Updated OffSec™ identity substantiates the company's commitment to expanding its cybersecurity content and resources to prepare infosec professionals for the future.

**NEW YORK****,** **March 1, 2023** **/PRNewswire/ --** Offensive Security (OffSec), the leading provider of hands-on cybersecurity education, today unveiled a refreshed brand identity including a new, shortened name, OffSec. This update reflects OffSec's commitment to helping cybersecurity professionals and organizations look beyond traditional training and certification to provide additional educational content and hands-on resources that help learners advance in their field and companies develop their security team members.

The abbreviated name reflects OffSec's move beyond offensive security topics with expansion into new areas such as defensive security, and new learning paths for today's most in-demand cybersecurity job roles. The OffSec brand also speaks to the company's expansion beyond training and beyond certification to a continuous learning model that supports the unique needs of organizations and individual learners alike. The company's new tagline, _The Path to a Secure Future™_, highlights OffSec's commitment to supporting security professionals and infosec teams in achieving cyber preparedness through a growing skills library focused on keeping pace with evolving cyber threats.

Offensive Security built its global reputation on training penetration testing with its flagship course, _Penetration Testing with Kali Linux_ and the OSCP certification. The company is the developer and maintainer of Kali Linux, the widely-popular open-source distribution used by infosec professionals worldwide. More recently, OffSec has since moved well beyond foundational pentesting topics and has added new content and certifications in Cloud Security, Web Application Security, Secure Software Development, Security Operations, and Exploit Development. The ever-growing OffSec Learning Library (OLL) currently includes nearly 6,000 hours of written content, 1,500 videos, 2,500 practical exercises, and 900 hands-on labs, with more being added all the time. The OLL features an unmatched depth and breadth of content, helping learners build indispensable skills by offering a comprehensive variety of role-specific content, from entry-level to advanced.

"OffSec broke the mold when we started with a new way of presenting information security training, and with the OffSec Learning Library we are so excited to do it again," Jim O'Gorman, Chief Content and Strategy Officer at OffSec said. "Our library approach allows us to continue to offer our industry-leading content, but in a more flexible non-linear approach allowing for a more customizable learning experience. Learners can engage with OffSec content in a course-based context, follow learning paths specific to job roles or skill sets, or pick and choose their own pathway through a multitude of learning units and modules. This approach allows everyone, regardless of skill level or experience, to have custom access to unparalleled cybersecurity learning content, all of which embody OffSec's highly-regarded and time-tested approach and methodology."

About the brand refresh, Scott Ablin, OffSec's Chief Marketing Officer said, "Since our inception, we've been at the forefront of cybersecurity education and offered training by the best practitioners. We defined the industry with our intense, hands-on, practical approach. As OffSec, we are expanding our content and learning paths to prepare learners for career advancement and organizations for current and future threats. We all know the cybersecurity threat landscape is continually changing, and our new brand symbolizes our commitment to keeping pace for individual professionals looking for education to advance their career and organizations who seek to recruit, retain, and upskill top talent."

**Elements of the refreshed identity include:**

**New Logo**:

The logo mark is now in a circular shape to mirror the "O" in OffSec. It has morphed from the familiar Offensive Security door icon to the shape of a path, symbolizing the onward voyage for infosec professionals and teams.

**New Brand Colors**:

Previously red and black, the rebranded logo mark is rendered in a teal-to-purple gradation, reflecting the process of educational change experienced by learners, a movement driven by a philosophy dedicated to transforming students into industry leaders.

**New Tagline:** _The Path to a Secure Future™_

OffSec defined the industry with its intensive, practical approach. Our methodology, content, and learning paths prepare organizations and learners for whatever lies ahead on their journey - whether it's securing their future by upskilling for an individual, or team development that provides organizations a more secure posture.

**New Website Address:**

Website visitors can learn more about the company, purchase a course or package, request a meeting, or explore free learning resources at offsec.com.

**About OffSec**

OffSec is the leading provider of continuous professional and workforce development, training, and education for cybersecurity professionals. Created by the community for the community, OffSec's one-of-a-kind mix of practical, hands-on training and certification programs, virtual labs, and open-source projects provide practitioners with the highly desired offensive skills to get a job, advance their careers and better protect their organizations. OffSec is committed to funding and growing Kali Linux, the leading operating system for penetration testing, ethical hacking, and network security assessments. For more information, visit offsec.com and follow @OffSectraining and @kalilinux on Twitter.

Offensive Security Is Now OffSec - Refresh Reflects Future of Cybersecurity Learning and Skills Development

An infamous Chinese cyber-hacking team has extended its SysUpdate malware framework to target Linux systems.

A pervasive cyber-espionage group known as Iron Tiger, believed to be out of China, has updated one of its malware frameworks to attack Linux-based systems.

Researchers at Trend Micro recently discovered that Iron Tiger (aka Emissary Panda or APT27) had added new features to its so called SysUpdate malware family, which allows it to infect Linux platforms in addition to Windows. SysUpdate abuses system services, grabs screenshots, browses and terminates processes, retrieves drive information, executes commands, and can find, delete, rename, upload, and download files as well as peruse a victim's file directory.

One other new feature the firm found with the newest version of SysUpdate: command-and-control communications via DNS TXT requests. "While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information," the researchers wrote in a blog post about their findings.

Iron Tiger was among a group of five cyber-espionage groups flagged in 2020 by BlackBerry as targeting Linux-based systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Support Expands Cyber Spy Group's Arsenal

More cyberattackers are targeting organizations' cloud environments, but some cloud services, such as Google Cloud Platform's storage, fail to create adequate logs for forensics.

Major cloud platforms, such as Google Cloud Platform (GCP), fail to adequately log the event data that could facilitate the detection of compromises and the forensic analysis during post-compromise response, according to an analysis. 

Cloud security firm Mitiga stated in an advisory published on March 1 that the Google Cloud Platform allows customers to turn on storage access logs, but faced with an attacker that successfully compromises a legitimate user's identity, the logs fail to provide enough detail, creating forensic visibility gaps.

The security issues include failing to generate dedicated log information for critical actions related to exfiltration, failing to collect detailed information about changes to data, and a general lack of visibility that would give a picture of what happened, the advisory stated.

A variety of events, for example, are included under a single type of access — such as reading a file or downloading data — leaving analysts unclear as to what actually happened, says Veronica Marinov, an incident response investigator with Mitiga and author of the advisory.

"Google Cloud storage logging is missing granular log events," she says. "In the case of interacting with bucket objects, you can’t really differentiate between downloading the object, viewing its content, and just looking at the metadata of the said object."

As companies move their infrastructure and operations to the cloud, attackers have followed. For instance, the company faced an opportunistic attacker that moved laterally inside a cloud environment to successfully steal sensitive data, only to be stopped by rigorous permissions, according to a report earlier this week.

In its latest annual "Global Threat Report", cybersecurity services firm CrowdStrike noted that cloud exploitation incidents had increased by 95% in 2022, compared with the previous year, while cloud-conscious threat actors — which the firm defined as those who use "a variety of tactics, techniques, and procedures (TTPs) to exploit cloud environments" — nearly tripled. The increase in cloud-focused attacks means that companies need to focus on visibility and really understanding the changes being made to cloud environments, says Adam Meyers, head of intelligence at CrowdStrike.

"For years, cloud threats have been concerning, but it was pretty low tech, and they generally resulted in a cryptominer being deployed," he says. "Cloud is clearly in the sights of the threat actors now."

**Logs Need More Detail**

A key to understanding what happened during a compromise is having adequate visibility through detailed logging of events in cloud services. Forensics investigators rely on logs to determine what happened, what data may have been at risk, and what threat actors accomplished, Mitiga stated in the advisory.

While attackers often turn off logging as part of their compromise of cloud services, a knowledgeable attacker could also skip that and construct an attack chain that results in very little detail being revealed in Google Cloud Platform log files, Mitiga stated.

"Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks," Mitiga said in its advisory. "This prevents organizations from efficiently responding to incidents, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all."

Google Cloud acknowledged the issues, while stressing that it does not consider the lack of visibility to impact the security of its platform. The company maintained that there is no risk of data infiltration, that the issue is not a vulnerability, and that customer data is secure (all assertions also made by Mitiga). Google Cloud plans to further investigate the forensics gap, however.

"While improving log forensics hasn't been an issue raised by our customers, we are continually evaluating ways to improve customers' insight into their storage," the company said in a statement sent to Dark Reading. "The highlighted forensics gap in the blog is one of those areas we are examining."

Among Google Cloud's recommendations are turning on and configuring VPC Service Controls and organization restriction headers, to limit access and produce additional log events.

**Not Just Google**

The ability to access detailed logs is part of the shared-responsibility compact between cloud providers and customers. To take responsibility for their infrastructure in the cloud, organizations need to have detailed insight into activity. While the advisory specifically calls out GCP, other cloud providers have similar issues, Marinov says, without naming names.

"We had seen, in other cloud providers, cases where we can't really understand what happened only by seeing the logs," she says. "We are in touch with vendors on such specific gaps. Only after completing our responsible disclosure process are we able to share details with the media."

Amazon's Simple Storage Service (S3) buckets, for example, collect the right level of detail, the advisory stated: "It is important to note that this deficiency is not inherent to cloud services and could be easily addressed by providing more detailed information in the logs. An example can be seen with AWS S3 access logs, which distinguish each of the event types with its own event log name."

Mitiga did not say whether AWS's other services are among those the company is investigating for gaps in forensics information.

What Happened in That Cyberattack? With Some Cloud Services, You May Never Know

Make sure cybersecurity is taken seriously and consistently across the board. Educate the ecosystem beyond your own organization to mitigate security risks for everyone.

There's been a lot of speculation about how this year will unfold. Many economic authorities, such as the US Federal Reserve, the European Central Bank, the Swiss government, and Morgan Stanley are predicting a macroeconomic slowdown as the year progresses. Whether a temporary pause in growth or a full-blown recession emerges, the fact is organizations are increasingly critically eyeing their budgets and, at minimum, trying to do more with what they have, or going down the path of fiscal reduction.

The fact is, regardless of the financial environment, cyber threats will continue evolving, and threat actors will only get more innovative in how they attempt to manipulate their targets. Therefore, the cybersecurity attack surface is certain to expand. There's simply no room to stand still, regardless of whether we're facing an economic downturn. Everyone reading this article understands the financial damage cyberattacks can cause and how they can serve to further heighten economic damage in an already challenging scenario.

**The Importance of Unifying Security Investments**

A key consideration for organizations in this climate is to examine the value of unifying their existing security investments to streamline their security operations. Typically, this can be done even in a period of stagnating budgets while still bolstering proactive defenses.

Questions to ask include: Is there overlap between elements of the security stack? As stated in the NIST Cybersecurity Framework (PDF), security applications need to cohesively and mutually support an organization's security posture by ensuring identification, protection, detection, response, and recovery are fully supported.

All these elements are, of course, interconnected. Security professionals need to keep that in mind, rather than introduce and/or manage the chaos of a siloed collection of point tools. We're long past the era of having to deal with disparate security systems. Rather, platforms, applications, and tools must be interoperable and interconnected, for comprehensive management, monitoring, and measurement.

**Evolving Beyond "Code Warrior" Silos**

Another key consideration in recession-proofing security operations is the importance of empowering more than "code warriors" when it comes to contributing to managing cybersecurity deployments. In 2023, it needs to be "all hands on deck," and it can't just be a tiny group of people responsible for large-scale enterprise security. Enterprise security management tools can play a major role in empowering a wider group of people to protect organizations.

Why does this matter? Because part of maximizing value involves security processes that focus on shared responsibilities, in which employees, R&D, DevOps, and IT are true partners and collaborators in protecting their organizations. An example of this is how security automation is now moving toward validating end users' identities and enabling them to have temporary security clearances to engage in system updates, credential retrieval, and remote access, with dramatically minimized risk. This is enabled through integration across communications and project management tools, anchored by workflows that ensure accurate verification and access controls.

**Empowering Your Customers and Partners**

There's another element that is rarely discussed when it comes to an optimal cybersecurity posture and managing costs: educating customers and partners about their own cybersecurity standards. After all, cybersecurity is an end-to-end multiorganization ecosystem. Cybersecurity problems that affect one company can come home to roost in another. The fewer issues that occur with customers and partners, the fewer problems your organization must deal with.

Developing a customer and partner awareness campaign can be crucial here. It's very important to educate the ecosystem beyond your own organization to mitigate risk for everyone. Organizations can deploy best practices via their own emails, newsletters, social media, customer and partner portals, and account managers. The best approach is to use multiple elements to get the word out about ensuring cybersecurity is taken seriously and consistently across the board.

In general, cybersecurity companies need to emphasize their proactive capabilities and philosophies over the historic reactive element in current economic circumstances. If they position themselves as a critical, protective layer and consultative presence, it will go a long way to cementing the essential nature of their offerings.

The Importance of Recession-Proofing Security Operations

The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.

A high-severity authentication bypass vulnerability in a widely used open source Java framework is under active exploit by threat actors, who are using the flaw to deploy backdoors to unpatched servers, the US Cybersecurity and Infrastructure Security Agency (CISA) and security researchers are warning.

The scenario could pose a significant supplychain threat for any unpatched software that uses the affected Java library, which is found in the ZK Java Web Framework, experts said.

The CISA has added CVE-2022-36537, which affects ZK Java Web Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, to its catalog of Known Exploited Vulnerabilities (KEV).

The flaw, found in ZK Framework AuUploader servlets, could allow an attacker "to retrieve the content of a file located in the Web context," and thus steal sensitive information, according to the KEV listing. "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager," CISA said.

Indeed, the flaw first drew widespread attention in October 2022 when ConnectWise sounded an alarm over its existence in its products — specifically, ConnectWise Recover and R1Soft server backup manager technologies. Senior security researchers John Hammond and Caleb Stewart at Huntress subsequently published a blogpost about how the flaw can be exploited.

In an update to that blog post published concurrent with the CISA's advisory, Huntress warned that "the vulnerability discovered last year in ConnectWise's R1Soft Server Backup Manager software has now been seen exploited in the wild to deploy backdoors on hundreds of servers via CVE-2022-36537."

CISA and Huntress both based their warnings on research from Fox-IT published Feb. 22 that found evidence of a threat actor using a vulnerable version of ConnectWise R1Soft Server Backup Manager software "as an initial point of access _and_ as a platform to control downstream systems connected via the R1Soft Backup Agent," the researchers wrote in a blog post.

"This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges," according to the post. "This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server."

**History of the Flaw**

For its part, ConnectWise moved swiftly to patch the products in October, pushing out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and urging customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4.

A researcher from Germany-based security vendor Code White GmbH was the first to identify CVE-2022-36537 and report it to the maintainers of the ZK Java Web Framework in May 2022. They fixed the issue in version 9.6.2 of the framework.

ConnectWise became aware of the flaw in its products when another researcher from the same company discovered that ConnectWise's R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to the company, according to the Huntress blog post.

When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited on Twitter, which researchers from Huntress used to replicate the vulnerability and refine a proof-of-concept (PoC) exploit.

Huntress researchers ultimately demonstrated they could leverage the vulnerability to leak server private keys, software license information, and system configuration files and eventually gain remote code execution in the context of a system superuser.

At the time, researchers identified "upwards of 5,000 exposed server manager backup instances via Shodan — all of which had the potential to be exploited by threat actors, along with their registered hosts," they said. But they surmised that the vulnerability had the potential to impact significantly more machines than that.

**Supply Chain at Risk**

When Huntress did its analysis of the flaw, there was no evidence of active exploit. Now, with that scenario changed, any unpatched versions of the ZK Java Web Framework found not only in ConnectWise but also other products are fair game for threat actors, which could create significant risk for the supply chain.

Fox-IT's research indicates that worldwide exploitation of ConnectWise's R1Soft server software started around the end of November, soon after Huntress released its PoC.

"With the help of fingerprinting, we have identified multiple compromised hosting providers globally," the researchers wrote.

In fact, Fox-IT researchers said on Jan. 9 that they had identified a "total of 286 servers running R1Soft server software with a specific backdoor."

CISA is urging that any organizations still using unpatched versions of the affected ConnectWise products update their products "per vendor instructions," according to the KEV listing. And while, so far, the existence of the flaw is known only in the ConnectWise products, other software using unpatched versions of the framework would be vulnerable as well.

CISA: ZK Java Framework RCE Flaw Under Active Exploit

The open authentication standard addresses existing multifactor authentication security vulnerabilities.

Remember when multifactor authentication (MFA) gave security professionals that nice, warm feeling that their data and users were protected? Those days are over. Traditional approaches to MFA don't cut it anymore, as attackers have developed effective workarounds for cracking that door wide open. For proof, consider last year's headline-grabbing breaches at Okta, Uber, and Cisco, just to name a few. A better approach is urgently needed — and it starts with the FIDO2 user authentication specifications.

**MFA Weaknesses**

Why do we need a new approach to authentication? Bypassing existing MFA techniques to garner employee credentials or to take over employee accounts has become child's play for attackers. There are even videos on YouTube explaining how to do it. Techniques range from simple phishing to push bombing — where attackers send push notifications until the employee accepts one — to more complex SS7 communications protocol exploits to obtain texted MFA codes.

For example, take the common MFA technique of using a push notification as the second factor.

One common approach the attackers use is to create a fake company login page, then send out phishing emails to drive employees to that page. When an employee enters their username and password into the fake page, the attacker simply takes the credentials and enters them into the real login page. When the employee receives the MFA request (the push notification), they are likely to treat it as genuine and click "Yes." With that simple approach, the attacker has now compromised the employee's account and has a beachhead into the company's network that can allow them to move laterally and install malware or ransomware.

**People as a Point of Failure**

Not all vulnerabilities are technical. Social engineering is becoming more sophisticated, with attackers using texts and voice calls targeted at specific employees to add credibility and urgency to that phishing email. The attackers pose as IT technicians or other trusted authorities to create that trust with the targeted employee. These techniques can be very effective, as hapless users willingly will do as asked, assuming they are speaking with a trusted person from their own organization.

**Enter the FIDO2 Standard**

So, what is FIDO2, and how can it help address these MFA vulnerabilities? Developed by the Fast Identity Online (FIDO) Alliance, FIDO2is an authentication method containing two components: WebAuthn (W3C) and CTAP (FIDO Alliance), which together eliminate the security gaps in standard MFA services.

With FIDO2, the site requesting authentication constructs the authentication challenge, encrypts it with the registered authenticator's public key, and sends it to the user by way of the user agent (browser) that originally requested access. The browser adds some context and forwards to the attached authenticator. The authenticator decrypts the challenge with its private key and compares it with its own registration records and the context provided by the browser. By nature of this process, attackers using stolen credentials are blocked (they receive the challenge but can't do anything, as they don't have the authenticator). Attackers who are actively man-in-the-middle are detected and blocked as well (they can replay the bidirectional traffic, but they cannot construct a challenge that would be accepted by the authenticator). This method makes it virtually impossible to compromise MFA. The key features of FIDO2 are:

*   Authentication credentials are based on private/public key pairs.

*   No shared secrets — the private key is generated by the FIDO2 authenticator, is stored in secure hardware on the authenticator, and cannot be exported or tampered with. Only the public key is sent to the server-side (website) when registering.

*   Authentication challenges are delivered to the user agent (the browser), which adds context about the challenge and then delivers it to the attached FIDO2 authenticator, which allows detection of a man-in-the-middle.

*   Platform authenticators (tied to the platform and only usable on that device) and roaming authenticators (that can be used across any device).

**Why Isn't Everyone Using FIDO2 MFA?**

Security professionals recognize the value that FIDO2-based MFA provides. However, because companies need to buy, distribute, and manage physical FIDO2 security keys, the added cost and complexity has slowed down adoption. In addition, users really dislike using a physical security key — it's yet another piece of hardware they have to carry around. Because of these factors, many companies will deploy FIDO2 for high-risk employees but use standard MFA for other employees.

**Phish-Proof Protection**

Authentication methods based on FIDO2 are the closest thing there is to a "phish-proof" solution, and the security community has taken note. The Cybersecurity and Infrastructure Security Agency (CISA) recently called FIDO "the gold standard" for authentication, urging corporate leaders to make it part of their MFA strategy. US federal agencies are also moving to FIDO2 to address the vulnerabilities of existing MFA techniques.

As it becomes more widely recognized, expect to see FIDO2 as a recommended or even required standard for online interactions/transactions where critical data must be protected. Currently, most underwriters of cyber insurance require MFA implementation to qualify for coverage. It's not a stretch to imagine that requirement expanding to include FIDO2.

**Time to Up Your Game**

For any organization concerned about cybercrime — and the economic and reputational risk it poses — proactively adopting FIDO2 authentication seems like a smart business move. For organizations that rely on vendors or partners for their online employee and/or customer interactions, now is a good time to find out whether they have adopted FIDO2.

As cybercriminals continue to up their game, organizations must do likewise. Don't wait until an attacker finds your weakness. Now is the time to take a critical look at your authentication protocols and see how FIDO2 can address MFA deficiencies and close that door.

Without FIDO2, MFA Falls Short

As companies increasingly adopt MFA, cybercriminals are developing a variety of strategies to steal credentials and gain access to high-value accounts anyway.

As companies increasingly require stronger versions of security for their employees and customers, attackers are getting better at bypassing multifactor authentication (MFA), resulting in a steady stream of compromises, such as this week's announcement of a data leak at cybersecurity firm LastPass and the announced breach at social media service Reddit earlier in February. 

While multiple ways exist to bypass the flawed security of two-factor authentication (2FA) that uses one-time passwords (OTPs) sent through short message service (SMS) texts, systems protected by push notifications or using hardware tokens are considered much harder to compromise. Yet attackers have landed on a trio of techniques to get around the additional security: MFA flooding, proxy attacks, and session hijacking — focused on the user, the network, and the browser, respectively. 

"Most of the time, attackers are getting around weaker forms of MFA, especially those that use SMS, \[but\] there are plenty of techniques attackers use to circumvent MFA, including MFA flooding, SIM-swapping, and attacker-in-the-middle attacks," says Matt Caulfield, CEO of Oort, an identity-security provider.  

    

MFA bypass attacks increased in 2020 (green) compared with previous years. Source: Okta

**MFA Flooding & Fatigue**

The first target for attackers is often the human behind the keyboard. Overall, 82% of breaches involved the "human element," and more than 80% of Web application breaches are attributed to the use of stolen credentials, according to Verizon's "2022 Data Breach Investigations Report (DBIR)." 

MFA flooding, where an attacker will repeatedly attempt to log in using stolen credentials to create a deluge of push notifications, aims at taking advantage of users' fatigue for security warnings. "Push notifications are a step up from SMS, but are susceptible to MFA flooding and MFA fatigue attacks, bombarding the victim with notifications in the hope they will click 'Allow' on one of them," Caulfield says. 

Another popular tactic — the account reset attack — aims to fool tech support into giving attackers control of a targeted account, an approach that led to the successful compromise of the developer Slack channel for Take-Two Interactive's Rockstar Games, the maker of the Grand Theft Auto franchise.

"An attacker will compromise a user’s credentials, and then pose as a vendor or IT employee and ask the user for a verification code or to approve an MFA prompt on their phone," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Attackers will often use the information they’ve already compromised as part of the social engineering attack to lull users into a false sense of security."

**Session Hijacking & Pass-the-Cookie Attacks**

After a worker logs in to an online account or cloud service, a session cookie containing the user’s authentication credentials is typically set and remains active until the user ends the session by logging out. A common post-compromise tactic is for the attacker to harvest every cookie in the browser cache for potential use as a session hijack or pass-the-cookie attack. Malware such as Emotet has this functionality as a regular feature.

Other variants of this attack use cross-site scripting or malicious browser extensions to take control of a user's session after they pass the MFA barrier, says NCC Group's LaRose.

"The ultimate goal of this technique is to attack the user’s session indirectly, and therefore not interact with the stronger security controls in the login flow," he says.

**Proxy Attacks & AitM**

Finally, attackers can try to compromise infrastructure between the users device and a cloud service or online site. Using a compromised or malicious server to intercept requests from the user and destination server, a proxy attack — or adversary-in-the-middle (AitM) attack — allows cyberattackers to harvest the authentication mechanism in real time.

"This allows the attackers to bypass most available methods of MFA, since the user is providing the site, and the hacker, with both the username and password and additional authentication," Drew Trumbull, incident response team lead with the Information Security Office at the University of North Carolina, said in a review of the technique.

The technique may have contributed to the breach at LastPass, where "the threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA," according to the company's statement.

**Resetting the Matrix**

To defend against the latest attacks, companies should deploy phishing-resistant MFA, which consists of something you own, such as a hardware key, and something you are, such as a biometric. Common hardware key solutions, such as Yubikey, have made phishing-resistant MFA more easy to deploy, says NCC Group's LaRose.

Unfortunately, there are still hurdles for companies in adopting hardware keys, making it difficult to attain complete coverage, says Oort's Caulfield.

"Just the logistics of shipping hardware-based security keys to every employee and managing the process when they lose them can be a nightmare," he says. "Shipping laptops and security keys to contractors is even harder."

And with the increased overhead to manage the devices comes another in-road for attackers — resetting an account following a lost or stolen device. By pretending to be the victim, an attacker can claim to have lost a device, allowing them to enroll a new factor upon sign-in or act during a reset grace period, says Oort's Caulfield. 

"MFA resets are a massive challenge," he says. "It’s likely we’ll see attackers shifting from the factor as a weakness to the registration and reset process."

And indeed, rather than use a hardware token, workers and consumers are far more likely to subscribe to a security question or use a time-based OTP (TOTP) received through email or SMS. Nearly 80% of users polled at identity-provider Okta, for example, use email as a second factor — and nearly 40% have a TOTP pushed to them through an application — while only about 5% use a token or Yubikey, according to Oort's "2023 State of Identity Security" report. Users of Azure AD and Duo Security show similar preferences, the report noted, with security questions and SMS passcodes dominating enrollment numbers.

Cyberattackers Double Down on Bypassing MFA

The biggest dilemmas in running a modern cybersecurity team are not all about software, said CISOs from HSBC, Citi, and Sepio.

Managing risk on a global scale has always been challenging, but in the aftermath of the COVID pandemic, CISOs have had to become even more agile. The shift to hybrid work, the rapid deployment of cloud applications, and the move to continuous integration and continuous development (CI/CD) have emboldened threat actors with new and broader targets.

Meanwhile, the number of devices and endpoints on organizations' networks have increased exponentially. Two veteran CISOs lamented the challenges these changes have imposed during a webinar last week organized by Sepio, an asset detection and risk management startup. Sepio's CISO Ilan Kaplan moderated an hour-long discussion with HSBC CISO Monique Shivanandan and Carl Froggett, who was CISO at Citi for 17 years before joining startup Deep Instinct last summer as CIO.

Shivanandan and Froggett shared with Kaplan what they see as three of the most significant challenges the rapidly changing cybersecurity and risk landscape presents.

**1\. Maintaining Visibility of All Network Assets**

Cybersecurity professionals have historically struggled to gain complete visibility into what's on their networks and threats directed at them. Froggett noted that newer cloud-native technologies, such as container-based applications and SaaS, offer better visibility than traditional software because modern apps were built to be more secure.

But overshadowing that benefit is the sheer scale of all the components associated with modern applications. "An asset used to survive 5, 6, 7 years, or longer if you include the underlying operating systems, whereas now the lifetime of the container can be measured in seconds or maybe minutes," Froggett said. That creates "a whole new set of \[visibility\] challenges from that perspective."

Shivanandan noted that traditional methods of capturing inventories, keeping them up to date, and tracking them were predicated on the notion of adding assets to a network manually. But with modern applications, that doesn't work, she said, because of the scale and the speed by which devices and software are deployed. "One of the biggest challenges that every CIO and every CISO faces is having that visibility and making sure that visibility is up to date," Shivanandan said.

**2\. Avoiding New Risks When Adding Apps**

Besides addressing the mounds of existing regulatory risks and the current threat landscape, security teams must also avoid being the source of new risks. Asked how they ensure that, Shivanandan said that, while reviewing the source code of every component added to the infrastructure is impossible, HSBC has rigorous processes around onboarding a new technology, which includes "a lot of pen testing and red teaming."

"Unfortunately, with the number of parties we have, we cannot do it for everyone," she added. "We do it for a select few." The problem is "every software change and every new release can knowingly or unknowingly introduce something new. It's a constant battle that we're facing."

Froggett said that Citi has strict processes around onboarding new technology, including pen testing and red teaming, but with the current release cadences, enforcement has become challenging. "Ultimately, you can't usually do source code reviews" of everything that comes in, he said.

**3\. Recruiting and Retaining Skilled Talent**

The shortage of experienced cybersecurity specialists is nothing new, but Shivanandan said it remains one of her top challenges. "All the technology in the world is only as good as the people there to make sure that we install \[everything\] correctly and keep it up to date," she said.

Shivanandan said despite considerable progress, it remains difficult for women to break the glass ceiling. She believes men have an outsized presence in senior cybersecurity roles compared to the entire IT industry.

"When you start out at the lower levels, there's \[an\] equal \[proportion of\] men and women, 50-50, sometimes even 60-40 women," she said. "Then, as you go through the progression, the women drop out, and the men continue to progress from a seniority level."

Nevertheless, Shivanandan said women face fewer barriers today compared with when she started out. She said, "When I was starting out, they wanted to pat you on the head and say, 'dear, don't worry your pretty little head, I'll take care of technical things.' But not anymore. There's no ceiling for a woman to get into any position now. It's a matter of just perseverance."

Shivanandan considers herself fortunate at HSBC, where 40% of her leadership team is women. "The women and the men are both fantastic, and that's the thing that you really want to look for," she said.

Froggett said during his nearly 25 years at Citi, most of his bosses were women. "The job's not done for sure, but there is definitely more of a balance \[of men and women in senior leadership roles than\] I saw five or 10 years ago."

Shivanandan emphasized that creating a diverse team goes beyond gender. A large portion of her team has some sort of neurodiversity, she said. According to research, an estimated 15%-20% of people have some form of neurodivergence such as autism, attention deficit hyperactivity disorder (ADHD), mental health conditions, or learning disabilities.

Shivanandan said those conditions are often assets: "That's what makes them fabulous in the job." But she added, "I think that's probably harder to overcome from a career progression standpoint, from a leadership versus a technical perspective."

CISOs Share Their 3 Top Challenges for Cybersecurity Management

The data protection capability is now available across multiple Workspace applications: Gmail, Calendar, Drive, Docs, Slides, Sheets, and Meet.

Google is rolling out client-side encryption Gmail and Calendar, which would allow users to create meeting events as well as send and receive emails which have been encrypted before being sent to Google servers. Client-side encryption will be available to organizations with Google Workspace Enterprise Plus, Education Standard, and Education Plus plans. All other types of Google Workspace accounts and personal Gmail accounts will not get client-side encryption.

Google enabled client-side encryption for Google Drive, Docs, Slides, Sheets, and Meet last year, so with the latest update, client-side encryption is now available across Workspace applications. Workspace administrators have to enable client-side encryption before users can use it.

Client-side encryption means the data is encrypted within the user’s browser before it is transmitted or stored on Google servers. Because the client-side decryption keys are created by a cloud-based key management service, organizations retain control over who has access to their data. For example, if there is a government request for Google Workspace data, Google will not be able to provide the information because Google doesn’t have the decryption keys. Adversaries would have to target the organization’s specific key to access the data. For some organizations, this level of control is necessary to meet regulatory compliance requirements.

Media giant Groupe Le Monde rely on client-side encryption across Workspace to ensure journalists’ safety by protecting communications, appointments, and files from potential leaks, Ganesh Chilakapati, a Google Workspace group product manager, and Andy Wen, director of product management for Google Workspace Security, wrote in a Google Workspace blog post.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Adds Client-Side Encryption to Gmail, Calendar

Platform uniquely designed to facilitate automated compliance, security behavior change.

**MINNEAPOLIS****,** **Feb. 28, 2023** **/PRNewswire/ --** Hoxhunt, the leading cybersecurity behavior change software company, today announced the availability of the industry's foremost Human Risk Management Platform and three new products. For the first time, cybersecurity leaders can now focus on true visibility and measurable outcomes, not just regulatory and audit compliance.

According to the World Economic Forum, 95 percent of data breaches can be traced back to human error, mostly from clicking on targeted phishing attacks. Hoxhunt delivers high-ROI resilience with minimal resources by automating the transition of employees from being the greatest security risk to the most valuable resource. Hoxhunt's Human Risk Management Platform enables human threat intelligence—which is the only way to catch the millions of sophisticated phishing attacks that evade technical filters each year--into the security stack.

The AI-enabled platform offers three new products that can be aligned with an organization's security maturity state.

*   The new Comply product enables security awareness programs to be delivered automatically. From choosing the curriculum to customizing training content, Hoxhunt Comply enables security leaders to build a comprehensive program at the click of a button.
*   The Hoxhunt Change product adds capabilities to the market leading security behavior change solution. The advanced AI engine and machine learning algorithms transform employees into a global network of threat detection sensors that protect themselves and their organizations from threats that have infiltrated the perimeter. The AI platform delivers individualized, adaptive training experiences for employees at the edge of their skill levels at scale, resulting in lasting and measurable improvement. Even real phishing attacks are transformed into vital learning experiences when employees detect them. The platform assesses and expands individual abilities with quick micro-training nudges based on in-the-moment responses to both real and simulated phishing attacks, which in turn creates long-term engagement and optimal online behavior for employees.
*   Respond helps make sense of the threat feed to the SOC and automatically pinpoints the incidents that need attention. The Hoxhunt platform analyzes over 93,000 newly reported threats every day that have bypassed traditional security technology layers. Now organizations can harness the power of a global network of 1.5M human threat sensors to prevent the most malicious ransomware and BEC attacks.

Hoxhunt was established to take a people-first approach, going beyond traditional, compliance-based security awareness training and enabling a risk-based security strategy via measurable security behavior change.

"As bad actors refine their tactics, searching for gaps in security controls, employees have become the largest attack vector for cybercriminals looking to penetrate into corporate networks," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "Employees are often overlooked as a part of an organization's security posture and attackers continue to exploit this. In most organizations, at best, employees receive generic awareness training in order to meet corporate compliance goals, initiatives which fail to alter employee cyber behavior or create the ability to detect and respond to social engineering attacks. Hoxhunt was established to solve this uncontrolled issue. With our human risk platform, organizations can significantly alter their employees' security skill levels to create a strong human detection engine when attackers surpass technical layers."

Hoxhunt's full-stack, AI-driven platform delivers:

*   **Increased Visibility:** Provides visibility into the true risk of an organization's human layer and the threats that have (or could have) infiltrated their systems.
*   **Measurable Risk Reduction:** Hoxhunt transforms employees into security assets, creating a global human threat sensor network to detect and eliminate email threats that slip past your technical protections. Hoxhunt drives the failure rate to just 2%, compared to 25% when using alternative phishing tools.
*   **Streamlined** **Reporting:** Maintains full control and visibility of employee training progress across departments, automatically generating reports that CISOs can utilize to translate improvements in organizational security posture.

Since its inception, Hoxhunt has helped some of the world's leading companies graduate from security awareness training into security behavior change and human risk management, including Airbus, DocuSign, Kaercher, and Victorinox. The company has also received numerous accolades in recent months. Hoxhunt was named a Best Software Company (EMEA) by G2 and received three awards from TrustRadius for security excellence.

To learn more about Hoxhunt and to request a demo, please visit: https://www.hoxhunt.com/.

**About Hoxhunt**

Hoxhunt helps security leaders and employees join forces to prevent data breaches. Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.

Source

DARKReading