The threat group behind the SolarWinds supply chain attacks is back with new tools for spying on officials in NATO countries and Africa.

As part of its ongoing invasion of Ukraine, Russian intelligence has once again enlisted the services of hacker group Nobelium/APT29, this time to spy on foreign ministries and diplomats from NATO-member states, as well as other targets in the European Union and Africa.

The timing also dovetails with a spate of attacks on Canadian infrastructure, also believed to be linked to Russia.

The Polish Military Counterintelligence Service and the CERT team in Poland issued an alert on April 13, along with indicators of compromise, warning potential targets of the espionage campaign about the threat. Nobelium, as the group is designated by Microsoft, also named APT29 by Mandiant, isn't new to the nation-state espionage game, the group was behind the infamous SolarWinds supply chain attack nearly three years ago.

Now, APT29 is back with a whole new set of malware tools and reported marching orders to infiltrate the diplomatic corps of countries supportive of Ukraine, the Polish military and CERT alert explained.

**APT29 Is Back With New Orders**

In every instance, the advanced persistent threat (APT) begins its attack with a well-conceived spear-phishing email, according to the Polish alert.

"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents."

The message would then direct the recipient to click on a link or download a PDF to access the ambassador's calendar, or get meeting details — both send the targets to a malicious site loaded with the threat group's "signature script," which the report identifies as "Envyscout."

"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish authorities added. "This makes the malicious file more difficult to detect on the server side where it is stored."

The malicious site also sends the targets a message reassuring them they downloaded the correct file, the alert said.

"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, tells Dark Reading about the campaign. "This espionage campaign meets all of the criteria for success."

One phishing email, for instance, impersonated the Polish embassy, and, interestingly, throughout the course of the observed campaign, the Envyscout tool was tweaked three times with obfuscation improvements, the Polish authorities noted.

Once compromised, the group uses modified versions of Snowyamber downloader, Halfrig, which runs Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, the Polish alert said.

"We are seeing an increase in these attacks where the bad actor uses multiple stages in a campaign to adjust and improve success," Harr adds. "They employ automation and machine learning techniques to identify what is evading detection and modify subsequent attacks to improve success."  
Governments, diplomats, international organizations, and non-governmental organizations (NGOs) should be on high alert for this, and other, Russian espionage efforts, according to Polish cybersecurity authorities.

"The Military Counterintelligence Service and CERT.PL strongly recommend that all entities that may be in the actor's area of interest implement configuration changes to disrupt the delivery mechanism that was used in the described campaign," officials said.

**Russian-Linked Attacks on Canada's Infrastructure**

Besides warnings from Polish cybersecurity officials, over the past week, Canada's Prime Minister Justin Trudeau made public statements about a recent spate of Russian-linked cyberattacks aimed at Canadian infrastructure, including denial-of-service attacks on Hydro-Québec, electric utility, the website for Trudeau's office, the Port of Québec, and Laurentian Bank. Trudeau said the cyberattacks are related to Canada's support of Ukraine.

"A couple of denial-of-service attacks on government websites, bringing them down for a few hours, is not going to cause us to rethink our unequivocal stance of doing whatever it takes for as long as it takes to support Ukraine," Trudeau said, according to reports.

The Canadian Centre for Cyber Security boss, Sami Khoury, said at a news conference last week that while there was no damage done to Canada's infrastructure, "the threat is real.""If you run the critical systems that power our communities, offer Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't do without, you must protect your systems," Khoury said. "Monitor your networks. Apply mitigations."

**Russia's Cybercrime Efforts Rage On**

As Russia's invasion of Ukraine wages on into its second year, Mike Parkin with Vulcan Cyber says the recent campaigns should hardly be a surprise.

"The cybersecurity community has been watching the fallout and collateral damage from the conflict in Ukraine since it started, and we've known Russian and pro-Russian threat actors were active against Western targets," Parkin says. "Considering the levels of cybercriminal activity we were already dealing with, \[these are\] just some new tools and new targets — and a reminder to make sure our defenses are up to date and properly configured."

Russian SolarWinds Culprits Launch Fresh Barrage of Espionage Cyberattacks

Detailing how extended IoT (xIoT) devices can be used at scale by attackers to establish persistence across networks and what enterprises should start doing about the risk.

Extended IoT devices (xIoT) stand as a perennial favorite for cyberattackers seeking to move laterally and establish persistence within enterprise networks. They've got everything the bad guys need for a foothold: They're grossly under secured, they're present in large numbers (and in sensitive parts of the network), and, crucially, they're typically not well monitored.

In an upcoming session at RSA, security researcher and strategist Brian Contos will walk his audience through the ways that these devices can be used to create very broad attacks against enterprise resources, along with what security strategists should be doing to counter the risk.

"I'll be doing some xIoT hacking demonstrations, because everybody likes to see things broken into," says Contos, chief strategy officer for Sevco Security. "But in the xIoT world it's quite easy to compromise, so I won't focus on that but instead on how it can be used as a pivot point to attack on-prem devices, in-cloud devices, to steal sensitive data, maintain persistence, and evade detection."

His goal is to show the entire life cycle of the attack in order to demonstrate the weighty ripple effects that are in the offing from leaving xIoT devices unmanaged and unmonitored in enterprise environments.

**The Prevalence of xIoT Insecurity**

As Contos explains, xIoT devices typically fall into three device categories that all proliferate significantly in business environments. The first are the enterprise IoT devices like cameras, printers, IP phones, and door locks. The second are operational technology devices like industrial robots, valve controllers, and other digital equipment that control physics in industrial settings. The third — and often least remembered — are general network devices like switches, network attached storage, and gateway routers.

"The thing all of these devices have in common is that they're all purpose-built devices, created for one specific purpose," he notes. "They're network connected, and you can't install any additional 'stuff' on them. So, you can't put a firewall or an IPS, or antimalware on them. So, all of the traditional IT controls don't necessarily fit well in this world of xIoT."

He says his research over the last couple years has shown that in the typical enterprise network, there are usually three to five xIoT devices per employee floating around. In some industries — such as oil and gas or manufacturing, that number can scale upward to more like five to six devices per employee. So a manufacturing company with 10,000 employees could easily be looking at 50,000 of these devices on their network.

"And what you're going to find is that about half of those are running a default password, which takes all of a half a second for me to look up on Google," he says. "If I Google, 'What's the default password on an APC UPS system, it will tell me the default username is 'apc' and the default password is 'apc.' And I can tell you from experience, I have yet to have ever seen an APC UPS system in the wild that doesn't have 'apc-apc' as the username and password."

On top of that, he explains that more than half of xIoT devices are also running critical-level CVEs that require little to no hacking expertise to leverage remotely and gain root privileges on the devices.

"Because of the volume, if you don't get into the first 1,000 to 2,000 devices, chances are you are going to get into the next 1,000 to 2000," he says.

**The Lessons Learned**

Contos' hacking demonstrations will dive into how a different device from each of the xIoT device categories can be used for a myriad of attack purposes, from turning off power to destroying an asset, and exfiltrating sensitive data to expanding attack reach across a network. He will share information on xIoT hacking tools that nation-state actors have built and explain how the threat actors are putting serious money into investing in these kinds of attacks.

"I want the audience to understand how easy it is and to understand this is a risk that requires some focus within their organization," he says.

As a part of the discussion, Contos will discuss countermeasures that include solid asset management, identity management, and patch management around xIoT, as well as compensating controls like segmentation and MFA in order to harden the xIoT attack surface. He also says he hopes to explain that defenses shouldn't be planned "in a bubble." This is not the kind of security measure that should be developed by a special task force that's removed from cloud security and other security groups, in other words.

"This should all be integrated because all of these devices touch each other," he says. "It should be part of one larger approach."

Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement

Google has opened up its software-dependency database, adding to the security data available to developers and toolmakers. Now developers need to use it.

Developers interested in gauging the security of open source components have an abundant number of choices, but they still have to choose to use the information to audit the components in their applications, experts say.

On April 11, Google announced its deps.dev API service, which includes security metadata that covers more than 5 million components across five software ecosystems, including the main open source repositories for Go, Java, Python, JavaScript, and Rust. The data is accessible through both the company's deps.dev website and a dataset that can be queried through a new API.

Developers can use the information to help choose packages, integrated development environments (IDEs) could offer security metrics as a developer works, and application-security tool makers could add the information to the list of sources they use to offer verdicts on the security and maintainability of open source software components, says Nicky Ringland, product manager for Google's Open Source Security Team.

"It could also mean looking at reporting after the fact ... and perhaps discovering some dependency challenges that they need to address," she says. "Ultimately, being able to check a potentially very large set of dependencies across multiple language ecosystems for security or licensing issues, automated and at scale ... is a powerful tool that we hope will benefit the whole ecosystem."

The Google deps.dev service's release comes as software developers, application security firms, and the US government work to find ways to improve the security of the open source software ecosystem. The exploitation of vulnerabilities in the Log4j logging package for Java — which is expected to be an "endemic vulnerability," according to the US Department of Homeland Security's Cyber Safety Review Board (CSRB) — underscores the importance of not only minimizing vulnerabilities in open source packages, but also eliminating the use of vulnerable packages.

A variety of efforts are already underway to give open source projects more tools to improve security and communicate their own dependencies, but developers must make security a priority and use information to know which components to download, says Brian Fox, co-founder and chief technology officer of software security firm Sonatype. The firm discovered that when a developer "consumes" a software component that has a vulnerability, 96% of the time a fix was already available.

"In other words, the problem is not really about our open source projects doing a good job. The Log4j team turned a patch over Thanksgiving weekend — in days, right — probably faster than most companies would have been able to do the same for a commercial project," he says. "We need to do a better job. Organizations that are consuming open source are doing a terrible job of making these decisions."

**A Feast of Dependency Data**

Google's deps.dev service adds another source for developers to search for information on open source components, but it is far from the only one. Sonatype revamped its OSS Index in 2018, modernizing the service to provide access to security and maintenance data on millions of software projects from 14 different ecosystems, such as the RubyGems package system for Ruby and the RPM Package Manager for Linux, in addition to the five covered by Google.

Other services, such as OpenText's Debricked, also offer a view into their own dependency datasets, tagging the projects and offering measures of popularity, contributor activity, and security.

The data should allow any developer to make better decisions but also give toolmakers another source of data to improve their guidance for software programmers, says Google's Ringland.

"Our intent for the API is that it is usable for anything from quick one-off scripts to complex tooling, like editor plug-ins or build system integrations," she says. "We see real appetite for this data — in everything from IDEs to CI/CD systems to audit dashboards — and are excited to be bringing critical security information to developers, CISOs, open source maintainers, and more."

Endor Labs, which focuses on helping developers make better choices using software dependency data, already uses deps.dev as one of its sources, but it lauded the more streamlined database access. Endor Labs pairs such data with extensive analysis to minimize false positives, such as when an application uses an open source library but not the vulnerable functions in that library.

The company also intends to make its own dependency information more accessible through DroidGPT, a ChatGPT-based service that makes risk data searchable in a conversational way, says Varun Badhwar, CEO and co-founder of Endor Labs. The goal is to reduce the amount of work to select and manage open source dependencies because selecting the wrong ones can create a great deal of future work — otherwise known as technical debt.

"Technical debt is typically created when developers are asked to constantly patch and fix vulnerabilities in open source code, despite most of that code not actually being in use," Badhwar says. "The way to reduce technical debt with OSS is by selecting better dependencies and prioritizing risk that actually matters."

**SBOM + Dependency Data = Better Software Security**

The dependency data will really start to be useful as developers and toolmakers begin combining the data with the software bill of materials (SBOMs) that are increasingly being created by development tools.

SBOMs can help organizations and development teams by illuminating their use of open source libraries, such as whether they are using five different encryption libraries or 12 loggers, says Sonatype's Fox.

"They have that shock moment when they realize they're using a dozen, 15 different components that all do the same thing," Fox says. By combining SBOMs and security data, "I can look at the whole entirety of my portfolio and start reasoning about it."

Adding security data to that allows companies to make better choices about how to streamline their software selection, and tools — such as the publicly available Security Scorecard — or commercial services can help, Endor Labs' Badhwar says.

"As the effort starts to span multiple teams and requires much engineering effort, and as they look to start reducing development effort on false positive security alerts, companies will find better ROI with \[these\] tools," he says.

Software-Dependency Data Delivers Security to Developers

Focusing on what customers and partners need from a company can help CISOs show the real financial benefits of improving cybersecurity.

Security has historically been seen as a cost center, which has led to it being given as little money as possible. Many CISOs, CSOs, and CROs fed into that image by primarily talking in terms of disaster avoidance, such as data breaches hurting the enterprise and ransomware potentially shutting it down.

But what if security presented itself instead as a way to boost revenue and increase market share? That could easily shift those financial discussions into something much more comfortable.

For example, Apple touted its investments into the secure enclave to claim that it offers users better privacy. Specifically, the company argued that it couldn't reveal information to federal authorities because the enclave was just that secure. Apple turned that into a powerful competitive argument against rival Android creator Google, which makes much of its revenue by monetizing users' data.

In another scenario, bank regulations require financial institutions to reimburse customers who are victimized by fraudsters, but they carve out an exception for wire fraud. Imagine a bank realizes that covering all fraud — even though it is not required to do so — could be a powerful differentiator that would boost its market share by supporting customers better than competitors do. How can the bank afford to do this? It increases security investments to the point where the projected fraud losses are materially less than the projected increase in revenue.

Or look at the case of a cloud provider, which could differentiate itself from most major cloud providers by improving uptime performance by focusing on reducing DDoS attack damage. Even further afield, an agriculture company that invested in better security could improve trust and bring in more partners, thus expanding into lucrative new markets. A wide range of companies can make the case for improving overall business performance by improving cybersecurity.

**Case Study: Brokering Cyber Insurance**

Another example of leveraging security to explicitly boost revenue comes from Marsh McLennan, a $10 billion business that bills itself as the world's largest insurance broker.

One of the biggest recent trends in cybersecurity insurance are insurance companies refusing to insure many enterprises because the enterprise does not have security that meets the strict requirements of that insurer. Although this does limit their potential losses, it also immediately threatens insurance companies' revenue because of the loss of premium income.

To maximize the number of companies that it can deliver to insurance companies, and thereby maintain its own revenue, Marsh evaluates companies. When a company's security profile isn't sufficient, Marsh taps its security company partners to bring that potential client's security profile up to where it qualifies for a policy with the insurance company. That's good for the company because it is able to get insurance and enjoy better security, it's good for the insurance company because it gets the premium revenue, and it's good for Marsh, which makes a proper and successful referral.

"We look at the client relationship as a holistic life cycle. Placing insurance is our bread and butter," says Katherine Keefe, leader of cyber incident management at Marsh. "Our clients need support in readiness: how to prepare, how to develop an incident response plan \[or\] tabletop exercises. We provide them with tools and solutions and support cyber preparation."

**Shifting From Defense to Growth**

Stephen Boyce, a director at Magnet Forensics, argues that when enterprise security executives focus on what prospects care about, and therefore help with revenue and market share, it can be the single most effective way to improve the security posture.

"What it does is create a shift in the relationship dynamic between the CISO and the CFO, and potentially the rest of the C-level team," Boyce says.

This does indeed have the potential to change the relationship dynamic, but SailPoint CISO Rex Booth stresses that such a change can only happen if the enterprise is ready for it. And, he adds, many are not yet.

"For way too long, security has been \[focused\] on conflict, where it should be an enabling function. And that does require a shift in the relationship dynamic of the CISO — a role that has traditionally been seen as purely risk reduction," Booth says. "This needs to happen at the proportion of companies that are mature enough to take their CISO and dual-hat them into not only a security role, but a revenue-generating role. Some are migrating in this direction, but most organizations are not there yet."

**Proving Value by Improving the Business**

Still, Booth says there are pros and cons at play. The argument against such a change — or at least slowing it way down — is that security departments today are severely underbudgeted, which means they are understaffed and find it difficult to properly defend the enterprise. That suggests that attempts to support sales will further dilute their attention and make a bad situation potentially worse.

The counter to that is that underbudgeted security operations are likely to always be underbudgeted. By making periodic moves to help sales — maybe just once or twice a year — it could illustrate to the CFO, the COO, the CEO, and the board the potential for using security to help with the bottom line. And, in theory, that could meaningfully contribute to security being budgeted a little better, which itself could be a huge help in defending the enterprise.

That is even more critical given that the core efforts of security are often difficult to prove from a value ROI perspective.

"If I do everything right from a security perspective, there's no way for me to tell the board, 'I saved you $2 million because of those ransomware events that never happened,'" Booth says.

The goal should go beyond getting prospects to convert to customers and increasing market share and needs to include customer retention, argues Bob Hansmann, cyber-risk and security product marketing leader for Infoblox.

"The enterprise needs to make sure that the services are not just up and available, but that they run smoothly," Hansmann says. "And security is the unit that is best positioned — in terms of experience, talent, and tools — to make that happen."

Security Is a Revenue Booster, Not a Cost Center

An "open" Internet faces challenges from autocratic governance models. Policymakers should instead think about creating an Internet that's equitable, inclusive, and secure.

In policy circles, we often hear about the need for a "free," "open," and "secure" Internet. This was most recently the case with the White House's Declaration for the Future of the Internet. Ideally, users benefit from all three properties. However, fundamental tradeoffs between them force us to look for other goals. These three properties present a "trilemma" — and we must choose _only two_.

As a supposedly "open" Internet faces challenges from autocratic governance models, policymakers should think instead about creating an "equitable, inclusive, and secure" Internet — criteria I believe are actually achievable with policy interventions.

"Free," "open," _and_ "secure"? Those are all slippery notions, but they have traditionally been operationalized by three properties.

"Free" has been understood to mean "permissionlessness" — anyone can send anything to anyone.

"Open" has been understood to mean common carriage. Common carriers (traditionally Internet service providers or ISPs) cannot filter content. This notion has been referred to as "net neutrality" in US policy debates.

"Secure" has been understood to mean reasonable protection against attack: Internet users should enjoy reasonable protection against both unfocused attacks (like distributed denial of service, or DDoS) and targeted ones (like ransomware).

    

Source: Nick Merrill

To understand this trilemma, let's start by understanding how security is achieved on the Internet today. Content distribution networks (CDNs) — like Cloudflare — use AI to defend against both large-scale and targeted threats. Due to their efficacy, CDNs have grown in their importance: Per recent estimates, CDNs now deliver three-quarters of traffic directly to users.

However, CDNs are not common carriage: Algorithms inspect content and make a judgment about whether to allow or block it. Let's call this strategy "secure with AI."

Could we have protection against cyberattacks _and_ common carriage? Yes: We could use cryptographic identities to authenticate traffic. Traffic could then be common carriage, and end users could decide which identities to accept (or reject) traffic from. The problem? In such a world, we lose the "free" or permissionless Internet, creating a scenario I call "secure with ID."

**Toward an Inclusive and Equitable Internet**

Which world do we prefer?

Let's start with the secure with AI world. We sacrifice common carriage: "Stop worrying and love the algorithm." Can AI be made inspectable, regulatable, and directly accountable to policymakers, and also be robust against attacks? These questions would guide us in understanding the workability of this approach.

Now, let's look at the other side: secure with ID. We regain common carriage but open up new avenues for discrimination. A properly engineered system should obfuscate users' exact identity (e.g., one's name), but will reveal which authority granted that identity (e.g., "Is this person American?").

In navigating these two worlds, inclusion and equity must be our north star.

Imagine you live in Ghana. As research on this topic reveals, people from countries like Ghana are regularly prevented from accessing websites, thanks to AI-powered "security" measures from CDNs. How can we make a democratically governed Internet more inclusive while retaining our democratic values?

In the "secure with AI" world, we would need Ghanaians (and others from countries in which connectivity is fast-rising) to sit at the table in which algorithms are governed.

In the "secure with ID" world, we would need to give Ghanaians robust digital identities — not only to hand Ghanaians identities,but to make these identities legible and usable in actual practice, and to give Ghanaians a say in how those identities work.

Which is harder? Which is more inclusive in practice? Which does a better job of assuring a democratic Internet, one subject to the will of the broadest number of people — not in theory, but in practice?

**Looking Over the Horizon**

Artificial intelligence, quantum communication, bioengineered pathogens: Various near-future technologies will require strict governance and sharp policy thinking.

These threats are — and I'll use a technical term here — scary. Here's where I take solace: If we can manage to govern the Internet, we'll find ourselves many steps closer to managing technology broadly.

The Internet governs the way technologies communicate with one another. As we govern transportation by placing roads and skies under publicly accountable institutions, we can govern technology — particularly AI — by placing Internet infrastructure under the right kinds of public accountability.

Democracy can find an answer here, and that answer will propel us closer to a model of democratically accountable technology.

What does that accountability actually look like? Answers to this question will help shape the future. Will our children, and their children, fear technology, or control it? Will they be watched over by technologies — by technocrats — or will they do the watching?

The Internet Reform Trilemma

To report or not report? While more than half of all companies have suffered a data breach, 71% of IT professionals say they have been told to not report an incident, which could mean legal jeopardy.

While an increasingly number of regulations have made the reporting of data breaches mandatory, a majority of IT professionals in the United States say they have been told to keep quiet about an incident, potentially running afoul of legal requirements.

In a survey released last week, 42% of the more than 400 IT and security professionals surveyed — and 71% of those in the United States — maintain that they have been instructed to keep a data breach confidential when they knew the incident should be reported. Three in 10 of those surveyed have acquiesced and not reported the breach, according to the "2023 Cybersecurity Assessment Report," published by cybersecurity firm Bitdefender.

The pressure to keep silent on a potential breach of data not only puts companies at risk of fines and penalties but could place workers at risk as well. In reality, the decision to disclose a breach or not should rest with the executive teams, says Martin Zugec, technical solutions director at Bitdefender.

"If I'm an IT administrator, and maybe security is not even my full-time job, it's really hard for me to say if we do have the requirement to disclose or not," he says. "So the responsibility for security should start with executives, with the leadership of the company, and they should be involved in the decision to disclose."

The impetus to not report a breach is certainly not new. In 2018, for example, a similar survey found that 84% of cybersecurity professionals expected timely notification of a breach, but only 37% of the same group put an emphasis on the expeditious notification of a breach to their customers. In perhaps the most notorious example, a jury found Joe Sullivan, the former CSO of Uber, guilty of obstruction of justice and a related charge last year for his cover-up of a data breach in 2016.

**Regulatory Chaos Leads to Problems in United States**

While an increasing number of regulations require that companies disclose, those regulations are unfortunately not consistent. That's especially true in the United States, where a large company will find itself having to comply with 50 jurisdictions, federal regulations, and industry-specific regulations, says Bryan Cunningham, former deputy legal adviser to Condoleezza Rice when she was national security adviser, and now an adviser with Theon Technology. To boot, many companies have customers in Europe, which places them under requirements of the GDPR.

"There are sometimes instances of data handling where it's literally impossible to comply with the European Union laws and US laws at the same time," he says. "So the internal people at these companies are torn in a bunch of different directions."

The European Union's integrated approach to data security creates a consistent blanket of requirements compared with the United States and its hodgepodge of state, federal, and industry regulations regarding privacy and data protection — which perhaps leads to better disclosure stats.

Three-quarters of respondents in the US (75%) experienced a data breach in the last 12 months, while 51% of respondents in the United Kingdom, 49% in Germany, and even fewer in Italy, Spain, and France experienced a data breach. Yet, compared with the 71% of respondents in the United States who were instructed to keep a breach quiet, just 44% of respondents in the United Kingdom said the same, 37% in Italy, and less than 35% in Germany, Spain, and France, according to the "2023 Cybersecurity Assessment Report."

"We need to make it much clearer who's supposed to do what and when, which is why I believe that initiatives like the GDPR are making us, as a whole society, much safer," Zugec says. "The model of individual responsibility that we have it set up today \[in the US\], we are running into its limits."  

**Penalties Depend on Jurisdiction, Details**

The penalty for failing to report a data breach varies widely by the jurisdiction and the specifics of the case, says Kevin Tunison, data protection officer for Egress, an email security provider. In the case of Uber's security chief, Sullivan, the company paid hackers $100,000 through a bug bounty program to keep quiet about the breach, and the CEO approved of the action.

"There must be disagreement in a healthy culture to debate whether an incident is reportable — if everyone agreed, there would be no need for data protection legislation," Tunison says. "Lastly and most importantly, human error is no longer an excuse a business can fall back on. It is the responsibility of every organization to take reasonable and cost-effective steps to avoid the avoidable."

In the US, the criminal code, Title 18, has a variety of potential charges that could be leveled against a person who hindered a data breach investigation, including by not reporting the original incident as required. In the EU, of the 27 countries signed onto the GDPR, 10 have prison terms as a potential penalty for criminal liability.

"Depending on the jurisdiction(s) the company operates in, the risks can be as significant as life in prison," Tunison says.

The good news is that companies appear to be changing directions, especially in the wake of the Sullivan case. While small and midsize enterprises may not have received the memo because they typically are not the target of enforcement actions and lawsuits, the largest firms around the world are starting to work with governments and asking for more homogenous regulations, says Theon Technologies' Cunningham.

"I think there is a pretty significant cultural shift among certainly publicly traded companies and regularly regulated companies, that the days of being able to bury this stuff are over," he says. "Even the wisdom of doing that has been completely reevaluated."

Majority of US IT Pros Told to Keep Quiet About Data Breaches

A novel credential harvester compromises SMTP services to steal data from a range of hosted services and providers, and can also launch SMS-based spam attacks against devices using US mobile carriers.

Threat actors are selling a novel credential harvester and hacktool via a Telegram channel, which can exploit numerous Web-based services to steal credentials. It also has the bonus ability to launch SMS-based spam attacks that target US-based mobile devices as well, the researchers have found.

Researchers from Cado Security uncovered the Python-based credential stealer, called Legion, which has links to both the AndroxGh0st malware family and another previously discovered malware, they revealed in a blog post published today.

Legion's primary means of attack is to compromise misconfigured Web servers running content management systems (CMS), PHP, or PHP-based frameworks, such as Laravel, the researchers noted. Once installed, it contains several methods for retrieving credentials from the servers: by targeting the Web server software itself, scripting languages, or frameworks on which the server is running. The malware attempts to request resources from these known to contain secrets, parses them, and saves the secrets into results files sorted on a per-service basis, the researchers said.

"One such resource is the .env environment variables file, which often contains application-specific secrets for Laravel and other PHP-based Web applications," wrote Matt Muir, threat intelligence researcher at Cado Security, in the analysis. "The malware maintains a list of likely paths to this file, as well as similar files and directories for other Web technologies."

Legion then marches on to steal credentials from myriad Web-based sources and services —such as email providers, cloud service providers, server-management systems, databases, and payment platforms like Stripe and PayPal, the researchers said. And Legion can brute-force credentials to Amazon Web Services (AWS), which is consistent with similar functionality in AndroxGh0st, according to analysis of that malware by researchers at Lacework, Muir said. 

In addition to credential theft, Legion includes traditional hacktool functionality that can exploit well-known PHP vulnerabilities to register a Webshell or remotely execute malicious code, Muir tells Dark Reading.

"It is an SMTP abuse tool primarily, but it relies on opportunistic exploitation of misconfigured Web services to harvest credentials for said abuse," he says. "It also bundles additional functionality traditionally found in more common hacktools, such as the ability to execute Web-server-specific exploit code and brute force account credentials."

As mentioned, one unique aspect of the malware is that along with stealing credentials and general hacking, it also can automatically send SMS spam messages to mobile network users based in the United States, including subscribers to AT&T, Boost Mobile, Cingular, Sprint, Verizon, and more. This feature is one not often, if ever, seen in a credential harvester, the researchers noted.

This function is fairly basic: It retrieves the area code from the website www.randomphonenumbers.com, then tries different combinations of numbers to find a workable phone number.

"To retrieve the area code, Legion uses Python's BeautifulSoup HTML parsing library," Muir wrote. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

To send the SMS messages themselves, the malware checks for saved SMTP credentials retrieved by one of the credential-harvesting modules, he added.

**Widespread Malware Distribution via Telegram**

A public Telegram group with more than 1,000 members to which Cado researchers gained access is distributing Legion, which also has a dedicated YouTube channel containing tutorial videos on the malware, the researchers said.

The malware is also being advertised by other Telegram groups to reach about 5,000 users in total. These combined factors indicate that Legion already has a loyal following and is likely a for-purchase offering under a perpetual license model, Muir said.

"While not every member will have purchased a license for Legion, these numbers show that interest in such a tool is high," he wrote in the post. "Related research indicates that there are a number of variants of this malware, likely with their own distribution channels."

While the researchers have not identified the definitive source of Legion, several Indonesian-language comments on the YouTube channel suggest that the developer may be Indonesian or based in Indonesia, and references to user with the handle "my13gion" in the Telegram group also offer clues to its source, they said.

Moreover, in a function dedicated to PHP exploitation, a link to a GitHub Gist leads to a user named Galeh Rizky, with a profile suggesting that this user is located in Indonesia. Still, it's not clear if Rizky is the developer behind Legion, or if his code just happens to be found in the sample analyzed by Cado, the researchers said.

**How to Mitigate & Assess Legion's Cyber-Risk**

Researchers included a list of indicators of compromise (IoCs), as well as a list of targeted US mobile carriers in the blog post to help organizations or device users know if they've been compromised by Legion or could be a target of the malware, respectively.

Given the malware's reliance on misconfigurations in Web servers or frameworks to access systems, Cado recommends that organizations and other users of these technologies review existing security processes and ensure that secrets are appropriately stored. Moreover, if credentials are stored in a .env file, this file should be outside Web server directories so that it's inaccessible from the Web, the researchers said.

Organizations using cloud providers such as AWS and Microsoft Azure should also keep in mind their shared-responsibility obligations under the terms of use for those platforms to ensure their Web servers are configured properly, Muir says. A compromise by the malware "would likely fall under the user's remit in a shared responsibility context," he says.

Additionally, AWS users should also be aware of Legion's targeting of the platform's identity access management (IAM) and simple email service (SES) in its attempt to gain AWS credentials. To mitigate this risk, organizations should look out for user accounts that show a change in the IAM user registration code to include an "Owner" tag with the hardcoded value "ms.boharas," which is a hallmark of the malware, the researchers said.

Legion Malware Marches onto Web Servers to Steal Credentials, Spam Mobile Users

There are plenty of AD objects and groups that should be considered tier zero in every environment, but some will vary among organizations.

Organizations trying to improve the security of their Active Directory environments face a simple problem: Attackers have too many options. The average enterprise AD environment has thousands or tens of thousands of attack paths, which are chains of misconfigurations that allow an attacker with initial access to a low-privileged user to escalate privilege, move laterally to a high privilege user, and then take over the domain. While fixing every misconfiguration may not be possible, security and identity and access management administrators can absolutely make meaningful progress towards securing AD. But they need a way to prioritize their work to do so successfully.

The first step in prioritizing attack paths is focusing on those that lead to any tier-zero asset. Tier-zero assets are the vital systems in AD or Azure AD that, if compromised, allow an attacker to give themselves access to any system they want. Whatever an attacker is trying to do, whether that's deploying malware, stealing sensitive information or establishing persistence, getting control of a tier-zero system will allow them to do that.

This raises the question of what systems are included in tier zero. The term comes from Microsoft's Enhanced Security Administration Environment (ESAE - Retired) model and means the set of objects with full control over the environment _and_ any objects with control over those objects. The ESAE model has been retired and replaced with Microsoft's Enterprise Access Model, which recommends the same advice and now refers to this sensitive group as "control plane." However, neither model includes a list of systems considered to be part of tier zero.

Here's what my colleagues and I who research AD security consider tier zero assets. There are many AD objects and groups that should always be considered tier zero in every environment, but some will vary from organization to organization. The final tier zero group will be custom to each organization.

**Group One: Domain Control Groups**

First, we include objects that maintain full control of a domain or have the (effectively) irrevocable ability to gain access to those groups. Remember to inspect any privileged group membership in AD to identify any nested groups, since group permissions are inherited. For example, if one group is nested within a second group that is included in domain controllers, all members of both groups will have those privileges.

In Active Directory, these include the domain head object, built-in administrator accounts, domain admins; domain controllers; schema and enterprise admins; enterprise domain controllers; key and enterprise key admins; and administrators overall.

In Azure, tier zero includes the default roles that maintain full control of an Azure tenant or have the effectively irrevocable ability to gain access to those roles. These include tenant objects, global administrators, privileged role administrator, and privileged authentication administrators.

**Group Two: Key Identity Systems

Next, tier zero should include the computers and service accounts associated with the following systems. These will almost always be tier zero, but the process for identifying them will vary depending on the environment.

First are the public key infrastructure/Active Directory certificate services, including root certificate authority (CA) server and subordinate CAs. Second is Active Directory federation services, but note that Web application proxy servers should be in a separate AD forest (DMZ or extranet network) and are not considered tier zero. Third are Azure AD Connect servers and accounts, including servers with pass-through authentication that is enabled. Privileged access management systems such as Thycotic or CyberArk, and group policy object administration tools such as Quest GPO admin or advanced group policy manager should be considered tier zero as well.

As we've said, tier zero should be customized for each organization. The computers and services accounts associated with anything else that a specific organization considers to be tier zero, such as privileged access workstations, should be included with the systems listed above. Enterprise read-only domain controllers and read-only domain controllers can be considered tier zero or tier one, depending on certain conditions.

****Group Three: Systems With Code Execution Ability**

Finally, tier zero should include systems that have code execution ability (or other privileged control) on the tier zero systems listed above. For example, if domain controllers are managed from Microsoft System Center Configuration Manager (SCCM), compromising SCCM allows the attacker to execute code on domain controllers. SCCM is, in this case, an indirect path to full control over the environment and, therefore, a tier-zero system. This attack requires more sophistication but is still a viable option for an adversary and organizations should be prepared for this possibility.

There are often many systems in this category and identifying them all can be a significant project. It's recommended that organizations work in phases; first identify all the objects and accounts listed above, draw the tier-zero boundary around them, and then move on to identify systems with code execution ability over them.

Once an organization has identified these assets, they can focus their security resources on protecting them and better assess which attack paths to focus on closing. It's practically impossible to close every possible avenue of attack in an enterprise network, but prioritizing their efforts allows defenders to eliminate the most dangerous ones that lead to tier-zero assets and reduce their overall exposure significantly.

How to Define Tier-Zero Assets in Active Directory Security

With deps.dev API and Assured OSS, Google is addressing the common challenges software developers face in securing the software supply chain.

In a bid to reduce software supply chain risks in the open source software ecosystem, Google launched a free API service providing dependency data and security-related information on over 5 million software components across different programming languages.

Attackers are increasingly injecting malicious code into widely used open source components or dependencies to compromise software projects. According to Mandiant’s M-Trends 2022 report, 17% of all security breaches start with a supply chain attack. This attack vector is the second most common method used. The most common is using exploits targeting vulnerabilities in code.

The free deps.dev API allows developers to find out information about the packages they are thinking of using, such as what versions are available, software license being used, and which dependencies are included in the package. The information comes from the security metadata collected by Google's Open Source Insights team. The metadata comes from multiple sources for 5 million packages with 50 million versions found in the Go, Maven (Java), PyPI (Python), npm (JavaScript), and Cargo (Rust) public registries.The metadata includes transitive dependency graphs, license information, security advisory impact reports, and OpenSSF Security Scorecard information.

Support for NuGet (.NET framework) packages is on the roadmap, Google said.

"Software supply chain security is hard, but it’s in all our interests to make it easier," the Google Open Source Security Team said in a blog post. "Every day, Google works hard to create a safer internet, and we’re proud to be releasing this API to help do just that and make this data universally accessible and useful to everyone."

As part of the company’s efforts to improve open source software security, Google Cloud also announced general availability for the Assured Open Source Software (Assured OSS) service for Java and Python ecosystems. Assured OSS allows organizations to incorporate the same open source packages Google secures and uses into their own developer workflows. When the service was originally announced in May 2022, it launched with 278 packages. Now it contains over 1,000 Java and Python packages, including projects such as TensorFlow, Pandas, and Scikit-learn.

Many organizations maintain private repositories of commonly used packages instead of always connecting to public repositories. While there are benefits to this approach, it also puts the onus of regularly updating the packages in the local repository whenever the official package is changed onto the organization. Many developers wind up pulling outdated and vulnerable versions of open source packages as a result.

Using this service would help reduce risk as Google is actively scanning these packages to find and fix vulnerabilities. The vulnerabilities are fixed and “quickly contributed back upstream to limit the exposure time and blast radius,” Google Cloud’s group product manager of security and privacy Andy Chang wrote in the announcement.

The service provides Assured SBOMs (Software Bill of Materials) so that organizations know what dependencies are included in those packages. That way, if a vulnerability is disclosed in a dependency, organizations using the service would have a easier time finding out if they are impacted, even if the dependency is buried deep down in the software.

Google Tackles Open Source Security With New Dependency Service

**MOUNTAIN VIEW, Calif., April 11, 2023** – Menlo Security, a leader in browser security, today shared results from the CyberEdge Group’s 10th Annual Cyberthreat Defense Report (CDR). This year’s report, sponsored in part by Menlo Security, highlights the growing importance of browser isolation technologies to combat ransomware and other malicious threats. This continues to be critically important as the research revealed that 78% of ransomware attacks include threats beyond data encryption.

Threat actors know today’s employees spend most of their time working in their web browser, making it both a critical business asset and an attractive attack vector if not properly protected. More than half (51%) of respondents use some form of browser or Internet isolation to protect their organizations, with another 40% planning to deploy this type of technology in the next 12 months. Furthermore, 33% of respondents noted that browser isolation is a key element of their cybersecurity strategy for protecting against sophisticated attacks such as ransomware, phishing and zero-day attacks.

This growing focus on browser security is validated by CDR findings that four in five respondents said that when victimized by ransomware attacks, which are often delivered through the browser, they faced the consequences of multiple threats if they did not pay the ransom. These multi-level attacks included threats to publicly release exfiltrated data (40%), notify customers/media of a data breach (42%) or commit a DDoS attack against the organization (42%).

“Evasive web threats, including Highly Evasive Adaptive Threats (HEAT), often come through the web browser and easily bypass multiple layers of detection in prominent security technology, resulting in malware, compromised credentials, and, many times, ransomware,” said Mark Guntrip, senior director of cybersecurity strategy at Menlo Security. “The CDR shows that the risk of ransomware delivered via a HEAT attack is becoming even more serious, with multiple threats in one payload. Preventing it is critical and browser isolation technologies are a highly effective way to do so.”

This year’s CDR notes browser isolation as an up-and-coming technology that allows employees to perform activities such as accessing websites, opening emails and downloading documents in an isolated environment in the cloud. Because the browser session is isolated, any malware, ransomware or other threats are unable to reach corporate systems, negating the effectiveness of even sophisticated attacks.

“It’s exciting to see browser isolation technologies embraced by CDR respondents, in part because they’re designed to improve security without affecting the end user’s experience at all,” said Steve Piper, founder and CEO of CyberEdge Group. “We think that we’ll all be hearing more about the importance of this type of technology in the future.”

**About the CDR**

In November 2022, 1,200 IT security decision makers and practitioners completed a 27-question online survey. Each participant was employed by a commercial or government entity with a minimum of 500 employees. Participants came from six geographic regions: North America, Europe, Asia Pacific, the Middle East, Latin America, and Africa. The CDR gauges perceptions about cyberthreats and ascertains future plans for improving security and reducing risk. It empowers IT security professionals to benchmark their company’s security posture, operating budget, product investments, and best practices against peers in their industry and geographic region.

**About CyberEdge Group**

CyberEdge Group is an award-winning research and marketing consulting firm serving the diverse needs of information security vendors and service providers. Headquartered in Annapolis, Maryland, with 60+ consultants based across North America, CyberEdge works with approximately one in every six IT security vendors. The company’s annual Cyberthreat Defense Report provides information security decision makers and practitioners with practical, unbiased insight into how enterprises and government agencies defend their networks in today’s complex cyberthreat landscape. For more information, visit www.cyber-edge.com. The CyberEdge Group name and logo are trademarks of CyberEdge Group, LLC in the United States and other countries. All other trademarks and service marks are the property of their respective owners.

**About Menlo Security**

Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s patented Isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end user-experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions. The company is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JP Morgan Chase. Menlo Security is headquartered in Mountain View, California. For more information, please visit www.menlosecurity.com.

Source

DARKReading