Will stricter cybersecurity requirements make flying safer? The TSA says yes, and sees it as a time-sensitive imperative.

The Transportation Security Administration (TSA) announced a new set of cybersecurity requirements this week for airport and aircraft operators. The initiative constitutes "an emergency action," the TSA explained in a press release, urgent "because of persistent cybersecurity threats against US critical infrastructure, including the aviation sector."

This announcement comes hot on the heels of the White House's National Cybersecurity Strategy, published March 2. It's all part of a broader government effort to increase cyber resilience across critical industries.

Back in July, for example, the TSA issued near word-for-word similar requirements for the rail industry. As Robert Carter Langston, press secretary for the TSA, tells Dark Reading: "This amendment to the aviation security programs extends similar cybersecurity performance-based requirements that currently apply to other transportation system critical infrastructure."

"It's good that the TSA is codifying these requirements," says Mike Parkin, senior technical engineer at Vulcan Cyber, "though it remains to be seen how it will affect airline passengers."

**New Cyber Guidelines for Airports and Airlines**

This isn't TSA's first set of cyber rules of the road for airport and airline operators. In years prior, the TSA instituted requirements for operators to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA), establish cybersecurity points of contact, develop incident response plans, and complete vulnerability assessments.

The new set of rules states that TSA-regulated organizations must develop and assess "an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure," the agency wrote. TSA described four primary measures:

1.  Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
2.  Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3.  Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
4.  Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, noted that the guidelines are timely, and that TSA's "emergency" designation could be well warranted.

"I think it is wise of the TSA to require airport and aircraft operators to improve their cybersecurity resilience as attacks and geopolitical tension have continued to escalate over the years," he said in an emailed statement. "Airports and aircraft operators have also been caught in the cross hairs of Russian and Iranian cyber crews. This is why the aviation industry needs to protect all digital controls because they can and will be hacked. I truly believe that the cyber 9/11 is coming, which is why operators must invest in proactive cybersecurity measures."

**Will TSA's New Rules Make a Difference?**

Whether these new guidelines will make any real, material difference in airline security remains to be seen, but researchers welcomed them nonetheless.

On one hand, the details of exactly what will be considered sufficient security, from airports and airlines, and how compliance will be enforced, are still hazy. According to Langston, the details of how each organization will implement these measures "will be coordinated directly with TSA's stakeholders."

Even if airlines and airports do take heed, though, will the effects be significant? TSA's initiative "does fall in line with, and reinforces, the new National Cybersecurity Strategy document, and makes sense from multiple angles," Parkin says, but neither network segmentation nor access control, monitoring, or patching are particularly groundbreaking ideas.

As Parkin points out, "None of these requirements aren't already considered industry best practice\[s\] and things the airport authorities and airline operators shouldn't be doing already."

Kellerman, however, noted that some advanced tools fall under the broad umbrella of TSA's broader language in the requirements. Those include "micro-segmentation of networks, managed detection and response services (MDR), runtime application self-protection (RASP), and multifactor authentication (MFA) to protect against future intrusions," he noted. "They should also consider moving to secure cloud environments that deploy serverless application security. If we have learned anything from ongoing attacks, it is that cybersecurity is a functionality of conducting business, not an expense, and that TSA cannot protect operators from growing ephemeral threats."

TSA Issues Urgent Directive to Make Aviation More Cyber Resilient

Led by growth in Russia, more than 40% of global ICS systems faced malicious activity in the second half of 2022.

More than 40% of the total number of global industrial control systems (ICS) computers saw some kind of malicious attack during the course of 2022.

This volume of cyberattacks against industrial systems was led by growth in Russia, which, as a region, saw a full 9 percentage-point increase in malicious activity in 2022, according to research into telemetry statistics this week from Kaspersky. Blocked malicious scripts were a particularly common threat within the firm's data for the period, which, along with phishing pages targeting ICS, saw an 11% rise over 2021, the analysis added.

However, Russia, which saw 39.2% of the ICS machines in Kaspersky's telemetry attacked, was not the top target overall. Rather, Ethiopia took the crown with 59% of its ICS footprint seeing malicious activity.

"In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions," the Kaspersky report said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

40% of Global ICS Systems Attacked With Malware in 2022

A state-backed threat actor impersonates political figures, tricking a prime minister, a former US president, and several European mayors and MPs into video calls later used in an anti-Ukraine influence campaign.

A Russian duo notorious for pranking numerous high-profile individuals, including Canadian Prime Minister Trudeau, is at it again — this time seeking to embarrass public figures that have expressed support for Ukraine in its war with Russia.

Over the past year, the two individuals — known publicly as Vovan and Lexus — have targeted high-ranking government officials and CEOs at large companies in North America and Europe, according to Proofpoint researchers, in a campaign to lure them into saying potentially volatile things on video and phone calls. The effort seems to be in retaliation for the targets' support for Ukraine in the war with Russia. 

**An Elaborate Impersonation Con**

In a blog post this week, Proofpoint said it had observed a sharp increase in activity from the pair following Russia's invasion of Ukraine last February. Since then, Vovan and Lexus have contacted numerous prominent business leaders and politicians that have either made public statements against the war or have donated to Ukrainian humanitarian programs.

In emails to the targeted individuals, the pair have variously presented themselves as Ukrainian Prime Minister Denys Shmyhal, Ukrainian Member of Parliament Oleksandr Merezhko, and Russian opposition leader Alexei Navalny's Chief of Staff Leonid Volkov. Other emails have purported to be from the "Embassy of Ukraine to the US" and the "Embassy of Ukraine in the US," and were sent from plausible-looking, embassy-themed email addresses.

The emails have attempted to convince recipients into participating in recorded video chats and phone calls, where they are encouraged to speak on various matters associated with the war in Ukraine. In some of the video conversations, the two individuals have worn heavy makeup and likely used deepfake technology to take on the appearance of figures they were impersonating. Edited versions of the recordings have later appeared on YouTube, Telegram, Twitter, and Russian-video platform Rutube.

"Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts," Proofpoint's report said. "The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences."

**A Who's Who of Victims**

Proofpoint's report did not name any specific individuals that might have fallen for Lexus and Vovan's tricks. But researchers from the company pointed Dark Reading to publicly known examples of their work.

In one instance, the pair posed as Ukrainian Prime Minister Shmyhal and tricked former UK Home Secretary Priti Patel into a 15-minute conversation with them on the war and the related refugee crisis. The hoaxers later posted a video of them duping Patel on YouTube and other social media channels. In another campaign last June, Vovan and Lexus tricked the mayors of Warsaw, Berlin, Vienna, and Budapest into making video calls with an individual they believed was Vitaliy Klychko, the mayor of Kyiv.

Vovan and Lexus, whose real names are Vladimir Kuznetsova and Aleksei Stolyarov, have also, as mentioned, tricked Canadian Prime Minister Trudeau (into thinking he was speaking with climate change activist Greta Thunberg). Last year, they posted a video on YouTube that purported to show former US President George Bush speaking with an individual he assumed was Ukrainian President Volodymyr Zelenskyy. In May 2021, the pair tricked multiple European members of Parliament into video meetings using deepfake technology to impersonate Russian opposition leaders, including Navalny.

**A Russian State-Backed Threat?**

Researchers at Proofpoint have been tracking the two individuals since 2021 under the threat actor designation "TA499." This week, they cautioned against dismissing them merely as pranksters, as some have previously. "While Vovan and Lexus brand themselves as 'pranksters and comedians,' multiple governments and officials deem the pair to be Russian, state-funded bad actors," Alexis Dorais-Joncas, senior manager for threat research at Proofpoint, tells Dark Reading.

Proofpoint has not been able to confirm the level of government involvement with the pair, but the company has determined from open source intelligence that the two actors are likely state encouraged and patriotically motivated. "It's fair to consider Vovan and Lexus as 'influencers' or 'propagandists,' as they deem to influence the political nature of Russia as a whole and reach an English audience through various methods," Dorais-Joncas says.

"TA499's elevation to state-aligned activity is due to the targeted nature of its campaigns, utilization of actor-controlled domain infrastructure, \[and\] multiple VoIP fake phone numbers for separate recipients," he notes. 

The two individuals perform reconnaissance to target both directly and via the close contacts of selected targets, and presents a risk to organizations, the researcher says. "These things combined with their specific focus on Russia-aligned propaganda, make them a state-aligned threat."

Proofpoint assessed with high confidence that TA499 will continue with its influence campaign, and likely reuse old or additional infrastructure to do so. The primary target continues to be C-level executives or those at the highest-profile positions at their respective organizations. 

The security vendor posted a list of email addresses that the duo has used so far in their campaigns and advised anyone who has reason to believe they could be targeted to verify the identities of people inviting them to discuss political topics.

Russian Influence Duo Targets Politicians, CEOs for Embarrassing Video Calls

Researchers warn that polymorphic malware created with ChatGPT and other LLMs will force a reinvention of security automation.

A proof-of-concept, artificial intelligence (AI)-driven cyberattack that changes its code on the fly can slip past the latest automated security-detection technology, demonstrating the potential for creating undetectable malware.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which they call BlackMamba, which exploits a large language model (LLM) — the technology on which ChatGPT is based — to synthesize a polymorphic keylogger functionality on the fly. The attack is "truly polymorphic" in that every time BlackMamba executes, it resynthesizes its keylogging capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can allow the malware to dynamically modify benign code at runtime without any command-and-control (C2) infrastructure, allowing it to slip past current automated security systems that are attuned to look out for this type of behavior to detect attacks.

"Traditional security solutions like endpoint detection and response (EDR) leverage multi-layer, data intelligence systems to combat some of today’s most sophisticated threats, and most automated controls claim to prevent novel or irregular behavior patterns," the HYAS Labs researchers wrote. "But in practice, this is very rarely the case."

They tested the attack against an EDR system that was not identified specifically, but characterized as "industry leading," often resulting in zero alerts or detections.

Using its built-in keylogging ability, BlackMamba can collect sensitive information from a device, including usernames, passwords, and credit card numbers, the researchers said. Once this data is captured, the malware uses a common and trusted collaboration platform — Microsoft Teams — to send the collected data to a malicious Teams channel. From there, attackers can exploit the data in various nefarious ways, selling it on the Dark Web or using it for further attacks, the HYAS Labs researchers said.

"MS Teams is a legitimate communication and collaboration tool that is widely used by organizations, so malware authors can leverage it to bypass traditional security defenses, such as firewalls and intrusion detection systems," they wrote. "Also, since the data is sent over encrypted channels, it can be difficult to detect that the channel is being used for exfiltration."

Moreover, because BlackMamba's delivery system is based on an open source Python package, it allows developers to convert Python scripts into standalone executable files that can be run on various platforms, including Windows, macOS, and Linux, they wrote.

**What This Means for Modern Security**

AI-powered attacks like this will become more common now as threat actors create polymorphic malware that leverages ChatGPT and other sophisticated, data-intelligence systems based on LLM, according to the HYAS Labs researchers. This, in turn, will force automated security technology to evolve as well to manage and combat these threats.

“The threats posed by this new breed of malware are very real," the researchers wrote in the post. "By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today's predictive security solutions."

Typically, organizations that deploy EDR and other automated security controls as part of a modern security stack believe they're doing everything in their power to detect and prevent malicious activity. However, BlackMamba's use of AI now demonstrates that "they are not foolproof," the HYAS Labs researchers noted.

"The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene," they wrote.

The security landscape will have to evolve alongside attackers' use of AI to keep up with the more sophisticated attacks that are on the horizon, according to the researchers. Until then, it's imperative that organizations "remain vigilant, keep their security measures up to date," they advised, "and adapt to new threats that emerge by operationalizing cutting-edge research being conducted in this space."

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

For International Women's Month, new ongoing initiative is aimed at celebrating women and bringing visibility to those making cybersecurity history.

**Mountain View, Calif., March 8, 2023 –** Lacework®, the data-driven cloud security company, in celebration of International Women’s History Month, today announced the launch of a new ongoing initiative, “Secured by Women,”  to honor, bring visibility to, and increase opportunities for the women making history in today’s cybersecurity landscape. 

Despite comprising nearly half of the workforce, women only account for 38% of those in the STEM industry and 25% in the cybersecurity industry, according to Cybersecurity Ventures. Secured by Women not only celebrates the groundbreaking women shaping modern security, but is also designed as an ongoing initiative to help more women secure a seat at the table, a voice in the decision-making process, and all the opportunities they deserve. 

“In the security industry, we often talk about visibility – how to increase visibility into our technology environments to better see and understand our risks and potential threats. In that same spirit, now is time to increase visibility for the incredible women in the space who are leading, innovating, and revolutionizing modern security, ” said Sowmya Karmali, Director of Product Management, Lacework. “With this ongoing initiative, we hope to shine a light on this and create more urgency around increasing opportunities for women in security to showcase their amazing contributions and capture leadership roles.” 

On March 23, five women, nominated by their peers for making an impact in cybersecurity, will be selected as the first Secured by Women leaders. Lacework will sponsor each individual to attend one of the following upcoming major security conferences: RSA, Black Hat USA, Black Hat EMEA, or AWS re:Invent. Those recipients unable to attend a conference will be awarded the opportunity to donate the value of this sponsorship to a charity of their choice. And for every nomination submitted, Lacework is donating $1 to Girls Who Code. 

Do you know a brilliant woman in cybersecurity who's making history? Now's your chance to give her the recognition she deserves. Nominations open today, International Women’s Day, and will be open until Monday, March 20th, 5PT.  Submit your nominations today on SecuredbyWomen.com! 

Resources: 

*   Learn more from Lacework CMO Meagen Eisenberg on Secured by Women. 
*   Celebrate the rise of the CISO with us! 
*   Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

**About Lacework **

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization’s cloud and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

Lacework Launches Secured by Women Initiative

Organizations in both industries are falling short when addressing new challenges to protect data in the cloud, finds Blancco report.

**AUSTIN and LONDON – March 8, 2023**—New research launched today by Blancco Technology Group (LON: BLTG), the industry standard in data erasure and mobile lifecycle solutions, reveals the extent to which healthcare and financial services organizations have embraced cloud, as well as the effects cloud adoption has had on data classification, minimization and end-of-life (EOL) data disposal.

Based on a global survey of 1,800 respondents, the study, _Data at a Distance__,_ found extensive cloud adoption, thanks to the ease of managing increasing volumes of data. However, 65% say the switch has increased the volume of redundant, obsolete or trivial (ROT) data they collect.

Increasing volumes of stored data brings with it many issues and is of growing concern for organizations operating in heavily regulated markets. In addition to regulatory noncompliance risks, there are the cost and sustainability impacts of storing this data, as well as security concerns—more data means a greater attack surface and more liability in case of a breach.

Data management best practices indicate that organizations need to know what data they have collected, including its value, where it’s stored and when it needs to be permanently erased. Yet just over half of organizations (55%)can boast a mature data classification model that determines when data has reached EOL—meaning that nearly half fall short when it comes to determining when to dispose of cloud-stored data.

When asked about their cloud approaches, 60% of respondents said that their cloud provider handles EOL data for them. However, more than a third (35%) do not trust their cloud provider to appropriately manage EOL data on their behalf.

“Healthcare and financial services providers handle some of the most confidential and sensitive information possible. While they have made the move to cloud for better connectivity, digital transformation and ease of managing data, many of them are still falling short when it comes to knowing how to reduce risk and maintain compliance when that data is no longer serving a business function,” said Jon Mellon, President Global Sales, Marketing and Field Operations at Blancco.

“Covid changed working norms for all industries, and adopting the cloud helped adapt to those changes. But hackers also changed their approach. The industry reported that 45% of breaches that occurred in 2022 were cloud based. Yet our research found multiple instances of insufficient practices for managing EOL data in the cloud.”

**According to Blancco’s global study of 1,800 healthcare and financial services respondents:**

*   65% of organizations feel that they can better manage EOL data on premises than in the cloud
*   63% use software-based erasure with an audit trail for managing all data – both on-premises and cloud, but a worrying 38% carry out erasure without an audit trail
*   91% of those surveyed recognize data classification as an important first step for achieving data security
*   36% are just beginning to implement a policy for data classification and minimization, with nearly one in ten yet to implement any such process

Regular assessment of data and setting retention periods is a critical and growing concern as regulatory requirements increase for the healthcare and financial services industries. The study found that 57% of organizations have a data schedule where they review different data types to determine whether data has reached end of life. But just over a quarter (28%) use the blunt approach of automatically setting a data expiration date, which is simple but ineffective: it does not consider what the data is, what it’s worth, or the risk of it getting into the wrong hands.

Healthcare and financial services organizations are, however, aware of the new challenges for managing EOL data in the cloud. In fact, 65% have found it necessaryto reassess how they determine what data is no longer needed since making the switch from analog to digital. But in addition to falling short when it comes to data classification and minimization, a worrying 59% of respondents reported using processes without verified data destruction at least some of the time to deal with at least some of their EOL data. This can leave data intact and retrievable without a proper audit trail to prove proper EOL data disposal.

Best practice that may have been in place in on-premises data centers can be left behind when organizations migrate their data to the cloud. While it is standard for cloud providers to refer to data deletion or destruction processes within user agreements, the practice of receiving clear assurances that specific sensitive data has been removed for good is still in its infancy, leaving highly regulated industries vulnerable to both regulatory noncompliance and unauthorized data access threats.

Rapid covid-generated cloud adoption is bringing to light the need for organizations to rethink ownership of their data in a heavily regulated and threat-saturated market. The report lists best practices that will guide these and other data-dependent industries towards ensuring regulations are met and that they can continue to protect both themselves and their customers.For full analysis, read the report here: https://www.blancco.com/data-at-a-distance.

Surge in Cloud Adoption Means a Greater Data Attack Surface for Healthcare and Financial Services

Using a risk-based approach to deal with policy violations and continuous compliance monitoring will help avoid data exposures and fines.

Public cloud spending and adoption is growing fast. Analysts predict that organizations will spend $591.8 billion on cloud infrastructure and services in 2023, up 20.7% from the year before. In fact, according to Forrester, the public cloud market is projected to reach $1 trillion by 2026, with the majority of spending directed to the big four: Alibaba, Amazon Web Services, Google Cloud, and Microsoft.

So, what's happening? Organizations accelerated their cloud migration during the pandemic and saw huge benefits as cloud services enabled faster innovation, provided elasticity to respond to fluctuating demand, and scaled with growth. Now, there's no turning back, even as the C-suite cuts spending in other areas. Organizations' appetite is particularly large for infrastructure-as-a-service (IaaS), projected to reach $150 billion; and platform-as-a-service (PaaS), anticipated to reach $136 billion in 2023.

Yet all this heady growth, which is thrilling to business strategists and technologists alike, has a dark side. Organizations risk significantly increasing public cloud data risks if they don't take necessary steps to improve its security.

**Shadow Data Is Growing Due to Lax Security Controls**

Multiple factors are contributing to the problem of "shadow data" or unknown, unmanaged public cloud data. Business users are provisioning their own applications, and developers are continually spinning up their own instances to develop and test applications. Many of these services store and use sensitive data that IT and security teams don't know about. Cloud buckets may also store multiple versions of data in the same bucket, a process called versioning, which increases risks if policies aren't configured properly.

As the pace of innovation increases, unmanaged data stores are often forgotten about and abandoned. In addition, sensitive data that is properly secured could be moved or copied to an unsecured environment or rendered vulnerable if third parties or extraneous users are granted excessive access privileges.

To understand just how much sensitive data is out there, Laminar Labs scanned publicly facing cloud storage buckets. We were able to detect personally identifiable information (PII) in 21% of the buckets. The information we uncovered included physical and email addresses, phone numbers, drivers' license numbers, names, loan details, credit scores, and more. As just one example, we discovered a file with contact information, Ethereum and Bitcoin address information, and block card email addresses — all information that could easily be exploited by a hacker.

The majority of this shadow data was misplaced — often placed in a public bucket that became accidentally exposed. In other cases, AWS S3 buckets were misconfigured as public instead of private. Either way, myriad organizations are exposing sensitive data that is completely open to be exfiltrated.

**Three Steps to Better Public Cloud Data Security**

Most security professionals (82%) are aware of — and concerned about — their growing public cloud data security problem. Here's how these experts can move swiftly to mitigate threats:

*   **Discover and classify all cloud data:** A next-generation public cloud data security platform enables teams to auto-discover all their cloud data, not just known or tagged assets. It detects all cloud data holdings in managed and unmanaged assets, virtual instances, shadow data stores, data caches and pipelines, and big data. With this information, the platform builds a comprehensive, consistent data catalog across organizations' multicloud environments. The catalog precisely identifies and classifies all sensitive data, such as PII, personal health information (PHI), and payment card industry (PCI) transaction data.

*   **Secure and control cloud data:** With holistic insights into their sensitive cloud data, security teams can apply and enforce the right security policies and validate data settings against their organization's predetermined guardrails. A public cloud data security platform will reveal outstanding policy violations that can be prioritized in a risk-based manner, based on data sensitivity level, security posture, volume, and exposure.
*   **Remediate risks and monitor activity without interrupting data flow:** Teams can then begin remediating sensitive data without compromising business activity. A public cloud data security platform will prompt teams to apply best practices, such as enabling encryption and limiting third-party access, and practice better data hygiene, by removing unused sensitive data from the environment. This process is called data security posture management and provides recommendations that are tailored to each cloud environment, making them more relevant and effective. In addition, security teams can use the platform to enable continuous data monitoring. By doing so, they can rapidly identify policy violations and ensure public cloud data adheres to the organization's stated security posture and regulations, regardless of where it is stored, used, or moved in the cloud.

**Reduce Public Cloud Data Security Risks Today**

Public cloud data security is too important to be left to chance. In a report we released last year, "State of Public Cloud Data Security, "50% of respondents said their cloud environments had been breached in 2020 and 2021. And of this group, 58% had experienced cloud data leaks or exfiltration.

The best way to protect this valuable data is with a public cloud data security platform that is cloud-native, agentless, asynchronous, and able to scale with data growth. With this resource, IT and security teams can tame the complexity of managing and securing data across multiple vendors and hundreds of services. They can also regain control over sensitive cloud data: applying proper governance, using a risk-based approach to address the areas of greatest concern, and maintaining continuous compliance to avoid data exposures and fines.

Rising Public Cloud Adoption Is Accelerating Shadow Data Risks

Cisco’s acquisition of cloud-native firewall provider Valtix and HPE’s deal to buy SSE provider Axis Security fill gaps in their existing portfolios.

Cloud-native is where the deals are. Last week, Cisco announced a deal to buy Valtix, a startup offering a cloud-native firewall. A few days later, Hewlett Packard Enterprise (HPE) announced its own plans to buy Axis Security, a secure services edge (SSE) provider. Neither company disclosed the terms of the acquisitions, both of which are pending regulatory and shareholder approvals.

Both deals highlight how both companies are interested in cloud-native security capabilities and are filling the gaps in their respective product portfolios. Even so, analysts described both deals as being incremental.

“I see both of these acquisitions primarily as gap fillers,” says Mauricio Sanchez, research director covering network security, SASE, and SD-WAN at Dell’Oro Group. “HPE filled a larger gap by purchasing Axis, while Cisco got some interesting IP.”

**HPE Adds SASE to SD-WAN**

HPE plans to incorporate Axis Security’s SSE capabilities with its existing SD-WAN and network firewall offerings (from its Aruba division) to create a secure access service edge (SASE) offering. SASE provides the function of secure web gateways (SWS), cloud access security brokers (CASB), firewall-as-a-service offerings, and zero-trust network access (ZTNA) tools. Dell’Oro Group forecasts that spending on SSE, which consists of SD-WAN and SASE, will increase fivefold by 2027, when revenues top $60 billion.

HPE Aruba gained its SD-WAN offering to accelerate network connectivity to branch offices with its 2020 acquisition of Silver Peak. But until now, HPE lacked a SASE offering. “If HPE can execute well on that acquisition, it brings them back into the game for a broader SASE play,” says Omdia senior principal analyst Fernando Montenegro.

“With Axis, HPE is now able to say they are an end-to-end SASE vendor versus offering just the networking \[SD-WAN\] piece,” adds Sanchez. “The security element is where the action and money are, so by getting Axis, HPE can double their SAM \[served available market\] in one go.”

However, Axis is a small company with a limited market share, Sanchez warns. “HPE got the technology solution but not the market share,” he says. “They will have to battle it out with the large goliaths, like Zscaler and Palo Alto.”

Sanchez thinks HPE will steer midsize enterprises toward Axis.

**Cisco Will Build a Cloud-Native Firewall**

As for Cisco, Valtix engineers will join the networking giant’s Security Business Group, “where they will work closely to integrate into our Security Cloud portfolio and accelerate our path to delivering a seamless experience in securing workloads across multi-cloud environments,” said Raj Chopra, senior VP and the group’s chief product officer, in a blog post.

The Valtix position is that virtual appliances are not well-suited for multicloud and hybrid environments, a sentiment shared by Omdia’s Montenegro.

“The challenge with deploying virtual firewalls in cloud environments is they don’t integrate as well with the rest of the clouds,” Montenegro says. “You want your network security component, the firewall, to understand how elastic your underlying environment is and to potentially do more than a traditional firewall, which is what Valtix is bringing to Cisco.”

Valtix’s advantage over virtual appliances is that it offers automated orchestration and provides visibility by supporting the integration of cloud provider APIs, the company says. It centralizes and consolidates network security by provisioning distributed enforcement points across Microsoft Azure, Amazon Web Services, Google Cloud Platform and Oracle Cloud Infrastructure. Valtix also offers a web application firewall (WAF), which Valtix says can protect cloud workloads, and it provides low-latency TLS decryption at scale.

Dell’Oro Group’s Sanchez views the Valtix deal as more of an acquisition of intellectual property rather than a “fully baked, market-competitive solution.” Sanchez says that Cisco is behind some of its competitors, such as Palo Alto Networks and Zscaler, in providing a cloud-native security offering.

“Palo Alto, as Cisco’s archnemesis in network security, has successfully monetized both virtual cloud firewalls as well as injecting themselves into the CNAPP market with Prisma Cloud,” he says. “Cisco has been largely on the sidelines. Cisco has a lot of catch up to do, and Valtix does help it incrementally. However, they need to do more, whether it be stitching the various products, like AppDynamics, Tetration, Kenna, together with Valtix to have a go at the CNAPP market, or leverage Valtix to invigorate Firepower \[Cisco’s next generation firewall — NGFW — line) to finally give Palo a run for its money in the cloud.”

Tech Giants Go Cloud-Native Shopping

**CAMBRIDGE, Mass.****,** **March 7, 2023** **/PRNewswire/ --** Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, today introduced the Akamai Hunt security service. The service enables customers to capitalize on the infrastructure of Akamai Guardicore Segmentation, Akamai's global attack visibility, and expert security researchers to Hunt and remediate the most evasive threats and risks in their environments. Akamai also released Agentless Segmentation, helping Akamai Guardicore Segmentation customers extend the benefits of Zero Trust to connected IoT and OT devices that aren't capable of running host-based security software.

As organizations embrace digital transformation and workforces continue to evolve, ransomware and other advanced attacks are still a threat to business continuity and overall brand trust, costing more than $20 billion in 2021 alone. To combat these threats, IT administrators must take new approaches to safeguard their networks, intellectual property and employees through the Zero Trust frameworks and microsegmentation to stop lateral movement within the network.

"Microsegmentation is proven to defend against ransomware and other attacks by greatly reducing attack surfaces in complex and dynamic environments," said Pavel Gurvich, Senior Vice President and General Manager, Enterprise Security at Akamai. "These new offerings for Akamai Guardicore Segmentation customers will extend protection to devices that have historically been difficult to secure and will provide the extra visibility and analysis necessary to fend off the most evasive threats."

**Akamai Hunt** 

Akamai Hunt combines the infrastructure, telemetry and control of Akamai Guardicore Segmentation with the data that Akamai has by delivering much of the world's internet traffic.

Now customers can eliminate threats in their environment, virtually patch vulnerabilities, and improve their IT hygiene. Other benefits include:

*   **Unique Dataset:** Rich telemetry from the customer's environment correlated with priority global threat data enables Hunt to find evasive threats and risks.
*   **Big Data Analysis:** Massive data is correlated and queried for suspicious and anomalous activity that other tools miss.
*   **Expert Investigation:** Dedicated security experts investigate detections to ensure teams are not bogged down by false positives.
*   **Alerts and Monthly Reports:** Detailed alerts provide the information required for mitigation, while monthly reports provide an executive overview.
*   **Guided Mitigation:** Hunt experts assist in the remediation of threats, patching of vulnerabilities, and hardening of IT infrastructures.

For more information about Akamai Hunt join the Akamai webinar on March 23 at 12:00 p.m. ET or click here.

**Akamai Agentless Segmentation**

Securing IoT and OT devices has traditionally been a challenge for most organizations. With Akamai Agentless Segmentation organizations are now able to reduce their attack surface, and enforce Zero Trust policies on devices that can't run host-based security software. Other features include:

*   **Continuous Device Discovery:** Automatically discover new network-connected devices and execute predefined device onboarding workflows.
*   **Integrated Device Fingerprinting:** Identify, assess, and categorize all connected devices to ensure that appropriate security policies are applied.
*   **Visualization of Enterprise Assets:** View IoT and OT devices, traffic, and interactions with endpoints, servers, and cloud assets throughout the enterprise.
*   **Agentless Zero Trust Segmentation:** Enforce agentless least-privilege segmentation policies and quarantine suspicious devices through direct integration with network control points.
*   **Roaming Device Awareness:** Maintain device visibility, context, and control as devices move between different areas of your wired and wireless network infrastructure.

Akamai Agentless Segmentation will be available for Akamai Guardicore Segmentation customers in Q2 2023.

**About Akamai**

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. With the world's most distributed compute platform — from cloud to edge — we make it easy for customers to develop and run applications, while we keep experiences closer to users and threats farther away. Learn more about Akamai's security, compute, and delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on Twitter and LinkedIn.

Akamai Technologies Releases New Service and Tools to Stop Advanced Threats and Drive Zero Trust Adoption

Two novel malware binaries, including "HiatusRAT," offer unique capabilities that point to the need for better security for companies' router infrastructure.

A cyber-espionage campaign featuring novel malware has been uncovered, targeting DrayTek routers at medium-sized businesses worldwide.

Unlike most spyware efforts, this campaign, dubbed "Hiatus" by Lumen Black Lotus Labs, has dual goals: to steal data in targeted attacks and to co-opt routers to become part of a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns.

The threat actors use known vulnerabilities to target DrayTek Vigor models 2960 and 3900 running an i368 architecture, according to an analysis this week on Hiatus from Black Lotus. Once the attackers achieve compromise, they can plant two unique, malicious binaries on the routers. 

The first is an espionage utility called tcpdump, which monitors router traffic on ports associated with email and file-transfer communications on the victim's adjacent LAN. It has the ability to passively collect this cleartext email content as it transits the router.

"More established, medium-size businesses run their own mail servers, and sometimes have dedicated internet lines," according to the report. "These networks utilize DrayTek routers as the gateway to their corporate network, which routes traffic from email servers on the LAN to the public internet."

The second binary is a remote access Trojan (RAT) called HiatusRAT, which allows cyberattackers to remotely interact with the routers, download files, or run arbitrary commands. It also has a set of prebuilt functions, including two proxy functions that the threat actors can use to control other malware infection clusters via an infected Hiatus victim's machine.

**HiatusRAT's Proxy Functions**

The two proxy commands are "purpose-built to enable obfuscated communications from other machines (like those infected with another RAT) through the Hiatus victims," according to the Black Lotus report.

They are:

*   **socks5:** Sets up a SOCKS version 5 proxy on the compromised router.
*   **tcp\_forward:** For proxy control, this takes a specified listening port, forwarding IP, and forwarding port and transmits any TCP data that was sent to the listening port on the compromised host to the forwarding location. It establishes two threads to allow for bidirectional communications between the sender and the specified forwarding IP.

The ability to turn the router into a SOCKS5 proxy device "allows the threat actor to interact with malicious, passive backdoors such as Web shells via infected routers as a midpoint," explains Danny Adamitis, principal threat researcher for Lumen Black Lotus. "Using a compromised router as the communications for backdoors and Web shells enables the threat actors to bypass geo-fencing-based defense measures and avoid being flagged on network-based detection tools."

The TCP function, meanwhile, has likely been designed to forward beacons or interact with other RATs on other infected machines, which would "allow the router to be a C2 IP address for malware on a separate device," according to the report.

All of this means that organizations shouldn't underestimate their worth as a target, the report noted: "Anyone with a router who uses the internet can potentially be a target for Hiatus — they can be used as proxy for another campaign — even if the entity that owns the router does not view themselves as an intelligence target."

**Varied Types of Hiatus Victims**

The campaign is unusually small, having infected only around 100 victims, mainly in Europe and Latin America.

"This is approximately 2% of the total number of DrayTek 2960 and 3900 routers that are currently exposed to the Internet," according to Adamitis. "This suggests the threat actor is intentionally maintaining a minimal footprint to limit their exposure and maintain critical points of presence."

In terms of espionage, some of the victims are "targets of enablement," says the researcher, and include IT service and consulting firms.

"We believe the threat actors target these organizations to gain access to sensitive information about their customers’ environments," using the scraped email communications to mount downstream attacks, Adamitis says.

He adds that a second grouping of victims can be considered targets of direct interest for data theft, "which included municipal government entities and some organizations involved in the energy sector."

While the number of primary victims is small, the scope of the data theft suggests an advanced persistent threat as the culprit behind Hiatus.

"Based upon the amount of data that would be collected from these accesses, it leads us to believe that the actor is well resourced and is capable of processing large volumes of data, suggesting a state-backed actor," Adamitis notes.

**What to Learn From Hiatus**

The key takeaway for businesses is that the conventional idea of perimeter security needs to be adapted to include routers.

"The benefits of using routers for data collection are that they are unmonitored, and all traffic passes through them," Adamitis explains. "This stands in contrast to Windows machines and mail servers, which usually have endpoint detection and response (EDR) and firewall protections deployed in enterprise networks. This lack of monitoring allows the threat actor to collect the same information that would be achieved without directly interacting with any assets that might have EDR products pre-installed on them."

To protect themselves, businesses need to make sure that routers are "routinely checked, monitored, and patched like any other perimeter device," he says.

Organizations should take action: The Hiatus binaries were first seen last July, with new infections continuing up to at least mid-February. The attacks use version 1.5 of the malware, indicating that there could have been activity using version 1.0 prior to July. Black Lotus said that it fully expects the activity to continue.

Source

DARKReading