Pro-Houthi OilAlpha uses spoofed Android apps to monitor victims across the Arab peninsula working to bring stability to Yemen.

An ongoing spyware campaign is targeting attendees of Saudi government-led negotiations on Yemen, along with humanitarian and reconstruction aid workers working toward Yemeni stability on behalf of the pro-Houthi movement.

Insikt Group researchers has been monitoring the activities of threat group OilAlpha since May 2022, which they reported has been using messenger applications like WhatsApp to social engineer targets into downloading a malicious Android application. The app comes loaded with remote access Trojans (RATs) like SpyNore and SpyMax, the researchers said.

Tellingly, OilAlpha uses infrastructure that the Insikt Group traced back to the Public Telecommunication Corporation (PTC), a business owned by the government of Yemen, and under the control of Houthi-aligned officials, the report added.

"The group's operations have reportedly included targeting persons attending Saudi Arabian government-led negotiations; coupled with the use of spoofed Android applications mimicking entities tied to the Saudi Arabian government, and a UAE humanitarian organization (among others)," the report said. "As of this writing, we suspect that the attackers targeted individuals the Houthis wanted direct access to."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Houthi-Backed Spyware Effort Targets Yemen Aid Workers

DNS rebinding attacks are not often seen in the wild, which is one reason why browser makers have taken a slower approach to adopting the web security standard.

Browser companies and network-security vendors have created a variety of defenses for the three-decades-old attack technique known as DNS rebinding, but protection remains spotty due to uneven acceptance and updated exploitation techniques.

DNS rebinding — which allows external malicious sites visited by an unsuspecting victim to access internal servers and services —is similar to cross-site request forgery, where an attacker can use a JavaScript component or Java applet to request resources from another site or network. DNS rebinding typically works by attracting a user to a malicious website and using the site's content and a short time-to-live (TTL) to force the browser to send a new domain name system (DNS) request, to which the attacker's site responds with an internal network IP address. The attack essentially allows an attacker to use a victim's browser to send requests to servers and devices on the internal network.

The attack, however, can be made harder to execute with a variety of defenses, including enforcing the Same-Origin Policy by pinning the domain name in the browser, looking for anomalous requests through the targeted user's DNS service, and adopting Local Network Access, a proposed Web security standard by the World Wide Web Consortium (W3C) that blocks DNS-based attacks. While these defenses work to make DNS rebinding attacks more difficult, they can be bypassed under some circumstances, NCC Group said in a recent report.

Because DNS rebinding exposes the attack surfaces of internal Web applications to malicious websites, the attack could be useful against enterprise targets as a way to gain access to credential data and resources hosted on internal networks, says Zhanhao Chen, a principal researcher for network security at Palo Alto Networks.

"In the real world, the attacker can build a website with a DNS rebinding script and trick the victim to open it in their browser," he says. "Once the malicious website is open on an employee's browser, the attacker can manipulate or steal information from internal Web applications that are vulnerable."

**DNS Rebinding Attacks Face Difficult Defenses**

Every browser does some form of DNS pinning, preventing the assigning of new network addresses for a specific website or host name for a certain time period, such as an hour. DNS-based security services, such as Cisco's Umbrella, also prevent anomalous changes in DNS data using suspicious response filters, which identify potential attacks and stop them.

The W3C's Local Network Access spec, previously called "Private Network Access," places a barriers between global, local, and internal addresses, such as the loopback address for the local host, and forces services to gain permission to explicitly access the local network.

In the latest analysis published by NCC Group, however, Roger Meyer, a technical director at NCC Group, argues that the defenses still are not complete. Using the 0.0.0.0 address, which can access Linux and Mac OS systems' internal IP address, for example, bypasses the current Local Network Access protections, Meyer says.

"Usually, that specific 0.0.0.0 IP address is non-routable and should not work as an IP address. You should not be able to even use it for accessing anything, but it just works on Mac OS and Linux devices," he says.

NCC Group opened up a bug report with Google, an early adopter of the Local Network Access specification, to get the issue fixed in the Chromium codebase, Meyer says.

**Bolstering Defenses**

DNS rebinding attacks are not often seen in the wild, which is one reason why browser makers have taken a slower approach to mitigating the issue. Another is that companies do not want to break internal applications, whose developers may rely on the ability to handle cross-origin requests.

If Web application developers adopt the HTTPS encrypted Web protocols as a general rule, they can prevent their applications from being used in a DNS rebinding attack, says Palo Alto Networks' Chen.

"This kind of mitigation depends on the developer of internal services, \[so\] it is not scalable," he says. "As third-party Web applications populate in both home and enterprise environments, it's more difficult for the network owners to identify and fix all potentially vulnerable servers."

While DNS rebinding is not as common as other widely spread threats, such as DNS tunneling, domain-generation algorithms, DNS amplification denial-of-service attacks, and DNS hijacking, many Web applications remain vulnerable to DNS rebinding, and attackers are actively exploiting it, Chen says. Palo Alto Networks noted that seven DNS-binding-related CVEs were released in 2021 and nine in 2022, and the company continues to see attack traffic in the wild.

Companies can help bolster their defenses by using DNS services that detect attacks and help remote employees protect their at-home environments. Because an attacker needs to either know information about the victim's environment or know they are using common devices or applications, those common services should be hardened against attack, NCC Group's Meyer says.

"There are ways to discover if there are vulnerable services on the network or on employee devices, so the company could scan the network to find those vulnerable services," he says. "There are intrusion detection systems or other kinds of security software that can look for services listening on developer machines or any other employees' systems, and any services that are listening on a localhost are potentially vulnerable to DNS rebinding."

Rebinding Attacks Persist With Spotty Browser Defenses

The mobile phone and MacBook giant also rejected nearly 1.7 million app submissions last year in an effort to root out malware and fraud.

The Apple App Store supports more than 36 million registered Apple developers, but not all of those coding partners are benign. In a report on App Store safety this week, the computing giant noted that last year it booted nearly a half-million (428,000) developer accounts from the platform for carrying out fraud and abuse.

Apple said that in all, it prevented more than $2 billion in potentially fraudulent transactions in 2022, rejecting nearly 1.7 million app submissions for privacy violations, spammy or misleading features, or containing hidden or undocumented capabilities.

It also dismantled 282 million customer accounts for fraud and blocked nearly 105,000 Apple Developer Program enrollments for suspected malicious activities before they could submit apps to the App Store. And it detected and blocked more than 147 million fraudulent ratings and reviews.

**Enterprise App Bust**

On a separate note, in the last 30 days, Apple said that it blocked close to 3.9 million attempts to install or launch apps distributed illicitly through the Developer Enterprise Program, which allows large organizations to deploy internal apps for use by employees.

"Apple performs a number of safety checks on every app before it makes its way onto the App Store," the mobile behemoth noted in its App Store misuse report. "On average, the team reviews over 100,000 app submissions a week, with nearly 90 percent of them receiving a review within 24 hours."

The stats come hard on the heels of a similar report from Google, in which it said it banned 173,000 developer accounts from Google Play in 2022.

Despite best efforts, both Apple and Google have wrestled with malicious apps making their way into their official app stores. Cybercriminals are constantly improving their tactics, including submitting benign apps to make it past filters, which they update later with malicious functionality. App stores catch up to such tricks eventually (Google has implemented AI patrols, for instance), but it continues to be a game of whack-a-mole to root out the offenders.

"Apple's work to keep the App Store a safe and trusted place for users and developers is never done," Apple asserted in its report. "As bad actors evolve their dishonest tactics and methods of deception, Apple supplements its antifraud initiatives with feedback gleaned from a myriad of channels — from news stories to social media to AppleCare calls — and will continue to develop new approaches and tools designed to prevent fraud from harming App Store users and developers."

Apple Boots a Half-Million Developers From Official App Store

It's as they say: Teams is only as strong as its weakest links. Microsoft's collaboration platform offers Tabs, Meetings, and Messages functions, and they all can be exploited.

Researchers have identified several ways hackers can leverage Microsoft Teams functionalities to phish users, or deliver malware directly to their computers without their knowing it.

Using tabs in the Teams user interface, bad actors could potentially trigger a malicious payload, or redirect users to malicious sites while hardly leaving any trace, according to a report this week from Proofpoint. Additionally, through meeting invites or messages, hackers could replace legitimate URLs with malicious ones — again, without any obvious means for users to suss out the difference before it's too late.

"These risky Teams functionalities provide a nearly ideal attack platform for threat actors to target victims without being detected," the researchers tell Dark Reading.

Crucially, all of the proposed scenarios require an attacker to already have a compromised account or session token on hand. But as the researchers are quick to point out, hackers have long been targeting and cracking enterprise Teams environments.

According to the report, around 60% of Microsoft 365 tenants were subject to at least one successful account takeover incident in 2022. Teams, for its part, was the tenth most-targeted sign-in application last year, with 39% of targeted organizations experiencing at least one unauthorized, malicious login attempt.

**Teams' Tabs Problem**

Rarely do tabs evoke fear. Only, perhaps, when we've got too many of them open at once.

Unlike browsers, however, Teams tabs can point to applications, websites, and files. For example, the default "Files" tab — first and foremost in any channel or chat window — is associated with SharePoint and OneDrive. And users can create tabs, of course — say, by pinning a particular web domain to a new tab.

A malicious user could do the same with a malicious domain, but that's just the beginning. Using undocumented API calls, a hacker could rename and reposition a malicious tab to break Teams' conventions.

In theory, a hacker could create a tab pointing to a malicious URL, rename it "Files," and reposition it to supersede the legitimate "Files" tab in a user's chat window.

"This could be extremely attractive for attackers," the researchers wrote, "seeing as, by design, a website tab's URL is not displayed to users unless they deliberately visit the tab's 'Settings' menu."

But why go through the trouble? Alternatively, a hacker could simply point their tab to a malicious file. If the user is accessing Teams via the desktop or Web client, Teams will automatically download the file to the user's device, no questions asked.

**Modifying Links in Meetings and Messages**

Tabs aren't the only Teams functionalities malicious actors could hone in on.

Take meetings. With API calls, an attacker could sabotage auto-generated meeting links in calendar invites, swapping them out with malicious ones. Because meeting links tend to be busy — not so simple as www.\_\_\_\_.com — victims may have a difficult time telling the difference.

A malicious actor might also manipulate hyperlinks in chat messages, modifying the underlying URL to point somewhere malicious.

Proofpoint's researchers speculated that, "given that Teams API allows for the rapid and automatic enumeration and editing of links included in private or group chat messages, a simple script run by attackers could weaponize countless URLs within seconds," retroactively.

**Teamwork, to Make Teams Work**

Teams is a hugely popular communications platform, where business users often share highly sensitive information and documents. Thus, the consequences of compromise can be high.

"We have seen thousands of organizations experience Teams account takeover," the researchers explain, "which subsequently led to financial fraud, brand abuse, sabotage, data theft, and other risks. According to multiple studies, the average cost of an account takeover incident can cost thousands to millions of dollars."

The solutions, by contrast, can be simple. "Organizations can make informed decisions when there is greater transparency about the inherent risks of first party applications," the researchers say.

For instance, "it should be easier for 'hidden' URLs, which are inaccessible to the average user, to be viewed. Alternatively, adding and strengthening security measures to prevent automatic redirection to unwanted websites and block automatic file downloads would also help mitigate vulnerabilities."

When reached for comment, Microsoft offered the following response to Proofpoint:

"Microsoft encourages users to observe security best practices in Microsoft Teams and to adopt industry-standard best practices for security and data protection including embracing the Zero Trust Security model and adopting robust strategies to manage security updates, antivirus updates, and authentication. More information on Zero Trust Security is available at https://aka.ms/zerotrust."

Microsoft Teams Features Amp Up Orgs' Cyberattack Exposure

Pending new SEC rules reinforce how integral cybersecurity is to modern business operations, and will help close the gap between security teams and those making policy decisions.

Cybersecurity is no longer a fringe issue for businesses. What was once a siloed function, there out of necessity more than anything, is now woven into the fabric of any successful business. Any business still treating its cybersecurity initiatives as a side project is setting itself up to fail.

The Security and Exchange Commission (SEC) has laid to rest any doubts about the importance of cybersecurity with new regulations around how boards of directors should approach it. The regulations, which are in the process of being finalized, will require companies to openly report any serious cybersecurity attack and explain who on their board is responsible for dealing with it. The regulations also will require businesses to include board of directors' cybersecurity experience and credentials as part of any public disclosure. This is yet another indication of how integral cybersecurity is becoming to modern business operations.

**Growing Downtime Costs**

In 2021, more than two-thirds (66%) of businesses were hit by a ransomware attack, according to a survey by Sophos. That's a 78% increase from the previous year, with damages incurred totaling costs of around $20 billion. These costs aren't just down to ransom payments, but also include the downtime and disruption targeted businesses endure. In the Information Technology Industry Council's Hourly Cost of Downtime Survey, more than 40% of companies reported that hourly downtime costs ranged from $1 million to $5 million USD, not including any legal fees, fines, or penalties — which publicly traded companies who fall short of cybersecurity standards can be subject to.

The evolving threat landscape — combined with new regulatory frameworks like that put forward by the SEC — means that cybersecurity cannot be an afterthought or a bolt-on. It must be core to business operations, and that means it needs a seat at the boardroom table. However, according to a recent analysis of data by the CAP Group, 90% of boards are _not_ ready for the new SEC cyber regulations.

**Failure to Prepare Is Preparing to Fail**

The cybersecurity ecosystem has progressed in leaps and bounds in recent years. Once a siloed function of business, using reactionary tactics to chase down and isolate threats, it now has a proactive, networkwide presence that often leverages threat intelligence, penetration testing, and AI to bolster cyber resilience. However, most cybersecurity teams are still heavily focused on addressing technical-level threats, which are then used to inform security policy and mitigate risk. This leaves a gap of understanding between security teams and those authoring policies and making decisions higher up the chain.

This gap is a vulnerability. Most cybersecurity teams lack the tools or functionality needed to contextualize threats in a way that can be acted upon by other business, operational, and financial personnel. If this "disconnect" between business objectives and cyber resiliency continues, businesses will leave themselves exposed regardless of how thorough their cybersecurity initiatives are. 

**Closing the Communication Gap**

It's the responsibility of chief information and security officers to evaluate threats and understand to what extent they might threaten their organization, so that action can be taken in line with new security regulations. This means that threats need to be contextualized and communicated as part of an overall enterprise risk management strategy involving finance, compliance, operational, and management teams, as well as board members. 

To achieve this, CISOs will need to step out of their technical jargon comfort zone and communicate threats and their potential impact to other C-suite executives in a way that can be easily interpreted and understood.

This will mean evolving security initiatives into broader risk-mitigation initiatives. Machine learning-powered risk mitigation can play a significant role in helping businesses contextualize cyber threats. By analyzing large volumes of data and detecting patterns that may not be immediately visible to human analysts, machine learning algorithms can identify potential security threats so that businesses can take proactive measures to deal with them.

For example, machine learning algorithms can analyze user behavior data to identify patterns that deviate from normal usage patterns, such as repeated failed login attempts or access attempts from unusual locations or devices. By identifying these anomalies, businesses can take proactive measures to identify a potential attack, such as locking user accounts or implementing additional authentication measures. 

Another area where machine learning can be useful in the context of cyber-threat mitigation is in predicting the likelihood of future attacks. By analyzing historical attack data and identifying common characteristics of successful attacks, algorithms can identify potential attack vectors and help businesses prioritize their security efforts accordingly. This might involve analyzing patterns in the frequency and severity of attacks, as well as the methods and techniques used by attackers. This information can then be used to develop predictive models that can help businesses anticipate future threats and take measures to not only mitigate them, but identify and communicate about them with those at the top.

It's vital that publicly traded companies have a firm understanding of their risk posture and vulnerability. With directors now being held responsible for their company's cybersecurity infrastructure, it's even more vital that director-level teams can quickly and easily understand this vulnerability and any potential breaches. This can be achieved through a combination of new, machine learning-powered solutions, advisory hires that can "translate" and parse the potential fallout of threats, and CISOs taking a more consultative and advisory approach in how they deal with cyber threat resilience.

Cybersecurity is no longer a fringe issue — it has a seat at the boardroom table, and if businesses can't fill that seat, they need to make sure the person sitting there is as well-informed as possible.

Talking Security Strategy: Cybersecurity Has a Seat at the Boardroom Table

Cobalt's fifth edition of "The State of Penetration Testing Report" taps into data from 3,100 pen tests and more than 1,000 responses from security practitioners.

We live in a digital world, so there’s no shortage of threats facing organizations today. Cobalt recently released its fifth annual "State of Penetration Testing 2023" report, which provides valuable insights into the vulnerabilities and threats companies are encountering. As new technologies emerge, the risks associated with data breaches and cyberattacks continue to grow. This data underscores what many security practitioners know to be true: The importance of staying up to date with the latest security trends and implementing proactive measures to protect against these threats is critical.

One of the key takeaways from the report is the prevalence of Web application vulnerabilities. These vulnerabilities, which include things such as SQL injection and cross-site scripting, are a major source of risk for many organizations. In fact, Cobalt found that Web application vulnerabilities accounted for over 40% of all vulnerabilities discovered in 2022. This is a significant increase from the previous year, and highlights the need for organizations to prioritize their Web application security efforts.

Another major vulnerability we’re seeing is the use of insecure protocols. The report found that many organizations continue to use outdated, insecure protocols like FTP and Telnet, despite the known risks associated with these protocols. This is concerning, as these protocols are easily exploited by attackers and can result in significant data breaches. The known solutions exist, yet the prevalence of the issues remain.

Additionally, the threat posed by social engineering attacks ranks highly as a pitfall across companies of all sizes. Social engineering attacks, which include things such as phishing and spear-phishing, are an ever-growing concern for organizations. These attacks rely on psychological manipulation to trick individuals into divulging sensitive information or performing actions that could compromise security. We found that social engineering attacks accounted for 20% of all reported security incidents in 2022, making them a significant threat to organizations regardless of size.

**What Can Organizations Do to Protect Against These Vulnerabilities and Threats?**

One of the most important things companies can do is focus on proactive security measures. This includes things like regular vulnerability scanning, penetration testing, as well as the implementation of robust security protocols and procedures like consistent employee cyber training. You are only as strong as your weakest link.

Regular vulnerability scanning and penetration testing are essential for identifying potential vulnerabilities in an organization's network and applications. By regularly scanning for vulnerabilities, organizations can proactively identify and remediate security risks before they can be exploited by attackers. Additionally, penetration testing can help organizations to better understand their overall security posture, and identify potential weaknesses before they can be exploited by malicious actors.

In addition to regular scanning and testing, organizations should also prioritize the implementation of robust security protocols and procedures. This includes things like the use of strong passwords and two-factor authentication, as well as secure protocols like SSH and HTTPS. Moreover, organizations should develop and implement a comprehensive security policy that outlines the steps that employees should take to protect sensitive data and systems.

Finally, it is important for organizations to remain vigilant when it comes to social engineering attacks. This means providing regular training to employees on how to identify and avoid these types of attacks, as well as implementing robust security protocols to protect against phishing and other social engineering tactics before they reach employees.

Overall, the new "State of Penetration Testing 2023" report highlights the need for organizations to remain vigilant when it comes to the risks associated with data breaches and cyberattacks. By implementing proactive security measures and staying up to date with the latest security trends, organizations can protect themselves against these threats and ensure the safety of their sensitive data and systems. With the continued evolution of technology and the increasing sophistication of attackers, it's more important than ever for organizations to prioritize their security efforts and take a proactive approach to protecting against vulnerabilities and threats.

**About the Author**

    

Andrew Obadiaru is the chief information security officer at Cobalt, which provides a pentest-as-a-service (PtaaS) platform that is modernizing the traditional, static pentesting model. Andrew is responsible for maintaining the confidentiality, integrity, and availability of Cobalt's systems and data. Andrew has 20+ years in the security and technology space, with a history of managing and mitigating risk across changing technologies, software, and diverse platforms.

How to Protect Your Organization From Vulnerabilities

It's still unclear when systems for Pennsylvania's largest media outlet will be fully restored, as employees were told to stay at home through Tuesday.

The city of Philadelphia's largest newspaper couldn't publish its Sunday edition last week due to a weekend cyberattack that caused the largest disruption to its production in 27 years. It's still affecting daily operations, with no end in sight.

Staff of the Philadelphia Inquirer also were told to stay at home through at least May 16 due to ongoing disruptions, as the media company and third-party cybersecurity experts continue to work to restore systems after the attack, according to a report that the newspaper published on its website that detailed the incident.

The Inquirer continues to publish and update stories to Inquirer.com, "though sometimes slower than normal," the article by the Inquirer's Jonathan Lai said. Moreover, management still isn't sure when the paper's systems will be fully restored, said Inquirer publisher Lisa Hughes, who answered Dark Reading's emails through a spokesperson.

The largest disruption occurred within print production, which left readers without a physical copy of their Sunday paper, and management and employees were unsure if they could publish on May 15. They did eventually manage the latter, but Monday's print edition was without its classified and obituary sections, which will only reappear in the paper again on May 17, according to the article.

The incident — in which threat actors exploited a undisclosed vulnerability present on the paper's system — so far has been the greatest publication disruption to the Inquirer since the blizzard of Jan. 7-8, 1996. It also came at an inopportune time for the news organization, just days before a key election that occurred yesterday in the city's mayoral race.

The halt in production harks back to a major 2019 cybersecurity incident against Tribune Publishing, which owns several major US newspapers — including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times — and affected production and delivery of those papers.

"We appreciate everyone's patience and understanding as we work to fully restore systems and complete this investigation as soon as possible," Hughes said, according to the article. "We will keep our employees and readers informed as we learn more."

**Attack Timeline**

Inquirer management and staff still are not clear about when the attack began, though the first alert to suspicious activity occurred on Thursday, May 11, when Cynet, a vendor that manages the Inquirer's network security, noticed something was amiss.

The paper operated normally through May 11-12, but on the morning of Sunday, May 14 employees could not access the paper's content-management systems and had to put in place workarounds to post to Inquirer.com over the weekend, according to the article.

Though specifically what type of attack occurred or who is behind it has not been divulged by the paper, it's clear by the extent of the disruption that it blindsided the media company, part of a sector that's becoming an increasingly attractive target for cyber criminals, noted one security expert.

Indeed, the disruption in the wake of the attack is a stark reminder of the potential consequences of cyber threats and the urgent need for all organizations to have "robust cybersecurity measures," noted Justin Rapacz, senior vice president of managed services at Netrix, a global provider of cybersecurity, cloud, and IT services.

"Comprehensive cybersecurity measures are no longer optional; they're a necessity — this includes firewalls, intrusion detection systems, and antivirus software, complemented by regular updates and patches to eliminate potential vulnerabilities," he says in an email to Dark Reading.

**Stronger Cybersecurity Measures Needed**

The attack on The Inquirer is not the first time the media outlet has been targeted by cybercriminals. Employees also have been targeted by spear-phishing campaigns that impersonated Hughes and other management, she said in her responses for Lai's article.

And while one of the most basic cornerstones of security that an organization can take these days is multi-factor authentication (MFA), the Inquirer's Hughes acknowledged that the paper has not so far required MFA across its key systems. That said, the effectiveness of MFA is diminishing as cybercriminals become more sophisticated, Netrix's Rapacz notes.

"Having MFA is no longer enough," he says. "The rise of hardware tokens represents the next step in MFA. These devices significantly reduce the risk of interception and duplication, providing an added layer of security and making them a more effective and secure form of MFA in the face of evolving cyber threats."

Organizations also should practice regular penetration tests and an effective vulnerability management process to identify and address security weaknesses before they can be exploited by cybercriminals, Rapacz says.

"Proactive cybersecurity measures, such as continuous monitoring and regular security audits, can go a long way in preventing cyberattacks," he says.

While Hughes said that The Inquirer has invested significantly in digital security in recent years — including monitoring and regular security audits from Cynet — the vulnerability that was exploited in the attack had not previously been flagged for investigation.

The incident also serves as a reminder of how important it is for organizations in general to develop "solid incident response and business-continuity plans," Rapacz adds, as they "can help minimize downtime and maintain operations in the event of a cyberattack."

Sunday Paper Debacle: Philadelphia Inquirer Scrambles to Respond to Cyberattack

Three pieces of advice to startups serious about winning funding and support for their nascent companies: Articulate your key message clearly, have the founder speak, and don't use a canned demo.

It was a great honor to serve as one of five judges for this year's RSAC Innovation Sandbox competition — the premier place to pitch your early-stage cybersecurity startup. Congratulations to the top two contenders, with Hidden Layer winning the award and Pangea Cyber taking the No. 2 spot. Keep an eye on these companies — and all this year's top 10 finalists.

Over the 17 years it's been running, the RSAC contest's 170 top 10 finalists have been involved in 75 acquisitions and received nearly $12.5 billion in investments. Last year, Talon Cyber Security and its Secure Enterprise Browser won the top honor, propelling the startup into new markets and catching the attention of many CISOs in the Fortune Global 2000. In earlier years, Phantom Cyber won the contest when its founder and CEO, Oliver Friedrichs, gave an unforgettable pitch — and just two years later, the company was acquired by Splunk. (Friedrichs is now founder and CEO of Pangea.)

As a venture capitalist, serving as a judge has reminded me of the incredible people in our industry and the remarkable innovations that will not only create new categories but also put a real dent in the cybersecurity challenges that enterprises face today.

As a new judge, I didn't exactly know what to expect, but it was a rewarding experience. I was impressed with the other judges and the varied and interesting perspectives they each brought to the table. My co-judges were Christopher Young, executive VP of business development, strategy, and ventures at Microsoft; Niloofar Razi Howe, senior operating partner at Energy Impact Partners; Shlomo Kramer, co-founder and CEO of Cato Networks; and Paul Kocher, an independent security researcher and founder of Cryptography Research.

Together we spent untold hours watching the pitch videos that contestants sent in. (I'd love to say how many, but I'm not at liberty to do so. I can tell you it was a _lot_ of them.) This was time consuming, but truly inspiring to see what people are working on and building toward in this industry.

**Giving a Voice to Future Trends**

I'm a true believer in the mission of the RSAC Innovation Sandbox, which is a stage to highlight the brightest startups every year. With 45,000 peers now attending the annual RSA Conference, the contest provides an important forum for early-stage companies to talk about how they're shaping our industry. For companies that typically have very little visibility, this type of opportunity — at such a critical time — can also really accelerate their fundraising and future.

One thing that struck me from listening to all those pitches is how important it is to be able to articulate your key messages in just three minutes. As a VC, I'm used to listening to pitches that run anywhere from 30 minutes to two hours. The RSAC Innovation Sandbox contestants must give their spiel and convince the judges why they should win in the time it would take to compose a short email. The pitches we saw ran the gamut from fast-talking and fact-filled to entertaining and fun. But my three pieces of advice to future contestants that are serious about winning would be:

*   **Cover the basics — and land them.** State the problem you're solving; explain what makes your solution unique; discuss the size of the addressable market; and talk about your early market traction. These are the key things judges want to hear to show you have a shot at success.

*   **Have your founder be your leader — always.** Judges want to know how the company got started and the founder or founders' vision for their company. A few of the pitches were delivered by salespeople, engineers, or just someone other than the founder. But founders are the soul of the company, and the best people to tell the story.

*   **Don't use a canned demo.** This is possibly your one opportunity to tell your story in front of a panel of carefully selected experts, and you want to make it worth their while. I would say one out of every five of the pitches were canned demos. This isn't a webinar. Don't treat it like one.

**Innovation Trends**

Now, back to the topic of innovation. Two big trends stood out to me this year.

*   **AppSec is back and better than ever.** We're seeing a big shift right now in how software engineers view application security. Developers are becoming more security-aware and are organically adopting tools that help them shift-left and address security at the beginning of the development process. There were a number of Sandbox finalists providing developer solutions for identifying security vulnerabilities faster and more accurately. The industry has been talking about building security into the fabric of software forever and now it's finally happening.

*   **The future is now.** Web3 is emerging as a new technology architecture for decentralized blockchain technologies and token-based systems such as crypto. One finalist offers a security operations center that protects Web3 digital assets. And, of course, we had plenty of representation from companies focused on artificial intelligence and machine learning in response to increasingly sophisticated cyberattacks.

After serving as a judge in this year's RSAC Innovation Sandbox, one thing is clear: The future is bright — and secure.

For more information on the Top 10 RSA Innovation Sandbox finalists, Dark Reading published a comprehensive overview.

I Was an RSAC Innovation Sandbox Judge — Here's What I Learned

In part three of this three-part series, Microsoft dissects these twinned threats and what organizations can do to reduce or eliminate their risk.

Every year, Microsoft releases the "Microsoft Digital Defense Report" as a way to illuminate the evolving digital threat landscape and help the cyber community understand today's most pressing threats. Backed by intelligence from trillions of daily security signals, this year's report focuses on five key topics: cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency.

In this article, we break down part three of the report on nation-state threats and the rise of cyber mercenaries. Read on to learn how you can better protect your organization from this growing trend.

**3 Core Nation-State Trends**

Nation-state threats took center stage in 2022 with the launch of Russia's cyber war on Ukraine. This behavior has continued into 2023. We're also seeing nation-state actors elsewhere increase activity and leverage advancements in automation, cloud infrastructure, and remote access technologies to attack a wider set of targets. More specifically, here are three core nation-state threat trends that emerged in 2022.

**Increased Focus on IT Supply Chains**

In 2022, we saw nation-state cyber threat groups move from exploiting the software supply chain to exploiting the IT services supply chain. These actors often targeted cloud solutions and managed services providers to reach downstream customers in government, policy, and critical infrastructure sectors, such as what we saw in the Nobelium attacks. Over half (53%) of nation-state attacks targeted the IT sector, nongovernmental organizations (NGOs), think tanks, and the education sector.

**Emergence of Zero-Day Exploits**

As organizations work to collectively strengthen their cybersecurity posture, nation-state actors are pursuing new and unique tactics to deliver attacks and evade detection. One prime example is the identification and exploitation of zero-day vulnerabilities. Zero-day vulnerabilities are a security weakness that, for whatever reason, have gone undiscovered. While these attacks start by targeting a limited set of organizations, they are often quickly adopted into the larger threat actor ecosystem. It takes only 14 days, on average, for an exploit to be available in the wild after a vulnerability is publicly disclosed.

**Cyber Mercenaries On the Rise**

Private-sector offensive actors are growing increasingly common. Also known as cyber mercenaries, these entities develop and sell tools, techniques, and services to clients — often governments — to break into networks and Internet-connected devices. While often an asset for nation-state actors, cyber mercenaries endanger dissidents, human rights defenders, journalists, civil society advocates, and other private citizens by providing advanced surveillance-as-a-service capabilities. Rather than being developed for defense and intelligence agencies, these capabilities are offered as commercial products for companies and individuals.

**Responding To Nation-State Threats**

The sophistication and agility of nation-state attacks is only going to continue to grow and evolve. It's up to organizations to stay informed of these trends and evolve their defenses in parallel.

*   **Know your risks and react accordingly:** Nation-state groups' cyber targeting spanned the globe in 2022, with a particularly heavy focus on US and British enterprises. It's important to stay up to date on the latest attack vectors and target areas of key nation-state groups so that you can identify and protect potential high-value data targets, at-risk technologies, information, and business operations that might align with their strategic priorities.
    

*   **Protect your downstream clients:** The IT supply chain can act as a gateway to the digital ecosystem. That's why organizations must understand and harden the borders and entry points of their digital estates, and IT service providers must rigorously monitor their own cybersecurity health. Start by reviewing and auditing upstream and downstream service provider relationships and delegated privilege access to minimize unnecessary permissions. Remove access for any partner relationships that look unfamiliar or have not yet been audited. From there, you can implement multifactor authentication and conditional access policies that make it harder for malicious actors to capture privileged accounts or spread throughout a network.
    

*   **Prioritize patching of zero-day vulnerabilities:** Even organizations that are not a target of nation-state attacks have a limited window to patch zero-day vulnerabilities, so don't wait for the patch management cycle to deploy. Once discovered, organizations have, on average, 120 days before a vulnerability is available in automated vulnerability scanning and exploitation tools. We also recommend documenting and cataloging all enterprise hardware and software assets to determine risk and decide when to act on patches.
    

_**Read more:**_ _**Key Cybercrime Trends (Part 1)**_ _**and**_ _**Trends In Device and Infrastructure Attacks (Part 2)**_

Microsoft Digital Defense Report: Nation-State Threats and Cyber Mercenaries

Cyberattckers can easily exploit a command-injection bug in the popular device, but Belkin has no plans to address the security vulnerability.

The Wemo Mini Smart Plug V2, which allows users to remotely control anything plugged into it via a mobile app, has a security vulnerability that allows cyberattackers to throw the switch on a variety of bad outcomes. Those include remotely turning electronics on and off, and the potential for moving deeper into an internal network, or hop-scotching to additional devices.

Used by consumers and businesses alike, the Smart Plug plugs into an existing outlet, and connects to an internal Wi-Fi network and to the broader Internet using Universal Plug-n-Play (UPNP) ports. Users can then control the device via a mobile app, essentially offering a way to make old-school lamps, fans, and other utility items "smart." The app integrates with Alexa, Google Assistant, and Apple Home Kit, while offering additional features like scheduling for convenience. 

The flaw (CVE-2023-27217) is a buffer-overflow vulnerability that affects model F7C063 of the device and allows remote command injection, according to researchers at Sternum who discovered it. Unfortunately, when they tapped the device maker, Belkin, for a fix, they were told that no firmware update would be forthcoming since the device is end-of-life.

"Meanwhile, it's safe to assume that many of these devices are still deployed in the wild," they explained in an analysis on May 16, citing the 17,000 reviews and the four-star rating the Smart Plug has on Amazon. "The total sales on Amazon alone should be in the hundreds of thousands."

Igal Zeifman, vice president of marketing for Sternum, tells Dark Reading that's a low estimate for the attack surface. "That's us being very conservative," he notes. "We had three in our lab alone when the research started. Those are now unplugged."

    

The Wemo Smart Plug turns regular lamps and such into "smart" devices.

He adds, "If businesses are using this version of the Wemo Plugin inside their network, they should stop or (at the very least) make sure that the Universal Plug-n-Play (UPNP) ports are not exposed to remote access. If that device plays a critical role or is connected to a critical network or asset, you are not in great shape."  

**CVE-2023-27217: What's in a Name?**

The bug exists in the way the firmware handles the naming of the Smart Plug. While "Wemo mini 6E9" is the default name of the device out of the box, users can rename it as they wish using what's designated in the firmware as the "FriendlyName" variable — changing it to "kitchen outlet" for example or similar.

"This option for user input already had our Spidey senses tingling, especially when we saw that changing the name in the app came with some guardrails, \[specifically a 30-character limit\]," Sternum researchers noted. "For us, this immediately raised two questions: 'Says who?' and 'What happens if we manage to make it more than 30 characters?'"

When the mobile app didn't allow them to create a name longer than 30 characters, they decided to connect directly to the device via pyWeMo, an open-source Python module for the discovery and control of WeMo devices. They found that circumventing the app allowed them to get around the guardrail, in order to successfully input a longer name.

"The restriction was only enforced by the app itself and not by the firmware code," they noted. "Input validation like this should not be managed just on the 'surface' level."

Observing how the overstuffed 'FriendlyName' variable was handled by the memory structure, the researchers saw that the metadata of the heap was being corrupted by any name longer than 80 characters. Those corrupted values were then being used in subsequent heap operations, thus leading to short crashes. This resulted in a buffer overflow and the ability to control the resulting memory re-allocation, according to the analysis.

"It's a good wake-up call about the risk of using connected devices without any on-device security, which is 99.9% of devices today," Zeifman says.

**Watch Out for Easy Exploitation**

While Sternum isn't releasing a proof-of-concept exploit or enumerating what a real-world attack flow would look like in practice, Zeifman says the vulnerability isn't difficult to exploit. An attacker would need either network access, or remote Universal Plug-n-Play access if the device is open to the Internet.

"Outside of that, it's a trivial buffer overflow on a device with an executable heap," he explains. "Harder bastions have fallen."

He noted that it's likely that attacks could be carried out via Wemo's cloud infrastructure option as well.

"Wemo products also implement a cloud protocol (basically a STUN tunnel) that was meant to circumvent network address traversal (NAT) and allow the mobile app to operate the outlet through the Internet," Zeifman says. "While we didn't look too deeply into Wemo's cloud protocol, we wouldn't be surprised if this attack could be implemented that way as well."

In the absence of a patch, device users do have some mitigations they can take; for instance, as long as the Smart Plug is not exposed to the Internet, the attacker would have to obtain access to the same network, which makes exploitation more complicated.

Sternum detailed the following common-sense recommendations:

*   Avoid exposing the Wemo Smart Plug V2 UPNP ports to the Internet, either directly or via port forwarding.
*   If you are using the Smart Plug V2 in a sensitive network, you should ensure that it is properly segmented, and that device cannot communicate with other sensitive devices on the same subnet.

**IoT Security Continues to Lag**

As far as broader takeaways from the research, the findings showcase the fact that Internet of Things (IoT) vendors are still struggling with security by design — which organizations should take into account when installing any smart device.

"I think this is the key point of this story: This is what happens when devices are shipped without any on-device protection," Zeifman notes. "If you only rely on responsive security patching, as most device manufacturers do today, two things are certain. One, you will always be one step behind the attacker; and two, one day those patches will stop coming."

IoT devices should be equipped with "the same level of endpoint security that we expect other assets to have, our desktops, laptops, servers, etc.," he says. "If your heart monitor is less secure than the gaming laptop, something has gone horribly wrong – and it has."

Source

DARKReading