Analyzing and learning from incidents is the ideal path to finding more insightful data and metrics, according to the VOID report.

Security teams have traditionally used _mean time to repair_ (MTTR) as a way to measure how effectively they are handling security incidents. However, variations in incident severity, team agility, and system complexity may make that security metric less useful, says Courtney Nash, lead research analyst at Verica and main author of the Open Incident Database (VOID) report.

MTTR originated in manufacturing organizations and was a measure of the average time required to repair a failed physical component or device. These devices had simpler, predictable operations with wear and tear that lent themselves to reasonably standard and consistent estimates of MTTR. Over time the use of MTTR has expanded to software systems, and software companies began using it as an indicator of system reliability and team agility or effectiveness.

Unfortunately, Nash says, its variability means that MTTR could either lead to false confidence or cause unnecessary concern.

"It's not an appropriate metric for complex software systems, in part because of the skewed distribution of duration data and because failures in such systems don't arrive uniformly over time," Nash says. "Each failure is inherently different, unlike issues with physical manufacturing devices."

**Moving Away From MTTR**

"\[MTTR\] tells us little about what an incident is really like for the organization, which can vary wildly in terms of the number of people and teams involved, the level of stress, what is needed technically and organizationally to fix it, and what the team learned as a result," Nash says.

MTTR falls victim to the oversimplification of incidents because it is calculating an average — the average time, says Nora Jones, CEO and co-founder of Jeli. Simply measuring this single average of reported times (and those reported times have also been proven to not be reliable in the first place) inhibits organizations from seeing and addressing what's going on within the infrastructure, what's contributing to that recurring incident, and how people are responding to incidents.

"Incidents come in all shapes and size — you'll see them span the complete range in severity, impact to customers, and resolution complexity all within one organization," Jones explains. "You really have to look at the people and tools together and take a qualitative approach to incident analysis."

However, Nash says moving away from MTTR isn't an overnight shift — it's not as simple as just swapping one metric for another.

"At the end of the day, it's being honest about the contributing factors, and the role that people play in coming up with solutions," she says. "It sounds simple, but it takes time, and these are the concrete activities that will build better metrics."

**Broadening the Use of Metrics**

Nash says analyzing and learning from incidents is the ideal path to finding more insightful data and metrics. A team can collect things like the number of people involved hands-on in an incident; how many unique teams were involved; which tools people used; how many chat channels there were; and if there were concurrent incidents.

As an organization gets better at conducting incident reviews and learning from them, it will start to see traction in things like the number of people attending post-incident review meetings, increased reading and sharing of post-incident reports, and using those reports in things like code reviews, training, and onboarding.

David Severski, senior security data scientist at the Cyentia Institute, says when working on the Verizon DBIR, Cyentia created and released the Vocabulary for Event Reporting and Incident Sharing to expand the types of metrics used to measure an incident.

"It defines data points we think are important to collect on security incidents," he says. "We still use this basic template in Cyentia research with some updates, for example identifying ATT&CK TTPs utilized."

The metrics for measuring an incident is not a one-size-fits-all across organization sizes and types. "Teams understand where they are today, assess where their priorities are within their current constraints, and understand their focus metrics might even evolve over time as their organization develops and scales," Jones says.

Additionally, it's about shifting focus to learnings, and then continuously improving based on those learnings, for example shifting to assessing trends and if things are trending in the right direction over time, as opposed to single-point-in-time metrics.

Why Mean Time to Repair Is Not Always A Useful Security Metric

Password manager accounts may have, ironically, been compromised via simple credential stuffing, thanks to password reuse.

Norton LifeLock customers have fallen victim to a credential-stuffing attack. Cyberattackers used a third-party list of stolen username and password combinations to attempt to break into Norton accounts, and possibly password managers, the company is warning.

Gen Digital, owner of the LifeLock brand, is sending data-breach notifications to customers, noting that it picked up on the activity on Dec. 12, when its IDS systems flagged "an unusually high number of failed logins" on Norton accounts. After a 10-day investigation, it turns out that the activity stretched back to Dec. 1, the company said.

While Gen Digital didn't say how many of the accounts were compromised, it did caution customers that the attackers were able to access names, phone numbers, and mailing addresses from any Norton accounts where they were successful.

And it added, "we cannot rule out that the unauthorized third party also obtained details stored \[in the Norton Password Manager\], especially if your Password Manager key is identical or very similar to your Norton account password." 

Those "details," of course, are the strong passwords generated for any online services the victim uses, including corporate logins, online banking, tax filing, messaging apps, e-commerce sites, and more.

**Password Reuse Subverts Password Management**

In credential-stuffing attacks, threat actors use a list of logins obtained from another source — buying cracked account info on the Dark Web, for instance — to try against new accounts, hoping that users have reused their email addresses and passwords across multiple services.

As such, the irony of the Norton incident is not lost on Roger Grimes, data-driven defense evangelist at KnowBe4.

"If I understand the reported facts, the irony is that the victimized users would have probably been protected if they had used their involved password manager to create strong passwords on their Norton logon account," he said via email. "Password managers create strong, perfectly random passwords that are essentially unguessable and uncrackable. The attack here seems to be that users self-created and used weak passwords to protect their Norton logon account that also protected their Norton password manager."

Attackers lately have focused identity and access management systems as a target, given that one compromise can unlock a veritable treasure trove of data across high-value accounts for attackers, not to mention a bevy of enterprise pivot points for moving deeper into networks.

LastPass, for instance, was targeted in August 2022 via an impersonation attack, in which cyberattackers were able to breach its development environment to make off with source code and customer data. Last month, the company suffered a follow-on attack on a cloud storage bucket that it uses.

And last March, Okta revealed that cyberattackers had used a third-party customer support engineer's system to gain access to an Okta back-end administrative panel for managing customers — among other things. About 366 customers were impacted, with two actual data breaches occurring.

Norton LifeLock Warns on Password Manager Account Compromises

The bargain T95 Android TV device was delivered with preinstalled malware, adding to a trend of Droid devices coming out-of-the-box tainted.

At $39.99 with a $3 coupon option for Amazon Prime members, the T95 Android 10.0 TV box might seem like a good value. But when an unsuspecting but cybersecurity-savvy customer ordered one up, he said it came "festooned" with malware — no extra charge.

Daniel Milisic warned consumers in Reddit and GitHub posts that he just happened to have bought the box to run Pi-hole tracker blocking — and that he immediately made a startling discovery. His first clue something was funky with the device's security was that it was signed with Android 10 test keys.

"If test keys weren't enough of a bad omen, I also found ADB wide open over the Ethernet port — right out of the box," Milisic added.

Then he let Pi-hole go to work.

"After running the Pi-hole install I set the box's DNS1 and DNS2 to 127.0.0.1 and got a hell of a surprise,” Milisic wrote. “The box was reaching out to many known, active malware addresses.”

Milisic explained he discovered traffic-monitoring malware, and an additional type of malware he said operates similarly to Android mobile malware CopyCat, but he wasn't able to identify it as a known variant. 

To boot, the malicious code is unremovable: Ultimately, Milisic was unable to strip the malware from the device, so it's currently unplugged, he said.

**Preinstalled Malware Isn't New**

Hardware being sold with preinstalled and often unremovable malware is an ongoing issue for consumers. Researchers at Check Point, for instance, warned consumers back in 2017 that a telecom company was distributing more than 36 different Android devices preloaded with adware.

In 2018 Chinese PC maker Lenovo was ordered to pay millions in a class-action lawsuit over its laptops coming with preinstalled adware, in the well-publicized "Superfish" incident. More recently, in April 2022, security researchers with ESET reported they had found and disclosed firmware-level vulnerabilities in millions of Lenovo consumer laptops that could allow attackers to escalate device privileges and drop malware undetected.

And in July 2020, researchers at Malwarebytes raised the alarm that government-funded Android phones for low-income households came out of the box with preinstalled Chinese malware that was deemed incapable of being removed.

The trend indicates that security teams and end users alike should source their devices using a bit of extra caution, from phones to laptops to TV boxes and more. 

"The main take-away here: Don't trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys," Milisic warned. "They are stealing your data and (unless you can watch DNS logs) do so without a trace!"

Malware Comes Standard With This Android TV Box on Amazon

Rhadamanthys spreads through Google Ads that redirect to bogus download sites for popular workforce software — as well as through more typical malicious emails.

A sneaky new info stealer is sliding onto user machines via website redirects from Google Ads that pose as download sites for popular remote-workforce software, such as Zoom and AnyDesk.

Threat actors behind the new malware strain, "Rhadamanthys Stealer" — available for purchase on the Dark Web under a malware-as-a-service model — are using two delivery methods to propagate their payload, researchers from Cyble revealed in a blog post published Jan. 12.

One is through carefully crafted phishing sites that impersonate download sites not only for Zoom but also AnyDesk, Notepad++, and Bluestacks. The other is through more typical phishing emails that deliver the malware as a malicious attachment, the researchers said.

Both delivery methods pose a threat to the enterprise, as phishing combined with human gullibility on the part of unsuspecting corporate workers continues to be a successful way for threat actors "to gain unauthorized access to corporate networks, which has become a serious concern," they said.

Indeed, an annual survey by Verizon on data breaches found that in 2021, about 82% of all breaches involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

**"Highly Convincing" Scam**

Researchers detected a number of phishing domains that the threat actors created to spread Rhadamanthys, most of which appear to be legitimate installer links for the various aforementioned software brands. Some of the malicious links they identified include: _bluestacks-install\[.\]com, zoomus-install\[.\]com, install-zoom\[.\]com, install-anydesk\[.\]com, and zoom-meetings-install\[.\]com_.

"The threat actors behind this campaign … created a highly convincing phishing webpage impersonating legitimate websites to trick users into downloading the stealer malware, which carries out malicious activities," they wrote.

If users take the bait, the websites will download an installer file disguised as a legitimate installer to download the respective applications, silently installing the stealer in the background without the user knowing, the researchers said.

In the more traditional email aspect of the campaign, attackers use spam that leverage the typical social engineering tool of portraying an urgency to respond to a message with a financial theme. The emails purport to be sending account statements to recipients with a Statement.pdf attached that they are advised to click on so they can reply with an "immediate response."

If someone clicks on the attachment, it displays a message indicating that it's an "Adobe Acrobat DC Updater" and includes a download link labelled "Download Update." That link, once clicked on, downloads a malware executable for the stealer from the URL _"https\[:\]\\\\zolotayavitrina\[.\]com/Jan-statement\[.\]exe"_ into the victim machine's Downloads folder, the researchers said.

Once this file is executed, the stealer is deployed to lift sensitive data such as browser history and various account log-in credentials — including specific technology to target crypto-wallet — from the target's computer, they said.

**The Rhadamanthys Payload**

Rhadamanthys acts more or less like a typical info stealer; however, it does have some unique features that researchers identified as they observed its execution on a victim's machine.

Though its initial installation files are in obfuscated Python code, the eventual payload is decoded as a shellcode in the form of a 32-bit executable file compiled with Microsoft visual C/C++ compiler, the researchers found.

The shellcode's first order of business is to create a mutex object aimed at ensuring that only one copy of the malware is running on the victim's system at any given time. It also checks to see if it's running on a virtual machine, ostensibly to prevent the stealer from being detected and analyzed in a virtual environment, the researchers said.

"If the malware detects that it is running in a controlled environment, it will terminate its execution," they wrote. "Otherwise, it will continue and perform the stealer activity as intended."

That activity includes collecting system information — such as computer name, username, OS version, and other machine details — by executing a series of Windows Management Instrumentation (WMI) queries. That's followed up by a query of the directories of the installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software, and others — on the victim’s machine to search for and steal browser history, bookmarks, cookies, auto-fills, and login credentials.

The stealer also has a specific mandate to target various crypto wallets, with specific targets such as Armory, Binance, Bitcoin, ByteCoin, WalletWasabi, Zap, and others. It also steals data from various crypto-wallet browser extensions, which are hardcoded in the stealer binary, the researchers said.

Other applications targeted by Rhadamanthys are: FTP clients, email clients, file managers, password managers, VPN services, and messaging apps. The stealer also captures screenshots of the victim’s machine. The malware eventually sends all the stolen data to the attackers' command-and-control (C2) server, the researchers said.

**Dangers to the Enterprise**

Since the pandemic, the corporate workforce has become overall more geographically dispersed, posing unique security challenges. Software tools that make it easier for remote workers to collaborate — like Zoom and AnyDesk — have become popular targets not only for app-specific threats, but also for social engineering campaigns by attackers that want to capitalize on these challenges.

And while most corporate workers by now should know better, phishing remains a highly successful way for attackers to gain a foothold in an enterprise network, the researchers said. Because of this, Cybel researchers recommend that all enterprises use security products to detect phishing emails and websites across their network. These should also be extended to mobile devices accessing corporate networks, they said.

Enterprises should educate employees on the dangers of opening email attachments from untrusted sources, as well as downloading pirated software from the Internet, the researchers said. They should also reinforce the importance of using strong passwords and enforce multifactor authentication wherever possible.  

Finally, Cyble researchers advised that as a general rule of thumb, enterprises should block URLs — such as Torrent/Warez sites — that can be used to spread malware.

Sneaky New Stealer Woos Corporate Workers Through Fake Zoom Downloads

High-profile software provider compromises in the past few months show that threat actors are actively targeting the services underpinning corporate infrastructure. Here's what to do about it.

In early January, development-pipeline service provider CircleCI warned users of a security breach, urging companies to immediately change the passwords, SSH keys, and other secrets stored on or managed by the platform.

The attack on the DevOps service left the company scrambling to determine the scope of the breach, limit attackers' ability to modify software projects, and determine which development secrets had been compromised. In the intervening days, the company rotated authentication tokens, changed configuration variables, worked with other providers to expire keys, and continued investigating the incident.

"At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well," the company stated in an advisory last week.

The CircleCI compromise is the latest incident that underscores attackers' increasing focus on fundamental enterprise services. Identity services, such as Okta and LastPass, have disclosed compromises of their systems in the past year, while developer-focused services, such as Slack and GitHub, hastened to respond to successful attacks on their source code and infrastructure as well.

The glut of attacks on core enterprise tools highlights the fact that companies should expect these types of providers to become regular targets in the future, says Lori MacVittie, a distinguished engineer and evangelist at cloud security firm F5.

"As we rely more on services and software to automate everything from the development build to testing to deployment, these services become an attractive attack surface," she says. "We don't think of them as applications that attackers will focus on, but they are."

**Identity & Developer Services Under Cyberattack**

Attackers lately have focused on two major categories of services: identity and access management systems, and developer and application infrastructure. Both types of services underpin critical aspects of enterprise infrastructure.

Identity is the glue that connects every part of an organization as well as connecting that organization to partners and customers, says Ben Smith, field CTO at NetWitness, a detection and response firm.

"It doesn't matter what product, what platform, you are leveraging ... adversaries have recognized that the only thing better than an organization that specializes in authentication is an organization that specializes on authentication for other customers," he says.

Developer services and tools, meanwhile, have become another oft-attacked enterprise service. In September, a threat actor gained access to the Slack channel for the developers at Rockstar Games, for instance, downloading videos, screenshots, and code from the upcoming Grand Theft Auto 6 game. And on Jan. 9, Slack said that it discovered that "a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository."

Because identity and developer services often give access to a wide variety of corporate assets — from application services to operations to source code — compromising those services can be a skeleton key to the rest of the company, NetWitness's Smith says.

"They are very very attractive targets, which represent low-hanging fruit," he says. "These are classic supply chain attacks — a plumbing attack, because the plumbing is not something that is visible on a daily basis."

**For Cyberdefense, Manage Secrets Wisely & Establish Playbooks**

Organizations should prepare for the worst and recognize that there are no simple ways to prevent the impact of such wide-ranging, impactful events, says Ben Lincoln, managing senior consultant at Bishop Fox.

"There are ways to protect against this, but they do have some overhead," he says. "So I can see developers being reluctant to implement them until it becomes evident that they are necessary."

Among the defensive tactics, Lincoln recommends the comprehensive management of secrets. Companies should be able to "push a button" and rotate all necessary password, keys, and sensitive configuration files, he says.

"You need to limit exposure, but if there is a breach, you hopefully have a push button to rotate all those credentials immediately," he says. "Companies should plan extensively in advance and have a process ready to go if the worst thing happens."

Organizations can also set traps for attackers. A variety of honeypot-like strategies allow security teams to have a high-fidelity warning that attackers may be in their network or on a service. Creating fake accounts and credentials, so-called credential canaries, can help detect when threat actors have access to sensitive assets.

In all other ways, however, companies need to apply zero-trust principles to reduce their attack surface area of — not just machines, software, and services — but also operations, MacVittie says.

"Traditionally, operations was hidden and safe behind a big moat \[in the enterprise\], so companies did not pay as much mind to them," she says. "The way that applications and digital services are constructed today, operations involve a lot of app-to-app, machine-to-app identities, and attackers have started to realize that those identities are as valuable."

CircleCI, LastPass, Okta, and Slack: Cyberattackers Pivot to Target Core Enterprise Tools

With the $7.2M contract, Cloudflare will enhance resilience and simplify security for .gov domain users.

**San Francisco, CA, January 13, 2023** **–** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, has been awarded a $7.2 million contract from the Cybersecurity and Infrastructure Security Agency (CISA) to provide Registry and Authoritative DNS services to the .gov TLD (Top Level Domain).

"The Internet has made the United States government more accessible for constituents than ever before, whether they're applying for a passport, learning health and safety recommendations for their communities, or reaching out to a representative," said Matthew Prince, co-founder & CEO of Cloudflare. "Having a reliable and secure DNS for government agencies is critical to instill trust in all .gov activity, and working with us to achieve this is a testament to the reliability and security of the Cloudflare network."

CISA is the nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the nation’s capacity to defend against cyber attacks by providing cybersecurity tools, incident response capabilities, and assessment services to safeguard the Federal IT enterprise, state and local partners, and systems that support national critical functions.

DNS is a core Internet service that is foundational to the security of the applications that sit on top of it. CISA turned to Cloudflare to provide registry and DNS services to meet the need for highly available DNS services that enhance resilience and simplify security operations for .gov domain users. CISA makes .gov domains available at no cost to US-based government organizations, but it takes more than registering a domain to put it on the Internet. DNS services guide visitors to the site. The .gov TLD registry and DNS services are available to all bona fide U.S.-based government organizations.

With this contract, Cloudflare will provide managed name servers for the .gov zone and authoritative DNS hosting for .gov domain names. Cloudflare will support CISA’s goals:

*   Reducing the attack surface of .gov-related infrastructure and government organizations
*   Automating sensitive portions of DNS security management, setting DNS records that make it hard to successfully impersonate the government in email by default, and offering new features
*   Gaining visibility to better detect and prevent certain DNS ecosystem issues instead of reacting to them

Cloudflare recently achieved FedRAMP moderate authorization and is available on the FedRAMP marketplace. Cloudflare provides security, performance, and reliability services through its global network to over 40 United States Federal Government agencies. In 2021, CISA began utilizing Cloudflare to deliver a protective DNS resolver solution for all Federal Civilian Executive Branch (FCEB) agencies. Cloudflare is committed to supporting critical government functions, including the nation's election infrastructure. Through its Athenian Project, Cloudflare provides services for free to state, county, and local officials administering elections.

For more information, visit:

*   Cloudflare for Public Sector

**About Cloudflare** Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements** This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding the capabilities and effectiveness of Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the benefits to the U.S. government and Cloudflare’s other customers from using Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the expected functionality and performance of Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the benefits to Cloudflare from achieving FedRAMP moderate authorization, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Cloudflare’s actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in its filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that we may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Wins CISA Contract for Registry and Authoritative Domain Name System (DNS) Services

Establish clear and consistent processes and standards to scale lite threat modeling's streamlined approach across your organization.

New development happens all the time at busy software companies. But is secure development happening as well?

A process called lite threat modeling (LTM) involves stakeholders in secure development, ensuring that security is baked in and not bolted on. What is LTM, and how does it differ from traditional threat modeling?

**The Lite Threat Modeling Approach**

LTM is a streamlined approach to identify, assess, and mitigate potential security threats and vulnerabilities in a system or application. It's a simplified version of traditional threat modeling, which typically involves a more comprehensive and detailed analysis of security risks.

With LTM, we're not manually sticking pins into the system or app to see if it breaks, as we would with pen testing. Rather, we poke "theoretical holes" in the application, uncovering possible attack avenues and vulnerabilities.

Here are some questions to consider asking:

*   Who would want to attack our systems?
*   What components of the system can be attacked, and how?
*   What's the worst thing that could happen if someone broke in?
*   What negative impact would this have on our company? On our customers?

**When Are LTMs performed? **

It's best to perform an LTM whenever a new feature is released, a security control is changed, or any changes are made to existing system architecture or infrastructure.

Ideally, LTMs are performed _after_ the design phase and _before_ implementation. After all, it's much, much easier to fix a vulnerability before it gets released into production. To scale LTMs across your organization, be sure to establish clear and consistent processes and standards. This can involve defining a common set of threat categories, identifying common sources of threats and vulnerabilities, and developing standard procedures for assessing and mitigating risks.

**How to Perform LTMs at Your Organization **

To start performing LTMs within your own organization, first have your internal security teams lead your LTM conversations. As your engineering teams get more familiar with the process, they can begin performing their own threat models.

To scale LTMs across your organization, be sure to establish clear and consistent processes and standards. This can involve defining a common set of threat categories, identifying common sources of threats and vulnerabilities, and developing standard procedures for assessing and mitigating risks.

**Common LTM Mistakes to Avoid**

Security people are great at threat modeling: They often expect the worst and are imaginative enough to think up edge cases. But these qualities also lead them to fall into LTM traps, such as:

*   **Focusing too much on outliers.** This occurs during an LTM exercise when the focus of the conversation veers away from the most realistic threats to its outliers. To solve this, be sure to thoroughly understand your ecosystem. Use information from your security information and event management (SIEM) and other security monitoring systems. If you have, say, 10,000 attacks hitting your application programming interface (API) endpoints, for example, you know that's what your adversaries are focused on. This is what your LTM should be focused on as well.
*   **Getting too technical.** Often, once a theoretical vulnerability has been discovered, technical people jump into "problem-solving mode." They end up "solving" the problem and talking about technical implementation instead of talking about the impact that vulnerability has on the organization. If you find this is happening during your LTM exercises, try to pull the conversation back: Tell the team that you're not going to talk about implementation yet. Talk through the _risk and impact_ first.
*   **Assuming tools alone handle risks.** Frequently, developers expect their tools to find all the problems. After all, the reality is that a threat model isn't meant to find a specific vulnerability. Rather, it's meant to look at the overall risk of the system, at the architectural level. In fact, insecure design was one of OWASP's most recent Top 10 Web Application Security Risks. You need threat models at the architectural level because architectural security issues are the most difficult to fix.
*   **Overlooking potential threats and vulnerabilities.** Threat modeling isn't a one-time exercise. It is important to regularly reassess potential threats and vulnerabilities to stay ahead of ever-changing attack vectors and threat actors.
*   **Not reviewing high-level implementation strategies.** Once potential threats and vulnerabilities have been identified, it's important to implement effective countermeasures to mitigate or eliminate them. This may include implementing technical controls, such as input validation, access control or encryption, as well as nontechnical controls, such as employee training or administrative policies.

**Conclusion**

LTM is a streamlined approach for identifying, assessing, and mitigating potential security threats and vulnerabilities. It is extremely developer-friendly and it gets secure code moving by doing threat modeling early in the software development life cycle (SDLC). Better still, an LTM can be done by software developers and architects themselves, as opposed to relying on labs to run threat modeling.

By developing and implementing LTMs in a consistent and effective manner, organizations can quickly and effectively identify and address the most critical security risks, while avoiding common pitfalls and mistakes.

Fast-Track Secure Development Using Lite Threat Modeling

Critical national infrastructure, widespread cybercrime, and cyber insecurity are major risks in the report

A lot has happened in the 12 months since the World Economic Forum's (WEF) previous "Global Risks Report." Russia invaded Ukraine. The consequential impact on the supply of food and energy has led to a cost-of-living crisis being experienced by many. Extreme weather events have become a reality for more and more people. This rapid change is the backdrop to the report.

The 2023 report highlights that there is no single dominating crisis that the world is facing and there are, and will continue to be, constant crises that organizations, governments, and countries must navigate. Attacks on critical national infrastructure (CNI), widespread cybercrime, and cyber insecurity are highlighted as major risks throughout the next 10 years in the WEF's "Global Risks Report 2023," published on Jan. 11.

In terms of current crises identified in the WEF report — those emerging or present today — cyberattacks on critical infrastructure is the only technological risk appearing on the chart. CNI attacks are much sought after by malicious threats, as they can result in high-profile trust failures, potential pay dirt for ransomware, and could even lead to civil unrest.

The report comments: "Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy and domestic, space-based and undersea communication infrastructure."

Examples of such attacks today include the UK's Royal Mail, currently dealing with a "cyber incident" that has resulted in the organization asking people to stop sending mail and parcels abroad. The outage of the NOTAM (Notice to Air Missions) system that grounded flights in the US on Jan. 11 is being investigated as a potential "nefarious cyber incident," although this is just one aspect of an investigation into the outage ordered by President Biden. Attacks on healthcare institutions, water supplies, fuel pipelines, and more all serve to remind what the "C" in CNI is there for — if something is defined as critical, it needs strong cybersecurity protection and resilience to keep people and societies safe and operational, as it will always be a target for cyberattack.

**Risks Ranked**

There is much to read in the 98-page WEF report. Although there are seven risks appearing in both the two- and 10-year outlooks ahead of widespread cybercrime and cyber insecurity, this is the leading technological risk, at No. 8 in both these outlooks.

There is actually little reference to cybercrime specifically in the report beyond the definition of "widespread cybercrime and cyber insecurity," which is described as "Increasingly sophisticated cyberespionage or cybercrimes. Includes, but is not limited to: loss of privacy, data fraud or theft, and cyber espionage."

Cybercrime is an everyday reality today. As just one example, ransomware continues to be a scourge on society and organizations, but the potential opportunities and yields are so great that it is here to stay. Phishing, crashing websites, and identity theft are just some further examples of cybercrime that are set to continue. Omdia's security breaches tracker has consistently shown that data exposure is the leading outcome of security breaches, accounting for around two-thirds of breaches in the first half of 2022.

This approximate two-thirds number has been consistent since 2019. The tracker also analyses the share of breaches by industry or vertical and healthcare was the biggest sector to be affected by security breaches in the first half of 2022, followed by the government sector. The healthcare and governmental sectors have interchanged "top spot" over the same three-year period as for data exposure. It's fair to say that data is poorly protected today and that government and healthcare are huge targets for data because of the sort of information they hold.

Cyber insecurity is useful terminology when we know that many organizations do not have adequate cybersecurity capabilities. Omdia's "IT Enterprise Insights 2022-23" found that 27% of organizations describe themselves as "well advanced" in managing security, identity, and privacy, and a further 34% as "advanced," this does leave 39% of organizations with a substantially inadequate approach.

WEF's Global Risks Report 2023 Keeps Cybersecurity on the Agenda

A security vendor's investigation of infrastructure associated with a new, crypto-focused Magecart skimmer leads to discovery of cryptoscam sites, malware distribution marketplace, Bitcoin mixers, and more.

Cybercriminals engaged in one form of criminal activity can sometimes have their hands in a wide range of other nefarious campaigns as well, as researchers recently discovered when analyzing the infrastructure associated with a fresh iteration of a Magecart skimmer.

Magecart is a notorious — and constantly evolving — syndicate of multiple groups that specializes in placing card skimmers on e-commerce sites to steal payment card information. Over the years, groups belonging to the syndicate have executed numerous — sometimes massive — heists of card information from websites, including those belonging to major companies like TicketMaster and British Airways.

Researchers from Malwarebytes recently observed a threat actor deploying a payment card skimmer — based on a framework called mr.SNIFFA — on multiple e-commerce sites. mr.SNIFFA is a service that generates Magecart scripts that threat actors can dynamically deploy to steal credit and debit card information from users paying for purchases on e-commerce websites. The malware is known for employing various obfuscation methods and tactics like steganography to load its payment card stealing code onto unsuspecting target websites.

**Sprawling Crime Haven**

Their investigation of the infrastructure used in the campaign led to the discovery of a sprawling network of other malicious activities — including cryptocurrency scams, forums for selling malicious services, and stolen credit card numbers — that appeared linked to the same actor. 

"Where one criminal service ends, another one begins — but often times they are linked," said Jerome Segura, director of threat intelligence at Malwarebytes, in a blog post summarizing the company's research. "Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends."

In the Magecart campaign that Malwarebytes observed, the threat actor used three different domains for deploying different components of the attack chain. Each of the domains had crypto-inspired names. The domain that injected the initial redirect component of the infection chain for instance had the name "saylor2xbtc\[.\]com," apparently in a nod to noted Bitcoin proponent Michael Saylor. Other celebrities were referenced too: A domain named "elon2xmusk\[.\]com" hosted the loader for the skimmer, while "2xdepp\[.\]com" contained the actual encoded skimmer itself.

Malwarebytes found the three domains hosted on infrastructure belonging to DDoS-Guard, a Russia-based bulletproof hosting company with a reputation for hosting shady websites and operations. The security vendor's investigation showed each of the three domains were associated with a wide range of other malicious activities.

The IP address, which hosted the skimmer loader for instance, also hosted a fraudulent version of home décor and decoration company Houzz's website. Similarly, the IP address for 2xdepp\[.\]com — the site hosting the skimmer — hosted a website selling tools like RDP, Cpanel, and Shells, and another website that offered a service for mixing cryptocurrencies —something that cybercriminals often use to making illicitly earned money harder to trace. 

Researchers at Malwarebytes further discovered blackbiz\[.\]top, a forum that cybercriminals use to advertise various malware services, hosted on the same subnet.

**Crypto-Related Scams**

Malwarebytes decided to see if there were any other websites hosted on DDoS Guard that might have the same "2x" in their domain names as the three sites associated with the Magecart campaign had. The exercise revealed multiple fraudulent websites engaged in illicit cryptocurrency related activities. 

"These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC," Segura said. "These crypto-giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB," he added.

Malwarebytes also discovered multiple other sites on DDoS Guard that appeared linked to the Magecart operator. Among them were phishing sites spoofing TeamViewer, AnyDesk, MSI, a Web portal named after journalist Brian Krebs for selling stolen credit card data, and one site selling a range of phishing kits.

Malwarebytes' research highlights the still sprawling nature of some cybercrime groups, even as others have begun to specialize in specific cybercriminal activities with a view to collaborating with others on joint malicious campaigns. 

Over the past few years, threat actors such as Evil Corp, North Korea's Lazarus Group, DarkSide, and others have earned reputations for being both big and varied in their operations. More recently though, others have begun to focus more narrowly on their specific skills.

Research that security vendor Trend Micro conducted last year showed that increasingly, cybercriminals with different skills are conglomerating to offer cybercrime-as-a-service. The company discovered these criminal services to be comprised of groups offering either access-as-a-service, ransomware-as-a-service, bulletproof hosting, or crowdsourcing teams focused on finding new attack methods and tactics.

"From an incident-response mentality, this means \[defenders\] will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks," Trend Micro concluded.

Researchers Find 'Digital Crime Haven' While Investigating Magecart Activity

In the ad, cybercriminals are offering to sell employee-level access to Telegram, researchers warn.

For the non-negotiable price of $20,000, threat actors claim they can provide insider access to Telegram servers running the encrypted instant messaging platform preferred by a security-conscious clientele.

The ad, posted on a Dark Web marketplace and discovered by the researchers of SafetyDetectives, boasts that the access is high-level and provided "through their employees."

Rather than providing remote access, the seller is hawking "an offering of correspondence for six months," the SafetyDetectives team added.

"It is impossible to say how many users, or Telegram servers, may be impacted," the report explained. "However, if the vendor’s claims are valid, an insider in the internal Telegram network would be able to exfiltrate logs and compromise user data."

Meanwhile, it seems Telegram might have a broader phishing problem.

**Phishing Explodes on Telegram**

The discovery comes on the heels of the release of new data from Cofense that shows that the abuse of Telegram bots exploded by 800% in 2022, driven by threat actors using malicious HTML attachments to deliver credential phishing attempts. Telegram bots are also attractive to spear-phishers because they're free and easy to set up and run.

"Threat actors appreciate the ease of setting up bots in a private or group chat, the bots' compatibility with a wide range of programming languages, and ease of integrations into malicious mediums such as malware or credential phishing kits," the Cofense report said. "Coupling the ease of Telegram bot setup and use with the popular and successful tactic of attaching an HTML credential phishing file to an email, a threat actor can quickly and efficiently reach inboxes while exfiltrating credentials to a single point using an often-trusted service."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading