By investing in a strong future cybersecurity workforce, we can prevent future attacks on US critical infrastructure before they occur.

Our K–12 schools are under cyberattack. From 2016 to 2022, public K–12 schools in the United States fell victim to more than 1,600 cyber incidents, including ransomware, phishing, and denial-of-service (DoS) attacks. Recently, schools in Minnesota, New Hampshire, and North Carolina were shuttered as a result. These attacks have caused considerable disruption to students and educators caught in the crosshairs.

We are nearing the end of National Cybersecurity Education Month, an effort led by Senator Jacky Rosen (D-NV), to increase awareness of cybersecurity education and its role in improving US national security. Now more than ever, we have a responsibility to stop cyber incidents on schools before they begin. This starts with K–12 cybersecurity education.

Many schools lack funding for sophisticated cyber protections and IT talent to protect infrastructure, making them easy targets. The federal government has taken notice. The Cybersecurity & Infrastructure Security Agency (CISA) now provides recommendations on the key steps K–12 schools to effectively reduce cybersecurity risk.

This underscores the importance of preventing cyberattacks on schools from happening in the first place by investing in K–12 cybersecurity education and the next generation of cybersecurity professionals.

The nation continues to face a systemic cyber talent workforce shortage, with more than 750,000 open cybersecurity positions. At the same time, less than half of students nationwide are learning about cybersecurity in the classroom. CISA Director Jen Easterly emphasized that addressing the cybersecurity talent gap begins by engaging students at all levels of education, as well as more women, girls, and minorities in cybersecurity.

There is infrequent and unequal access to K–12 cybersecurity education, as students in small and high-poverty districts are significantly less likely to be exposed to the subject.

Here are three key steps educators and school leaders can take to ensure that all students — regardless of socioeconomic status or ZIP code — have access to cybersecurity education.

**1\. Continue Cybersecurity Education for Teachers**

Teachers are central to empowering students in every subject, but this isn't possible unless we empower teachers with the skills and confidence to teach cybersecurity. Through professional development and readily available resources, educators can learn core cybersecurity concepts and become cyber literate. Armed with the skills and tools to teach cybersecurity, educators can inspire students to succeed in our 21st-century workforce.

**2\. Integrate Cybersecurity Education and Standards Into Existing Curriculum**

Introducing cybersecurity concepts in the classroom can seem daunting, but thanks to existing resources, educators don't need to start from scratch. Educators can use no-cost cybersecurity lessons to integrate cybersecurity into their curriculum, regardless of the subject they teach. Additionally, the national K–12 Cybersecurity Learning Standards provide another road map for educators to ensure students have not only a foundational understanding of cybersecurity, but also the skills and knowledge needed to pursue cybersecurity careers in greater numbers. Designed to be comprehensive, easy to use and easy to find, the standards are available to states, districts, and all educators at no cost.

**3\. Partner on Cybersecurity With Colleges and Universities**

When presenting K–12 students with a potential new career path, it's important to provide examples of what pursuing cybersecurity can lead to. Establishing partnerships and mentorship programs between K–12 schools and higher education institutions that offer cybersecurity degree programs help students envision pursuing cybersecurity in college and as a career.

Building a pipeline of future cyber professionals starts with ensuring that all K–12 students have equitable access to cybersecurity education and the skills to pursue careers in the field. Dedicated educators and school leaders are essential to making this a reality. By investing in a strong future cybersecurity workforce, we can prevent future cyberattacks on US critical infrastructure, like our K–12 schools, before they occur.

Preventing Cyberattacks on Schools Starts With K–12 Cybersecurity Education

**MARLTON****, N.J.** **,** **June 23, 2023** **/PRNewswire/ --** Between 2.5 to 2.7 million consumers are being notified that their Social Security numbers and other confidential information were compromised when hackers were able to exploit a vulnerability in software used by a vendor of Genworth Financial, Inc.

The data breach lawyers at Console & Associates, P.C. are investigating claims on behalf of Genworth Financial policyholders and anyone else affected by the breach, hoping to fully inform them of the risks they face in the wake of the breach as well as their legal rights.

The sensitive personal data of at least 2.5 million Genworth Financial policyholders has been compromised. Now, their full names, Social Security numbers and other personal information may be in the hands of criminals who can use the stolen data to carry out various schemes, such as identity theft and other frauds.

On June 22, 2023, Genworth Financial filed a Form 8-K with the Securities and Exchange Commission describing a third-party data breach affecting consumers nationwide. Genworth notes that the incident stemmed from a third-party vendor's use of the managed file transfer software, MOVEit.

Evidently, Genworth Financial was notified by its vendor, PBI Research Services, that a vulnerability in the MOVEit file-transfer software, created by Progress Software, allowed hackers to download confidential policyholder data.

According to the notice, the data breach affected an estimated 2.5 million policyholders and other customers.

The list of sensitive information that was exposed includes names, Social Security numbers, and other personal information.

If you receive a data breach notice from Genworth Financial, you could now be at risk of identity theft—and the life-changing financial and legal consequences that follow in its wake.

Genworth Financial may offer those who were affected by the breach with complimentary credit monitoring and identity restoration services. And while victims should enroll in this service immediately, it is not sufficient to protect them from the risks of a data breach.

**What to Do if You Receive a Genworth Financial Data Breach Letter**

Individuals who receive a data breach letter from Genworth Financial should take all necessary steps to protect themselves. (See our Guide for Victims of Data Breach for more details at https://www.myinjuryattorney.com/consumer-privacy-data-breach-lawyers/if-your-information-has-been-compromised-in-a-data-breach/.) Additionally, data breach victims should consider speaking with a data breach attorney as soon as possible. Those consumers who receive a data breach letter from Genworth Financial may be entitled to financial compensation.

If you wish to discuss this data security incident, or if you have any questions regarding your rights following the Genworth Financial data breach, please contact Console & Associates, P.C. at (866) 778-5500. Interested parties and potential plaintiffs can also learn more about this data breach and potential lawsuit at https://www.myinjuryattorney.com/genworth-financial-data-breach-investigation/.

Anyone who has received a Notice of Data Breach letter may contact the firm to learn more about their rights.

Genworth Financial Reports Data Breach Leaking SSNs Belonging to 2.7M Policyholders and Customers

CEO says SEC penalties related to the 2020 SolarWinds supply chain attacks are unwarranted and is ready to mount a defense to any legal actions against the company or its employees.

The Security and Exchange Commission (SEC) has issued a notice to SolarWinds executives that it intends to bring enforcement actions against them for their role in the 2020 SolarWinds cyber incident. But neither SolarWinds as an organization nor its current or former employees seem prepared to go down without a fight.

In response to a Wells Notice issued by the SEC, SolarWinds CEO Sudhakar Ramakrisha sent an internal email to employees vowing to fight any legal action taken by the regulator.

"Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company," Ramakrishna told employees in the email provided to Dark Reading. "We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves."

While Ramakrishna goes on to cast the SEC's actions as a distraction to the organization's goals, a SolarWinds spokesperson tells Dark Reading that the SEC's actions against the company and its executives will ultimately hurt the wider cybersecurity community by discouraging disclosures to avoid facing penalties.

"We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers," the spokesperson added in an emailed statement. "Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure."

Although a Wells Notice like the one issued to SolarWinds executives this week isn't legally required, it's a common practice of the SEC to issue one ahead of enforcement, according to Cornell Law School, and it offers the opportunity for the target to submit a written statement to the regulator ahead of any decision being handed down.

Last November, the SEC issued a similar Wells Notice directed at SolarWinds, alleging the organization violated laws related to the breach disclosure as well as controls and procedures related to the infamous cyberattack.

"SunBurst \[SolarWind's preferred name for the incident\] was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before," the company spokesperson added. "SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure."

SolarWinds Execs Targeted by SEC, CEO Vows to Fight

A recent campaign shows that the politically motivated threat actor has more tricks up its sleeve than previously known, targeting an old RCE flaw and wiping logs to cover their tracks.

_Editor's Note: This article was updated on 7/3/2023 to clarify that_ _CVE-2021-40539_ _was patched in Sept. 2021._

The recently discovered Chinese state-backed advanced persistent threat (APT) "Volt Typhoon," aka "Vanguard Panda," has been spotted using a two-year old critical vulnerability in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. And it's now sporting plenty of previously undisclosed stealth mechanisms.

Volt Typhoon came to the fore last month, thanks to joint reports from Microsoft and various government agencies. The reports highlighted the group's infection of critical infrastructure in the Pacific region, to be used as a possible future beachhead in the event of conflict with Taiwan.

The reports detailed a number of Volt Typhoon's tactics, techniques, and procedures (TTPs), including its use of internet-exposed Fortinet FortiGuard devices for initial intrusion, and the hiding of network activity via compromised routers, firewalls, and VPN hardware.

But a recent campaign outlined by CrowdStrike in a recent blog post suggests that Volt Typhoon is flexible, with the ability to customize its tactics based on data gathered through extensive reconnaissance. In this case, the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its Web shell as a legitimate process and erased logs as it went along.

These previously unknown tactics enabled "pervasive access to the victim's environment for an extended period," says Tom Etheridge, chief global professional services officer for CrowdStrike, which didn't reveal details on the victim's location or profile. "They were familiar with the infrastructure that the customer had, and they were diligent about cleaning up their tracks."

**Volt Typhoon's Evolving Cyber Tactics**

CrowdStrike researchers' spidey senses tingled when suspicious activity seemed to be emanating from its unidentified client's network.

The then-unrecognized entity appeared to be performing extensive information-gathering — testing network connectivity, listing processes, gathering user information, and much more. It "indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for \[Windows Management Instrumentation\]," the researchers wrote in their blog post.

It turned out, after some investigating, that the attacker — Volt Typhoon — had deployed a webshell to the network a whole six months prior. How did it go unnoticed for so long?

The story began with CVE-2021-40539, a critical (9.8 CVSS score) remote code execution (RCE) vulnerability in ADSelfService Plus, discovered and patched back in Sept. 2021. ManageEngine software, and ADSelfService Plus in particular, has been critically exposed on a number of occasions in recent years (CVE-2021-40539 isn't even its most recent critical 9.8 CVSS RCE vulnerability — that title goes to CVE-2022-47966).

With initial access, the attackers were able to drop a Web shell. Here was where the more interesting stealth began, as the researchers observed "the webshell was attempting to masquerade as a legitimate file of ManageEngine ADSelfService Plus by setting its title to ManageEngine ADSelfService Plus and adding links to legitimate enterprise help desk software."

The group proceeded to siphon administrator credentials and move laterally in the network. It took a cruder, manual approach to covering its tracks this time around, going to "extensive lengths to clear out multiple log files and remove excess files from disk," the researchers explained.

The evidence tampering was extensive, nearly eliminating all traces of malicious activity. However, the attackers forgot to erase the Java source code and compiled Class files from their targeted Apache Tomcat Web server.

"If it wasn't for that slight slip up that was reported in the blog, they probably would have gone unnoticed," Etheridge says.

**How to Defend Against Volt Typhoon Cyberattacks**

Thus far, Volt Typhoon has been observed targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. It's most notable, however, for seeking out critical infrastructure in the United States and Guam — a strategic point of American defense of Taiwan against China.

According to Etheridge, some of the same principles in this case study could be equally applied to a critical infrastructure breach. "Operational technology (OT)-type environments are typically targeted through IT infrastructure first, before the threat actor moves to the infrastructure," he points out. "Certainly the tactics that we see them deploying would be concerning from a critical infrastructure perspective."

To meet the threat of Volt Typhoon, Etheridge says, one major point is identity management.

"Identity is a huge challenge for a lot of organizations. We've seen a huge uptick in advertisements for stolen credentials, and stolen credentials are leveraged quite extensively in the incidents that we respond to each and every day," he says. In this case, being able to leverage stolen credentials was key to Volt Typhoon's remaining under the radar for so many months.

Etheridge also emphasizes the importance of threat hunting and incident response. Nation-state threat actors are notoriously impossible to stop entirely, but organizations will be better prepared to mitigate the worst possible consequences, he says, if they're able "to understand when something is going on in your environment, and being able to take corrective action quickly."

China's 'Volt Typhoon' APT Turns to Zoho ManageEngine for Fresh Cyberattacks

Identity threat detection and response adds user entity behavioral analytics to fraud detection, creating a powerful tool for real-time protection.

The advantages of using proactive approaches to identify threats before the attackers can cause too much damage are clear to enterprise security teams. One such approach, identity threat detection and response (ITDR), focuses on finding and mitigating threats by monitoring user behavior and detecting anomalies.

ITDR involves continuous monitoring of user identities, activities, and access patterns within an organization's network. Security teams use ITDR tools to detect and respond to potential threats and unauthorized access attempts in real time.

ITDR typically involves the following key components:

*   **Data collection:** Gathering user activity data from various sources, such as log files, network traffic, and application usage.
*   **User profiling:** Creating a baseline of normal user behavior patterns, including access habits, data usage, and time spent on specific tasks.
*   **Anomaly detection:** Comparing current user activities with the established baseline to identify deviations that may indicate potential threats or unauthorized access attempts.
*   **Alerting and response:** Notifying IT security teams of suspicious activities and providing them with the necessary information to investigate and remediate threats.
*   **Continuous improvement:** Updating user behavior baselines and refining detection algorithms as users and threats evolve.

ITDR is not an entirely new concept, as it builds upon established methodologies such as fraud detection and user entity behavioral analysis (UEBA).

Fraud detection refers to the process of identifying and preventing fraudulent activities, such as unauthorized transactions or account takeovers, in industries like banking and finance. Fraud detection systems analyze vast amounts of data, including user behavior, transaction patterns, and historical trends, to identify anomalies that may signal fraud. By detecting potential fraud early, organizations can mitigate financial losses and protect their customers' trust.

Similarly, UEBA is a security approach that focuses on detecting and preventing insider threats by monitoring user activities within an organization's network. UEBA solutions analyze user behavior patterns — such as login times, data access, and system usage — to identify deviations that may indicate malicious intent or compromised accounts. By detecting potential insider threats early, organizations can prevent data breaches and minimize damage to their reputation.

**How ITDR, Fraud Detection, and UEBA Are Similar**

At their core, ITDR, fraud detection, and UEBA share the common goal of identifying and mitigating potential threats by monitoring user behavior and detecting anomalies. While their specific applications may differ, they all leverage advanced analytics, machine learning algorithms, and continuous monitoring to achieve this goal. Here are some key similarities between these approaches:

*   **Centered on data:** All three methodologies rely on the collection and analysis of large volumes of data to detect potential threats. This includes user activities, access patterns, and historical trends, which are used to create a baseline of normal behavior and identify deviations.
*   **Real-time monitoring and detection:** ITDR, fraud detection, and UEBA solutions continuously monitor user activities and analyze data in real time to detect potential threats as they occur. This enables organizations to respond quickly to incidents and minimize damage.
*   **Anomaly detection and alerting:** These methodologies employ advanced analytics and machine learning algorithms to identify anomalies that may signal potential threats. Upon detection, IT security teams are alerted, enabling them to investigate and remediate incidents.
*   **Emphasis on adapting and evolving:** ITDR, fraud detection, and UEBA solutions are designed to adapt and evolve as user behavior and threat landscapes change. By continuously updating behavior baselines and refining detection algorithms, these systems remain effective in detecting new and emerging threats.
*   **Focus on prevention:** These approaches emphasize proactive threat detection and response, aiming to identify potential incidents before they can cause significant harm. By focusing on prevention, organizations can reduce the impact of security breaches and protect their valuable assets.

**Risks and Rewards of Moving to ITDR**

As the cybersecurity landscape continues to evolve, the need for innovative and proactive security solutions becomes increasingly apparent. Heidi Shey, principal analyst at Forrester Research, predicted two serious risks CISOs will encounter in implementing ITDR. First, a C-level executive to be fired for their firm's use of employee monitoring, which can violate data protection laws like GDPR. Second, a Global 500 firm will be exposed for burning out its cybersecurity employees, who are expected to be available 24/7 through major incidents, stay on top of every risk, and deliver results in limited timeframes.

Finally, Shey also predicted that at least three cyber insurance providers will acquire a managed detection and response (MDR) provider in 2023, continuing the trend that Acrisure started in 2022. These MDR acquisitions will give insurers high-value data about attacker activity to refine underwriting guidelines, unparalleled visibility into policyholder environments, and the ability to verify attestations. Such moves will change cyber insurance market dynamics and the requirements for coverage and pricing, which should help push security measures like ITDR into common use.

ITDR is not a radical departure from established cybersecurity methodologies, but rather an extension and refinement of existing practices. By recognizing the common threads between ITDR, fraud detection, and UEBA, organizations can build on their existing security investments and expertise to create a more comprehensive and robust security posture.

ITDR Combines and Refines Familiar Cybersecurity Approaches

Integration provides threat intel teams with an early warning system for geopolitical events that could trigger cyberattacks.

**London, UK – 21 June 2023** – Silobreaker, a leading security and threat intelligence technology company, has announced its enhanced geopolitical threat intelligence capabilities with RANE (Risk Assistance Network + Exchange) at Infosecurity Europe, 20-22 June 2023. The tie-up will see Silobreaker integrate global risk intelligence company RANE's Enterprise Geopolitical Intelligence into its own threat intelligence platform, providing cyber threat intelligence (CTI) teams with real-time information about world events that could heighten the risk of cyberattacks.

With the addition of RANE's geopolitical threat intelligence, analysis and forecasting capabilities, Silobreaker's platform will provide CTI teams with vital context into highly complex, interconnected events, allowing them to take proactive steps to reduce their organisations' exposure to risks impacting business productivity, resiliency and continuity.

The integration allows users to seamlessly access RANE reports, country risk scores and the full resources of Silobreaker's data source-agnostic platform. CTI teams can easily retrieve RANE's geopolitical intelligence and pivot between it and other finished intelligence sources, or data from millions of open and dark web sources, to contextualise results and meet complex intelligence requirements. With automated data collection and processing at scale — and fully customisable dashboards and rich reporting capabilities — Silobreaker enables organisations to make intelligence-led decisions quickly and from one place, maximising the value of their threat intel investments.

"In recent years, there's been a blurring of the lines between geopolitical events and cyber activity. Today, if you want to defend against the latter, you absolutely need to know about the former," said Kristofer Mansson, CEO of Silobreaker. "With RANE's geopolitical threat intelligence integrated into our platform, organisations have access to an early warning system of the events that cross over with the most pressing current cyber threats — emphasising the importance of multi-disciplinary intelligence for mitigating the most serious risks."

Also debuting at Infosec Europe is Silobreaker's new **Vulnerability Alert**. Scheduled for launch on 21 June, this weekly alert enables users to stay informed about significant developments for patch prioritisation. Users can keep up to date on actively exploited vulnerabilities and zero-days, including exploit maturity and attack complexity. It will also offer valuable insights into trending critical and high-severity vulnerabilities, and deliver the top stories from Patch Tuesday and the week’s major campaigns. 

Silobreaker has recently been recognised as a Representative Vendor in the 2023 **Gartner® Market Guide for Security Threat Intelligence Products and Services (May 2023)**. The company's Cyber Threat Intelligence, Physical Risk Intelligence, Strategic and Political Intelligence and Brand Threat Protection are among the products and services listed.

To see a demo of the Silobreaker-RANE integration live, join us at the Silobreaker stand (Z40) at Infosecurity Europe, ExCel, London, 20-22 June 2023.

**Objectivity Disclaimer**

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organisation and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Silobreaker**

Silobreaker is a SaaS platform that enables threat intelligence teams to produce high-quality and relevant intelligence at a faster pace. We do this by bringing together all the steps of the intelligence cycle in one place; from the management of cyber, physical and geopolitical PIRs to the automated collection and processing of structured and unstructured data from open, deep and dark web and finished intelligence sources; to the analysis, production and dissemination of intelligence. This helps intelligence teams work more efficiently to identify and prioritise threats and supports decision-makers to act faster to mitigate risk, protect revenue and drive business results.  Learn more at www.silobreaker.com

**About RANE**

RANE is a global risk intelligence company that provides risk and security professionals with critical insights and analysis to better anticipate, monitor, and respond to emerging threats. For more information about RANE, visit 

Infosecurity Europe brings together information security professionals attending from every segment of the industry, as well the leading industry suppliers showcasing their products and services, industry analysts, worldwide press and policy experts. Expert practitioners are lined up to take part in the free-to-attend conference, seminar and workshop programme. Find out more at https://www.infosecurityeurope.com.

Silobreaker Unveils Geopolitical Threat Intelligence Capabilities With RANE at Infosecurity Europe 2023

It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.

The US National Security Agency (NSA) is urging systems administrators to go beyond patching in order to protect Windows 10 and 11 machines from the BlackLotus bootkit malware.

BlackLotus burst on the scene last fall when it was spotted for sale on the Dark Web for $5,000. It has the dubious distinction of being the first in-the-wild malware to successfully bypass to Microsoft's Unified Extensible Firmware Interface (UEFI) Secure Boot protections.

UEFI is the firmware that's responsible for the booting-up routine, so it loads before the operating system kernel and any other software. BlackLotus — a software, not a firmware threat, it should be noted — takes advantage of two vulnerabilities in the UEFI Secure Boot function to insert itself into the earliest phase of the software boot process initiated by UEFI: CVE-2022-21894, aka Baton Drop, CVSS score 4.4; and CVE-2023-24932, CVSS score 6.7. These were patched by Microsoft in January 2022 and May 2023 respectively.

But the country's top technology intelligence division warned that applying the available Windows 10 and Windows 11 patches is only a "a good first step."

"Patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX)," according to a BlackLotus mitigation guide (PDF) released by the NSA this week. "Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot."

That means that bad actors can simply replace fully patched boot loaders with legitimate but vulnerable versions in order to execute BlackLotus on compromised endpoints. It's an issue that Microsoft is addressing with a more comprehensive fix planned for release in early 2024, but until then, the NSA recommends that infrastructure owners take additional steps to harden their systems, such as tightening up user executable policies, and monitoring the integrity of the boot partition. An optional advanced mitigation is to customize the Secure Boot policy by adding DBX records to all Windows endpoints.

"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum, in the advisory.

And indeed, the advisory offers extensive hardening advice, but fully implementing the NSA's guidance is a process unto itself, notes John Gallagher, vice president of Viakoo Labs.

"Given the manual nature of NSA's guidance, many organizations will find that they don't have the resources needed to fully remediate this vulnerability. Additional measures like use of network access control and traffic analysis should also be used until Microsoft can provide a more complete fix," he says.

**BlackLotus, A First-of-its-Kind Bootkit**

Executing malware like BlackLotus does offer cyberattackers several significant advantages, including ensuring persistence even after OS reinstalls and hard drive replacements. And, because the bad code executes in kernel mode ahead of security software, it's undetectable by standard defenses like BitLocker and Windows Defender (and can indeed turn them off entirely). It also can control and subvert every other program on the machine and can load additional stealthy malware that will execute with root privileges.

"UEFI vulnerabilities, as the guidance from NSA shows, are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions," says Gallagher. "The guidance NSA is providing is critically important as a reminder to pay attention to boot-level vulnerabilities and have a method to address them."

It all sounds pretty dire — an assessment of which many systems administrators agree. But as the NSA noted, most security teams are confused about how to combat the danger that the bootkit poses.

"Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat," according to the NSA guidance. "Other organizations believe there is no threat, due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."

The NSA didn't provide an explanation for why it's issuing the guidance now — i.e., it didn't issue information about recent mass exploitation efforts or in-the-wild incidents. But John Bambenek, principal threat hunter at Netenrich, notes that the NSA piping up at all should indicate that BlackLotus is a threat that requires attention.

"Whenever the NSA releases a tool or guidance, the most important information is what they aren't saying," he says. "They took the time and effort to develop this tool, declassify it, and release it. They will never say why, but the reason was worth a significant diversion from how they usually operate by saying nothing."

NSA: BlackLotus BootKit Patching Won't Prevent Compromise

Unknown senders have been shipping smartwatches to service members, leading to questions regarding what kind of ulterior motive is at play, malware or otherwise.

The US Army's Criminal Investigation Division (CID) is warning service members to look out for unsolicited smartwatches arriving in the mail, which likely carry risks of malware and allowing unauthorized access to sensitive systems.

When used, the smartwatches are able to auto-connect to the local Wi-Fi network, and can also connect to cellphones, thus allowing access to a user's data. The snooped information can be private and used to exploit a victim, the advisory warned, and it's possible that these watches also carry malware that could allow a threat actor to access, save, or transfer data such as banking information, account information, or personal contacts. 

"Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This 'surprise smartwatch' tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information," said Melissa Bischoping, director of endpoint security research at Tanium, in an emailed comment. "As the adage goes, if it's too good to be true, it probably is, and if you're not paying for the product, you ARE the product."

Alternatively, these mystery smartwatches sent from unknown senders could also be used for a practice known as "brushing," in which presumably counterfeit products are sent via mail to random individuals so that companies can write positive reviews in the name of the person they sent the product to.

Should anyone, military personnel or otherwise, receive a product such as this, the CID advises recipients not to turn it on and to report it to local counterintelligence, or through its "Report a Crime" portal, where individuals can also submit tips.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Suspicious Smartwatches Mailed to US Army Personnel

Exploiting a flaw in how the app handles communication with external tenants gives threat actors an easy way to send malicious files from a trusted source to an organization's employees, but no patch is imminent.

A bug in the latest version of Microsoft Teams allows for external sources to send files to an organization's employees even though the application typically blocks such activity, researchers have found. This give threat actors an alternative to complex and expensive phishing campaigns to deliver malware into target organizations — but Microsoft won't be addressing it as a priority.

Researchers Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde\_sec) from JUMPSEC Labs' Red Team discovered a way to exploit the Microsoft Teams External Tenants feature to slip malware into files sent to an organization's employees, thus bypassing nearly all modern anti-phishing protections, they revealed in a blog post published this week.

"This vulnerability affects every organization using Teams in the default configuration," Corbridge wrote in the post. "As such it has huge potential reach and could be leveraged by threat actors to bypass many traditional payload delivery security controls."

Teams is Microsoft's widely used hosted messaging and file-sharing app, which already was used by an estimated 91% of Fortune 100 organizations before the Covid-19 pandemic, according to Microsoft financial data. During the pandemic, the use of Teams expanded even further, as many organizations came to rely on it to communicate and collaborate with their remote workforce.

Though Teams is typically used for communication between employees within the same organization, Microsoft's default configuration for teams allows users from outside the company to reach out to its employees, the researchers said. This is where the opportunity arises for threat actors to exploit the app to deliver malware, they said.

This can be done by bypassing client-side security controls that prevent external tenants from sending files —which in this case, would be malicious — to internal users, the researchers explained.

**How the Microsoft Teams Exploit Works**

The vulnerability lies in a capability that allows any Microsoft Teams allows user with a Microsoft account to reach out to what are called "external tenancies," the researchers explained. In this case, these tenancies would be any business or organization using Microsoft teams, which each have their own tenancy.

"Users from one tenancy are able to send messages to users in another tenancy," Corbridge explained. "When doing so, an 'External' banner appears alongside the name."

Though some employees might not click on a message from an external source, many would, something that Corbridge said the researchers already proved as part of a red-team engagement aimed at gaining an initial foothold in a client's environment.

"This is especially true if the malicious party is impersonating a known member of your organization and has purchased and registered a brand-impersonation domain, as red teams often do," he noted in the post.

Though external tenants in Teams are blocked from sending files to staff in another organization — unlike their ability to send files between employees in a single organization or tenancy — Corbridge said he and JUMPSEC's head of offensive security Tom Ellson were able to bypass this control within 10 minutes.

"Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request," Corbridge explained in the post. "When sending the payload like this, it is actually hosted on a SharePoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link."

The researchers tested their technique in a mature client environment during a red-team exercise last month and confirmed that it "allowed for a much more simple, reliable, and user-friendly payload delivery avenue than traditional phishing journeys," he wrote.

**A Dangerous & Impactful Collaboration App Bug**

The bug provides a "potentially lucrative avenue" for threat actors because of how straightforward it is for them to deliver malware to organizations without the need to craft socially-engineered email messages with malicious links or files and hope employees take the bait and click on them, Corbridge wrote.

Threat actors can easily buy a domain similar to a target organization's and register it with Microsoft 365, thus setting up a legitimate Teams tenancy and not having to build complex phishing infrastructure and then rely on employees already savvy to phishing tactics to make a mistake, he said.

By exploiting the flaw, a malicious payload is served via a trusted Sharepoint domain as a file in a target's Teams inbox. "As such, the payload inherits the trust reputation of Sharepoint, not a malicious phishing website," Corbridge wrote.

Threat actors can even use social engineering and start a conversation with an employee, which can lead to participation in a Teams call, the sharing of screens, and more, allowing them to conduct even more nefarious activity or even deliver the payload themselves, he added.

**No Patch Coming: Mitigations & Protections**

The researchers reported the vulnerability to Microsoft, which validated its legitimacy but said "it did not meet the bar for immediate servicing," Corbridge wrote.

To mitigate the bug themselves, organizations can review if there is a business requirement for external tenants to have permission to message staff and, if this is not the case, to remove the option to do so in Microsoft Teams Admin Center > External Access.

If an organization does require communication with external tenants but has only a handful of organizations with which employees regularly communicate, administrators can also use this field to change the Team security settings to only allow communication with certain allow-listed domains, the researchers said.

If neither of these mitigation options is viable for an organization, administrators can try educating staff on the possibility of productivity apps such as Teams, Slack, Sharepoint, and others for launching social-engineering campaigns similar to the ones found in email messages to help them avoid compromise.

Organizations can also use Web proxy logs to provide alerts or at least baseline visibility into staff members accepting external-message requests, Corbridge added.

"The difficulty, at present, is turning this into a useful piece of telemetry with usernames, and the message in question," but can provide some idea of how common this transaction is within an organization for potential mitigation, he acknowledged.

Microsoft Teams Attack Skips the Phish to Deliver Malware Directly

For line-of-business execs, the fear of grinding mission-critical systems to a halt overrides the fear of ransomware. How can CISOs overcome this?

Dirk Hodgson, the director of cybersecurity for NTT Australia, tells a story. He once worked with a company that did scientific measurements. The highly specialized firm used highly specialized equipment, and one large piece of equipment cost them $2 million when purchased years ago.

The hardware did not cause any issues, and the manufacturer routinely replaced parts and performed maintenance, as per their contract. The security problem was the operating system, which was Windows XP. The company went to the manufacturer and asked if it could upgrade the OS to a current and supported OS.

Not a problem, replied the manufacturer. The company merely has to buy a new multimillion-dollar system, and that will come with a current OS. As for updating the OS on the current machine? The manufacturer declined.

"That thousand-dollar upgrade would require a multimillion-dollar investment," Hodgson says. "Legacy software is definitely a big problem."

For decades, security executives have battled legacy systems. The fight has gotten more intense as the threat landscape has grown more complicated, tangled up in remote workers, partners, IoT, and cloud integrations. There are many technological ways to try to mitigate the legacy threat — isolation, virtualization, replication in a sandbox, etc. — but none of those deal with corporate politics and the fear of letting security teams touch legacy systems at all.

**Uptime Issues Take Priority for Line-of-Business**

The issues with legacy systems fall into two distinct buckets: cybersecurity issues and uptime issues. For the line-of-business (LOB) executive, the uptime issue — the fear that touching anything in the legacy environment could cause the system to crash — is far more frightening. And because these legacy systems usually operate quite well day to day, the business executive sees zero reason to toy with them.

The LOB also often legitimately worries that they won't have the capabilities to restore the system if it does crash because the people who wrote the code are long gone, the vendor who manufactured the hardware may no longer be in business, and the documentation for the software is either nonexistent or woefully inadequate.

Worst of all, legacy systems are often truly mission-critical, such as those running assembly lines. Those systems crashing could easily halt production for an indeterminate period, and worse, could trigger cascading failures across connected systems.

"The big surprise about legacy systems is that since they have been around for so long, almost everything else is connected to them," says Michael Smith, field CTO at Vercara. "So you have this huge Gordian knot of dependencies that make it nearly impossible to upgrade or decommission that legacy system, and you have to do a lot of network and log analysis to understand what other systems are connecting to them and when."

**Bubble Wrap Doesn't Work for Everything**

"Business executives are right to be cautious when allowing security teams to touch mission-critical legacy systems," says Eoin Hinchy, founder and CEO of Tines. "Security teams should instead focus on reducing the attack surface area of legacy systems. In other words, wrap them in bubble wrap."

Although the bubble-wrap concept is a popular means of dealing with legacy, it doesn't always work. And therein lies the real conundrum. Not only does this effort still sometimes fail, but there is no reliable way of predicting such a failure.

"One of the challenges with legacy is that is an accumulation of a technical debt that amasses over time," says David Burg, cybersecurity leader for Ernst & Young Americas. "When they were built, (developers) were working with the institutional knowledge that existed at that time. The documentation of architecture, interoperability, and dependencies and such were likely never documented. People come and go."

Beyond the traditional security risks, NTT Australia's Hodgson points out that system certification is another complicating factor. "A system is certified to a particular level. If patched, there is a reasonable chance that it will work fine, but you might lose that accreditation that you bought," he says.

And many of these specialized systems are physically difficult to replace even if the LOB chooses to do so. "Consider medical facilities installing MRI machines. They have to be craned in, you have to install lead in the walls," Hodgson says. "You are going to be keeping that for a very long time."

**What CISOs Want**

This brings the debate to a conflict between ideal and practical. From the board/CEO/CISO perspective, the ideal would be to replace all of the legacy systems with modernized systems that can effortlessly support today's cybersecurity and compliance requirements. But even if the enterprise is willing to spend the money to make that switch, it may simply not be practical.

"For many legacy system applications, data access, calculation, and even communications performance cannot be easily matched in a PC environment, if at all," says Bob Hansmann, senior product marketing manager for security at Infoblox. "The work to migrate/rewrite Cobol, Fortran, RPG II, and other applications to PC platforms is mountainous and hard to cost-justify. And even if the code is migrated, it needs to be heavily tested and modified for performance — as in speed and accuracy — often due to how different PC hardware is from mainframe and mini hardware."

The lack of actionable documentation is a critical factor in updating legacy systems, but the problem is not limited to legacy. Today's developers — whether it's a software vendor creating apps for wide distribution or an enterprise developer creating homegrown software — still do not document code in any usable way. Thus, the next generation of legacy systems may suffer from the same problems.

**Build Documentation Into Future Legacy**

Ayman Al Issa, the industrial cybersecurity lead at McKinsey, labels the lack of actionable documentation today "a major issue."

"We don't see good documentation at all," he says. "It's a cultural issue. They don't see the value of documentation. This includes maintenance issues and any change to the system. They are simply not documented. People are lazy about documenting everything."

Al Issa suggests that companies need to create their own documentation based on the teams managing the systems. But to avoid the single-point-of-failure problem, "they need to do a rotation of duties so that there's not only one person who can operate the systems," he says.

In theory, management should insist that proper documentation happen, but instead, managers are pressured to deliver. Once the developer completes Project A, do they insist that the developer spend a week documenting everything, or do they tell the developer to move onto the next project, which is what the developer wants to do anyway?

Burg says the only viable fix is to incorporate strong document requirements into the DevSecOps process: "We have to make this contemporaneous documentation or it won't happen."

Source

DARKReading