More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information.

Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service.

In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential information, client data, source code, or regulated information to the LLM. 

In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.

And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven.

"There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. "And how that plays out \[remains to be seen\] — I think, we're in pregame; we're not even in the first inning."

With the surging popularity of OpenAI's ChatGPT and its foundational AI model — the Generative Pre-trained Transformer or GPT-3 — as well as other LLMs, companies and security professionals have begun to worry that sensitive data ingested as training data into the models could resurface when prompted by the right queries. Some are taking action: JPMorgan restricted workers' use of ChatGPT, for example, and Amazon, Microsoft, and Wal-Mart have all issued warnings to employees to take care in using generative AI services.

    

More users are submitting sensitive data to ChatGPT. Source: Cyberhaven

And as more software firms connect their applications to ChatGPT, the LLM may be collecting far more information than users — or their companies — are aware of, putting them at legal risk, Karla Grossenbacher, a partner at law firm Seyfarth Shaw, warned in a Bloomberg Law column.

"Prudent employers will include — in employee confidentiality agreements and policies — prohibitions on employees referring to or entering confidential, proprietary, or trade secret information into AI chatbots or language models, such as ChatGPT," she wrote. "On the flip side, since ChatGPT was trained on wide swaths of online information, employees might receive and use information from the tool that is trademarked, copyrighted, or the intellectual property of another person or entity, creating legal risk for employers."

The risk is not theoretical. In a June 2021 paper, a dozen researchers from a Who's Who list of companies and universities — including Apple, Google, Harvard University, and Stanford University — found that so-called "training data extraction attacks" could successfully recover verbatim text sequences, personally identifiable information (PII), and other information in training documents from the LLM known as GPT-2. In fact, only a single document was necessary for an LLM to memorize verbatim data, the researchers stated in the paper.

**Picking the Brain of GPT**

Indeed, these training data extraction attacks are one of the key adversarial concerns among machine learning researchers. Also known as "exfiltration via machine learning inference," the attacks could gather sensitive information or steal intellectual property, according to MITRE's Adversarial Threat Landscape for Artificial-Intelligence Systems (Atlas) knowledge base.

It works like this: By querying a generative AI system in a way that it recalls specific items, an adversary could trigger the model to recall a specific piece of information, rather than generate synthetic data. A number of real-world examples exists for GPT-3, the successor to GPT-2, including an instance where GitHub's Copilot recalled a specific developer's username and coding priorities.

Beyond GPT-based offerings, other AI-based services have raised questions as to whether they pose a risk. Automated transcription service Otter.ai, for instance, transcribes audio files into text, automatically identifying speakers and allowing important words to be tagged and phrases to be highlighted. The company's housing of that information in its cloud has caused concern for journalists.

The company says it has committed to keeping user data private and put in place strong compliance controls, according to Julie Wu, senior compliance manager at Otter.ai.

"Otter has completed its SOC2 Type 2 audit and reports, and we employ technical and organizational measures to safeguard personal data," she tells Dark Reading. "Speaker identification is account bound. Adding a speaker’s name will train Otter to recognize the speaker for future conversations you record or import in your account," but not allow speakers to be identified across accounts.  

**APIs Allow Fast GPT Adoption**

The popularity of ChatGPT has caught many companies by surprise. More than 300 developers, according to the last published numbers from a year ago, are using GPT-3 to power their applications. For example, social media firm Snap and shopping platforms Instacart and Shopify are all using ChatGPT through the API to add chat functionality to their mobile applications.

Based on conversations with his company's clients, Cyberhaven's Ting expects the move to generative AI apps will only accelerate, to be used for everything from generating memos and presentations to triaging security incidents and interacting with patients.

As he says his clients have told him: "Look, right now, as a stopgap measure, I'm just blocking this app, but my board has already told me we cannot do that. Because these tools will help our users be more productive — there is a competitive advantage — and if my competitors are using these generative AI apps, and I'm not allowing my users to use it, that puts us at a disadvantage."

The good news is education could have a big impact on whether data leaks from a specific company because a small number of employees are responsible for most of the risky requests. Less than 1% of workers are responsible for 80% of the incidents of sending sensitive data to ChatGPT, says Cyberhaven's Ting.

"You know, there are two forms of education: There's the classroom education, like when you are onboarding an employee, and then there's the in-context education, when someone is actually trying to paste data," he says. "I think both are important, but I think the latter is way more effective from what we've seen."

In addition, OpenAI and other companies are working to limit the LLM's access to personal information and sensitive data: Asking for personal details or sensitive corporate information currently leads to canned statements from ChatGPT demurring from complying.

For example, when asked, "What is Apple's strategy for 2023?" ChatGPT responded: "As an AI language model, I do not have access to Apple's confidential information or future plans. Apple is a highly secretive company, and they typically do not disclose their strategies or future plans to the public until they are ready to release them."

Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears

By working together as an industry, we can develop the technologies needed to account for human error.

With more than 20 years of experience in security, I'm more attuned to the nuances of sophisticated phishing schemes than most people. But as cybercriminals adopt more advanced tactics to steal people's data, even the most seasoned security experts can fall victim. 

In 2021, there were more than 4,145 publicly disclosed breaches that exposed information across 22 billion records. And as phishing increased in 2022, 82% of breaches involved a "human element," meaning that individuals played a role in exposing their own or their companies' secrets. 

Fortunately, technology came to my rescue one recent morning (pre-coffee, I might add), after I was almost lured in. When I clicked the link in an email purporting to be from my credit card company, my password didn't automatically autofill — a telltale sign that the URL didn't match a website for which I'd input login information. I took a closer look: Sure enough, the URL was slightly off. 

I'm not the only one on my team who's been targeted. Here are a few examples of scams that security pros almost fell for, the aspects of human psychology that the threat actors leveraged, and strategies to ensure that you (and we) don't fall victim in the future.

**Exploiting "Confirmation Bias"**

On the morning in question, I was expecting an email from American Express. So when I appeared to receive one, confirmation bias kicked in. The email looked right: The grammar and spelling were perfect, the credit card depicted looked like my own card, and I immediately recognized the four digits of the card number that were included.

I clicked. Once I realized it was a scam (thank you, technology, for not auto-filling my password), I quickly noticed other discrepancies. The digits of my credit card number were the _first_ four digits, not the closely guarded last four. And while the color and design of my credit card were accurately depicted, thousands of customers no doubt have the same card.

Confirmation bias — defined as "the tendency to process information by looking for, or interpreting, information that is consistent with one's existing beliefs" — can help us process information efficiently. But it also has drawbacks, like hindering our ability to process critical information contradicting our assumptions. 

Being aware of our tendency toward confirmation bias is key. If you receive an email, call, or text that you're not 100% sure is legitimate, take a moment to pause and verify. 

**Preying on Our Deference to Authority**

Several members of our security team recently received a text purporting to come from 1Password's CEO, Jeff Shiner. In the text, "Shiner" explained that he was heading into a meeting and unreachable by phone, but needed this person to "run a quick task now for progress."

"Boss alerts" like this are increasingly common. They're a form of "pretexting" — a type of social engineering attack in which criminals create a story (or pretext) manipulating their target into sharing private information.

If you receive an email or text (known as "smishing" attacks, as they use SMS) from your boss or another executive, take a deep breath and ask yourself a few questions before responding. Can you confirm the phone number? What is it requesting (or demanding) of you? To verify the request, consider responding via another channel, like Slack or an email address you've used before. 

**Fabricating Urgency **

Another way scammers can throw us off guard is by creating a false sense of urgency. When we're overwhelmed, we may be tempted to put out a fire quickly so we can return to our regular workload.

Victims may be alerted that if they don't pay a bill immediately, their account will be shut down or they'll incur a late fee. They may be told that if they don't click a link to confirm, a package won't be delivered.

A colleague of mine almost responded to a legitimate-looking PayPal invoice saying they owed a large sum of money for their Norton Antivirus subscription. If this was a mistake, they were told, they should respond before being charged. While the request was sent via PayPal, my colleague noticed that the email address they were instructed to respond to was a Gmail account. 

Their suspicions were confirmed when they Googled "PayPal Norton invoice" and saw multiple references to this scam. To spare other victims, they alerted PayPal. 

**Technology Can Save the Day **

While phishing training and tests can raise awareness, they can't solve the root cause of the problem. And while security experts understand the value of practices like turning on two-factor or multifactor authentication (2FA/MFA) and of updating software regularly, many consumers don't. 

At the end of the day, we are and will remain human — even those who monitor security threats for a living. Technology is an essential backstop to human error, which is why it's ultimately the answer when it comes to cybersecurity. 

We need technologies that reduce risks from phishing — whether by erecting barriers to scammers, limiting the number of phishing attempts that reach consumers, or clearly marking scams as suspicious. Passkeys, which are both extremely secure and extremely easy to use, are one of the most promising solutions. Several leading tech and security companies are now collaborating on an effort to make it easier to use passkeys across multiple systems and devices. We need to work together as an industry to develop technologies like these that account for human error. It's incumbent on us to build systems that remain secure when an insider is compromised — wittingly or unwittingly, by phishing, smishing, or whatever strategy tomorrow brings.

Scams Security Pros Almost Fell For

**LONDON, UK / March 7, 2023** - Egress, a cybersecurity company that provides intelligent email security, today released its **Email Security Risk Report 2023**. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.  

“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”

**Email Security Risks Report 2023: Key findings**

The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.

**Organizations continue to fall victim to phishing attacks**

Customer and employee churn were top of the list of negative impacts following an inbound email security incident.

*   86% of surveyed organizations were negatively impacted by phishing emails.
*   54% of organizations suffered financial losses from customer churn following a successful phishing attack.
*   40% of incidents resulted in employees exiting the organization.
*   85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email. 
*   The top three types of phishing attacks that organizations fell victim to:

*   Phishing involving malicious URL or malware attachment.
*   Social engineering.
*   Supply chain compromise.

**Risky behavior and mistakes lead to costly data loss**

People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found:

*   91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes for these incidents:

*   Reckless or risky employee behavior, such as transferring data to personal accounts for remote work.
*   Human error, including employees emailing confidential information to incorrect recipients.
*   Malicious or self-serving data exfiltration, such as taking data to a new job.

*   49% suffered financial losses from customer churn following a data loss incident.
*   48% of incidents resulted in employees exiting the organization.

**Cybersecurity leaders confess a dissatisfaction with SEG technologies**

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

*   58% - It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.
*   53% - Too many phishing emails end up in employees’ inboxes.
*   50% - It takes a lot of administrative time to manage.

**Is traditional security awareness and training (SA&T) effective at changing behavior?**

While 98% of the surveyed organizations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:

*   59% say it’s necessary for compliance with regulations or cyber insurance.
*   46% say employees skip through it as fast as possible.
*   37% admit they are not confident people remember what they’re taught.
*   29% say employees find training annoying.

**How to defend against inbound and outbound email security threats**

The report highlights that people need real-time teachable moments thatalertthem to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.

Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.

To read **Egress Email Security Risk Report 2023:** _Inbound and outbound email security threats in Microsoft 365,_ including all its analysis and findings please visit https://egress.co/ufxkz.

**About Egress**

Egress makes digital communication safer for everyone. As advanced and persistent cybersecurity threats continue to evolve, we recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss, resulting in the reduction of human activated risk. 

Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.

99% of Cybersecurity Leaders Are Stressed About Email Security

Third annual report identifies top security gaps and challenges for organizations operating in the cloud.

**SANTA** **CLARA,** **Calif.****,** **March** **7,** **2023** **/PRNewswire/** **\--** Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today published its 2023 State of Cloud-Native Security Report. The report surveyed more than 2,500 C-level executives around the world to better understand their cloud adoption strategies, and how those strategies are working.

With organizations of all sizes moving more of their operations to the cloud, a majority are struggling to automate cloud security and mitigate risks. It's one reason why many companies are trying to improve security earlier in the development process, and looking for fewer vendors that can offer more security capabilities.

**Cloud Use Has Grown, Along With Security Concerns -** The expansion of hybrid work during the pandemic drove organizations to expand their use of clouds by more than 25%. As a result, DevOps teams are being pressed to deliver production code at warp speed — making application security more complex, and putting pressure on security organizations to keep pace.

**Most Organizations are Slow to Detect and Respond to Threats** \- 90% of organizations we surveyed said they cannot detect, contain and resolve cyber threats within an hour. Bad actors are working just as fast as developers to take advantage of organizations' vulnerabilities. What could go wrong often does go wrong and any cloud asset that is inadvertently exposed to the internet can be compromised within minutes. Detecting threats in real-time represents the new frontier of cloud security.

**Teams Don't Understand Their Security Responsibilities** - When asked about the challenges of moving to the cloud, respondents' top concerns remained unchanged from our 2020 report: struggles with comprehensive security, compliance, and technical complexity. A large majority (78%) of organizations said they have distributed responsibility for cloud security to individual teams, but almost half (47%) said a majority of their workforce does not understand their security responsibilities.

**A Greater Need for Code-to-Cloud Security -** As more applications are being built in the cloud using off-the-shelf software, there's a risk that any vulnerability in the development process could compromise an entire application later on. That's why more companies are encouraging a deeper level of engagement between application developers and security tools and teams — with 81% of respondents saying they have embedded security professionals inside their DevOps teams.

"With three out of four organizations deploying new or updated code to production weekly, and almost 40% committing new code daily, no one can afford to overlook the security of cloud workloads," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As cloud adoption and expansion continues, organizations need to adopt a platform approach that secures applications from code to cloud across multicloud environments."

**Moving Towards Consolidation** \- Three quarters of the leaders we surveyed say they struggle to identify which security tools are necessary to achieve their objectives. This has led many of them to implement numerous single point solutions — with the average organization using more than 30 security tools, including six to 10 dedicated to cloud security.

The sheer number of security tools makes it difficult for leaders to have in-depth visibility into their entire cloud portfolio. 76% of survey respondents reported that using multiple security tools creates blind spots that affect their ability to prioritize risk and prevent threats. And 80% said they would benefit from a centralized security solution that sits across all of their cloud accounts and services.

**A Clear Path Forward -** Despite the upheaval caused by the pandemic, organizations have mostly been able to succeed in their cloud expansions — and organizations that made cloud infrastructure a strategic focus across the business were generally more successful. This makes cloud security a clear enabler of business outcomes.

Of course better security does not guarantee success. But having security under control — consolidating tools and vendors and using proven DevSecOps and security automation strategies — lets development teams do their jobs better and gives organizations the tools they need to succeed.

**About the Survey**

This survey was administered online by Palo Alto Networks, and data was gathered from November 21, 2022, to December 14, 2022. Respondents were surveyed from across the globe, spanning the U.S., Australia, Germany, the UK, Singapore and Japan. Over half are from enterprise-sized organizations (over $1B in annual revenue), and respondents were gathered from both ends of the organizational spectrum between executive leadership and more practitioner-level roles in order to understand sentiments broadly across companies.

**Additional Resources**

*   Read more about the 2023 State of Cloud-Native Security Report in this blog.
*   Watch the State of Cloud-Native Security Report Webinar on demand.
*   Find out more about Prisma Cloud here.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ the United States _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour

Attackers use phishing emails that appear to come from reputable organizations, dropping the payload using public cloud servers and an old Windows UAC bypass technique.

A phishing campaign targeting organizations in Eastern Europe is leveraging an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), to perform cyber espionage across the region, researchers have found.

The campaign uses emails that appear to come from legitimate and highly regarded institutions in the targeted country to lure victims, researchers from SentinelOne revealed in a recent blog post. If successful in getting users to click on a malicious link, attackers leverage the DBatLoader malware loader, which abuses a technique identified more than two years ago to set up mock trusted folders to bypass Windows UAC and drop the RAT, the researchers said.

DBatLoader is known for using public cloud infrastructure to host its malware staging component, the SentinelOne researchers said. In the case of this campaign, they have observed download links to Microsoft OneDrive and Google Drive sites that have been used for this purpose, one of which was active for more than a month, they said.

"When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location," SentinelOne senior threat researcher Aleksandar Milenkoski wrote in the post.

The executable in this case is the Remcos RAT, a malware that threat actors with cybercriminal and espionage motivations widely use to take over computers and collect keystrokes, audio, video, screenshots, and system information as well as deliver other malware, the researchers noted.

Indeed, the campaign observed by SentinelOne is likely linked to reports by the Ukrainian CERT of "phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments," which also deliver the RAT, Milenkoski wrote.

**Reputation-Based Phishing Lures**

Rather than use socially engineered messages in the campaign, attackers rely solely on the reputations of the purported organizations from which the messages are sent to trick victims into taking the bait, the SentinelOne researchers said.

In fact, the messages generally contain no text at all but merely the malicious attachment, they said. In the cases that the messages do include text, it's written in the language of the target’s country, the researchers added. Further, attackers typically send the emails to the sales departments of the targets or publicly available contact email addresses for the organizations. The emails include attachments in the form of tar.lzarchives that typically masquerade as financial documents, such as invoices or tender documentation that appear to originate from institutions or business organizations related to the target. Some attachments purport to be Microsoft Office, LibreOffice, or PDF documents and use double extensions and/or application icons to fool victims.

"Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based," Milenkoski wrote.

"We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations, which are supposedly sending the email," Milenkoski added.

**Abusing Windows UAC Bypass**

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from an aforementioned public cloud location, which then creates and executes an initial Windows batch script in the %Public%\\Libraries directory, the researchers said.

This script abuses a previously identified method for bypassing Windows UAC that involves the creation of mock trusted directories, such as %SystemRoot%\\System32; this allows attackers to conduct activities with elevated privileges without alerting users, the researchers said. Security researcher Daniel Gebert discovered and subsequently revealed the UAC bypass in a July 2020 post on his security blog.

The bypass occurs through a combination of the mock trusted directories and DLL hijacking, which together cause Windows to automatically elevate the process without issuing an UAC prompt, Milenkoski wrote.

The resulting bypass allows DBatLoader to establish persistence across system reboots, by copying itself in the %Public%\\Libraries directory and creating an autorun registry key that points to an Internet Shortcut file, he explained in the post. This executes the DBatLoader executable in the mock directory, which in turn executes the Remcos RAT through process injection.

Researchers observed a wide variety of Remcos RAT configurations on victim systems, most of which were configured for keylogging and screenshot-theft capabilities, "as well as 'duckdns' dynamic DNS domains for command-and-control purposes," Milenkoski wrote.

**Reducing Cyber-Risk & Avoiding Compromise**

Researchers made a number of recommendations to security administrators to dodge the campaign, particularly given its use of DBatLoader coming through on the public cloud.

First and foremost, they advised vigilance against malicious network requests to public cloud instances, noting that attackers' use of public cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate and thus harder for organizations to detect. "This tactic is popular amongst cybercriminals and espionage threat actors," Milenkoski observed.

Researchers also recommended that administrators monitor for suspicious file creation activities in the %Public%\\Library directory, and process-execution activities that involve filesystem paths with trailing spaces, especially \\Windows \\. "The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\\System32," Milenkoski wrote.

Another tactic for avoiding compromise that administrators should consider is configuring Windows UAC to "always notify," which will always alert users when a program attempts to make changes to computers across a business network, he added.

Researchers also enforced general advice for avoiding phishing compromise in any form by ensuring that administrators and employees alike are aware of what malicious emails look like and how to avoid engaging with them.

Remcos RAT Spyware Scurries Into Machines via Cloud Servers

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Adds New features for its Privilege Manager and DevOps Secrets Vault

The strategy document does nothing to change things on the ground in the near term; legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda.

The Biden administration's plans to introduce minimum cybersecurity requirements for organizations in critical infrastructure sectors could face challenges in a divided Congress.

That said, many other proposals in the president's broad new National Cybersecurity Strategy, announced March 2, could be relatively easier to implement, even though some of them might have to be via executive fiat, several former government officials and security experts said.

**Much Needed Updating**

"President Biden's National Cybersecurity Strategy will drive a much-needed updating of the United States' cyber-social contract," a senior administration official tells Dark Reading. "That includes both immediate initiatives that build on the administration's executive actions to drive critical infrastructure cybersecurity, as well as an ambitious, long-term vision that will require legislative, regulatory, and technological innovations over the next several years."

The strategy represents a commitment by federal agencies to pursue those innovations and to collaborate with industry to meet objectives, the official says, and continues "our longtime, critical partnership with Congress in developing bipartisan cybersecurity policy."

The key focus areas for Biden's strategy for building US resilience in cyberspace are: critical infrastructure defense, disrupting threat actors, and using the government's purchasing clout and other mechanisms to influence better cybersecurity practices in the public and private sector. The plan also proposes new federal investment in cybersecurity research and development, building a digital identity ecosystem, and focusing on foundational Internet technologies such as the Domain Name System and IPv6.

Individual components of the strategy include mandatory minimum cybersecurity requirements for critical infrastructure, a proposal to make software vendors liable for the security of their products, and services and scaling existing public and private partnerships.

**What's Next for the National Cybersecurity Strategy?**

For the moment, at least, the strategy document does nothing to change things on the ground. Legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda, says Jordan Burris, senior vice president and head of public sector strategy at Socure. 

"Specifically, we will see this play out in regulation for critical infrastructure sectors to set minimum requirements for cybersecurity," says Burris, former chief of staff at the White House Office of Management and Budget. Legislation will also play a role in ensuring that resources are available for some of the new requirements in the strategy for agencies and other stakeholders.

"Cybersecurity has always been viewed as a non-partisan issue in Washington, DC," Burris says. "However, it is critical that as the administration continues to roll out its plans, that it works with both sides of the aisle to make progress." 

This is going to be especially key when calling on Congress to invest in cybersecurity capabilities across agencies, he says, "Unfortunately, there are many proposals that administrations have advocated for that have obtained little to no traction in the halls of Congress."

Ideally, Biden's plans should receive bipartisan applause and action for his proposals, says Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House. "But I've been around long enough to understand the political atmosphere in Washington right now is just short of toxic," she says. "So, finding common ground on these critically important issues is going to be difficult," she adds.

Like Burris, Payton notes that for now, the new strategy provides a road map for the administration's cybersecurity priorities more than anything else. Essentially, the strategy acknowledges the federal government's significant role in cybersecurity while also demanding a whole lot more from the private sector.

**The Biggest Congressional Sign-Off Challenges**

Garnering the support in Congress is going to be especially difficult when it comes to the regulatory component in Biden's strategy document, Payton says. While it is notable the administration is willing to wade into an area that other administrations have stayed away from, the regulatory question will be a tough sell on the Hill, given the pro-business/anti-regulation climate amongst the House majority. Even so, "I think in the aftermath of the SolarWinds breach and the Colonial Pipeline attack, it's an important and probably overdue dialogue that all public and private sector partners need to have," Payton says.

And the Biden administration's proposal to shift liability for software away from users to software vendors and publishers is almost certainly going to be another hard sell. There have been similar proposals in the past that have gone nowhere, and there's little to suggest the new plans will fare any differently.

One initial stumbling block is that software is still not a tangible product under the Uniform Commercial Code (UCC) in the US, explains John Pescatore, a former National Security Agency (NSA) analyst and current director of emerging security trends at the SANS Institute. Before discussions around legislative support for the liability-shifting proposal in Biden's new strategy can even begin, that issue needs resolution, Pescatore tells Dark Reading. 

"The UCC says software is not a tangible good and without that you cannot assign liability," he says. The lobbying power that tech giants have in Washington is only going to exacerbate the challenge, he notes.

Even so, the White House can also take unilateral action in many cases, according to Payton. "Nearly all areas of the strategy can be actionable whether if implemented as an executive order or as a law passed by Congress," Payton adds. "Given the divided nature of Congress, I would expect to see a series of executive orders coming from the White House in the weeks and months ahead."

**There Are Some Actionable Strategy Components**

While the biggest pieces of the plan remain unactionable for now, not all of the proposals in Biden's strategy are dependent on legislation and regulatory action. Perhaps the most important among this group, according to security experts, is the plan to use the federal government's purchasing power to get software vendors and others doing business with the government to follow cybersecurity best practices. 

A Biden May 2021 executive order already requires all federal contractors to produce a software bill of materials (SBOM) and other artifacts of secure software development practices to their federal agency customers. Last week's strategy seeks to scale up and build on those kinds of efforts and doing so will require no legislative support. The strategy document's proposal to bolster public-private information sharing and for dismantling threat actor infrastructure are two other areas that are also not dependent on Congress to move on.

And indeed, Burris perceives that the administration can also move things forward on that front by getting Sector Risk Management Agencies (SRMAs) to better coordinate with entities such as information sharing and analysis centers (ISACs), the US Cybersecurity and Infrastructure Agency (CISA), and bodies such as the Joint Cyber Defense Collaborative.

"Some of the strategy can be enacted by the executive branch under the direction of the White House," says Curtis Franklin, an analyst with Omdia. "These pieces are quite likely to be actionable and, once in place, binding and long-lasting." As examples, he points to proposals in the new strategy to integrate federal cybersecurity centers, to update the federal incident response plan and processes, and integrating federal disruption activities. 

"There's a lot in the document that is an extension of existing strategic items and those will have the easiest time moving forward," Franklin says. Nonetheless, he agrees that it's important to be realistic: "The pieces that would require legal or regulatory action are much more challenging, and some will never happen."

Key Proposals in Biden's Cybersecurity Strategy Face Congressional Challenges

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

National defense and security experts long predicted that future warfare would not be waged by firearms but with code designed to disable services people depend on for daily life.

In May 2021, security experts' worst fears came true, when a ransomware attack struck the Colonial Pipeline. Gas delivery to most of the US Northeast halted almost overnight. Although systems were eventually restored, the event still lives in infamy today and reminds us of the destructive potential cyberattacks can have when levied against critical infrastructure. Since then, similar infrastructure attacks have dominated headlines across most of the world and are increasingly carried out by non-state-sponsored actors.

In our "Q2/Q3 Ransomware Index Update," Securin (formerly Cyber Security Works) researchers mapped out the impact of ransomware on industrial control systems (ICS) deployed in critical infrastructure establishments. They identified the three most at-risk sectors: healthcare, energy, and manufacturing. Our researchers also examined 16 ransomware vulnerabilities and the bad actors who exploit them, such as Ryuk, Conti, WannaCry, and Petya. We have included a table at the end of the article with the full list of vulnerabilities and impacted vendors.

With each successful attack, ransomware groups grow bolder and target industries that can cause the most pain to exploit the crises for maximum extortion. Understanding the threat actors and their methods is the key to protecting critical industries and maintaining smooth operations.

    

Ransomware CVEs affecting ICS products yet to be included in the CISA KEVs (as on date of publishing the report).

**Healthcare**

Cybersecurity and Infrastructure Security Agency (CISA) advisories to healthcare providers come in the aftermath of ongoing attacks by ransomware groups such as Black Basta, Quantum, and MountLocker. The impact of unpatched critical vulnerabilities in this sector could be potentially life threatening.

Public health and healthcare systems are affected by the majority of vulnerabilities — nine out of the 16 identified — because they are dependent on other sectors for the continuity of their service delivery and operations. Philips Healthcare, a technology-based company that develops advanced visualization software for crucial imaging equipment, is the most affected vendor, clocking in eight vulnerabilities found in its IntelliSpace Portal 9.0. Vulnerabilities CVE-2017-0144 and CVE-2017-0147 should be patched immediately for their high ransomware family associations used in real-world attacks.

**Energy**

An attack on an energy provider can result in grid failure or inconsistent energy output to homes, commercial buildings, or other critical service providers. The energy sector is plagued by six vulnerabilities that organizations must watch, particularly those found in Schneider Electric's products.

CVE-2017-6032 and CVE-2017-6034 affect Schneider Electric's Modicon Modbus Protocol, an open communications standard that is used across critical infrastructure, which can lead to chain reaction attacks. However, vulnerabilities CVE-2019-18935 and CVE-2020-10713 found in Hitachi ABB Power Grid systems and Hitachi Energy Transformer Asset Performance Management (APM) Edge, respectively, pose just as much risk. They should be treated as serious by network security administrators.

**Manufacturing**

The critical manufacturing sector can be divided into four core subindustries: transportation equipment; machinery manufacturing; electrical equipment, appliance and component manufacturing; and primary metals manufacturing.

A quarter of the vulnerabilities included in our analysis affect vendors in the manufacturing sector, including Exacq Technologies, Sensormatic Electronics, and Schneider Electric.

**How to Stay Protected**

We encourage organizations to stay aware of vendor advisories of the products they utilize and take steps to organize vulnerability enumeration according to severity. Most of the vulnerabilities in this article take advantage of legacy setups comprising out-of-date software and, sometimes, unsupported end-of-life components. Here are key insights to keep your system and industry safe:

*   **Improper input validation** is the most prevalent weakness powering ICS ransomware CVEs. Proper input screening can prevent bad actors from infiltrating databases and locking admins out of the system.
*   **Six vulnerabilities** are missing from the CISA Known Exploited Vulnerability (KEV) catalog and should be patched: CVE-2018-5391, CVE-2018-10115, CVE-2017-6034, CVE-2017-6032, CVE-2017-7494, and CVE-2020-10713.
*   **Performing simulated** **penetration tests** of your systems can identify hidden entry points that criminals would otherwise use. Finding where you are most exposed can help set patch priorities and build defenses before attackers can leverage them.

The US economy depends on an interconnected infrastructure of energy, health, and manufacturing. Hospitals need the energy to function and render life-saving services, and oil and natural gas refineries deliver necessary fuel to power domestic manufacturing — it's a marvelous system to appreciate, but a rather precious one as well, and we should take steps to protect it.

CVE ID

Impacted Vendors

CVSS v3 Score

Action

CVE-2021-44228

Exacq Technologies, a subsidiary of Johnson Controls, Inc.; Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc.

10

Vendor patch

CVE-2020-10713

Hitachi Energy

8.2

Vendor patch

CVE-2019-18935

Hitachi ABB Power Grids

9.8

Vendor patch

CVE-2019-0708

Spacelabs

9.8

Vendor patch

CVE-2018-5391

Siemens

7.5

Vendor patch

CVE-2018-10115

Philips

7.8

Update to latest version

CVE-2017-7494

Schneider Electric

9.8

Vendor advisory

CVE-2017-6034

Schneider Electric

9.8

ICS advisory

CVE-2017-6032

Schneider Electric

5.3

ICS advisory

CVE-2017-0199

Philips

7.8

Vendor patch

CVE-2017-0148

Philips

8.1

Vendor patch

CVE-2017-0147

Philips

5.9

Vendor patch

CVE-2017-0146

Philips

8.1

Vendor patch

CVE-2017-0145

Philips

8.1

Vendor patch

CVE-2017-0144

Philips

8.1

Vendor patch

CVE-2017-0143

Baxter, Philips

8.1

Vendor patch

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

**DENVER****,** **March 7, 2023** **/PRNewswire/ --** Digitization and the heavy adoption of connected devices are enabling organizations to reach new heights and, at the same time, have intensified the threat landscape and extended the attack surface. As organizations work to reap the benefits of the IT, OT and industrial control system (ICS) convergence, Optiv, the cyber advisory and solutions leader, is helping businesses secure their critical hardware, systems and processes with a full suite of OT security advisory, deployment and management services.

Organizations need a path to mature their OT while also protecting what is most important to the business: safety, uptime and resiliency.

Optiv's OT cyber advisors hold nearly 130 combined years of on-the-ground ICS experience. They provide the foundation for identifying and quantifying risk with assessments, threat modeling, roadmapping, network validation, site walks and policy building.

"We're seeing organizations manage their production environment more effectively while improving their security posture. This has resulted in reduced downtime and increased output," said Sean Tufts, Optiv's OT security services leader. "New endpoints and data sources also create hidden vulnerabilities. Traditional network security struggles to map cyber risk, which puts an OT-driven facility's entire state of being on shaky ground. An impact to OT is an impact to the bottom line."

Optiv provides the necessary tools and services for organizations to gain control over protecting their crucial functions, SCADA systems and both company- and vendor-owned devices. Experts work closely with finely vetted technology partners on OT technology racking, stacking, tuning and integration.

In addition, OT/ICS clients can lift the operational burden from their in-house security teams, with Optiv customizing managed security services to their unique business needs. These might include real-time threat detection and response, platform patching, device maintenance and continuous technology configuration and optimization in OT alert triaging, technology management and Optiv's OT SOC and Advanced Fusion Center.

Whether it is mastering the fundamentals or building advanced capabilities, Optiv's OT cyber services are designed to help identify business-specific OT risks for an integrated approach that spans an organization's entire ecosystem.

Learn more about Optiv's OT Security Services with these resources:

*   Advise – Service Brief
*   Deploy – Service Brief
*   Operate – Service Brief

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/. 

**Optiv Security: Secure greatness.®**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv Launches Full Suite of Operational Technology Services

Securin Inc. will provide tech-enabled security solutions, vulnerability
intelligence and deep domain expertise.

**ALBUQUERQUE, N.M., March 7, 2023 /PRNewswire-PRWeb/ --** Cyber Security Works Inc., a leading security company, today announced that it is rebranding as  
Securin Inc. due to the evolution of its service capabilities and offerings.  
Under the new identity, it will provide tech-enabled security solutions to  
continuously improve customers' security posture and help them gain resilience  
against evolving threats.

CSW offers flagship services such as vulnerability management and penetration  
testing to customers around the globe. In 2020, CSW became a CVE Numbering  
Authority (CNA) to help the Department of Homeland Security (DHS) and MITRE  
validate newly discovered zero-day vulnerabilities.  

In 2022, CSW acquired Securin, an automated platform with solutions such as  
attack surface management (ASM) and vulnerability intelligence (VI). Since its  
launch, Securin ASM has been providing many leading tech companies with an  
outside-in view of their expanding attack surface from an adversary's  
perspective and helping them to prioritize and remediate their most dangerous  
exposures. Securin VI offers an entire spectrum of vulnerability intelligence  
powered by 700+ authentic intelligence feeds that continuously measure a  
vulnerability's risk. Through its artificial intelligence (AI) & machine  
learning (ML) models, Securin's VI platform warns its customers about  
vulnerabilities that will likely be exploited soon, enabling them to prioritize  
and patch proactively.  

After this rebrand, Securin will combine its offerings to provide customers with  
a comprehensive suite of security solutions such as ASM, VI, Vulnerability  
Management, and Penetration Testing to level up their security. Securin has  
grown to 250+ employees globally and will continue to operate from its offices  
in Albuquerque, New Mexico and Chennai, India.  

Ram Movva, Co-Founder and Chairman of Securin, said, "In the past few years, we  
have added many new capabilities to our offerings. With the shifting  
cybersecurity landscape and evolving threats, it is critical to implement tools  
and solutions that can provide actionable and timely intelligence to prevent  
cybersecurity breaches before they happen. As we forge ahead, we want to become a tech-enabled solution organization focused on increasing the security posture of our customers through our suite of offerings. We believe Securin, as our  
overall brand name, embodies our vision to secure organizations to build  
resilience against emerging threats."  

Expanding on Movva's comments, Aaron Sandeen, CEO of Securin, said, "We are very excited to rebrand as Securin. CSW has seen amazing growth in the past two years and evolved beyond recognition. We have been providing our customers with a full suite of capabilities, such as vulnerability management and penetration testing, bundled with ASM & VI. Rebranding into Securin is the next step in our business evolution, which will enable us to focus on our vision to improve security posture and reduce the attack surface of our customers."  

Sandeen added, "By combining our services - vulnerability management and  
penetration testing with products like Securin ASM and Securin VI, we will be  
offering customers a powerful suite of solutions that will manage and shrink  
their expanding attack surface and also keep them a step ahead of the bad guys."  
After the rebrand, Securin will continue to act as a CVE Numbering Authority  
(CNA) and help MITRE validate zero days and expedite their entry in the National  
Vulnerability Database (NVD).  
To learn more, visit http://www.securin.io.**About Securin**  
Securin is a leading provider of tech-enabled cybersecurity services, helping  
hundreds of customers worldwide gain resilience against emerging threats.  
Powered by accurate vulnerability intelligence, human expertise, and automation,  
its products and services have enabled enterprises to make critical security  
decisions to manage their expanding attack surface.

Source

DARKReading