In targeting Apple users, LockBit is going where no major ransomware gang has gone before. But it's a warning shot, and Mac users need not worry yet.

The infamous LockBit ransomware gang has developed a version of their malware for macOS devices — the first ever foray into Apple's territory by a major ransomware group.

LockBit is one of the world's most prolific ransomware-as-a-service (RaaS) operations, known for its ivolvement in high-profile attacks, sophisticated malicious offerings, and some grade-A PR.

The first evidence that the gang has been experimenting with macOS was published by the MalwareHunterTeam ransomware repository on April 15. "As much as I can tell," a tweet read, "this is the first Apple's Mac devices-targeting build of LockBit ransomware sample seen ... Also is this a first for the 'big name' gangs?"

Shortly thereafter, vx-underground — a malware research site — added a wrinkle to the story. "It appears we are late to the game," it tweeted. "The macOS variant has been available since November 11th, 2022."

Ransomware for Mac may raise alarm bells, though a closer examination of the binary reveals that it's not quite ready for prime time.

"For now, the impact to the average Mac user in the enterprise is essentially zero," Patrick Wardle, founder of the Objective-See Foundation, tells Dark Reading. He pulled a sample apart in an analysis published April 16.

However, he adds, "I think this should be looked at as a harbinger of things to come. You have a very well funded and motivated, large ransomware group that's saying: 'Hey, we're setting our sights on on macOS.'"

Will Mac users be ready when ransomware finally comes for them?

**LockBit on Mac**

Saturday's discovery may be best characterized as Windows malware with macOS lipstick.

In unpacking the code, Wardle discovered multiple strings related to Windows artifacts — like autorun.inf, ntuser.dat.log, and so on. The lone component indicating its OS intentions was a variable called "apple\_config."

"This is the only instance (I found) of any macOS specific references/customizations," Wardle noted in the analysis, appending that "(The rest of the malware's binary simply looks like Linux code, compiled for macOS)."

There were other signs, too, that the developers hadn't yet completed their project. For example, the code was signed "ad-hoc" — a stand-in for, say, a stolen Apple Developer ID. This could be a placeholder for future RaaS customers, but for now, Wardle explains, "this means if downloaded to a macOS system (i.e. deployed by the attackers) macOS won't let it run."

Suffice it to say: LockBit hasn't breached the Apple dam just yet. But that doesn't mean Mac users can relax.

**Ransomware Is Headed for Macs**

Never before has one of the big name ransomware outfits — Conti, Clop, Hive, et al — developed ransomware for Mac computers. There may be one reason, above all, for why that is.

"Look at, traditionally, who the targets are for large ransomware attacks. It's the enterprises: hospitals, packaging facilities, these more traditional companies," Wardle points out. "They are generally Windows-based."

Slowly, though, Apple devices have been spreading in enterprise environments. A 2021 survey data from JAMF indicated that Apple's tablets are the go-to choice for businesses, iPhones represent about half of all smartphones in business settings, and the "average penetration" of macOS devices in the enterprise was around 23%, as compared with 17% two years prior.

"The pandemic and the work from home really spurred that," Wardle postulates. "A lot of people have Mac computers. And as the younger generation enters the workforce — they are more comfortable with the Apple ecosystem."

Following from that, he adds, "hackers who are very opportunistic are realizing that a lot of their potential victims are now transitioning, and thus they need to evolve their malicious creations."

So the question may not be whether ransomware groups will jump into macOS, but how soon. "This," Wardle thinks, "is really the million-dollar question."

**Are Apple Devices Prepared for Ransomware?**

Luckily for Mac users, Apple has anticipated this ransomware D-Day, and has proactively gotten ahead of it. Wardle points to two primary defenses already built into the operating system.

Firstly, he says, "system files are under read-only conditions. So even if ransomware gets root access on a computer, it's still not going to be able to modify those critical files and lock or render the system inoperable."

Second is TCC — short for Transparency, Consent, and Control.

"The idea is that certain directories — for example, the user's document directory, desktop, downloads, their browser folders, and cookies — are actually protected by the operating system," Wardle explains. If ransomware finds its way onto the system, "it's going to run into TCC and it's not going to be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access."

There's a caveat to that happy news though. "Apple has done a great job implementing security mechanisms, but," Wardle warns, "these features haven't been really tried and tested yet. Maybe hackers will start poking and find some flaws. TCC, for example, has been riddled with bypasses basically since day one."

"It would be naive to think that the attackers aren't going to improve their techniques and create more effective ransomware," he concludes. "So, I think it's really great to be talking about this now."

Researchers Discover First-Ever Major Ransomware Targeting macOS

How can we build security back into software development in a low-code/no-code environment?

We’ve come to rely heavily on the software development life cycle (SDLC) as the go-to method for getting security ingrained into development processes. In fact, the assumption of a comprehensive continuous integration/continuous delivery (CI/CD) has become so fundamental that we as an industry spent most of last year focused on addressing one of its derivatives: security of the CI/CD pipeline as the centerpiece of the software supply chain. This is good news, of course. A proper SDLC and its operational manifestation, the CI/CD, has allowed us to embed security controls where they are most useful — while developers are building and testing their software.

With the continued soar of low-code/no-code and citizen development in the enterprise, many AppSec teams have been occupied with creating secure development guidelines for these new business applications. Cross-industry collaborations have emerged to provide a security risk framework. The real challenge, however, is bringing this new wave of business users becoming developers under the security umbrella.

Business users are best at knowing what the business needs, and so they are best positioned to address those needs when empowered with low-code/no-code tools that allow them to build their own applications. On the other hand, trying to discuss security risks or development practices with business users can prove challenging.

Embedding security in the SDLC works because it is where it is more comfortable for developers to consume it, making it less costly to fix a security vulnerability. In order to do the same for business users, we must understand how their process for building applications works.

**R.I.P. to the SDLC**

A boilerplate version of the SDLC shows how software goes from articulating a need by the business; to planning, development, and testing by engineering and Q&A teams; to deployment, monitoring, and management by the operations teams. This, of course, varies widely across organizations. The important point for our discussion is that the responsibility is shifted among different teams and perhaps different departments throughout the development life cycle. Every transition can also be harnessed as a quality or security assurance gate, whether automated, like SAST/DAST/IAST tools, or manually, like threat modeling or security review.

In contrast, consider the low-code/no-code development process. A business user articulates their needs, moves on to creating their application or automation with an intuitive drag and drop interface, clicks save, and ... that’s it! Sometimes even the save step is skipped with a helpful autosave. Although not all low-code/no-code applications are built this way by the person who envisioned them, many are. Note how much faster the development process can be now — no exchange of responsibility or convincing someone else to align with your goals, and everyone can address their own business needs as they are spotted, on their own. This is the power of business-led development and mature citizen-development initiatives.

Unfortunately, it comes at the cost of skipping those security and quality gates we’ve baked into the development life cycle. These gates were critical, especially in an enterprise that needs to enforce values that are just as important as business productivity: security, compliance, and privacy, to name a few.

**Meeting Developers Where They Are**

Business users are building and will continue to build more applications than we’ve ever seen before. To bring them under the security umbrella, we must meet them where they are and speak their language. Instead of relying on the existence of a CI/CD pipeline and introducing business users to concepts like production versus test environments, we should accept reality and focus on making it easy to create secure applications and difficult to create risky ones.

To do this, we must understand the low-code/no-code platforms they use to build applications and the ways in which these applications are built and adopted by others. We must embrace our responsibility to guide these new developers, apply security best practices to the applications they create according to our organization's risk appetite, and take a retroactive approach to address critical issues swiftly.

Where There's No Code, There's No SDLC

China-linked APT41 group targeted a Taiwanese media organization and an Italian job agency with standard, open source penetration test tools, in a change in strategy.

The advanced persistent threat known as APT41 has pressed into service an open source, red-teaming tool, Google Command and Control (GC2), for use in cyber espionage attacks marking a shift in its tactics.

According to the Google Threat Analysis Group (TAG) team, the APT41 group, also known as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails which contained links to a password protected file hosted in Drive.

When the file was opened, it fetched the GC2 payload. As detailed in the TAG April Threat Horizons report, this tool gets its commands from Google Sheets, most likely to hide the malicious activity, and exfiltrates data to Google Drive. The GC2 tool also enables the attacker to download additional files from Drive on to the victim's system.

APT41 also previously used GC2 last July to target an Italian job search website, according to TAG.

TAG researchers noted that incidents such as this highlight several trends by China-affiliated threat actors, such as using publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.

**Using Publicly Available Tools**

Chinese APT groups have increasingly used publicly available (and legitimate) tools such as Cobalt Strike and other penetration testing software, which is available on sites like GitHub; there's also been a shift to using lesser-known red teaming tools such as Brute Ratel and Sliver to evade detection during their attacks.

The use of such "living off the land" tactics is well known in financially motivated cyberattackers, but less so among APTs that are better resourced and can develop custom tools. Yet Christopher Porter, head of threat intelligence for Google Cloud, said in the report that it is "only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems."

He adds, "A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard coded into security systems screening for spam or malware,” he says. He also flagged the use of cloud services for stealth and legitimacy: "Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control."

**Who Is APT41?**

The group's activities illustrate the "continued overlap of public sector threat actors targeting private sector organizations with limited government ties," according to the TAG analysis.

Last year the same group was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong, as well as targeting multiple US government agencies using the Log4j vulnerability.

Bronze Atlas is "one of the most prolific groups we have been tracking for a long time," says Marc Burnard, senior security researcher for Secureworks' Counter Threat Unit, having tracked it since at least 2007. And during that time, the group "has been very prolific," he says.

Burnard says APT41 has gone after a range of targets, including government, healthcare, high-tech manufacturing, telcos, aviation, non-governmental organizations (NGOs), and targets in line with China's political and economic interests.

"They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well," he notes.

Asked why this particular Taiwanese media company would be targeted, Burnard admits there could be several reasons, including the China-Taiwan political situation, a goal of using the victim to target other organizations and individuals, or there could be a "destructive element" too.

**APT41 Quiets Down Its Wall of Noise**

As mentioned, the TAG report found that the attackers sent phishing emails to the victim containing links to legitimate cloud services in order to avoid detection — links to a trusted cloud service don't set off email filters. Burnard points out that this is part of a style change for the group, as up until the last few years it was quite noisy in its attacks, and not too worried about the activity being detected.

However, since the 2020 indictment of seven alleged cybercriminals, which reportedly included members of APT41, the activity has been more stealthy and Burnard says the APT is now moving towards using legitimate tools like Cobalt Strike, and towards cloud services, to hide their intent and activity.

APT41 Taps Google Red-Teaming Tool in Targeted Info-Stealing Attacks

To address the rising risk of online fraud, stolen identities, and cyberattacks, innovative organizations have begun converging their security functions — here's how yours can prepare.

Across early-stage startups and mature public companies alike, we're seeing a convergence of fraud prevention, identity and access management (IAM), and cybersecurity.

It's time for businesses to take notice and break down these walls.

During my 20 years of experience building and scaling cybersecurity solutions, I've witnessed a slow shift that's finally picking up speed and becoming essential for businesses as they seek to reduce operational overhead and streamline security operations.

**A Silo-Breaking Moment**

To improve an organization's overall security posture, business, IT, and fraud leaders must realize that their areas shouldn't be treated as separate line items. Ultimately, these three disciplines serve the same purpose — protecting the business — and they must converge. This is a simple statement, but complex in practice, due mainly to the array of people, strategies, and tooling today's organizations have built.

The convergence of these three functions comes at a seminal moment, as global threats are heightened due to several factors: geopolitical tensions like the war on Ukraine, the economic downturn, and a never-ending barrage of sophisticated attacks on businesses and consumers.

At the same time, companies are facing slowing revenues, rising inflation, and increased pressure from investors, causing layoffs and budget reductions in the name of optimization. Cutting back in the wrong areas, however, increases risk.

**Pay Attention to the Warning Signs**

Every business unit that participates in the security ecosystem is stressed, but if there's one thing I know about operational pain points, it's that they have great potential to inspire change across industries and business units.

Consider these questions in the context of your organization:

*   Are you failing to achieve secure online experiences despite employing security policies, zero-trust models, multifactor authentication (MFA), and other tactics?
*   Is the friction you've added to online digital experiences hampering your revenue growth?
*   Are you limited in your ability to launch or grow your business in new markets due to heightened fraud risks?
*   Are you seeing continual scams and fraud attacks with little to no prevention progress?
*   Do you feel you have blind spots in your security visibility due to disparate tooling, data, and teams?
*   Is your understanding of how the fraud ecosystem thrives underground comprehensive enough?
*   Is the level of burnout across your security-focused teams at its peak?

If you answered yes to even one of these questions, it's time to start reimagining how the three above-mentioned areas can work together to break the forced compromise between security and revenue growth.

Many forward-looking companies have already aligned these teams under the common goal of creating safer digital experiences. Here are a few tips for how you can do the same.

**Take inventory:** First things first — take a look at your cybersecurity, IAM, and fraud prevention approaches. 

Many organizations have amassed loads of technical debt due to the accelerated threat landscape, which pushed them to adopt technologies without comprehensive strategies. These might include security and compliance, bot detection, identity and access functionality (authentication, MFA, and identity verification), anti-risk and anti-fraud solutions, orchestration, and case management.

Ask yourself:

*   What are my business goals and priorities? What measures, metrics, and objectives must be set?
*   What do my budget and my spending look like? What should they look like?
*   Where are my gaps in staffing?
*   What business-critical tools are we using? Do we need any tool changes?

This inventory is key to gathering a single source of truth that builds the case for convergence and highlights what's truly important to secure your business. 

This step is especially important because fraudsters like to hide in the cracks. Organizational silos allow those cracks to proliferate.

**Get a quick win:** Even if your three teams sit in different departments, align around a common goal and develop an annual plan. Knowing the basics from your inventory pull, have each team share about their individual objectives, priorities, tooling, signals, and processes. You may find some easy-win opportunities by standardizing vendor technology or introducing a joint initiative.

For example, you could build a joint account takeover metric that quantifies the number of fraud attacks you can successfully thwart by pairing an IAM initiative with a fraud initiative.

**Go big:** Pull together a joint business case for your CEO. Along with a general manager or chief operation officer who owns revenue, customer adoption, and customer experience, document and define what these three domain areas can do together to accelerate security and fraud prevention. Be sure to highlight how this approach enables you to take in more business without introducing customer friction.

Once key stakeholders see how the strategic value of a unified fraud detection, IAM, and cybersecurity approach enables the best possible user experience, creative ideation and strategic conversation should follow.

At this point, you're no longer reviewing fraud signals to merely solve a fraud problem. Rather, you're reviewing fraud signals to simultaneously strengthen the posture of your IAM solution and provide friction-free experiences for your users. You will find that you can accept more orders and reduce friction when you're more certain of your customers' identities and your own fraud posture.

As your work unites, measure against these goals and keep your teams honest.

Fraud and identity naturally align on user experience (UX), and putting them under one owner is certainly a step toward convergence, but don't stop there. Regularly brainstorm ways of bringing cybersecurity functions into your strategy. Cyber has great insights and domain expertise in malware, network security, and bots — all signals you should bring together alongside fraud signals for the most powerful coverage.

**Develop your strategy and your workforce.** Over time, you should iterate on processes and build a customized security convergence framework for your organization. Don't be afraid to get creative. Begin leveraging technologies like machine learning and AI to build context between teams, automate workflows, and improve efficiency and visibility across teams. Meanwhile, prepare to upskill and reskill your teams.

We're embarking on uncharted territory here, but keep the goal in sight: Safer digital experiences for all.

Why Your Anti-Fraud, Identity & Cybersecurity Efforts Should Be Merged

Malware that can steal data, track location, and perform click fraud was inadvertently built into apps via an infected third-party library, highlighting supply chain risk.

Malware that can steal data and commit click fraud has hitched a ride into 60 mobile apps, via an infected third-party library. The infected apps have logged more than 100 million downloads from the official Google Play store and are available in other app stores in South Korea, researchers have found.

Goldoson, discovered and named by researchers at McAfee Labs, can perform a variety of nefarious activities on Android-based devices, they said in a blog post. The malware can collect lists of applications installed, as well as sniff out the location of nearby devices via Wi-Fi and Bluetooth. It also can perform ad fraud by clicking advertisements in the background without the user's consent or knowledge, the researchers said.

Some of the popular apps affected by Goldoson include L.POINT with L.PAY, Swipe Brick Breaker, Money Manager Expense & Budget, Lotte Cinema, Live Score, and GOM. The researchers found more than 100 million downloads of infected apps on Google Play, and 8 million on ONE, South Korea's leading mobile app store, they said.

McAfee reported the infected apps to Google, which quickly notified developers that their apps were in violation of Google Play policies and that they needed to fix their apps, the researchers said. They do not mention in their post if they contacted the ONE app store.

Some apps were removed from Google Play outright while others were updated by the official developers. McAfee is encouraging users of any of the affected apps — a list of which is in the post — to update them to the latest version to remove any trace of Goldoson from their devices.

"While the malicious library was made by someone else, not the app developers, the risk to installers of the apps remains," SangRyol Ryu of McAfee's mobile research team wrote in the post.

**How Goldoson Works**

The Goldoson library registers a device right after it infects it, acquiring remote configurations from a command-and-control server (C2) as the app runs simultaneously. It evades detection by both varying and obfuscating the library name and the remote server domain with each application; developers dubbed it "Goldoson," because this is the first domain name they found, they said.

A remote configuration contains the parameters for each of the app's functionalities and specifies how often it runs the components.

"Based on the parameters, the library periodically checks, pulls device information, and sends them to the remote servers," Ryu wrote.

Goldoson's ability to collect data from all the apps on the device comes from a permission called "QUERY\_ALL\_PACKAGES," that it requests from the device. Users of devices with Android version 11 or above installed appear to be more protected from this query, with only about 10 percent of the cases observed by McAfee demonstrating vulnerability, the researchers said.

The malware requests permissions to access location, storage, or the camera at runtime from devices running Android 6.0 or higher. If location permission is allowed, the infected app can access not only GPS data but also Wi-Fi and Bluetooth info from devices nearby, which gives them more accuracy in locating the infected device, especially indoors, the researchers noted, adding that the ability to identify or discover the location of users puts them at risk for further malicious activity.

Goldoson can also load Web pages without the user knowing — a functionality that attackers can abuse to load ads for financial gain, the researchers said. In technical terms, this works because the library loads HTML code and injects it into a customized and hidden WebView, then produces hidden traffic by visiting the URLs recursively, they explained.

Goldoson sends data it collects from devices out every two days to the attackers, who can change this cycle using remote configuration.

**Third-Party Mobile App Component Risk**

The existence of Goldoson demonstrates once again how swiftly malicious activity can spread when it's a part of third-party or open source components that developers build into applications without knowing that they are infected, the researchers noted.

This was well documented in the Apache Log4j debacle — in which a logging library used in nearly all Java environments was found to contain an easily exploitable vulnerability. The repercussions of Log4j — which has been declared an endemic cyberthreat by the Department of Homeland Security because of how many existing applications remain vulnerable — likely will be felt for years to come.

Indeed, this ability to gain a large malicious footprint quickly and without organizations or developers knowing — and thus before they can react — has not been lost on attackers. In response, they increasingly are targeting the software supply chain with malware or exploits for Log4j and other known vulnerabilities — and will continue to do so as their successes mount, observes a security expert.

"Attackers are becoming more sophisticated in their attempts to infect otherwise legitimate applications across platforms," says Kern Smith, vice president for the Americas for sales engineering at mobile security firm Zimperium.

**Demand for Transparency**

Transparency across organizations and developers' teams appears to be the best way to mitigate software supply chain issues, experts said.

Both developers and organizations using applications that include open source or third-party components "need to assess the risks of these applications and their components, especially as it pertains to a software bill of materials (SBOM)," which provides an inventory of what comprises software components, Smith says.

Indeed, developers should be willing to reveal what libraries and other components are used in applications they develop and deliver to protect users and prevent compromise via infected or vulnerable components, McAfee researchers said.

Developers of external libraries also need to be transparent about their code so organizations and developers leveraging them can understand their behavior and thus be aware quickly of any issue that may arise, they said.

'Goldoson' Malware Sneaks into Google Play Apps, Racks Up 100M Downloads

Use ongoing exposure management to parse the riskiest exposures and probable attack paths, then identify and plug the choke points.

In 2022, the National Institute of Standards and Technology reported more than 23,000 new vulnerabilities, the largest spike ever recorded within one calendar year. Alarmingly, this upward trend is anticipated to continue, with recent research suggesting that we may see more than 1,900 new common vulnerabilities and exposures (CVEs) _per month_ on average this year, including 270 rated high-severity and 155 rated critical-severity.

As CISOs and security teams grapple with reduced security budgets and the perpetual scarcity of cyber talent, patching this veritable tidal wave of new vulnerabilities every year is simply an unattainable and ludicrous task.

Out of the hundreds of thousands of registered CVEs, only 2% to 7% are ever seen exploited in the wild. Thus, mindless patching is rarely a fruitful activity. With expanded attack surfaces, the threat landscape isn't as siloed as we often treat it. Attackers aren't executing an attack on an individual vulnerability because it almost never leads to critical assets. Vulnerabilities, in most instances, do not equal exposures and aren't rewarding enough for an attacker looking to penetrate organizational systems.

Instead of concentrating on vulnerabilities, malicious actors are leveraging a combination of exposures, such as credential and misconfigurations, to discreetly attack critical assets and steal company data. Let's explore some of these prominent, and often overlooked, exposures that organizations should be most concerned about.

**The Discarded Environment: On-Premises**

While we cannot discredit the need for robust cloud protections, its dominance over the past decade has caused many to overlook their investment in building effective and agile on-premises controls. Make no mistake, malicious actors continue to actively exploit on-premises exposures to gain access to critical assets and systems, even if they are in cloud environments.

Earlier this year, Microsoft urged users to secure their on-prem Exchange servers in response to several instances where security flaws within the software were weaponized to hack into systems. With all the focus on cloud security, many organizations have become blind to the hybrid attack surface and how attackers can move between the two environments.

**Overly Permissive Identities, Privileged Access**

With convenience in mind, cloud users, roles and services accounts continue to grant excessive permissions. This can make things easier to manage and it avoids having to deal with employees constantly asking for access to various environments, but it also allows attackers to expand their foothold and attack paths after successfully cracking through the first layer of defense.

A balance must be struck because right now, many organizations lack strong governance in relation to identity, resulting in excess access to those who don't require such abilities to perform their tasks.

While securing identities is highly complex in hybrid and multicloud environments, operating on the philosophy that every user is a privileged user makes lateral spread far harder to stop. It could also be the difference between a minor attack and a weeks-long project to try and contain the damage. Our recent research showed that 73% of top attack techniques involve mismanaged or stolen credentials.

**The Human Glitch**

Let us not forget about one of the most common, yet detrimental, mistakes: improper deployment and utilization of security controls. You make the investment, but you also must ensure that you reap the benefits. Despite being a widely communicated issue, security control misconfigurations are still highly prevalent. While no threat detection and response or endpoint solution is bulletproof to begin with, many are also misconfigured, not deployed across the entire environment, or inactive even when deployed.

We are operating in a world of hypervisibility, where diagnostic fatigue is prevalent and security teams are inundated with too many benign and unrelated vulnerabilities. CISOs and security teams seem to be on a quest to see everything. But exhaustingly long lists of exposures and technical weaknesses prioritized based on CVSS or other scoring mechanisms don't make their organizations safer. The key is to see what is important and not lose the critical in the sea of the benign.

Instead of trying to fix _everything_, organizations must work to identify their chokepoints, the areas where exposures commonly converge on an attack path. Doing this requires diligent evaluation of your exposure landscape and grasping how attackers can navigate through your environment to reach critical assets. Once these choke points are identified and remediated, it will make the other exposures irrelevant, not only saving an enormous amount of time, but potentially the sanity of your security team as well.

Additionally, this can have the added benefit of mobilizing your IT teams because it gives them a clear view into the significance of certain patches, and they no longer feel as though they're wasting their time.

**Keeping Ahead of Threat Landscape**

As Henry Ford once said, "If you always do what you've always done, you'll always get what you've always got." While most organizations have robust vulnerability management programs in place, vulnerabilities are only a small portion of risk.

Keeping ahead of the volatile threat landscape requires ongoing exposure management mechanisms. Understanding which exposures present the most risk to your organization and critical assets — and how an attacker may leverage these exposures on an attack path — will significantly help plug gaps and improve overall security posture.

Beyond CVEs: The Key to Mitigating High-Risk Security Exposures

Researchers explore a love-hate relationship with AI tools like ChatGPT, which can be used to both attack and defend more efficiently.

Generative AI tools are already being used to penetrate systems, and the damage will get worse, panelists said last week at a technology conference. But those same tools, enhanced with standard zero-trust practices, can counteract such attacks.

"We're definitely seeing generative AI being used to produce content that would make it more likely for an unwitting partner to click on a link ... \[and\] do something that they shouldn't have to give access to the system," said Kathleen Fisher, director of DARPA's Information Innovation Office, during a breakout session at Nvidia's GPU Technology Conference earlier this month.

A good chunk of the AI infrastructure has been built on Nvidia's GPUs, which is why the company's virtual developer conference has become a watering hole to discuss AI development and techniques. The show's focus is on providing swift and ethical responses to AI requests.

Nvidia CEO Jensen Huang declared ChatGPT's introduction in November 2022 to be the "iPhone moment" for AI. However, there are also concerns about generative AI being used to write malware, craft convincing business email compromise (BEC) messages, and create deepfake video and audio.

"I think we are just seeing the tip of the iceberg of these kinds of attacks. But given how easy that capability is to use and how it's only available as a service these days, we will see a lot more of that in the future," Fisher said.

**AI Deserves Zero Trust**

Perhaps the best-known generative AI system is OpenAI's ChatGPT, which is a chatbot from OpenAI that uses AI to produce coherent answers to user queries. It can write reports and generate code. Other prominent efforts include Microsoft's BingGPT (which is based on ChatGPT) and Google's Bard.

Organizations are eager to try ChatGPT and its competitors, but cybersecurity teams shouldn't be complacent as AI widens the overall attack surfaces and opportunities for hackers to break in, said Kim Crider, managing director for AI Innovation for National Security and Defense at Deloitte, during the panel.

"We should approach our AI from the perspective of 'it is vulnerable, it has already some potential to be exploited against us,'" she said.

Companies need to take a zero-trust approach to AI models and data used to train models. Crider talked about a concept called model drift, where bad data could be fed into an AI model, which could lead to a system acting unreliably.

The zero-trust approach will help put in place investments, systems, and personnel for continuous verification and validation of AI models before and after it is put into use, Crider said.

**Department of Defense's AI Defenses**

DARPA is testing AI cyber agents to enhance its digital defenses. The Cyber Agents for Security Testing and Learning Environments (CASTLE) program simulates a "blue" defensive agent to protect systems against a malicious "red" agent. The blue agent takes actions such as turning off access from a certain source, like an Internet address associated with domain fronting being used to stage an attack.

"The technology is using reinforcement learning, so you have a blue agent that is learning how to protect the system, and its reward is keeping up the mission readiness of the system," Fisher said.

Another defense program, Cyber-Hunting at Scale (CHASE), uses machine learning to analyze information from telemetry, data logs, and other sources to help track down security vulnerabilities in DoD's IT infrastructure. In a retrospective experiment, CHASE found 13 security incidents about 21 days earlier than the standard technique.

"It was very smart about the data management that it then fed into other machine learning algorithms that were in fact much more able to identify the threats really quickly," Fisher said.

Finally, Fisher talked about Guaranteeing AI Robustness Against Deception (GUARD), which uses machine learning to prevent data poisoning, which could potentially affect the effectiveness of AI systems.

**Civilian Use of AI-Based Cybersecurity**

The panelists also suggested supplementing standard security approaches, like running security drills to minimize phishing, with multiple security layers to make sure systems are safe.

Some AI-based defense tools are entering the commercial market. Microsoft introduced Security Copilot, an AI assistant that can help security teams triage threats by actively monitoring internal networks and comparing it to Microsoft's existing security knowledge base.

Microsoft runs all of its AI operations on GPUs from Nvidia. That's partly to take advantage of Nvidia's AI-based security algorithm Morpheus, which can diagnose threats and abnormal activity by analyzing system logs and user log-in patterns.

AI provides many benefits, but there needs to be a human at the wheel for security, Fisher said, giving the example of an autonomous car where a human is ready to take over if something goes wrong with a car's AI system.

Fisher said, "In a way, that takes the psychology of people seriously in terms of what we can do right now to improve the cyber system while we're waiting for these more enhanced agents" that can defend against cyberweapons more quickly than people typing on keyboards can.

"I think 2023 is going to be a major turning point in the generative AI space," Deloitte's Crider said. "It terrifies the heck out of me."

How Zero Trust Can Protect Systems Against Generative AI Agents

Researchers are warning about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.

Cameron Camp had purchased a Juniper SRX240H router last year on eBay, to use in a honeypot network he was building to study remote desktop protocol (RDP) exploits, and attacks on Microsoft Exchange and industrial control systems (ICS) devices. When the longtime security researcher at Eset booted up the secondhand Juniper router, to his surprise it displayed a hostname.

After taking a closer look at the device, Camp contacted Tony Anscombe, Eset's chief security evangelist, to alert him to what he found on the router. "This thing has a whole treasure trove of Silicon Valley A-list software company information on it," Camp recalls telling Anscombe.

"We got very, very concerned," Camp says.

Camp and Anscombe decided to test their theory that this could be the tip of the iceberg for other decommissioned routers still harboring information from their previous owners' networks. They purchased several more decommissioned core routers — four Cisco Systems ASA 5500, three Fortinet FortiGate, and 11 Juniper Networks SRX Series Services Gateway routers.

After dropping a few from the mix after one failed to power up and another two were actually mirrored routers from a former cluster, they found that nine of the remaining 16 held sensitive core networking configuration information, corporate credentials, and data on corporate applications, customers, vendors, and partners. The applications exposed on the routers were from big-name software vendors used in many enterprises: Microsoft Exchange, Lync/Skype, PeopleSoft, Salesforce, Microsoft SharePoint, Spiceworks, SQL, VMWare Horizon View, voice over IP apps, File Transfer Protocol (FTP), and Lightweight Directory Access Protocol (LDAP) applications.

These network backbone devices in essence contained digital blueprints of the previous owner organizations' networks, including Border Gateway Protocol (BGP), Routing Information Protocol (RIP), and Open Shortest Path First (OSPF) routing information. The researchers "found complete layouts of various organizations' inner workings" that, in the hands of threat actors, would provide a network topology map for attack, according to the Eset researchers' white paper on the router research, released Tuesday.

The routers contained one or more set of IPSec or VPN credentials, or hashed root passwords, and each had sufficient data for the researchers to identify the actual previous owner/operator of the device. Nearly 90% included router-to-router authentication keys and details on applications connected to the networks, some 44% had network credentials to other networks (such as a supplier or partner), 33% included third-party connections to the network, and 22% harbored customer information.

"I have the entire network topology of their core infrastructure, both internal and external, like cloud assets," for example, Camp says.

Camp says the discovery was a far cry from the malware he typically studies, and a lot less work for an attacker who happened upon one of these unwiped routers. "I don't need a zero day, I have your router," quips Camp.

Abscombe and Camp say they hope to alert enterprises on the proper disposal of critical network routers when they present their findings at the RSA Conference next week.

"They are the intersection upon everything that happens in your organization," Camp says of core routers. "Everything touches the router," including many cloud services, he adds.

Recycled and repurposed computing equipment traditionally has been a fraught area. Hard drives, mobile devices, and printers over the years have been found improperly cleansed of sensitive data. In 2019, a study conducted by Rapid7 found just two out of 85 devices had been properly wiped before they were handed off to secondhand sellers or recycling services. But decommissioned and unwiped routers pose a deeper level of security risk due to the vast amount of infrastructure information they hold.

**'Creepy' Interface**

Among the organizations whose information was exposed were a manufacturing company, a US law firm, managed services providers, an open source software firm, an events company, a telecommunications equipment supplier, a global data company, and a creative services company. Eset did not disclose the names of the organizations, but the researchers confirmed that they contacted all of them.

The Silicon Valley software vendor was quick to respond, even awarding Camp a bug bounty that he then donated to the Electronic Freedom Foundation and the Tor Project. But that was the researchers' easiest disclosure.

"Once we stepped outside of the tech \[sector\], it was incredibly different" and harder to disclose our findings, Anscombe notes. The other organizations didn't have processes or even people available to handle the disclosure information, he says.

Meanwhile, one of the unwiped routers contained what Camp describes as a "creepy" remote administration interface.

"I was never sure if it was on purpose, but it was creepy, very low-level access, and from one of the countries with flags that we're \[the US\] not happy with right now," he says. "It could be totally legit or that could be really bad. It was a little edgy to me."

**How to Securely Dispose of a Core Router**

So how do you wipe a router that you want to retire? The good news is most routers are fairly easy to securely decommission, and the big three — Cisco, Fortinet, and Juniper — on their websites provide detailed guidelines for restoring devices to their factory default settings.

With Juniper routers, for example, wiping the device is simple: "Going to config setting and type 'delete,' hit 'Y' \[to confirm\] and now that router doesn't know who it is anymore," Camp says. The entire wiping process takes less than five minutes, including the post-deletion reboot.

And if your organization already had disposed of routers that weren't properly wiped, Eset recommends rotating cryptographic keys in case an attacker were to get their hands on your old router and attempt to gain trusted access to your network. Zero trust can help here as well, they say.

But that's still no guarantee that a malicious actor who buys your old router still couldn't use it to target your organization. "Even if somebody goes and changes the credentials of the accounts being cached in router, potentially \[the attacker has\] got the app lists, so \[they\] can tell what apps are run internally locally or in the cloud," Abscombe says.

That gives the attacker just enough intel to plan a targeted attack, according to Abscombe. "If I know they're running \[a specific version of\] Exchange and that version had a CVE and they had not applied the patch … I suddenly know things about their network that can make them vulnerable," he says.

If you buy a secondhand core router, and, like the researchers, find that it still contains the previous owner's information, Eset recommends disconnecting the router and moving it to a secured area and contacting your regional CISA office. They also say it's best to document your purchase process as a precaution for insurance or legal purposes.

Recycled Core Routers Expose Sensitive Corporate Network Info

Businesses must leverage state and local guidance — along with technology — to maintain secure, compliant infrastructure.

Proposition 24, also known as the California Privacy Rights Act (CPRA), went into effect in January. Passed by California voters in November 2020, the CPRA increases consumer data privacy protections under the California Consumer Privacy Act (CCPA) by giving consumers the right to correct inaccurate personal information that a business has about them. It also allows consumers to limit the use and disclosure of sensitive personal information collected about them.

This has heavy implications for enterprise businesses, as the CCPA applies to any "legal entity that collects consumers' personal information, determines the purposes and means of processing consumers’ personal information, and conducts business in the State of California." To fall under the scope of the CCPA, organizations must either earn more than $25 million in annual gross revenue, derive at least half of their annual revenue from selling consumers' personal information, or buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices on an annual basis.

Organizations have an imperative to stay ahead of changing laws like the CCPA, but safeguarding consumer privacy can vary widely depending on where you operate, the type of data you collect and share, where your consumers are located, and more. Read on to learn how you can leverage state and local guidance alongside existing technology solutions to maintain a secure and compliant infrastructure.

**Understanding Consumer Privacy Through the Lens of CCPA**

According to Thomas Reuters, regulatory bodies release more than 250 compliance updates every day. So it makes sense that 25% of organizations don't understand which regulations apply to them or what they need to do to achieve compliance. And while specific requirements can vary depending on the law, the CCPA is a great place to start when trying to understand how consumer privacy is growing and changing in the US.

The CCPA, along with the CPRA, grants consumers six key rights.

*   **The right to know:** Consumers are entitled to know what personal information a business has collected about them and how that information is being used and shared.
*   **The right to delete:** Consumers may request that businesses delete any personal information that has been collected, with certain exceptions.
*   **The right to opt out:** Consumers may opt out of the selling or sharing of their personal information.
*   **The right to nondiscrimination:** Consumers may not be discriminated against for exercising their CCPA rights.
*   **The right to correct:** If a business has collected, stored, or shared inaccurate personal information, consumers may request that businesses correct that data.
*   **The right to limit:** Consumers may limit how sensitive personal information, like their Social Security numbers, or precise geolocation data is used and disclosed. 

The CCPA also establishes certain obligations for businesses. For example, businesses must disclose their practices around personal information either before the data is collected or at the point of collection. Businesses are also required to respond to consumer rights requests within 45 days. However, they may extend this response time by 45 days as long as they notify the consumer. Additionally, under the CPRA, businesses must conduct regular cybersecurity audits and privacy risk assessments as well as minimize the amount of data they collect and retain.

**Leverage Defense-In-Depth To Improve Data Security, Compliance**

Regulations like the CCPA can quickly become overwhelming. Taking a proactive defense-in-depth approach to data security and compliance ensures that organizations have multiple layers of built-in protection throughout all phases of the design, development, and deployment of any security platforms and technologies.

When it comes to data security and compliance, there are four core stages that organizations should be aware of:

*   **Discovery:** Organizations must understand how much data they have, where that data exists, and what kind of information is captured in that data. 
*   **Protection:** Once all data has been mapped out, companies can apply sensitivity labels, encrypt data, and enact additional safeguards to secure data against outside threats.
*   **Risk management:** Automated security alerts and multifactor authentication can be used to secure data against insider risks.
*   **Loss prevention:** Finally, companies can leverage AI-driven data loss prevention policies to ensure they don’t overshare sensitive information.

As consumer data privacy continues to evolve, now is the time to establish robust data retention and deletion strategies. Organizations must act quickly if they want to prepare employees for incoming "right to know" requests, while also mapping out consumers' personal and sensitive information and conducting businesswide risk assessments.

As Consumer Privacy Evolves, Here's How You Can Stay Ahead of Regulations

The combined company will boost ZeroFox's attack surface management capabilities.

ZeroFox has announced plans to acquire LookingGlass, a threat intelligence and attack surface management company, for roughly $26 million.

ZeroFox provides protection against phishing and other threats that could negatively impact an organization’s brand, threat intelligence, and incident response services. ZeroFox also provides “disruption” services, such as domain and social media takedowns and removing personal information from data brokers.

Organizations use LookingGlass’ Internet-facing attack surface intelligence data lake to identify and assess threats, as well as to determine the appropriate remediation and defense tasks. After the acquisition, LookingGlass technology will be integrated into ZeroFox’s platform for enhanced visibility into external attack surface assets and vulnerabilities, ZeroFox said in a statement on Monday that announced the acquisition.

ZeroFox previously acquired Cyveillance, a LookingGlass business unit, in October 2020. The combination of the two companies strengthened ZeroFox’s threat intelligence and automated protection capabilities, the company said at the time. Just seven months later, ZeroFox announced plans to buy Vigilante, a Dark Web threat intelligence company, to add new capabilities to its platform, including breach intelligence and response, botnet exposure monitoring, data on compromised credentials, infected and vulnerable hosts, and indicators of compromise.

The deal, mainly in stock (9.4 million shares) combined with convertible debt and cash, is expected to close within 30 days.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading