The group's wanton attacks demonstrate that business email compromise is everything a hacker can want in one package: low risk, high reward, quick, easy, and low effort.

Business email compromise (BEC) has become one of the most popular methods of financially motivated hacking. And over the past year, one group in particular has demonstrated just how quick, easy, and lucrative it really is.

In a Feb. 1 blog post, Crane Hassold, director of threat intelligence at Abnormal Security, profiled "Firebrick Ostrich" a threat actor that's been performing BEC at a near-industrial scale. Since April 2021, the group has carried out more than 350 BEC campaigns, impersonating 151 organizations and utilizing 212 malicious domains in the process.

This volume of attacks is made possible by the group's wholesale gunslinging approach. Firebrick Ostrich doesn't discriminate much when it comes to targets, or gather exceptional intelligence in order to craft the perfect phishing bait. It throws darts at a wall because, evidently, when it comes to BEC at scale, that's enough.

"BEC is attractive to bad actors," Sean McNee, CTO at DomainTools, explains to Dark Reading, "due to the lower barriers to entry than malware, less risk, faster scaling opportunities, and way more profit potential to higher echelons than other methods of attack."

These factors may explain why such attacks are "absolutely _the_ emerging trend," as Hassold tells Dark Reading, leaving even ransomware in the dust. "There are literally hundreds, if not thousands, of these groups out there."

**Firebrick Ostrich's BEC M.O.**

Firebrick Ostrich almost always targets organizations based in the United States. Beyond that, though, there doesn't appear to be a pattern — it dips into retail and education, transportation and healthcare, and everything in between.

The group specializes in third-party impersonations, reflecting a shift in BEC more generally. "Since its inception, BEC has been synonymous with CEO impersonation," Hassold notes. But more recently, "threat actors have identified third parties as a sort of soft target in the B2C attack chain. More than half of the B2C attacks that we see now are impersonating third parties instead of internal employees."

The degree of reconnaissance Firebrick Ostrich requires to perform such an attack is frustratingly minimal. All that's needed is an understanding that two organizations connect to one another somehow — most often, that one provides a product or service to the other.

Such information is publicly available on many government websites. In commerce, it might be found on a vendor's website, on a landing page gallery of customer logos. If not, a simple Google search might do the trick. It's enough to go on, Hassold says, even if "they haven't compromised an account or a document that provides them with insight into payments that are going back and forth."

Having identified a vendor, the group registers a lookalike Web domain, and a series of email addresses for imaginary employees and executives in the vendor's finance department. "Firebrick Ostrich copies all of the additional fake accounts on their emails to make it look like they are including others in the conversation," Abnormal Security researchers wrote in the analysis, "which adds credibility and social proof to the message."

Finally the group sends the email, impersonating an accounts payable specialist, to the accounts payable division at the target organization. The note will typically begin with some flattery, like how the vendor "greatly appreciates you as a valued customer and we want to thank you for your continued business."

Firebrick Ostrich doesn't seek out bank information from its victims. Rather, its operatives request to update their own (the "vendor's") bank details, for future payments.

"These attackers are playing a longer game," according to the report, "hoping that a simple request now will result in a payment to their redirected account with the next payment." The group always opts for ACH, as it requires only an account and routing number — no other identifying information — to send a lump sum.

For good measure, these emails also include a vague inquiry regarding outstanding payments.

Source: Abnormal Security

What's notable in all this is how quick and easy the entire attack flow is. Case in point: Abnormal Security found that in 75% of cases, Firebrick Ostrich registered a malicious vendor domain within just two days of sending an opening phishing email, and 60% of the time within 24 hours.

**BEC Is Big-Time Cybercrime**

In 2018, the FBI released a public service announcement about a "12 billion dollar scam." From October 2013 to May 2018, the agency estimated, organizations worldwide had lost about $12.5 billion to BEC.

That seemed like a lot at the time. One year later, though, the Feds released a new PSA. Now, BEC was a $26 billion arena. And in 2022, a third PSA appeared, declaring BEC a $43 billion scam.

These numbers may even be underestimated, considering the cases that go unreported.

Firebrick Ostrich is a prime example of why BEC is so popular, according to Abnormal Security: "They have seen massive success, even without the need to compromise accounts or do in-depth research on the vendor-customer relationship." The campaigns are effective yet quick, low effort, with a low barrier to entry.

BEC can also be, as McNee calls it, a "'gateway drug' to other illicit, illegal activities" like ransomware.

"There’s an accessible underground economy of suppliers that make account takeover fairly trivial, so if a BEC-focused bad actor is interested in pivoting to other activities or selling the access they gain to others, they can easily do so." This relationship goes both ways, with ransomware double extortions feeding follow-on BEC attacks.

To prevent a costly compromise, Hassold recommends that organizations "have a really structured and rigid process for any financial transaction. Make sure that the account change is confirmed with the actual party offline, in a separate communication thread, before the change is actually implemented."

Most of all, employees must be aware of phishing tactics. "A key reason BEC attacks are difficult to defend against," McNee adds, "is that they attack people and not technology per se. Everyone is susceptible to social engineering because we’re all human."

Rising ‘Firebrick Ostrich’ BEC Group Launches Industrial-Scale Cyberattacks

Analysts find that 98% of QNAP NAS are vulnerable to CVE-2022-27596, which allows unauthenticated, remote SQL code injection.

A critical security vulnerability in QNAP's QTS operating system for network-attached storage (NAS) devices could allow cyberattackers to inject malicious code into devices remotely, with no authentication required.

According to researchers from security firm Censys, more than 30,000 hosts are running a vulnerable version of the QNAP-based system as of press time, meaning that approximately 98% of these devices could be attacked.

The issue (CVE-2022-27596) is a SQL injection problem that affects QNAP QTS devices running versions below 5.0.1.2234, and QuTS Hero versions below h5.0.1.2248. It carries a score of 9.8 out of 10 on the CVSS vulnerability-severity scale.

In its advisory this week, QNAP said the bug has a low attack complexity, which, when combined with the popularity of QNAP NAS as a target for Deadbolt ransomware and other threats, could make for imminent exploitation in the wild. And unfortunately, according to Censys, it's a target-rich environment out there.

"Censys has observed 67,415 hosts with indications of running a QNAP-based system; unfortunately, we could only obtain the version number from 30,520 hosts," the firm explained in a blog post on Feb. 1. "We found that of the 30,520 hosts with a version, only 557 were running \[patched versions\], meaning 29,968 hosts could be affected by this vulnerability."

To protect themselves, companies should upgrade their devices to QTS version 5.0.1.2234 and QuTS Hero h5.0.1.2248.

"If the exploit is published and weaponized, it could spell trouble to thousands of QNAP users," Censys researchers warned. "Everyone must upgrade their QNAP devices immediately to be safe from future ransomware campaigns."

Patch Critical Bug Now: QNAP NAS Devices Ripe for the Slaughter

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

Indusface's research on 1,400+ Web apps, mobile apps, and APIs revealed that open vulnerabilities remain cybercriminals' most significant attack vector.

According to the report, 829 million attacks were blocked on the AppTrana WAF in the fourth quarter of 2022, a 79% increase from the third quarter.

The alarming finding is that 61,713 open vulnerabilities were found, which is a 50% jump from the third quarter. The number of open vulnerabilities directly relates to the increased threat actors.

How can you protect them? The best option is to fix known vulnerabilities using virtual patching at the WAF level while blocking attacks.

**Critical Vulnerabilities Found on Applications**

While any vulnerability carries a risk to your business, here are the top 10 high/critical vulnerabilities that hackers attempted to exploit during the fourth quarter of 2022:

*   Server-side request forgery
*   HTML injection
*   Cross-site scripting (XSS)
*   TLS/SSL server certificate will expire soon
*   Script source code disclosure
*   SQL injection
*   SSL certificate common name mismatch
*   TLS/SSL server certificate expired
*   Untrusted TLS/SSL server certificate
*   Insecure Direct Object References

Prioritize addressing these vulnerabilities if you have not done so already.

**Cost of Vulnerabilities**

A single vulnerability can invite thousands of cybersecurity troubles. Poodle, Heartbleed, EternalBlue, and Shellshock are just a few of the vulnerabilities that open businesses to security threats.

The report found 31% of vulnerabilities have been open for 180+ days. And 1,700+ of these are rated as critical and high vulnerabilities.

So, what happens if you don't patch the vulnerabilities? A failure to maintain this responsibility could have severe effects, including potential security breaches.

Back in 2017, the massive Equifax security breach made headlines. Hackers exploited the known vulnerability CVE-2017-5638 in their app framework and gained access to the company's system.

This breach exposed the personally identifiable information (PII) of 147 million people. Two years after the breach, the company said it spent $1.4 billion on cleanup costs and revamping its security program. Equifax agreed to pay up to $700 million to settle claims related to the breach.

The breach's total cost is likely higher than the reported settlements and expenses. It also includes intangible costs such as loss of trust, brand reputation, and long-term impact on the business.

**Managing Vulnerabilities With Virtual Patching**

Security patches play a vital role in dealing with vulnerabilities. They patch up the security gaps and resolve the risks. After all, successful exploitation means an insecure configuration or missing security control.

The patching process can, at times, be challenging. Many companies turn to virtual patching to protect their apps on the Web application firewall (WAF) when a system can't be patched immediately.

Virtual patching is a vulnerability shield that secures apps during your risk window and beyond. It enables you to scale your coverage and responses accordingly with appropriate defense, which can be applied in minutes or hours. Thereby, it reduces the risk of exposure to vulnerabilities.

Virtual patching is attained by implementing a security policy layer in the WAF. It eliminates application vulnerabilities without changing the codebase.

Companies can leverage virtual patching in two ways to mitigate vulnerabilities:

1.  Core rules
2.  Custom rules

The Indusface report found that the WAF core rule set blocks 40% of requests, and custom rules block 60%.

**Why Are the Custom Rules Gaining Momentum?**

Core rules are predefined, standardized, based on industry best practices, and designed to protect against known vulnerabilities. Security experts typically create these rules. Core rules are easy to implement and can provide high protection.

Since most dev teams work on sprints that are a few weeks long, vulnerabilities keep getting added with the changing code.

Most companies leverage weekly scans and periodic penetration testing on applications. Since fixing these on code will be long and arduous, product owners rely on WAF's custom rules to plug these vulnerabilities while their dev team focuses on shipping features.

Whenever the teams get to a security-focused sprint, they fix these vulnerabilities in the code.

Virtual patching is also used as a risk mitigation mechanism. For instance, we have observed that geofencing is gaining popularity in the custom rule category as application owners look to limit traffic from geographies where the application is not designed to be used. The other example is blacklisting or whitelisting IPs that are used to allow traffic to the application.

**False Positive Monitoring**

While the power of custom rules is undisputed, they also add the burden of monitoring applications for false positives.

In talking to several security leaders, one consistent theme that we keep hearing about is the lack of skilled security practitioners who can manage a complex application like a WAF/WAAP.

The other challenge is the worsening economy; security teams are increasingly being asked to do more with less.

We are seeing an increased trend of product owners relying on managed services to help with virtual patches and guarantee no false positives.

**Conclusion**

If the attackers discover a piece of exploitable code, the next step is taking advantage of the vulnerability.

The sooner you deploy the virtual patching, the sooner attackers look elsewhere. Keep your WAF running to ensure your security and bottom line.

**About the Author**

    

Venky is an application security technologist who built the new-age Web application scanner and cloud WAF AppTrana at Indusface as a founding CTO. Currently, he spends his time on driving product road map, customer success, growth, and technology adoption for US businesses.

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

Forward-leading business and technology leaders are seeing the value of the "do-It-yourself" approach.

The no-code approach has changed the nature of software development. However, if you're in IT, the idea of no-code apps being written without the involvement of professional developers may trigger some immediate concerns. How should enterprises prepare themselves for the shift toward no-code apps? Clearly, it's not a good strategy to simply ignore potential risks. But at the same time, the no-code approach continues to grow. The best way to approach it is to have a clear plan and process in place.

Start by challenging the common assumption that all "shadow IT" is bad, and embrace the desire of non-technical employees to build apps for themselves. Shadow IT reflects the business's continued drive for more innovation. Just keep in mind that a realistic governance model is essential for the process.

Let's discuss the three Ps of a governance model for no-code: process, people, and platform.

**Process **

If you implement too heavy a governance process for simple no-code apps, you run the risk of stifling innovation by imposing too many checklists on the building of simple apps. This defeats the underlying benefits of faster speed and agility of no-code. However, being too lax on governance for more mission-critical applications can run the risk of security issues, data breaches, or compliance risks.

We recommend formalizing a framework to help your teams avoid a one-size-fits-all mentality regarding no-code governance. This framework should evaluate your no-code project from three different dimensions: business (i.e., complexity of process and organization), governance (i.e., internal and external compliance with laws, guidelines, and regulations), and technical (i.e., how much assistance teams need from professional developers). Use a checklist to "score" the complexity of your app and selectively apply governance practices in a manner that scales based on complexity. You want to apply just the right amount of governance that doesn't discourage business innovation, while balancing the need to appropriately control and secure apps.

**People **

The next dimension is people, which defines the organization for no-code delivery. Again, you want to scale your approach to be neither too small nor too large/complex. You generally categorize no-code development teams into three delivery models: 

*   "Do-it-yourself" is the simplest model, where all primary roles of the no-code project are contained within a team sitting inside a single business unit and a single sponsor. This makes the business highly autonomous and in charge of their own destiny.
*   "Center of excellence" (or CoE) delivery is typically owned and led by a single overall cross-functional CoE leader. It has skilled knowledge workers whose mission is to maximize efficiency through consistent definition and adoption of best practices for no-code across the organization. 
*   "Fusion team" represents a multidisciplinary team comprised of both business and IT resources collaborating together. Typically, this is because of greater technical requirements and complexity. They may also be tapped to provide expertise around specific technical areas, such as security or DevOps. 

These delivery models often evolve over time. The CoE and fusion approaches typically do not get formed immediately but emerge after the organization has started building some no-code expertise from multiple DIY projects and more technically challenging and mission-critical applications.

**Platform**

No-code apps run on an underlying no-code platform. It's essential to be thorough in your diligence when selecting a no-code platform provider: understand the measures they take to maintain and harden their platform against security attacks and meet any necessary industry compliance certifications (e.g., GDPR, HIPAA, PCI DSS, etc.). \[Editor's note: The author's company is one of a number of platform providers in this area.\] The first time the no-code platform is implemented, plan for thorough security and compliance reviews to validate the platform. Subsequent governance checks to build individual no-code apps will likely be streamlined.

Work with your organization's chief information security officer (CISO) and/or security department to create a no-code security checklist. This should identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance. The checklist should be applied by the business teams (and automated by a modern no-code platform) to provide a repeatable approach to security governance as they build no-code apps. The checklist should build upon the existing standards and practices within the organization, augmented with additional guidance from industry groups (like the OWASP Foundation), which are increasingly creating new checklists specific to low-code/no-code development.

Forward-leading business and technology leaders understand the value of no-code approach — and you should too. However, business teams that want to build DIY software need guidance with the right strategy that applies the "right amount" of governance.

Managing the Governance Model for Software Development in a No-Code Ecosystem

Current and former cybersecurity leaders from Microsoft, Google, GitLab, Check Point, OWASP, Fortinet and others have already joined the open framework initiative, which is being led by OX Security.

**TEL AVIV, Israel****,** **Feb. 1, 2023** **/PRNewswire/ --** OX Security, the first end-to-end software supply chain security solution, today announced the launch of OSC&R (Open Software Supply Chain Attack Reference)_,_ the first and only open framework for understanding and evaluating existing threats to entire software supply chain security.

The founding consortium of cybersecurity leaders behind OSC&R include: David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

Discussions with hundreds of industry leaders revealed that there was a very concrete need for a MITRE-like framework that would allow experts to better understand and measure supply chain risk, a process that until now could only be  based on intuition and experience. OSC&R is designed to provide a common language  and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Neatsun Ziv, who served as Check Point's VP of Cyber Security before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."

OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups.

"OSC&R helps security teams build their security strategy with confidence," said Hiroki Suezawa, Senior Security Engineer at Gitlab. "We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions," he continued.

The OSC&R framework will update as new tactics and techniques emerge and evolve. It will also assist red-teaming activities by helping set the scope required for a pentest or a red team exercise, serving as a scorecard both during and after the test. The framework will also now be open for other cybersecurity leaders and practitioners to contribute to OSC&R.

"I believe the OSC&R framework will help organizations reduce their attack surface," said Naor Penso, Head of Product Security at FICO. "I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise."

The OSC&R framework is now online: https://pbom.dev/

**About OX Security**

OX Security believes that security should be an integral part of the software development process, not an afterthought. Founded by Neatsun Ziv and Lior Arzi, who previously led Check Point's Security Group, OX  is the first end-to-end software supply chain security solution. OX provides DevSecOps teams with the automation, visibility, and risk insights they need to bring security and integrity to every step of the supply chain, from the earliest planning stages until deployment to production.

SOURCE Ox Security

Cybersecurity Leaders Launch First Attack Matrix for Software Supply Chain Security

**WATERLOO, ON****,** **Feb. 2, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) today released new research revealing that half (51%) of IT professionals predict that we are less than a year away from a successful cyberattack being credited to ChatGPT, and 71% believe that foreign states may already be using the technology for malicious purposes against other nations.

The survey of 1,500 IT decision makers across North America, UK, and Australia exposed a perception that, although respondents in all countries see ChatGPT as generally being put to use for 'good' purposes, 74% acknowledge its potential threat to cybersecurity and are concerned. Though there are differing views around the world on how that threat might manifest, ChatGPT's ability to help hackers craft more believable and legitimate sounding phishing emails is the top global concern (53%), along with enabling less experienced hackers to improve their technical knowledge and develop more specialized skills (49%) and its use for spreading misinformation (49%).

Shishir Singh, Chief Technology Officer, Cybersecurity at BlackBerry explains: "ChatGPT will likely increase its influence in the cyber industry over time. We've all seen a lot of hype and scaremongering, but the pulse of the industry remains fairly pragmatic – and for good reason. There are a lot of benefits to be gained from this kind of advanced technology and we're only beginning to scratch the surface, but we also can't ignore the ramifications. As the maturity of the platform and the hackers' experience of putting it to use progresses, it will get more and more difficult to defend without also using AI in defense to level the playing field."

Indeed, BlackBerry's research results also revealed that the majority (82%) of IT decision-makers plan to invest in AI-driven cybersecurity in the next two years and almost half (48%) plan to invest before the end of 2023. This reflects the growing concern that signature-based protection solutions are no longer effective in providing cyber protection against an increasingly sophisticated threat.

Whilst IT directors are positive that ChatGPT will enhance cybersecurity for businesses, the survey also revealed that 95% believe governments have a responsibility to regulate advanced technologies.  However, at present, there is an optimistic consensus that technology and research professionals will gain more than cyber criminals from the capabilities of ChatGPT.

Singh concludes: "It's been well documented that people with malicious intent are testing the waters but, over the course of this year, we expect to see hackers get a much better handle on how to use ChatGPT successfully for nefarious purposes; whether as a tool to write better mutable malware or as an enabler to bolster their 'skillset.' Both cyber pros and hackers will continue to look into how they can utilize it best. Time will tell who's more effective." 

For more information on how BlackBerry's comprehensive, prevention-first, AI-driven cybersecurity solutions can help your business prepare for, prevent, detect and respond to cyber threats, please visit BlackBerry.com.

_Note: Research conducted in_ January 2023 _by_ OnePoll _on behalf of_ BlackBerry_, into 1,500 IT Decision Makers across_ North America _(_USA _and_ Canada_), the_ United Kingdom _and_ Australia_._

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world.  The company secures more than 500M endpoints including over 215M vehicles.  Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint management, endpoint security, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust. 

BlackBerry. Intelligent Security. Everywhere. 

For more information, visit BlackBerry.com and follow @BlackBerry.

ChatGPT May Already Be Used In Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research

Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

An OpSec slip from the North Korean threat group helps researchers attribute what was first suspected as a ransomware attack to nation-state espionage.

Security researchers on Feb. 2 reported that they have detected a cyberattack campaign by the North Korean Lazarus Group, targeting medical research and energy organizations for espionage purposes. 

The attribution was made by threat intelligence analysts for WithSecure, which discovered the campaign while running down an incident against a customer it suspected was a ransomware attack. Further investigation — and a key operational security (OpSec) slip-up by the Lazarus crew — helped them uncover evidence that it was actually part of a wider state-sponsored intelligence gathering campaign being directed by North Korea.

"This was initially suspected to be an attempted BianLian ransomware attack," says Sami Ruohonen, senior threat intelligence researcher for WithSecure. "The evidence we collected quickly pointed in a different direction. And as we collected more, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group."

**From Ransomware to Cyber Espionage**

The incident that led them to this activity began through an initial compromise and privilege escalation that was achieved through exploitation of known vulnerabilities in an unpatched Zimbra mail server at the end of August. Within a week, the threat actors had exfiltrated many gigabytes of data from the mailboxes on that server. By October, the attacker was moving laterally across the network and using living-off-the-land (LotL) techniques along the way. By November, the compromised assets started beaconing to Cobalt Strike command-and-control (C2) infrastructure, and in that time period, attackers exfiltrated almost 100GB of data from the network. 

The research team dubbed the incident "No Pineapple" for an error message in a backdoor used by the bad guys, that appended <No Pineapple!> when data exceeded segmented byte size.

The researchers say they have a high degree of confidence that the activity squares up with Lazarus group activity based on the malware, TTPs, and a couple of findings that include one key action during the data exfiltration. They discovered an attacker-controlled Web shell that for a short time connected to an IP address belonging to North Korea. The country has fewer than a thousand such addresses, and at first, the researchers wondered if it was a mistake, before confirming it wasn't.

“In spite of that OpSec fail, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints," says Tim West, head of threat intelligence for WithSecure.

As the researchers kept digging into the incident, they were also able to identify additional victims of the attack based on connections to one of the C2 servers controlled by the threat actors, suggesting a much broader effort than originally suspected, in keeping with espionage motives. Other victims included a healthcare research company; a manufacturer of technology used in energy, research, defense, and healthcare verticals; and a chemical engineering department at a leading research university. 

The infrastructure observed by the researchers has been established since last May, with most of the breaches observed taking place in third quarter of 2022. Based on the victimology of the campaign, the analysts believe the threat actor was intentionally targeting the supply chain of the medical research and energy verticals.

**Lazarus Never Stays Down for Long**

Lazarus is a long-running threat group that's widely thought to be run by North Korea's Foreign Intelligence and Reconnaissance Bureau. Threat researchers have pinned activity to the group dating as far back as 2009, with consistent attacks stemming from it over the years since, with only short periods of going to ground in between. 

The motives are both financial — it's an important revenue-generator for the regime — and spy-related. In 2022, numerous reports emerged of advanced attacks from Lazarus that included targeting of Apple's M1 chip, as well as fake job posting scams. A similar attack last April sent malicious files to targets in the chemical sector and IT, also disguised as job offers for highly attractive dream jobs.

Meanwhile, last week the FBI confirmed that Lazarus Group threat actors were responsible for the theft last June of $100 million of virtual currency from the cross-chain communication system from the blockchain firm Harmony, called Horizon Bridge. The FBI's investigators report that the group used the Railgun privacy protocol earlier in January to launder more than $60 million worth of Ethereum stolen in the Horizon Bridge heist. Authorities say they were able to freeze "a portion of these funds."

Lazarus Group Rises Again, to Gather Intelligence on Energy, Healthcare Firms

Enterprises often don't know whose responsibility it is to monitor for spoofed brand sites and scams that steal customers' trust, money, and personally identifiable information.

Impersonation stands at the heart of so many cybercriminal schemes today. Whether used to fuel traditional phishing or malware propagation attacks, business email compromise, advertising fraud, or e-commerce fraud, there's nothing quite so effective as piggybacking off the trust and goodwill of a brand to lure people into a scam.

Brand impersonation can be a particularly thorny problem for CISOs, especially when the threats stray from the typical malicious email attacks that security practitioners have grown up fighting. Today, retailers, product creators, and service providers increasingly face a whole host of brand theft and impersonation ploys that stretch far beyond the common phishing scam.

Criminals are making a killing setting up scam sites that masquerade as a brand's property to sell counterfeit or gray-market merchandise, to fence stolen goods, or to process payment and never send the product at all. According to the US Federal Trade Commission (FTC), consumers have lost more than $2 billion to these kinds of scams since 2017.

**Stealing a Brand**

For the businesses that are imitated, these scam sites at best erode the brand's trustworthiness and value. At worst, they steal sales and could even threaten the very existence of a small or emerging business.

"We've had a close shave with brand impersonation at Code Galaxy. Someone created a business profile — website, social media profiles, and everything — with our own brand identity. They went to advertise the same services we offer at ridiculously lower prices, only that they didn't even offer the services. They simply made away with the money," says Marliis Reinkort, CEO and founder of Code Galaxy, an online coding school for kids. She explained that her team didn't notice the fraud until it had not only scammed potential customers but also made the entire market think her business had drastically cut prices. "That single occurrence was a wake-up call for me. The reputational damage dealt a huge blow to the business for a while."

It's understandable that startups like Code Galaxy would struggle to detect brand impersonation due to resource constraints, but even enterprises with mature security functions can have a hard time systematically rooting out impostors that leech off their brand. Utilizing techniques like website spoofing through typosquatting and lookalike URLs, brand impersonation attacks often aren't attacking a company's owned infrastructure — making them very difficult for incident responders to detect in a security operations center (SOC) setting using traditional security alerting tools.

"The external attack surface for brand impersonation are built and launched by bad actors entirely on the Internet," says Ihab Shraim, CTO at CSC Digital Brand Services. "Therefore, the SOC security teams do not have the specific data feeds \[they need to detect impersonations\]."

**Tracking Mentions, Keywords**

To alleviate the gap, some companies proactively search online or use simple brand tracking tools. This is how Reinkort and her team have responded since Code Galaxy's costly brush with brand impersonation.

"We actively track brand mentions and keywords related to the business, even when misspelled," she says. "Brand mentions should just be for engagement and troubleshooting. We ended up discovering two brand impersonations by simply tracking mentions that mirror our keywords and acting words."

But the increasing volume of online marketplaces means that organizations trying to scan for keywords and mentions are likely to bump into scalability issues.

"Brand impersonation is hard to track due to the vast number of digital marketplaces that have materialized in the past decade," says Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG. "Simply scanning the Internet for similarly named products, websites, and product descriptions is no longer sufficient to identify and remove fraudulent information."

**Whose Job Is It?**

Additionally, because attackers are essentially committing trademark violations in these instances, and because irate victims often call the spoofed company's customer service asking for the product they paid for or to return defective products, it is often unclear within larger organizations whose responsibility it even is to go after the impostors once they're detected.

"This has not been in the realm of security practitioners in a consistent way for very long," says Josh Shaul, CEO of Allure Security, an online brand protection company that's part of a growing category of firms focused on detecting scam sites and remediating through actions like takedowns.

He explains that when he goes out to the market and talks to companies, sometimes they'll say they've got incident response (IR) looking at the problem. At other companies, they say the legal team is on it. At still others, they see it as a customer service or marketing problem. Meanwhile, the attacks keep mounting, and the company struggles with quickly orchestrating mitigation efforts like takedown requests and communication with registrars.

CISOs will need to take a systematic and multi-disciplinary approach to solve the brand impersonation problem. That begins with registering trademarks and setting up domains and social media presence for the brand, and then extends to include domain monitoring and using threat intelligence to identify impersonation attempts.

"It's odd, because to me this is all in the realm of the security \[professional\]," Shaul says. "The trademark is an important piece, but it's a fraud problem and a security incident problem. People are stealing from you, and you're trying to prevent the theft."

Why CISOs Should Care About Brand Impersonation Scam Sites

The average organization does business with 11 third parties, and 98% of organizations do business with a third party who has suffered a breach, an analysis finds.

Nearly every company does business with — or uses the products of — a third party that has suffered a compromise, thus increasing their security risks.

That's according to data science firm Cyentia Institute, which has issued an analysis that includes external measurements of security from more than 230,000 organizations provided by cybersecurity risk-management firm SecurityScorecard. It found that the average firm had around 10 third-party relationships, and hundreds of indirect fourth-party relationships, with the typical firm having 60 to 90 times more fourth parties than third parties. Nearly all firms (98%) had at least one third-party partner who had suffered a breach, the report stated.

The IT sector has the most third parties, with an average of 25, while the finance sector had the fewest, at 6.5. Those numbers quickly balloon when fourth-party relationships are included, as did their risk. The average firm has an indirect relationship with 200 fourth parties that have had a breach, the analysis found.

The research underscores the sprawling nature of third- and fourth-party relationships for corporations, and the dramatic increase in risk that they can cause, says Wade Baker, founder and partner at the Cyentia Institute.

"Risk goes downhill," he says. "The first parties are more likely to have good security \[risk\] scores than their third parties, and with fourth parties, the numbers really explode. You need to expect \[these firms and products\] to not be up to your standards for security."

That's because while many organizations have become more mature regarding their own cyber risks, few are cognizant of the extended risks, Cyentia and SecurityScorecard stated in the analysis.

"Many organizations are still unaware of the dependencies and exposures inherent to third-party relationships, and simply focus on managing their own security posture," the report stated. "Others are aware of those issues, but don't make vendor decisions based on security and/or require vendors to meet certain standards. Even firms that do establish third-party security requirements can struggle to continually monitor compliance and progress."

    

Almost all companies did business with a third party who had been compromised in the past 2 years. Source: Cyentia Institute and SecurityScorecard

Third-party and supply-chain risk have become significant issues in recent years. And CISOs have become increasing wary of their third-party providers, ever since the compromise of an HVAC supplier led to the breach of retail giant Target.

While the analysis looks at third-party risk, the definition of what a third party is extends not just to vendors and partners, but software providers and open source projects. Now-infamous attacks on software suppliers such as SolarWinds, and vulnerabilities in widely used software components such as Log4J, have raised the visibility of the risk that this arena poses.

The top 5 technologies included in third-party relationships within the data are Google Analytics, Google Tag Manager, Amazon Web Hosting, PHP, and Facebook products — all of which were involved in two-thirds (68%) of third-party relationships, the report stated.

"A lot of these third and fourth party relationships \[involve us\] both agreeing to adhere to certain policies just by virtue of using a product, and now I'm opening up myself to a certain degree of risk," Baker says.

**Risk Rises With Each Hop**

The analysis also found that third parties typically have a weaker security posture than the companies they served. Overall, there is a much higher likelihood that third parties will have security problems, meaning that companies can't assume that all of their third parties are as diligent about security.

"I view it in the same way as all of us knowing we have too many privileges — in general, people have access to more data than they need to do their job," Baker says. "It would be good to reduce the number of third parties, especially if they're not needed, and also be a little bit more choosy."

The data, however, does not suggest a clear path forward, beside becoming more aware of the problem. Baker does not necessarily recommend, for example, that organizations cut the bottom 25% of their third parties from their business. However, evaluating them more closely or more frequently might be more realistic, he says.

"If we really want to protect our supply chains, we've got to we've got to make the weakest link stronger," Baker says. "And I think the analysis is showing that there's a lot of weak links across third parties and fourth parties, and that is where the challenge lies."

Source

DARKReading