A February 2022 attack knocked the giant tire maker's North American operations offline for several days.

As a CISO that helped his company navigate through the aftermath of a crippling ransomware attack last year, Bridgestone Americas' Tom Corridon says his biggest advice for other organizations is to designate key decision-makers for handling such crises before they happen.

Not having a clear-cut line of action at the executive level in advance can exacerbate the consequences of a cyberattack and allow the attacker an opportunity to create more damage, Corridon said in an interview at Accenture's third annual virtual OT cybersecurity summit last week..

"When you want to pull a lever, when you want to make a decision about disconnecting networks, or paying a ransom, who makes those decisions?" Corridon said. "To know that going in is really, really important because then you are not caught flatfooted. You are not caught looking around the room going, 'is that you, or is that me?'"

The February 2022 ransomware attack on Bridgestone led to the tire giant to shut down its networks at manufacturing and retreading facilities in North America and Latin America for several days. The well-known ransomware group LockBit 2.0 later claimed credit for the attack and announced plans to publicly leak data accessed from Bridgestone's systems if the company did not comply with the group's ransomware demand.

Bridgestone later disclosed that the cyberattackers had accessed business records as well as files containing Social Security numbers, bank information, and other sensitive data on some of its customers. But the company has released no other details of the attack since then, including whether it paid the LockBit gang a ransom or not. 

The attack was one of several last year that affected operating technology (OT) networks at industrial and manufacturing companies in the US and elsewhere. A second-quarter 2022 analysis of ransomware attacks from Dragos showed most attacks (68%) on industrial organizations targeted the manufacturing sector.

**Tabletop Exercises for Executives**

Corridon's interview at the Accenture virtual event steered clear of the details of the attack, the damage it had caused, and the recovery effort. However, it focused on several lessons the company was able to take away from the attack. The biggest, according to Corridon, is knowing who makes crucial decisions during an unfolding crisis, and how.

Corridon advocates that organizations that do tabletop exercises for their technical team need to have a parallel scenario-based exercise that involves key executives and decision-makers. Just like incident management processes have two threads — one technical and one for executives — so, too, should tabletop exercises.

Another key consideration is that the executives in charge of making critical decisions during a ransomware attack need to be comfortable making them without a lot of data. 

"They need to be comfortable making decisions in the moment that are going to feel like gut decisions or rash decisions," Corridon noted. "But we need to be prepared for that because the longer you sit on a decision and you analyze it and think it through and wait for that perfect decision to land in your lap, the more time the threat actor has to go further into your environment and do more damage."

**Never Let a Good Crisis Go to Waste**

According to Corridon, who was interim CISO at Bridgestone when the attack happened, one silver lining with major security events is the heightened awareness and willingness to change that it can foster. In the year since the attack, Bridgestone has implemented security changes that would otherwise have taken years to convince executives of, push through, and enable, he said.

He advised that security teams take a never-let-a-good-crisis-go-to waste approach to push through change, if they are unfortunate enough to experience a major security breach. 

"In an incident, your executives have a front-row seat to the action," Corridon said. "So, they are walking away with a better understanding of terms they never wanted to understand or wanted to know." 

That heightened awareness and understanding often means they are more prepared to give security teams the money and resources they need to implement a stronger security posture moving forward. "They are prepared for change \[because\] they have a taste in their mouth of a bad experience," he says.

Similar change can be harder to achieve in the lower echelons, where concerns over everyday jobs and goals can quickly relegate security concerns to the backburner once an immediate crisis has passed, Corridon acknowledged. Therefore, it's important to always keep cybersecurity a relevant and top of mind topic for employees. In much the same way that OT environments emphasize physical safety precautions, organizations need to make cybersecurity a part of the daily routine for employees.

One way to begin getting stakeholders to think differently about cyber resilience is to stop describing breaches and attacks as security incidents. "An incident is when you trip and fall or somebody unplugs something by accident," he said. A ransomware attack, on the other hand, is a criminal act against the company. 

"Having that reframing of thought can go a long way," Corridon said. "The words you use as you are going through the event and actually recognizing it as a crime against the organization is a first step."

Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking

Shorter certificate lifespans are beneficial, but they require a rethink of how to properly manage them.

On March 3, Google (via The Chromium Projects, which it controls) proposed a plan to drastically shorten the lifespan of Transport Layer Security (TLS) digital certificates, from 398 days to 90 days. This will spur significant changes in how organizations manage their certificates, particularly regarding automated processes.

The proposal by the open source body behind the Google Chrome browser and Chrome OS, included in a road map called "Moving Forward, Together," is a positive step toward ensuring more reliable, robust Web operations. But it will require companies and other organizations to significantly transform their certificate processes.

The lifespan of digital certificates has fallen steadily over the past decade, from five years in 2012 to a little more than two years in 2018 to 13 months, or 398 days, in July 2020. The shorter lifespans help ensure the accuracy of digital identities, especially in a cloud-based computing environment where websites and services are constantly being spun up or down to accommodate changing demands and priorities.

Google said the proposed changes would allow for faster adoption of improvements, such as best practices and new security capabilities, and encourage organizations to move away from time-consuming and error-prone manual processes. The resulting move toward automation would also better prepare organizations for the advent of post-quantum cryptography.

**A Wake-up Call for Certificate Monitoring**

If adopted, the Chromium Projects' proposal to the CA/Browser Forum — a consortium of certification authorities (CA), browser makers, and others — would most likely take effect by the end of 2024. And although the changes are not set in stone, the prospects of a considerably shorter lifespan should serve as a wake-up call for organizations. They need to get greater control and visibility over their public keys and certificates, because the proposal is a sure sign that the game has changed.

The five-year life of certificates from a decade ago reflected a different time, when teams could get a certificate for, say, a Web server and then pretty much forget about it. They never developed a routine for checking to see if certificates were about to expire or for renewing them, which could lead to certificate-related outages. The eventual shortening of certificate life to 398 days helped put teams on a schedule they could get comfortable with, checking regularly for expirations.

As organizations expand in the cloud, visibility of TLS (also known as Secure Sockets Layer, or SSL) certificates is critical. And the layered, increasingly complex environments in the cloud are beyond the ability of teams to keep track of manually. Now, with the proposed new validity period, it's about automating the process.

Currently, organizations dedicate their resources to the people and processes necessary for installing certificates. In the near future, they'll need people and resources for automating the process, which will involve programming and maintaining new software. The focus will shift somewhat from knowledge of public key infrastructure (PKI) — which is at the core of TLS — to internal infrastructure knowledge.

**Centralized Monitoring Is Critical**

To manage the certificate workload, organizations will need to centralize certificate monitoring in order to easily identify certificates that are about to expire. Without a centralized view, it's still possible to spin up a server, get a certificate for it, and then forget about it, which can lead to disaster. A 2022 Ponemon Institute study found that half of respondents had suffered at least one certificate-related attack in the previous two years, and that 58% of them described the financial consequences as "severe."

Centralized monitoring also involves more than checking expiration dates on certificates. Organizations also will need to monitor how certificates are being used on their servers. It's not uncommon for certificates to be deployed to the wrong servers, leaving some servers without the certificates they need for their workloads. In a small company with a handful of employees, everyone may know what's running where. But in a 5,000-person enterprise, it can be impossible to keep track of it all without a centralized view.

The interconnected nature of business operations may also require that TLS visibility extend to supply chains, because a compromise of even a small system within a connected environment can have a huge impact on operations. Organizations may want to consider the advantage of outside monitoring services, rather than keeping everything in-house.

**Looking Ahead**

The full impact of the Chromium Projects' proposal has yet to be determined. There seems to be a couple of gray areas, such as whether it might apply to Internet of Things devices such as, for example, security cameras that also use certificates, or if it's limited to just Web servers.

But no matter what happens with the proposal, it reflects the reality of today's environment. Shorter certificate lifespans are beneficial, but organizations will certainly need to rethink how they can properly manage them.

Enterprises Must Prepare Now for Shorter TLS Certificate Lifespans

Security vendors, businesses, and US government agencies need to work together to fight ransomware and protect critical infrastructure.

Cyber threats have a long reach. What seems like a low-level cyber incident can have a larger ripple effect, impacting millions of innocent people. A password breach that occurs in a private company, such as Colonial Pipeline, can end up taking down sections of the critical infrastructure, for example. The line between attacks on the public sector and private interests are blurring, and now, with new directives and initiatives from the Biden administration — along with new departments within federal agencies — the government seems committed to collaborating with companies to address emerging cyber threats.

Both government agencies and private vendors already see the value in building partnerships.

"Partnering with the private sector is critical for advancing our mission of accelerating commercial adoption of technology across many sectors, especially in cybersecurity," says Pat Gould, director of the Defense Innovation Unit (DIU) Cyber Portfolio.

The private-sector view is similar — the need to collaborate is critical, and it is about time that efforts are being made to facilitate such a partnership. Initiatives like the National Cybersecurity Strategy, for example, are bringing in private-sector security vendors to share threat information or provide solutions and tools that are beyond government scope.

Mick Baccio, global security advisor with Splunk, admits the ability to work together has been hindered by the private sector's inherent distrust of government, especially as administrations and congressional leadership change.

"Building credibility is tough to do in this atmosphere," says Baccio, "but thanks to a push by the current administration, the continuity that cybersecurity and the private-public partnership needed is finally in place."

Executive orders with guidelines to facilitate improved security across the supply chain, for example, can be canceled the moment a new president takes office. The Cybersecurity and Infrastructure Security Agency (CISA) is one of the government agency's attempts to bake public-private cybersecurity efforts into its mission.

**Government's Role in Collaboration**

A few agencies are uniquely set up to focus on collaboration with the private sector. Beyond its high-profile work in keeping voting systems safe, CISA is responsible for securing critical infrastructure in cooperation with companies.

The FBI has worked closely with both public and private entities for years, but as cybercrime — particularly ransomware — ramps up, so too has the outreach from the FBI to the private sector.

Many other agencies also have similar security-related outreach built in, like the Department of Energy. Because many areas of the energy critical infrastructure are owned and operated by corporations, the department needs to build partnerships not only to keep the infrastructure safe but also to prevent disinformation and misinformation that could cause a national panic. (The Colonial Pipeline cyber incident is a prime example, when poor communication led to gas shortages on the East Coast two years ago.)

The Cybersecurity Collaboration Center (CCC), part of the National Security Agency, was established three years ago, and it signifies a shift in how the government works with private-sector vendors to share information and expertise to scale mitigations, according to the center's chief, Morgan Adamski.

"We're looking at the quality of our relationships over the quantity," Adamski said during a 2023 RSA Conference panel on public-private partnerships. She said CCC will share threat analytics with cybersecurity companies that have the broadest outreach, which could provide protection for billions of customers.

However, some argue that this trickle-down information sharing hampers security efforts.

"The argument is that working with fewer but larger vendors will minimize the chance of leaks while protecting the most people because they'll have more threat intel to share," wrote Mike Wiacek, founder and CEO of Stairwell, in a Dark Reading article. "But I would argue that making the research collaborations more inclusive would not only level the playing field among vendors but also increase the diversity of threat intel sources and apply more human expert intelligence to the problems."

**What Private Vendors Bring**

Innovation comes from small companies, which file more than 14 times more patents in the US than larger businesses and universities do. Government and large enterprises rely on strategic partnerships with smaller security vendors to build out their cybersecurity programs.

Government is more than federal agencies, says Merlin Cyber CEO David Phelps. States, counties, and especially municipalities don't have large budgets or staffing to manage cybersecurity needs.

"They need the outreach to the private sector to help address cybersecurity concerns," Phelps says.

Vendors may have a better — or at least different — view into the threat landscape and can work quickly to come up with the right tools or solution for a government entity at a more affordable rate than is charged to the private sector. Not only can community governments take advantage of the lower cost, but because they are using an approved government vendor, they now have federal oversight.

Having similar tools, knowledge base, threat landscape, and product behavior as businesses gives CISA a broader view of what's happening across a larger swath of the critical infrastructure.

"By actually having government entities of all sizes using the same platforms, threats will be a lot more visible as an ecosystem," says Phelps.

The value of having partnerships like this is having a private sector that has the flexibility and funding to investigate threats in ways that the government can't. Larger businesses within the private sector can invest in startups that are developing cutting-edge technologies. This agility and scalability are among the most important contributions the private sector provides.

**United Against Ransomware**

The fight against ransomware is a good example of a public-private collaboration. The FBI actively works with private vendors to not only identify ransomware, but also to defend against ransomware crime rings and nation-state actors. Partnering on this type of attack works well because ransomware attacks tend to have a lot of similarities.

"Because all of the actors use the same tools and services, all of our options increase," explained Cynthia Kaiser, deputy assistant director with the FBI, during the RSA panel.

For example, in 2019 government agencies learned that a global Russian-distributed botnet was using a US company to implant malware in millions of devices. The FBI worked closely with that company and different government agencies to find a solution to counter this malicious activity and cut off the command-and-control infrastructure of the global botnet before it could do any more damage.

When an incident occurs, the most vital pieces of information come from the victimized organization. The victims become partners with government agencies, sharing details about what happened and what they continue to see happening in their networks. The government agencies gather that information and help the companies put the threats into context.

"A key part of collaboration is that it is bidirectional, and it's critical that people come early and often to that trusted relationship to have the \[cybersecurity\] conversation," CCC's Adamski said.

Improving Cybersecurity Requires Building Better Public-Private Cooperation

The climate of concern around open source security and supply chain attacks may have caused a small story to become a big one.

Following a temporary suspension of all new users and package uploads, the Python Package Index (PyPI) repository is back up and running. Many noted that the culprit was the flooding of the site with a glut of malicious packages -- but a PyPI administrator noted that there was no unusual glut, simply fewer people than usual to address the usual glut.

PyPI is the official software repository for Python, serving over 700,000 users and over 450,000 projects, according to the site's homepage. Its popularity has attracted not just developers but hackers who like to upload malicious packages as a first step in supply chain breaches.

Beginning Saturday afternoon (UTC), PyPI temporarily suspended new user and project registrations. "The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the site's admins wrote in an incident report.

The statement raised eyebrows across the security community, with many news sites reporting the site as falling victim to either an anomalous wave of malicious activity or even an outright cyberattack. And, the research firm Checkmarx in a blog characterized the situation as part of an uptick in “actors publishing overwhelming amounts of malicious packages in several open-source registries.”

But Ee Durbin, director of infrastructure for the Python Software Foundation, tells Dark Reading that the actual circumstances of the shutdown were much less dramatic than they were made out to be.

"This weekend was just a matter of human capacity," Durbin says. "Effectively, there was just one PyPI admin available to handle reports out of the usual three, and they (I) needed a weekend."

As of the evening of May 21 (UTC), PyPI was once again operating as usual, with its administrative team available in force.

**Why We Worry About Open Source Software Repos**

At least some portion of the hubbub around PyPI's 30-hour shutdown can be explained by growing fears around the state of open source security.

"We've seen the number of attacks skyrocket over the past two years," says Peter Morgan, co-founder and CSO of Phylum. In the first quarter of 2023, Phylum analyzed 2.8 million packages published to popular repos like PyPI, npm, and Nuget, 18,016 of which executed suspicious code upon installation, 6,099 referenced known malicious URLs, and 2,189 targeted specific organizations.

Malicious packages run so rampant today that some hackers hardly feel the need to hide them anymore.

"More and more attackers are realizing how easy this is to do. It doesn't require any skill. You can download scripts off of the Internet and use them to pollute the open source supply chain," Morgan explains. "Also, it's costless. You don't need to spend any money. You can do it for free with anonymous accounts."

With software today, Morgan continues, "there are so many dependencies. All an attacker has to do is get one foot in the dependency chain to get a hold in your computer. So the defender \[has a\] massive disadvantage here. The attacker only has to win once."

By contrast, organizations that utilize open source software — read: _all_ organizations — have a far more difficult time defending against even such low-level attackers, prompting calls for better package inspection, the development of new tools to track dependencies, and software bills of materials (SBOMs).

Those in charge of maintaining the repos acknowledge these issues as much as anybody. "Regular caution should always be exercised when installing from a public index, whether in your projects or on the command line with 'pip install,'" Durbin says.

**Repos Make Changes to Battle Malicious Packages**

Historically, repositories have struggled to keep up with their far more numerous adversaries. To assuage concerns, though, Durbin tells of how "we have exciting developments that will allow for much more sustainable and potentially automated handling of malware reports coming soon."

The Python Software Foundation also recently added a security developer-in-residence role, meant to improve Python security at large. And just a couple of weeks ago, Durbin announced that PyPI will bring on a safety and security engineer, whose job will be to focus on PyPI's security in particular.

Supply chain security in years to come will turn on our ability to keep public repos clean and protect ourselves when they're not. "Everyone is very, very focused on finding things that have vulnerabilities," Durbin concludes, "but software vulnerabilities are not what attackers are using to break into computers today. They're creating malicious packages."

PyPI Shuts Down Over the Weekend, Says Incident Was Overblown

The technology conglomerate has until later this year to end its transfer of European user's data across the Atlantic.

Meta, owner of Facebook and Instagram, has been fined $1.3 billion (€1.2 billion) for violating the European Union's General Data Protection Regulation (GDPR) by the Irish Data Protection Commission, for the transfer of EU users' personal data to US servers.

This penalty is the biggest that's been dealt out after the European Union's strict data privacy policies went into effect in 2016; this fine far surpasses even Amazon's previously record-breaking $808 million (€746 million) tab in 2021 due to data protection violations.

Because the European Court of Justice nullified the Privacy Shield, the EU and the US continue to search for alternatives on a new data flow. Privacy Shield originally served as a data transfer mechanism under the GDPR, enabling participating companies to meet the EU requirements for transferring personal data to third countries. Though a replacement is expected later in the year, there are multiple multinational companies, including Meta, that illegally rely on the former agreement — specifically with the use of standard contractual clauses.

"The fine regarding a GDPR violation serves as a stark reminder of the importance of data protection in today's dominant digital landscape and the consequences organizations may face if they fail to meet these obligations," Eduardo Azanza, CEO of Veridas, said in a statement in response to the announcement. "The GDPR is designed to safeguard the rights and privacy of individuals. Thus, it's fundamental for organizations to respect these laws and regulations to not only maintain customer trust and confidentiality but to also avoid such public scrutiny and reputational damage."

Meta has a deadline of Oct. 12, 2023, to cease its reliance on standard contractual clauses for data transfers of users' private data.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations

The purchase gives IBM access to a new category of products called "data security posture management" for security data in cloud and SaaS repositories.

IBM's purchase of Polar Security for an undisclosed sum on May 16 has focused attention on an emerging market space that, until recently, didn't even have a formal name associated with it.

Polar is among an increasing number of startups — many based in Israel — that offer a new class of tools, built to accomplish "data security posture management (DSPM)." They help organizations discover, monitor, and secure sensitive data across hybrid and multi-cloud environments. To that end, IBM will integrate Polar's technology with its Guardium portfolio of data security products. 

The Polar acquisition is the company's fifth so far this year.

**Data Classification in the Cloud**

The key selling point of products from Polar and companies like it, is their ability to automatically classify discovered data in these environments (in addition to monitoring user access and discovering threats to the data) — so security teams can protect it better. Many of the technologies, including Polar Security's DSPM platforms, are agentless and have the claimed ability to automatically discover sensitive data in minutes and to classify them into categories such as PII, PHI, and PCI.

Gartner, which gave the category its name last year, describes DSPM products as enabling organizations to discover shadow data — structured and unstructured — in repositories across cloud service providers, data lakes, and SaaS environments. The analyst firm has predicted that more than 20% of organizations will deploy a DSPM capability by 2026 because of "urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.”

IBMs purchase of Polar gives the company immediate access to technology that will help it compete in the market segment with a growing number of pureplay vendors, and vendors expanding into the space from other markets such as cloud security posture management and cloud DLP. Examples of pureplay DSPM vendors include Laminar, Cyera, and Dig, while Wiz, Varonis, Orca — and now IBM — are all vendors that have added DSPM to their technology portfolio over the past year.

**A Vibrant DSPM Market**

Richard Stiennon, chief research analyst at IT-Harvest, says his firm currently tracks over a dozen vendors in the market. "DSPM is a vibrant space with at least 16 players," Stiennon says. 

Polar, which launched in 2021, was in the middle of the pack with about 30 employees at time of purchase he notes, adding, "IBM Tech Fund had participated in the $8 million seed funding, so they have had visibility into Polar for at least 16 months." Among the larger vendors in the space are Wiz, Laminar with about 95 employees, and Cyera with a headcount of some 75, Stiennon says.

A lot of the enterprise interest in the space stems from growing concerns over data exposure in cloud and SaaS environments. Just like shadow IT is a problem, shadow data — or sensitive data in cloud databases, AWS S3 buckets, and other repositories stored across multiple environments — has become a real and pressing problem for many organizations.

"Sensitive data discovery and classification has become a top priority \[for organizations\]," says Justin Lam, an analyst with S&P Global Market Intelligence. A recent survey of technology decision makers that the analyst firm conducted showed that for many organizations, DSPM has become a top technology priority for 2023, he adds. 

"A lot of enterprises are waking up to the fact they need to find out what data they have in the cloud," Lam says. "How do I find out what it is, how risky it is, what kind of non-public info is out there in the cloud. These are all huge concerns."

**IBM's Cloud Security Investment: Triggering a Landgrab?**

Analyst firm Omdia expects the IBM acquisition of Polar to push other technology heavyweights into the space as well. As has often been the case with new technologies, a lot of the initial proponents of DSPM are startups. But that could change quickly as bigger players move into the space. 

"We have seen such landgrabs before — in data leak prevention in the mid-2000's, cloud access security brokers in the mid-2101's, and cloud security posture management later in the last decade," says Rik Turner, analyst with Omdia.

Turner describes the DSPM market as still largely immature or moving just beyond that phase. To date, it has been all about startups, many of them from Israel, raising early rounds of venture capital money and starting to evangelize about DSPM. Until Gartner came up with a name for the category, many of the players in the space were positioning themselves as providing cloud data posture management and DSPM together, he says.

IBM's purchase has raised the profile of DSPM as a technology and potentially puts other cyber industry majors in the market to buy one of Polar's competitors. Already, there are some rumors that Laminar is in talks with a potential buyer or two, Turner says. 

"Now, alongside the startups, we have not only Big Blue jumping in but also CSP vendors like Orca and Wiz, both of whom are adding some DSPM capabilities," Turner notes. "It may be too early to see IBM's acquisition of Polar as the tipping point, but if Laminar does indeed go to one of the bigger beasts, the land grab really will have begun."

IBM's Polar Buy Creates Focus on a New 'Shadow Data' Cloud Security Area

Techniques used in cyber warfare can be sold to anyone — irrespective of borders, authorities, or affiliations. We need to develop strategies to respond at scale.

The Russia-Ukraine war has taught us a lot about cyber warfare. After all, it's the first time ever that a world-class cyber power is simultaneously engaged in a kinetic war. But before we can fully grasp the lessons that have surfaced over the past year, we first have to understand what role cyber plays as part of active kinetic warfare, as well as the criteria that determines its effectiveness.

**Breaking Down Cyber in Warfare**

The main roles of cyber in warfare include: 1) espionage, 2) sabotage, 3) propaganda, and 4) disruptions usually caused by distributed denial-of-service (DDoS) attacks targeting government, electrical, and economic/financial institutions. I believe cyber warfare is two parts information warfare using cyber tactics and techniques and one part cyber warfare with actual destruction.

Cyberattacks with strategic or military implications can include the manipulation of software, data, knowledge, and opinion to degrade performance and produce political or psychological effects. Introducing uncertainty into the minds of opposing commanders or political leaders is a calculatable military objective. Manipulating public opinion to damage an opponent's legitimacy and authority in both domestic and international audiences also is valuable. Some actions may provide only symbolic effect aimed at a domestic audience, but this too is valuable for a nation at war.

So, how can we judge the effectiveness of cyber warfare attacks? My more than two decades of experience serving as an FBI agent taught me that the criteria for success in deploying cyber offensive tactics lies across five areas:

*   Creating chaos
*   Collecting intelligence
*   Driving narratives to shape opinions (disinformation)
*   Inflicting damage to data or ecosystems
*   Stealing/exfiltrating victim data for extortion and/or sale to criminal data brokers

**Cyber Warfare in the Russia-Ukraine Conflict**

Russia has largely been cited as an "aggressor" in its conflict with Ukraine. But it is important to remember that because cyber knows no boundaries, any country or hacktivist group can join the battle with impunity — it is one of the ways cyber is fundamentally different from traditional warfare, and a dynamic that both sides have benefited from and been victimized by.

Russia holds a broad definitional concept of information warfare, which includes intelligence, counterintelligence, deceit, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, degradation of information systems, and propaganda.

As used by the Russian military, cyber power is a key facet of hybrid warfare and is an important enabler in the Russian political strategy to oppose NATO's expansion and cohesion. Cyberattacks can be targeted specifically toward and with the purpose of eliminating key networks but also can be used as a tool to intensify the fog of war by sowing confusion within command-and-control networks. If local political and military leaders can't get ahead of and develop an accurate estimate of quickly developing events, critical hours or even days can be gained with which an adversary can create facts on the ground that cannot easily be reversed. As part of its military campaign, Russia used myriad cyberattacks against computers in Kyiv, Poland, the European Parliament, and the European Commission prior to rolling tanks across the Ukraine border.

Here are just a few examples of cyber warfare tactics used in the Russia-Ukraine conflict:

*   The Russians targeted Viasat, a US satellite communications company that provided support to the Ukrainian military, with malware designed to erase its data before disabling it. The Russians did not limit the malware's scope, and it affected other ground satellite components, causing hundreds of thousands of people outside of Ukraine to lose electrical power and Internet connection.
*   A cyberattack against the City Council of Odessa, a major Ukrainian port city situated on the Black Sea, was timed to coincide with a cruise missile attack that was meant to disrupt Ukraine's response to Russian forces attacking in the south.
*   Cyberattacks also have been launched against many parts of Ukraine's infrastructure and government and civilian networks, including hospitals.
*   Ukrainian military units have created bogus dating websites for Russian soldiers, coupled with social media platforms, to lure Russian troops to use their personal mobile devices — at which point Ukrainian troops triangulate their location so they can use a drone to drop a bomb on their geolocated positions.

Even though Russia is considered one of the most dangerous cyber-nation-state actors, the use of cyber warfare tactics against Ukraine leading up to and currently during their one-year-old unprovoked war shows that offensive cyber techniques, when used as a separate warfighting domain, does not necessarily offer magic solutions and miraculous shortcuts to achieving strategic military goals. Similar to when the Russian Army deployed cyberattacks against Georgia in 2008 and Syria after that armed conflict, when the Russia-Ukraine war ends, we will have another example for history to judge the effectiveness of Russian cyber-enabled warfare.

**Lessons Learned So Far**

Cyber warfare is real, and it is playing out in various theaters across the world — some visible, as in the Russia-Ukraine conflict, and others behind-the-scenes. There will be many lessons learned from these actions, but here are a few takeaways we have so far:

*   The effects of cyberattacks are difficult to contain when not coupled with kinetic military activity. The effects most always extend far beyond the intended target and can be used more as a strategic weapon as opposed to a tactical or precision weapon.
*   Attribution of cyberattacks is difficult and more easily denied. Cyber warfare sits in a gray zone, as it can be used by state and non-state actors, with fewer inhibitions than kinetic strikes.
*   With the use of non-state or patriotic proxies, cyberattacks are less manpower-intensive than kinetic attacks but certainly require more skills to prepare and execute and can be just as devastating to the victim's infrastructure.

There is no question that cyber power is being wielded as a strategic weapon alongside the use of kinetic force in the Russia-Ukraine conflict. And cyber warfare allows power and force to be democratized and sold on the Dark Web, available to anyone with technical skills — irrespective of borders, authorities, or affiliations. Because of this, we must start to think ahead of the threat and develop strategies to respond to these challenges at scale.

Cyber Warfare Lessons From the Russia-Ukraine Conflict

**Woburn, MA – May 19, 2023 –** Kaspersky researchers have provided further details on the CommonMagic campaign, which was first observed in March targeting companies in the Russo-Ukrainian conflict area. The new research reveals more sophisticated malicious activities from the same threat actor. The investigation identified that the newly-discovered framework has expanded its victimology to include organizations in Central and Western Ukraine. Kaspersky experts have also linked the unknown actor to previous APT campaigns, such as Operation BugDrop and Operation Groundbai (Prikormka).

In March 2023, Kaspersky reported a new APT campaign in the Russo-Ukrainian conflict area. This campaign, named CommonMagic, utilizes PowerMagic and CommonMagic implants to conduct espionage activities. Active since September 2021, it employs a previously unidentified malware to collect data from targeted entities. Although the threat actor responsible for this attack remained unknown at the time, Kaspersky experts have persisted with their investigation, tracing the unknown activity back to forgotten campaigns in order to gather further insights.

The recently uncovered campaign utilized a modular framework called CloudWizard. Kaspersky’s research identified a total of 9 modules within this framework, each responsible for distinct malicious activities such as gathering files, keylogging, capturing screenshots, recording microphone input, and stealing passwords. Notably, one of the modules focuses on exfiltrating data from Gmail accounts. By extracting Gmail cookies from browser databases, this module can access and smuggle activity logs, contact lists, and all email messages associated with the targeted accounts.

Furthermore, the researchers have uncovered an expanded victim distribution in the campaign. While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine.

After extensive research into CloudWizard, Kaspersky experts have made significant progress in attributing it to a known threat actor. They have observed notable similarities between CloudWizard and two previously documented campaigns: Operation Groundbait and Operation BugDrop. These similarities include code similarities, file naming and listing patterns, hosting by Ukrainian hosting services, and shared victim profiles in Western and Central Ukraine, as well as the conflict area in Eastern Europe.

Moreover, CloudWizard also exhibits resemblances to the recently reported campaign CommonMagic. Some sections of the code are identical, they employ the same encryption library, follow a similar file naming format, and share victim locations within the Eastern European conflict area.

Based on these findings, Kaspersky experts have concluded that the malicious campaigns of Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic, and CloudWizard may all be attributed to the same active threat actor.  

"The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyberespionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” said Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team. “Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future."

Read the full report about the CloudWizard campaign on Securelist.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

*   Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
*   Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
*   For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
*   In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
*   As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform

CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine

In an advisory released by the company, Apple revealed patches for three previously unknown bugs it  says may already have been used by attackers.

Three zero-day vulnerabilities — tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 — were found in Apple's WebKit browser platform and affect iOS, macOS, and iPad products.

These vulnerabilities affect "iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later," Apple said in one of its new advisories.

CVE-2023-32409 is a vulnerability in which a remote attacker is "able to break out of Web Content sandbox," according to Apple. The vendor said CVE-2023-28204 entails processing Web content that may disclose sensitive information, and CVE-2023-32373 warns that processing "maliciously crafted Web content may lead to arbitrary code execution."

Apple said it's aware that the bugs may have already been actively exploited by threat actors but did not elaborate on any of these attacks.

While Apple reported that two of the three vulnerabilities were reported by anonymous researchers after they were first addressed, one of them — CVE-2023-32409 — was reported by Clément Lecigne, a security engineer in Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a security researcher and hacker in Amnesty International's Security Lab.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Patches 3 Zero-Days Possibly Already Exploited

It's not lack of data that's the problem, but the inability to piece it together to truly understand and reduce risk.

Device diversity, cloud adoption, remote work, and the increasingly complex software supply chain have significantly expanded today's attack surface. But despite increased year-over-year investment in security operations, most organizations only have the resources to address 10% of the millions of issues present in their environments.

Security and risk leaders need to be practical and focus on the small percentage of exposures that represent the most risk to _their_ organization. Security teams already have access to the intelligence they need to power risk-driven vulnerability prioritization, but to harness the full potential of their existing insights, they must first break down barriers caused by existing data siloes.

Everything within the digital ecosystem creates data — from autonomous network and vulnerability scanners to manual spreadsheets. Teams have to understand how each element plays a role in the prioritization decision-making process. They need to consider the threat and exposure management life cycle to explore the strengths, weaknesses, and opportunities for each resource.

**Silo 1: Cyber Asset Management**

There are ample approaches to creating a consolidated inventory of all assets and their associated risk posture: legacy spreadsheets, "traditional" network scanners and IT asset management tools, and cyber asset attack surface management (CAASM) platforms.

Depending on the approach, though, teams may only be looking at the "traditional" attack surface instead of considering everything that would be present in a typical multicloud, decentralized, and well-segmented modern network. While progress is being made in this category, it's still built off point-in-time, state-based insights. The lack of insight into attack behavior therefore impacts their overall effectiveness.

**Silo 2: Threat Detection and Response**

On the other hand, threat detection and response tools are designed to help organizations understand their attack surface from the adversary's perspective through analyzing network, user, and machine behavior. Although the quality of data from security information and event management (SIEM) systems is considerable, alert overload makes it extremely difficult for teams to comb through and extract the most pertinent information.

Additionally, threat detection and response platforms typically only monitor "known" assets for changes, whereas the greatest threat lies with the changes made to unknown assets. So, while these platforms have come a long way to expedite response and remediation, they still lack visibility into exposures beyond typical software vulnerabilities and misconfigurations. Gartner predicts unpatchable attack surfaces will grow from less than 10% of the enterprise's total exposure in 2022 to more than half by 2026.

**Silo 3: Third-Party Intelligence**

There are several ways to gauge the potential impact and exploitability of vulnerabilities, such as the Common Vulnerability Scoring System (CVSS), Exploitation Prediction Scoring System (EPSS), and vendor-specific scoring systems. CVSS is the most common method for prioritizing vulnerabilities.

The greatest risk of relying only on third-party guidance is that it doesn't consider the organization's unique requirements. For example, security teams still have to decide which patches to prioritize in a group of "severely critical" vulnerabilities (e.g., those with a CVSS score of 9.0 or higher).

In this case, it's impossible to make an informed decision using these quantitative methods alone. Factors such as the location of the asset would help teams determine the exploitability of the vulnerability within _their own_ organization, whereas its interconnectivity would give teams an idea of the blast radius — or potential overall attack path.

**Silo 4: Business Insights**

From configuration management databases (CMDBs) to controls and dependency maps to data lakes, this list wouldn't be complete without internal business tracking systems. These resources are critical to threat and exposure prioritization due to their strength in demonstrating the connections between devices and vulnerabilities, as well as the overall business criticality and dependency mapping.

But as enriching as they are, custom databases require a heavy manual lift to not only implement, but also keep current. Therefore, due to the rate at which our environments change, they quickly become outdated, making it impossible to accurately survey security posture changes.

**Change Is Programmatic, Not Tool-Centric**

While each source listed above serves its own purpose and provides a unique layer of valuable insight, none serves as a single source of truth for navigating today's sophisticated threat landscape. That said, they're extremely powerful when they work together, revealing a comprehensive vantage point that enables teams to make better, more informed decisions.

Many of the valuable insights necessary to drive informed, risk-based decisions either get lost in the siloes of enterprise tech stacks or stuck between conflicting teams and processes. Although modern environments require equally progressive security, there isn't a single tool or team that can repair this broken process.

Security leaders need to align their cyber asset intelligence to their primary use cases. That may be through mapping their vulnerability prioritization process using third-party intelligence, business context, and asset criticality, or by targeting specific control frameworks such as NIST Cybersecurity Framework or the CIS Critical Security Controls to use their security data to drive an effective security improvement program.

Source

DARKReading