For the foreseeable future, with the spigots closing shut, CISOs will need to find ways to do more with less.

It's always easier to upgrade an organization's defenses when times are flush and money's no object. But try getting your CFO to fund a new cybersecurity project when the boom goes bust.

Good luck with that.

In the immediate past, the security function received ample investment to add staff and equip teams with the latest and greatest security tools. But when uncertainty clouds the economic climate, companies rein in overall spending, reduce head count, and back away from investment projects not deemed essential. This is also when CISOs get put to the test. 

The security leaders of the organization don't have the luxury of sitting on their hands until the business cycle picks up again. Threat actors operate during good times and bad, and trust me, they will find –— and exploit — vulnerabilities that emerge from neglected defenses.

But for the foreseeable future, with the spigots closing shut, CISOs will need to find ways to do more with less.

**Dealing With a New Reality **

That sounds painful, but CISOs can handle the drill. Speaking as a former CSO, we're always under pressure to achieve more, especially when the cost of all that security overhead comes under scrutiny.  

CISOs now find themselves operating in a new environment. In short, the new reality imposes a new discipline.

For starters, security departments need to learn to be leaner than in previous years as the C-suite directs them to squeeze more out of their current technology deployments. The new marching orders will challenge their skills as business managers, forcing them to step beyond their comfort zone as technologists, perhaps for the first time. 

In practice, that may require them to reduce head counts while reviewing their security ecosystems to eliminate overlaps while amplifying supporting controls. They'll also need to demonstrate that the tools they're using are working as expected and that they're optimized by deploying the latest available intelligence.  

Some CISOs might want to push back. But savvy CISOs will recognize they need to demonstrate that they can run a smart operation, just as smartly as the rest of the other departments in the business.

If you want your organization's security to be fit, then accept the oversight and invite the new rigor coming from your board. Do the necessary advance work and be prepared to defend your asset deployment. That is just sound business practice. 

If you can explain how you're spending the company's dollars to secure the business and demonstrate that you're running an efficient operation, it pays off later on. When new threats do materialize and you make a case for a bigger budget, you'll be presenting to a more supportive and appreciative board.

When I was running cybersecurity at BT, I examined how we were set up and discovered that we had far more managers than doers. In other words, we were top-heavy with more tiers of management than was needed. So I restructured our operations to flatten the org chart, giving the employees more responsibilities and accountabilities across a broader base.

At first blush, that sounds as if I squeezed people harder than ever. But it was just the opposite. We were giving them broader, more enriched roles because the people that work in security have a real passion for what they do. All they ask is to be given the environment, the tools, and the data to do a great job. So my role was to promote that rationalization and make sure we were properly aligned to have the best-possible impact defending against attackers. And after expanding the responsibilities of the people in my security teams, guess what? They loved it.

**Winding Up Stronger Long Term**

Everyone has an innate immunity to change, but this is a moment where CISOs must step up to meet the challenge. With knowledge comes power: Not only will they learn a lot about the true capabilities of their own security organizations, but they'll also wind up more able to define future security strategy. 

Gaining a clear idea about your attack surface is a fundamental prerequisite if you hope to marshal your resources against the types of attacks heading your way. Do you have the right overlapping controls? Have you got controls that have been around for a long time? If so, are they still delivering value or have they become expensive albatrosses? If so, get rid of them and lighten up the operational costs on your teams, so you can double down on the things that matter. 

Next, consider what intelligence you have, and what you wish you had access to. If you're a CISO of a major financial institution, for example, might it be beneficial to know what threat intelligence other CISOs from competitor organizations are gathering? It might be counterintuitive to share information with rivals, but it's time to reframe our thinking around what's truly proprietary and what information we could all benefit from. Sharing threat intelligence through communities like Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and others is an effective way to bolster your defenses without having to start from scratch.

Elsewhere, have you made sure that your offboarding processes are working properly and limiting data access? Over the years, some employees may have aggregated access privileges that no longer make sense given their current jobs. That's a recipe for major trouble if they get compromised. 

Do all this so if (and when) you're ordered to make cuts, you can talk from a position of knowledge, and also ensure you're getting the most out of your existing investments. Remember, security doesn't live in products; it lives in intelligence and your ability to access and put that intelligence to work. Having done the requisite analysis, you'll be talking in business terms back to your board. That's a language they will understand and it will set you up to be stronger in the long term.

The CISO Mantra: Get Ready to Do More With Less

With the rise in cloud-based security concerns and other issues, organizations must improve data literacy across the enterprise.

**Question: How does data literacy enhance data security in the enterprise, and why is it important to enterprise security?**

**Sam Rehman, SVP and CISO, and Taryn Hess, Ph.D., Principal, Business Consulting, EPAM Systems:** The shift to cloud computing is perhaps the most significant tech trend of recent years, with the public cloud computing market expected to be worth more than $800 billion by 2025. From decreasing IT costs to increasing opportunities for innovation, the cloud holds many benefits for companies across every industry. However, many employees are unprepared to securely set up cloud applications or unaware of how poor configuration could affect data security. One of the main reasons why organizations struggle to secure their cloud environments is a companywide lack of data literacy.

In today's marketplace, a data-literate workforce — one that uses data as a company asset in decision-making, evaluates and questions data, knows how to find data, and confidently interacts with data to derive insights and tell a story about it — is critical to business success. In a 2022 survey by the Data Literacy Project, only 11% of respondents were fully confident in their data literacy skills. It is of the utmost importance that businesses engage in efforts to enhance data literacy, which will improve data security.

**Data Handling and Classification**

Fundamentally, data leaks are a result of insufficient data literacy. These incidents stem from someone not fully understanding the value of a particular data set and mishandling it by either sharing it with people who shouldn't have access or leaving it unprotected and exposed to hackers.

The consequences of not understanding and mishandling data can be costly, causing damage to brand reputation, and, should proprietary information be stolen, a company could lose market share to a competitor. Moreover, if an employee's potentially identifiable information (PII), such as their health records or religion, is leaked in a data breach, that person could be in danger.

From a data literacy perspective, everyone within a company should consider themselves a data security ambassador. Indeed, a sufficient understanding of the data an employee uses regularly will empower them to secure it properly. Of course, there are layers to data literacy within a business, as some roles require greater literacy than others — i.e., data scientists and architects compared with legal or HR personnel.

One of the main ways people can increase their data literacy is by learning data labels. In particular, people must be aware of a data set's classification and have adequate knowledge to handle that information accordingly.

Today, commercial businesses leverage data classifications similar to those the government uses, including public, internal, confidential, and restricted levels. Public data is nonsensitive information available to anyone via the company website. Internal data, such as the employee handbook, is reserved for those within the organization. Confidential data, like pricing or marketing materials, must remain limited to select teams. And restricted data, such as trade secrets or PII, is highly sensitive and could be disastrous should it be disclosed.

**Data Maturity Assessment and Culture Transformation**

Improving data literacy is a multifaceted process. To establish a baseline, brands can conduct a data maturity assessment or map data security competencies (knowledge, skills, and abilities) across every role in a company. Organizations can determine their data maturity by checking what isn't working, be it a lack of communication or misunderstanding from not speaking the same language, such as the same term meaning different things for different departments.

From there, businesses can build growth plans and create opportunities for everyone in the organization to upskill on data security based on their roles. Likewise, a data maturity assessment will reveal whether an organization needs to look outside of itself for talent.

Though the previous methods are critical to improving data literacy, almost 92% of executives rate culture as the greatest barrier, making it the top priority in this area. Shifting a culture to one that embraces data literacy can be tricky; however, by involving the right leaders and stakeholders, companies can ensure alignment across the enterprise.

Once leadership has bought in, organizations can engage everyone with data security through various means, including newsletters, project meetings, town halls, online learning, workshops, etc. Likewise, it's critical to drive awareness of potential threats, like phishing attacks, data loss, or cloud misconfiguration.

**Data Literary Undergirds All Security Efforts**

Although various strategies, such as deploying policy and encryption to protect cloud environments, are necessary to minimize the impacts of data breaches, companywide data literacy undergirds the effectiveness of such methods and must remain a priority. Indeed, data handling and proper attention to the different classifications will empower people to use data safely, driving innovation and business success.

How Does Data Literacy Enhance Data Security?

Microsoft's new AI assistant tool helps cybersecurity teams investigate security incidents and hunt for threats.

Microsoft has been leaning into its $10 billion investment in OpenAI by introducing AI assistants – all called Copilot – across its product portfolio. The latest one is Microsoft Security Copilot, to help security teams investigate and respond to security incidents.

Defenders are having a hard time dealing with a very dynamic security environment, and Microsoft Security Copilot is intended to make defenders’ lives better by using artificial intelligence to help them catch incidents that they may otherwise miss, improve the quality of threat detection, and speed up response, says Chang Kawaguchi, vice president and AI Security Architect at Microsoft. Security Copilot uses both OpenAI’s GPT-4 generative AI model and Microsoft’s proprietary security-based model to identify breaches, connect threat signals, and analyze data.

Security Copilot is intended to make “defenders’ lives better, make them more efficient, and make them more effective by bringing AI to this problem,” Kawaguchi says.

Security Copilot will ingest and make sense of huge amounts of security data – including the 65 trillion security signals Microsoft pulls every day and all the data being collected by the Microsoft products the organization is using, such as Microsoft Sentinel, Defender, Entra, Priva, Purview, and Intune. Analysts can summarize incidents, analyze vulnerabilities, and look up data on common vulnerabilities and exposures.

Analysts and incident response teams will be able to type what they are trying to understand into a text prompt – “/ask about” – and Security Copilot will return responses based on what it knows of the organization’s data. This way, security teams will be able to see connections between various parts of a security incident, such as a suspicious email, a malicious software file, or the different parts of the system that had been compromised, says Kawaguchi. The queries could be general, such as an explanation of a vulnerability, or specific to the organization’s environment, such as looking in the logs for signs that a particular Exchange flaw had been exploited. And because Security Copilot uses GPT-4, it can respond to natural language questions.

The analyst can see summaries of what happened and then follow prompts from Security Copilot to drill down deeper in the investigation. All these steps can be saved in a “pinboard,” which can be shared with other members of the security team as well as stakeholders and senior executives. All the tasks that have been completed are saved and readily accessible. There is also an automatically generated summary which will update as new tasks are completed.

“This is what makes this experience more of a notebook than a chat bot experience,” says Kawaguchi, noting that the tool can also create PowerPoint presentations based on the investigation that the security team can use to share the details of the incident afterward.

Security Copilot is not designed to replace human analysts, but to provide them with the information they need to move quickly and at scale during the course of an investigation, Kawaguchi says. Threat hunters can also use the tool to determine whether an organization is susceptible to known vulnerabilities and exploits by examining each asset in the environment, according to the company.

Forrester Senior Analyst Allie Mellen said in an email that Security Copilot was the first time a product focused on using AI to improve investigation and response. Previously AI tended to focus more on detection, Mellen said.

In a demo, Kawaguchi showed how Security Copilot can look at a cyberattack and figure out how the malware got into the network and infected the victim’s machine. Security Copilot can perform log analysis, display alert summaries, and generate graphs and other visualizations to show the sequence of events in the incident. The tool can also suggest steps for remediation and guidance.

If the information provided looks incorrect, or “off target,” there is a way to provide feedback immediately so that the model can learn. Security Copilot will continually improve as it learns from the company’s own data, as well as Microsoft’s extensive security research and visibility over the global threat landscape. However, the organization’s data will never be used to train the main Security Copilot algorithm, Kawaguchi says.

Microsoft has been flexing its AI-clout in recent weeks, going beyond Copilot in GitHub, which helps developers write code. A few weeks ago, the company announced Microsoft 365 Copilot, which allows users to use Copilot to do things like put together a PowerPoint presentation and write up articles in Word. Copilot in Dynamics 365 helps sales and customer success representatives engage with customers and prospects by sending natural-sounding messages, rather than relying on premade boilerplate messages.

Security Copilot is currently in private preview; Kawaguchi declined to specify a date for when it will be generally available, noting that it all depended on how organizations wind up using the tool. There are also long-term plans for extending Security Copilot to ingest information from other security vendors’ products.

“Security Copilot is poised to become the connective tissue for all Microsoft security products and, importantly, will integrate with third-party products as well,” Forrester’s Mellen said.

“We think that AI has the opportunity to change the game for almost all things that security folks do. We're starting with the investigation flow because this is the one where we think there's a massive amount of opportunity for efficiency and effectiveness,” Kawaguichi says.

Microsoft Security Copilot Uses GPT-4 to Beef Up Security Incident Response

A novel cyber threat against macOS users is being sold for $100 a pop on the Dark Web, and activity is ramping up.

An information-stealing malware that targets Apple's macOS operating system is making the cyberrounds, siphoning off documents, iCloud keychain data-like passwords, browser cookies, and more from unwitting Apple users.

Appropriately dubbed "MacStealer," it's going for just $100 per build on the cyber underground, so it's no surprise that "more MacStealer samples have been spreading recently," according to a recent Uptycs analysis on the threat.

The malware affects the Catalina version of macOS and subsequent versions that use Intel M1 and M2 CPUs. It also uses the encrypted Telegram messaging platform for command-and-control (C2), the researchers found.

To propagate, operators are looking for low-hanging fruit, hoping to harvest victims by luring them to download .DMG files, which are containers for macOS apps. Fake apps in app stores, piracy websites, or email attachments could all be potential conduits for infection.

"The bad actor uses a .DMG file to spread the malware. After a user executes the file, it opens a fake password prompt," Uptycs researchers explained in the post. "Once the user enters their login credentials, the stealer … \[compresses\] the data and sends it to C2 via a POST request using a Python User-Agent request. It deletes the data and ZIP file from the victim's system during a subsequent mop-up operation."

This is just the latest malware to target Macs in recent months. In February, pirated versions of Apple's Final Cut Pro video-editing software were found delivering a version of the XMRig cryptocurrency mining tool. And last year, a previously-unknown, macOS spyware called "CloudMensis" surfaced in a highly targeted campaign, exfiltrating documents, keystrokes, screen captures, and more from Apple machines.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MacStealer Malware Plucks Bushels of Data From Apple Users

The NullMixer loader has compromised thousands of endpoints in the US, France, and Italy, stealing data and selling it to Dark Web data dealers, all without setting off alarm bells.

A new version of the NullMixer dropper includes polymorphic loaders from malware-as-a-service (MaaS) and pay-per-install (PPI) providers on Dark Web markets, and it's being used to target organizations in North America, as well as Italy and France.

The malware, a known threat, typically installs a suite of downloaders, banking Trojans, stealers, and spyware on victims' systems, all in one go. The new additions, however, make the threat even more dangerous, according to a detailed NullMixer analysis this week from Security Affairs, because the threat can adapt to whatever the specific environment is that it infects.

The analysis also explains how threat actors have been using search engine optimization (SEO) poisoning and malicious video tutorials to con IT staff into installing the new malware. In just one month, the newly enhanced NullMixer malware has established initial access into more than 8,000 endpoints, stealing data to sell it to brokers in underground markets.

Most victims are running Windows 10 Professional and Enterprise operating systems, the NullMixer report said, adding that the malware also seems to have successfully infected Windows Embedded IoT environments.

"The NullMixer package is including new polymorphic loaders by third parties MaaS and PPI service providers in the underground markets, and also pieces of controversial, potentially North-Korean linked PseudoManuscript code," the researchers explained about the latest NullMixer malware strain. "Our insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers' perspective."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month

A lack of website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations leave companies open to phishing and data exfiltration attacks.

The risk score for the average company worsened in the past year as companies fail to adapt to data exfiltration techniques and adequately protect Web applications.

Companies' effective data-exfiltration risk increased to 44 out of 100 (with 100 indicating having the riskiest posture) in 2022, from an average score of 30 in the previous year, indicating that the overall risk of data being compromised has increased. That's according to rankings by Cymulate, which crunched the data on 1 million pen tests, including 1.7 million hours of offensive cybersecurity testing within its production environments.

In its "2022 State of Cybersecurity Effectiveness" report, published on March 28, the firm noted that there are various persistent problems leading to increased risk. For one, while many companies are improving their adoption and the strictness of network and group policies, attackers are adapting to sidestep such protections, the report stated. 

And the basics continue to lag: The company found that four of the top-10 CVEs identified in customer environments were more than two years old. These include the high-severity WinVerifyTrust signature validation vulnerability (CVE-2013-2900), which can allow malicious executables to pass security checks, and a memory corruption vulnerability in Microsoft Office (CVE-2018-0798).

    

How Cymulate scores risk. Source: Cymulate

There is good news, however. Data from the security assessments indicates that companies have all improved risk scores for malware detection across major platforms, and many attacks are blocked by Web gateways. 

Overall, businesses need to treat cybersecurity like any other business process, with regular checks on controls, says Mike DeNapoli, director of technical messaging for Cymulate.

"Cybersecurity needs to become a process treated like any other business process, with checks and balances and regular review," he says. "The CFO would never permit the books to remain closed except for once per year, but the systems that house all that money as data routinely only get checked out during an annual pen-test, which has to change."

All of this comes against the backdrop that companies are increasingly focused on securing their entire attack surface, improving resiliency to cyberattacks, and preventing disruption of information systems. As a result, cybersecurity services and products that reduce complexity have become more popular while large technology firms have thrown their hat into the ring, such as Microsoft's launch of Defender External Attack Surface Management in August and IBM's purchase of ASM startup Randori in June. Time will tell if these trends will move the needle on risk.

    

While the exposure risk due to WAFs has dropped, data-exfiltration risk has increased. Source: Cymulate

Meanwhile, Cymulate's analysis of a year of offensive cybersecurity testing also found that cloud and email continue to provide rich sandboxes for hackers.

**Attacks Increasingly Coming From Popular Clouds**

Attackers have shifted some aspects of their attacks away from using popular file sharing services, such as Dropbox and Box to evade email attachment filters and other security technologies, to using more generic cloud infrastructure, such as Amazon and Azure. Businesses have a harder time blocking data from large, trusted service providers, which serve as the backbone for many large cloud services and websites, DeNapoli says.

"These metrics are applied to hundreds of attempts to remove data that should be considered 'controlled' from the organization," he says. "This increase means that organizations have less control over preventing business confidential, personally identifiable, and other controlled data from being removed from the organization in unauthorized ways."

The top most successful tactics used by simulated attackers in the Cymulate research included attacking users through their browsers in a drive-by compromise scenario, archiving and exfiltrating data, and transferring that data to a cloud account, such as AWS or Azure.

**"Email Defenses Are a Team Sport"**

Nearly half of the top 10 exposures uncovered by Cymulate's pen testing involved a lack of security for basic IT infrastructure. The simulations discovered that common issues included not recognizing phishing domains, a failure to configure DNSSEC, and a lack of two technologies — Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF) — that can help stop email-based attacks.

Overall, companies have been slow to deploy critical email security and integrity technologies, such as DMARC, SPF, and a third technology, Domain Keys Identified Mail (DKIM) — together which can help prevent phishing success and brand fraud. While companies which implement DMARC, DKIM, and SPF records can better protect against email-based attacks, the technology standards are only truly effective if both sides of an exchange are using them, DeNapoli says.

"We need to begin to recognize that email defenses are a team sport and implement our part of the processes so others can be safer," he notes. "The benefit is that as more and more organizations implement these processes, our organization also becomes safer."

The report also showed that different industries have different strengths and weaknesses. The education and hospitality sectors, for example, had the highest risk of data exfiltration, while protections against the most immediate threats were lowest in the technology sector. Both technology and government organizations had worse-than-average Web application firewall protection.

Millions of Pen Tests Show Companies' Security Postures Are Getting Worse

**SANTA BARBARA, Calif.-- (March 28, 2023) --** Bitwarden, the leading open source password manager trusted by millions, today launched the open beta of Bitwarden Secrets Manager, designed to centrally secure and manage highly sensitive authentication credentials within privileged developer and DevOps environments. 

Development teams work across applications and multi-cloud infrastructures, using different tools and platforms. This leads to distributed secrets – API tokens, keys, passwords, credentials, certificates, and more —  that are difficult to manage and control, or hard-coded into source code files. 

Existing solutions have steep learning curves and are unwieldy for many teams. The implications are serious: According to the GitLab Security Trends analysis, 18% of projects hosted on GitLab were vulnerable to leaked secrets. In a separate GitGuardian report, 5 million credentials and other secrets get leaked on GitHub every year. 

For developer, devops, and IT teams, Bitwarden Secrets Manager provides a singular, simple, and convenient way to secure, control, and manage secrets. The new offering, now in beta, builds on the same trusted open source, zero knowledge, and end-to-end encryption foundation featured in the company’s industry-leading password management offering. 

**Open Beta Program**

During beta, users can explore early features of Bitwarden Secrets Manager, which includes the ability to create, manage, and edit secrets and projects; SDK and CLI tools; GitHub Actions integration, and more. For more information about beta, please visit: https://bitwarden.com/products/secrets-manager/

**Enhance Enterprise Security With Bitwarden**

Bitwarden already protects millions of individuals and businesses by securing their online credentials and critical information. Today, Bitwarden extends its zero knowledge, end-to-end encryption model, setting new standards on how developers manage infrastructure secrets. Earlier this year, Bitwarden announced the acquisition ofPasswordless.dev, which lets developers easily integrate passwordless authentication and passkeys into their software. BitwardenPasswordless.devis also currently in beta. These new offerings underscore the Bitwarden commitment to help everyone stay more secure at work and at home. 

**About Bitwarden**

Bitwarden empowers enterprises, developers, and individuals to safely store and share sensitive data. With a transparent, open source approach to password management, secrets management, and passwordless innovations, Bitwarden makes it easy for users to extend robust security practices to all of their online experiences. Founded in 2016, Bitwarden is supported by a passionate global community of security experts and enthusiasts. The company is headquartered in Santa Barbara, California and has a globally distributed team. Learn more at bitwarden.com.

Bitwarden Announces Secrets Management With a Combination of Open Source, End-to-End Encryption, and Ease of Use

In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.

Cybercriminal group Kimsuky has evolved into a full-fledged, persistent threat, carrying out "unusually aggressive" social-engineering attacks aimed at gathering intelligence, and stealing and laundering cryptocurrency to support the North Korean government.

Researchers from Mandiant have tracked a number of changes to the activity of the group, which they call APT43, in a series of rapid-fire attacks against targets in the US, South Korea, and Japan, they revealed in a report published today.

Kimsuky, also tracked as Thallium, has been on various researchers' radar screens since 2018, and its previous activity has been widely reported. In earlier attacks, the group mainly focused on conducting cyber espionage against research institutions, geo-political think tanks, and — particularly during the height of the pandemic — pharmaceutical companies.

The group typically used spear-phishing campaigns to lure in users and then installed various public and non-public malware, including spyware, onto targeted devices, which were often Android-based smartphones. In fact, Kimsuky was identified as recently as earlier this month leveraging malicious Chrome browser extensions and Android app-store services to target individuals conducting research on the inter-Korean conflict.

Now, however, Mandiant researchers have found that APT43 is evolving in several ways.

**New Financial & Social Tactics**

For one, the group is now following in the shoes of other North Korean APTs and branching out beyond mere cyber espionage to steal cryptocurrency, the researchers have found. In addition to using the ill-gotten currency to fund the regime of Kim Jong-un, as other groups do, APT43 also uses it to bolster its own activities, they said.

The group is even going the extra step of laundering the crypto through legitimate cloud-mining services so it comes out as clean currency and is difficult to track — an activity that might be used by other groups, but has flown under the radar until now, the researchers said.

"The washing of funds and the 'how' has been the missing piece of the equation," notes Michael Barnhart, Mandiant principal analyst at Google Cloud. "We have indications that APT43 utilizes specific hash rental services to launder these funds by mining for different cryptocurrencies."

For a small fee, these services provide hash power, which APT43 uses to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer's original payments. This allows the APT to use stolen funds to mine for a different cryptocurrency, the researchers said. By spending very little, threat actors walk away with untracked, clean currency to do as they wish, Barnhart explains.

Moreover, APT43 — while technologically unsophisticated — relies on advanced and persistent social-engineering tactics in which threat actors create convincing fake personas and exhibit patience in building relationships with targets over several weeks without using malware, the researchers said.

"I've never seen an APT quite as successful with such novel techniques," Barnhart notes. "They pretend to be subject-matter experts or reporters and ask targeted questions — often with the promise of quoting the victim in a report or news article — and successfully gain feedback."

Indeed, in some instances, attackers successfully convinced targeted victims to send over proprietary, geopolitical analysis and research without deploying malware at all, the researchers said.

This deviates from standard procedure for most threat groups, allowing APT43 to expend little effort or resources in building malware and gaining the information they are seeking in a low-fi way — by merely asking victims for it, Barnhart notes.

**High Volume Cyberattacks, Shifting Targets**

APT43 has shifted its targets, and the malware it uses, in campaigns over the years in response to the demands of the North Korean government and the cyberespionage activities it requires of the group, according to Mandiant.

"APT43 ultimately modifies its targeting and tactics, techniques, and procedures (TTPs) to suit its sponsors, including carrying out financially-motivated cybercrime as needed to support the regime," the researchers said in the report.

For example, prior to October 2020, the group primarily targeted US and South Korean government offices, diplomatic organizations, and think tank-related entities with a stake in foreign policy and security issues affecting the Korean peninsula. Over the next year, however, the group shifted its focus to COVID-19 response efforts in North Korea by targeting health-related verticals and pharmaceutical companies in South Korea, the US, Europe, and Japan.

One notable difference that has emerged between the group and other North Korean threat actors is a recent shift to expand, targeting "everyday users" based on "the sheer velocity and volume of attacks," says Joe Dobson, Mandiant principal analyst.

"By spreading their attack out across hundreds, if not thousands, of victims, their activity becomes less noticeable and harder to track than hitting one large target," he says. "Their pace of execution, combined with their success rate, is alarming."

APT43 is aiming its high-volume activity at entities and organizations in government, business services, and manufacturing as well as think tanks and organizations in education and research related to geopolitical and nuclear policy in the US, South Korea, and Japan, the researchers said.

Given its advanced social-engineering tactics and tendency to go after both specific individuals and wider-net targets, researchers advised organizations that may be at risk to share with their employees "a greater understanding of cyber hygiene and heightened awareness," Barnhart says. "It's important to make personnel aware of this threat actor's TTPs," Barnhart says.

He adds that the APT's spoofed emails are highly convincing, which makes them difficult to spot, even for savvy users; thus, organizations at risk should be on high alert.

North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT43

A technique, dubbed the "Near-Ultrasound Inaudible Trojan" (NUIT), allows an attacker to exploit smartphones and smart speakers over the Internet, using sounds undetectable by humans.

The sensitivity of voice-controlled microphones could allow cyberattackers to issue commands to smartphones, smart speakers, and other connected devices using near-ultrasound frequencies undetectable by humans for a variety of nefarious outcomes — including taking over apps that control home Internet of Things (IoT) devices.

The technique, dubbed a Near-Ultrasound Inaudible Trojan (NUIT), exploits voice assistants like Siri, Google Assistant, or Alexa and the ability of many smart devices to be controlled by sound. According to researchers at the University of Texas at San Antonio (UTSA) and the University of Colorado at Colorado Springs (UCCS), most devices are so sensitive that they can pick up voice commands even if the sounds are not in the normal frequency range of human voices. 

In a series of videos posted online, the researchers demonstrated attacks on a variety of devices, including iOS and Android smartphones, Google Home and Amazon Echo smart speakers, and Windows Cortana. 

In one scenario, a user might be browsing a website that is playing NUIT attack commands in the background. The victim might have a mobile phone with voice control enabled in close proximity. The first command issued by the attacker might be to turn down the assistant's volume so that responses are harder to hear, and thus less likely to be noticed. After that, subsequent commands could ask the assistant to use a smart-door app to unlock the front door let's say. In less concerning scenarios, commands could cause an Amazon Alexa device to start playing music or give a weather report.

The attack works broadly, but the specifics vary per device.

"This is not only a software issue or malware," said Guenevere Chen, an associate professor in the UTSA Department of Electrical and Computer Engineering, in a statement. "It's a hardware attack that uses the internet. The vulnerability is the nonlinearity of the microphone design, which the manufacturer would need to address."

    

Using inaudible sounds played through a speaker, an attacker can issue commands to smart devices. Source: UTSA and UCCS

Attacks using a variety of audible and non-audible frequencies have a long history in the hacking world. In 2005, for example, a group of researchers at the University of California, Berkeley, found that they could recover nearly all of the English characters typed during a 10-minute sound recording, and that 80% of 10-character passwords could be recovered within the first 75 guesses. In 2019, researchers from Southern Methodist University used smartphone microphones to record audio of a user typing in a noisy room, recovering 42% of keystrokes.

The latest research appears to use the same techniques as a 2017 paper from researchers at Zhejiang University, which used ultrasonic signals to attack popular voice-activated smart speakers and devices. In the attack, dubbed the DolphinAttack, researchers modulated voice commands on an ultrasonic carrier signal, making them inaudible. Unlike the current attack, however, the DolphinAttack used a bespoke hardwired system to generate the sounds rather than using connected devices with speakers to issue commands.

**Defenses Against NUIT Cyberattacks**

The latest attack allows any device compatible with audio commands to be used as a conduit for malicious activity. Android phones could be attacked through inaudible signals playing in a YouTube video on a smart TV, for instance. iPhones could be attacked through music playing from a smart speaker and vice versa.

In most cases, the inaudible "voice" does not even need to have to be recognizable as the authorized user, said UTSA's Chen in a recent statement announcing the research.

"Out of the 17 smart devices we tested, \[attackers targeting\] Apple Siri devices need to steal the user's voice, while other voice assistant devices can get activated by using any voice or a robot voice," she said. "It can even happen in Zoom during meetings. If someone unmutes themselves, they can embed the attack signal to hack your phone that's placed next to your computer during the meeting."

However, the receiving speaker has to be turned up fairly loud for an attack to work, while the length of the malicious commands has to be less than 0.77 seconds, which can help mitigate drive-by attacks. And devices that are hooked into earbuds and headsets are less likely to be vulnerable to being used by an attacker, according to Chen.

"If you don't use the speaker to broadcast sound, you're less likely to get attacked by NUIT," she said. "Using earphones sets a limitation where the sound from earphones is too low to transmit to the microphone. If the microphone cannot receive the inaudible malicious command, the underlying voice assistant can't be maliciously activated by NUIT."

The technique is demonstrated in dozens of videos posted online by the researchers, who did not respond to a request for comment before publication.

Hey, Siri: Hackers Can Control Smart Devices Using Inaudible Sounds

IoT risk and security must get more attention from vendors and support from the marketplace.

The Internet of Things (IoT) is and always will be a contentious subject for cybersecurity. Not because of the convenience these devices add but for the risk they inject into the lives of people and businesses.

As cybersecurity professionals, we often quote cynical jokes to laugh and cope with the reality of our jobs. So stop me if you've heard this one: Did you know that the S in IoT stands for security? Half of you chuckled at it, and the other half probably took a second to realize that there is no S or security in the IoT acronym.

As cybersecurity professionals, we're often stuck between a rock and a hard place when assessing the risk these devices pose to us personally and professionally. There are more than a billion IoT devices on the Internet, each with the potential to be exploited. A business might have a compelling business imperative an IoT solution can enable, but that solution may inject an undue security risk into protecting safety and productivity. A Wi-Fi-connected security camera may give a homeowner peace of mind about securing a property, but may also expose that property to additional risk from hackers who can take control of the camera and abuse the platform.

**Market Forces vs. IoT Vendors**

So how did we get here? The easy answer is: IoT vendors continue to fail us on implementing solid cybersecurity controls. The difficult answer is: The market continues to push many IoT vendors into offering the lowest cost and most competitive products. They achieve this by sacrificing or outright neglecting cybersecurity for their solutions.

By choosing to not address security, vendors are pushing the risk to the consumers who are often oblivious to the dangers. In commercial solutions, this can have serious consequences. A medical facility that relies on IoT devices to manage patient care cannot weather an outage without endangering patients. Nor would they want patient data inadvertently exposed due to insecure IoT devices, or worse, have actual medical care disrupted.

So how did we, as consumers and dependents of IoT, get here to this untenable state of IoT risk and security? The answers, as they always seem to do, eventually lead back to money.

There are quite a few big-name players in the commercial and residential IoT space. These are name brands that most everyone can recognize: Google, Huawei, Microsoft, and others. While these companies are mature and responsive to security threats in IoT, it's the more niche companies that are more concerning.

**IoT Cost Points**

So, here's a thought experiment. Imagine you're a small IoT company and you want to develop a niche product that will enter an already crowded IoT market. What kind of costs does it take to develop the IoT product? Some cost points to consider:

**1\. Qualified development personnel are hard to come by for IoT.** You will need a solid team of hardware, networking, application design, business intelligence and automation experts to help bring your product to market.

**2\. Hardware and software costs can range from small to huge sums of money.** The more complex the device and service, the higher the cost.

**3\. What is the connection model?** Wi-Fi, Bluetooth, cellular? Each adds more to the cost, some more than others.

**4\. You must design a product UI!** If you intend to win on the merits of your product, a smooth user experience is a must.

**5\. What about security?** Do we have to use encryption? How about a secure protocol, or hardware that has secure firmware? Well, unless there's a regulatory requirement, there's no money for it. We have to keep costs down if we intend to compete.

**Best IoT Security Development Steps**

While the scenario is a generalization, it's not far from the truth. Developing an IoT product with security features adds to costs many companies either do not consider, or have deliberately chosen to neglect. Further complicating things, what if the company that makes an IoT device no longer supports it? Or what if that company simply goes out of business?

Is any of this resolvable? To an extent, yes. Companies can usually push over-the-air (OTA) updates to products that can address security issues. They can also utilize cloud service frameworks that mandate security between the device, the cloud, and the company. Vendors can also employ outside third parties to audit and evaluate the IoT solution. An outside third party can fairly evaluate and help the vendor address vulnerabilities in the hardware or software. Application developers can be trained in secure software development. The product can be designed with hardware robust enough to accommodate secure implementations.

However, all these things represent monetary investments a company has to willingly make. And the investments are continuous — with every device patch or new feature offering, the same security evaluations have to be performed again and again.

**It's Time to Step Up**

What do we do? The first step is educating the consumers. As security professionals, we must do our best to help others have situational awareness and help evaluate risk. This in turn can help for security investments that can help mitigate the vulnerabilities that some IoT devices inject into our risk models.

Helping call out insecure practices and companies can also help. We have a unique opportunity and position to help advocate for everyone who utilizes an IoT device and should use our voices to help wherever we can.

Source

DARKReading