Revived levels of holiday spending have caught the eye of threat actors who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

As the holiday season barrels to a conclusion, malicious actors are attempting to take advantage of harried consumers by ramping up the volume of spam and phishing attacks in the form of unsolicited emails and email-based threats — and businesses stand to suffer.  

A report from Bitdefender Antispam Lab found the volume of Christmas-themed spam has increased consistently since Nov. 27, with spikes in unsolicited correspondence observed between Dec. 6 and Dec. 9.

Scammers are employing the tried-and-true tactics of bogus surveys, online holiday dating opportunities, adult content offers, and discount shopping for designer goods.

Major corporations, including Netflix and Lowes, have been among the spoof subjects, enticing consumers with exclusive offers and cash giveaways — the catch being they must first enter credit card numbers or banking information, of course.

A recent study found more than a third of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result.

Alina Bizga, security analyst at Bitdefender, explains that threat actors are savvy when it comes to targeting. The holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities.

"They update their tactics, and lures, and take note of consumer behaviors, timing their social engineering attacks to catch users off guard and steal sensitive personal data and money or compromise their devices and financial accounts," she says.

**Ramifications for Legitimate Businesses**

Bizga adds that when threat actors mimic a legitimate business to trick consumers into giving out their personal information or money, organizations may also suffer financial losses and reputational damages.

"Scams leveraging popular trade names that are proliferated via large-scale spam campaigns can impact both consumers and employees, and organizations need to have a clear action plan to minimize potential damages in the aftermath of a phishing scam," she says.

This includes identifying fraudulent communications, gathering information on the scope of the attacks, and notifying consumers and law enforcement.

Sam Curry, Cybereason chief security officer, says the annual glut of seasonal spam makes legitimate marketing for businesses much harder.

"When the bad guys try to look like legitimate marketing, legitimate marketing becomes less trusted and tolerated," he says. "If your email queue goes up to 200 junk emails a day, and you get tired of hitting delete 170 times, then you're more likely to hit delete on the buried legitimate marketing content than not."

For retailers, the fight against spam and phishing is twofold: protecting the customer and protecting the organization.

Curry points out now is the time when many retailers go into the black.

"They may make more in a few days than in some months in the rest of the year, which is why they freeze IT and changes and focus on servicing customers at scale," he says.

That means any hiccups now are even more painful as a result.

"In security, we measure risk in terms of likelihood and impact, and during the holiday season, impact goes up dramatically," he says. "That in turn changes the responses and contingencies of businesses, making them more likely to pay a ransom or to take drastic measures to fix issues and problems."

**Threat Actors Look for Quick, Easy Wins**

Bizga says that although cybercriminals are regularly adapting their tactics, techniques, and procedures (TTPs), the most common attack vectors seen throughout the holiday season include phishing, exploiting vulnerabilities and human error and misconfigurations.

"In addition, supply chain attacks can exploit access of third parties such as suppliers, distributors, or contractors to their ecosystem," she notes. "For example, breaching a small supplier may result in access to their much larger customer or entire customer base."

Michael DeBolt, chief intelligence officer at Intel 471, says cyber threat actors are always looking for quick and easy wins that result in considerable profit with a low degree of risk and effort.

"The end-of-year holiday period presents a unique window of opportunity for threat actors to increase illicit profits due to the surge in online activity as retailers and consumers transact goods and services, log into online accounts, ship and receive products, and more," he says.

**Keeping Alert Across the Organization**

DeBolt says retail organizations need to be aware of the latest spam and phishing campaigns targeting their customers.

Armed with this information, organizations can employ directed awareness campaigns warning customers of potential threats and how to avoid them.

He notes that security and fraud teams can take mitigating measures by adjusting controls within the environment to defend against account takeover (ATO) attacks.

"The same malware spam campaigns that target consumers can be used to target employees within organizations as well," he adds.

An infected machine belonging to an employee can include login information to remote network accesses or credentials to sensitive data storage, which can lead to theft of company information or as a foothold for a ransomware deployment into the company’s network.

"Perhaps the most important takeaway is that information security needs to be practiced and understood across the entire organization, not just \[by\] the network defenders," he says.

In the fight against spam and holiday season phishing, retailers need to give their customers proper information and channels through which they can report suspicious correspondence sent in their name.

Bizga says businesses should also establish seasonal awareness campaigns to inform consumers about any ongoing spam/phishing campaigns and notify the applicable domain name registrar to report fraudulent activity.

"Additional remedial efforts should include notifying law enforcement and legal bodies that can assist with legal actions and advise against malicious actors," she says.

**The Perils of Losing Customer Trust**

Patrick Harr, CEO at SlashNext, explains that bad actors leverage the brand recognition of major retailers and other businesses to lure their victims into a false sense of security.

"When a victim realizes they have been duped, it can cause them to lose trust in the brand, even though they of course had nothing to do with the actual scam," he says. "As we all know, losing consumer trust can lead to significant decreases in revenue," Harr says.

He advises retailers to deploy a strong brand protection service that checks for brand impersonation instances.

Once a scam or impersonation has been identified, a request must be filed, along with evidence to prove that it is illegitimate.

"This can take quite some time, however, so retailers should adopt an automated service that is continuously scanning and reporting these impersonations," Harr says. "It won't stop impersonations altogether, but companies that fight back make themselves less of a target for future impersonations."

Holiday Spam, Phishing Campaigns Challenge Retailers

Microsoft-owned GitHub is taking steps to secure the open source software ecosystem by rolling out security features to protect code repositories.

GitHub is making secrets scanning available for all public repositories and requiring all developers to enable two-factor authentication (2FA) for their accounts. The secrets scanning service will be available to all users by the end of January, and mandatory 2FA will be in place by the end of 2023, GitHub said.

**Scanning for Secrets**

The secret scanning service alerts developers when secrets such as application tokens and user credentials are exposed in code. Up until now, the service was available to paid enterprise users (via GitHub Advanced Security). The new policy will provide the service for free to all public GitHub repositories.

The service to scan for secrets helped identify 1.7 million potential secrets exposed in public repositories in 2022, GitHub said.

While the scanner can recognize over 200 known token formats, the option to define custom regex patterns is also available. 

“You can define custom patterns at the repository, organization, and enterprise levels. ... With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern,” the company said.

Developers will be able to find this option in their repository settings under Code security and analysis, where there is a section called Vulnerability alerts, and a Security tab. All secrets found by the service will be displayed in the same section, along with suggested ways to remediate the exposures.

**2FA For All**

The company has been talking about making 2FA mandatory across the platform, and the requirement will begin rolling out in March. Users will receive reminders 45 days prior to when they have to turn on 2FA, and their accounts will be blocked if 2FA is still not enabled seven days after the deadline, the company said.

Users required to enable 2FA include those who publish GitHub or OAuth apps or package, those who create a release, enterprise and organization administrators, and those who contribute code to other repositories.

“We’ll assess the outcomes of the rollout after each group–observing user success rates for 2FA onboarding, rates of account lockout and recovery, and our support ticket volume. This data will enable us to adjust our approach and more appropriately size and schedule remaining groups as needed to ensure a positive experience for developers, and support workloads GitHub can sustain,” GitHub announced.

GitHub Expands Secret Scanning, 2FA Across Platform

The 2022 FIFA Men's World Cup final in Qatar will be the most-watched sporting event in history — but will cybercriminals score a hat trick off its state-of-the-art digital footprint?

As Argentina and France prepare to face off in Doha for the final of the 2022 FIFA Men's World Cup, stadium staff and tournament organizers likely have more on their minds than whether Lionel Messi or Kylian Mbappe will claim the title of top goal-scorer. The event represents a vast cyberattack surface for both FIFA and the host nation of Qatar, security experts say — and ahead of the tournament's grand finale, cyber threats from all corners remain very clear and present.

According to FIFA, 2022 will end up being the most-watched tournament in history, followed by literally billions around the globe. On-the-ground numbers are impressive, too: Stadium Lusail, where the final will be played, is the biggest stadium in Qatar and has a capacity of the 88,966 spectators. Ticket sales for the World Cup have topped 3 million for an unprecedented 1.2 million visitors, which is equivalent to nearly half of Qatar's population.

That's a juicy target for not only financially motivated threat actors and hacktivists but also nation-state groups, who more often than not can get the ball in the back of the intelligence-gathering net when they want to.

**Smart Stadiums & the Digital Pitch**

The risks come from a few different places: social engineering efforts against fans and visitors being the most well known. What's less well known is the fact that Qatar has leaned in hard to the smart stadium concept, connecting its eight World Cup venues into one connected digital space.

A partnership between Johnson Controls' OpenBlue digital platform and Microsoft Azure, for instance, has enabled an artificial intelligence-based approach to physical security and operations, gathering data from edge devices and systems to identify when a security or safety issue has the potential to affect fans and players, or how crowd size and weather changes might affect energy efficiency and playing conditions.

Each stadium also has a 3D digital twin, an interactive digital model that provides live information on safety, comfort, and sustainability to a team of command center experts.

"With major sporting events becoming increasingly digitized, the attack surface for threat actors has also increased," a recent ZeroFox report on World Cup threats noted. "Qatar has constructed eight state-of-the-art 'smart stadiums' specifically for the World Cup, meaning sophisticated threat actors will almost certainly aim to compromise networks by exploiting vulnerabilities within interconnected stadium systems, including operational technology and Internet of Things (IoT) devices."

This raises the possibility of denial-of-service attacks or disruption on the order of the Olympic Destroyer threat, which took aim (largely unsuccessfully) at the Winter Games in Pyeongchang in 2018.

While it's not known what specific cyber defenses this first-of-its-kind footprint has in place, Qatar brought in a team of cybersecurity experts for a summit in March, and it has been working closely with Interpol's Project Stadia to enhance its security posture. So far, so good — but it's not over yet.

**Mobile Privacy Concerns**

Also, notably, there is a pair of mobile apps that everyone 18 and above entering Qatar for the World Cup is required to download, named Ehteraz and Hayya. Ehteraz is a COVID-19 tracking app, while Hayya is an app used for World Cup game tickets and accessing the Qatar metro system to move between stadiums.

At issue is the fact that Ehteraz has an extensive list of required permissions so that it can monitor locations and proximity to other app users; it can capture data from the device, automatically exfiltrate data from a user's phone, disable a lock screen, make calls from the phone, and access location services.

The Hayya app, meanwhile, is able to "access almost all personal information on a phone," according to ZeroFox, and can tap into location services and network connections between a phone and other networks.

Both apps potentially offer riches to cybercriminals. "When threat actors look to exploit an app, the end goal is to steal information that would be profitable — login credentials, personally identifiable information, email, credit cards, etc. — so that they can either sell it to actors who know how to further exploit or use the credentials and check to see if they can steal money or crypto from the victim accounts," says Adam Darrah, senior director of Dark Ops Collections at ZeroFox.

However, more shadowy risks also apply; the apps, with their broad set of access to personal data, are a perfect vector for espionage and creating fan chaos.

"When a nation-state or a motivated hacktivist group has you in their sights, they will find a way in," Darrah says. "All nations view an event such as the World Cup as a way to gather intelligence."

Regarding the COVID-19 contact tracing app for instance, the ZeroFox report noted, "Critics fear downloading the app could give the Qatari government access to privileged or sensitive content on a user’s phone. This is particularly notable if the user is breaking a Qatari law. It could also give Qatari authorities access to proprietary information contained on a company phone."

The firm recommended not installing the app on any phone with access to sensitive information, as a precaution.

**Facial Recognition at the World Cup**

Another wrinkle in the threat landscape for the World Cup is the vast facial-recognition footprint that Qatar has stood up in order to help respond to any threats of bodily harm to visitors and staff. Tensions famously run high at football (aka soccer) matches, but beyond run-of-the-mill hooliganism, some tourney-watchers are concerned that there could be a serious physical security incident.

To help thwart such a situation, the country has installed more than 15,000 cameras with facial recognition technology stationed throughout the eight stadiums and along roads and transportation infrastructure in Doha.

The benefits to physical security are myriad, of course. "Say a fan places a suspicious package close to a stadium entrance. When security personnel are alerted to this threat, staff can retroactively use facial recognition to trace the suspect's steps, determine where they are going next, and possibly pick them out in a crowd if needed," Terry Schulenberg, vice president of business development at CyberLink, tells Dark Reading. "The technology can even alert staff when a bad actor enters their area. Facial recognition will provide staff with the information they need."

However, critics have raised privacy concerns, a well-worn issue when it comes to facial recognition. After all, the population can't "opt in" to being scanned; the potential for surveillance by the Qatari government or advanced persistent threats (APTs) is there; and, it's unclear how the system handles the biometric data it collects.

"It would benefit them not to store faces in the cameras, workstations, or servers," Schulenberg says. "Rather, they could use software that identifies hundreds of vectors on a subject's face — such as the distance between the eyebrows — convert them into an encrypted file, send this file to a workstation or server, and compare its values with those of previously recorded subjects or those enrolled in a database. If it's being used, this more airtight facial recognition model will help security operators process camera feed data more quickly and securely."

If Qatar is not storing full images of attendees' faces, any unlikely leak of facial recognition data would be unreadable without access to the specific software Qatar is using, he stresses. 

**Thwarting Social Engineering Threats**

And finally, utterly predictably, phishers and scammers have been drawn to the event, using World Cup-themed lures, malicious mobile apps, and bogus ticketing websites to harvest data and steal funds from unsuspecting fans. In fact, Kaspersky said this week that its researchers have seen fake tickets being sold for as much as $4,000 a pop.

Group-IB's Digital Risk Protection team recently said it has detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the world's largest sporting event. The researchers also uncovered more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

Patrick Harr, CEO at SlashNext, notes that FIFA and any World Cup host nation can take action to protect aficionados of the beautiful game from social engineering.

"FIFA could ensure its security program includes brand impersonation identification, remediation, and a takedown service," he says. "With this type of security control, FIFA could safeguard their millions of fans, so they don’t accidentally engage with malicious content while following the news on their favorite teams."

Eyal Benishti, founder and CEO at Ironscales, notes that FIFA also should be focusing on raising awareness, sounding a loud drumbeat to fans.

"They should be told to avoid clicking on links behind QR codes, stay away from SMS messages asking to validate or verify, and to go directly to the official FIFA domain only, to interact and purchase tickets," he says. "Send out clear communication to the future guests on the guidelines, what to expect and what to be on the lookout for."

He also pointed out that World Cup employees have also been targeted throughout the tournament, bringing up another layer of responsibility for organizers.

"For the FIFA organization and businesses of Qatar, focus on what you can control, like making sure your internal employees are educated and aware of the probability of fake emails and fake support requests that will spike," he says. "If they receive requests that seem out of place, always validate with the sender via phone or alternate communicate method. Be extra cautious and ensure the proper communication and education are taking place for your employees."

**Cybersecurity Lessons to Be Learned**

Qatar's World Cup hosting duties may be coming to a close, and hopefully without a major cyberattack marring the experience, but there are lessons to be learned when it comes to implementing good security for such a sprawling endeavor. 

Whether it's an attack on infrastructure, privacy concerns, or the phishing glut that has surrounded the tournament, the time is now to be thinking about risk mitigation for future events, like the upcoming 2023 FIFA Women's World Cup next summer.

Researchers say that it's especially crucial to conduct an assessment once all is said and done, ideally using threat intelligence and data from this winter's event — given that it's likely that many of the pioneering technologies that Qatar put in place for the tourney will be tapped for future tournaments. For instance, stadiums across the US, which is a co-host of the 2026 FIFA Men's World Cup, are already using facial recognition tools for staff and fan entry, ticket verification, and contactless payments.

"An event the size and scale of a World Cup represents rich pickings for the criminally inclined, with millions of visitors seen as millions of potential victims," Rob Fitzsimons, field application engineer at Telesoft Technologies, said in a recent column. "It is the responsibility of the host nation to ensure the safety and security of its guests — both physically and digitally."

He added, "Indeed, a continuous flow of real-time threat intelligence in advance of and throughout the tournament \[provides\] a greater understanding of the potential threats, and enables security professionals to better defend against them. Recognizing where vulnerabilities lie, and addressing these accordingly, will allow better protection of mobile networks, and help protect against targeted attacks … and, by monitoring and controlling the flow of information across these networks, it's possible to reduce the likelihood of more widescale attacks."

Cyber Threats Loom as 5B People Prepare to Watch World Cup Final

Patched several months ago, researcher reports how they used Spring Boot to sneak past Akamai's firewall and remotely execute code.

Akamai's Web application firewall (WAF) is intended to fend off potential attacks like distributed denial-of-service (DDoS), but a researcher discovered a way to bypass its protections by using complex payloads to confuse its rules.

The researcher, known as Peter H., along with Usman Mansha, said Akamai has since patched against the vulnerability, which was not assigned a CVE number. In the write-up, Peter H. explained how he used a vulnerable version of Spring Boot to bypass WAF protections.

"We ended up able to bypass Akamai WAF and achieve Remote Code Execution (P1) using Spring Expression Language injection on an application running Spring Boot," the GitHub explanation of the Akamai WAF RCE find explained. "This was the 2nd RCE via SSTI we found on this program, after the 1st one, the program implemented a WAF which we were able to bypass in a different part of the application."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Researcher Bypasses Akamai WAF

Microsoft warns enterprises should pay attention to a new botnet used to launch DDoS attacks on private Minecraft Java servers.

The persistence and spread of a newly identified botnet targeting private Minecraft Java servers has far wider ramifications for enterprises than bumming out a Biome.

Microsoft researchers revealed in a report published Dec. 16 that this new botnet is used to launch distributed denial-of-service (DDoS) attacks on Minecraft servers, which might sound like kid stuff. But enterprises should take note because of the botnet's ability to target both Windows and Linux devices, spread quickly, and avoid detection, the Microsoft team added.

It starts with a user downloading a malicious downloads of "cracked" Windows licenses.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the Defender team reported. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet."

The threat researchers suggest that organizations harden their device networks against these kinds of threats.

The group's analysis revealed most of the infected devices were in Russia.

**Enterprises Beware**

Factors including the sheer number of potential server targets and the general lack of cybersecurity protections on private Minecraft servers make this botnet something security teams should take seriously, Patrick Tiquet, vice president of security architecture at Keeper Security, tells Dark Reading.

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets," Tiquet explains. "Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future."

Beyond this particular malware, Microsoft's recommendations are a good idea for protecting the enterprise from all sorts of botnets besides just the Minecraft-focused sort, according to Vulcan Cyber's Mike Parkin.

"They're industry best practices — restricting access, changing default passwords to strong ones, enabling multifactor authentication, etc. — and should be implemented regardless," Parkin says. "While some of the techniques can be challenging to implement on some low-power IoT devices, deploying to best practices is the absolute minimum that should be happening."

New Botnet Targeting Minecraft Servers Poses Potential Enterprise Threat

Cybercriminal rats are at play: Several food suppliers and distributors have experienced hundreds of thousands of dollars in losses after fulfilling fraudulently placed orders for food and ingredient shipments.

Threat actors have typically used business email compromise (BEC) attacks to steal money from unwary organizations in recent years. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors around the country.

The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been going on since at least the beginning of this year and have cost several organizations hundreds of thousands of dollars in losses so far.

"While BEC is most commonly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products," the two agencies said in the joint cybersecurity advisory.

While the behavior has a certain rat-like scavenging quality to it, the goal behind these thefts often is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.

**A Fridge-Full of Incidents**

The advisory highlighted several examples — the earliest one going back to February — where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powered milk. The attacker used the actual name of the CFO but had an email address that contained an extra letter in the domain name than that of the real company. The food distributor fell for the scam and later had to pay their supplier more than $160,000 for the fraudulent shipment.

Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domain names belonging to legitimate companies to place the orders.

In another incident in April, an ingredient supplier received a request — purportedly from the president of another large food manufacturer — for pricing information for whole milk powder via the company's Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals, before realizing something was amiss. 

The FBI and FDA OCI alert mentioned other incidents as well where criminals attempted to pull off similar heists but were not successful. 

In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences — for example, an extra letter or substitute character such as a "1" instead of a lowercase "l." Their tactics have often included gaining access to a legitimate company's email system and using that to send fraudulent emails to targeted victims.

To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.

Losses continue to mount from BEC attacks, although the food theft scams are different from usual tactics where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI's Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are often victims as well. 

A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.

**The Big Takeaway**

The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization's defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber. 

"While using the BEC vector to steal finished food shipments or raw materials seems like a lot more work than simply fooling the victim into sending cash, that may have been the point," he says. "The threat actors here went for a novel scheme in order to slip under the radar and, possibly, steal more than they might have gotten from a single faked invoice."

Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the costliest form of cybercrime worldwide. "We've called BEC the kingpin of cybercrime in the past. Advanced technologies will make BEC a monster, particularly for global companies."

The FBI and FDA OCI urged organizations in the food sector to play closer attention to vetting new customers and vendors, especially to things like the new company's name and branding. 

"Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners," they noted. 

Organizations should look for additional punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.

FBI: Criminals Using BEC Attacks to Scavenge Food Shipments

A comprehensive data privacy program requires involvement from all parts of the business that deal with personal data.

Most organizations are ill-equipped when it comes to meeting upcoming compliance standards for data privacy, according to a new CYTRIO report focused on GDPR and California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Data Subject Access Request (DSAR) requirements.

However, the results also indicated that noncompliant companies are making progress moving up the compliance maturity curve by moving to automate processes.

A major stumbling block for nearly all organizations surveyed is the cost and complexity of data privacy management solutions.

Vijay Basani, CEO of CYTRIO, says the most concerning surveying finding was that 52% of respondents who said they need to comply with the CCPA and CPRA do not provide a mechanism for consumers to exercise their data privacy rights.

"This means more than half the companies are electing to ignore data privacy and do not feel they need to respect the rights of consumers and their customers," he says.

Organizations that are still using error-prone and time-consuming manual processes for GDPR and DSAR requirements could be doing so because they are receiving a very low volume (one to five per year) of data requests.

"This could be a function of consumers not being aware of their data rights, such as right to access, right to delete or do not sell my information, and lack of active enforcement and fines for noncompliance in the U.S.," Basani says.

Bryan Cunningham, advisory council member at Theon Technology, explains that many compliance programs are run mostly by lawyers or financial professionals ill-equipped to evaluate technology and often "somewhat luddite" in their adoption of new technology.

"They are also highly risk averse and, partly because of their lack of understanding, skeptical that automated processes can ensure compliance without manual, human supervision," he says.

In addition, highly performant, trustworthy, and affordable technologies to do this type of work are not yet readily available, despite many vendors working to develop and sell solutions.

**Privacy Management Solutions Complex, Costly**

Most first-generation data privacy management solutions offer effective workflow automation capabilities but do not provide automated data discovery capabilities, Basani says.

Data discovery and identifying all personal information (PI) data belonging to a specific individual is the most time-consuming task.

"A typical company will save bits and pieces of PI data in many data stores, including structured databases and unstructured data stores, such as SharePoint, Office 365, Mailchimp, AWS S3, and so on, as well as SaaS applications such as Salesforce, HubSpot, and Shopify," he explains.

Developing technology to discover PI data in structured, unstructured, and software-as-a-service (SaaS) applications is not easy and requires significant investment.

"Technology tools that do this are costly to procure and take time to deploy," Basani says. "It requires various data stakeholders to collaborate during deployment and to respond to a data request."

To effectively respond to data subject requests, the solutions need to have visibility across a broad variety and significant volume of data store types and cloud environments, according to Claude Mandy, chief evangelist of data security at Symmetry Systems.

"The permissions and integrations required for responding to these requests are a challenge of complexity and scale," he says.

Adding to the cost for most solutions is the fact that many organizations have taken a traditional SaaS approach, requiring them to index this data to the solution provider's only environment, driving up storage and network costs.

**Keys to Holistic Data Privacy Management**

From Basani's perspective, a holistic data privacy policy should include both outward-facing communication clearly informing consumers that their PI data is being collected, and educating internal users and partners about the need to respect privacy and comply with data privacy regulations.

"Discuss what PI data is being collected, obtain consent from the consumers, share how the data is used, shared, stored, and processed," he says. "A privacy policy should clearly state what specific rights a consumer has about their personal data collected by the company."

It should also provide an easy mechanism for a consumer to exercise their data privacy rights, such as right to access or delete their information.

Stakeholders include legal and compliance teams, data owners, data processors, and data users in an organization.

Symmetry Systems' Mandy says a holistic data privacy policy should always start with an accurate and precise understanding of the personal information that an organization collects, uses, stores, and shares.

"It's only from an accurate understanding of information that organizations can reliably and transparently create a data privacy policy that reflects their actual practices," he says.

Refining the policy from the actual practice to desired state will require involvement from general counsel, security, privacy, and data teams.

"Most important are business stakeholders, who can describe how the personal information is used and why it is necessary," Mandy adds.

**Compliance Requirements Likely to Grow in 2023**

The CYTRIO report comes as a growing number of states weigh their own privacy legislation, following moves by California, Colorado, Virginia, and, most recently, Utah.

"We should expect data privacy compliance to continue to move forward in several states in 2023," Basani says.

He notes that as enforcement begins in several states, in addition to CPRA going to effect on Jan. 1, 2023, there will be enhanced consumer education about their data privacy rights.

"As CPPA turns its attention to CPRA enforcement with significantly more resources, we expect a meaningful increase in CPRA enforcement action and fines under CCPA/CPRA," he says.

Increased numbers of CCPA/CPRA fines and media coverage will result in greater consumer education about their data privacy rights, Basani adds.

"We saw this happen under GDPR in Europe, and we will see this happen with CCPA/CPRA," he says. "Employees’ rights to data privacy under CPRA should also increase the number of complaints and potential fines for noncompliance under CPRA."

As more states develop their own flavor of state privacy laws, the privacy landscape will continue to become more complex, adds Mandy Pote, managing principal of strategy, privacy, and risk at Coalfire.

"Organizations may find it difficult to keep up with new requirements – understanding applicability and determining reporting requirements," she says.

From her perspective, the best solution is to adopt a comprehensive data privacy program with the objective of implementing the most stringent set of privacy control requirements such that they follow current and future privacy laws.

"Rather than applying this program to certain systems or a certain subset of data, privacy should be blanketly implemented across the organization to ensure proper coverage," she notes.

Organizations Unprepared for Upcoming Data Privacy Regulations

Even without an overarching dictionary of common definitions, the concept of a secure access service edge (SASE) has spread, but a standard could help cloud services work better together.

During the coronavirus pandemic, organizations had to quickly adjust to the disappearance of central offices, employees working from home, and applications moving to the cloud.

The solution usually involved a combination of technologies — such as flexible networking infrastructure, identity and device-base security, and cloud-native applications and capabilities — continuing a trend identified by business analyst firm Gartner in 2019, which dubbed it the secure access service edge, or SASE (pronounced "sassy").

The SASE collection of cloud-centric technologies focuses on the identity of users and devices, granular access controls, functionality pushed to the network edge, and a de-emphasis on data centers — essentially, it's a combination of security technologies and software-defined wide area network infrastructure, commonly referred to as SD-WAN.

The term, however, quickly became a buzzword in the industry, with companies claiming to be SASE-compliant or have products that supported SASE. For that reason, nonprofit industry association MEF — a global industry association focused on network, cloud, and technology — decided this week to create a standard lexicon for SASE technologies and services that defines service attributes, a framework and common definitions, and a zero-trust framework.

The goal is to make services communicate better about capabilities and to make features — especially security features — interoperable across infrastructure, says Stan Hubbard, principal analyst with MEF.

With SASE, "the user can be anything and anywhere, and security and network functions can be distributed away from the enterprise data center to maximize the availability of high-performance edges and security clouds," Hubbard says, adding that "SASE standards are key to addressing the top two SASE service provider challenges which impact growth and efficiency in the market — customer education and lack of an industry standard."

**SASE Deployment Won't Wait for a Standard**

Gartner predicts that SASE will continue to grow quickly. By 2025, about 80% of companies expect to unify their Web, cloud services, and private application access using SASE, up from 20% in 2021, according to Gartner.

Yet, don't expect companies to wait for standards, says Andrew Lerner, vice president and analyst at Gartner.

"We don’t expect the lack of standards to limit adoption, and we also don’t expect the ratification or creation of a new standard to instantly change anything in the market," he says. "With time, we suspect that more offerings will emerge to achieve a certification, but vendors are not waiting, and enterprises aren't waiting either at this point."

The adoption is also driven by industry consolidation and organization's focus on simplifying their enterprise infrastructure. By 2025, about two-thirds (65%) of enterprises will consolidate a variety of SASE components into one or two SASE vendors, a massive increase from the 15% of companies that did so in 2021, according to Gartner.

Network technology and security firm Palo Alto Networks has seen similar industry consolidation. One customer, for example, simplified from nine products and five vendors down to a single SASE product, says Matt De Vincentis, vice president for SASE for the company, which is not a member of MEF.

"Almost every enterprise is trying to reduce the number of security tools and vendors that they have," he says. "Every time there is a new security vulnerability or availability issue, a new group of startups pop up to propose a solution. It's becoming unmanageable for customers."

**MEF Boosts the SASE Conversation**

Yet, with vendors and service providers claiming to have SASE products, both customers and partners need to establish a common dictionary and a common understanding of what capabilities SASE products should have, says MEF's Hubbard.

MEF has created standards, certification programs, and automation tools for the network, cloud, and service provider industries. The latest effort defines standards that define the attributes of SASE services and provides a framework for those services, while a second proposal creates a zero-trust framework for security services using identity, authentication, policy management, and access control to protect and secure organizations' data, systems, and networks.

"The SASE vendor ecosystem lacks common terminology leaving organizations challenged to compare SASE feature sets and solutions," Hubbard says. "Standards help simplify offerings and provide clarity for organizations when selecting SASE services. Choices can be made based on industry-standard features and common definitions allowing for easier evaluation and faster decision making and implementation."

With SASE Definition Still Cloudy, Forum Proposes Standard

The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.

State-sponsored advanced persistent threat (APT) Charming Kitten (aka TA453), which is purportedly linked to the Islamic Revolutionary Guard Corps (IRGC), has updated its phishing techniques, and is using malware and more confrontational lures, possibly in service to kidnapping operations.

Since 2020, Proofpoint researchers have observed variations in phishing activity by the APT (which also overlaps with the groups Phosphorous and APT42), with the group employing new methods and targeting different targets than in the past. In the latest campaigns, researchers have observed more aggressive activity, which could be used to support attempted "kinetic operations" from the IRGC, including murder for hire and kidnapping, researchers said.

"TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting," a Proofpoint report out this week concluded. "Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations."

**Hacking E-Mail Accounts**

In 2021, Proofpoint documented TA453 spoofing two scholars at the University of London to try and gain access to email inboxes belonging to journalists, think tank personnel, academics, and others. In August, Google researchers said the hacking team had started employing a data-theft tool targeting Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials. Intelligence gathered from email conversations could be used for location tracking and more. 

One campaign that researchers observed against a former member of the Israeli military was threatening and disturbing in that regard, Proofpoint's report noted.

"TA453 utilized multiple compromised email accounts, including those of a high-ranking military official, to deliver a link to the target," researchers explained. "The use of multiple compromised email accounts to target a single target is unusual for TA453. While each of the URLs observed were unique to each compromised email account, each linked to the domain gettogether\[.\]quest and pointed to the same threatening message in Hebrew."

The message read: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in Tel Aviv, in \[redacted\], in Dubai, in Bahrain. Take care of yourself."

**Updated Cyber-Targets for Charming Kitten**

Previous Charming Kitten email campaigns had almost always targeted academics, researchers, diplomats, dissidents, journalists, and human rights activists, using web beacons in message texts before eventually attempting to tap the target's credentials. Such campaigns can start with weeks of innocuous conversations on accounts created by the actors before launching the actual attack.

The new campaigns have targeted specific researchers in the medical field, an aerospace engineer, a real estate agent, and travel agents, among others, wrote Proofpoint researchers Joshua Miller and Crista Giering in a post this week.

In some cases, TA453 relies on a fictitious person, "Samantha Wolf," as bait. Proofpoint researchers first identified the persona in mid-March when the associated Gmail account was included in the bait content of a malicious document.

"Samantha's confrontational lures demonstrate an interesting attempt to generate engagement with targets not seen from other TA453 accounts," the report noted.

The Proofpoint report said it could state "with moderate confidence" that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force, which carries out physical operations.

In May, Israeli intelligence agency Shin Bet identified Iranian intelligence services' phishing activity designed to lure targets to kidnap them, Proofpoint noted.

"Based on the indicators provided, Proofpoint correlated this activity with TA453 campaigns from December 2021 in which campaigns attributed to TA453 used a spoofed email address of a reputable academic ... to give a researcher an 'Invitation to Zurich Strategic Dialogue Jan-2022,' " according to the report.

Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping

The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.

The Chinese APT group MirrorFace attempted to influence the elections for the Japanese House of Representatives this year, an investigation has revealed.  

According to researchers at European IT security vendor ESET, the group used spear-phishing attacks on individual members of a political party. The research team, which calls the campaign Operation LiberalFace, found the fraudulent emails contained the well-known malware LodeInfo, a backdoor used to spread malware or steal credentials, documents, and emails from its victims.

MirrorFace is a Chinese-language threat actor that targets companies and organizations based in Japan. It launched the attack on June 29, 2022, before the Japanese elections in July.

Under the pretext of being the PR department of a Japanese political party, MirrorFace asked the recipients of the emails to share the attached videos on their own social media profiles. This was allegedly to further strengthen the party's perception and secure victory in the Chamber of Deputies.

The message also contains clear instructions on the publishing strategy for the videos and was supposedly sent in the name of a prominent politician.

**Malicious Attachments**

All spear-phishing messages contained a malicious attachment that, when executed, triggered the LodeInfo malware program on the compromised machine.

LodeInfo is a MirrorFace backdoor that is under continuous development. Its functions include taking screenshots, keylogging, terminating processes, exfiltrating data, executing additional malware, and encrypting certain files and folders.

The sophisticated and ever-evolving LodeInfo has earlier been deployed against media, diplomatic, government, public sector, and think-tank targets, according to researchers at Kaspersky, who have been tracking the malware family since 2019.

A previously undocumented credential stealer, named MirrorStealer by ESET Research, was also used in the attack. It's capable of stealing credentials from various applications such as browsers and email clients.

"During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims," wrote ESET researcher Dominik Breitenbacher. "Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes."

There is speculation that this hacker group may be connected to APT10, but ESET could not find clear evidence of this or of cooperation with other APT groups in its analysis and is therefore pursuing MirrorFace as a separate entity.

The group reportedly primarily targets media, defense contractors, think tanks, diplomatic organizations, and academic institutions, with the goal of spying on and exfiltrating files of interest.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres, according to a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI.

The state-sponsored group RedAlpha APT, for example, has for years been targeting organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses.

Source

DARKReading