Kim Jong Un's Swiss Army knife APT continues to spread its tendrils around the world, showing it's not intimidated by the researchers closing in.

Globally, interest has surged around North Korea's Kimsuky advanced persistent threat group (a.k.a. APT43) and its hallmarks. Still, the group is showing no signs of slowing down despite the scrutiny.

Kimsuky is a government-aligned threat actor whose main aim is espionage, often (but not exclusively) in the fields of policy and nuclear weapons research. Its targets have spanned the government, energy, pharmaceutical, and financial sectors, and more beyond that, mostly in countries that the DPRK considers arch-enemies: South Korea, Japan, and the United States.

Kimsuky is by no means a new outfit — CISA has traced the group's activity all the way back to 2012. Interest peaked last month thanks to a report from cybersecurity firm Mandiant, and a Chrome extension-based campaign that led to a joint warning from German and Korean authorities. In a blog published April 20, VirusTotal highlighted a spike in malware lookups associated with Kimsuky, as demonstrated in the graph below.

    

Volume of lookups for Kimsuky malware samples. Source: Virus Total

Many an APT has crumbled under increased scrutiny from researchers and law enforcement. But signs show Kimsuky is unfazed.

"Usually when we publish insights they'll go 'Oh, wow, we're exposed. Time to go underground,'" says Michael Barnhart, principal analyst at Mandiant, of typical APTs.

In Kimsuky's case, however, "no one cares at all. We've seen zero slowdown with this thing."

**What's Going on With Kimsuky?**

Kimsuky has gone through many iterations and evolutions, including an outright split into two subgroups. Its members are most practiced at spear phishing, impersonating members of targeted organizations in phishing emails — often for weeks at a time — in order to get closer to the sensitive information they're after.

The malware they've deployed over the years, however, is far less predictable. They've demonstrated equal capability with malicious browser extensions, remote access Trojans, modular spyware, and more, some of it commercial and some not.

In the blog post, VirusTotal highlighted the APT's propensity for delivering malware via .docx macros. In a few cases, though, the group utilized CVE-2017-0199, a 7.8 high severity-rated arbitrary code execution vulnerability in Windows and Microsoft Office.

With the recent uptick in interest around Kimsuky, VirusTotal has revealed that most uploaded samples are coming from South Korea and the United States. This tracks with the group's history and motives. However, it also has its tendrils in countries one might not immediately associate with North Korean politics, like Italy and Israel.

For example, when it comes to lookups — individuals taking an interest in the samples — the second most volume comes from Turkey. "This may suggest that Turkey is either a victim or a conduit of North Korean cyber attacks," according to the blog post.

    

Kimsuky malware sample lookups by country. Source: VirusTotal

**How to Defend Against Kimsuky**

Because Kimsuky targets organizations across countries and sectors, the range of organizations who need to worry about them is greater than most nation-state APTs.

"So what we've been preaching everywhere," Barnhart says, "is strength in numbers. With all these organizations around the world, it's important that we all talk to each other. It's important that we collaborate. No one should be operating in a silo."

And, he emphasizes, because Kimsuky uses individuals as conduits for greater attacks, everybody has to be on the lookout. "It's important that we all have this baseline of: don't click on links, and use your multi-factor authentication."

With simple safeguards against spear phishing, even North Korean hackers can be thwarted. "From what we're seeing, it does work if you actually take the time to follow your cyber hygiene," Barnhart notes.

North Korea's Kimsuky APT Keeps Growing, Despite Public Outing

An uptick in EvilExtractor activity aims to compromise endpoints to steal browser from targets across Europe and the US, researchers say.

A phishing campaign that launched in March and is actively targeting Microsoft operating system users in Europe and the US is making the rounds, using the EvilExtractor tool as its weapon of choice.

Research this week from FortiGuard Labs details the EvilExtractor attack chain, explaining that it usually starts with a legitimate-seeming Adobe PDF or Dropbox link, which instead deploy a malicious PowerShell when opened or clicked, before eventually leading to the modular EvilExtractor malware.

"Its primary purpose seems to be to steal browser data and information from compromised endpoints, and then upload it to the attacker’s FTP server," FortiGuard Labs researchers wrote.

The report points out that EvilExtractor was first developed by Kodex, which claimed that, despite its obvious name, it's used as an "educational tool,' according to the EvilExtractor report. "However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info-stealer."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'EvilExtractor' All-in-One Stealer Campaign Targets Windows User Data

While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

Software written or acquired outside of IT's purview is software that IT can't evaluate for security or compliance.

There's no denying that software-as-a-service (SaaS) has entered its golden age. Software tools have now become essential to modern business operations and continuity. However, not enough organizations have implemented the proper procurement processes to ensure they're protecting themselves from potential data breaches and reputational harm.

A critical component contributing to concerns around SaaS management is the rising trend of shadow IT, which is when employees download and use software tools without notifying their internal IT teams. A recent study shows that 77% of IT professionals believe that shadow IT is becoming a major concern in 2023, with more than 65% saying their SaaS tools aren't being approved. On top of the obvious concerns around overspending and the disruptions to operational efficiency, organizations are beginning to struggle with maintaining security as their SaaS usage continues to sprawl.

Unfortunately, ignoring shadow IT is no longer an option for many organizations. Data breaches and other security attacks are costing businesses $4.5 million on average, with many of them taking place due to an expanding software landscape. To combat shadow IT and the high risks that come along with it, organizations must gain greater visibility over their SaaS stacks and institute an effective procurement process when bringing on new software solutions.

**Why Is Shadow IT Such a Liability?**

All issues surrounding shadow IT can be traced back to an organization's lack of visibility. An unmanaged software stack gives IT teams zero insight into how sensitive company information is being used and distributed. Since these tools are not vetted properly and are left unmonitored, the data they store is not adequately protected by most organizations.

This creates the perfect framework for hackers to easily seize important data, such as confidential financial records or personal details. Critical corporate data is at risk because most, if not all, SaaS tools require corporate credentials and access to an organization's internal network. A recent survey by Adaptive Shield and CSA actually shows that in the past year alone, 63% of CISOs have reported security incidents from this type of SaaS misuse.

**The Consequences of No Action**

As stated prior, the recurring theme that many businesses are experiencing with shadow IT is the risk associated with a data breach. However, it is equally important to realize the potential industry scrutiny that businesses face and the penalties they receive from regulators because of sprawling shadow IT. When unapproved software is added to an organization's tech stack, it likely fails to meet compliance standards — such as the General Data Protection Regulation (GDPR), the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA) — that businesses must maintain. For organizations in strict regulatory industries, the consequences of being penalized for compliance failures can cause irreparable reputation damage — a problem that cannot be fixed simply by paying the fee associated with the penalty.

On top of the costs associated with a security failure and the reputational damage a business receives, organizations are also oblivious to the wasted operational dollars spent on applications and tools. Unfortunately, it can be almost impossible for large organizations to uncover all the applications that the company never sanctioned due to complications like rogue subteams, departments self-provisioning their own software, or employees using corporate credentials to access freemium or single-seat tools.

**So How Do We Fix the Shadow IT Dilemma?**

The crucial first step for rectifying an organization's SaaS sprawl and ensuring that shadow IT never puts you in a compromising position is to gain visibility into the existing software stack. Without visibility, an organization will be blind to which tools are being used and won't be able to make informed decisions about centralizing its software. IT teams should focus on bringing their software portfolio's documentation up to speed and making records of application functions, software utilization, the contract/subscription length of each tool, and cost.

Once access for this information is received and properly updated, IT teams can establish which tools are essential and where changes can be made. After cleaning house, businesses can then create a centralized procurement system to ensure that all future purchases are coordinated across departments and that all security measures or compliance standards are continuously being met to prevent security breaches and regulation penalties. Having these records will help organizations easily keep track of all usage, therefore minimizing wasted costs and security failures.

The hardest obstacle for companies feeling the impact of shadow IT and overall SaaS sprawl is to recognize that you have a software management issue and come up with a solution to tackle the problem. Between economic pressure and regulatory scrutiny, organizations no longer have the luxury to ignore the growing concern of shadow IT and the types of software they use.

Shadow IT, SaaS Pose Security Liability for Enterprises

Attackers have their methods timed to the second, and they know they have to get in, do their damage, and get out quickly. CISOs today must detect and block in even less time.

It may not be fair to say that incident response (IR) is the essence of an enterprise's cybersecurity strategy, but it is what everything else is building toward. However, the biggest opponent of IR is not as much attackers as it is time.

The bad guys, often aided by machine learning (especially in state-actor attacks), are ultrafocused. Cyberattackers today have a precise attack plan. Typically, they will be prepared to steal what they are looking for — or to damage systems — in a few minutes and then quickly exit the system.

Although some attackers prefer a stealthy means that installs malware and watches network activity for potentially months, many of the nastiest criminals today use a hit-and-run approach. That means an IR plan must identify what is going on, lock down ultrasensitive systems, and trap the attacker in moments. Speed may not be everything, but it's close.

Complicating the current IR environment is the fact that enterprise threat landscapes have gotten exponentially more complex in recent years, especially in terms of being porous as well as giving bad guys far more places to hide. Beyond the WAN and company systems, there are the shrinking — but still relevant — on-premises systems, a large number of cloud environments (both known and unknown), IoT/IIoT, partners with far greater access, home offices with insecure LANs, vehicle fleets with their own data retention and IP addresses, mobile devices with full credentials (often owned by employees, raising more security concerns), and SaaS apps that are hosted in systems with unknown holes of their own.

With all of that happening, the security operations center (SOC) may have mere minutes to identify and deal with a breach.

The biggest CISO problem with IR is a lack of preparation, and the biggest IR enterprise weakness today is foundational. The best processes for IR begin with readiness via building a solid organizational threat model and reconciling the threat library of things that could adversely affect the company with an alignment to what preventative, detective, and reactive controls are present against the attack surface of that threat model. Employing automation via security orchestration, automation, and response (SOAR) technologies has become highly useful in reducing response times and being able to leverage playbooks that get triggered upon certain defined conditions being met in the technical environment.

**Check the Map**

One of the most critical foundational elements is working from a current, accurate, and comprehensive data map. The problem is that today's environments make having a truly complete data map impossible.

Consider the mobile factor alone. Employees and contractors are constantly creating new intellectual property (a series of emails or texts, for example, between a sales rep and a customer or prospect) via mobile devices and then not syncing that information with centralized systems controlled by IT.

Because it's impossible to protect that which you don't know exists, generating as accurate a data map as possible is critical. It wouldn't hurt to also increase the visibility of all tools, platforms, hardware/devices (especially IoT), and anything else that an attacker could subvert.

Continuous attack surface management (CASM) has been an evolving area of security activities that companies need to mature to ensure that edge devices, particularly those that are IoT devices that may have direct access to the edge gateway, are adequately protected with detective controls.

You need to start with traditional asset management strategies, identifying all components and tracing all assets, regardless of whether they're in a rack somewhere or in a colocation. For too many enterprises, there is no comprehensiveness, no proper governance. They need to match assets and data with each line of business to plot out sustainability for that LOB. They need to figure out everything from IoT devices to third-party vendor software. There are so many things that often exist below the radar. What is the ecosystem for each and every product line?

**The Vertical Dimension**

Beyond that one enterprise, attack surface and the threat landscape must be identified for any verticals where the machine operates and often it has to drill into any and all subindustries. That forces a strict evaluation of what threat intelligence is being used.

For industry/vertical data, that means integrating information sharing and analysis centers (ISACs) along with open source alerts, vendor notifications, the Cybersecurity and Infrastructure Security Agency (CISA) and the (National Vulnerability Database (NVD) and many others, song with internal SIEM data.

But all of that threat intel is powerful before an incident. Once an attack begins and the SOC staff is actively defending itself, threat intel can sometimes prove more of a distraction than a help. It's great before as well as after the attack, but not during.

Companies often undermine their IR speed and effectiveness by not giving the SOC team sufficient access as well as information. For example, audit logs often include the IP addresses of affected devices, but some logs only display an internal NAT address and SOC staff couldn't easily and quickly map public IP addresses to NAT IP addresses. That forced the SOC team — during an emergency — to reach out to the network infrastructure team.

Does the SOC team have access to all cloud environments? Are they listed as contacts for all colocation and cloud support staff?

It is common for security people to use military analogies — especially war references — when describing incident response strategies. Sadly, those analogies are more apt than I'd wish. Attackers today are using top-end machine learning systems and are sometimes financially backed by nation-states. Their systems are often more robust and modern than what enterprises use for defense. That means that today's IR strategies must use the ML tools to keep up. The attackers have their methods timed to the second, and they know they have to get in, do their damage, exfiltrate their files, and get out quickly. CISOs today must detect and block in even less time.

The Tangled Web of IR Strategies

**SANTA CLARA, Calif.****,** **April 20, 2023** **/PRNewswire/ --** Infoblox Inc. the company that delivers a simplified, cloud- enabled networking and security platform for improved performance and protection, today published a threat report blog on a remote access trojan (RAT) toolkit with DNS command and control (C2). The toolkit created an anomalous DNS signature observed in enterprise networks in the U.S., Europe, South America, and Asia across technology, healthcare, energy, financial and other sectors. Some of these communications go to a controller in Russia.

Coined "Decoy Dog," Infoblox's Threat Intelligence Group was the first to discover this toolkit and is collaborating with other security vendors, as well as customers, to disrupt this activity, identify the attack vector, and secure global networks. The critical insight is that DNS anomalies measured over time not only surfaced the RAT, but ultimately tied together seemingly independent C2 communications. A technical analysis of Infoblox's findings is here.

"Decoy Dog is a stark reminder of the importance of having a strong, protective DNS strategy," said Renée Burton, Senior Director of Threat Intelligence for Infoblox. "Infoblox is focused on detecting threats in DNS, disrupting attacks before they start, and allowing customers to focus on their own business." 

As a specialized DNS-based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, where there is "intent to compromise'' and before the actual attack starts. As a normal course of business, any indicators that are deemed suspicious are included in Infoblox's Suspicious domain feeds, direct to customers, to help them preemptively protect themselves against new and emerging threats.

**Threat Discovery, Anatomy & Mitigation:** 

*   Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.
*   The RAT was detected from anomalous DNS activity on limited networks and in network devices such as firewalls; not user devices such as laptops or mobile devices.
*   The RAT creates a footprint in DNS that is extremely hard to detect in isolation but, when analyzed in a global cloud-based protective DNS system like Infoblox's BloxOne® Threat Defense, demonstrates strong outlier behavior. Further it allowed Infoblox to tie the disparate domains together.
*   C2 communications are made over DNS and are based on an open-source RAT called Pupy. While this is an open-source project, it has been consistently associated with nation-state actors.
*   Organizations with protective DNS can mitigate their risk. BloxOne Threat Defense customers are protected from these suspicious domains.
*   In this case, Russian C2 domains were already included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox's anti-malware feed.
*   Infoblox continues to urge organizations to block the following domains:

*   claudfront.net
*   allowlisted.net
*   atlas-upd.com
*   ads-tm-glb.click
*   cbox4.ignorelist.com
*   hsdps.cc

"While we automatically detect thousands of suspicious domains every day at the DNS level – and with this level of correlation, it's rare to discover these activities all originating from the same toolkit leveraging DNS for command-and-control," added Burton.

The Infoblox team is working around the clock to understand the DNS activity. Complex problems like this one highlight the need for an industry-wide intelligence-in-depth strategy where everyone contributes to understanding the entire scope of a threat.

For the full threat summary titled **"Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic"** click here.

**About Infoblox's Threat Intelligence Group:**

The Threat Intelligence Group at Infoblox is dedicated to creating high fidelity "block-and-forget" domain name service (DNS) intelligence data for use in BloxOne Threat Defense. Core to Infoblox's protection strategy is the identification of suspicious domains. Infoblox's Threat Intelligence Group uses a patented machine learning algorithm to minimize the risk of enterprise outages while enabling maximum coverage of threats. Infoblox identifies suspicious domains through several **custom-built algorithms and DNS based threat hunting**.

The organization focuses on DNS and infrastructure actors. The team can identify suspicious behavior before its impact is known by the adjacent areas of the industry (endpoint, netflow vendors), and can track persistent actors to block their DNS infrastructure before it becomes a problem for our customers. Threat actors often register domains well in advance of using them for attacks, typically 14-120 days in advance, but we have seen domains held dormant for upwards of two years - like this case in point.

**About Infoblox** 

Infoblox unites networking and security to deliver unmatched performance and protection. Trusted by Fortune 100 companies and emerging innovators, we provide real-time visibility and control over who and what connects to your network, so your organization runs faster and stops threats earlier. Visit infoblox.com**, or follow-us on** LinkedIn or Twitter.

Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains

**BOSTON** **–** **April** **20,** **2023** **–** Bitsight, a leader in managing and monitoring cyber risk, today unveiled its expansion into a broader category of integrated cyber risk management. As the category creator and global leader in the cybersecurity ratings industry, Bitsight’s enhanced strategy will deliver new capabilities to empower security professionals and business leaders to more effectively and holistically manage cyber risk. The announcement includes large-scale distribution of risk data and insights through Moody’s/BVD’s Orbis, a new Third-Party Vulnerability Detection & Response solution, and more predictive cyber risk ratings that help mitigate cyber risk and make CISOs and risk professionals’ jobs easier.

Bitsight’s integrated solutions address the needs of CISOs and risk leaders, whose roles have become more challenging in recent years with digital transformation, supply chain risk, and expanded attack surfaces. “As the cyber threat landscape worsens and the global regulatory landscape demands more nimble and thorough risk management, Bitsight has evolved to stay ahead of our customers’ needs. Business leaders, risk leaders and boards are turning to us as an integrated solution to manage risk and build trust across their ecosystem,” said Bitsight CEO Steve Harvey.

Furthermore, comprehensive cyber risk management is also essential to good corporate governance, reaffirmed by the recently released White House national cyber strategy, pending SEC regulations on cybersecurity disclosure, and cybersecurity requirements emerging throughout Europe and Asia. Harvey noted, “Our strategic shift to become an integrated cyber risk management leader means we’re able to provide customers and governments with the industry’s most impactful data, services and tools to confidently navigate the uncertain cyber landscape.”

**Accelerated Partnership with Moody's Corporation**

Newly-added integrations with Moody’s will deliver expanded insights for enterprises and assist with holistic cyber risk management. In October 2021, Moody's Corporation invested $250 million in Bitsight, and the two companies announced a landmark partnership agreement. Through this partnership, Bitsight became the primary cyber risk analytics provider across Moody’s suite of integrated risk assessment offerings.

Bitsight data is now accessible by nearly 2,000 global credit analysts within Moody’s Investors Service. These analysts are leveraging Bitsight to better understand the relative cyber risk of issuers, engage issuers on cybersecurity risk, and publish research on the intersection of cyber risk and credit risk. Additionally, Bitsight ratings data is now also integrated within Moody’s Analytics' BVD Orbis platform, enabling non-technical risk managers to easily consider cyber risk factors in counterparty risk analysis.

“The rise of cyberattacks and ransomware has created an imperative for business leaders and boards to assess and quantify their cyber risk,” said Moody’s Analytics President Stephen Tulenko. “Bitsight is our trusted partner in helping leaders to better understand, measure, and navigate the cyber risk landscape with confidence.”

Through these integrations, Bitsight and Moody’s insights may be used together in powerful combinations for applications such as Know-Your-Customer, supply chain management, insurance underwriting, and credit risk assessment.

**New Third-Party Vulnerability Detection & Response Application**

To further its cyber risk management capabilities, Bitsight has enhanced its Third-Party Vulnerability Detection tool to include a Response workflow. Zero-day attacks and other vulnerabilities are increasingly common, and most companies are struggling to properly manage third-party exposure to critical vulnerabilities quickly, effectively, and at scale. With Vulnerability Detection & Response, cybersecurity teams can now access the most important vulnerability data and effectively prioritize vendor outreach with built-in questionnaires while tracking vendor response progress in real time. This release is another innovative application showcasing Bitsight’s continued commitment to helping customers better monitor, manage, and mitigate vulnerabilities across their third-party ecosystems.

**More Predictive Cyber Risk Ratings – Bitsight’s Ratings Algorithm Update**

Bitsight has launched a new ratings algorithm, with several key enhancements, most notably modifying the weights of several risk vectors based on independent research and insight into how those risk vectors correlate to real life cyber events. As a part of delivering an integrated cyber risk management solution, Bitsight remains committed to investing in and producing actionable cybersecurity ratings that have the strongest correlation in the industry to the likelihood of a cyber incident. “Cybersecurity ratings remain a critical tool in cybersecurity and risk leaders’ arsenals, while the pressures and demands to address cyber risk have significantly expanded,” said Harvey.

As attacks on organizations intensify and business leaders demand greater strategic support to address risk, Bitsight’s mission to build trust in the digital economy has extended well beyond cyber risk ratings. “Risk leaders globally spend every day working against a relentless and growing problem of cyber risk uncertainty,” said Harvey. “And as waves of digital transformation continue to disrupt cybersecurity stability, we are committed to supporting our current and future customers with a broad and unified cyber risk management solution that helps them navigate with greater confidence.”

Supporting Resources

*   Learn more about our partnership with Moody’s Corporation here
*   Learn more about Third-Party Vulnerability Detection & Response here
*   Learn more about the Rating Algorithm Update here

**About Bitsight**  
Bitsight is a global cyber risk management leader transforming how organizations manage exposure, performance, and risk for themselves and their third parties. Companies rely on Bitsight to prioritize their cybersecurity investments, build greater trust within their ecosystem, and reduce their chances of financial loss. Built on over a decade of market-leading innovation, its integrated solutions deliver value across enterprise security performance, digital supply chains, cyber insurance, and data analysis.

Bitsight Expands into Integrated Cyber-Risk Management

A bug in how Google Cloud Platform handles OAuth tokens opened the door to Trojan apps that could access anything in users' personal or business Google Drives, Photos, Gmail, and more.

A security vulnerability in Google's Cloud Platform (GCP) could have allowed cyberattackers to hide an unremovable, malicious application inside a victim's Google account, dooming the account to a state of permanent, undetectable infection.

The bug, dubbed "GhostToken," was discovered and reported by Astrix Security researchers. According to an analysis released by the team on April 20, the malicious app could have paved the way for a startling array of nefarious activity, including reading the victim's Gmail account, accessing files in Google Drive and Google Photos, viewing the Google calendar, and tracking locations via Google Maps.

Armed with that information, attackers could craft extremely convincing impersonation and phishing attacks, or even place the person in physical danger.

"In even worse cases … attackers may be able to delete files from Google Drive, write emails from the victim's Gmail account to perform social engineering attacks, \[exfiltrate\] sensitive data from Google Calendar, Photos, or Docs, and more," researchers wrote in the posting.

**An App That 'Ghosts' the Victim**

The Google Cloud Platform is built to host any of thousands of applications for end users, which, like other app ecosystems, have an official store where they can be easily downloaded — in this case, the Google Marketplace — along with third-party markets. Once authorized for download by the user, the application receives a token in the background, granting access to the installer's Google account based on the permissions that the app asks for.

Using the GhostToken vulnerability, cyberattackers can craft a malicious application that they can plant in one of the app stores, masquerading as a legitimate utility or service. But once downloaded, the app will hide itself from the victim's Google account application management page.

For the user, it basically disappears.

"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," according to the analysis. "The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."

Idan Gour, researcher at Astrix, says that the flaw could have had far-reaching consequences for both businesses and individuals, and that it serves as a wake-up call to remember just how much access cloud apps have into our lives, and the danger that shadow IT can have for enterprises. 

"This specific vulnerability allowed cyberattackers on one side to have access to organizational GCP environments, but on the other side, to people's personal Google Photos and their email accounts," he says. "It's worth remembering that these different services that we use every day for everything are actually prone to these kinds \[of\] challenges, and it's all about how we use it and, on the other side, how we secure it."

**Tracking Down a Phantom**

While details are scant, the technical issue generally arose from the way Google processes OAuth clients when they're decommissioned, the researchers said. Third-party OAuth clients are often integrated into apps to allow them to log users in more easily by making use of existing authentication with other trusted users. A common example is the "log in with Facebook" offered by many websites. 

As far as how it could be exploited, it starts with the fact that every application offered to Google users in the Google Marketplace (or other websites) is associated with a single GCP "project" that hosts it. If the owner of the GCP project (usually the developer) deletes it, it enters what Astrix refers to as "a limbo-like, pending deletion state," and it "stays that way for 30 days until it's fully purged and deleted."

These pending-deletion projects can be completely restored at the owner's whim from a dedicated page made for that purpose. However, for end users, the app immediately disappears from the "apps with access to your account" management page.

Thus, the attack scenario goes like this:

*   A victim authorizes a seemingly legitimate (but, in reality, evil) OAuth application. In the background, the attacker receives a token for the victim's Google account.
*   The attackers delete the project associated with the authorized OAuth application, which enters a pending deletion state — the application becomes hidden and unremovable from the victim's perspective.
*   Whenever the attackers wish to get access to the victim's data they restore the project, get a new access token, and use it to access the victim's data.
*   The attackers then immediately re-hide the application from the victim.
*   To maintain persistence, the attack loop must be executed periodically before the pending-deletion project is purged.

"During Step 2 of the attack loop, the access re-appears in the 'Apps with access to your account' page, which means the victim may technically remove the application's access in this time window," the researchers explained. "However, it's a very limited time frame which lasts until the attacker executes Step 1 of the attack loop again."

**Eternal Battle of Usability & Security**

Gour notes that the vulnerability was an unusual one because it related to a core feature that was, ostensibly, behaving as it should: Giving developers flexibility without bogging down end users with notes on apps they can no longer use.

"Normally when we talk about vulnerabilities, these are things that are broken that you can just patch and continue on," he explains. "But in this case, it was actually a core feature of GCP and how you create projects in GCP. It's actually nice to be able to revert to things that you did in the past, that you didn't mean to erase. But on the other hand, with a little bit of creativity, and a very straightforward approach, it could be turned into something that can completely break the way that identity and access management is done by an external third party that was integrated to this environment (OAuth)."

And indeed, the bug speaks to the ongoing push-pull between usability and security that's felt within all parts of an enterprise environment, Gour notes.

"The implications for cloud security, especially as it touches organizations and the private information of so many people nowadays, is that yes, sometimes it gets in the way of productivity or personal mobility, and is that what we want?" he says. "You have to be thinking of these things from the design phase and evaluate features for the balance between value to the user and security. It's much, much, much, easier to do before everything is implemented and hundreds or thousands of people are using it."

**Banishing the Ghost: Mitigation & a Patch**

Earlier this month, Google rolled out a global patch, fixing the issue by making sure that apps in a pending deletion state are still visible in a user's app management screen. However, Astrix researchers warned that while they aren't aware of active exploitation, Google Workspace administrators should look for applications that may have attacked users before the patch was initiated on April 7.

This can be done in two ways, the researchers said:

1.  Looking for applications whose client ID is the same as the 'displayText' field and removing their access if they prove to be malicious;
2.  Or inspecting the OAuth log events in the "Audit and Investigation" feature of Google Workspace for token activity of any such apps.

'GhostToken' Opens Google Accounts to Permanent Infection

The new Security Legal Research Fund and Hacking Policy Council are aimed at protecting "good faith" security researchers from legal threats and giving them a voice in policy discussions.

Security researchers who report vulnerabilities run the risk of either being slapped with legal sanctions to suppress disclosure or getting caught up in a legal battle punishing them for finding the flaws in the first place.

Even though the US Department of Justice announced last year that it won't prosecute cybersecurity researchers engaged in "good faith" vulnerability research and disclosure for violating the Computer Fraud and Abuse Act (CFAA), researchers still risk criminal and civil actions from states, foreign governments, and corporations. The nonprofit Center for Cybersecurity Policy & Law is pushing back with two coordinated initiatives – the Hacking Policy Council and the Security Legal Research Fund – to protect individuals who discover vulnerabilities that could potentially harm users if exploited.

The formation of the Hacking Policy Council and Security Legal Defense Fund underscores how critical it is to identify and disclose vulnerabilities to prevent malicious actors from gaining access to software, infrastructure, and data, says Futurum Research senior analyst Krista Macomber.

"The intention is to create a climate that encourages collaboration and information sharing and protects folks working diligently to expose potential threats," Macomber says.

The Hacking Policy Council plans to advocate and lobby for better vulnerability disclosure regulations and removing outdated laws. Founding member organizations include Google, Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security. The Security Legal Research Fund, as of now, will provide only funding.

"The defense fund does not plan to provide direct legal representation to researchers at this time," said Harley Geiger, an attorney with Venable and coordinator of the two new groups, during the press conference announcing the two initiatives. "Instead, it will help provide funding to individuals who are facing legal threats due to good faith security research and vulnerability disclosure."

**Plight of Ethical Hackers**

James Dempsey, one of the Security Legal Research Fund's board members and a lecturer at the University of California at Berkeley Law and Stanford University, noted that independent researchers have long faced legal jeopardy for their efforts. For example, Dempsey pointed to a well-known case in 2008 when a judge issued an injunction that prevented a team of MIT students from presenting at the DEF CON security conference about vulnerabilities they discovered in Massachusetts Bay Transit Authority's fare card system.

Dempsey pointed to a more recent case in 2021 when Missouri Governor Mike Parson threatened to prosecute reporters at the St. Louis Post-Dispatch after the newspaper published an article exposing vulnerabilities on a state agency's website. But Missouri prosecutors ultimately declined to file charges.

"To get that letter on the letterhead threatening legal action can be very intimidating, and that's what we want to help people overcome," Dempsey said.

"This issue has so much impact that I think it really merits a group that is tightly focused on this issue and can bring that expertise to policymakers to help them make more informed policy," said Charley Snyder, Google's head of security policy.

The Hacking Policy Council will initially work to lobby for changes in laws and regulations in the US and, ultimately, worldwide. Luta Security founder and CEO Katie Moussouris emphasized that many regulations are outdated.

"Right now we have a lot of regulations that were, frankly, written in a different era when there was not a nuanced understanding of the hand-in-hand relationship between vulnerability discovery and malicious hacking prevention," she said.

Complicating matters is the global disparity in regulations and policies, which sometimes require disclosure to a government, either in tandem or before notifying affected users and the public, Moussouris noted. A provision in the Cyber Resilience Act, proposed by the European Commission, would require anyone in the EU discovering a vulnerability to disclose it within 24 hours.

"As written, it will be as effective for security as GDPR was for privacy; it will have that much of an impact," Venable's Geiger said.

Adding to the complexity, Geiger noted that the current definition doesn't distinguish between good faith security research and malicious criminals.

"There is currently no provision for making sure that the vulnerability, before it is disclosed, is patched," he said. "Part of the concern with the CRA is that you then end up EU-wide with a rolling list of software and vulnerabilities that may not yet be mitigated, shared with perhaps dozens of EU government agencies."

**Legal Aid for Security Researchers**

The Security Legal Research Fund will help good faith security researchers and penetration testers facing cease-and-desist letters, lawsuits, fines, and prosecution for disclosing vulnerabilities, said Tim Willis, head of Google's Project Zero team, during the media briefing.

"My hope in the long term for this fund is that the chilling effect that is currently felt by security researchers is reversed over time. One thing that all these parties can agree on is that users lose when things don't get fixed quickly," Willis said.

Geiger emphasized that the effort would focus on protecting ethical hackers who only use their research to protect users.

"The fund is not looking at helping good faith security researchers who are sued for something like extortion if they, in fact, committed extortion," Geiger said. "It will be for the act of good faith security research or the act of vulnerability disclosure connected with that good faith security research."

Amie Stepanovich, VP of US policy at the Future of Privacy Forum and a Security Research Legal Defense Fund board member, said each request will be considered based on the scope and merit of the case and the applicant's financial resources.

"We are going to be targeting funds to where they're needed most," Stepanovich said. "We want to be able to help as many people as possible in as dire need as possible, and so we will be making decisions about amounts based on the case and the need and what the actual factual circumstances are."

Google is seeding the Security Legal Research Fund with an undisclosed amount, but the fund would be operated by the Center for Cybersecurity Policy & Law to ensure no one company has influence or receives favor over how the funds are used. Willis urged other companies to also contribute to the fund.

Omdia analyst Curtis Franklin believes the fund and counsel further validate and support independent researchers' role in finding vulnerabilities.

"Independent researchers are a necessary part of our security infrastructure right now, and I think it's good that this is being recognized and that these companies want to take the steps of having more formal legal recognition of that," Franklin says. "Our systems are now sufficiently complex that no one company can find all of the vulnerabilities that exist and all of the interactions that exist in their systems, either before or after they're released."

New Policy Group Wants to Improve Cybersecurity Disclosure, Support Researchers

The Open Source Security Foundation's SLSA v1.0 release is an important milestone in improving software supply chain security and providing organizations with the tools they need to protect their software.

The Open Source Security Foundation (OpenSSF) has released v1.0 of Supply-chain Levels for Software Artifacts (SLSA) with specific provisions for the software supply chain.

Modern application development teams regularly reuse code from other applications and pull code components and developer tools from myriad sources. Research from Snyk and the Linux Foundation last year found that 41% of organizations didn't have high confidence in open source software security. With supply chain attacks posing an ever-present and ever-evolving threat, both software development teams and security teams now recognize that open source components and frameworks need to be secured.

SLSA is a community-driven supply chain security standards project backed by major technology companies, such as Google, Intel, Microsoft, VMware, and IBM. SLSA focuses on increasing security rigor within the software development process. Developers can follow SLSA's guidelines to make their software supply chain more secure, and enterprises can use SLSA to make decisions about whether to trust a software package, according to the Open Source Security Foundation.

SLSA provides a common vocabulary to talk about software supply chain security; a way for developers to assess upstream dependencies by evaluating the trustworthiness of source code, builds, and container images used in the application; an actionable security checklist; and a way to measure compliance with the forthcoming Secure Software Development Framework (SSDF).

The SLSA v1.0 release divides SLSA’s level requirements into multiple tracks, each one measuring a particular aspect of software supply chain security. The new tracks will help users better understand and mitigate the risks associated with software supply chains and ultimately develop, demonstrate, and use more secure and reliable software, the OpenSSF says. SLSA v1.0 also provides more explicit guidance on how to verify provenance, along with making corresponding changes to the specification and provenance format.

The Build Track Levels 1-3, which roughly correspond to Levels 1-3 in earlier SLSA versions, describes levels of protection against tampering during or after software build. The Build Track requirements reflect the tasks required: producing artifacts, verifying build systems, and verifying artifacts. Future versions of the framework will build on requirements to address other aspects of the software delivery life cycle.

Build L1 indicates provenance, showing how the package was built; Build L2 indicates signed provenance, generated by a hosted build service; and Build L3 indicates the build service has been hardened.

The higher the level, the higher the confidence that a package can be traced back to its source and has not been tampered with, OpenSSF said.

Software supply chain security is a key component of the Biden administration's US National Cybersecurity Strategy, as it pushes software providers to assume greater responsibility for the security of their products. And recently, 10 government agencies from seven countries (Australia, Canada, Germany, the Netherlands, New Zealand, the United Kingdom, and the United States) released new guidelines, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," to urge software developers to take necessary steps to ensure they are shipping products that are both secure by design and by default. That means removing default passwords, writing in safer programming languages, and establishing vulnerability disclosure programs for reporting flaws.

As part of securing the software supply chain, security teams should be engaging with developers to educate them about secure coding practices and tailoring security awareness training to include the risks surrounding the software development life cycle.

Source

DARKReading