Increased federal cybersecurity regulations provide a pivot point for manufacturers to reconsider their access management strategy.

Because they are dependent on dozens of highly technical processes, modern factories can't afford to let security burden end users who rely on technology. While this sounds simple enough, putting a plan in action isn't easy.

The pandemic, the Internet of Things (IoT), and the proliferation of cloud technologies sparked digital transformation, practically overnight. Manufacturers were forced to adopt new technologies to keep up with remote work, while still relying heavily upon on-premises infrastructure. Increased regulations like those from the National Institute of Standards and Technology (NIST) and Cybersecurity Maturity Model Certification (CMMC) posed even greater security complexities as manufacturers ramped up production to meet global demands. All of these factors led to a disheveled infrastructure that has allowed cybercriminals to thrive.

To ensure compliance, maintain bottom lines, and solve fragmentation, manufacturers need an access management strategy that works with all aspects of their environment. An agile single sign-on solution is the best place to start.

**Integrating Single Sign-on**

Single sign-on (SSO) isn't new. Many manufacturers have been utilizing the function for years to streamline operations. But with so much diverse technology, some of it dating back decades, manufacturing's patchwork environment has created a fragmentation challenge for both end users and IT departments.

While end users have to juggle several passwords across multiple apps, websites, and workstations, IT has the additional burden of monitoring user access and managing security in this complex environment. This includes conducting password resets and manually on- and offboarding users for each app.

It's necessary that SSO integrates with every application and endpoint — both on-premises and in the cloud. Not only would this help solve fragmentation and reduce the burden on IT, but with fewer logins to remember (or none at all), it would also increase productivity and satisfaction for end users. As more policies and regulations require additional authentication, modernizing SSO cannot be a maybe, but is a must.

**Enable Compliance With Access Management**

Before attacks like the one on Colonial Pipeline, many manufacturing plants had poorly secured workstations to streamline employee access to keep critical processes functioning. However, that ease of access also opened the door to cyber criminals. In response, increased regulations from the Department of Defense (DoD), like NIST and CMMC, completely transformed the security environment to protect federal infrastructure.

This may be less complicated for modern manufacturers with largely cloud environments. But for those smaller or midsize manufacturers that still rely a lot of on-premises technology, improving security can be frustrating for end users. And frankly, many organizations can't afford to overhaul this older technology to accommodate modern solutions that favor cloud. Instead, they need SSO that accommodates them.

Among the several digital identity requirements outlined by NIST, organizations that process any data related to government agencies or the DoD (a large bucket into which many manufacturers fall) must log in every time a system or application is accessed. In essence, this means no more unsecured workstations that workers can walk up to and start working on. NIST also requires increasingly complex passwords for every login and, in many circumstances, enforces multifactor authentication (MFA).

For end users who previously only had to log in a handful of times throughout their shift, this added authentication can become a burden — especially for plant workers wearing full protective gear who previously only had to push a few buttons to enable operations. With factories under more pressure than ever before, their bottom lines cannot afford to deal with hindered productivity.

These increased regulations represent a pivotal moment for the on-premises manufacturer. In short, if your SSO doesn't integrate with every login, it's time for you to rethink your access management strategy with these two words: passwordless experience.

**The Passwordless Experience**

Without the ability to use SSO for every login, there's more risk of credentials being forgotten — or worse, compromised. The fewer credentials an end user has to remember, the less likely that person is to forget a password or write it down. So, isn't the best password the one you don't know?

Think about it. If a user only logs in by tapping an NFC badge to a reader or by using biometrics, that password will remain stored away, only invoked in the background when the user authenticates. In combination with a push notification or physical token for MFA, organizations can provide employees with a completely passwordless experience that benefits both security and productivity. This also enables better holistic digital identity management, traceability, and agility across the entire organization.

While compliance should be achieved, it does not equal security. It's time to ditch meeting the minimums and strive toward efficient methods that enable growth. The technology you have is only as good as your ability to use it, so ensure it's useful for everyone. Because after all, without SSO for every login, you are only as strong as your weakest password.

**About the Author**

    

As the Senior Vice President of Worldwide Engineering and Cyber at Imprivata, Joel Burleson-Davis is responsible for building, delivering, and evolving the suite of Imprivata's cybersecurity products. Before joining Imprivata, Joel was Chief Technical Officer at SecureLink, the leader in critical access management. There he developed advanced solutions for enterprises to secure access to their most valuable assets, systems, and data. While at SecureLink, Joel was responsible for the overall technology and operational strategy and execution including direction and oversight for Product Development, Quality Assurance, IT and Cybersecurity Operations, Compliance, and Customer Success.

Single Sign-on: It's Only as Good as Your Ability to Use It

More than three-quarters of police and emergency responders worry about ransomware attacks and data leaks, while their organizations lag behind in technology adoption.

Cybersecurity threats have become commonplace for police departments, first responders, and other public-safety groups, with 93% of organizations experiencing a cybersecurity issue in the past year.

That's according to a report released on Dec. 8 by cloud platform provider Mark43, based on a survey of 343 first responders. The 2023 U.S. Public Safety Trends Report found that 76% of first responders had concerns that their IT systems are vulnerable to ransomware attacks and data breaches.

At the same time, the vast majority of first responders must deal with outdated technology and disconnected systems, with 68% of public-safety officers required to file paperwork from the office rather than in the field, and 67% of first responders encountering issues with inefficient technology, according to the report.

While adopting technology can solve many issues that currently plague first responders, most state and local agencies do not have the technical expertise to protect such technology against threats, says Larry Zorio, chief information security officer for Mark43, which provides information systems for law-enforcement and first responder agencies.

"These agencies in many cases do not have a dedicated security staff who can worry about these issues all day, ensuring that data is backed up and running vulnerability scans," he says. "To the the \[cybersecurity\] community, these are table stakes — you need to be doing patching, you need to be doing vulnerability scanning ... but these agencies are realizing that they cannot protect themselves from these risks on their own."

First responders' cybersecurity concerns are not unwarranted. In 2019 and 2020, ransomware groups started targeting state, local, tribal, and territorial (SLTT) government agencies in earnest. In 2019, for example, 22 town agencies and local government organizations were targeted with a coordinated ransomware attack disrupting services for citizens. Ransomware attacks on local school systems impacted education for at least 753,000 students during 2019 and 1.2 million in 2020.

And in 2021, the FBI warned that ransomware spread by the Conti cybercriminals group had targeted at least 16 healthcare and first responder networks. In September 2022, a ransomware attack disrupted 911 service for Suffolk County, NY.

**Targeting First Responders**

These attacks carry with them additional risks for citizens, the FBI stated in its 2021 advisory.

"Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed," the advisory stated. "Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges."

In general, the information technologists believe that ransomware attacks will continue at the same pace. The vast majority of IT professionals (84%) see ransomware as a significant threat to businesses, according to a study commissioned by Ransomware.org. In addition, 41% of IT professional believe their company is more likely to be a target this year, and 43% believe the threat will remain the same.

**Cloud Adoption Lags**

For first responders, the cybersecurity threats are balanced against the slow adoption of technology that could make their jobs and operations more efficient. While the majority of first responders believe that an integrated system for reporting would streamline operations, only a quarter of first responder organizations (27%) have moved to the cloud — two-thirds have not, the Mark43 survey found.

The Mark43 survey found that compliance and data transparency are also significant concerns for first responders, with 86% of respondents asking for improved crime reporting and two-thirds of those surveyed wanting more public transparency.

The agencies need to prioritize technology, data management, and cybersecurity roles. Instead, cybersecurity is often tasked to untrained IT workers inside the department or to officers that are nearing retirement, Zorio says.

"I don't feel that officers, who are trying to serve our communities, the fact that they are worried about that every day is definitely a concern," he says. "The industry in general needs to help them where we can, because it is not their job to worry about cybersecurity."

The survey defined cybersecurity issues as both malicious attacks by cybercriminals and availability problems caused by attacks.

Lack of Cybersecurity Expertise Poses Threat for Public-Safety Orgs

IE is still a vector: South Koreans lured in with references to the deadly Halloween celebration crowd crush in Seoul last October.

North Korean threat group APT37 was able to exploit an Internet Explorer zero-day vulnerability to deploy documents loaded with malware as part of its ongoing campaign targeting users in South Korea, including defectors, journalists, and human rights groups.

Google's Threat Analysis Group (TAG) found the zero-day flaw in the Internet Explorer JScript engine in late October, tracked under CVE-2022-41128, and now reports that Microsoft was responsive and has issued applicable patches.

To lure in potential victims, the malicious documents referenced the deadly crowd crushing incident in Seoul that happened during Halloween celebrations on Oct. 29.

"This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident," the TAG team reported. "This is not not the first time APT37 has used Internet Explorer 0-day exploits to target users."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

APT37 Uses Internet Explorer Zero-Day to Spread Malware

Phishing has long been one of the best ways to gain access to a target organization. It didn't used to be this way. In the early days of computer security, the remote code exploit (RCE) was the preferred method of gaining access, as it required no user interaction. In fact, if something required user interaction, it wasn't considered a serious threat. Better security practices started to take hold, and the RCE method of access became much more challenging. And it turned out, getting users to interact was easier than ever imagined.

The same cycle has started to repeat itself with on-premises targets. Organizations have started to make advances in securing their internal networks against using endpoint detection and response (EDR), and other technologies are better equipped to detect malware and lateral movement. While attacks are becoming more difficult, it's by no means an ineffective strategy for an attacker yet. Deploying ransomware and other forms of malware is still a common outcome.

**Why Your Cloud Infrastructure Is a Top Target for Phishing Attacks**

The cloud has given phishers a whole new frontier to attack, and it turns out it can be very dangerous. SaaS environments are ripe targets for phishing attacks and can give the attacker a lot more than access to some emails. Security tools are still maturing in this environment, which offers attackers a window of opportunity where methods such as phishing attacks can be very effective.

**Phishing Attacks Targeting Developers and Software Supply Chain**

As we saw recently, Dropbox had an incident due to a phishing attack against its developers. They were tricked into giving their Github credentials to an attacker by a phishing email and fake website, despite multifactor authentication (MFA). What makes this scary is that this wasn't just a random user from sales or another business function, it was developers with access to a lot of Dropbox data. Thankfully, the scope of the incident doesn't appear to affect Dropbox's most critical data.

GitHub, and other platforms in the continuous integration/continuous deployment (CI/CD) space, are the new "crown jewels" for many companies. With the right access, attackers can steal intellectual property, leak source code and other data, or conduct supply chain attacks. It goes even farther, as GitHub often integrates with other platforms, which the attacker may be able to pivot. All of this can happen without ever touching the victim's on-prem network, or many of the other security tools that organizations have acquired, since it is all software-as-a-service (SaaS)-to-SaaS.

Security in this scenario can be a challenge. Every SaaS provider does it differently. A customer's visibility into what happens in these platforms is often limited. GitHub, for example, only gives access to its Audit Log API under its Enterprise plan. Getting visibility is only the first hurdle to overcome, the next would be to make useful detection content around it. SaaS providers can be quite different in what they do and the data that they provide. Contextual understanding of how they work will be required to make and maintain the detections. Your organization may have many such SaaS platforms in use.

**How Do You Mitigate Risks Associated With Phishing in the Cloud?**

Identity platforms, such as Okta, can help mitigate the risk, but not completely. Identifying unauthorized logins is certainly one of the best ways to discover phishing attacks and respond to them. This is easier said than done, as attackers have caught on to the common ways of detecting their presence. Proxy servers or VPNs are easily used to at least appear to come from the same general area as the user in order to defeat country or impossible travel detections. More advanced machine learning models can be applied, but these are not yet widely adopted or proven.

Traditional threat detection is starting to adapt to the SaaS world as well. Falco, a popular threat detection tool for containers and cloud, has a plug-in system that can support nearly any platform. The Falco team has already released plug-ins and rules for Okta and GitHub, among others. For example, the GitHub plug-in has a rule that triggers if any commits show signs of a crypto miner. Levering these purpose-built detections is a good way to get started in bringing these platforms into your overall threat detection program.

**Phishing Is Here to Stay**

Phishing, and social engineering in general, will never be left behind. It has been an effective attack method for years, and will be for as long as people communicate. It is critical to understand that these attacks are not limited to the infrastructure you own or manage directly. SaaS is especially at risk due to the lack of visibility most organizations have to what actually happens on those platforms. Their security cannot be written off as someone else's problem, as a simple email and fake website is all it takes to get access to those resources.

Phishing in the Cloud: We're Gonna Need a Bigger Boat

Rapid adoption showcases increased interest in cyber education and training for individuals looking to enter the field while helping decrease the workforce gap.

**ALEXANDRIA, Va., Dec. 8, 2022 /PRNewswire/ —** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced it has registered more than 110,000 (ISC)² Candidates to help address the global cybersecurity workforce gap of 3.4 million professionals. The recruitment milestone comes within three months of launching (ISC)² Candidates, to help individuals pursue or consider a career in cybersecurity.

(ISC)² Candidates provide those pursuing or building a cybersecurity career with exclusive offerings, including discounts on (ISC)² certification education courses, study materials and events. The initiative encourages Candidates to work toward earning an (ISC)² certification such as the (ISC)² CISSP® or (ISC)² Certified in CybersecuritySM entry-level certification.

"The early success of (ISC)² Candidates underscores the strong global interest in cybersecurity careers and how programs aimed at educating the next generation of professionals can effectively help address the global workforce gap," said Clar Rosso, CEO, (ISC)². "The strong adoption of (ISC)² Candidates demonstrates there is no shortage of interest in joining the profession; the challenge is creating new entry points that remove barriers and embrace the diverse skillsets, experiences and aptitudes necessary for a successful career. (ISC)² is preparing these individuals by providing a new cybersecurity career pathway through (ISC)² Candidates."

The 2022 (ISC)² Cybersecurity Workforce Study reveals there is no single pathway into cybersecurity. The data shows a shift in how people are entering the field, with nearly half of respondents under the age of 30 moving into cybersecurity from a career outside IT. The change highlights the importance of (ISC)² Candidates, as it provides a way for individuals to enter the field through non-traditional methods.

**Free Certification Exams and Training for 1 Million**

(ISC)² also has launched One Million Certified in Cybersecurity. This initiative pledges to provide free, entry-level cybersecurity certification exams and self-paced educational program courses to one million new professionals starting a career in cybersecurity. More than 98,350 people have enrolled for a free Certified in Cybersecurity course and exam in the last three months.

To learn more, visit www.isc2.org/candidate.

**About (ISC)²  
**(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates, and members, nearly 280,000 strong, is made up of certified cyber, information, software, and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter, or connect with us on Facebook and LinkedIn.

(ISC)² Recruits 110,000 People Interested in a Cybersecurity Career in Three Months

Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.

**CHARLESTON, S.C., Dec. 8, 2022 /PRNewswire/ —** Interpres Security, a company dedicated to helping companies optimize their security performance with a comprehensive new approach to managing the defense surface, announced its emergence from stealth alongside $8.5M in seed financing led by Ten Eleven Ventures. The Interpres Security platform offers a customized, continuous, and threat-informed analysis of an organization's detection and mitigation capabilities and provides automated security engineering directives based on this evaluation, ultimately enabling a hardened security posture in the most efficient manner possible.

To address the expanding number of cybersecurity threats, organizations now use an average of 76 tools in their security stack. Despite this level of investment, organizations still do not know how effective this tooling is against their specific and expanding threat profile. Without a clear picture of the most relevant threats or how well their current tools work against them, organizations do not have a complete view of how well-defended they are.

After experiencing a systems breach firsthand at a classified security operations center, members of the Interpres Security founding team developed a new Threat Centric Methodology to validate the effectiveness of all of the security vendors in the environment. This approach proved successful, and later the same methodology became the genesis for Interpres Security's automation of these capabilities into their new platform.

Interpres Security currently integrates the MITRE ATT&CK framework to prioritize threat coverage based on the adversaries most likely to target an organization, the malware and techniques those adversaries use, and the prevalence of those attacks as seen in the wild. It then recommends mitigations, telemetry collection strategies, and detection logic best suited to fill the prioritized gaps in coverage across the enterprise to detect and mitigate threats most likely to target the organization. It does all this while utilizing the organization's existing investment in cybersecurity products and solutions. Once the defense ecosystem is optimized, Interpres maintains this state through a situational awareness dashboard that detects drift in configuration and changes to risk posture while offering detailed board-level reporting.

"Until now, only large security engineering teams have even been able to attempt to analyze, validate, and optimize an organization's specific security toolset and processes. However, the detailed analysis and threat intelligence needed is extremely time-consuming and manually intensive to complete. The capabilities that we have automated within the Interpres platform goes beyond the scope of what humans can complete regularly, in real-time," said Nick Lantuh, Chief Executive Officer and Co-Founder at Interpres Security and former Founder and President of NetWitness (acquired by EMC in 2011). "It's time for a new approach. Automation and threat-informed prioritization are necessary to properly assess, configure, optimize and align current security tools to optimally defend against advanced threats in a timely manner. That's the value of the Interpres platform."

"We see CISOs regularly struggle to get a handle on which security tools are most effective for their organization's specific needs," said Mark Hatfield, General Partner at Ten Eleven Ventures and new board member at Interpres Security. "They want to hold the vendors accountable for what they've promised - to understand how well their tools stand up to threats they are most likely to face. The exceptional team at Interpres Security has developed a platform that does exactly that - help companies 'shrink the stack', get the most out of their existing cybersecurity investments, understand where they are and are not protected, rationalize product investments and harden their defenses."

**About Interpres Security**

Interpres Security makes security performance intelligible and provable for the enterprise with a comprehensive new approach to managing the defense surface. With Interpres, security teams can take a threat-informed perspective to understand what their current tools can detect and defend against, identify gaps and inefficiencies, and iteratively improve their security posture with a data-driven and custom tailored approach. Interpres Security is backed by top cybersecurity specialist investor, Ten Eleven Ventures. To learn more and request a demonstration of the platform, visit their website at InterpresSecurity.com and follow the company on LinkedIn or Twitter.

**About Ten Eleven Ventures**

Ten Eleven Ventures is the original cybersecurity-focused, global, stage agnostic investment firm. The firm finds, invests, and helps grow top cybersecurity companies addressing critical digital security needs, tapping its team, network, and experience to help build successful businesses. Since its founding, Ten Eleven Ventures has raised over $US 1 billion and made over 40 cybersecurity investments across stages worldwide, including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

Interpres Security Emerges from Stealth to Help Companies to Optimize Security Performance

A free resource, updated monthly, lists the most-popular, highly rated OSS projects.

In the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.

And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, Yara, Wireshark, etc., are often found in organizations' arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.

To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize _fast growing_ as we believe modern security operations are different from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer initiatives designed for modern infrastructure environments.

To build this index, we use the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.

**How We Ranked the Entries**

Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:

*   Number of stars: 30%
*   Number of contributors (excluding bots and anonymous accounts): 25%
*   Number of commits the project had in the last 12 months: 25%
*   Number of watchers: 10%
*   Change in the number of watchers over the last month: 5%
*   Number of forks: 5%

Based on this scoring methodology, we list the top 100 GitHub projects on the The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.

While the top 25 list includes familiar tools like Metasploit, Wireshark, and OS Query, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.

Looking across the top 25 list, a few interesting trends emerge. They are:

*   **Attack and red-team open source tools remain popular:** Projects that provide effective attack and testing tools are prominently positioned on the list. Metasploit, OSS Fuzz, Atomic Red Team, and Zap are a few examples.
*   **Security for modern infrastructure is gaining popularity:** Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream with security operations.
*   **Automation and "as-code" workflow utilities have emerged:** It's also worth noting that projects that enable automation and "as-code" workflows have also appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.

We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source strategy provides a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.

We created this index because we had a challenging time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point to build a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.

Where to Find the Best Open Source Security Technology

Common mistakes in network configuration can jeopardize the security of highly protected assets and allow attackers to steal critical data from the enterprise.

Common misconfigurations in how Domain Name System (DNS) is implemented in an enterprise environment can put air-gapped networks and the high-value assets they are aimed at protecting at risk from external attackers, researchers have found.

Organizations using air-gapped networks that connect to DNS servers can inadvertently expose the assets to threat actors, resulting in high-impact data breaches, researchers from security firm Pentera revealed in a blog post published Dec. 8.

Attackers can use DNS as a command-and-control (C2) channel to communicate with these networks through DNS servers connected to the Internet, and thus breach them even when an organization believes the network is successfully isolated, the researchers revealed.

Air-gapped networks are segregated without access to the Internet from the common user network in a business or enterprise IT environment. They are designed this way to protect an organization's "crown jewels," the researchers wrote, using VPN, SSL VPN, or the users' network via a jump box for someone to gain access to them.

However, these networks still require DNS services, , which is used to assign names to systems for network discoverability. This represents a vulnerability if DNS is not configured carefully by network administrators.

"Our research showcases how DNS misconfigurations can inadvertently impact the integrity of air-gapped networks," Uriel Gabay, cyberattack researcher at Pentera, tells Dark Reading.  

What this means for the enterprise is that by abusing DNS, hackers have a stable communication line into an air-gapped network, allowing them to exfiltrate sensitive data while their activity appears completely legitimate to an organization's security protocols, Gabay says.

**DNS as a Highly Misconfigurable Protocol**

The most common mistake companies make when setting up an air-gapped network is to believe they are creating an effective air gap when they chain it to their local DNS servers, Gabay says. In many cases, these servers can be linked to public DNS servers, which means "they have unintentionally broken their own air gap."

It's important to understand how DNS works to know how attackers can navigate its complexities to break into an air gap, the researchers explained in their post.

Sending information over DNS can be done by requesting a record that the protocol handles — such as TXT, a text record, or NS, a name server record — and putting the information into the first part of the record’s name, the researchers explained. Receiving information over DNS can be done by requesting a TXT record and receiving a text response back for that record.

While DNS protocol can run on TCP, it is mostly based on UDP, which does not have a built-in security mechanism — one of two key factors that come into play for an attacker to take advantage of DNS, the researchers said. There also is no control over the flow or sequence of data transmission in UDP.

Thanks to this lack of error detection in UDP, attackers can compress a payload prior to sending it and immediately decompress after sending, which can be done with any other type of encoding, such as base64, the researchers explained.

**Using DNS to Break an Air Gap**

That said, there are challenges for threat actors to communicate successfully with DNS to break an air gap. DNS has restrictions on the types of characters it accepts, so not all characters can be sent; those that can't are called "bad characters," the researchers said. There also is a limit on the length of characters that can be sent.

To overcome the lack of control over data flow in DNS, threat actors can notify the server which packet should be buffered, as well as what is expected as the last package, the researchers said. A package also should not be sent until an attacker knows that the previous one successfully arrived, they said.

To avoid bad characters, attackers should apply base64 on data sent right before sending it, while they can slice data into pieces to be sent one by one to avoid the DNS character length limit, they said.

To get around a defender blocking a DNS request by blocking access to the server from which it is being sent, an attacker can generate domain names based on variables that both sides know and expect, the researchers explained.

"While the executable is not necessarily difficult, an attacker or group would need the infrastructure to continue to buy root records," they noted.

Attackers also can configure malware to generate a domain in DNS based on a date, which will allow them to constantly send new requests over DNS using a new, known root domain, the researchers said. Defending against this type of configuration "will prove challenging to organizations using static methods or even with basic anomaly detection to detect and prevent," they said.

**Mitigating DNS Attacks on Air-Gapped Networks**

With DNS attacks occurring more frequently than ever — with 88% of organizations reporting some type of DNS attack in 2022, according to the latest IDC Global DNS Threat Report — it's important for organizations to understand how to mitigate and defend against DNS abuse, the researchers said.

One way is to create a dedicated DNS server for the air-gapped network, Gabay tells Dark Reading. However, organizations must take care to ensure that this server is not chained to any other DNS servers that may exist in the organization, as this "will ultimately chain it to DNS servers on the Internet," he says.

Companies should also create anomaly-based detection in the network utilizing an IDS/IPS tool to monitor and identify strange DNS activities, Gabay says. Given that all enterprise environments are unique, this type of solution also will be unique to an organization, he says.

However, there are some common examples of what abnormal type of DNS behavior should be monitored, including: DNS requests to malicious domains; large amounts of DNS requests in very short period of time; and DNS requests made at strange hours. Gabay adds that organizations also should implement a SNORT rule to monitor for the length of requested DNS records.

Report: Air-Gapped Networks Vulnerable to DNS Attacks

Security researchers share their biggest initial screwups in some of their key vulnerability discoveries.

BLACK HAT EUROPE 2022 – London – Researcher Douglas McKee was having no luck extracting the passwords in a medical patient-monitor device he was probing for vulnerabilities. The GPU password-cracking tool he had run to lift the layers of credentials needed to dissect the device came up empty. It wasn't until a few months later when he sat down to read the medical device's documentation that he discovered that the passwords had been right there in print the whole time.

"I finally got around reading the documentation, which clearly had all the passwords in plaintext right in the documents," McKee, director of vulnerability research at Trellix, recounted in a presentation here today. It turned out the passwords were hardcoded into the system as well, so his failed password-cracking process was massive overkill. He and his team later discovered bugs in the device that allowed them to falsify patient information on the monitor device.

Failing to pore over documentation is a common misstep by security researchers eager to dig into the hardware devices and software they are studying and reverse-engineering, according to McKee. He and his colleague Philippe Laulheret, senior security researcher at Trellix, in their "Fail Harder: Finding Critical 0-Days in Spite of Ourselves" presentation here, shared some of their war stories over mistakes or miscalculations they made in their hacking projects: mishaps that they say serve as useful lessons for researchers.

"At all conferences we go to \[they\] show the shiny results" and successes in security research like zero-days, Laulheret said. You don't always get to hear about the strings of failures and setbacks along the way when sniffing out vulns, the researchers said. In their case, that's been everything from hardware hacks that burned circuit boards to a crisp, to long-winded shellcode that failed to run.

In the latter case, McKee and his team had discovered a vulnerability in the Belkin Wemo Insight SmartPlug, a Wi-Fi-enabled consumer device for remotely powering on and off devices connected to it. "My shellcode was not getting through to the stack. If I had read the XML library, it was clear that XML filters out characters and there's a limited character set allowed through the XML filter. This was another example of lost time if I had read through the code I was actually working with," he says. "When we deconstructed it, we found a buffer overflow that allowed you to remotely control the device."

**Don't ASSume: Schooled by Distance-Learning App 'Security'**

In another project, the researchers studied a distance-learning software tool by Netop called Vision Pro that, among other things, includes the ability for teachers to remote into students' machines and exchange files with their students. The Remote Desktop Protocol-based feature seemed straightforward enough: "It allows teachers to log in using Microsoft credentials to get full access to a student's machine," McKee explained.

The researchers had assumed that the credentials were encrypted on the wire, which would have been the logical security best practice. But while monitoring their network captures from Wireshark, they were shocked to discover credentials traveling across the network unencrypted. "A lot of times assumptions can be the death of the way you do a research project," McKee said.

Meantime, they recommend having in hand multiple versions of a product you're researching in case one gets damaged. McKee admitted getting a bit overzealous in deconstructing the battery and internals of the B Bruan Infusomat infusion pump. He and his team took apart the battery after spotting a MAC address on a sticker affixed to it. They found a circuit board and flash chip inside, and they ended up physically damaging the chip while trying to get to the software on it.

"Try to do the least invasive process first," McKee said, and don't jump into breaking open the hardware from the start. "Breaking things is part of the hardware hacking process," he said.

Hacker Fails for the Win

A ransomware attack on the company's Hosted Exchange environment disrupted email for thousands of mostly small and midsize businesses.

A Dec. 2 ransomware attack at Rackspace Technology — which the managed cloud hosting company took several days to confirm — is quickly becoming a case study on the havoc that can result from a single well-placed attack on a cloud service provider.

The attack has disrupted email services for thousands of mostly small and midsize organizations. The forced migration to a competitor's platform left some Rackspace customers frustrated and desperate for support from the company. It has also already prompted at least one class-action lawsuit and pushed the publicly traded Rackspace's share price down nearly 21% over the past five days.

**Delayed Disclosure?**

"While it's possible the root cause was a missed patch or misconfiguration, there's not enough information publicly available to say what technique the attackers used to breach the Rackspace environment," says Mike Parkin, senior technical engineer at Vulcan Cyber. "The larger issue is that the breach affected multiple Rackspace customers here, which points out one of the potential challenges with relying on cloud infrastructure." The attack shows how if threat actors can compromise or cripple large service providers, they can affect multiple tenants at once.

Rackspace first disclosed something was amiss at 2:20 a.m. EST on Dec. 2 with an announcement it was looking into "an issue" affecting the company's Hosted Exchange environment. Over the next several hours, the company kept providing updates about customers reporting email connectivity and login issues, but it wasn't until nearly a full day later that Rackspace even identified the issue as a "security incident."

By that time, Rackspace had already shut down its Hosted Exchange environment citing "significant failure" and said it did not have an estimate for when the company would be able to restore the service. Rackspace warned customers that restoration efforts could take several days and advised those looking for immediate access to email services to use Microsoft 365 instead. "At no cost to you, we will be providing access to Microsoft Exchange Plan 1 licenses on Microsoft 365 until further notice," Rackspace said in a Dec. 3 update.

The company noted that Rackspace's support team would be available to assist administrators configure and set up accounts for their organizations in Microsoft 365. In subsequent updates, Rackspace said it had helped — and was helping — thousands of its customers move to Microsoft 365.

**A Big Challenge**

On Dec. 6, more than four days after its first alert, Rackspace identified the issue that had knocked its Hosted Exchange environment offline as a ransomware attack. The company described the incident as isolated to its Exchange service and said it was still trying to determine what data the attack might have affected. "At this time, we are unable to provide a timeline for restoration of the Hosted Exchange environment," Rackspace said. "We are working to provide customers with archives of inboxes where available, to eventually import over to Microsoft 365."

The company acknowledged that moving to Microsoft 365 is not going to be particularly easy for some of its customers and said it has mustered all the support it can get to help organizations. "We recognize that setting up and configuring Microsoft 365 can be challenging and we have added all available resources to help support customers," it said. Rackspace suggested that as a temporary solution, customers could enable a forwarding option, so mail destined to their Hosted Exchange account goes to an external email address instead.

Rackspace has not disclosed how many organizations the attack has affected, whether it received any ransom demand or paid a ransom, or whether it has been able to identify the attacker. The company did not respond immediately to a Dark Reading request seeking information on these issues. In a Dec. 6. SEC filing, Rackspace warned the incident could cause a loss in revenue for the company's nearly $30 million Hosted Exchange business. "In addition, the Company may have incremental costs associated with its response to the incident."

**Customers Are Furious and Frustrated**

Messages on Twitter suggest that many customers are furious at Rackspace over the incident and the company's handling of it so far. Many appear frustrated at what they perceive as Rackspace's lack of transparency and the challenges they are encountering in trying to get their email back online.

One Twitter user and apparent Rackspace customer wanted to know about their organization's data. "Guys, when are you going to give us access to our data," the user posted. "Telling us to go to M365 with a new blank slate is not acceptable. Help your partners. Give us our data back."

Another Twitter user suggested that the Rackspace attackers had also compromised customer data in the incident based on the number of Rackspace-specific phishing emails they had been receiving the last few days. "I assume all of your customer data has also been breached and is now for sale on the dark web. Your customers aren't stupid," the user said.

Several others expressed frustration over their inability to get support from Rackspace, and others claimed to have terminated their relationship with the company. "You are holding us hostages. The lawsuit is going to take you to bankruptcy," another apparent Rackspace customer noted.

Davis McCarthy, principal security researcher at Valtix, says the breach is a reminder why organizations should pay attention to the fact that security in the cloud is a shared responsibility. "If a service provider fails to deliver that security, an organization is unknowingly exposed to threats they cannot mitigate themselves," he says. "Having a risk management plan that determines the impact of those known unknowns will help organizations recover during that worst case scenario."

Meanwhile, the lawsuit, filed by California law firm Cole & Van Note on behalf of Rackspace customers, accused the company of "negligence and related violations" around the breach. "That Rackspace offered opaque updates for days, then admitted to a ransomware event without further customer assistance is outrageous,” a statement announcing the lawsuit noted.

**Did the Attackers Exploit "ProxyNotShell" Exchange Server Flaws?**

No details are publicly available on how the attackers might have breached Rackspace's Hosted Exchange environment. But security researcher Kevin Beaumont has said his analysis showed that just prior to the intrusion, Rackspace's Exchange cluster had versions of the technology that appeared vulnerable to the "ProxyNotShell" zero-day flaws in Exchange Server earlier this year.

"It is possible the Rackspace breach happened due to other issues," Beaumont said. But the breach is a general reminder why Exchange Server administrators need to apply Microsoft's patches for the flaws, he added. "I expect continued attacks on organizations via Microsoft Exchange through 2023."

Source

DARKReading