Making the option available only to paid subscribers — while also claiming SMS authentication is broken — doesn't make sense, some say. Is it a cash grab?

Twitter's sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant's already somewhat dubious reputation for protecting users of its services.

Twitter, on Feb. 15, announced that in 30 days it would disable text-message based — or SMS-based — 2FA for all but paying Twitter Blue subscribers. "After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method," the company said. "At that time, accounts with text message 2FA still enabled will have it disabled."

Several analysts view the move as ill-conceived and weakening protections for the millions of users that currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter's view about text message-based authentication mechanisms being somewhat susceptible to attack still perceive it as offering magnitudes more protection than not having a second factor at all.

**Twitter's Ill-Conceived Move**

"The optics are certainly bad," says Richard Stiennon, chief research analyst at IT-Harvest. "This move seems to put a price on better security for Twitter which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords."

The company urged users that still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or key that users can use in addition to their password when accessing an account on which they have enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator. 

Security keys are usually a physical device — like a USB dongle — that users can use to verify their identity when logging in to an account. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure," Twitter said.

"Using an authenticator app is better \[than text-based 2FA\]," Steinnon notes, "but there will never be a large number of users unless Twitter makes such an app a requirement and makes it available for free."

**Raising Questions About Text-Based 2FA**

The social media company's brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the process as the main motivation: "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors."

The widespread use of mobile devices for SMS-based 2FA authentication, for instance, has driven an increase in so called SIM-swapping attacks, where a threat actor transfers another individual's phone number to their SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use it to break into 2FA protected accounts have persisted for years, as have calls to replace it with stronger token and app based token generators.

Nonetheless, Stiennon and others dismiss that explanation as not being enough reason to disable the option for anyone that wants to use it. "For highly targeted attacks, it is true that SMS can be intercepted by determined attackers," he says, noting that such attacks are rare.

**An Attempt to Raise Revenue?**

John Pescatore, director of emerging security trends at the SANS Institute, says Twitter's move is somewhat akin to a bank insisting that users of a free checking account only enter their PIN — and not their ATM card as well — to use an ATM machine. "While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still so much more secure than reusable passwords," he says.

"The only justification for what they are doing is an attempt to raise revenue," Pesactore tells Dark Reading. Otherwise, why would they allow a supposedly less secure authentication only be available to their paid subscribers, he points out.

A transparency report that Twitter released in December 2021 showed at that time that some 2.4% of active Twitter accounts had enabled 2FA. Of that, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on those numbers (the most recent), only a relatively small proportion of Twitter's active accounts would appear directly impacted by Twitter's recent decision — though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter's cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.

"Twitter has a consistently poor record around security," Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company not taking steps required of them to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead. 

"Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8," Pescatore adds.

**Coming Under the Microscope**

As if the company's security challenges were not bad enough, Elon Musk's controversial leadership of Twitter has also put the company's every move under the microscope.

"As with anything to do with Twitter nowadays, the broader context for their decisions invites a lot of controversy from all over the political spectrum," says Fernando Montenegro, an analyst with Omdia.

With the latest move, there's a general understanding that SMS 2FA is less resistant to some attacks than the authenticator apps or security keys. So getting users to move towards "better" MFA is a good thing for potentially improving resilience against these attacks, he adds. "It's also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that are not subscribers," Montenegro says.

The key question here is whether people use SMS because it's easier to set it up or just because they don't know about alternatives, he points out. "If the former, and Twitter doesn't make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people knowing about other options for MFA and turning those on."

Analysts Slam Twitter's Decision to Disable SMS-Based 2FA

Nation-state adversaries, new reporting regulations, and a fast-paced threat landscape mean that financial services and technology firms need to bolster their security posture.

The cybersecurity landscape for financial institutions and finance technology (fintech) has changed dramatically in the past few years, and 2023 will likely be no different.

In 2022, for example, distributed denial-of-service (DDoS) attacks targeting financial firms increased by 22% worldwide, compared to the previous year, according to a joint report published by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Internet infrastructure firm Akamai. Financial institutions in Europe saw an even greater jump, with 73% more DDoS attacks, the report stated.

While many businesses wave aside DDoS attacks as noise on the Internet, such tactics are increasingly used as a diversion tool, especially with geopolitical tensions running high, as they have since Russia invaded Ukraine, says Teresa Walsh, global head of intelligence at the FS-ISAC.

Financial institutions need to gauge "the potential for DDoS attacks to be used as a decoy for more damaging cyber activities, such as the infiltration of systems and the installation of malware," she says. "While DDoS attacks themselves tend to not cause large windows of downtime due to a wide array of standard defensive measures available to financial institutions, the same practices are not as readily available for DDoS used as a smokescreen."

The increase in DDoS attacks is just one area where financial services and fintech firms face an increasing level of threats. Driven by nation-state groups taking sides in the Russia-Ukraine war, ransomware is becoming more destructive, while attacks on financial data are increasingly a problem facing all types of organizations. In addition, attackers are using cybercriminal services — such as access brokers and ransomware-as-a-service — leading to more specialized and sophisticated operations against financial institutions and cryptocurrency services.

Regulations are also changing the cybersecurity landscape for financial firms, which must now — as of May 1, 2022 — disclose cyber incidents within 36 hours to their regulators in the United States, if the incident could impact the US banking system. At the same time, the recent ransomware attack on derivative service provider ION Group and the ongoing popularity of business email compromise (BEC) schemes shows the brittleness of the financial supply chain.

While financial firms have some of the best cybersecurity, attackers continue to find ways to succeed, says Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

"They have invested much more than other industries in cybersecurity, they have the best technologies, and they have some of the very best people in the world," he says. "But they're being hunted by the most organized sophisticated cybercrime cartels in the world, coupled with intelligence services from rogue nation states who want to hack the sector — not just for the purposes of economic espionage, but to help offset economic sanctions."

**Geopolitics & Cybercriminal Specialization Spur Changes**

Two major forces are changing the overall cybersecurity landscape. Russia's invasion of Ukraine has led to a parallel cyberwar that, unlike the physical conflict, has spilled outside the boundaries of those two nations. The Russia-Ukraine conflict has led to a greater number of attackers focusing on destructive operations, in addition to stealing funds or deploying ransomware for profit.

More than half (54%) of financial firms interviewed by Contrast Security considered cyberattacks from Russia as the top threat, with a quarter naming North Korea as their top worry.

"The Russians are most concerning to these institutions because Russian cybercrime cartels are far more knowledgeable of, not only the financial sector in terms of how it operates and what is most valuable ... but also the interdependencies that exists in the sector," Kellermann says. "Which is why you're seeing that surge of attacks against APIs and an increase in island-hopping and watering hole attacks."

Overall, cyberattacks in the sector have become more sophisticated, with many traditionally standalone attacks now being used as part of more complex operations, with "as-a-service" models replacing some parts of the attack chain. Access brokers have become far more popular, as demonstrated by the growth of the Emotet malware-as-a-service operation, cybersecurity firm Kaspersky said in a list of cyberthreats targeting the financial services industry.

"These access broker cybercriminal groups, they are basically hacking as much as they can and then they are selling the access to us to anyone that wants to buy," Marc Rivero, a senior security research at Kaspersky, said during a presentation on the company's predications. "That allows other groups to spend less time compromising their targets."

Even company finance and accounting departments are seeing increased risks. More than a third of organizations (35%) had their accounting and financial data targeted by attackers in a cyber event in the past 12 months, and nearly half (49%) expect an increase in similar attacks in the next year, according to a survey conducted by consultancy Deloitte.

Increasingly, attackers are focusing on compromising financial transactions between corporate users and financial institutions, and between financial firms and their vendors, said Daniel Soo, a principal with Deloitte's risk and financial advisory group.

"These attackers are becoming a little bit more targeted, where they can get into some financials and see what's underlying each of these firms," he says. "And it's a little bit frightening, because by peering into the financials, you can learn a lot about organizations."

**More Regulations, Compliance Risks**

Financial institutions also have to deal with increasing regulations across multiple jurisdictions. Data breaches must be reported to European authorities to satisfy the General Data Protection Regulation (GDPR), and the United States is increasing oversight at both the state — led by California — and federal level. The American Data Privacy Protection Act (ADPPA) did not pass through Congress, but federal standards continue to progress, including a 36-hour reporting requirement for financial firms.

The increasing regulations means that any financial institution needs to build a holistic cyber resilience program to have the flexibility to meet changing regulations, particularly multinational institutions, says FS-ISAC's Walsh.

"This has been a major priority for many years now, so we expect few institutions to have to make dramatic changes to their cyber management or reporting infrastructure in response to regulation," she says.

Kellermann adds, "Plausible deniability is dead. They are just going to have to report now."

**Improvement Needed in Financial Security Posture**

While financial services firms typically lead the pack as adopters of cybersecurity, the fast pace of innovation in payment technologies requires financial institutions to quickly move to secure those technologies, according to Contrast Security's survey. In 2023, 72% of financial organizations plan to increase their investment in the security of their applications, while 64% mandated cybersecurity requirements for their vendors, the survey found.

In addition, the definition of cybersecurity and cybercrime is expanding to new categories. In a report released in January 2023, the Financial Industry Regulatory Authority (FINRA) added a new section for financial crimes in its cybersecurity and technology governance section.

For the most part, the financial industry needs to make its information infrastructure and processes more resilient — not only in resisting an attack, but also in the organization's ability to recover following an attack, says Deloitte's Soo. Currently, only 26% of companies have a process in place to estimate damages from specific types of cyber incidents, with another 17% aiming to put one in place in the next 12 months, Deloitte stated in its report.

"There's certainly going to be a disruption often related to some sort of cyber incident, and resilience is very much around 'how do you recover quickly in a very structured way'," Soo says. "How can you recover and how can you limit the blast radius, \[so\] you localize any type of damage?"

Cyberthreats, Regulations Mount for Financial Industry

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Someone is clearly irritated. But why? Come up with a cybersecurity-related caption for our latest cartoon, above, and you could win a $25 Amazon gift card. Here are four convenient ways to submit your ideas before the March 15, 2023, deadline.

*   Email _\[email protected\]_ with the subject line "Dark Reading February Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Dark Reading editors had a hard time keeping a straight face as we went though the many caption contenders for January's "Poker Hand" contest. But our favorite soon emerged. A hearty congratulations goes to TALAS Security co-founder Paul Marco.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Join the Club

Some employees' personal data was leaked, but the company responded swiftly to a socially engineered incident that gained access to legitimate employee login credentials.

Threat actors targeted employees of cryptocurrency exchange Coinbase in a smishing attack that exposed a "limited amount" of personal employee data, after cyberattackers bypassed multifactor authentication (MFA) to gain direct access to its corporate system.

Coinbase outlined the attack — which the company believes is connected to the previously identified Oktapus campaign that targeted several Okta employees with malicious SMS messages — in a recent blog post, providing an in-depth, step-by-step account of how it unfolded, escalated, and was eventually thwarted without a major breach.

One of the employees who was targeted responded to an attacker's SMS and gave up credentials to the corporate system; the person then received a follow-up phone call attempting to gain access after initial attempts to log in were blocked by MFA security. Coinbase's Computer Security Incident Response Team (CSIRT) responded within 10 minutes of the attack to shut it down, preventing a far more serious incident, the company said.

The situation once again demonstrates how human error remains a key factor in the success of cyberattacks, and the risk that increasingly sophisticated social engineering campaigns pose to the enterprise, Jeff Lunglhofer, Coinbase's CISO, noted in the blog post.

While "situations like this are never easy to talk about," Coinbase revealed and detailed the attack in the interest of transparency, as well as to help other organizations understand the potential risks from smishing in order to protect themselves from similar incidents, he said.

"They are embarrassing for the employee, they are frustrating for cybersecurity professionals, and they are frustrating for management," Lunglhofer wrote. "But as a community we need to be more open about issues like this."

**What Happened in the Coinbase Cyberattack **

Coinbase is a cryptocurrency exchange with more than 1,200 employees worldwide and more than 108 million verified users, making it an attractive target for financially motivated threat actors, Lunglhofer said.

The recent attack occurred on Sunday, Feb. 5, when the mobile phones of several Coinbase employees received SMS messages indicating that they needed "to urgently log in" to their Coinbase accounts via a link "to receive an important message," according to the post.

While most of the targeted employees ignored the message, one didn't, clicking on the link and eventually providing threat actors with their username and password. Attackers then proceeded to log in to the Coinbase system using the legitimate employee credentials, but couldn't provide the correct MFA credentials and thus was blocked from access.

While many attacks would stop here, this one didn't, most likely because the attacker "is associated with a highly persistent and sophisticated attack campaign that has been targeting scores of companies since last year," Lunglhofer wrote. That Okta attack spree, dubbed Oktapus by the researchers at Group-IB who discovered it, resulted in the compromise of 9,931 thousand accounts of more than 130 organizations.

Twenty minutes after the initial SMS message, the phone of the compromised employee rang. On the line was the attacker, claiming to be from Coinbase corporate IT and in need of the employee's help. The employee once again believed the request was legitimate and followed attacker instructions, logging in to the Coinbase system and responding to what became increasingly suspicious requests from the attacker.

The employee's actions gave up "some limited contact information" for Coinbase employees — including names, email addresses, and some phone numbers — but did not expose any customer info or other sensitive data, nor did the attackers gain the ability to steal Coinbase crypto, the company said.

Eventually, Coinbase's CSIRT intervened and reached out to the smishing victim to ask about unusual behavior and usage patterns associated with their account, and the employee terminated communication with the attacker, he wrote. CSIRT then suspended the employee's account access and launched an investigation.

**Why "Smishing" Attacks Are Successful**

In this case, the cleanup after the attack was "relatively quick," Lunglhofer said. However, the incident provides useful takeaways as to why sophisticated, socially engineered phishing attacks are still so successful even though they've been occurring since the emergence of the mainstream Internet, and the fact that there's broad awareness of them.

One important point to note is that even the savviest cyber-aware person can be fooled by a clever, socially engineered attack because of humans' natural tendency to want to "get along" and "be part of the team," Lunglhofer noted. "Under the right circumstances nearly anyone can be a victim," he wrote.

Indeed, research shows that the human factor remains one of the top reasons data breaches occur. This means that using the excuse that successful phishing scams are merely an employee "training problem" is a cop-out, and organizations have to put in place a proactive cyber-defense system that can act quickly in the case of employee compromise, Lunglhofer wrote.

Coinbase provided a list of the attackers' tactics, techniques, and procedures (TTPs) to help enterprises prevent attacks or recognize suspicious login attempts on the corporate system. In particular, login attempts to corporate applications from third-party VPN services should be flagged as suspicious, as they may be using stolen credentials, cookies, or other session tokens, Lunglhofer observed.

Coinbase Crypto Exchange Ensnared in 'Oktapus'-Related Smishing Attack

Fintech has drastically shifted the financial services industry toward digital technologies and, in so doing, has introduced a variety of new risks.

As with every other sector that has embraced digital transformation, cybercrime has become a more prominent threat in finance. According to VMware's Modern Bank Heists study, since the COVID-19 pandemic, there have been 238% more cyberattacks on companies in the financial sector, a shocking rise.

The recent string of attacks on DeFi platforms shows clearly how fintech companies tend to be a big prize for bad actors. Fintech apps, especially, tend to offer the potential for massive payoffs. Attackers can also cause more damage by targeting users of the tech, who may implement less rigorous cybersecurity measures. One malicious app can strip fintech users of their assets and leave the fintech company with a reputation in shambles.

Fintech companies are having to rethink how they approach their identity and access control strategy to ensure that their platforms are equally trusted by both consumers and businesses. As this industry continues to adapt to the cloud, it's imperative that the proper controls be put in place to retain an organization's security posture — and this comes with its own array of challenges.

**Why Fintech Applications Are Hard to Secure**

Cloud development has made new types of apps possible and existing apps work better than ever. However, it has also generated new opportunities for misconfigurations, human error, and identity management issues, and it has rapidly expanded potential attack surfaces. Because fintech apps are leveraging a massive range of technologies, this continues to be one of the most challenging areas when it comes to security.

Whether moving a legacy app to a new and better cloud-based architecture or expanding existing capabilities, any type of change leaves an organization vulnerable at cloud scale. This can make the blast radius of a single attack much larger, since an infrastructure's attack surface now expands and is dynamic in the cloud.

Fintech applications also must meet tight regulatory standards that vary around the world, and often face steep fines for noncompliance. For example, in 2019, the Spanish DPA fined a financial service provider 1 million euros due to an insufficient legal basis for data processing, which violated General Data Protection Regulation (GDPR). Operating in the financial realm means providing a higher level of accountability to customers and across the industry, which can be a tall order. Fintech demands that organizations ensure visibility, reliability, and correct configuration.

To stay competitive in this very crowded arena, fintech companies need to keep a tight grip on security and privacy from day one of development, especially as third-party services continue to grow.

**How Third-Party Services Can Increase Security Challenges**

As fintech organizations become more dependent on vendors and other partners such as manufacturers, suppliers, and subcontractors, as well as increasingly complex supply chains, they also become more exposed to attackers. Respondents from CRA Business Intelligence's recent Third-Party Risk Survey believe that third parties are increasingly the cause of IT security incidents, with more than half of all respondents (57%) reporting they were victims of an IT security incident — either an attack or a breach — related to a third-party partner in the past 24 months.

Organizations often lack visibility into third- and fourth-party partners, and with that, the vast scope of data accessible to them. In today's software-centric world, interoperability is essential, but it often leaves organizations even more vulnerable to attackers. Fintech developers must remain constantly alert for potential software supply chain issues and the security challenges third-party services can bring to their organizations.

**Remaining Compliant Amid Tight Regulatory Standards**

In direct response to recent high-profile cases of fraud within cryptocurrency, regulators are beginning to pay even closer attention on the already highly regulated space, creating a challenge for fintech applications and companies to stay on the pulse of these changes and remain compliant and protective of their sensitive information. According to Gartner's Fintech in 2022 Report, fintech leaders ranked regulatory challenges as the top threat to their business right now.

In the midst of these shifting regulations and requirements that vary around the world, including Payment Card Industry Data Security Standards (PCI-DSS), Anti-Money Laundering (AML)/ Know Your Customer (KYC), and newly established California Privacy Rights Act (CPRA) regulations, companies are being pushed to button up their data protection and privacy standards. So, how can businesses remain compliant?

Every enterprise must know who has access to the data and applications, their location, and what they do with it. As threats continue to grow exponentially within fintech, implementing identity and access management (IAM) tools will be essential.

It's important for an enterprise to have the proper technology and processes in place to not only ensure they remain compliant with industry regulations, but also provide consistent protection for their sensitive data, especially in the cloud. IAM tools, for example, provide organizations security that won't slow down development or add more work for their teams.

The security threats posed by financially motivated cybercriminals will unfortunately only become increasingly sophisticated. The fintech industry is faced with much pressure to protect sensitive customer data and needs to be prepared for cyber threats by establishing a proactive security posture and robust identity and access management strategy that can handle the complexity and scale of today's cloud security challenges.

Third-Party Providers Create Identity and Access Control Challenges for Fintech Apps

An Israeli university is being blackmailed by hackers. However, they aren't just after money but are looking to send a political message — and maybe something more.

Israel's top technology school, Technion Israel Institute of Technology (IIT), is the victim of a ransomware attack by the DarkBit hacker group, which has demanded an 80-Bitcoin payout (around $1.7 million at press time) in a ransom note laden with anti-Israel sentiments.

The university reported the attack on Feb. 12, a day after the threat actor compiled the payload, according to a report from BlackBerry.

"That might suggest DarkBit maintained the initial access to the victim's network sometime before that, while the implant was compiled a few hours before the attack materialized," says Dmitry Bestuzhev, a threat researcher at BlackBerry.

BlackBit also warned IIT that if the organization did not pay the ransom within 48 hours, the amount would jump 30%.

The extent of the damage, the origin of the breach, and the initial infection vector have not been publicly released.

The Golang-based ransomware possesses several notable features, such as the ability to accept command-line arguments and function independently. Its default mode involves encrypting the victim's device by utilizing AES-256, impacting numerous file types. Additionally, it employs the method of multithreading to ensure quicker and more effective encryption.

Bestuzhev tells Dark Reading that based on the ransom note, and threat actor's Twitter account and Telegram profile, the main motivator for the attack is geopolitical rather than financial.

An additional motivator — revenge — was indicated through a DarkBit tweet and the text of the ransom note, which alludes to the possibility that a vengeful former tech employee may be leveraging insider knowledge of tooling and software to carry out the attacks.

"A kindly advice to the hight-tech \[sic\] companies: From now on, be more careful when you decide to fire your employees, specially \[sic\] the geek ones. #DarkBit," the tweet stated.

While the statement could be a red herring, it's worth noting that insider threats — for example an angry employee who has been fired, or a disgruntled worker trying to cause some damage to the enterprise — are a growing concern for security professionals.

The commentary on Telegram, Twitter, and the DarkBit website also displays hacktivist motivations against Israel.

Bestuzhev says that targeting a university creates noise, and since geopolitics is the agenda, the goal is to spread the message.

"With many students and associates who can't study and work, it serves as a message amplifier," he says. "From the attacker's perspective, it's a great target to reach as many people as possible."

**Multiple Motivations: Political, Financial, Personal**

Melissa Bischoping, director of endpoint security research at Tanium, agrees this attack touches on multiple motivations — political hacktivism, revenge, and financial gain.

"Whoever is behind DarkBit has included comments in their ransom notes about their stances on political regimes as well as comments regarding layoffs and terminations of technical employees," she says. "It remains to be seen if this is an entirely new group or an offshoot of a previous gang."

She points out that ransomware is increasingly used as a weapon in geopolitics, because it can be easily purchased and deployed, and it can deliver high-impact destruction quickly.

"Ransomware operators are not concerned with remaining undetected," Bischoping says. "In fact, it's quite the opposite — they want to send a message, cause damage, and get paid."

She explains that universities can be popular targets because they often have understaffed IT departments and many endpoints to manage and secure, leaving multiple openings for a compromise.

"It wasn't a random attack, as DarkBit's social media as well as their ransom note indicate clear political stances and motives against the Israeli government and its associated organizations," she adds.

**Murky Intentions May Mask Something Worse**

Darren Guccione, CEO and co-founder at Keeper Security, says it's inadvisable to assume a threat actor’s only motivations behind a ransomware attack, or any other type of malware offensive, are the ones that seem obvious or are spelled out by the threat actors themselves.

"While ransomware is typically used to get paid, it could also be nothing more than a smoke screen or bonus payday as the threat actors work to compromise a target’s system or IT infrastructure in other ways," he says.

"No matter the threat actor’s apparent or true motivations behind this attack, a full investigation must be done to evaluate the scope of the cyberattack and remediate the damage," Guccione says.

As with all ransomware attacks, he advises against paying the ransom to deter future attacks of a similar nature.

"Organizations should also consider implementing a zero-trust, zero-knowledge architecture to mitigate the damage of any future cyberattack," Guccione says.

Israel's Top Tech University Targeted by DarkBit Ransomware

By implementing tools that enable internal users to do their jobs efficiently and securely, companies reduce insider threat risk by building insider trust.

Cloud technologies enable people to collaborate, enhancing distributed workforce models with automation. Organizations continue to invest in these technologies so that they can reduce overhead and optimize revenue. According to Flexera's 2022 "Tech Spend Pulse" report, 74% of respondents said digital transformation was one of their top five priorities last year, and 69% said they slightly or significantly increased their spending on software-as-a-service (SaaS) technologies. However, everything comes with a cost. 

The asynchronous collaboration that enables business operations generates new security risks. Historically, insider threats focused on malicious or disgruntled employees seeking to steal information, often for financial gain. Today, insider threats more often mean that people made honest mistakes.

Organizations owe a duty to themselves, their customers, and their workforces to implement technologies that help insiders from becoming a threat.

**The Majority of Insider Threats Are Not Threatening Insiders**

When most people hear the term "insider threat," they think of corporate espionage, insider trading, or embezzlement. The phrase connotes theft and stealth that may make workforce members feel their company no longer trusts them. 

However, according to one report, while insider threats nearly doubled between 2020 and early 2022, 56% of incidents arose from carelessness or negligence, while only 26% related to a criminal insider.

**Building Customer Digital Trust**

When companies focus on security and privacy, they center the conversations on building customer trust. Whether in a business-to-business or business-to-consumer organization, customers make buying decisions based on an organization's data protection capabilities. 

In the B2B space, customer due diligence and contracts validate security by requiring third-party audits and responses to questionnaires. Companies recognize that to sell their products or services, they must implement and maintain security and privacy controls.

At the B2C level, organizations have no contractual requirement to provide security and privacy validation, yet buyers do consider this when making purchases. McKinsey reports that consumers consider a company's security and privacy when making purchasing decisions, noting:

*   40% of all customers stopped doing business with a company that was not protective of customer data
*   53% of consumers make online purchases or use digital services only after making sure that the company has a reputation for protecting its customers data

To build customer trust, organizations implement tools that enhance their security posture. Unfortunately, in the process of protecting data, these tools create end-user frustrations or reduce productivity. These usability challenges mean that insiders try to find workarounds that lead to mistakes and insider threats.

**Building Insider Digital Trust**

Workforce members need to view security as an enabler rather than a burden. Too often, security and privacy professionals have been forced to choose between protecting data and ensuring workforce members can do their jobs. In the same way that organizations foster customer trust, they need to build insider trust.

By providing insiders with solutions that make security and privacy easier for them, organizations reduce the likelihood that people will find workarounds that undermine data protection objectives. When organizations think about their workforce members as consumers, they build internal trust that mitigates risk.

**Look for Zero-Knowledge Solutions**

Outside of their jobs, workforce members are consumers, meaning they consider privacy when making purchasing decisions. They want to know how their employer protects their information.

Organizations using zero-knowledge solutions protect themselves, but they also prove their commitment to employee data. A zero-knowledge solution never stores login credentials on its own servers. At the organizational level, this mitigates risks arising from a supply chain attack. 

A vendor data breach compromises employee information. A zero-knowledge solution protects employee privacy as much as it protects organizational security by protecting the contents of these communications, since the vendor never stores that information on its servers. By showing commitment to employee data, organizations build insider trust.

**Enable Security and Privacy Mindsets**

People rarely, if ever, want to be a data breach source. For example, when employees use a "share with a link" functionality in a cloud workspace, they just want to be helpful or get their jobs done. 

Security and privacy technologies should fit into how people already think about work. For example, end-to-end encrypted (E2EE) workspaces can provide the security and privacy organizations want with the end-user experience people expect. For example, an E2EE secure workspace builds security and privacy into people's daily activities by:

*   Encrypting data as they create it
*   Enabling them to send encrypted files, emails, and links

With these solutions, organizations implement security and privacy controls without blaming the end user. Workforce members feel trusted and respected.

**Leverage Automation and Workflows**

To build internal trust, organizations need to see security and privacy through their employees' eyes. People want efficiency. They want work-life balance. When security tools impact their efficiency, work time cuts into personal time. 

When choosing security and privacy solutions, organizations must consider how the technology impacts employee workflows. When faced with cumbersome tools, workforce members will look for more efficient solutions.

By implementing solutions that incorporate automation and workflows, organizations build internal trust. Technologies that reduce end-user frustration enable employees to build security and privacy into their daily tasks without compromising their personal and professional goals.

**The Circle of Digital Trust**

People are the reason technology exists. It enables them. It makes their lives easier. It helps them make decisions. People use technology.

Security and privacy professionals must consider people when implementing technologies. Too often, the industry focuses on external stakeholders: their customers. Organizations implement security and privacy technologies to gain external stakeholder trust. By paying less attention to internal stakeholders' needs, they often create security and privacy gaps.

Companies must close the digital trust circle. They must implement the tools that enable their internal users to do their jobs efficiently and securely. In doing this, they reduce insider threat risk by building insider trust.

Insider Threats Don't Mean Insiders Are Threatening

Open source has changed the software game from build or buy to assemble with care.

As the cybersecurity industry approaches conference season, it's incredible to see members of the community eager to share their experiences. One might argue that the call-for-speakers process offers a deep and broad snapshot of what's on the collective minds of the entire cybersecurity ecosystem. One of the most intriguing topics of discussion observed in this year's "RSAC 2023 Call for Submissions Trends Report" was in and around open source, which has become more ubiquitous and less siloed than previously observed. Modern software has changed, and with it comes promise and perils.

**Does Anyone Write Their Own Software Anymore?**

Not surprisingly, cybersecurity professionals spend a lot of time talking about software — how it's assembled, tested, deployed, and patched. Software has a significant impact on every business, regardless of size or sector. Teams and practices have evolved as scale and complexity have increased. As a result, "Modern software is being assembled more than it's being written," says Jennifer Czaplewski, senior director at Target, where she leads DevSecOps and endpoint security; she is also an RSA Conference program committee member. That's not merely an opinion. Estimates of how much software across the industry includes open source components — code that is directly targeted in attacks small and large — range from 70% to nearly 100%, creating a huge, shifting attack surface to protect, and a critical area of focus for everyone's supply chain.

Assembly of code creates widespread dependencies — and transitive dependencies — as natural artifacts. These dependencies are far deeper than the actual code, and the teams that are incorporating it also need to better understand the processes used to run, test, and maintain it.

Nearly every organization today has an unavoidable reliance on open source code, which has driven the demand for better ways to assess risk, catalog use, track impact, and make informed decisions before, during, and after incorporating open source components into software stacks.

**Building Trust and Components for Success**

Open source isn't just a technology issue. Or a process issue. Or a people issue. It really stretches across everything, and developers, chief information security officers (CISOs), and policymakers all play a role. Transparency, collaboration, and communication across all of these groups are key to building critical trust.

One focal point for trust building is the software bill of materials (SBOM), which grew in popularity after President Biden's May 2021 executive order. We're starting to see tangible observations of quantifiable benefits from its implementation, including control and visibility of assets, more rapid response times to vulnerabilities, and overall better software life-cycle management. SBOM's traction seems to have spawned additional BOMs, among them DBOM (data), HBOM (hardware), PBOM (pipeline), and CBOM (cybersecurity). Time will tell whether the benefits outweigh the heavy duty of care put upon developers, but many are hopeful that the BOM movement could lead to a uniform way of thinking about and approaching a problem.

Additional policies and collaborations, including the Securing Open Source Software Act, Supply chain Levels for Software Artifacts (SLSA) framework, and NIST's Secure Software Development Framework (SSDF), seem to encourage the practices that have made open source so ubiquitous — the collective community working together with a goal of ensuring a secure-by-default software supply chain.

The overt focus on the "cons" around open source code and manipulation, attacks, and targeting of it has given birth to new efforts to mitigate associated risk, both with development processes and reports, as well as technology. Investments are being made to avoid ingesting malicious components in the first place. This introspection and real-life learnings around software development, software development life cycle (SDLC), and the supply chain as a whole are incredibly beneficial to the community at this stage.

In fact, open source can greatly benefit … open source! Developers rely on open source tools to integrate critical security controls as part of the continuous integration/continuous delivery (CI/CD) pipeline. Continued efforts to provide resources, such as the OpenSSF scorecard, with its promise of automated scoring, and the Open Source Software (OSS) Secure Supply Chain (SSC) Framework, a consumption-focused framework designed to protect developers against real-world OSS supply chain threats, are just two examples of promising activities that will support teams as they assemble software.

**Stronger Together**

Open source has and will continue to change the software game. It has affected the way the world builds software. It has helped speed time to market. It has stimulated innovation and reduced development costs. Arguably, it's had a positive impact on security, but work remains to be done. And building a more secure world takes a village coming together to share ideas and best practices with the greater community.

Modern Software: What's Really Inside?

What's scarier than keeping all of your passwords in one place and having that place raided by hackers? Maybe reusing insecure passwords.

A few months ago, LastPass suffered a significant breach. Hackers got both the source code and user data, including encrypted secret vaults and plaintext metadata. This is not the first breach LastPass had suffered.

This breach put in me a weird situation. I'd been a champion of using secret vaults for a few years now. After a brief period of trial and examination, I chose LastPass even though it had been breached before. Being happy with the experience despite its quirks and a trying onboarding, I recommended its use to anyone I cared about — my family, friends, and colleagues. I helped them onboard and generate random passwords, install the app everywhere, and come up with a really good master password. In some cases, this wasn't easy and took a lot of guidance and convincing on my part.

The obvious fact I had failed to realize at the time was that a recommendation as strong as that comes with an implicit responsibility. When those people see a major news article about their passwords belonging to hackers now, they reach out to me for questions. They are right — I got them into this mess, didn't I?

**Why Evangelize Secret Managers?**

I was not always convinced secret managers were a good idea, especially commercial ones with their own cloud infra. As a teen, I started off where more people do, using one "good password" for everything, appending a service-specific prefix or suffix to avoid straight password duplication. I also had the unfortunate experience of working in an enterprise that forced me to change my password every 30 days. The number appended to the end of your password was a token of seniority in that org. I reached some number in the 40s and was really proud of myself and how experienced I was. Of course, when you're proud of something, you really want to share it. And so we did.

I always knew that sharing the chunky part of my password across services was a bad idea. That knowledge became a reality when I started to understand how hackers leverage these common yet faulty tactics to their advantage. Appending two letters to your "good password" does nothing to stop an attacker from compromising one service based on a compromised password for the other. It only makes you feel good about complying with a bad policy. Fortunately, monthly password changes are now passe.

But my first attempt at solving my password problem was using my dad's custom-built bare C based password manager. It was very basic: encrypt and decrypt a text file. You pop the encrypted file on a shared drive and congrats, you have a secret manager! Of course, this has clear downsides, like no mobile support, auto-fill, or password generation. I also wrote my own cli-based interface on top of cloud and native keyvaults. It was great, but still, no utilities. I used these two options for a long while. I was still looking for solutions with those utility features, but anything with the word "cloud" in it was denied at the doorstep.

Then I took an advanced crypto course as part of a masters in computer science. The beauty of Merkel trees and zero knowledge proofs excited my imagination and made me devour the Web in search of real-world applications. I encountered a scientific paper describing secret vaults, and the idea just clicked. Of course, it makes perfect sense! The only way for my passwords to be truly secure is to assume the vault provider is malicious and still be confident that they can't accomplish anything significant. I had reached the conclusion that a password manager that follows the theory would be safe to use.

The other threat vector to get my password is a malicious vendor or party within that vendor. They could, for example, steal my master password from the client application, making the theorized protections irrelevant. After reading though reviews putting different password manager clients under scrutiny, I became convinced that the implementations are up to standards and it's time to migrate.

Several years afterwards, I found myself with hundreds of auto-generated passwords managed by my password manager. I had also been able to convince the people I care about to go through that journey too. I was really happy about it.

**What If My Vault Gets Breached?**

If hackers actually get access to my plaintext passwords, I will be in a world of hurt. I do have MFA enabled on anything important, but MFA-anyway is notoriously hard to pull off. Just thinking about rolling all those passwords manually gives me a headache. I don't see myself being able to convince my family to do it for their accounts too.

In short, this scenario would be catastrophic.

_**Wait, Didn't Your Password Manager Just Get Breached?**_  
Well yes, most definitely. One colleague who chose LastPass on my advice recently asked me two questions after reading a concerning article. What happened? and How should he react?

My answer for the first question couldn't be worse. Hackers compromised both code and data. Data contains our vaults, with plaintext metadata including email addresses and our encrypted passwords.

My answer to the second question was very different. There is no indication of the hackers stealing master passwords by abusing the client. We can assume that didn't happen or we would see a whole host of reproductions across the industry. So if your master password is strong enough not to be cracked and you have MFA on everything that matters, you are fine. If you still feel iffy, roll your important passwords.

Concrete steps to take if you were affected by the breach:

*   Roll your master password.
*   Enable MFA and roll passwords everywhere that matters.
*   If your master password was weak, I strongly advise you to roll all of your passwords.

_**How Can That Be? Aren't Those Answers Contradictory?**_  
The seemingly contradictory nature of these two answers shows just how powerful avoiding storage of sensitive data is.

LastPass got breached. Repeatedly. Attackers took everything there is to take. The impact is severe, but not catastrophic at least given what we know now. That's a brilliant property of the system's design.

Despite Breach, LastPass Demonstrates the Power of Password Management

The system based on deep reinforcement learning can adapt to defenders' tactics and stop 95% of simulated attacks, according to its developers.

A newly created artificial intelligence (AI) system based on deep reinforcement learning (DRL) can react to attackers in a simulated environment and block 95% of cyberattacks before they escalate.

That's according to the researchers from the Department of Energy's Pacific Northwest National Laboratory who built an abstract simulation of the digital conflict between attackers and defenders in a network and trained four different DRL neural networks to maximize rewards based on preventing compromises and minimizing network disruption.

The simulated attackers used a series of tactics based on the MITRE ATT&CK framework's classification to move from the initial access and reconnaissance phase to other attack phases until they reached their goal: the impact and exfiltration phase.

The successful training of the AI system on the simplified attack environment demonstrates that defensive responses to attacks in real time could be handled by an AI model, says Samrat Chatterjee, a data scientist who presented the team's work at the annual meeting of the Association for the Advancement of Artificial Intelligence in Washington, DC on Feb. 14.

"You don't want to move into more complex architectures if you cannot even show the promise of these techniques," he says. "We wanted to first demonstrate that we can actually train a DRL successfully and show some good testing outcomes, before moving forward."

The application of machine learning and artificial intelligence techniques to different fields within cybersecurity has become a hot trend over the past decade, from the early integration of machine learning in email security gateways in the early 2010s to more recent efforts to use ChatGPT to analyze code or conduct forensic analysis. Now, most security products have — or claim to have — a few features powered by machine learning algorithms trained on large datasets.

    

The decision flow of PNNL's AI-powered cyber defender. Source: DoE PNNL

Yet creating an AI system capable of proactive defense continues to be aspirational, rather than practical. While a variety of hurdles remain for researchers, the PNNL research shows that an AI defender could be possible in the future.

"Evaluating multiple DRL algorithms trained under diverse adversarial settings is an important step toward practical autonomous cyber defense solutions," the PNNL research team stated in their paper. "Our experiments suggest that model-free DRL algorithms can be effectively trained under multi-stage attack profiles with different skill and persistence levels, yielding favorable defense outcomes in contested settings."

**How the System Uses MITRE ATT&CK**

The first goal of the research team was to create a custom simulation environment based on an open source toolkit known as Open AI Gym. Using that environment, the researchers created attacker entities of different skill and persistence levels with the ability to use a subset of 7 tactics and 15 techniques from the MITRE ATT&CK framework.

The goals of the attacker agents are to move through the seven steps of the attack chain, from initial access to execution, from persistence to command and control, and from collection to impact.

For the attacker, adapting their tactics to the state of the environment and the defender's current actions can be complex, says PNNL's Chatterjee.

"The adversary has to navigate their way from an initial recon state all the way to some exfiltration or impact state," he says. "We're not trying to create a kind of model to stop an adversary before they get inside the environment — we assume that the system is already compromised."

The researchers used four approaches to neural networks based on reinforcement learning. Reinforcement learning (RL) is a machine learning approach that emulates the reward system of the human brain. A neural network learns by strengthening or weakening certain parameters for individual neurons to reward better solutions, as measured by a score indicating how well the system performs.

Reinforcement learning essentially allows the computer to create a good, but not perfect, approach to the problem at hand, says Mahantesh Halappanavar, a PNNL researcher and an author of the paper.

"Without using any reinforcement learning, we could still do it, but it would be a really big problem that will not have enough time to actually come up with any good mechanism," he says. "Our research ... gives us this mechanism where deep reinforcement learning is sort of mimicking some of the human behavior itself, to some extent, and it can explore this very vast space very efficiently."

**Not Ready for Prime Time**

The experiments found that a specific reinforcement learning method, known as a Deep Q Network, created a strong solution to the defensive problem, catching 97% of the attackers in the testing data set. Yet the research is only the start. Security professionals should not look for an AI companion to help them do incident response and forensics anytime soon.

Among the many problems that remain to be solved is getting reinforcement learning and deep neural networks to explain the factors that influenced their decisions, an area of research called explainable reinforcement learning (XRL).

In addition, the robustness of the AI algorithms and finding efficient ways of training the neural networks are both problems that need to be solved, says PNNL's Chatterjee.

"Creating a product— that was not the main motivation for this research," he says. "This was more about scientific experimentation and algorithmic discovery."

Source

DARKReading