From updating employee education and implementing stronger authentication protocols to monitoring corporate accounts and adopting a zero-trust model, companies can better prepare defenses against chatbot-augmented attacks.

Over LinkedIn, Slack, Twitter, email, and text messages, people are sharing examples created using ChatGPT, the new artificial intelligence (AI) model from the team behind OpenAI.

Using ChatGPT, you can produce authentic-sounding dialogue that can be used for almost anything — from answering follow-up questions in an online chat dialogue to writing poetry. There are plenty of opportunities for enterprises to take advantage of the new chatbot technology, including helping with enterprise support and customer interactions. Its ability to quickly generate content, and, according to its developers, "answer follow-up questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests," opens many opportunities and some new challenges.

AI and machine learning (ML) is shifting quickly from niche solutions in corporate scenarios that have been high cost/high reward toward solutions to more expansive implementations that can solve a range of enterprise challenges, particularly those which focus on end users. Cybersecurity, for example, is now embracing AI-based approaches to provide greater protection with smaller security teams. One example highlights how organizations can use AI/ML to perform dynamic, risk-based checks when someone tries to access sensitive applications or data. This replaces older, policy-based approaches, which can take significant time and human interaction to develop and maintain the individual access policies. In a larger company, maintaining those policies could include hundreds or even thousands of applications and data repositories.

**Using AI for Greater Efficiency**

Interest in AI is continuing to explode as modern attacks require rapid detection and response to anomalous user behavior — something an AI model can be trained to quickly identify, but which takes significant human power to try and replicate manually. The goal of AI is to increase efficiency and trust while reducing friction and improving the user interface for typical users. Self-driving cars, for example, are designed to increase the safety and security of end users. In cybersecurity, specifically in the authentication of users (human and nonhuman), AI-based approaches are advancing rapidly, working with rule-based systems to improve the experience for end users.

In an increasingly digital world, attackers can already sidestep detection of binary identity authentication, including location, device, network, and other checks. Inevitably, cybercriminals will also look at the new opportunities ChatGPT opens up. AI tools that interact in a conversational way can be leveraged by cybercriminals to launch convincing phishing campaigns or account takeovers. In the past, it may have been easier to spot a phishing attack due to the poor grammar, unusual phrasing, or frequent spelling errors so common in phishing emails. That is quickly evolving with solutions like ChatGPT, which use natural language processing to create the initial message and then generate realistic responses to a target user's questions without any of those telltale markers.

**Rethink Security Approaches**

To prepare for chatbot-augmented attacks, organizations need to rethink security approaches to mitigate potential threats. Five measures they can take include:

1.  **Updating employee education** regarding the risks of phishing. Employees who understand how ChatGPT can be leveraged are likely to be more cautious about interacting with chatbots and other AI-supported solutions, and thereby avoid falling victim to these types of attacks.
2.  **Implementing strong authentication protocols** to make it more difficult for attackers to gain access to accounts. Attackers already know how to take advantage of users tired of reauthenticating through multifactor authentication (MFA) tools, so leveraging AI/ML to authenticate users through digital fingerprint matching and avoiding passwords altogether can help increase security while reducing MFA fatigue.
3.  **Adopting a zero-trust model.** By only granting access after verification and ensuring least-privileged access, security leaders can create an environment where even if an attacker leverages ChatGPT to get around unsuspecting users, the cybercriminals will still have to verify their identity and, even then, will only have access to limited resources. Limiting the access not only of developers but also leadership, including technical leadership, to the least access needed to perform their jobs effectively, may initially meet with resistance, but will make it harder for an attacker to leverage any unauthorized access for gain.
4.  **Monitoring activity** on corporate accounts and using tools, including spam filters, behavioral analysis, and keyword filtering, to identify and block malicious messages. Your employees cannot fall victim to a phishing attack, no matter how sophisticated the language is, if they never see the message. Quarantining malicious messages based on the behavior and relationship of the correspondents rather than specific keywords is more likely to block malicious actors.
5.  **Leveraging AI.** Cyberattacks are already leveraging AI, and ChatGPT is just one more way that they will use it to gain access to your organization's environments. Organizations must take advantage of the capabilities offered by AI/ML to improve cybersecurity and respond faster to threats and potential breaches.

Account takeover via social engineering, leveraging passwords from data breaches, and phishing attacks will become more frequent and more successful — despite our best defenses — given that ChatGPT can provide authentic-sounding responses to target inquiries. By updating and adopting these five approaches, organizations can help to reduce the risks to themselves and their employees when chatbots and other AI tools are used for malicious purposes.

ChatGPT Opens New Opportunities for Cybercriminals: 5 Ways for Organizations to Get Ready

Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape, and forcing industrial organizations to rethink their security.

The motive of financial and political gain — fueled partially by the ongoing conflict in Ukraine — has emboldened threat actors to barrage industrial control systems (ICS) with ever more disruptive cyberattacks, diversifying the threat landscape for critical infrastructure, new research shows.

This trend is expected to continue throughout 2023 with attackers arming themselves with new tactics and malware, forcing ICS operators to level up if they want to protect their networks, according to Nozomi Networks' "OT/IoT Security Report: A Deep Look Into the ICS Threat Landscape" for the second half of 2022, published Jan. 18.

It used to be that nation-state actors were the leading perpetrators of attacks against ICS, primarily using remote access Trojans (RATs) to drop malware payloads and gain remote access to networks, as well as mounting distributed denial-of-service (DDoS) attacks to cause "inconvenient" disruption, says Roya Gordon, security research evangelist at Nozomi Networks. "Historically, critical infrastructure disruptions were seen as a nation-state tactic," she says.

However, the now-infamous Colonial Pipeline attack in May 2021 marked a significant shift in this trend. In that incident, a ransomware attack that started with a stolen password caused panic and gas shortages across the eastern United States, and attackers realized how disruptive and potentially lucrative new attack vectors could be, she says.

"The Colonial Pipeline attack demonstrated how cybercriminals can leverage ransomware attacks on critical infrastructure — since they tend to depend heavily on real-time data, and have the means to meet ransom demands — for financial gain," Gordon notes.

Then with Russia's attack on Ukraine last February, attacks on ICS got political, with hacktivists, traditionally known for data breaches and DDoS attacks, wielding destructive wiper malware to disrupt transportation systems such as railroads and other critical infrastructure in the Ukraine for political gain, she says.

This marked a shift in not only who was attacking ICS, but how and for what motive they were launching these attacks, Gordon says. "All in all, this unprecedented level of activity across all fronts should cause us concern."

**Top ICS Cyberattack Trends**

The report identified top trends in the ICS threat landscape based on a compilation of information from various sources including open source media, CISA ICS-CERT advisories, and Nozomi Networks telemetry, as well as on exclusive IoT honeypots that Nozomi researchers employ for "a deeper insight into how adversaries are targeting OT and IoT, furthering the understanding of malicious botnets that attempt to access these systems," Gordon says.

What researchers observed over the last six months was a significant uptick in attacks that caused disruption to a number of industries, with transportation and healthcare being among the top new sectors finding themselves in the crosshairs of adversaries among more traditional targets.

Attackers are using various methods of initial entry to ICS networks, although some common weak security links that have historically plagued not just ICS but the entire enterprise IT sector — weak/cleartext passwords and weak encryption — continue to be the top access threats.

Still, “Root” and “admin” credentials are most often used as a way for threat actors to gain initial access and escalate privileges once in the network, the findings show. Other ways threat actors find their way in include brute-force attacks and DDoS attempts.

In terms of malware, RATs remain the most common malware detected against ICS, while DDoS malware and unusually high and still-rising IoT botnet activity continued to be the top threat for IoT devices on a network. The use of default credentials to hack IoT devices was the primary means of entry for IoT botnets, the researchers found.

Over the second half of last year, attacks on ICS spiked in July, October, and December, with more than 5,000 unique attacks in each of those months. Manufacturing and energy remained the most vulnerable industries, followed by water/wastewater, healthcare, and transportation systems.

Interestingly, despite the uptick in targeting Ukraine, the top attacker IP addresses observed in the second half of 2023 didn't come from Russia nor countries that side with Russia, the researchers found. Instead, the main IP addresses associated with ICS attacks were in China, the US, South Korea, and Taiwan, according to Nozomi's data.

**The Look Ahead**

Top among ICS/IoT threats to watch out for: adversaries will use hybrid threat tactics that don't follow what operators may have seen in the past, which means "it will become increasingly difficult to categorize types of threat actors based on TTPs and motives," according to the report.

Organizations in the healthcare sector — which saw a spike in attacks when COVID-19 hit that has continued even as the pandemic largely wanes — should be mindful to stay on top of medical-device updates, according to Nozomi. Threat actors will likely use exploits to access medical systems that aggregate device data, a manipulation that can have dire and even life-threatening consequences for patients, potentially leading to malfunctions, misreadings, or even overdoses in automatic release of medication.

Another new threat on the horizon is from AI-driven chatbots that attackers will use for malicious purposes, such as writing code or developing exploits for vulnerabilities. They also can use them to generate more accurate phishing/social engineering texts that can be used as entry access to ICS networks, the researchers said.

"All this could reduce the time it takes to develop targeted threat campaigns, thus increasing the frequency of cyberattacks," according to the report.

Though the news appears gloomy, securing ICS against oncoming threats can be as simple as practicing "basic cyber hygiene," employing typical IT security practices that any organization already should be using, Gordon says.

"While threat actors may have the capability to access OT and IoT directly, it's one of their long-standing strategies to first breach IT and pivot into OT," she says. "Therefore, taking steps to secure IT is key."

ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware

**NEW YORK****,** **Jan. 18, 2023** **/PRNewswire/ --** Abacus Group, the leading provider of hosted IT services and solutions to alternative investment firms, today announces that it has acquired two boutique cybersecurity consulting companies, Gotham Security and its parent company, GoVanguard, both of which have unparalleled track records of excellence in the cyber arena.

Gotham Security, as the new business will be known, will be a subsidiary of Abacus Group but continue to operate independently. The acquisition marks a milestone in Abacus Group's expansion from a security-focussed managed service provider (MSP) to a full-bodied managed security service provider (MSSP) with an extensive suite of industry-leading cybersecurity services and products.

The deal will see Gotham Security supercharge Abacus Group's existing services portfolio with a wide breadth of cybersecurity consulting expertise. Abacus Group will acquire a comprehensive set of information security capabilities to provide clients with real-world, actionable insight, including penetration testing, red teaming, tabletop exercises, risk and compliance gap assessments, and threat hunting services.

Complementing and aligning with Abacus Group's leading cybersecurity technology platform, Gotham Security's services will continue to be delivered by its team of industry trailblazers, comprised of cybersecurity leaders, researchers, educators, and creators. Gotham Security's dedicated leadership team will remain at the helm of the company, bringing their passion for elevated quality, insight, and cybersecurity awareness to both their own clients and customers of Abacus Group.  

Chris Grandi, CEO of Abacus Group, commented: "This acquisition is a natural next step in a long working relationship with Gotham Security, as the businesses have been valued resources to each other and our clients over the last decade. It's fantastic to now join forces and take further strides in our own expansion from MSP to MSSP. Abacus Group has always been committed to keeping our clients safe and secure, especially as the security and regulatory landscape continues to evolve in line with escalating cyber threats. Therefore, we are thrilled to be able to expand our cybersecurity capabilities and provide the full suite of services offered by Gotham Security to our customers and investors."

The synergy between Abacus Group's cybersecurity offerings and Gotham Security will result in a complete set of MSSP capabilities. Expanding further into the MSSP space will support Abacus Group in meeting the growing demand for comprehensive, expert-led cybersecurity insights at every level of an organization's technology stack, especially as security threats against businesses continue to increase and become ever more sophisticated.

Christian Scott, COO, CISO and Partner at Gotham Security, added: "This is a very exciting time for everyone at Gotham Security. Alongside the close, collaborative working relationship we've developed with Abacus Group over the years, our shared mission to provide a broader scope of high-quality cybersecurity and technology services to customers has been the key driving force behind our union under the same umbrella. We continue to take pride in the best-in-class security insight we provide to our customers, but we've also listened closely to their growing demand for integrated technology solutions that fulfil an entire spectrum of security needs and requirements. The complementary opportunities created by Abacus Group's robust technology solutions and Gotham Security's innovative cybersecurity services will provide greater value and more options than ever to our shared customer base."

Lowenstein Sandler LLP served as legal counsel to Abacus Group, while Szaferman, Lakind, Blumstein & Blader, PC. Served as legal counsel to GoVanguard and Gotham Security on the transaction.

**About Abacus Group**

Abacus Group is a leading provider of hosted IT solutions and services focused on helping alternative investment firms by providing an enterprise technology platform specifically designed for the unique needs of the financial services industry. The innovative and award-winning Abacus Cloud platform allows investment managers to source all technology needs as a service, offering the capacity to scale on demand to meet current and future cybersecurity, storage and compliance requirements. The company has offices in New York, NY; San Francisco, CA; Boston, MA; Dallas, TX; Greenwich, CT; Los Angeles, CA; Charlotte, NC; Miami, FL; and London, England. For more information, visit www.abacusgroupllc.com.

**About Gotham Security**

Gotham Security is a boutique cybersecurity firm founded in 2013 and based out of Manhattan, focused on providing high-quality penetration testing, malicious adversary simulation, threat intelligence services, and cybersecurity strategy services. Our team is comprised of elite white hat hackers, known as the go-to "cyber strike team." We are not just excellent at red teaming, more importantly, we know how to communicate cybersecurity threats in a practical way to organizations. We work with a growing number of Fortune 1000 companies across all major sectors of business, including multi-billion-dollar hedge funds, major insurance providers, international options trading exchanges, and more.

SOURCE Abacus Group LLC

Abacus Group Acquires Gotham Security and GoVanguard to Expand Cybersecurity Service Offerings

The integration provides crucial protection for businesses’ most vulnerable departments — help desks and customer support teams — preventing the most advanced threats sent by online users.

**(Tel Aviv, Israel – January 18, 2023) --** Perception Point, a leading provider of advanced threat protection across digital channels, today announced that it has launched _Advanced Threat Protection for Zendesk_, the champions of service-first CRM software, to provide unparalleled detection and remediation services for Zendesk customers. Perception Point customers can now protect Zendesk along with their email, web browsers and other cloud collaboration apps from a single, consolidated platform with the highest detection rates in the industry.

Helpdesk and customer support staff communicate regularly with people outside of the organization, making them especially vulnerable to external threats originating from malicious content within support tickets. Content uploaded externally can potentially be used as a vehicle for cyberattacks, allowing malicious payloads to enter an organization’s system.

Perception Point's _Advanced Threat Protection for Zendesk_, a multi-layered threat prevention platform, boosts Zendesk’s basic native security to protect customers from the most advanced malware and social engineering attacks. Easily deployed to protect all customer-facing personnel, Perception Point scans every single ticket attachment coming through Zendesk (including embedded URLs/files) in near real-time, using a combination of patented dynamic and static detection layers, based on threat intelligence, advanced algorithms and machine learning. Perception Point’s next-generation sandbox technology uniquely scans 100% of content, 40x faster than traditional technologies, to achieve unprecedented visibility into any type of attack, including advanced attacks like APTs and zero-days. Zendesk customers will be able to rapidly remediate any attack that slips through the cracks through the support of Perception Point’s free-of-charge 24/7 managed incident response service.

“The threat landscape is only becoming more complex, with threat actors initiating more advanced attacks across multiple attack vectors,” said Peleg Cabra, Product Marketing Manager, Perception Point. “Adding Zendesk integration to our Advanced Threat Protection platform allows Zendesk users to protect their organizations against malware and social engineering attacks that would otherwise avoid detection by traditional cyber defense mechanisms. The offering not only secures Zendesk’s support channels, but also reduces SOC team workloads through the support of Perception Point’s managed incident response service.”

_Advanced Threat Protection for Zendesk_ has already been successfully deployed by Agoda, an international hospitality company with over 7,000 employees worldwide, which uses Zendesk to process all customer requests. Over a three-month period, Perception Point’s solution scanned over 385,000 root files, scanned around 69,000 embedded files and URLs, identified and prevented 187 malicious events, and dynamically scanned all traffic at an average of 7.1 seconds, with 75% of content dynamically scanned in just three seconds.

“Perception Point has been instrumental in strengthening and fortifying both our organization and our Zendesk systems,” said Guy Fridman, Head of Security Operation and Response, Agoda. “Securing Zendesk is critical to the success of our customer relationships. Beyond future-proofing against potential threats, Perception Point also allows our SOC team to focus on other important security areas such as monitoring, testing, and analyzing our overall security posture. This combination of innovative technology and reliable client servicing has provided us with the confidence to operate with zero to little friction.”

Read more about the Zendesk case study with Agoda here.

Perception Point’s advanced threat protection solution is now available for Zendesk Support products. Read here for more information about protecting Zendesk.

**About Perception Point**

Perception Point is a Prevention-as-a-Service company for the fastest and most accurate next-generation detection and response to all attacks across email, cloud collaboration channels, and web browsers. The solution's natively integrated incident response service acts as a force multiplier to the SOC team, reducing management overhead, improving user experience and delivering continuous insights; providing proven best protection for all organizations.

Deployed in minutes, with no change to the enterprise’s infrastructure, the patented, cloud-native and easy-to-use service replaces cumbersome legacy systems to prevent phishing, BEC, spam, malware, Zero-days, ATO, and other advanced attacks well before they reach end-users. Fortune 500 enterprises and organizations across the globe are preventing content-borne attacks across their email and cloud collaboration channels with Perception Point.

To learn more about Perception Point, visit our website, or follow us on LinkedIn, Facebook, and Twitter.

Perception Point Launches Advanced Threat Protection and Rapid Remediation for Zendesk Customers

**WESTMINSTER, Colo.****,** **Jan. 18, 2023** **/PRNewswire/ --** In partnership with the world-class Dark Reading research team, global cybersecurity pioneer Coalfire today unveiled its second annual State of CISO Influence report, which explores the expanding influence of Chief Information Security Officers (CISOs) and other security leaders.

The report revealed that the CISO role is maturing quickly, and the position is experiencing more equity in the boardroom. In the last year alone, there was a 10-point uptick in CISOs doing monthly reporting to the board. These positive outcomes likely stem from the increasingly metrics-driven reporting CISOs provide, where data is more effectively leveraged to connect security outcomes to business objectives.

An especially promising development in this year's report is how security teams are being looped into corporate projects. Of the security leaders surveyed, 78% say they are consulted early in project development when business objectives are first identified, and two-thirds are now making presentations to the highest levels of enterprise authority. 56% of CISOs present security metrics to their CEOs, up from 43% in 2021.

Cloud migration was universally identified as one of those top business objectives. The move to the cloud saddles CISOs with many challenges. The top priorities listed by CISOs include dealing with an expanding attack surface, staffing, and new compliance requirements — all within constrained budgets. In fact, 43% of security leaders said their budgets remained static or were reduced following business migration to the cloud. 

Given these challenges, leading CISOs are transforming their approaches. To address multiple cloud compliance requirements, security leaders are focusing on the most onerous set of rules and creating separate environments for different requirements. Risk assessments were identified as the key tool used to secure funding for these and other cyber initiatives and to set top priorities.

"Costs and risks are up, while at the same time, cyber budgets are trending flat or down," said Coalfire CEO Tom McAndrew. "Cybersecurity has historically been lower in priority for organizations, but we are witnessing a big shift in enterprise cyber expectations. CISOs are rising to meet those expectations, speaking to the business, and as a result, solidifying their role in the C-suite."

The report provides seasoned and aspiring security leaders with the most effective strategies to increase C-level influence, build brand trust, and implement cloud migration best practices. Respondents comprised 137 C-level security and IT professionals in North America across major industry sectors.

To see the full findings, visit: State of CISO Influence report

**About Coalfire**

The world's leading organizations – including the top five cloud service providers and leaders in financial services, healthcare, and retail – trust Coalfire to elevate their cyber programs and secure the future of their business. Number one in compliance, FedRAMP®, and cloud penetration testing, Coalfire is the world's largest firm dedicated to cybersecurity, providing unparalleled technology-enabled professional and managed services. To learn more, visit Coalfire.com.

New Coalfire Report Reveals CISOs Rising Influence

People are working harder than ever, but they're not happy about it — and the insider threat is all too real.

Quiet quitting, as the media reports it, is a myth.

On the heels of the Great Resignation that plagued companies during the COVID-19 pandemic, businesses started to fear the notion of quiet quitting, an idea that went viral after Zaid Khan, a 24-year-old engineer from New York, posted a video on TikTok in July. The video, which has drawn about a half-million likes (and endless media attention), was an argument for reassessing work-life balance in a post-COVID world — by doing your job but resisting the "hustle-culture mentality" to regularly go above and beyond. Since its posting, people have latched on to the twisted notion of workers doing as little as possible, essentially causing work slowdowns without leaving their jobs.

That is nonsense. In reality, people are working harder than ever, and they are not happy about it — and that might be bad for business. A dissatisfied workforce increases the potential for insider threats, either through sabotage or exfiltrating corporate IP.

**The Myth of Quiet Quitting**

Let's get this out of the way. Quiet quitting, as the media report it, is a fabrication. Productivity is up. With economic uncertainty looming around every corner of the tech world, people aren't quitting, quietly or otherwise. Most people cannot afford to be perceived as not working hard. But that doesn't mean they are happy in their work life. A recent Gallup survey of 15,001 workers found that 55% were "struggling" in the poll's Life Evaluation Index, and only 24% said their organizations cared about their overall well-being — a steep drop-off from 49% in May 2020.

Employee discontent comes from two opposite extremes:

*   Marginal employees, fearful of a looming recession, are keeping their heads down and noses to the grindstone. But, concerned about their futures, they may be exfiltrating corporate data for their own benefit.
*   In the other camp, star employees, having realized that if they can work from home, they can work from anywhere, are becoming more demanding. The belief that their employer is not doing enough for them can lead to disillusionment with an organization, resulting in those "star employees" doing things that are harmful to the corporation.

Employees in both camps may be thinking of their next job while working in their current position. Employees who are looking for exit signs often wonder what they need to take with them when they walk out the door, either in a forced march or fleeing for theoretically greener pastures. And sometimes, they leave behind ticking time bombs.

**You Can Take It With You**

About 50% of all employees exfiltrate IP that will be helpful for their next job. Most of the data they take is from projects they have worked on, but 12% of what they take does not relate to their jobs — including information such as SharePoint directories, company lists, and contract terms.

The latter cases might involve information that was shared companywide and could prove useful to an employee in their next job. Some of the illicit information can be obtained through the corporate network, while some can only be gathered through social engineering by asking a colleague to pass along some content that the requester cannot access.

**Sabotage From the Inside**

As the pace of layoffs increases, some employees may turn from contented to disgruntled and look to strike back via corporate sabotage. This can take the form of sabotaging an organization's internal infrastructure or stealing company secrets and selling them to the highest bidder. In either case, it can happen whether the employee is staying in place or heading for the exit.

HR teams need to provide notices of layoffs to IT workers, and if employees stay in place while looking for new positions, the security team needs to find a way to cut off the employees' ability to damage the company internally or exfiltrate sensitive data.

**How Data Is Extracted**

The use of unsanctioned applications, especially by employees working from home and mixing work and personal tools, provides an avenue for employees to exfiltrate data. Companies may block unauthorized IM apps, but external email programs and third-party browsers often go unnoticed.

An employee could, for example, copy company data, save it as an email draft, and retrieve it later via a personal device. A third-party browser may also use Tor encryption, which can make it fairly easy to exfiltrate data by circumventing security controls.

**HR and IT Need to Work Together**

Quiet quitting is a myth. Employee productivity is flat or even up. The segue from working in an office to remote work has dislodged employee loyalty. It also has made it somewhat easier for employees to take information with them when they decide to look for better working conditions or are asked to leave. Until recently, it was always the IT team warning HR about security risks. In this current economic climate, it's the other way around, with HR needing to inform IT about the risks stemming from the inside.

HR and IT need to take certain steps together, such as blocking shadow IT, to prevent data from being surreptitiously moved. This will help ensure that departing employees, as well as those who remain, aren't taking any information that could later harm or even cripple the company. HR taking the lead here is a new paradigm, but so is almost everything else in this post-pandemic world.

Cybersecurity and the Myth of Quiet Quitting

Range of Addressable Concerns Includes "Brute Forcing Accounts with Weak Passwords" and "Excessive File System Permissions."

**DENVER****,** **Jan. 18, 2023** **/PRNewswire/ --** Lares, a leader in global security assessment, testing, and coaching, today released new research highlighting the five most common penetration testing findings encountered by the firm's consultants over hundreds of client engagements in 2022.

Lares typically finds numerous vulnerabilities and attack vectors when conducting penetration tests or red team engagements for clients, regardless of the organization's size or maturity. However, the research team at Lares was surprised by how many times the same five findings kept turning up during their penetration tests and red team engagements in early 2022.

"As we wrapped up 2022, our surprise gave way to expectation, and we found ourselves genuinely surprised if one, or all, of the top five issues were not found on any given engagement," said Andrew Hay, Chief Operating Officer of Lares. "Every single vulnerability described in our latest research paper can be avoided or eliminated through better cybersecurity hygiene practices."

The Lares research team emphasized that these Top 5 findings were not the most severe threats for clients, but rather, the ones they most frequently encountered during engagements over the past year. Key takeaways describing each category include:

**Brute Forcing Accounts with Weak and Guessable Passwords:** Organizations that have not implemented multifactor authentication (MFA) should be aware that adversaries may target accounts where users have selected weak or guessable passwords to gain access to systems, services, and network resources. If authentication failures are high, there may be a brute-force attempt to gain access to a system using legitimate credentials.

**Kerberroasting:** Kerberos Service Principal Names (SPNs) uniquely identify each instance of a Windows service configured to accept Kerberos Tickets for authentication. Adversaries possessing a valid Kerberos Ticket-Granting Ticket (TGT) may request one or more Kerberos Ticket-Granting Server (TGS) Service Tickets for any service with an SPN configured from a Key Distribution Server – typically the Domain Controller (DC) in Windows Active Directory. This Service Ticket is then brute-forced offline to recover the plain-text credentials of the account.

**Excessive File System Permissions:** Improperly set permissions on the binary or directory in which it resides may allow attackers to replace the legitimate binary with a file of their choosing. Adversaries may use this technique to replace legitimate pre-existing binaries or dynamic-link libraries (DLLs) with malicious ones to execute subversive or potentially disruptive code with a much higher permission level than their current user permissions.

**WannaCry/EternalBlue:** Remote code execution vulnerabilities exist in the Microsoft Server Message Block 1.0 (SMBv1) server that handles certain requests. An attacker who successfully exploits the vulnerabilities could gain the ability to execute code on the target server. The EternalBlue and EternalRomance exploits were leaked by "The Shadow Brokers" group in 2017. The EternalBlue exploit was also leveraged by WannaCry ransomware to compromise Windows machines, load malware, and propagate to other machines in a network.

**WMI (Windows Management Instrumentation) Lateral Movement:** Lateral movement is a critical phase in any attack targeting more than a single computer. It is not a vulnerability, but a technique employed by attackers to interact with or gain access to a system other than the current system upon which they are operating. The WMI allows for a structured approach to communicating with a remote computer and exposes system monitoring and configuration capabilities to a remote machine. An adversary can use this native functionality to execute malicious code, modify system settings such as adding a user or password or disabling security tools before performing other activities.

The Lares Top 5 Penetration Test Findings in 2022 research paper is available for download here: https://www.lares.com/lares-top-5-penetration-test-findings-report/.

Lares has scheduled a webinar on Thursday, January 26, at 10 a.m. (PT)/1 p.m. (ET), to discuss these white paper findings in greater detail. To sign up or get more information about the webinar, please click here: https://attendee.gotowebinar.com/register/4185409087390473815.

**About Lares, LLC**

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008. For more information, visit lares.com, contact us at (720) 600-0329, or follow Lares on Twitter @Lares\_.

Lares Research Highlights Top 5 Penetration Test Findings From 2022

With Actions Integrations, Okta is expanding its no-code offerings to help administrators manage and customize their identity workflow.

Every organization has its own set of identity requirements, which means very few identity platforms have everything right out of the box. Administrators have to customize the identity workflow to address their security, privacy, compliance needs while balancing ease-of-use. For many organizations, that means developers are writing custom code to secure and manage identity workflows.

Okta has introduced Actions Integrations, easily integrated third-party components that extend Okta Customer Identity Cloud with new features and capabilities. These components make third-party connections directly, without having to write any code, Okta said.

Actions Integrations "solve common identity needs that aren’t addressed out of the box by Okta Customer Identity Cloud," Okta said in a blog post announcing the general availability of Actions Integrations. This way, developers can focus on the core product features and less on building out code to manage authentication and identity.

The Marketplace already has a number of security- and privacy-focused components – such as for identity proofing (to verify the end user's identity), consent management (capture and tract consent through the customer lifecycle), and data collection (directly from users). Even as Okta provides more no-code options, it will continue to support developers and partners who want to build their own integrations.

"The Auth0 Marketplace hosts all available integrations where developers can find the pieces that are missing from their identity flow," Okta said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Okta Expands No-Code Offerings for Identity Cloud

A rapid increase in the number of operators in the space — the "locksmiths" of the cyber underground — has made it substantially cheaper for cybercriminals to buy access to target networks.

Names such as Novelli, orangecake, Pirat-Networks, SubComandanteVPN, and zirochka are unlikely to mean anything to a vast majority of enterprise security teams. But for ransomware operators and other cybercriminals looking for quick access to enterprise networks, these were _the_ brokers to approach for a major portion of last year.

Between them, the five entities accounted for some 25% of all access offers to enterprise networks that were available for sale on underground forums between the second half of 2021 and the first half of 2022. For an average price of around $2,800, these so-called initial access brokers (IABs) sold stolen VPN and remote desktop protocol (RDP) account details and other credentials that criminals could use to break into the networks of more than 2,300 organizations around the world, without breaking a sweat.

**A Vast & Growing Marketplace**

The five operators were the leaders in a much bigger and fast-growing market of hundreds of other similar IABs that security firm Group-IB discovered when conducting research for its 11th annual report on high-tech crime, released this week.

The company's research showed a sharp year-over-year growth in the number of IABs operating in underground forums and markets — from 262 in the immediately preceding 12-month period to 380 in the period between the second half of 2021 and the first half of 2022. Some 327 of the IABs that Group-IB observed operating during that period were new entries in the space.

Group-IB researchers also uncovered a 41% increase in the number of countries to which compromised entities belonged — from 68 a year earlier to 96 over the period of its study. Nearly a quarter — 24% — of all initial access offers involved the networks of US-based organizations. Other countries with a relatively high number of victims included Brazil, Canada, France, and the UK.

"As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023," warned Dmitry Volkov, CEO of Group-IB, in a statement accompanying the new report.

"Initial access brokers play the role of oil producers for the whole underground economy," he noted. "They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries."

**"Opportunistic Locksmiths of the Security World"**

The value proposition of IABs in the cybercrime economy is that they give other cybercriminals a way to gain an easy foothold on a target network without their having to do any legwork upfront. IABs do the technical work of breaking into a network and stealing credentials — such as those associated with VPNs, RDP services, Active Directory, and remote management panels — that provide subsequent access to it. Often, they can drop Web shells on a compromised network to ensure persistent future access to it and then sell the Web shells. In a report last year, researchers from Google's Threat Analysis Group described IABs as the "opportunistic locksmiths of the security world" who specialize in breaching a target and offering access to it to the highest bidder.

**Fueling the Ransomware Economy**

IABs offer their wares to anyone willing to purchase them, and the market for their services has grown rapidly over the past two years or so. But their biggest customers of late have been ransomware operators. 

A new study by threat intelligence firm KELA showed that several major ransomware attacks involving groups such as Hive, Sodinokibi, BlackByte, and Quantum started with network access from an IAB. In one instance, members of the Conti ransomware group joined an IAB to target organizations in Ukraine. 

"The most notable incident was related to the attack on Medibank, an Australian insurance provider, which was attacked after network access to the company was sold on a private Telegram channel," KELA said.

Group-IB's researchers found that 70% of the access types that IABs offered were RDP and VPN account details. Many of the offers — 47% — involved access with administrator rights on the compromised network. Twenty-eight percent of advertisements in which rights were specified involved domain administration rights, 23% had standard use rights, and a small fraction provided root account access. 

Group-IB researchers also found IAB advertisements for access to Citrix environments, multiple Web panels for CMS and cloud servers, and Web shells on compromised systems. In some instances, IABs even offered to launch lateral-movement payloads such as Cobalt Strike Beacon or Metasploit sessions on behalf of the buyer. But offers for these credentials and services tended to be less common than those involving RDP and VPN credentials.

Organizations for which access offers were most commonly available in underground forums and marketplaces included manufacturing companies, financial services firms, real estate organizations, education, and information technology firms.

Group-IB found that the sharp increase in the number of entities operating in the IAB space during the period of its study had pushed prices down for most categories of initial access. 

The average price of $2,800 that the company observed was, in fact, less than half of the $6,500 that IABs used to charge on average for the same access a year previously.

Initial Access Broker Market Booms, Posing Growing Threat to Enterprises

Companies are being urged to update 0Auth, runner, and project API tokens, along with other secrets stashed with CircleCI.

The recently disclosed security incident at CicleCI has put customers in a pinch to update any secrets stowed inside their systems.

Customers of the the CI/CD DevOps platform need to update their protected data — ranging from tokens and keys of all sorts — stat, the company said in its Jan. 4 announcement and regular, subsequent updates.

However, the company assured its users it is still safe to build applications with CircleCI.

Besides sharing tools to help teams track down all of the potentially impacted secrets, CircleCI announced it is also working with AWS to notify those to have possible breached tokens. The company proactively updated GitHub and Bitbucket 0Auth tokens as well, CircleCI said. reported.

CircleCI also warned customers of a credential harvesting scam circulating, trying to get victims to enter their GitHub logins with a bogus Terms of Service update.

**CircleCI Security Incident Fallout**

Following the notification of the CircleCI security incident, researchers at Datadog discovered that a RPM GNU Privacy Guard (GPG) private signing key and its password were also vulnerable. Although the Datadog team found no evidence of exploitation, they have updated their RPM keys. The team also recommended key updates for those operating an RPM-based Linux distribution in which the system trusts the affected GPG key.

"The signing key, if actually leaked, could be used to construct an RPM package that looks like it's from Datadog, but it would not be enough to place such a package in our official package repositories," the alert from Datadog explained. "A hypothetical attacker with the affected key would need to be able upload the constructed RPM package to a repository used by the system."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading