Ultimately, AI will protect the enterprise, but it's up to the cybersecurity community to protect "good" AI in order to get there, RSA's Rohit Ghai says.

Threat actors armed with artificial intelligence (AI) tools like ChatGPT can pass the bar exam, ace an Advanced Placement biology course, and even create polymorphic malware. It's up to the cybersecurity community to put AI to work to combat it.

RSA CEO Rohit Ghai used the opening keynote of this year's RSAC in San Francisco, Calif. to call on the cybersecurity community to use AI as a tool to work on the side of "good." First, that means putting it to work on solving cybersecurity's "identity crisis," he said.

To demonstrate, Rhai called up onto the screen a ChatGPT avatar, one he called "GoodGPT."

"Calling it 'good' is somehow personally comforting to me," he added. He then asked it basic cybersecurity questions.

While "GoodGPT" spat out a sequence of words culled from a veritable ocean of available cybersecurity data, he went on to explain there are critical cybersecurity applications for AI far beyond simple language learning, and it starts with identity management.

"Without AI, zero trust has zero chance," Ghai said. "Identity is the most attacked part of the attack surface."

It's no big secret the security operations center (SOC) is overwhelmed. In fact, Ghai said the industry average timeframe to identify and remediate an attack is about 277 days. But with AI, it's possible to manage access in the most granular terms, in real time, and at the data level, creating a framework that is truly based on the principle of least privilege.

"We need solutions that ensure identity throughout the user lifecycle," he added.

During this year's RSA, Ghai said there are at least 10 vendors selling AI-powered cybersecurity solutions positioned as a tool that will help human cybersecurity professionals. Ghai characterized the current pitch as AI-as-a-copilot. But that framing belies the reality, he warned.

"The copilot description sugarcoats a truth," Ghai said. "Over time many jobs will disappear."

The role of humans, he explained, will evolve into creating algorithms to ask important questions, along with supervising AI's activities and handling exceptions.

"It's humans who will ask those questions which have never been asked before," he said.

Ultimately, humans and enterprises will have to rely on AI to protect them.

"And the cybersecurity community can protect 'good' AI," Ghai added.

'Good' AI Is the Only Path to True Zero-Trust Architecture

Customers should apply updates to the print management software used by more than 100 million organizations worldwide, with typical US customers found in the SLED sector.

Security researchers have revealed new details about how attackers are exploiting two flaws in the PaperCut enterprise print management system — used by more than 100 million customers worldwide — to bypass authentication and execute remote code. The flaws once again highlight the risk that enterprise printers and related systems, an often overlooked threat, pose to the overall security of organizations.

Researchers from PaperCut as well as security companies already have warned that attackers are exploiting the vulnerabilities — patched by PaperCut in a March 8 update to its PaperCut MF and NG products — to take over unpatched versions of the software. Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaws to its catalog of known exploited vulnerabilities on April 21.

The Zero Day Initiative tracks the flaws as ZDI-CAN-18987 and ZDI-CAN-19226; they also are being tracked as CVE-2023-27350 and CVE-2023-27351, respectively, by NIST's National Vulnerability Database. The flaws affect PaperCut MF and NG version 8.0 and later, on all OS platforms, according to PaperCut.

Researchers at Horizon3.ai released proof-of-concept exploit code for CVE-2023-27350 — the more dangerous of the two bugs with a CVSS rating of 9.8 versus its companion flaw's rating of 8.2 — on Monday.

**Abusing CVE-2023-27350**

The Horizon3.ai team also included a technical analysis of how attackers are abusing "the built-in 'Scripting' functionality for printers" to abuse the RCE exploit. The Device Scripting page of the system enables the administrator to develop hooks to customize printing across the enterprise using JavaScript-based scripts and executed in the context of the PrintCut service, which on Windows runs as NT AUTHORITY\\SYSTEM, researchers explained.

Though PaperCut's Web application's use of dynamic form fields based on the last request made developing a script to interact with the site less straightforward, they demonstrate how they were able to do so in a proof-of-concept exploit they released on GitHub.

CVE-2023-27350 exists within the SetupCompleted class and results from improper access control, according to its listing on the Zero Day Initiative website.

"An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM," according to the listing.

Meanwhile, CVE-2023-27351, also an authentication-bypass RCE bug affecting PaperCut NG, exists within the SecurityRequestFilter class as a result of improper implementation of the authentication algorithm, according to its listing on the Zero Day Initiative website.

**Uncovering the PaperCut Bugs**

Horizon3.ai's detailed analysis follows a warning by PaperCut on April 19 that the flaws found in PaperCut NG were under active attack, urging organizations to update to the latest version of the product.

The company said in an advisory that it received its first report from a customer of suspicious activity on their PaperCut server on April 17, though later analysis revealed that the activity may have started as soon as April 13.

Researchers from Trend Micro originally reported the issues to PaperCut, which has credited Piotr Bazydlo (@chudypb) for discovering CVE-2023-27351 and an anonymous researcher for discovering CVE-2023-27350.

PaperCut also acknowledged a security research team from security management firm Huntress — including Joe Slowik, Caleb Stewart, Stuart Ashenbrenner, John Hammond, Jason Phelps, Sharon Martin, Kris Luzadre, Matt Anderson, and Dave Kleinatland — for aiding the company's investigation of the flaws.

On April 21, the Huntress researchers revealed that attackers were exploiting the vulnerabilities to take over compromised servers using both the legitimate Atera and Syncro remote management and maintenance software tools.

"Based on preliminary analysis, both appear to be legitimate copies of these products and do not possess any built-in or added malicious capability," the Huntress researchers wrote.

While the threats are split into two CVEs, they both "ultimately rely on an authentication bypass that leads to further compromise as an administrative user within the PaperCut Application Server," the researchers wrote.

Once a threat actor uses a flaw or both flaws to bypass authentication, he or she "may then execute arbitrary code on the server running in the context of the NT AUTHORITY\\SYSTEM account," the researchers wrote.

Huntress researchers also observed post-exploitation evidence in the form of a Truebot payload installation that suggest exploitation of the PaperCut flaws could be a precursor to future Clop ransomware activity based on previous investigation of similar activity, according to Huntress.

Huntress security researcher Caleb Stewart also recreated a proof-of-concept exploit to demonstrate how CVE-2023-27350 could be exploited, a video of which is included in the post.

**Who's at Cyber-Risk**

PaperCut MF is print management software to support various devices and manage print configurations for printing across an enterprise network. PaperCut NG is companion software for detailed print-job tracking and reporting aimed at helping organizations cut printing paper waste.

The PaperCut print management system has more than a hundred million users in organizations worldwide to help companies minimize waste and facilitate printing across the enterprise, according to PaperCut. In the United States, state, local, and education (SLED) environments are among the typical organizations using the software.

A Shodan query for http.html:"papercut" http.html:"print" showed approximately 1,700 Internet exposed PaperCut servers, with education customers comprising 450 of those results, according to Horizon3.ai.

In its protected environments, Huntress researchers reported observing 1,014 total Windows hosts with PaperCut installed, with 9087 of those hosts spread across 710 distinct organizations vulnerable to exploit, they said.

Only three total macOS hosts, two of which were vulnerable, had PaperCut installed in the environments they observed, the researchers added, noting that they sent incident reports to all customers affected and recommended updates.

**Detection and Mitigation**

PaperCut included a list of indicators of compromise for its customers in its advisory and advised them to upgrade, assuring that there "should be no negative impact" from applying the security fixes.

However, if a customer can't upgrade to the latest version — which could be true particularly with an older application version — the company recommended that customers lock down network access to the affected server.

To do this, they can lock all inbound traffic from external IPs to the Web management port (port 9191 and 9192 by default) and block all traffic inbound to the Web management portal on the firewall to the server.

To mitigate CVE-2023-27351, customers also can apply "Allow list" restrictions to the server found under the Options > Advanced > Security > Allowed site server IP addresses by setting it to only allow the IP addresses of verified Site Servers on their networks, according to PaperCut.

Attackers Abuse PaperCut RCE Flaws to Take Over Enterprise Print Servers

A study found that ransomware threats are viewed as having the lowest overall perceived likelihood of attack on the edge.

Distributed denial-of-service (DDoS) is the attack method businesses are most concerned about, believing it will have the largest impact on the business.

That was among the chief findings of AT&T's "2023 Cybersecurity Insights Report," based on a survey of 1,418 participants. Theresa Lanowitz, head of cybersecurity evangelism at AT&T Business, calls the perceived risk and rise in concern for DDoS attacks surprising.

"With edge, the attack surface is changing, and taking down a large number of Internet of things (IoT) devices can have significant impact on the business," she says. "The near real-time data created and consumed by most edge use cases make DDoS attacks attractive. By its definition, a DDoS attack will degrade a network and response time."

She adds, "Those who have not invested in DDoS protection are indicating the timing is right to do so."

The study also found ransomware dropped to eighth place out of eight in perceived likelihood of attack type. Yet Lanowitz notes that over the past 24 months, organizations of all types and sizes have invested in ransomware prevention.

"However, ransomware criminals and their attacks are relentless," she cautions. 

Additional analysis suggests cyber-adversaries may be cycling with the rise and fall of different types of attacks.

"Operating systems embedded in edge IoT devices make it more expensive for a financially motivated adversary to target the device with ransomware," Lanowitz says. "It is far more time intensive to write and deploy destructive code for an IoT device running a derivative of a version of Linux than to target a Windows-based laptop."

She explains one of the most pleasantly surprising findings in the report is how organizations are investing in security for edge: Security budgets have become 22% of overall project budgets, equally distributed with strategy.

"We asked survey participants how they were allocating their budgets for the primary edge use cases," she says. "The results show that security is clearly an integral part of edge, and that security is being planned for proactively."

She points to survey results that indicate applications, and the much-needed security for ephemeral edge applications, are part of the broader plan for edge project budgets.

"The expected outcome of what the edge delivers is shifting how organizations budget, plan, and think about focusing on a digital-first business," Lanowitz adds.

Another surprising result from the survey is that globally, the likelihood of a compromise and impact to the business decreased by 28% and 26%, respectively.

"Perhaps this is a case of irrational exuberance, but our qualitative analysis proves that with the edge there is far more communication and collaboration," she says. "Communication, cross-functional work, the line of business leading edge investments, and the use of trusted advisors all play a role in more optimism regarding catastrophic security events."

She adds this also points to the eradication of silos in organization and the reality that teams need to work together.

"Edge computing, with its changing attack surface means the adversaries are seeing things differently," Lanowitz says. "Likewise, businesses must take that same view of an expanded attack surface, potential new threats, or potential increases in existing threats."

**DDoS Threat Persists as International Crackdowns Commence**

The report comes as DDoS attacks continue to make headlines, from German websites getting knocked offline temporarily by the Killnet DDoS to the Serbian government reporting that it staved off five attacks aimed at crippling Serbian infrastructure.

More recently, the pro-Russian hacktivist group KillNet, which launches its campaigns against countries supporting Ukraine, ramped up its daily DDoS attacks against healthcare organizations.

In November 2022, nearly 50 of the most popular platforms available for hire to launch distributed DDoS attacks against critical Internet infrastructure were shut down and their operators arrested in a massive international law enforcement crackdown called Operation Power Off.

DDoS, Not Ransomware, Is Top Business Concern for Edge Networks

Organizations need to remain vigilant and not take the decline as reason to cut back their cybersecurity strategies.

Rising ransomware activity has dominated cyber conversations for the better part of the past decade. Global retail giants and thousands of educational institutions and healthcare providers have been among those to fall victim to rampant ransomware attacks. However, this past year, there has been a surprising number of reports that ransomware attacks are declining. Our recent research at Delinea found that only 25% of the 300 IT and security decision-makers surveyed said they were victims of ransomware in 2022, a significant decrease compared to previous years. Similarly, the recent "SonicWall Cyber Threat Report" showed a 21% decline in ransomware attack volume worldwide last year.

Could this be the light at the end of the tunnel we've all been longing for? While it may be too early to say for certain, there are a few key reasons why ransomware may be on the decline

**Why Is Ransomware Decreasing?**

The most obvious reason is that organizations have learned from their past mistakes and other previous ransomware victims and, as a result, have implemented stronger security tooling and controls to successfully deter or block ransomware attacks. This includes robust threat detection and response, identity and access management, and cloud security mechanisms.

It has also been reported that ransomware attacks may no longer be as fruitful financially as they once were. Research from Chainalysis found that ransomware payments declined substantially in 2022, as more victims refused to pay their attackers. Ransomware attackers extorted approximately $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before.

The dismantling of prominent ransomware-as-a-service cartel Conti could also account for the decline. Conti was responsible for many ransomware attacks in recent years, but disbanded in May 2022. However, since then, numerous splinter groups and other gangs have emerged, and therefore, Conti's disbandment likely made little impact on the decline. Government agencies around the world have also implemented various initiatives to control the mounting ransomware attacks, which may have caused a reduction in activity. In the US, the White House has created a multiagency ransomware task force and launched the Ransom Disclosure Act in support of reform.

Unfortunately, it's also possible that perhaps ransomware is not decreasing but that the number of companies reporting attacks is. While public companies and organizations that are subject to regulations are required to disclose cyber incidents that jeopardize consumers' personal and other sensitive information, not all have compliance regulations. As a result, they may opt to quietly pay a ransom and conceal the incident. Some ransomware gangs have adapted and moved to target countries that have less protection against ransomware, such as Central and South America, which both experienced some major ransomware incidents in 2022.

**The Danger of the Decline**

Whatever the reasons for the decline, it does not mean organizations are safe. It is critical that organizations do not use the decline as a reason to become complacent and cut back on security controls. Ransomware is, and will always be, a significant risk and concern.

Unfortunately, our report did show that companies are stagnating in their ransomware security controls — fewer organizations are implementing incident response plans and even fewer have budgets allocated specifically to ransomware. This could lead to an increase in attacks, as the focus is taken away from protecting against risks, which in the end amplifies the risk. Despite the decline, organizations must not lose focus, and take the proper steps to protect themselves from ransomware, or unfortunately, we may see an increase in ransomware attacks in 2023, as ransomware gangs are using this period to improve and enhance their variants.

**Protecting Against Ransomware**

One of the most important steps for organizations to take to protect themselves from ransomware is having an incident response plan in place. The plan should outline the steps to be taken in the event of a ransomware attack, including who to contact and what actions to take to prevent further damage. Organizations should also be performing frequent backups, and they should invest in cyber insurance policies that cover ransomware recovery and payments.

It is equally as important, though, that organizations also take a more proactive approach to cybersecurity and invest in the right technologies to prevent ransomware attacks, particularly identity and access controls. Following the principle of least privilege should not be an optional security strategy. By providing users only with the privileges they need, when they need them, attackers are forced to take greater risks, increasing the ability to be detected before they cause more damage. With limited privileges, even if ransomware does gain access to an organization, the damage can quickly be contained.

Unfortunately, we cannot predict the future. But we can hope we continue to see a decline in ransomware as time goes on. This is only possible, however, if organizations remain vigilant and do not take the decline in ransomware as a reason to cut back on their cybersecurity strategies.

The Decline in Ransomware: Does It Actually Increase Risks for Organizations?

The judges appreciated the scale of the problem the startup set out to solve: protecting the integrity of AI systems.

RSA CONFERENCE 2023 – San Francisco – CEO Chris Sestito started his three-minute pitch at Innovation Sandbox on Monday, April 25, with a deepfake video of himself telling the judges not to vote for HiddenLayer, the company he co-founded. Not only did the judges not accede to his request, they crowned the AI security startup as the "Most Innovative Startup 2023" at this year's RSA Conference.

HiddenLayer beat out second-place Pangea and eight other finalists in what host Hugh Thompson called "the most competitive contest yet." One of the judges, Shlomo Kramer, CEO and co-founder of Cato Networks, praised Pangea as addressing the "central category of security" with its block-based application security platform.

But the judges were won over by the importance of securing artificial intelligence (AI). Another judge, Christopher Young, Microsoft's executive vice president, called HiddenLayer's focus area "_the_ problem we're going to face in the next few years."

**What HiddenLayer Digs Up**

That problem is ensuring the health of a company's AI assets.

AI is being used in mission-critical, even life-or-death situations, such as autonomous driving and military analysis. However, AI can only learn from the data it is fed, which means attackers can feed it purposely bad data to get the AI to behave in an unexpected, unwanted manner. And once that training data pool has been poisoned, it's difficult or impossible to scrub — just ask Microsoft, which had to pull the plug on its chatbot Tay when some Twitter users purposely fed it objectionable content.

To guard against insidious techniques, such as data poisoning and adversarial transferability, HiddenLayer relies on AI to protect AI. It employs machine learning (ML) to monitor an ML system's inputs and outputs in order to discern anomalies that suggest adversarial attacks. Sestito called the approach "MLDR" — endpoint detection and response, but for machine learning.

**Judging the Top Competitors**

The competition's judging criteria is as follows: the problem a company sets out to solve, the originality of the solution, the strength of its team, and whether the approach has been validated by the market — that is, is the company making money?

The judges were almost all veterans of the contest: Kramer and Young both served last year, as did Niloofar Razi Howe, senior operating partner at Energy Impact Partners, and Paul Kocher, independent researcher and founder of Cryptography Research. New this year was Barmak Meftah, co-founder and general partner at Ballistic Ventures.

The 10 finalists this year (in reverse alphabetical order): Zama, Valence Security, SafeBase, Relyance AI, Pangea, HiddenLayer, Endor Labs, Dazz, Astrix Security, and AnChain.AI.

Pangea CEO and founder Oliver Friedrichs faced some pointed questions. Kocher flat out asked Friedrichs, "Can your team execute?"

Kocher, who Thompson calls "the Simon Cowell of Innovation Sandbox," asked AnChain.AI CEO and co-founder Victor Fang whether his company's focus on blockchain defense was betting on Web3 succeeding or being an "endless series of disasters."

Endor Labs CEO and co-founder Varun Badhwar earned laughs when he compared the use of open source in enterprise with his surprise twins: in both cases, you have more than you think you do, but at least his twins, unlike open source code, "weren't conceived by strangers on the Internet."

HiddenLayer Nabs Most Innovative Startup Crown at RSAC

Generating an SBOM is easy. It's generating one that's comprehensive and accurate that's hard.

Software is an important part of every business in 2023. And whether you are building it or deploying it, it's absolutely crucial you know more than the potential attackers do about the weak links in your software supply chain.

The future usefulness of software bills of materials (SBOMs) depends on their ability to conform to standards, account for the entire codebase, and allow for interoperability at enterprise scale — something our industry has struggled to do in a uniform way.

Generating an SBOM is relatively easy. But generating a comprehensive and accurate SBOM that conforms to standard specifications and allows enterprises to interoperate with them at scale can be difficult. That's why I coined the term "full Monty SBOM" to describe a comprehensive SBOM solution that provides the content and interoperability needed for its future utility for security, legal, and operational purposes. An SBOM that lacks this comprehensiveness could lead to invalid security or operational assumptions.

**Standardization**

For SBOMs to be universally exchanged and automatically read, their exchange format must conform to a standard specification.

The two standards that the industry is converging on are SPDX and CycloneDX. The goal of these standards is to establish uniformity in output, such that when two different SBOM generation tools are used to produce an SBOM of the same software, they produce the same results. These formats can be tailored to include, exclude, or link to certain information, such as licenses, copyrights, and vulnerabilities, depending on the use case and industry vertical.

It's important to note that SPDX and CycloneDX are just standards describing the structure of an SBOM file. They do not address accuracy or comprehensiveness. If your SBOM generation process or tool feeds garbage into the file, it will produce (nicely formatted) garbage out.

**Comprehensiveness**

In almost any software application, the biggest attack surface consists of open source components. These make up an average of 76% of a software application and are developed by individuals from around the world. Log4j is an example of how a single vulnerability in a single open source component can have a massive global impact. For most organizations, one of the highest priorities in securing their software supply chain and safeguarding information infrastructures is rapid identification and remediation of open source software vulnerabilities.

There is a knee-jerk reaction by many that an SBOM is just an open source software (OSS) inventory. Most software composition analysis (SCA) vendors will produce some type of SBOM that lists the OSS components, with varying levels of transitive dependencies. However, an OSS-only SBOM can leave an organization exposed through vulnerabilities within other types of code that make up its software supply chain.

But a comprehensive — or full Monty — SBOM reveals all of an application's ingredients, which includes custom code, open source components, and third-party non-OSS components. Since vulnerabilities can stem from all types of code and not just open source, this is critical.

**Interoperability**

SBOMs are static documents. Therefore, having one from a software supplier is of limited value if you can't do anything other than inspect it. The real value is in your ability to do something with it — that is, its interoperability — and incorporate it into other life-cycle risk management processes, such as patch management and deployment risk assessments, all at enterprise scale.

Let's look at three common things teams can do with an SBOM that's interoperable: merge, query, and monitor.

*   **Merge:** Automobile manufacturers will often need to aggregate multiple SBOMs produced by several different software vendors, using different standard formats, into a single system SBOM.
*   **Query:** If there is a new zero-day vulnerability in a widely used software component, you will want to query all your SBOMs to determine which of your many software applications contains that specific vulnerable software component. This can be technically daunting when you have thousands of apps that must be examined for about 60 new CVEs per day. Being able to query thousands of SBOMs from one single interface is a key element of interoperability and effective software risk management.
*   **Monitor:** With SBOMs that are designed to be interoperable, teams can integrate them with threat intelligence and vulnerability management systems so that, when a new zero-day vulnerability has surfaced, they can automatically inspect all their existing SBOMs for that specific vulnerability and notify its product life-cycle management system of the risk.

**Not a Silver Bullet**

A full Monty SBOM, albeit incredibly important, is just one small part of software supply chain risk management (SSCRM). Other factors include ensuring that custom code and OSS are free of security weaknesses and known vulnerabilities, that the software is compliant with regulations, and that the development pipeline is secure and tamper-resistant. You expect your food supply chain not to endanger your health; for example, you wouldn't eat cookies containing unknown ingredients, manufactured in a factory open to cross-contamination, in conditions that violated health regulations. So too, you need assurance that your software supply chain is safe for your enterprise.

Whether dealing with cookies or software, ensuring that the product is safe to consume is the outcome of many safety and security processes and periodic testing performed during manufacturing — not simply having an SBOM in place.

Building a Better SBOM

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

Researchers are unraveling the threads connecting two separate, but in some ways overlapping, Russian-language APTs.

Certain campaigns previously connected to the Russian advanced persistent threat (APT) Turla were actually conducted by what appears to be an entirely separate group researchers have named "Tomiris."

Turla (aka Snake, Venomous Bear, or Ourobouros) is a notorious threat actor with ties to the Russian government. Over the years it has utilized zero-days, legitimate software, and other means to deploy backdoors in systems belonging to militaries and governments, diplomatic entities, and technology and research organizations. In one case, it was even linked, through its Kazuar backdoor, to the SolarWinds breach.

Not everything is Turla, though. In a new blog post, researchers from Kaspersky have published evidence that certain attacks previously correlated with Turla were carried out by Tomiris, an entirely different group with different tactics, techniques, and procedures (TTPs) and affiliations.

"We strongly believe Tomiris is separate," says Pierre Delcher, senior security researcher at Kaspersky's GReAT. "It's not the same targeting, not the same tools, not the same sophistication as Turla."

**Separating Turla and Tomiris**

Attribution in cyberspace is difficult. "Highly skilled actors use techniques that mask their origins, render themselves anonymous, or even misattribute themselves with false flags to other threat groups to throw researchers off the track," explains Adam Flatley, former director of operations at the National Security Agency and VP of intelligence at \[Redacted\]. "Often we can only rely on a threat actor's operational security mistakes to find leads on their true identities."

Tomiris is a case in point. Kaspersky began tracking what now appears to have been Tomiris activity three years ago, in a DNS hijacking campaign against a Commonwealth of Independent States (CIS) government. The culprits' hallmarks appeared to be a mix of Russian APT soup. The Tomiris backdoor was discovered on networks alongside Turla's Kazuar backdoor, which itself had parallels to the Sunburst malware used in SolarWinds' breach.

Yet the details connecting Tomiris and Turla never quite lined up. "The implants they deployed were ... well, they sounded off, compared to what we knew about Turla," Delcher says. "So really, there was basically nothing in common, and even the targets were actually not fitting what we knew of past Turla interests."

Targeting is a major clue. "Tomiris is very focused on government organizations in the CIS, including the Russian Federation," Delcher explains, "whereas in the cybersecurity scene, some vendors associate Turla as a Russian-backed actor. That wouldn't make a lot of sense, if a Russian-sponsored actor targeted the Russian Federation."

As recently as this year, Mandiant published research about a Turla campaign in which it admitted, at one point, that there were "some elements of this campaign that appear to be a departure from historical Turla operations." The Kaspersky researchers have, with "medium confidence," assigned these findings to Tomiris operations.

**Connecting Turla and Tomiris**

All this isn't to say there's no connection at all between Tomiris and Turla.

In attacks between 2021 and 2023, Tomiris made use of KopiLuwak and TunnusSched — two of Turla's malicious tools. Because they had Turla's goods, Delcher says, "we strongly believe they might have been cooperating at some point, or they might still be cooperating right now."

Exactly how the groups connect is up for grabs. "They could be running an operation together," Delcher speculates, "or they could rely on a similar supply chain. They could have, for example, asked an independent developer to develop a backdoor, and the independent developer provided it to both Turla and Tomiris."

A more definitive answer will be hard to come by. "The only way to reliably and consistently get accurate attribution," Flatley bemoans, "is to use computer network exploitation techniques that are only legally allowed for government agencies to employ."

**Why This Matters to Businesses**

Distinguishing between threat actors isn't simply an educational exercise, Delcher says. It can help organizations better defend themselves.

For example, an organization affected by or otherwise worried about Turla might see the Kazuar malware and assume it's the work of that group.

"So, you grab all of the Turla IoCs, the technical intelligence, and address it with that assumption," Delcher says. "Of course, this is misguided because if they are not the same actors they won't use the exact same techniques, or the same implants. From the defender's perspective, you don't want to end up confused."

Diligent defenders will do well to pay attention to the subtle differences between groups, but certain principles apply across APTs.

"Elite threat actors will still take the easy way in if it exists, so reducing attack surface with things such as aggressive patch management and implementing MFA on every account possible still goes a long way," Flatley says. Prevention isn't enough against groups like this, though, so advanced detection capabilities and a plan for the worst case scenario are also necessary. "Visibility, married with a well-constructed and regularly practiced incident response plan, can greatly reduce the risk associated with threat actors of all levels."

Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers

JumpCloud integrates with Google Workspace to extend enterprise-quality security capabilities to small and midsize organizations.

**SUNNYVALE, Calif.****,** **April 24, 2023** **/PRNewswire/ --** Google Cloud today announced a series of new security alliances to bring more choice, capability, and simplicity to enterprise and public sector IT teams tasked with managing hybrid work at scale.

Google Workspace comes with industry-leading security built into its cloud-native, zero trust architecture. These capabilities combine threat defenses powered by Google AI, client-side encryption, data privacy controls, and simple access to Google Cloud cybersecurity products like BeyondCorp Enterprise and Chronicle Security Operations, to automatically stop the vast majority of online threats before they emerge—while also supporting customers' regulatory and sovereignty needs. Through its ecosystem of cybersecurity partners, Google Workspace can extend these capabilities further by combining them with tools from the industry's leading security companies, enabling customers to adopt comprehensive, secure collaboration solutions to meet their specific security needs as part of a single Google Workspace offering. 

"Global enterprises want to provide their workforces with more effective and secure ways of collaborating, with tools that increase productivity and avoid the vulnerabilities of legacy productivity solutions," said Sunil Potti, VP and GM of cloud security, Google Cloud. "Through its growing ecosystem of security partners, Google Workspace offers the most enterprise-ready platform for hybrid work, providing organizations with confidence and flexibility to work securely."

**Securing Enterprise Workforces with Okta and VMware**

Today, Google Cloud is extending the built-in identity, device, and access management capabilities of Google Workspace through new alliances with **Okta** and **VMware,** enabling large-scale businesses and public sector organizations to provide their workforces with FedRAMP-authorized collaboration and communication tools. Google Workspace works seamlessly with the enterprise-grade identity and access management capabilities in Okta Workforce Identity Cloud and the device and application management capabilities in VMware Workspace ONE, providing organizations with more choice and flexibility in how they enable safer collaboration for their workforce.

*   **Okta's Workforce Identity Cloud** brings Okta's leading identity and access management capabilities to Google Workspace customers, securely connecting employees, contractors, and business partners from any device and any location. Workforce Identity Cloud's flexible rules and policies ensure employees have just the right level of access they need to get their work done. With Okta, employees can use their Google Workspace credentials across more than 7,000 pre-built apps in the Okta Integration Network to reduce password sprawl for increased security.
*   **VMware Workspace ONE** extends VMware's industry-leading unified endpoint management and zero trust access capabilities to Google Workspace. IT teams can manage all Google Workspace apps through VMware's comprehensive platform, which provides users with quick and easy access to business applications and makes it simple for administrators to onboard devices, change configurations, push automated OS updates, and more, without requiring a combination of disjointed third-party solutions. Workspace ONE administrators can also access a collection of device-health dashboards and reports, along with multi-tenancy for management across geographies, organizations, and use cases.

"Identity is the connective tissue between a business's ecosystem of people and the technologies they need to be successful in hybrid and remote work," said Arnab Bose, chief product officer, Workforce Identity Cloud at Okta. "This partnership allows us to bring identity-powered security to Google Workspace customers while giving them an easy button to optimize their employee experiences and increase operational efficiency."

"The rapid shift to hybrid work has highlighted the need for IT teams to do more with less, while simultaneously balancing the increasing demands of security and productivity," said Renu Upadhyay, VP of product marketing, End-User Computing, VMware. "This VMware and Google Cloud partnership unlocks a transformative approach to end-user computing by creating an automated, unified, and secure experience across all endpoints, apps, and enterprise services, no matter where employees work."

**Helping Small and Midsize Organizations Replace Legacy Directory Services with JumpCloud**

**JumpCloud Open Directory Platform** provides customers with an alternative directory service to replace aging Microsoft Active Directory servers that is a modern, cloud-based solution. The platform works seamlessly with Google Workspace, enabling identity workflows and synchronization to thousands of applications, HRIS systems, and cloud infrastructure. It also combines these features with desktop and mobile device fleet management capabilities to ensure secure, frictionless access to applications and other resources from any operating system or location an employee chooses to work from.

"IT teams are looking for solutions that centralize access, device, and identity management. They need easier and more effective ways to secure how work happens," said Greg Keller, CTO and co-founder, JumpCloud. "The Google Cloud and JumpCloud solution gives IT teams a modern and affordable option to securely manage today's work on-prem, in the cloud or on the go. This offering provides IT teams, and channel IT solution providers, a more affordable, best in class alternative to expensive, legacy Microsoft packages."

**Google Workspace's Flexible, Secure Ecosystem**

Google Workspace is committed to offering more choice by providing organizations of any size with the ability to combine purpose-built security tools from its ecosystem of cybersecurity partners. New updates with JumpCloud, Okta, and VMware will build on existing offerings with CrowdStrike, which extends endpoint protection and Zero Trust through the CrowdStrike Falcon platform, and Palo Alto Networks, which extends endpoint protection and Zero Trust through Prisma Access and Cortex XDR. Over the coming year, deeper technical integrations with these partners will expand the joint capabilities available to Google Workspace customers, making it even easier to adopt Google Workspace for organizations with the most rigorous security and regulatory requirements.

Interested customers can learn more here.

**About Google Cloud**

Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology – all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

_VMware and Workspace ONE are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in_ the United States _and other jurisdictions._

SOURCE Google Cloud

Google Workspace Extends Enterprise-Grade Security and Device Management for Hybrid Work With Okta and VMware

Websites, cloud services, and API servers are seeing ever more automated traffic — aka bots — forcing companies to find ways to separate the digital wheat from the chaff.

Attackers are increasingly automated, with credential stuffing and automated application attacks surging, making the ability to detect, manage and mitigate bot-based requests increasingly important.

The sector focused on managing bots gained a new player last week, when Edgio — a company formed through a merger of Limelight Networks, Yahoo Edgecast and Layer0 — announced its own bot management offering. The service focuses on using machine learning and the company's Web security capability to allow granular policy controls, and joins other offerings from Web application firewall (WAF) providers and Internet infrastructure providers, such as Akamai, Cloudflare, HUMAN, and Imperva.

The service is not just about warding off increasingly automated attacks: Gaining the ability to see and manage so-called "good" bots — such as search bots and performance monitoring services — is just as important as preventing attacks from "bad" bots, such as credential stuffing attacks and application service attacks, says Richard Yew, senior director of product management for security at Edgio.

"Bot management means not just identifying and mitigating the bad bots, but also identifying and helping customers monitor good bots," Yew says. "You definitely need the security solution ... but you also want visibility to be able to monitor good bot traffic."

While human-originated requests continue to dominate overall Internet traffic, accounting for an increasing share of bandwidth, the total volume of bot requests have increased over time. In 2022, for example, the number of application and API attacks more than doubled, growing by 137%, according to Internet infrastructure firm Akamai. Another major source of bad bot traffic, credential stuffing attacks, accounted for a third (34%) of authentication events, according to authentication service provider Okta.

Requests from automated systems — and not humans — accounted for approximately 42% of all Internet traffic in 2021, the latest data available, according to data from Imperva. (Click here for a larger view of the above chart.)

**Are You a Good Bot or Bad Bot?**

The impact of bots on consumers can be obvious, but the impact of bots on businesses is not always so clear. While bots can hoard inventory, such as causing a shortage in Taylor Swift tickets or the Sony Playstation 5, other arguably legitimate uses include scraping data for competitive advantage or training machine learning systems. Still others are welcomed by most businesses, including search bots for which many companies try to optimize.

Dealing with bots often falls to security, but the threats extend to all facets of a business, says Sandy Carielli, principal analyst at Forrester Research.

"Bot management is not just about security being the decision-makers," she says. "If you're dealing with a lot of inventory-hoarding attacks, your e-commerce team is going to want to say in \[the response\]. If you're dealing with a lot of ad fraud, your marketing team will want to be in the room."

Bot management systems typically boil down to identifying the source of Web or API requests and then using policies to determine what to allow, what to deny, and which requests represent potentially interesting events or anomalies.

**Bots Focus More on APIs**

While the most common type of bot-based attack is credential stuffing, where the bots are used to attempt to use stolen credentials to log into a cloud service, the rise of API traffic has led to a variety of new attacks. Resource consumption attacks, which are a common form of denial-of-service attack, are now being ported to Web application programming interfaces (APIs).

By sending seemingly legitimate or outright fraudulent requests to an API server, an attacker could cause that server to process the request, which could be resource-intensive as more computational power is being made accessible through APIs. Because many of today's most expensive API calls are machine interfaces to machine learning systems, for example, attackers could run up a company's bill by using bots and APIs.

In a way, the bots — and defenses against them — are creating a circular economy, says Patrick Donahue, vice president of product at Cloudflare.

"It's interesting because essentially we're creating AI and machine learning systems to help other AI companies to keep their costs in check, so it's really like machine learning being used to stop machines from abusing other machine learning systems," he says.

**Close to the Edge**

Increasingly, bot management firms are pushing their technologies closer to the edge of the network, not just to protect clients but to catch attacks as soon as possible.

Edgio, as its name indicates, inspects traffic at the edge of the network and only allows "clean" traffic through its network. Requests enter through a point of presence (POP) close to the user — or the attacker — and exit through a POP close to the destination server or cloud service.

The benefit of such an architecture is that it stops attacks before they can impact other parts of the network, says Edgio's Yew.

"The advantage of us being close to the end user is that we're also close to the attacker because, let's face it, a lot of the attackers, they're just compromised devices," he says. "The same computer you use to watch TV and browse the Internet \[is\] probably the same device that's part of the zombie botnet launching any sort of bot attack. So it's very important to have a distributed infrastructure that allows us to run any workload with high performance and low latency."

The model mirrors what other vendors have done as well. Content delivery networks (CDNs), such as Akamai, Cloudflare and Fastly, also use edge servers to provide fast access to content and have adopted bot management features as well.

Source

DARKReading