As CPRA went into effect on January 1, latest CYTRIO research says 91% of companies still uncompliant with GDPR; 92% not compliant with CCPA and CPRA.

**BOSTON — Feb. 15, 2023 —** CYTRIO, a next-generation data privacy compliance company, released its latest research report from Q4 2022 on companies’ preparedness to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). The fifth report shows that as of December 31, 2022, 92% of companies across all verticals, states, and business sizes are still unprepared for CCPA and CPRA, and 91% are unprepared for GDPR, using time consuming and error prone manual processes. CPRA and employees’ rights to exercise data privacy went into effect on January 1, 2023, requiring companies to deploy a CCPA/CPRA and GDPR compliance management solution to avoid fines and penalties.

"The requirements that companies are facing today related to data privacy regulations are steadily increasing," said Vijay Basani, founder and CEO of CYTRIO. "As the California Privacy Protection Agency (CPPA) turns its attention to CPRA enforcement, we will see a significant increase in enforcement actions. Additionally, as was the case with GDPR, media coverage of increasingly higher numbers of enforcement actions will educate consumers regarding their data privacy rights resulting in consumer requests under CPRA. Companies need to act now to implement solutions to comply with CCPA, GDPR, and other data privacy regulations."

GDPR continues to be actively enforced with fines totaling in excess of $2.5 billion and total number of fines under GDPR reaching 1,462 as of the end of Q4 2022.

Key findings of the research showed 53.2% of companies stated they need to comply with CCPA but do not provide a mechanism for consumers to exercise their data privacy rights. Further, 38.6% of companies are using expensive and error prone manual processes. Four percent of companies that were using manual processes in Q1 2022 moved to compliance automation solutions, while 11% of non-compliant companies moved to a manual process to comply with CCPA by Q4 2022, indicating companies are slowly moving up the CCPA/GDPR compliance maturity curve.

During Q4 2022, CYTRIO researched an additional 1,521 U.S. mid to large companies with revenues from $25 million to $5+ billion, bringing the total number of companies researched to 11,358 over five quarters. CYTRIO continued looking for trends among companies that were either non-compliant or partially compliant by comparing its compliance status to previous quarters.

This year, data privacy regulations go into effect in Virginia, Colorado, Utah, and Connecticut, while  several other states are expected to approve a data privacy regulation.

After Q3 2022 saw the first enforcement action under CCPA with Sephora being fined $1.2 million for violating the Do Not Sell My Information provision, last month, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and others that fail to comply with CCPA.

**About CYTRIO**

CYTRIO’s software-as-a-service (SaaS) data privacy compliance management platform helps organizations comply with data privacy regulations such as GDPR, CCPA, CPRA, VCDPA, CPA, and others. The company offers an all-in-one solution built on automation, AI-led data discovery, and automated response workflows. CYTRIO’s solutions are simple to deploy, deliver value in the first hour, and do not require dedicated privacy teams to manage. Learn more at www.cytrio.com and follow on LinkedIn and Twitter.

5th State of CCPA, CPRA, and GDPR Compliance Report Shows More Than 90% of Companies Are Not Compliant

**KANSAS CITY, Missouri, and MIAMI (****S4X23****) —**  In an effort to improve cybersecurity resiliency for critical infrastructure environments, 1898 & Co. is launching Managed Threat Protection & Response, a new proactive threat hunting and response capability to its existing Managed Security Services (MSS) solution. 1898 & Co. is the business, technology and cybersecurity consulting arm of Burns & McDonnell, a 100% employee-owned engineering, construction and architecture firm.

Since the beginning of 2020, cyberattacks aimed at sectors that are critical to society have increased by more than 400%. Of those attacks, 45% were ransomware attacks that targeted or impacted industrial control systems. Left undetected, cyber sabotage within critical infrastructure environments like the power grid and water systems result in service disruptions, infrastructure damage and negative impacts to the environment and to public health and safety.

Unlike other firms that focus mostly on information technology cybersecurity, 1898 & Co. is one of the first firms to apply their operational technology (OT) and industrial control systems (ICS) cybersecurity specialization into managed security services.  

“Managing security for ICS and OT is a rare capability for a reason: Critical infrastructure is a highly complex environment,” says Chris Underwood, vice president and general manager of 1898 & Co. “At 1898 & Co., our consultants live and breathe critical infrastructure. We’ve worked in the industry and for the industry, so we have a deep understanding of its challenges.”

1898 & Co.’s Managed Threat Protection & Response service, through intelligence enrichment and insights gained from collective defense information sharing, leverages a variety of indicators and tactics, techniques and procedures to provide 24x7 threat monitoring and detection. 1898 & Co.’s service also proactively hunts for possible intrusions within clients’ OT and ICS.

Industry analysts note that incidents in these environments are inevitable, however damage and fallout can be lessened through rapid detection and response capabilities. Additionally, regulatory measures continue to evolve in response to the heightened threats posed to critical infrastructure companies. For example, Federal Energy Regulatory Commission recently directed the North American Electric Reliability Corporation to develop reliability standards requiring Internal Network Security Monitoring standards. These new standards require power utilities to implement monitoring and detection and identify anomalous activity by way of regulatory mandate, a significant development for that industry.

“Cyber-related risk remains a top concern and consideration for every critical infrastructure company,” says Matt Morris, managing director of Security & Risk Consulting, 1898 & Co. “We continue to see increasing digitization, threats and corresponding regulation. Given the increasing talent shortage, keeping critical processes operational is getting more and more complicated. As specialists who focus on critical infrastructure cybersecurity, we uniquely understand how these environments are designed, built and operated, and we have an unmatched team of engineers and consultants at our back.”

The new capability and MSS services from 1898 & Co. are now available and uniquely leverages multiple on-premise monitoring and detection partner platforms, including Dragos, Claroty and Armis, with a limited number of platforms expected to be added over time. The MSS provides active response via CrowdStrike Falcon platform, an industry-leading security solution. The MSS service also provides the additional value of OT asset discovery, inventory and reporting to include vulnerabilities and network topology mapping.

1898 & Co. has also collaborated with various information sharing and analysis centers (ISACs) to access various industry-specific indicators of compromise and tactics, techniques, and procedures. Initial affiliates include the E-ISAC (electric utilities) and WaterISAC (water utilities), with additional ISACs on the roadmap.   
This summer, 1898 & Co. will launch an upgraded, next generation security operations center (SOC) for advanced protection and response.

**About 1898 & Co.**

1898 & Co. is a global business and technology consultancy that brings together a unique blend of engineers and industry leaders to deliver strategic business insights and solutions for critical infrastructure industries. We partner with clients to plan, invest, secure and optimize critical assets for a successful, sustainable future. For more information, visit 1898andCo.com.

**About Burns & McDonnell**

Burns & McDonnell is a family of companies bringing together an unmatched team of more than 13,500 engineers, construction and craft professionals, architects, planners, technologists, and scientists to design and build our critical infrastructure. With an integrated construction and design mindset, we offer full-service capabilities. Founded in 1898 and working from 70 offices globally, Burns & McDonnell is 100% employee-owned. Learn how we are designed to build.

1898 & Co Launches New Cybersecurity Service for Critical Infrastructure

The National Institute of Standards and Technology has settled on a standard for encrypting Internet of Things (IoT) communications, but many devices remain vulnerable and unpatched.

A new encryption standard for Internet of Things (IoT) should help advance security for these connected devices in businesses, manufacturers, critical infrastructure, and other sectors running this equipment.

But many of these devices continue to lag behind in cybersecurity functions and practices.

On Feb. 7, the National Institute of Standards and Technology (NIST) announced it had selected a group of cryptographic algorithms, known as Ascon, to be the formal encryption standard for "lightweight" electronic devices and their communications. The standard should help devices makers and their customers better secure the data and devices from attackers increasingly targeting operational technology even though such devices have limited processing power and storage.

The algorithms allow encryption protections for even the smallest devices, NIST computer scientist Kerry McKay said in the announcement of the standard.

"The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation," she said. "These algorithms should cover most devices that have these sorts of resource constraints."

**Why IoT Is Exploding**

Connected devices in business and industrial settings are a rapidly growing application driven by two major forces over the past three years. Initially, the pandemic spurred the need to support remote operations, while the current concerns of a recession are pushing companies to automate operations using connected devices.

For example, the Industrial Internet of Things (IIoT) — an umbrella term for connected devices that monitor and control physical systems and industrial processes — is predicted to grow dramatically. The number of industrial IoT connections — a measure of the number of devices deployed — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020, according to Juniper Research.

    

Self-assessed maturity of industrial firms. Source: Fortinet

However, the massive growth also brings a massive attack surface area. Vulnerabilities in the so-called Extended Internet of Things (XIoT), which includes both devices and the systems that manage those devices, jumped 57% in the first half of 2022 continuing a dramatic rise from the prior year. On the enterprise side, security researchers demonstrated 63 exploitable vulnerabilities in a variety of connected devices at this year's Pwn2Own, such as printers and network-attached storage.

Meanwhile, enterprise and industrial IoT devices and systems are often used for decades without regular updates, unlike conventional IT environments, which are replaced every three to five years and updated regularly in between, says Bill Malik, vice president of infrastructure strategies at cybersecurity firm Trend Micro.

"Right now, tens of thousands of industrial IoT environments are open to the Internet, either through carelessness or a lack of awareness of the risks," he says. "Many of these systems ship with default passwords, which are rarely changed by the use, and those systems are often incapable of being updated."

**Lightweight — but Not Light — Security**

The NIST standard aims to give even low-power devices a base level of cybersecurity by encrypting stored data and communications. The process took several years, starting with 57 candidates in March 2019, which were whittled down to 10 finalists in 2021. 

"The ability to provide security was paramount, but we also had to consider factors such as a candidate algorithm's performance and flexibility in terms of speed, size, and energy use," NIST's McKay stated in the Feb. 7 announcement. "In the end, we made a selection that was a good all-around choice."

Implementing the NIST standard will take time, as many IoT vendors are still catching up to cybersecurity best practices, with devices often lacking strong authentication capabilities, no easy way to distribute and install patches, and poor visibility into activity, including weak or nonexistent logging, Trend Micro's Malik says.

The level of maturity for the industrial sector in North America, for example, continues to lag behind other some other countries. Compared to the worldwide average of 57%, only half the companies (50%) in the region have adopted technologies that look for anomalous behavior or use automation and orchestration to manage and secure devices, considered the top two tiers of security maturity for operational technology, according to Fortinet's "2022 State of Operational Technology and Cybersecurity Report."

The risks to connected enterprise and industrial devices is growing, especially against the manufacturing sector, which accounted for 68% of observed attacks against industrial systems in the third quarter of 2022, according to Dragos, a cybersecurity services firm. Russia's invasion of Ukraine has created an online battlefield with threat actors on both sides targeting a variety of systems and devices, aiming at causing physical damage and disruption through cyberattacks.

As enterprises and industries continue to move toward ubiquitous monitoring and control, enabling smart factories, smart cities, and smart infrastructure, cyberattacks will become more impactful, Deloitte stated in its "Industry 4.0 and Cybersecurity" report.

**Detection Alone Is "Not Enough"**

Focusing on detection, however, is not enough, says Keao Caindec, a principal analyst with Farallon Technology Group and chair of the Security Working Group at the Industry IoT Consortium (IIC).

"A lot of the security controls that we use today, focus more on detection and remediation, a lot of monitoring and then prioritizing events and alerts," he says. "The problem is that leaves you always just one step behind the attacker, so companies need to really focus on addressing initial access, preventing compromised access, preventing unauthorized discovery and reconnaissance and preventing lateral attacks."

Yet the ability to protect enterprise and industrial IoT remains with companies, which should seek to gain as much visibility as possible into what devices are connected to their environments, Caindec says. He points to an already-pursued defensive framework, zero-trust architectures, as perhaps the best current approach to securing enterprise and industrial IoT devices and systems.

In addition, companies need to have the top decision makers on their side. Cybersecurity efforts are a significant investment, especially if they include replacing devices, so you need executive support, says Wendy Frank, cyber IoT leader with consultancy Deloitte.

"I think a lot of this comes down to really talking to your boards, making sure they're aware of the specific problems around devices, because they don't do this for a living," she says.

NIST's New Crypto Standard a Step Forward in IoT Security

De-shaming security mistakes and taking the blame and punishment out of incident reporting can strengthen security efforts both inside and outside of the workplace.

Your boss may respect work-life boundaries, but cybercriminals don't. Bad actors are increasingly targeting employees in social engineering scams that originate on their personal networks, with the ultimate goal of compromising the workplace. This year, chief information security officers (CISOs) should focus on how they can defend and protect employees beyond the walls of corporate systems.

Large high-profile tech companies are the most recent in a long line of organizations that have fallen victim to social engineering attacks. In 2023, there are bound to be more. Social engineering will be the leading root cause of major cyberattacks for the foreseeable future, for two reasons: They're cheap to execute, and they actually work. When one path — such as corporate email — becomes more difficult, attackers shift to other communication methods, including employees' personal platforms like texts, social media, or LinkedIn profiles. In fact, according to recent Tessian data, 56% of employees said they received a text message scam in the past year.

It's clear that security needs to extend outside of corporate walls, but there's an important balance that security leaders must strike to respect boundaries on employees' personal accounts and devices. Here's what should be top of mind when building a strategy to cover risks outside of the security team's reach. 

**Social Engineering Attacks Have Moved to Personal Channels**

While corporate email has historically been the main channel for social engineering scams, a combination of cybersecurity tools, strategies, and awareness training has made it more difficult for attackers to break through. As a result, attackers are moving to personal channels that aren't as well protected. 

In last summer's major Twilio breach, attackers targeted employees through their personal phone numbers and sent text messages posing as Twilio's IT department, rather than the traditional method of sending messages to a corporate email address. The text messages instructed employees to log in to a fraudulent Twilio website, which attackers then used to harvest employee credentials and breach the company's internal systems. Targeting personal devices can be especially effective, because people tend to give their phone numbers away less often than their email addresses, so there's a higher level of trust when receiving a text message that impersonates an employer.

**How to Protect Employees Outside of the Workplace **

De-shaming security mistakes and taking the blame and punishment out of incident reporting can strengthen security efforts both inside and outside of the workplace. Leaders should create a security culture where employees are encouraged to flag mistakes and suspicious activity, even if a personal account is breached on a company computer.

It's difficult for many employees to find and access simple, actionable steps to improve personal information security. There's a strong opportunity for security teams to provide curated resources to help employees, including arming them with resources to help their friends and family as well.

For example, some enterprise security vendors, including several password managers, provide employees with free personal versions of their tools as part of their B2B business. Another tactic is to develop an internal list of resources available to employees to help protect them in their personal lives. This can be quite efficient for improving the overall security of the workforce.

**How to Respect Employees' Personal Boundaries**

Trust is a crucial part of security. IT and security teams must respect boundaries when it comes to employees' personal devices and accounts. 

Being predictable and transparent is key to building trust and increasing engagement with employees. Having well-defined security support processes, including examples, can help employees know exactly what will happen when they reach out for support at work, or for support outside the workplace. For example, if an employee needs help with targeted phishing emails in their personal email, knowing ahead of time that the security team will not ask for remote access to their personal devices can increase their confidence and trust when they reach out for help.

One strategy that's worked quite well for my teams is to maintain a "transparency page" that provides high-level information about internal security practices such as logging and monitoring on laptops and other corporate systems. This way, employees are not surprised and can make informed, safe choices about personal data and usage (within the acceptable use policy, of course). 

Attackers will continue to evolve their social engineering strategies and cross whatever boundaries it takes to successfully execute a breach. Even when corporate systems and devices aren't the initial source of an attack, these tactics can compromise company systems, credentials, and data. Security teams must continue to evolve their strategies and expand their reach while respecting the personal privacy of employees and maintaining crucial trust.

How Security Teams Can Protect Employees Beyond Corporate Walls

Vladislav Klyushin and co-conspirators used SEC filings stolen from the networks of Tesla, Roku, and other publicly traded companies to earn nearly $100 million in illegal trades.

A former cybersecurity entrepreneur from Russia has been convicted for crimes related to insider trading conducted using information stolen from US computer networks, ultimately earning him and his co-conspirators nearly $100 million.

A jury in a US District Court in Boston convicted Vladislav Klyushin, aka Vladislav Kliushin, of conspiring to obtain unauthorized access to computers and to commit both wire fraud and securities fraud, according to the United States Attorney's Office, District of Massachusetts. He also was convicted on substantive counts of obtaining unauthorized access to computers, wire fraud, and securities fraud.

“The jury saw Mr. Klyushin for exactly what he is — a cybercriminal and a cheat," US Attorney Rachael S. Rollins said in a statement. "He repeatedly gamed the system and finally got caught."

The charges of securities fraud and wire fraud alone each provide sentence of up to 20 years in prison, while other charges each provide lesser penalties of up to five years in prison. All the charges also include substantial fines. Klyushin, 42, will face sentencing May 4.

Authorities arrested Klyushin in Sion, Switzerland, on March 21, 2021, as he was about to embark on a ski trip; he was extradited to the US later that year on Dec. 18. His conviction comes after a 10-day jury trial presided in a US District Court in Massachusetts.

Klyushin was charged alongside co-conspirators Ivan Ermakov and Nikolai Rumiantcev, former business colleagues who were employed at Klyushin's Moscow-based IT firm M-13, which offered penetration testing and so-called "advanced persistent threat emulation," according to its website. Two others involved in the crimes, Mikhail Vladimirovich Irzak and Igor Sergeevich Sladkov, also have been charged in a separate indictment; all four of Klyushin's co-conspirators remain at large.

M-13 did business with the Kremlin, which the company's website officially indicated as the Administration of the President of the Russian Federation and the Government of the Russian Federation, authorities said. Other customers included various federal ministries and departments as well as regional government bodies, in addition to commercial organizations and public entities.

**Trading Scam**

Klyushin and his colleagues also had an overtly nefarious side hustle: For about two and a half years between January 2018 and September 2020, they hacked into the computer networks of publicly traded companies — including Tesla, Capstead Mortgage, SS&C Technologies, Roku, and Snap Inc. — and used earnings and other information included in SEC files stolen from these attacks to make illegal trades on stock exchanges, including Nasdaq and the NYSE, according to trial evidence.

The attacks involved deploying malware that could harvest and steal employee login information to gain access to victim networks; from there, they stole earnings reports to gain access to information before it was made public.

The cybercriminals used proxy networks outside of Russia to conceal the origin of the activity, with many of the illegally obtained reports downloaded through a computer server located in downtown Boston — hence the site of the trial.

Armed with the information they stole, Klyushin and his cohorts used a company's financial performance data to know whether its share price would rise or fall, then traded based on that info via various brokerage accounts distributed across several countries —including Cyprus, Denmark, Portugal, Russia, and the US. When conducting business, the cybercriminals misled brokerage firms about the nature of their trading activities, according to trial evidence.

**How Their MO Ultimately Exposed Them**

Authorities ultimately learned what the crew was doing based on their patterns of trading and the return on investment, which ultimately gave them away, trial evidence revealed. For instance, the times of their profitable trades corresponded with the times in which the targeted companies reported being hacked, according to authorities.

Moreover, while Klyushin and his cohorts were raking it in — earning a return of more than 900% based on close to $100 million in earnings traded from $9 million in investment — the overall stock market wasn't doing nearly that well, authorities said. During the period of their crimes, the market returned just over 25%, they said.

Additionally, of the more than 2,000 earnings events around which Klyushin and his co-conspirators traded during the period of their activity, the victim filing agents filed more than 97% with the SEC. During the trial, testimony indicated that the odds of this trading pattern occurring without a relationship between the trading and the company itself was less than one in a trillion, according to authorities.

Of the total earned by the co-conspirators, Klyushin individually netted more than $38 million, including nearly $23 million on his personal trading and trading for M-13. He also earned more than $13 million on money he invested for others.

Russian Cybercriminal Faces Decades in Prison for Hacking and Trading Operation

Explosive growth of devices associated with the Internet of Things and operational technologies gives attackers a larger pool of targets.

Internet of Things (IoT) and operational technology (OT) devices represent a rapidly expanding, often unchecked, risk surface that is largely driven by the technology's pervasiveness, vulnerability, and cloud connectivity. This has left a wider array of industries and organizations vulnerable and opened the door for damaging infrastructure attacks. 

Microsoft recently identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. Keep reading to learn more about these cyber-risks to critical infrastructure and what you can do to mitigate them.

**IoT's Growth Has Outstripped Device Security**

Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. This includes traditional IT equipment, OT controllers, and IoT devices like sensors and cameras. Many organizations have adopted a converged, interconnected model of OT and IoT in recent years. This trend has caused attackers' presences in these environments and networks to grow exponentially.

IDC estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than traditional IT equipment. And although the security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace. Threat actors are exploiting these devices accordingly by compromising newly networked devices to gain access to sensitive critical infrastructure networks.

Take the recent Boa Web server vulnerabilities, for example. Microsoft discovered these vulnerabilities during an investigation of continued attacks on Indian power grid assets by Chinese state-sponsored groups. Despite being discontinued in 2005, the Boa Web server is still used by different vendors across a variety of IoT devices and popular software development kits. Data from the Microsoft Defender Threat Intelligence platform identified more than 1 million Internet-exposed Boa server components around the world over the span of a week. Without developers managing the Boa Web server, its known vulnerabilities create an opening for attackers to silently gain access to networks by collecting information from files.

**Nation-States Targeting Critical Infrastructure**

It is important to remember that attackers can have varied motives. Russia's cyberattacks against Ukraine, as well as other state-sponsored cybercriminal activity, demonstrate that some nation-states will target critical infrastructure in order to achieve military and economic objectives.

Threat actors have more varied ways of mounting large-scale attacks as the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use. 

Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments. This can be seen in instances like the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company's IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater than other industries.

Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small-office routers in order to compromise these devices as footholds. This provides new address space that is less associated with their previous campaigns — giving them a new foothold from which to launch future attacks.

**Secure Your OT and IoT**

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever.

If organizations are to secure their IoT and OT systems, there are a number of recommendations that should be put in place.

● **Identify your vulnerabilities:** It's important to map out business-critical assets in IT and OT environments so you can fully understand your landscape and its innate weaknesses.

● **Evaluate device visibility:** Next, you should identify which IoT and OT devices are critical assets by themselves and which are associated with other critical assets.

● **Perform a risk analysis on critical assets:** Focus on the business impact of different attack scenarios as suggested by MITRE. This publicly available knowledge base outlines common tactics, techniques, and procedures deployed by cybercriminals, and offers specific guidance for a variety of control systems.

● **Define a strategy:** Finally, define your protection strategy by addressing the risks that you previously identified. Rank risk by business impact priority.

Looking for more tips on how to secure your IoT and OT systems? Explore the full breadth of our cybersecurity research and recommendations with Microsoft's Security Insider.

Infrastructure Risks Increase As IT and OT Converge

The new managed detection and response platform simplifies cloud security for Kubernetes applications.

Expel unveiled its Managed Detection and Response for Kubernetes offering this week. With Expel MDR for Kubernetes, security teams can quickly detect and respond to security risks in their Kubernetes environments without slowing down the DevOps teams.

Kubernetes is an open source orchestration system that relies on containers to automate the deployment, scaling, and management of applications in cloud environments. The overall container application market is expected to grow to $12 billion by 2028, with Kubernetes driving the majority of spending, according to KBV Research.

Security teams have to recognize that the shift to Kubernetes comes with a new set of security challenges. Misconfigurations (53%) and major vulnerabilities (38%) are the two top security incidents affecting Kubernetes environments, according to Red Hat's 2022 State of Kubernetes Security report. Security teams are struggling with challenges specific to Kubernetes, including a lack of security knowledge about containers and Kubernetes, inadequate security tooling, and being unable to keep up with DevOps teams.

With Expel MDR, organizations can secure their business across their Kubernetes environment and adopt new technologies at scale, Expel said in a statement. Because the new offering aligns to MITRE ATT&CK framework, security teams can quickly remediate issues and build resilience into their networks.

To help organizations stay ahead of pervasive misconfigurations, Expel's offering identifies cluster misconfigurations and references the Center for Internet Security (CIS) Kubernetes benchmark when making recommendations on configuration improvements. Expel MDR integrates with Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) infrastructure to analyze audit logs and apply custom detection to alert on malicious activity. Finally, the MDR platform integrates with a runtime container security vendor to get better security insights regarding the devices the users are using — a necessity in "Bring Your Own Tech" shops, Expel said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Expel Tackles Cloud Threats With MDR for Kubernetes

How newly exposed security weaknesses in industrial wireless, cloud-based interfaces, and nested PLCs serve as a wake-up call for hardening the physical process control layer of the OT network.

S4x23 — Miami — As IT and operational technology (OT) network lines continue to blur in the rapidly digitalized industrial sector, new vulnerabilities and threats imperil conventional OT security measures that once isolated and guarded physical processes from cyberattacks.

Two new separate sets of research released this month underscore real, hidden dangers to physical operations in today's OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs) — effectively further dispelling conventional wisdom about the security of network segmentation as well as third-party connections to the network.

In one set of findings, a research team from Forescout Technologies was able to bypass safety and functional guardrails in an OT network and move laterally across different network segments at the lowest levels of the network: the controller level (aka Purdue level 1), where PLCs live and run the physical operations of an industrial plant. The researchers used two newly disclosed Schneider Modicon M340 PLC vulnerabilities that they found — a remote code execution (RCE) flaw and an authentication bypass vulnerability — to breach the PLC and take the attack to the next level by pivoting from the PLC to its connected devices in order to manipulate them to perform nefarious physical operations.

"We are trying to dispel the notion that you hear among asset owners and other parties that Level 1 devices and Level 1 networks are somehow different from regular Ethernet networks and Windows \[machines\] and that you cannot move through them in very similar ways," says Jos Wetzels, security researcher with Forescout. "These systems are reachable, and you can bypass safety checks if you have the right level of control. We are showing how to do this."

The highly complex attack sequence that the researchers demonstrated with a proof-of-concept (PoC) — and that they acknowledge would require the technical chops and resources of nation-state attackers — stands in stark contrast to a relatively simple new hack that another group of researchers pulled off that exposes plants via wireless network devices. Both of these separate sets of OT attack findings poke holes in traditional assumptions of inherent security at the lower layers of OT networks, and the two teams of researchers behind them shared their findings here this week at the S4x23 ICS/OT conference.

**Wireless Threat "Got Our Attention"**

In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.

The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.

Matan Dobrushin, vice president of research at Otorio, says his team used the open source WiGLE tool, a Shodan-style search app that locates and maps wireless access points around the world. WiGLE collects SSID or network names, encryption types (such as WEP or WPA), and the geolocation of a wireless access point. The team was able to locate various OT sites via those geolocated Aps that WiGL spotted, including an oil well with weak authentication to its wireless device.

The team discovered relatively simple ways for an attack to hack industrial Wi-Fi access points and cellular gateways and wage man-in-the-middle attacks to manipulate or sabotage physical machinery in production sites. In one attack scenario, the researchers pose, an attacker armed with a laptop could find and drive to a plant location and connect to the operational network.

"You don't have to go through all of the layers of the enterprise IT network or firewalls. In this example, someone can just come with a laptop and connect directly to the most sensitive physical part of that network," Dobrushin says. "This is what got our attention."

Physical proximity is just one of three attack scenarios the team discovered when they found the vulns in these wireless devices. They also could reach the plant wireless devices via oft-exposed IP addresses inadvertently open to the public Internet. But the third and most surprising attack scenario they found: They could reach the OT networks via blatantly insecure cloud-based management interfaces on the wireless access points.

Many of the devices that come with cloud-based management also contain interfaces with either very weak authentication, or no authentication at all. InHand Networks' InRouter302 and InRouter615, for example, use an unsecured communications link to the cloud platform by default, sending information in cleartext.

"It's a single point of security and failure," Dobrushin says of the weak management interfaces, and "the main attack surface" for plant wireless access points.

The onus is on the wireless device vendors to better secure their Web interfaces. "I think the biggest fail point here is not wireless itself, not the cloud itself: It's the integration point between the cloud and modern Web-based world, to the old industrial world. These integration points are not strong enough."

For example, an RCE vulnerability in the Sierra Wireless Airlink's AceManager Web interface could let an attacker inject malicious commands. The vulnerability actually bypasses a previous patch Sierra had issued in April of 2019 for another bug, according to Otorio.

**Lateral Movement Research**

Forescout's research, meanwhile, also shows how Purdue Level 1 of an OT network security is not as airtight as many industrial organizations believe. The company's findings demonstrate how a threat actor could spread an attack across various network segments and types of networks at the Purdue Level 1/controller level of the OT network.

In their proof-of-concept attack, the researchers first hacked a Wago coupler device in order to reach the Schneider M340 PLC. Once they got to the PLC, they employed two newly disclosed vulnerabilities they first found last year as part of the OT:ICEFALL set of vulns but were unable to reveal until Schneider had patched them, CVE-2022-45788 (remote code execution) and CVE-2022-45789 (authentication bypass). That allowed them to bypass the PLC's internal authentication protocol and move through the PLC to other connected devices, including an Allen-Bradley GuardLogix safety control system that protects plant systems by ensuring they operate in a safe physical state. Then they were able to manipulate the safety systems on the GuardLogix backplane.

What sets their findings apart is that it looks at lateral movement not just between Level 1 devices in the same network segment or to Layer 2 SCADA systems but spreading across nested devices and networks at Layer 1. And unlike previous PLC research, Wetzels and Daniel dos Santos, head of security research at Forescout, didn't just hack a PLC via an inherent vulnerability. They instead pivoted from the PLC to other systems connected to it in order to bypass the security and physical safety checks within the OT systems.

"We're not just talking directly \[to\] one of the PLCs. We're moving to all devices existing behind it to bypass the functional and safety constraints" of the PLC that would cause the device to halt or shut down the process, Wetzels says. "Or I can manipulate the PLC and cause physical damage."

Wetzels says some vendors provide incorrect guidance to OT operators that states that "nesting" PLCs via serial links or nonroutable OT protocols provides secure segmentation for those devices and the OT network. "We're demonstrating this is a faulty line of reasoning against a certain type of attacker," he says. The researchers show that all devices — valve controllers and sensors, for example — that reside under the PLC in other networks behind it also can be exposed and provide an attacker more detailed control of the systems.

"If you want to manipulate \[the physical processes\] at a deep level, you move deep into those networks," he says.

Another weak and often-overlooked link are network connections to third-party maintenance providers, for HVAC or water treatment plant work, for example. The maintenance contractor often has a remote connection to their packaged system, which then interfaces with the OT network. "The perimeter to the outside that exists at Level 1 is not hardened or monitored," Wetzels explains.

**How to Defend Against These Threats to OT**

Forescout's Wetzels and dos Santos recommend that OT operators re-evaluate the state of their Level 1 devices and interconnectivity. "Make sure nothing can be disabled by cyber means," Wetzels advises.

He also recommends that plants with Ethernet links that are not firewalled should add a firewall. And at the least, ensure visibility of the traffic with an intrusion detection system, he says. If the PLCs include IP-based access control list (ACL) and forensics inspection functions, deploy them to harden the devices, he says.

"Likely there's a lot of network crawlspace not on your radar," Wetzels said today in his presentation here. "At Level 1, between different \[network\] segments needs a perimeter security profile."

As for the wireless access point vulnerabilities and attacks Otorio revealed, the researchers recommend disabling weak encryption in wireless access devices, masking wireless devices publicly or at least whitelisting authorized devices, and ensuring strong authentication for IP-based devices.

They also advise disabling unused cloud-based services, which typically are on by default, and firewalling and/or adding virtual private network (VPN) tunnels among the connections.

Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication. "Access control is always a concern."

OT Network Security Myths Busted in a Pair of Hacks

78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.

Microsoft has issued fixes for three zero-day bugs that attackers currently are actively exploiting in the wild.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component which also enables an attacker to gain system-level access.

**The Zero-Day Trio**

The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of "critical" severity and 66 as presenting an "important" threat to organizations.

Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, head of threat awareness at Trend Micro's ZDI, which reported eight of the vulnerabilities in this month's update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.

"The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts," he says. "Since this was found by Mandiant, it was likely discovered by a team working an incident response," Childs says. That means it's unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft store, he notes.

"People who are either disconnected or otherwise blocked from the store will need to manually apply the update," he says.

Childs says that based on Microsoft's description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. "It's always alarming when a security feature is not just bypassed but exploited. Let's hope the fix comprehensively addresses the problem."

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.

Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-2175 within 24 hours. "This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features," Automox said in a blog post. It allows attackers to "potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering."

**New Exchange Server Threats**

Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.

"Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabeShell," Narang said in a statement.

Exchange flaws have become valuable commodities for standard sponsored threat actors in recent years, he said. "We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they've applied the latest Cumulative Updates for Exchange Server."

**RCE Bugs in Microsoft PEAP**

Researchers at Cisco's Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft's security update for February 2023.

The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to try and trigger malicious code in the context of the server's account.

"Almost all Windows versions are vulnerable, including the latest Windows 11," the company said in a statement.

CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.

"Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy," the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.

9 New Microsoft Bugs to Patch Now

Fire emergency, 911 services functioning, along with Oakland financial systems, city says.

More than a week after a ransomware attack on Oakland networks, some city services are still struggling to recover.

Although the Oakland officials assure residents fire emergency, 911 dispatch, and the Oakland financial systems are functioning normally, other operations haven't yet recovered from the Feb. 8 cyberattack. IT had to move some city systems offline as part of the effort to restore services.

Filing police reports and paying taxes are among the city services still offline, according to local news reports.

"The City's IT Department is working with a leading forensics firm to perform an extensive incident response and analysis, as well as with additional cybersecurity and technology firms on recovery and remediation efforts," Oakland officials said in their latest update on the city's cyberattack response and recovery efforts. "This continues to be an ongoing investigation with multiple local, state, and federal agencies involved."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading