These agile controls and processes can help critical infrastructure organizations build an ICS security program tailored to their own risk profile.

It's no secret that the industrial control system (ICS) attack surface is rapidly expanding (PDF). From advancements in business digitalization, IT-OT convergence, and Internet of Things (IoT) adoption to the ripple effects of escalating geopolitical tensions, organizations in critical infrastructure sectors must be positioned to combat accelerating ICS attacks that, in addition to forcing prolonged operational downtime, can potentially put people and communities at severe risk.

After all, there's a clear differentiator regarding the nature of ICS/OT threats. Unlike traditional attacks against enterprise IT networks that are primarily rooted in monetary gain or data theft, state-sponsored adversaries often target critical infrastructure systems with the malicious intent to disrupt operations, inflict physical damage, or even facilitate catastrophic incidents that lead to loss of life.

This isn't fable or fiction — it's reality. In early February, leaders of two US House subcommittees called on the US Energy Department to provide information regarding three nuclear research laboratories targeted by the Russian hacking group Cold River last summer. Or take the Russian state-sponsored Crashoverride incident (PDF) of 2016, which manipulated ICS equipment through the abuse of legitimate ICS protocols to disrupt the flow of electricity across Ukraine's power grid at the transmission substation level. As a result, part of Ukraine's capital, Kyiv, experienced a one-hour outage overnight.

The incident served as a microcosm to an evolving era of cyber-risk, signifying the importance of trained defenders with engineering backgrounds who can effectively monitor ICS networks and actively respond to attacks before impact. After all, a weak ICS/OT security posture can pose risk to public health, environmental safety, and national security.

That said, critical infrastructure organizations have a responsibility to deploy a robust ICS/OT security framework that protects their operational assets from sophisticated attacks. This isn't a matter of meeting mandatory compliance minimums to avoid fines or regulatory penalties. It's about leaving no stone unturned to protect people from the real-world impact of cybercrime — not only their own personnel, but those living and working in the surrounding communities from which they operate.

**The Five Components of Effective ICS/OT Security**

Balanced priorities are essential to effective ICS/OT security, as made clear by a recent SANS Institute whitepaper, "The Five ICS Cybersecurity Critical Controls." Prevention bias is a common theme across the cybersecurity community. Between 60% and 95%of the best-known and utilized security frameworks are preventative in nature but fall behind in detection and response. As a result, many organizations invest as little as 5% of their resources toward detecting, responding, operating through an attack, and recovering from compromises. Because the volume and velocity of ICS-related attacks are rapidly increasing, even the most stringent prevention measures are bound to be bypassed. Organizations must be prepared for when that happens — and integrating AI-enabled detection and response approaches that drive agile mitigation and recovery action.

Adopting an ICS/OT security framework that encompasses the following five critical controls is key to achieving that balance.

1.  **ICS incident response:** An operations-informed incident response plan is designed with focused system integrity and recovery capabilities to reduce the complexity of responding to attacks in operational settings. These exercises reinforce risk scenarios and use cases tailored to their security environment — prioritizing actions based on the potential for operational impact and how to position the system to operate through an attack. They also enhance operational resilience by facilitating root cause analysis of potential failure events. 
2.  **Defensible architecture:** An effective ICS-defensible architecture supports visibility, log collection, asset identification, segmentation, industrial demilitarized zones, and process-communication enforcement. It helps bridge the gap between technologies and humans, reducing risk through system design and implementation while driving efficient security team processes. 
3.  **ICS network visibility monitoring:** Due to the "systems of systems" nature of ICS attacks, it's vital to implement continuous network security monitoring of the ICS environment with protocol-aware tool sets and systems of systems interaction analysis. These capabilities can be leveraged to inform operations teams of potential vulnerabilities to alleviate, aiding in general resilience and recovery. 
4.  **Remote access security:** Following the societal adoption of cloud-based hybrid work structures, adversaries are increasingly exploiting remote access to infiltrate OT networks. In the past, the primary attack path to an OT network was through that organization's IT network, but now threat actors can also capitalize on the IT network vulnerabilities of their entire supply chain. In turn, maintaining secure remote access controls is nonnegotiable for modern industrial operations. 
5.  **Risk-based vulnerability management:** A risk-based vulnerability management program empowers organizations to define and prioritize the ICS vulnerabilities that generate the highest level of risk. Often, they are vulnerabilities that allow adversaries to gain access to the ICS or introduce new functionality that can be leveraged to cause operational issues such as the loss of view, control, or safety within an industrial environment. Adopting risk-based vulnerability management requires having controls and device operating conditions in place that drive risk-based decisioning during prevention, response, mitigation, and recovery action.

**Fostering a Safer Future**

For facilities struggling to get a handle on their own ICS/OT security program, I recommend using the five critical controls as a starting point. These five pillars can serve as a road map for critical infrastructure organizations to build an ICS security program tailored to their own risk profile. And while the controls are invaluable to ICS/OT security, their potency still relies on an organizational culture of alignment where the severity of cyber-risk is understood and prioritized at every level — ranging from the board and executive leadership down to their security teams.

ICS/OT security must follow a team sport approach, combining the strength of agile controls and well-defined processes to keep pace with the accelerating nature of ICS attacks. With the right framework in place, critical infrastructure organizations can take proactive steps to drive their own defenses against malicious adversaries.

5 Critical Components of Effective ICS/OT Security

It's getting hard to buy cyber insurance, but not having it is not always an option. Low-coverage plans could bridge the gap.

"Everybody says it, so it must be true" is an example of the bandwagon logical fallacy. In the context of cyber insurance, the argument goes that everyone is a potential victim of an attack, thus everybody must have cyber insurance. In reality, not every organization can afford to buy cyber insurance, and there are organizations that don't qualify for a policy even if they want one.

Having cyber insurance used to be as simple as purchasing a prepackaged cyber insurance policy, similar to the process of buying a home or car insurance policy. With the explosion of ransomware attacks, the industry has been in disorder as insurance carriers and brokers process claims for damages caused by ransomware. In response to soaring claims, carriers are reducing the amount of coverage offered per policy, charging higher prices for less coverage, imposing much tighter rules on who can qualify for coverage, and cancelling policies for companies that don't meet the minimum requirements.

Policy coverages are significantly lower than they used to be, in some cases dropping from $10 million to $5 million and often lower, and many companies cannot get enough, says J. Andrew Moss, a partner at Reed Smith LLP's Insurance Recovery Group. "You have to fill in the gaps, and that's very tough because capacity has just been low or companies are priced out from buying as much insurance as they would ideally like to buy," he adds.

**Coverage Required, But Out of Reach**

For victims of a ransomware attack or a hacking attack where private information was disclosed, it can be difficult to obtain new policies. "What we usually recommend is that they undergo what we call a holistic review of their current insurance coverage," says Moss. The review includes general liability coverage, kidnap and ransom, property, first-party property insurance, and errors and omission, if they're in a professional services organization.

Some contracts and compliance regulations require that a company have a cyber insurance policy — posing a quandary for those companies that lose coverage. Without coverage, the company will find itself out of compliance or be vulnerable to a partner lawsuit for violating the terms of an existing contract. Getting some kind of cyber insurance policy often is mandatory, even if the company has other policies that could cover many of the losses a company might experience.

"It's not a comfortable time to be in business with respect to cyber risks," says Daniel J. Struck, a partner at the law firm Culhane Meadows PLLC. Characterizing today's cyber insurance market as being similar to the Wild West, Struck said he would not be surprised to see "relatively low-cost cyber insurance that doesn't cover much, but at least it provides the certificate for a contractor." He likens such "skinny" cyber insurance offerings to the low-cost, low-coverage auto insurance policies that allow drivers to meet US state auto insurance mandates.

**Bare Minimum Provides a Fig Leaf**

One benefit of a basic policy is that it could permit more organizations to obtain affordable coverage, eliminating the possibility of losing insurance and going out of compliance or violating contractual obligations.

Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security (CIS), notes that most corporate cyber insurance policies are negotiated by the corporate general counsel or outside counsel, and virtually all business policies are different. Underwriting these policies can take up to three months, he adds, due to their complexity and nonstandard clauses.

CIS offers a free self-assessment tool that helps users understand the financial impact of various aspects of a breach, including costs related to productivity, response, replacement, legal, competitive advantages, and reputation. The tool helps companies assess, report, and propose changes in cybersecurity controls based on a return-on-investment analysis, the organization says.

As all states have their own insurance commissioner and rules, Dukes suggests that companies lobby the National Association of Insurance Commissioners directly to develop national, standardized policies that would be easier for organizations to understand and manage, as well as set minimum requirements for a basic policy. A copy of the NAIC's 2022 Report on the Cyber Insurance Market can be found here, with its discussions on cyber insurance, committee actions, and resources located here.

'Skinny' Cyber Insurance Policies Create Compliance Path

Confidential computing will revolutionize cloud security in the decade to come and has become a top C-level priority for industry leaders such as Google, Intel and Microsoft. Edgeless Systems is leading these advancements to ensure all data is always encrypted.

**BOCHUM,** **Germany****,** **March 7, 2023** **/PRNewswire/ --** Edgeless Systems, a pioneering confidential computing company that is turning the public cloud into the safest place for sensitive data, today announced it has raised $5 million in its seed round led by Berlin\-based SquareOne with angel investors that include Evan Weaver (founder of Fauna), Mirko Novakovic (exit of Instana to IBM), Paolo Negri (founder of Contentful), Mathias Biilman and Chris Back (founders of Netifly).

The company is also hosting the annual Open Confidential Computing Conference (OC3) on March 15, 2023 where CTOs from Intel, Microsoft, AMD, Nvidia and others will discuss the state of confidential computing.

"Too many companies remain locked out of the cloud due to security concerns, but confidential computing technologies are poised to dramatically address this challenge in the coming months and years," said Georg Stockinger, Partner, SquareOne. "Edgeless Systems is already light years ahead of anyone else building the tools to make confidential computing easily accessible for developers in the enterprise. Its Constellation platform for Kubernetes is proof of its deep technical knowledge and first-mover position."

Edgeless Systems' flagship open source platform, Constellation and its associated tools, are already being used by hundreds of developers and DevOps engineers at companies such as Bosch, IBM and Intel, among others. Constellation is a confidential orchestration platform for Kubernetes. It leverages confidential computing to isolate and runtime-encrypt entire Kubernetes deployments, finally allowing enterprises to use the public cloud like their private cloud.

"We are turning the public cloud into everyone's private cloud," said Felix Schuster, CEO of Edgeless Systems. "By encrypting data all the time, even at runtime, and providing the best possible protection against infrastructure-based threats like malicious admins or co-tenants, Edgeless Systems can transform the way developers build and secure their public cloud workloads."

Moving workloads to the public cloud has many proven benefits but raises major compliance and data security concerns. Unfortunately, data leaks and compliance violations are realities associated with cloud transformation. Confidential computing is a hardware-based technology that shields computer workloads from their environments and keeps data encrypted even during processing. The required hardware (largely big hyperscalers) to realize the promise of confidential computing has only recently become available. Edgeless Systems has been an active driver of this emerging technology and today brings to bear both the technologies and financial backing to take it to the next level.

Edgeless Systems will use the seed funding to sustain its product lead, expand into the United States and add exciting features to its Constellation platform. It aims to be the defacto standard for 100 percent secure Kubernetes in the coming years. It will also build out its marketing and sales teams to help educate the industry on confidential computing and support advancements in this area.

For more information about Edgeless Systems, visit GitHub or get in touch for a live demo.

**About Edgeless Systems**

Edgeless Systems develops leading open source software for confidential computing to make the cloud the safest place for sensitive data. Edgeless Systems' Constellation is the first Kubernetes platform to ensure that hackers, cloud admins and foreign governments cannot access any data. The company was founded in 2020 by industry experts in Bochum, Germany, and has renowned investors and customers such as the Swiss stock exchange SIX and Bosch. For more information, please visit: https://www.edgeless.systems/

Edgeless Systems Raises $5M to Advance Confidential Computing

More than two years after a major takedown by law enforcement, the threat group is once again proving just how impervious it is against disruption attempts.

Like the proverbial bad penny that constantly keeps turning up, the Emotet malware operation has resurfaced yet again — this time after a lull of about three months.

Security researchers this week noted that the group is once again posing a threat to organizations everywhere, with malicious email activity associated with Emotet resuming early on March 7. The emails have been arriving in victim inboxes as innocuous-looking replies to existing email conversations and threads, so recipients are more likely to trust their content. Some of the Emotet emails have been landing as new messages as well.

**Very Large File & Payload**

The emails contain a .zip attachment, which, when opened, delivers a Word document that prompts the user to enable a malicious macro. If enabled, the macro, in turn, downloads a new version of Emotet from an external site and executes it locally on the machine.

Researchers from Cofense and Hornet Security who observed the fresh malicious activity described the Word documents and the malicious payload as inflated in size and coming in at more than 500MB each. Overall, the volume of the activity has remained unchanged since early March 7, and all of the emails have been attachment-based spam, the researchers said.

"The malicious Office documents and the Emotet DLLs we're seeing are very large files," says Jason Muerer, senior research engineer at Cofense. "We have not yet observed any links with the emails."

Hornet Security ascribed the large file and payload sizes as a likely attempt by the group to try and sneak the malware past endpoint detection and response (EDR) tools. "The latest iteration of Emotet uses very large files to bypass security scans that only scan the first bytes of large files or skip large files completely," according to a post by Hornet researchers. "This new instance is currently running at a slow pace, but our Security Lab expects it to pick up."

**A Malware That Refuses to Die**

Emotet is a malware threat that first surfaced as a banking Trojan in 2014. Over the years, its authors — variously tracked as Mealbug, Mummy Spider, and TA542 — have turned the erstwhile banking Trojan into a sophisticated and lucrative malware delivery vehicle that other threats actors can use to deliver different malicious payloads. These payloads have in recent years included highly prolific ransomware strains, such as Ryuk, Conti, and Trickbot.

The threat actors' preferred mode for delivering Emotet has been via spam emails and phishing, crafted to get users to open attached files or to click on embedded links to malware delivery sites. Once the threat actor compromises a system, Emotet is used to download other malware on it for stealing data, installing ransomware, or for other malicious activities such as stealing financial data. Emotet's command-and-control infrastructure (C2) presently runs on two separate botnets that security vendors have designated as epoch 4 (E4) and epoch 5 (E5)

In early 2021, law enforcement officials from multiple countries disrupted Emotet's infrastructure in a major collaborative effort that has done little to stop the threat actor from continuing its malware-as-a-service. At the time, the US Department of Justice assessed that Emotet's operators had comprised over 1.6 million computers worldwide between April 2020 and January 2021. Victims included organizations in healthcare, government, banking, and academia.

**New Activity, Same Tactics**

An October 2022 analysis of the Emotet threat group by security researchers at VMware identified multiple reasons for the group's continued ability to operate after the massive law enforcement takedown. These included more complex and subtle execution chains, constantly evolving methods to obfuscate its configuration, and using a hardened environment for its C2 infrastructure.

"Emotet has been used to deliver a range of secondary payloads," Muerer says. "While it was predominantly delivering other malware families in the past, there is evidence that the current endgame for these actors will likely be focused on ransomware."

There's nothing about the new Emotet activity that suggests that the threat group has deployed any new tactic or technique, Muerer says. The email-thread hijacking tactic and the macro-enabled Word documents are both tactics that the operators have been using for some time. And, as always, the primary infection vector remains spam and phishing emails.

"Nothing major has shifted that we are aware of," Muerer says. "Emotet remains a threat to everyone, with a disproportionately high impact on small businesses and individuals."

Emotet Resurfaces Yet Again After 3-Month Hiatus

Will stricter cybersecurity requirements make flying safer? The TSA says yes, and sees it as a time-sensitive imperative.

The Transportation Security Administration (TSA) announced a new set of cybersecurity requirements this week for airport and aircraft operators. The initiative constitutes "an emergency action," the TSA explained in a press release, urgent "because of persistent cybersecurity threats against US critical infrastructure, including the aviation sector."

This announcement comes hot on the heels of the White House's National Cybersecurity Strategy, published March 2. It's all part of a broader government effort to increase cyber resilience across critical industries.

Back in July, for example, the TSA issued near word-for-word similar requirements for the rail industry. As Robert Carter Langston, press secretary for the TSA, tells Dark Reading: "This amendment to the aviation security programs extends similar cybersecurity performance-based requirements that currently apply to other transportation system critical infrastructure."

"It's good that the TSA is codifying these requirements," says Mike Parkin, senior technical engineer at Vulcan Cyber, "though it remains to be seen how it will affect airline passengers."

**New Cyber Guidelines for Airports and Airlines**

This isn't TSA's first set of cyber rules of the road for airport and airline operators. In years prior, the TSA instituted requirements for operators to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA), establish cybersecurity points of contact, develop incident response plans, and complete vulnerability assessments.

The new set of rules states that TSA-regulated organizations must develop and assess "an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure," the agency wrote. TSA described four primary measures:

1.  Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
2.  Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3.  Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
4.  Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, noted that the guidelines are timely, and that TSA's "emergency" designation could be well warranted.

"I think it is wise of the TSA to require airport and aircraft operators to improve their cybersecurity resilience as attacks and geopolitical tension have continued to escalate over the years," he said in an emailed statement. "Airports and aircraft operators have also been caught in the cross hairs of Russian and Iranian cyber crews. This is why the aviation industry needs to protect all digital controls because they can and will be hacked. I truly believe that the cyber 9/11 is coming, which is why operators must invest in proactive cybersecurity measures."

**Will TSA's New Rules Make a Difference?**

Whether these new guidelines will make any real, material difference in airline security remains to be seen, but researchers welcomed them nonetheless.

On one hand, the details of exactly what will be considered sufficient security, from airports and airlines, and how compliance will be enforced, are still hazy. According to Langston, the details of how each organization will implement these measures "will be coordinated directly with TSA's stakeholders."

Even if airlines and airports do take heed, though, will the effects be significant? TSA's initiative "does fall in line with, and reinforces, the new National Cybersecurity Strategy document, and makes sense from multiple angles," Parkin says, but neither network segmentation nor access control, monitoring, or patching are particularly groundbreaking ideas.

As Parkin points out, "None of these requirements aren't already considered industry best practice\[s\] and things the airport authorities and airline operators shouldn't be doing already."

Kellerman, however, noted that some advanced tools fall under the broad umbrella of TSA's broader language in the requirements. Those include "micro-segmentation of networks, managed detection and response services (MDR), runtime application self-protection (RASP), and multifactor authentication (MFA) to protect against future intrusions," he noted. "They should also consider moving to secure cloud environments that deploy serverless application security. If we have learned anything from ongoing attacks, it is that cybersecurity is a functionality of conducting business, not an expense, and that TSA cannot protect operators from growing ephemeral threats."

TSA Issues Urgent Directive to Make Aviation More Cyber Resilient

Led by growth in Russia, more than 40% of global ICS systems faced malicious activity in the second half of 2022.

More than 40% of the total number of global industrial control systems (ICS) computers saw some kind of malicious attack during the course of 2022.

This volume of cyberattacks against industrial systems was led by growth in Russia, which, as a region, saw a full 9 percentage-point increase in malicious activity in 2022, according to research into telemetry statistics this week from Kaspersky. Blocked malicious scripts were a particularly common threat within the firm's data for the period, which, along with phishing pages targeting ICS, saw an 11% rise over 2021, the analysis added.

However, Russia, which saw 39.2% of the ICS machines in Kaspersky's telemetry attacked, was not the top target overall. Rather, Ethiopia took the crown with 59% of its ICS footprint seeing malicious activity.

"In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions," the Kaspersky report said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

40% of Global ICS Systems Attacked With Malware in 2022

A state-backed threat actor impersonates political figures, tricking a prime minister, a former US president, and several European mayors and MPs into video calls later used in an anti-Ukraine influence campaign.

A Russian duo notorious for pranking numerous high-profile individuals, including Canadian Prime Minister Trudeau, is at it again — this time seeking to embarrass public figures that have expressed support for Ukraine in its war with Russia.

Over the past year, the two individuals — known publicly as Vovan and Lexus — have targeted high-ranking government officials and CEOs at large companies in North America and Europe, according to Proofpoint researchers, in a campaign to lure them into saying potentially volatile things on video and phone calls. The effort seems to be in retaliation for the targets' support for Ukraine in the war with Russia. 

**An Elaborate Impersonation Con**

In a blog post this week, Proofpoint said it had observed a sharp increase in activity from the pair following Russia's invasion of Ukraine last February. Since then, Vovan and Lexus have contacted numerous prominent business leaders and politicians that have either made public statements against the war or have donated to Ukrainian humanitarian programs.

In emails to the targeted individuals, the pair have variously presented themselves as Ukrainian Prime Minister Denys Shmyhal, Ukrainian Member of Parliament Oleksandr Merezhko, and Russian opposition leader Alexei Navalny's Chief of Staff Leonid Volkov. Other emails have purported to be from the "Embassy of Ukraine to the US" and the "Embassy of Ukraine in the US," and were sent from plausible-looking, embassy-themed email addresses.

The emails have attempted to convince recipients into participating in recorded video chats and phone calls, where they are encouraged to speak on various matters associated with the war in Ukraine. In some of the video conversations, the two individuals have worn heavy makeup and likely used deepfake technology to take on the appearance of figures they were impersonating. Edited versions of the recordings have later appeared on YouTube, Telegram, Twitter, and Russian-video platform Rutube.

"Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts," Proofpoint's report said. "The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences."

**A Who's Who of Victims**

Proofpoint's report did not name any specific individuals that might have fallen for Lexus and Vovan's tricks. But researchers from the company pointed Dark Reading to publicly known examples of their work.

In one instance, the pair posed as Ukrainian Prime Minister Shmyhal and tricked former UK Home Secretary Priti Patel into a 15-minute conversation with them on the war and the related refugee crisis. The hoaxers later posted a video of them duping Patel on YouTube and other social media channels. In another campaign last June, Vovan and Lexus tricked the mayors of Warsaw, Berlin, Vienna, and Budapest into making video calls with an individual they believed was Vitaliy Klychko, the mayor of Kyiv.

Vovan and Lexus, whose real names are Vladimir Kuznetsova and Aleksei Stolyarov, have also, as mentioned, tricked Canadian Prime Minister Trudeau (into thinking he was speaking with climate change activist Greta Thunberg). Last year, they posted a video on YouTube that purported to show former US President George Bush speaking with an individual he assumed was Ukrainian President Volodymyr Zelenskyy. In May 2021, the pair tricked multiple European members of Parliament into video meetings using deepfake technology to impersonate Russian opposition leaders, including Navalny.

**A Russian State-Backed Threat?**

Researchers at Proofpoint have been tracking the two individuals since 2021 under the threat actor designation "TA499." This week, they cautioned against dismissing them merely as pranksters, as some have previously. "While Vovan and Lexus brand themselves as 'pranksters and comedians,' multiple governments and officials deem the pair to be Russian, state-funded bad actors," Alexis Dorais-Joncas, senior manager for threat research at Proofpoint, tells Dark Reading.

Proofpoint has not been able to confirm the level of government involvement with the pair, but the company has determined from open source intelligence that the two actors are likely state encouraged and patriotically motivated. "It's fair to consider Vovan and Lexus as 'influencers' or 'propagandists,' as they deem to influence the political nature of Russia as a whole and reach an English audience through various methods," Dorais-Joncas says.

"TA499's elevation to state-aligned activity is due to the targeted nature of its campaigns, utilization of actor-controlled domain infrastructure, \[and\] multiple VoIP fake phone numbers for separate recipients," he notes. 

The two individuals perform reconnaissance to target both directly and via the close contacts of selected targets, and presents a risk to organizations, the researcher says. "These things combined with their specific focus on Russia-aligned propaganda, make them a state-aligned threat."

Proofpoint assessed with high confidence that TA499 will continue with its influence campaign, and likely reuse old or additional infrastructure to do so. The primary target continues to be C-level executives or those at the highest-profile positions at their respective organizations. 

The security vendor posted a list of email addresses that the duo has used so far in their campaigns and advised anyone who has reason to believe they could be targeted to verify the identities of people inviting them to discuss political topics.

Russian Influence Duo Targets Politicians, CEOs for Embarrassing Video Calls

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is "truly polymorphic" in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

"Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns," the HYAS Labs researchers wrote. "But in practice, this is very rarely the case."

They tested the attack against an EDR system that was not identified specifically, but characterized as "industry leading," often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

"MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems," they wrote. "Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration."

Moreover, because BlackMamba's delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.

**What This Means for Modern Security**

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real," the researchers wrote in the post. "By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today's predictive security solutions."

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they're doing everything in their power to detect and prevent malicious activity. However, BlackMamba's use of AI now demonstrates that "they are not foolproof," the HYAS Labs researchers noted.

"The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene," they wrote.

The security landscape will have to evolve alongside attackers' use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it's imperative that organizations "remain vigilant, keep their security measures up to date," they advised, "and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space."

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

For International Women's Month, new ongoing initiative is aimed at celebrating women and bringing visibility to those making cybersecurity history.

**Mountain View, Calif., March 8, 2023 –** Lacework®, the data-driven cloud security company, in celebration of International Women’s History Month, today announced the launch of a new ongoing initiative, “Secured by Women,”  to honor, bring visibility to, and increase opportunities for the women making history in today’s cybersecurity landscape. 

Despite comprising nearly half of the workforce, women only account for 38% of those in the STEM industry and 25% in the cybersecurity industry, according to Cybersecurity Ventures. Secured by Women not only celebrates the groundbreaking women shaping modern security, but is also designed as an ongoing initiative to help more women secure a seat at the table, a voice in the decision-making process, and all the opportunities they deserve. 

“In the security industry, we often talk about visibility – how to increase visibility into our technology environments to better see and understand our risks and potential threats. In that same spirit, now is time to increase visibility for the incredible women in the space who are leading, innovating, and revolutionizing modern security, ” said Sowmya Karmali, Director of Product Management, Lacework. “With this ongoing initiative, we hope to shine a light on this and create more urgency around increasing opportunities for women in security to showcase their amazing contributions and capture leadership roles.” 

On March 23, five women, nominated by their peers for making an impact in cybersecurity, will be selected as the first Secured by Women leaders. Lacework will sponsor each individual to attend one of the following upcoming major security conferences: RSA, Black Hat USA, Black Hat EMEA, or AWS re:Invent. Those recipients unable to attend a conference will be awarded the opportunity to donate the value of this sponsorship to a charity of their choice. And for every nomination submitted, Lacework is donating $1 to Girls Who Code. 

Do you know a brilliant woman in cybersecurity who's making history? Now's your chance to give her the recognition she deserves. Nominations open today, International Women’s Day, and will be open until Monday, March 20th, 5PT.  Submit your nominations today on SecuredbyWomen.com! 

Resources: 

*   Learn more from Lacework CMO Meagen Eisenberg on Secured by Women. 
*   Celebrate the rise of the CISO with us! 
*   Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

**About Lacework **

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s cloud and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

Lacework Launches Secured by Women Initiative

Organizations in both industries are falling short when addressing new challenges to protect data in the cloud, finds Blancco report.

**AUSTIN and LONDON – March 8, 2023**—New research launched today by Blancco Technology Group (LON: BLTG), the industry standard in data erasure and mobile lifecycle solutions, reveals the extent to which healthcare and financial services organizations have embraced cloud, as well as the effects cloud adoption has had on data classification, minimization and end-of-life (EOL) data disposal.

Based on a global survey of 1,800 respondents, the study, _Data at a Distance__,_ found extensive cloud adoption, thanks to the ease of managing increasing volumes of data. However, 65% say the switch has increased the volume of redundant, obsolete or trivial (ROT) data they collect.

Increasing volumes of stored data brings with it many issues and is of growing concern for organizations operating in heavily regulated markets. In addition to regulatory noncompliance risks, there are the cost and sustainability impacts of storing this data, as well as security concerns—more data means a greater attack surface and more liability in case of a breach.

Data management best practices indicate that organizations need to know what data they have collected, including its value, where it’s stored and when it needs to be permanently erased. Yet just over half of organizations (55%)can boast a mature data classification model that determines when data has reached EOL—meaning that nearly half fall short when it comes to determining when to dispose of cloud-stored data.

When asked about their cloud approaches, 60% of respondents said that their cloud provider handles EOL data for them. However, more than a third (35%) do not trust their cloud provider to appropriately manage EOL data on their behalf.

“Healthcare and financial services providers handle some of the most confidential and sensitive information possible. While they have made the move to cloud for better connectivity, digital transformation and ease of managing data, many of them are still falling short when it comes to knowing how to reduce risk and maintain compliance when that data is no longer serving a business function,” said Jon Mellon, President Global Sales, Marketing and Field Operations at Blancco.

“Covid changed working norms for all industries, and adopting the cloud helped adapt to those changes. But hackers also changed their approach. The industry reported that 45% of breaches that occurred in 2022 were cloud based. Yet our research found multiple instances of insufficient practices for managing EOL data in the cloud.”

**According to Blancco’s global study of 1,800 healthcare and financial services respondents:**

*   65% of organizations feel that they can better manage EOL data on premises than in the cloud
*   63% use software-based erasure with an audit trail for managing all data – both on-premises and cloud, but a worrying 38% carry out erasure without an audit trail
*   91% of those surveyed recognize data classification as an important first step for achieving data security
*   36% are just beginning to implement a policy for data classification and minimization, with nearly one in ten yet to implement any such process

Regular assessment of data and setting retention periods is a critical and growing concern as regulatory requirements increase for the healthcare and financial services industries. The study found that 57% of organizations have a data schedule where they review different data types to determine whether data has reached end of life. But just over a quarter (28%) use the blunt approach of automatically setting a data expiration date, which is simple but ineffective: it does not consider what the data is, what it’s worth, or the risk of it getting into the wrong hands.

Healthcare and financial services organizations are, however, aware of the new challenges for managing EOL data in the cloud. In fact, 65% have found it necessaryto reassess how they determine what data is no longer needed since making the switch from analog to digital. But in addition to falling short when it comes to data classification and minimization, a worrying 59% of respondents reported using processes without verified data destruction at least some of the time to deal with at least some of their EOL data. This can leave data intact and retrievable without a proper audit trail to prove proper EOL data disposal.

Best practice that may have been in place in on-premises data centers can be left behind when organizations migrate their data to the cloud. While it is standard for cloud providers to refer to data deletion or destruction processes within user agreements, the practice of receiving clear assurances that specific sensitive data has been removed for good is still in its infancy, leaving highly regulated industries vulnerable to both regulatory noncompliance and unauthorized data access threats.

Rapid covid-generated cloud adoption is bringing to light the need for organizations to rethink ownership of their data in a heavily regulated and threat-saturated market. The report lists best practices that will guide these and other data-dependent industries towards ensuring regulations are met and that they can continue to protect both themselves and their customers.For full analysis, read the report here: https://www.blancco.com/data-at-a-distance.

Source

DARKReading