Proxyjacking is an emerging, low-effort and high-reward attack for threat actors, with the potential for far-reaching implications.

Threat actors have found a lucrative new attack vector that hijacks legitimate proxyware services, which allow people to sell portions of their Internet bandwidth to third parties. In large-scale attacks that exploit cloud-based systems, cybercriminals can use this vector — dubbed "proxyjacking" — to earn potentially hundreds of thousands of dollars per month in passive income, researchers from Sysdig Threat Research Team (TRT) have found.

In a February blog post, Kaspersky researchers described proxyware services like this: "\[Users install a client that creates a\] proxy server. Installed on a desktop computer or smartphone, it makes the device's Internet connection accessible to an outside party." That outside party — the proxyware service — then resells an agreed-upon portion of the user's bandwidth to other people. 

"Depending on how long the program remains enabled and how much bandwidth it is permitted to use, the client accumulates points \[for the user\] that can eventually be converted into currency and transferred to a bank account," according to researchers at Kaspersky.

In one attack that the Sysdig researchers observed, threat actors compromised a container in a cloud environment using the Log4j vulnerability, and then installed a proxyware agent that turned the system into a proxy server without the container-owner's knowledge, the researchers revealed in a blog post on April 4.

This allowed the attacker to "sell the IP to a proxyware service and collect the profit," in an unusual type of Log4j exploit. Usually, Log4j attacks involve an actor dropping a backdoor or cryptojacking payload on the device, Crystal Morin, Sysdig threat research engineer, wrote in the post. "While Log4j attacks are common, the payload used in this case was uncommon," she wrote.

Proxyjacking shares characteristics of cryptojacking in that both profit off the bandwidth of a victim — and both are about equally profitable for the attacker, Morin said. However, these attacks differ in that attackers typically install CPU-based miners to extract maximum value from compromised systems, while proxyjacking mainly uses network resources — leaving a minimal CPU footprint, she wrote.

"Nearly every piece of monitoring software will have CPU usage as one of the first (and rightfully most important) metrics," she wrote. "Proxyjacking's effect on the system is marginal: 1 GB of network traffic spread out over a month is tens of megabytes per day — very likely to go unnoticed."

**How Proxyjacking Works**

Proxyjacking is a relatively new phenomenon spurred by the growth and use of proxyware services in the last couple of years, the researchers said. As mentioned, these services, such as IPRoyal, Honeygain, and Peer2Profit, are installed as apps or software on Internet-connected devices that, when running, allow someone to share Internet bandwidth by paying to use the IP address of the app users.

Proxyware comes in handy for people who want to use someone else's IP address for activity such as watching a YouTube video that isn't available in their region, conducting unrestricted Web scraping and surfing, or browsing dubious websites without attributing the activity to their own IP, the researchers said. According to the service, people pay for each IP address that someone shares via proxyware based on the number of hours they run the application.

In the attack investigated by Sysdig researchers, attackers targeted an unpatched Apache Solr service running in Kubernetes infrastructure to take control of a container in the environment, and then downloaded a malicious script from a command-and-control server (C2), which they placed in the /tmp folder to have privileges to perform their activity.

"The attacker's first execution was downloading an ELF file renamed /tmp/p32, which was then executed with some parameters, including the email address \[email protected\]\[.\]com and the associated password for their pawns.app account," Morin wrote in the post.

Pawns.app is a proxyware service that has been seen sharing IPs from IPRoyal's proxy network. Indeed, Sysdig TRT correlated the binary downloaded and executed in the malicious script to the command-line interface version of the IPRoyal Pawns application from GitHub, which uses the same parameters, researchers said. In this way, attackers began using the compromised pod to earn money on the service, they said.

Attackers covered their tracks by cleaning the compromised system of their activity, clearing the history, and removing the file they dropped in the containers and the temp files, the researchers added.

**Impact & Mitigation for Proxyjacking Attacks**

While the list of proxyware services reported as being used for proxyjacking is small right now, Sysdig researchers believe that this attack vector will continue to grow and eventually "defenders will uncover more nefarious activities," Morin wrote. "This is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications."

Researchers estimate that in 24 hours of activity for one proxyjacked IP address, an attacker can earn $9.60 per month. In a modest compromise of, say, 100 IP addresses then, a cybercriminal could net passive income of nearly $1,000 per month from this activity, they said.

When exploiting Log4j on unpatched systems, this figure can climb even higher, as millions of servers are still running vulnerable versions of the logging tool, and more than 23,000 of them can be reached from the Internet, according to Censys, the researchers said. "This vulnerability alone could theoretically provide more than $220,000 in profit per month" for an attacker, Morin wrote.

To avoid "receiving potentially shocking usage bills" due to proxyjacking activity, organizations need to take actions to mitigate potential attacks, the researchers said. They recommended that organizations set up billing limits and alerts with their respective cloud service provers, which can be an early indicator that something is amiss, Morin wrote.

Morin advised that organizations should also have threat-detection rules in place to receive alerts on any initial access and payload activity preceding the installation of a proxyware service application on your network.

'Proxyjacking' Cybercriminals Exploit Log4j in Emerging, Lucrative Cloud Attacks

Authorities claw back funds from six crypto accounts they say were linked to a "pig-butchering" cybercrime ring.

Half a dozen cryptocurrency accounts, allegedly used to launder romance scam proceeds, have been seized by the Department of Justice.

The DoJ said in a statement that, in total, it seized more than $112 million in cryptocurrency that was being laundered through the accounts.

"Transnational criminal organizations are combining confidence scams with technological savvy to swindle Americans out of their hard-earned funds," Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department's Criminal Division said about the seizure. "Now that we have seized this virtual currency, we will seek to swiftly return it to victims."

They added, "In addition to our tireless efforts to disrupt these schemes, we must also work to raise public awareness and help inform potential victims: be wary of people you meet online, seriously question investment advice, especially about cryptocurrency, from people you have not met in person, and remember, investments that seem too good to be true, usually are."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ Recovers $112M in Crypto Stolen With Romance Scams

"Gopuram" is a backdoor that North Korea's Lazarus Group has used in some campaigns dating back to 2020, some researchers say.

The threat actor — believed to be the Lazarus Group — that recently compromised 3CX's VoIP desktop application to distribute information-stealing software to the company's customers has also dropped a second-stage backdoor on systems belonging to a small number of them.

The backdoor, called "Gopuram," contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.

Meanwhile, some security researchers now say that their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).

**Gopuram: Known Backdoor Linked to Lazarus**

Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. The researchers at that time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea's prolific Lazarus Group.

In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. "The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence," Kaspersky said.

Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. "Gopuram is a second-stage payload dropped by the attackers" to spy on target organizations, he says.

Kaspersky's discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication app for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.

**A Major Supply Chain Compromise**

On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.

Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application's installation package added malicious code to them. The weaponized apps ended on user systems via automatic updates from 3CX and also via manual updates.

Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with an information-stealing malware getting installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX's development or build environment would have been able to introduce malicious code to the DLLs and get away unnoticed. 

3CX has hired Mandiant to investigate the incident and has said it will release more details of what exactly transpired once it has all the details.

**Attackers Exploited a 10-Year-Old Windows Flaw**

Lazarus Group also apparently used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature. 

In its 2103 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company's update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.

In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn't have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers. 

"Microsoft was reluctant, for a time, to make this patch official," says Jon Clay, vice president of threat intelligence at Trend Micro. "What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers."

Brigid O’Gorman, senior intelligence analyst with Symantec's Threat Hunter team, says the company's researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. "It worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code," O'Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.

“I think the best advice for organizations at the moment would be to apply Microsoft's patch for CVE-2013-3900 if they have not already done so," O'Gorman says.

Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That's because the newer OS undid the effect of the patch, Kucherin and other researchers say.

"CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity," Clay says. Patching would help security products flag the file for analysis, he notes.

William Dormann, senior vulnerability analyst at Analygence says the attackers in the 3CX incident used CVE-2013-3900 to plant shellcode in a digitally signed binary and banked on the malware slipping past analysts because it was digitally signed. "Users who have applied the mitigation for CVE-2013-3900 would not have been protected in any way whatsoever against the 3CX malware on an otherwise default configuration of Windows," he says. No Windows platform includes a fix for CVE-2013-3900 at this point in time. It remains strictly optional. He also notes that with GitHub taking down the payload files attackers had stored on it, there's nothing more users can do to protect against the threat.

A Microsoft spokesman said an attacker would be able to add code to a signed DLL only if they had already compromised the code via a third-party. "As a best practice, we encourage customers to apply all the latest security updates for better protection," the spokesman said. 

"In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat," the spokesman added. Microsoft did not directly address a Dark Reading question on why the company had decided to make the fix for CVE-2013-3900. Instead, the spokesman pointed to Microsoft's original security advisory on the bug. "Regarding CVE-2013-3900 updates specifically, we recommend customers assess their system environment and follow the steps and suggested actions outlined in the security advisory," the spokesman said.

_This story was updated on 04/04 to include comments from Microsoft and analyst Will Dormann._

3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor

They rake in millions, but now, as much as zero-days and ransoms, cybercriminals are dealing with management structures and overhead.

Today's foremost cybercrime gangs operate like large enterprises, with more than $50 million dollars in annual revenue and around 80% of operating expenses going to wage bills.

In a report published April 3, researchers David Sancho and Mayra Rosario Fuentes of Trend Micro mapped out the economics of running a cybercrime business in 2023. Using "observations and estimations," they explained, they aimed to show "the quarterly financial reports for typical criminal groups under small, medium, and large enterprise categories."

"Our hypothesis was that the bigger these organizations are going to be, the more they're going to resemble the structure of a corporation," Sancho tells Dark Reading. The most surprising thing, he says, is "when you put everything together, how consistent the picture is."

Small, medium, and especially large cybercrime gangs operate just like their legitimate counterparts, from their managerial structure all the way down to benefits for the lowest-level employees.

The inner workings of cybercrime operations don't just make for fun facts, though. "If you agree with our conclusion that the larger the organism, the more structured it becomes," Sancho says, "that presents an opportunity for anybody who is investigating or otherwise dealing with these organizations."

**The Cybercrime Economy of 2023**

In parallel with the corporate economy, the researchers mapped cybercrime organizations into three categories:

*   Small: 1-5 staff and affiliates, one management layer, under $500K annual revenue
*   Medium: 6-49 staff and affiliates, two management layers, up to $50M revenue
*   Large: 50+ staff and affiliates, a few management layers, and more than $50 million in revenue

The smallest hacker groups operate with a "move fast and break things" kind of mentality — funding operations out of their own pockets, making income however they can, and with everybody on the team doing a little of everything.

But "as revenue grows larger and larger, there's a bottleneck," Sancho explains. "If we can get this much money with five hackers. Let's see what we can get with six."

At this point gangs begin to bring on full-time staff — necessary for maintaining million-dollar annual profits — and a defined organizational structure.

"When you're more than five, six people, somebody needs to be in charge of something, otherwise if everybody does everything, it's kind of a mess," the researcher notes.

"The more they start growing, the more the complexity grows," he continues. "And when you're thinking about organizations of 20-plus, 50-plus, you definitely need people arranged in some sort of structure. Some people do finance, some do marketing, some do sales."

These groups have IT and even human resources divisions, operating with a pyramid-style management structure. As a humorous case in point: The Conti group used to have employees of the month.

**How Corporate Cybercrime Targets Can Benefit **

As Sun Tzu famously observed in _The Art of War_: "When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. Know thy enemy and know yourself; in a hundred battles, you will never be defeated."

Hackers have a reputation for working in the shadows — dark rooms, anonymous identities, and so on — by their own design. Once enterprises can recognize a bit of themselves in their adversaries, it makes the job of dealing with them less confusing.

For example, if you've been hit by a small group, you might reasonably assume that they act more like a startup. "Those groups can be more flexible and attack you differently," Sancho says, and so victims should react with more caution.

Conversely, for the biggest, baddest criminal outfits. "Once you realize that criminal organizations behave in an enterprise manner, then you realize their need to have a repository of documents," he explains. "They need to have rules for how to interact with one another. They're mostly working remotely."

Investigators can look for data one might not otherwise associate with cybercrime gangs — mergers and acquisitions information, shared calendars, and the like. And if nothing else, businesses may take some comfort in knowing that their attackers have predictable systems in place.

Professionalization can also prevent agility for cyberattackers. Cybercrime gangs are just like corporations now and as long as that's true, Sancho concludes, "they'll have the same headaches corporations have," like, for instance, sourcing good talent.

For Cybercrime Gangs, Professionalization Comes With 'Corporate' Headaches

The company behind digital storage brand SanDisk says its systems were compromised on March 26.

Business operations for Western Digital, a data storage hardware provider, have been disrupted due to a recent systems breach that the company said occurred on March 26.

Western Digital Corporation is behind the personal and professional-grade data storage brands SanDisk, WD, and WD\_Black, which collectively offer a range of devices, including external drives, internal hard drives, flash drives, and more.

Western Digital has released a statement announcing that an unauthorized third party was able to compromise its systems, that the incident is ongoing, and the internal investigations are being coordinated with law enforcement.

The company added that some system data was compromised, but assessments about exactly what was accessed are underway, the Western Digital breach disclosure statement explained.

"Western Digital is actively working to restore impacted infrastructure and services," the statement read. "Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Data Breach Strikes Western Digital

Whether protecting a financial institution or a hospital, everyone needs an effective strategy for fending off slippery threats like those that hide in memory.

Advanced threats are now more accessible than ever. On the Dark Web you can buy or rent zero-day attacks, fileless malware, supply chain compromises, and malware that targets device memory processes.

In 2021, memory compromise was the most common of the top five MITRE attack techniques, and the number of fileless attacks increased by over 900%. The number of zero-days seen in the wild more than doubled from 2020, according to Google's Project Zero. In 2022 data breaches were just 60 short of the all-time record of 1,862 breaches, set in 2021. There was a notable dip in data breach volumes during the first half of 2022, likely because Russia-based cybercriminals were too distracted or preoccupied by the invasion of Ukraine, along with volatility in the cryptocurrency market.

Advanced cyberattacks against well-defended networks have resulted in crippled oil pipelines, school systems, and even entire countries. And we will never know how many successful attacks on major enterprises occurred that never went public.

**Threats Hide in Memory to Avoid Detection**

Detection technologies are essential defenses in any IT environment. They include next-generation antivirus (NGAV), endpoint protection platform (EPP), endpoint detection and response/extended detection and response (EDR/XDR), and managed detection and response (MDR). But the most advanced threats and new variants of existing threats are specifically designed to evade these tools, usually by hiding in memory.

Scanners try to identify malware and malicious activity by looking at known signatures. But even if you have multiple layers of security technologies, these scanners cannot see threats that don't have recognizable signatures, are fileless, or exist in memory, which is impossible to scan effectively at runtime. After all, if you don't know what to look for and can't see your environment in real time, you can't find what you can't see.

Memory is a major vulnerability in modern cybersecurity because standard cybersecurity tools can't find stealthy, unknown, and evasive threats in memory — certainly not fast enough to stop attacks. As a result, security teams end up one step behind threat actors.

**The Memory Security Gap Is Growing**

Threat actors are targeting memory because it's the best place to persist on a device while remaining invisible. This is because runtime memory is such a big space that it's basically impossible to scan without massively degrading performance, leaving it mostly undefended by security controls.

To avoid compromising performance, detection-based solutions like EDR must look at memory selectively. They depend on picking specific times and spaces in memory to scan and looking for certain indicators, such as the recently released Cobalt Strike Yara rules.

Because threats can hide in a vast space and be reconfigured to avoid triggering rulesets, scanning solutions miss evasive threats almost all the time.

In a device's run-time memory environment, threats can steal credentials, hijack legitimate processes, and even turn a low-privileged user into a system administrator.

For example, malicious versions of the pen-testing framework Cobalt Strike enable threat actors to deploy a loader in the memory of a legitimate application, such as PowerShell. This means the threat exists purely in the memory environment while an application is running.

**Adding Memory Defenses**

The only way to reliably prevent compromise by advanced threats is to deploy a layered security posture that makes attackers' lives difficult. This means building secure networks, hardening systems, and deploying security technologies like EDR, EPP, and AV to spot malicious behavior and keep security teams informed about network activity. Security teams also need to consider solutions that protect memory by denying access to untrusted actors.

One way to protect memory is by using moving target defense technology to randomize the run-time memory environment so attackers can't find what they're looking for, breaking their attack chain. Instead of a static, known target environment, an attacker faces a dynamic memory environment containing decoy traps that capture unauthorized activity for forensic analysis.

As advanced threats become more common, layered security that incorporates memory defense is becoming essential. Without it, there is no effective way to stop threats targeting device memory.

How Good Is Your Advanced Threat Management?

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

We provide the cartoon. You write a witty cybersecurity-related caption to explain the scene above. Our favorite will win a $25 Amazon gift card.

The contest ends on April 26, 2023. Here are four convenient ways to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge April 2023 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congratulations, Mark Phinick! HCL Software's global VP of BigFix sales snagged first place for March's "Domino Effect" contest. His caption appears below.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Tower of Babble

If companies prioritize communications and make the DevOps process more transparent, team members will better know what vulnerabilities to look for.

Customer satisfaction is today's business battleground. The winners are the companies that deliver the best, highest-functioning software and applications in the shortest amount of time.

ChatGPT is the latest example of a winning app. In just a few months, the tool has reached 100 million users, making it the fastest-growing consumer application ever. Its success has also set off an artificial intelligence (AI) apps arms race, with competitors, including Google, emerging to grab market share as fast as possible. This race illustrates the ongoing struggle companies face to quickly develop high-performing software and applications that are also highly secure. This is a delicate balance in today's environment, where trading security for speed could lead to disastrous consequences.

**Security-Speed Balance**

One method that companies are embracing to strike this balance is implementing the "shift left." The shift left in this context refers to moving practices related to testing software as early in the development process as possible. By embracing the shift left, technology teams — specifically DevOps teams — can identify bugs, errors, and vulnerabilities early on and resolve them, resulting in high-performing, highly secure software, and applications.

Here are four steps DevOps teams can take to embrace the shift left, improve application performance, reduce vulnerabilities, and win the security battle.

**Step 1: Define the Security Strategy**

No army worth its salt heads into the field without a detailed map of the terrain, information on adversaries, and a hierarchy in place with responsibilities for every rank. The same should be true of any DevOps unit shifting left.

Companies should take the time to identify who will be in charge of what responsibilities, determine metrics for success, and formalize procedures. DevOps leaders should build appropriately staffed teams, implement processes that maximize security, and determine what kind of tests they will run and how often they will run them. Businesses should also identify and prepare for specific known vulnerabilities that could lead to issues.

Shifting left involves developing a new set of principles for software delivery and security; thus, planning and defining the strategy is very important.

**Step 2: Understand the Development Pipeline and Deployment Process**

As companies shift left, it's critical to have a thorough understanding of the software development pipeline and the deployment process.

This pipeline is the set of tools and processes in place to build and release software and applications. Once this analysis and understanding is complete, DevOps teams can begin carrying out tests in the build pipelines, checking code validity within development environments, and much more.

One solution that is helping DevOps teams map and understand their pipelines and embrace the shift left is observability. With observability, teams can help teams get a single-pane-of-glass view across applications, databases, and infrastructures that can be key to understanding application performance, user experience, and the overall environment required for modern application architecture. Some observability solutions even offer live code profiling that automatically sees potential user issues or performance bottlenecks before code is shipped.

**Step 3: Include Security Automation**

In enterprise technology, software teams have turned to automation to streamline testing for multiple reasons. First, manually testing software can introduce human error. Second, the shift left requires companies to test software as early and often as possible. And while these principles are meant to create more secure, better-performing products, this high volume of testing can also result in overloaded teams, requiring DevOps to manually evaluate every new feature the development team introduces.

To avoid this scenario, DevOps teams should use tools that automate running tests. Doing so will help reduce the stress placed on DevOps teams while also providing faster feedback related to any vulnerabilities that may be found in software code. Generally, automating tests in the development cycle allows organizations to increase the speed with which a product is completed while ensuring that fewer bugs or vulnerabilities are found later.

**Step 4: Build a Culture of Transparency**

While automation and modern technology can contribute significantly to an organization's success, a more human process and trait plays an equally important role — communication and transparency.

One of the key principles behind DevOps is narrowing the divide between development and production. Increasing communication and transparency across the product and software development life cycle can help narrow this divide. As it relates to the shift left, involving the appropriate team members as early as possible and during every step in the process is key to increasing transparency.

By prioritizing communication and adding transparency to the process wherever possible, team members will better understand how to test, what vulnerabilities to look for, and how to make software and applications more secure, better performing, and more resilient.

4 Steps for Shifting Left & Winning the Cybersecurity Battle

Launching CSPM, container workload security, and cloud vulnerability management to modernize cloud security operations.

**MOUNTAIN VIEW, Calif.--(****BUSINESS WIRE****)--** Elastic (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch, today announced expanded capabilities for Elastic Security including Cloud Security Posture Management (CSPM) for AWS, container workload security, and cloud vulnerability management. Building on the previously released Kubernetes security posture management (KSPM) and Cloud Workload Protection Platform (CWPP) capabilities, Elastic now delivers a comprehensive security analytics solution that includes complete Cloud Native Application Protection for AWS.

According to Gartner, more than 85% of organizations are moving to a cloud-first model and 95% of new digital workloads are being deployed on cloud-native platforms. However, 99% of cloud failures will be the customer’s fault due to mistakes like cloud misconfigurations. Research from Elastic Security Labs found that nearly 1 in 3 (33%) attacks in the cloud leverage credential access, indicating that users often overestimate the security of their cloud environments and fail to configure and protect them adequately.

“Many companies have a fragmented approach to cloud security, as security and devops teams pivot between multiple dashboards,” said **Ken Buckler, Research Analyst - Security and Risk Management, Enterprise Management Associates.** “Unified visibility across all cloud resources, as well as on-premises systems, is critical to quickly identify and stop security threats at scale, especially when attackers repeatedly cross boundaries between cloud and on-premise in attempts to evade detection. With Elastic Security, organizations can streamline their cloud security operations by establishing real-time, unified visibility across their environments in a single interface.”

Elastic’s comprehensive suite of cloud security capabilities includes:

*   **Cloud Workload Protection** (generally available) — Expands on existing runtime security for traditional endpoints, enabling cloud security teams to gain deep visibility into the entire runtime workload including standalone Linux workloads, virtual machines, and infrastructure hosted in AWS, Google Cloud, and Microsoft Azure.
*   **Container Workload Protection** (beta) — Provides cloud security teams deep visibility into container workloads in managed Kubernetes environments with pre-execution runtime analysis for workloads running in Amazon EKS, GKE, and AKS environments.
*   **Cloud Security Posture Management** (beta) — Enables cloud security teams to continuously detect and remediate misconfigurations across workloads in AWS and Amazon EKS in real-time with Center for Information Security (CIS) benchmark controls, out-of-the-box integrations, and posture management dashboards and reports.
*   **Cloud Vulnerability Management** (beta) — Uncovers cloud-native vulnerabilities in AWS EC2 workloads with minimal resource utilization on workloads and enumerating vulnerabilities with risk context to help cloud security teams identify and respond to potential risk.

“Elastic Security is a unified security solution offering SIEM, endpoint, and cloud security capabilities—rooted in data management and analytics—that enables customers to protect, investigate and respond to threats across their entire infrastructure,” said **Santosh Krishnan, General Manager of Elastic Security, Elastic**. “The expansion of Elastic Security’s comprehensive cloud security capabilities provides organizations with the power they need to modernize their cloud security operations, improve attack surface visibility, reduce vendor complexity, and accelerate remediation.”

For more information, read the blog.

Gartner Press Release, "Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences," November 10, 2021.

**About Elastic:**

Elastic (NYSE: ESTC) is a leading platform for search-powered solutions. We help organizations, their employees, and their customers accelerate the results that matter. With solutions in Enterprise Search, Observability, and Security, we enhance customer and employee search experiences, keep mission-critical applications running smoothly, and protect against cyber threats. Delivered wherever data lives, in one cloud, across multiple clouds, or on-premise, Elastic enables 19,900+ customers and more than half of the Fortune 500, to achieve new levels of success at scale and on a single platform. Learn more at elastic.co.

The release and timing of any features or functionality described in this document remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

_Elastic_ and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Elastic Expands Cloud Security Capabilities for AWS

The physical and cyber safety issues surrounding medical devices like IV pumps is finally being meaningfully addressed by a new policy taking effect this week.

The Food and Drug Administration (FDA) this week put into effect fresh guidance concerning the cybersecurity of medical devices — long a concerning area of risk for healthcare organizations and patients alike. The policy is one in a long line of attempts by the FDA to put some guardrails around the susceptibility of things like insulin pumps and heart monitors to hacking, and experts say that this time, the FDA's move might actually make a difference.

Effective immediately, medical device manufacturers are advised to submit "a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits."

Manufacturers are also asked to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure." This includes making patches available "on a reasonably justified regular cycle," and for newfound critical vulnerabilities, "as soon as possible out of cycle."

And finally, the FDA is asking that new devices come prepared with a software bill of materials (SBOM).

For some, FDA guidance may evoke memories of prior actions that failed to improve cybersecurity in this critical area in any real way. But experts say this long road has finally reached a real, genuine inflection point. Starting now, new medical devices that don't meet these standards will be blocked from the market.

"It's actually been a process that's taken place over approximately the last 10 years," says Cybellum CMO David Leichner. "And it came to fruition two days ago."

**Medical Devices in Cyber-Crisis**

Medical device security has been an alarmingly lagging area for cybersecurity for a very long time, and there's a laundry list of reasons why. Healthcare facilities often use legacy IT and have flat networks that aren't segmented, for instance — even as medical devices for patients are increasingly connected. And security by design isn't common.

"A medical device manufacturer may be very experienced in designing highly reliable and innovative devices, but they may not necessarily be security experts," explains Axel Wirth, chief security strategist at MedCrypt.

In fact, the most cutting-edge medical equipment sometimes introduces new security problems that the old stuff never had. Internet connectivity brings a slew of benefits to providers, but also opportunities for hackers. In the State of Healthcare IoT Device Security 2022 report, healthcare IoT firm Cynerio found that more than half of all connected medical devices are vulnerable, including, for example, nearly three out of every four IV pumps.

Thus, cybercriminals can easily break in and run rampant across a hospital network, reaching whatever endpoints they choose, including these life-saving devices. This could have potential physical consequences for patients if a device is vulnerable to takeover by an unauthorized user. The risk isn't theoretical: A September 2022 report by Proofpoint's Ponemon Institute linked a 20% increase in mortality rates to cyberattacks targeting healthcare organizations.

This is all exacerbated by the fact that when bugs are discovered, device manufacturers have a terrible track record of issuing patches in a timely manner (as is the case for most IoT gear), and healthcare settings have an even more terrible track record of implementing them.

"One reason \[for the insecurity\] is that these devices live longer," Wirth points out. Because they're designed to last a while — which is otherwise a positive thing — "they may be outdated or running outdated software, and any operational technology (OT) that is not necessarily up to date is more difficult to maintain. It's more difficult to deploy patches; it's more difficult to find time during hospital operations to update the device."

Considering the ubiquity of security failures in the industry, coupled with the massive consequences at stake in the event of a breach, many have urged the government to do more than offer "suggestions" for addressing the problems.

**The FDA's New Teeth**

On Dec. 29, President Biden signed into law the Consolidated Appropriations Act, also known as the Omnibus bill, which included Section 3305 — "Ensuring cybersecurity of medical devices" — an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect on Thursday, 90 days after the Omnibus' passing.

So what happens now? It takes time for manufacturers to change their processes and for new products to integrate new rules and regulations (to say nothing of how healthcare, in general, moves more slowly than other industries, by necessity). The FDA has arranged for a six-month window — until Oct. 1 — for manufacturers to get used to the new rules of the road.

From now until then, the FDA will "work collaboratively" with manufacturers to ensure compliance, the agency clarified in an accompanying notice. Once Oct. 1 hits, "FDA expects that sponsors of such cyber devices will have had sufficient time to prepare." At that point, they will begin issuing "refuse to accept" (RTA) decisions to prevent any devices that don't meet the stated standards from reaching the market.

"Manufacturers are asking: 'When does this hit us?,'" Naomi Schwartz, MedCrypt's senior director of cybersecurity quality and safety, explains. "And the FDA is clarifying: 'We're not going to start refusing to accept until October, so that you have time to update all of your documentation and relieve a little bit of pressure and fear. But no kidding, you guys better get your stuff ready in the next six months, because it's coming.'"

What remains to be seen is how the FDA will enforce its rules after a device is released to the public. Preventing a machine from reaching hospitals is one thing, but ensuring that vendors meet so many of the other requirements outlined in these guidelines — like regular monitoring, consistent patching, and responsible vulnerability disclosure — requires never-ending oversight.

"This is definitely going to increase the overhead of the FDA," Cybellum's Leichner figures. "It'll be interesting to see how they go about this."

**The Timeline for Real, Visible Change**

Even once manufacturers start turning out gear that's in compliance with the policy, an overhaul of healthcare device cybersecurity will take a while.

"Medical devices can be very pricey," Wirth points out, "and replacing medical devices in hospitals requires budget, requires training. Sometimes it requires even changes in building and infrastructure. So it'll take a number of years." Section 3305 assigns no deadline for healthcare providers to replace their existing legacy equipment.

Still, he says, "I think we are already seeing better secure devices arrive in the market," especially since the US isn't the only place to start demanding security hardening of the devices.

Even though the FDA's policy might take a while to bear real fruit (and it's too soon to know for certain), we may look back on 2023 as a watershed for the industry.

"This is going to help FDA staff, it's going to help the industry, it's going to motivate people to stop kicking the can down the road and start buckling down now," MedCrypt’s Schwartz concludes. "It's pretty cool."

Source

DARKReading