement secure systems and solutions such as systemized automation, biometrics, and other identity verification methods. This is where identity and authentication converge. Both parties, consumers and organizations, need to ensure there is trust. Consumers need to trust that organizations will keep their digital identity and data secure, while organizations need to trust that consumers are who they say they are.

**The Future of Digital Identities**

Awareness of digital identities is on the rise. It's promising that the US government has made a public statement announcing it plans to prioritize digital identity solutions, though the US remains behind other regions — specifically, the UK and EU.

In 2021, the EU introduced its digital identity framework proposal to create a sole "trusted and secure European e-ID." Additionally, this year European Parliament voted to move forward with creating an EU digital wallet to further protect European identities and transactions. Within the next few years we'll likely see the US follow in the footsteps of the EU and create a one-stop solution for digital identities.

My hope for the future of digital identities is that we create a seamless, trusted, and secure experience. To do this we'll need to implement a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. In this system, instead of sharing every piece of personal information, users would only be disclosing the minimum information required for individual tasks. This would create the ideal environment to build a digitally secure and trusted world.

Source

DARKReading