CISA says Federal Civilian Executive Branch systems were compromised through a Log4Shell vulnerability in an unpatched VMware Horizon server.

An unpatched VMware Horizon server allowed an Iranian government-sponsored APT group to use the Log4Shell vulnerability to not only breach the US Federal Civilian Executive Branch (FCEB) systems, but also deploy XMRing cryptominer malware for good measure.

FCEB is the arm of the federal government that includes the Executive Office of the President, Cabinet Secretaries, and other executive branch departments.

A new update from the Cybersecurity and Infrastructure Security Agency (CISA) said that along with the FBI, the agencies determined the Iranian-backed threat group was able to move laterally to the domain controller, steal credentials, and deploy Ngrok reverse proxies to maintain persistence in the FCEB systems. The attack occurred from mid-June through mid-July, CISA said.

"CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities," CISA's breach alert explained. "If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Iranian APT Actors Breach US Government Network

Researchers find current data protections strategies are failing to get the job done, and IT leaders are concerned, while a lack of qualified IT security talent hampers cyber-defense initiatives.

Organizations are struggling with mounting data losses, increased downtime, and rising recovery costs due to cyberattacks — to the tune of $1.06 million in costs per incident. Meanwhile, IT security staffs are stalled on getting defenses up to speed.

That's according to the 2022 Dell Global Data Protection Index (GDPI) survey of 1,000 IT decision-makers across 15 countries and 14 industries, which found that organizations that experienced disruption have also suffered an average of 2TB data loss and 19 hours of downtime. 

Most respondents (67%) said they lack confidence that their existing data protection measures are sufficient to cope with malware and ransomware threats. A full 63% said they are not very confident that all business-critical data can be reliably recovered in the event of a destructive cyberattack.

Their fears seem founded: Nearly half of respondents (48%) experienced a cyberattack in the past 12 months that prevented access to their data (a 23% increase from 2021) — and that's a trend that Colm Keegan, senior consultant for data protection solutions at Dell Technologies, says will likely continue. 

"The growth and increased distribution of data across edge, core data center and multiple public cloud environments are making it exceedingly difficult for IT admins to protect their data," Keegan explains.

On the protection front, most organizations are falling behind; for instance, 91% are aware of or planning to deploy a zero-trust architecture, but only 12% are fully deployed.

And it's not just advanced defense that's lacking: Keegan points out that 69% of respondents stated they simply cannot meet their backup windows to be prepared for a ransomware attack.

**Data Protection Strategies Face Headwinds**

One of the primary reasons data protection strategies are failing is the lack of visibility of where that data resides and what it is — a problem exacerbated by the rapid, ongoing adoption of cloud-native apps and containers. More than three-quarters of survey respondents said there is a lack of common data protection solutions for these newer technologies.

"Seventy-two percent said they are unable to keep up with what their developers are doing in the cloud — it’s basically a blind spot for them," Keegan says.  

Claude Mandy, chief evangelist of data security at Symmetry Systems, a provider of hybrid cloud data security solutions, agrees that a lack of visibility is the primary reason current data-protection strategies fail.

"Organizations simply do not know what data they have, where it is, let alone how it is protected," he says. "Unfortunately, a lot of the data-protection failures are preventable by simply knowing the answers to these questions."

He adds that the problem is worsened by the constant change of data within an organization. From his perspective, the sheer scale and complexity of millions of individual data objects across thousands of data stored in multiple clouds, multiplied by a seemingly infinite combination of roles and permissions for thousands of user and machine identities, would be challenging for chief information security officers (CISOs) to secure even if they were static. They're not, so the situation is even more challenging.

To boot, in a lot of cases, organizations are using multiple data security tools for different silos of information, with no overarching integration between them.

"The billions of objects form over months or years, and change constantly," Mandy says. "This is further exacerbated through continuous data flows, privilege creep, data sprawl, and organizational churn, resulting in \[visibility\] to data that is far from ideal."

**Zero-Trust Implementation Lags, Despite Interest**

Zero trust is growing in popularity in enterprise security because not trusting users by default works well to reduce risk. Indeed, virtually all the GDPI respondents indicated they intend to implement zero trust into their environments at some point.

However, actual deployment is not happening at a rapid pace — as mentioned, only 12% of respondents indicated they have fully deployed at zero-trust architecture into their environments. According to researchers, the main problem is a critical shortfall in IT skills, particularly as it relates to cyber recovery and data protection.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions, but just 65 cybersecurity professionals are in the workforce for every 100 available jobs, a recent study shows.

"If you don’t have cybersecurity professionals on staff, it’s virtually impossible to make progress on deploying a zero-trust framework, unless, of course, you rely on partners to help you get there," Keegan says. "Now consider the demand for these resources in the market. Like supply chain constraints, demand is high, and the supply is low."

Patrick Tiquet, vice president of security and architecture at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, says that zero-trust management can be challenging even with staff on board.

"Implementation of \[zero trust\] is currently a common data-protection strategy," he explains. "However, for \[zero trust\] to be effective, access and roles must first be configured correctly."

This means ensuring the right people have access to the right data and resources within the zero-trust architecture. Roles must be implemented that are adequately scoped to protect the data that role can access — and correctly configuring access to data just one time ("set it and forget it," in other words) is not enough.

"The organization must maintain and manage data access through the lifecycle of the data, and as the organization grows," Tiquet adds. "Organizations must make sure that, as teams grow and change, the access given to a specific role is still appropriate."

**Vendor Consolidation on the To-Do List**

Keegan says it’s likely there will be some retooling at organizations in terms of platforms — many survey respondents (85%) said they believe they would see a benefit through reducing the number of data protection vendors they work with.

"The research tends to support this sentiment," he adds. "For example, those using a single data protection vendor had far fewer incidents of data loss than those using multiple vendors."

Likewise, the cost of data loss incidents resulting from a cyber attack was approximately 34% higher for those organizations working with multiple data protection vendors than those using a single vendor, according to the survey.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics software-as-a-service (SaaS) company, says the current spate of M&A and consolidation in the cybersecurity market speaks to those drivers — but warns that vendors trying to be all things to all security problems has its own downsides.

"The larger tech firms get, the less ability they have to innovate and solve problems leading to opportunities for new vendors to step in with new solutions," he explains. "It's \[a cycle\] we see of M&A frenzy and stagnation, then new companies enter to innovate — and more M&A."

Keegan, meanwhile, says he is hearing calls in the analyst community that organizations need to consider shifting their investments from cybersecurity prevention to resiliency.

"This means accepting the inevitability that security breaches will occur," he notes. "Moreover, companies need to have a plan that enables them to recover their critical data and business applications in a timely manner to meet their service level objectives."

Zero-Trust Initiatives Stall, as Cyberattack Costs Rocket to $1M per Incident

The socially engineered campaign used a legitimate domain to send phishing emails to large swaths of university targets.

Cyberattackers have targeted students at national educational institutions in the US with a sophisticated phishing campaign that impersonated Instagram. The unusual aspect of the gambit is that they used a valid domain in an effort to steal credentials, bypassing both Microsoft 365 and Exchange email protections in the process.  

The socially engineered attack, which has targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there was an "unusual login" on their account, according to a blog post published on Nov. 17 by Armorblox Research Team.

The login lure is nothing new for phishers. But attackers also sent the messages from a valid email domain, making it much harder for both users and email-scanning technology to flag messages as fraudulent, the researchers said.

"Traditional security training advises looking at email domains before responding for any clear signs of fraud," they explained in the post. "However, in this case, a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain's validity."

As phishing has been around so long, attackers know that most people who use email are on to them and thus familiar with how to spot fraudulent messages. This has forced threat actors to get more creative in their tactics to try to fool users into thinking phishing emails are legitimate.

Moreover, those of university age who use Instagram would likely be among the savviest of internet users, having grown up using the technology — which may be why attackers in this campaign in particular were so careful to appear authentic.

Whatever the reason, the campaign's combination of spoofing, brand impersonation, and a legitimate domain allowed attackers to send messages that successfully passed through not only Office 365 and Exchange protections, but also DKIM, DMARC, and SPF alignment email authentication checks, the researchers said.

"Upon further analysis from the Armorblox Research Team, the sender domain received a reputable score of "trustworthy" and no infections in the past 12 months of the domain's 41 months of existence," they wrote in the post.

**"Unusual Login" Lure**

Researchers at Armorblox said the attacks started with an email with the subject line "We Noticed an Unusual Login, \[user handle\]," using a common tactic to instill a sense a urgency in the recipient to get them to read the email and take action.

The body of the email impersonated the Instagram brand, and appeared to be come from the social media platform's support team, with the sender's name, Instagram profile, and email address — which was the perfectly palatable "\[email protected\]" — all appearing legitimate, they said.

The message let the user know that an unrecognized device from a specific location and machine with a specific operating system — in the case of an example shared by Amorblox, Budapest and Windows, respectively — had logged in to their account.

"This targeted email attack was socially engineered, containing information specific to the recipient — like his or her Instagram user handle — in order to instill a level of trust that this email was a legitimate email communication from Instagram," the researchers wrote.

Attackers aimed for recipients to click on a link asking them to "secure" their login details included at the bottom of the email, which lead to a fake landing page that threat actors created to exfiltrate user credentials. If someone got that far, the landing page to which the link redirects, like the email, also mimicked a legitimate Instagram page, the researchers said.

"The information within this fake landing page provides the victims a level of detail to both corroborate the details within the email and also increase the sense of urgency to take action and click the call-to-action button, 'This Wasn’t Me,'" the researchers said.

If users take the bait and click to "verify" their accounts, they're directed to a second fake landing page that also impersonates Instagram credibly and are prompted to change account credentials on the premise that someone may already have stolen them.

Ironically, of course, it's the actual page itself that will be doing the stealing if the user logs in with new credentials, the researchers said.

**Avoiding Compromise and Credential Theft**

As threat actors get more sophisticated in how they craft phishing emails, so, too, must enterprises and their users in terms of detecting them.

Since the Instagram phishing campaign managed to bypass native email protections, researchers suggested that organizations should augment built-in email security with layers that take a materially different approach to threat detection. To help them find a solution, they can use trusted research from firms such as Gartner and others on which options are the best for their particular business.

Employees also should be advised or even trained to watch out for social engineering cues that are becoming more common in phishing campaigns rather than quickly execute the requested actions received in email messages, which our brains have been trained to do, the researchers said.

"Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email," they wrote.

Additionally, the researchers said, employing multifactor authentication and password-management best practices across both personal and business accounts can help avoid account compromise if an attacker does get ahold of a user's credentials through phishing.

Instagram Impersonators Target Thousands, Slipping by Microsoft's Cybersecurity

A single device with malicious code can foil a networking protocol used by spacecraft, aircraft, and industrial control systems, resulting in unpredictable operations and possible failures.

Imagine: A mission to redirect an asteroid using a team of astronauts goes wrong, when a malicious device onboard the spacecraft interferes with its ability to dock with a robotic spacecraft — causing the crewed capsule to veer off course, spinning into space.

Such a mission is still in the planning stages, but the simulated attack demonstrates the danger of a recently discovered vulnerability in the networking protocol used for securely sharing critical messages in software for spacecraft, airplanes, and critical infrastructure. That's according to researchers from the University of Michigan and NASA, who said the protocol, known as time-triggered ethernet (TTE), reduces the cost of implementing networks for critical infrastructure devices by allowing multiple devices to use the same network without affecting one another.

The vulnerability could be used to disrupt or cause failures in connected devices used in those highly sensitive applications. The researchers tested the attack in several experiments, ending with the simulation of an attack against NASA's planned Asteroid Redirect Mission. The ARM aims to use "a robotic spacecraft to move an asteroid into a stable orbit around the Moon." A crewed spacecraft, such as NASA's Orion, would then "carry astronauts to the asteroid in order to study it, take samples, and return the samples to Earth," the researchers stated in a paper published this week.

The experiments showed that it's practical for a simple device using electromagnetic interference to break the isolation that is the cornerstone of the TTE protocol.

The attack demonstrates some of the security issues that have to be considered when implementing networks hosting both critical and non-critical devices — an increasingly common occurrence as the designers of critical systems try to reduce costs and increase efficiency. TTE networks allow critical, time-sensitive traffic to travel on the same network as less critical traffic, known as best-effort (BE) communications. The attack, dubbed PCSPOOF, uses specially crafted interference to corrupt parts of non-critical network packets, allowing malicious data to be injected into critical systems.

"We wanted to determine what the impact would be in a real system," Baris Kasikci, an assistant professor of computer science and engineering at University of Michigan, said in a statement. "If someone executed this attack in a real spaceflight mission, what would the damage be?"

**Critical Infrastructure Under Attack**

The attack continues a trend of critical infrastructure and industrial control systems (ICS) being increasingly targeted by cyberattackers. The Cybersecurity and Infrastructure Security Agency (CISA) warned in September that advanced persistent threat (APT) actors had increased attacks against critical infrastructure, such as utilities and industrial targets.

Communications are a common point of entry. In April, CISA warned that attackers had created three malware tools that targeted the Open Platform Communications Unified Architecture (OPC UA), which allows sensors and other devices to exchange data with connected services and software.

Time-triggered networks are tightly synchronized using a global schedule that is loaded into the devices when the network is created, specifying when data frames are expected to be sent and received. The networks typically have low latency and jitter, measures of network delay and variability in bandwidth.

By identifying the IP address of another device on the network — the target — an attacker can determine the critical traffic marker through brute force. The networks allow devices on the same network to communicate with each other with the right critical traffic markers. Using the markers, an attacker could create a protocol control frame that holds data, a technique also known as packet-in-packet attack.

**Exploits in Space**

The disclosure comes as NASA launched its Artemis rocket after months of delays, the first step in its quest to put people back on the moon. With competition heating up in this second space race, attacks on spacecraft and robotic probes may not be out of the question: The PCSPOOF attack could certainly cause missions to fail in a catastrophic way, the researchers stated in the paper.  

"We evaluated PCSPOOF on an avionics testbed for a real spaceflight mission," the researchers said. "Our results show that PCSPOOF can threaten mission success and safety from a single BE device, such as those used in an onboard research experiment developed by a university."

Modern TTE networks often do not verify parts of the data packets sent through local subnets, which makes PCSPOOF attacks more achievable. During an attack, researchers gathered information from the targeted TTE network to create a special packet, known as a protocol control frame (PCF), and then injected that frame into the network while creating electromagnetic interference to undermine the switch's ability to control routing.  

As far as defending against such an attack, organizations can replace any copper Ethernet cables with fiber optic, thus eliminating the impact of electromagnetic interference. In addition, the network could be modified to prevent malicious synchronization-control messages from accessing the same devices as legitimate messages.

So far, affected organizations have committed to making the changes, according to Andrew Loveless, a UM doctoral student in computer science and engineering, and subject matter expert at NASA's Johnson Space Center. The researchers notified NASA, the European Space Agency, Northrop Grumman Space Systems, and Airbus Defense and Space — organizations which use TTE in critical systems.

"To our knowledge, there is not a current threat to anyone’s safety because of this attack," Loveless says. "We have been very encouraged by the response we have seen from industry and government."

Spacecraft Vulnerable to Failure, Thanks to Aerospace Networking Bug

Stop chatty apps from oversharing and eliminate a hacker backdoor — train developers on "security first" while subjecting APIs to least-privilege zero-trust policies.

We are more connected than ever — but far less so now than we will be: There will be 3.6 network devices for every living person in the world by 2023, up from 2.4 per person in 2018, according to the Cisco Annual Internet Report. The number of networked devices will rise from 18.4 billion to 29.3 billion within that time. The number of machine-to-machine (M2M) connections will increase from just over 6 billion to 14.7 billion.

As a result, we will grow only more reliant on software to make everything work. The performance of application programming interfaces (APIs) greatly affects software's overall effectiveness. Whether we're online seeking a weather update, participating in an industry webinar, sharing docs with colleagues, or calling up medical lab test results, APIs enable two software components to talk to each other to both make user requests and respond to them.

But, in this case, it's possible to have _too_ much talking between APIs which, like gossipy chatterbox co-workers in our offices, will overshare "too much information" if we let them. We call this "TMI tech."

By design, APIs open the floodgates for communication between apps. When the risk-mitigation measures of their access control are lax, APIs will reveal too much information or — even worse — expose themselves through a vulnerable app backdoor. Too often, developers over-permission APIs for functions so they don't have to keep changing access rights with every program build. However, attackers are well aware that this is happening, so they take over APIs and leverage their powerful permissions to breach networks.

As a result, oversharing APIs are emerging as frequently targeted, low-hanging fruit: The Salt Security State of API Security Report indicates that one-fifth of organizations have experienced a breach due to compromised APIs. Malicious traffic accounts for 2.1% of all API traffic, growing from an average of 12.22 million malicious calls per month to 26.46 million calls. The Open Web Application Security Project (OWASP) lists broken access control as the top Web application risk — over cryptographic failures, injections, and misconfigurations.

**Recommended Best Practices**

So, how do security leaders and their teams avoid these issues? We recommend the following best practices:

*   **Upskill developers to cultivate a "security first" culture.** It's critical to educate developers about the nuances that differentiate a poor coding pattern from a good one, to help them focus on building safe software from the start. When security teams strengthen their communications and relationships with developers, those developers learn how to use the right tools for protection and even maximize their value. Hands-on/person-to-person training proves essential here. Computer-based training by itself comes with too many limitations, often lacking the ability to verify the security skills of participants.
*   **Practice real-life scenarios.** All training programs must include this. Developers benefit the most by experiencing the real-world scenarios and consequences of broken access control – it's the most potent way to both verify and improve skills.
*   **Extend zero trust (ZT) to APIs.** We typically consider ZT in terms of user access. But we should apply it to APIs as well to eliminate over-permissioning and enforce role-based controls. If an API is supposed to perform a specific function, then security teams must work with developers to restrict permissions to solely that function.
*   **Contain API "phone privileges."** In further incorporating ZT, security/developer teams should limit the calls APIs are allowed to make, so these calls are strictly conducted based upon context-centered requests. Subsequently, attackers will encounter difficulties in modifying them for criminal purposes.

**Training Is Key**

Whether dealing with real people or software, we should take oversharing seriously. Those gossipy chatterbox co-workers could cause very real damage in the office, after all, which is why HR needs to sit down with them to firmly enforce what is appropriate to discuss and what is not. In the same office, we don't allow Sara from accounting to snoop around freely in the legal department and download whatever documents she wants.

Similarly, we have to train developers on "security first" while subjecting APIs to least-privilege ZT policies. With this, software will share only what is necessary to perform set tasks, and the elimination of TMI tech will firmly seal off our office "door" — and the network and all digital assets — from attackers.

TMI Tech: How to Stop Vulnerable Software from 'Oversharing'

Online fraud prevention company predicts Cyber Monday will see a 100% increase in online fraud attempts.

Austin, TX - November 17, 2022 — Leveraging data from its own platform, SEON is painting a daunting, but nuanced picture of online fraud in the run up to Black Friday and Cyber Monday. This year, SEON predicts that fraud attempts will increase by more than 100% on Cyber Monday when compared to a typical Monday. In addition, the company foresees bot programs and fake profiles as being the weapons of choice for fraudsters in 2022.

SEON’s internal data paints an interesting picture for online businesses like eCommerce merchants, online loan providers and iGaming companies. While the company processed 26% more transactions on Black Friday compared to a normal Friday, it saw a 57% increase in declined transaction rates. More surprisingly, the company’s system processed around 19.5% more transactions on Cyber Monday than on a typical Monday but experienced an 100.3% increase in declined transaction rates.

Last year, SEON reviewed more than $300 billion of transactions during Black Friday and Cyber Monday. During this period, the company was able to stop more than $6 billion in attempted fraud on behalf of its clients. Now, the company is predicting similar figures for this year’s shopping bonanza. In fact, SEON believes more people may now turn to online fraud in response to growing economic pressures.

SEON, which has just been named as the ‘Hottest Cybersecurity Startup’ at The Europas Awards 2022, predicted a 150% increase in attempted loan fraud during last year's Black Friday. The company’s own research now shows this prediction to be somewhat conservative. The sector saw the biggest increase in attempted fraud according to SEON’s data last year and must now brace for a similar period in 2022.

For more information about SEON, please visit: https://seon.io/

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyber Monday Will Be the Most Fraudulent Day of the Season, Says SEON

**NEW YORK, Nov. 16, 2022 /PRNewswire/ —** Yesterday, a broad transatlantic coalition of 41 associations - representing companies of all sizes from various sectors of the business community - called on EU policymakers to make a swift conclusion to the EU adequacy decision process so that businesses can confidently rely on the new EU-U.S. Data Privacy Framework. In a statement delivered to EU and U.S. officials, the associations offered an analysis of recent U.S. Executive Order and accompanying U.S. Department of Justice regulations implementing the U.S.'s commitments under the EU-U.S. Data Privacy Framework to help inform and support EU's work towards making the EU-U.S. Data Privacy Framework operational through the EU adequacy decision process.

"We urge all stakeholders to consider deliberately but fairly the substance of these new U.S. legal requirements, which establish unprecedented restrictions on U.S. surveillance activities as well as a meaningful redress mechanism for EU citizens," **the associations wrote.** "We are heartened that these new safeguards serve to strengthen all existing transfer mechanisms available to companies, including standard contractual clauses, and should be relevant considerations in the context of EU supervisory authority investigations. Furthermore, we recognize that this is not only a matter of facilitating economic stability and growth. The efforts to reach agreement on a new framework embody a statement of common purpose from the EU and U.S., and a willingness to work together to find new ways to uphold the joint values we share as democratic societies. These developments also send a strong message on the importance of privacy globally, and in establishing robust and secure frameworks for cross-border data transfers."

Recipients of the statement included European Commission President Ursula von der Leyen; Executive Vice-President Margrethe Vestager; Commissioner Didier Reynders; Commissioner Vera Jourova; Members of European parliament's LIBE Committee, the European Data Protection Board, the European Data Protection Supervisor, and individual Data Protect Authorities; officials from EU Member States; and U.S. Administration officials, including those at the U.S. Departments of Commerce and Justice.

The statement was signed by ACT | The App Association, Alliance Française des Industries du Numérique (AFNUM), Alliance for Automotive Innovation, Allied for Startups, AmCham EU, AmCham Ireland, American Council of Life Insurers, Asia Internet Coalition (AIC), Biotechnology Innovation Organization (BIO), Bitkom, Business Roundtable, Coalition of Services Industries (CSI), Computer & Communications Industry Association (CCIA), Confederation of Danish Industry (DI), Confederation of Industry of the Czech Republic (SPCR), Consumer Technology Association® (CTA), Danish Entrepreneurs, Dansk Erhverv / The Danish Chamber of Commerce, Developers Alliance, Digital Future for Europe, Digital Poland ZIPSEE, Ecommerce Europe, Engine, Entertainment Software Association, European Games Developer Federation (EGDF), European Publishers Council, FEDMA, IAB, INFOBALT, ITI – Information Technology Industry Council, Interactive Software Federation of Europe (ISFE), Internet Infrastructure Coalition, National Retail Federation, NLdigital, Software & Information Industry Association (SIIA), Swedish Enterprise (SN), TechNet, techUK, Trans-Atlantic Business Council, U.S. Chamber of Commerce, and **U.S. Council of International Business (USCIB)**.

Read the full statement here.

41 Transatlantic Business Coalition Calls on EU Policymakers to Finalize Agreement to Secure Transatlantic Data Flows

Unified data layer enables continuous platform updates.

**Santa Clara, CA, November 17, 2022 —** Revelstoke, the next-level Security Orchestration Automation and Response (SOAR) platform, today announces several new product upgrades to include sub-workflow, case management, and indicators of compromise (IOC) automation.

Revelstoke offers Chief Information Security Officers (CISOs) and security analysts the only SOAR solution built on a unified data layer (UDL). Revelstoke automates analysis, eliminates software development needs, optimizes workflows, prevents vendor lock, scales processes, and quickly and effectively allows analysts to get to the root of incidents.

New Revelstoke capabilities include:

**Sub-Workflow Replication**

Sub-workflows allow analysts to create a repeatable process that can be reused across multiple workflows. For example, if there is a common account lockdown procedure across numerous account types, a sub-workflow allows this functionality to be created once and used in multiple locations. Revelstoke users can containerize reusable objects, saving time and allowing analysts to focus more on mission-critical issues and threats.

Without an automated sub-workflow, analysts must build a workflow every time they repeat a task manually, and organizations cannot create and manage repeatable processes across the board.

**Case Management Console**

The new Case Management console builds on Revelstoke’s unique case management offerings. The console allows at-a-glance access to all active cases, including functional quick search, pagination, and sorting. Analysts can now view data simply instead of searching through pages and pages of case number listings. In addition, analysts get single-view access to the status of cases to determine those which need attention and those that are remedied.

**IOC Database Initiation**

Revelstoke now allows analysts to search the entire UDL data store for common entities between cases and incidents. As alerts flow into cases, analysts can discover cases that are similar or have similar indicators. This represents the first step toward a robust IOC database, allowing SOC analysts to search across cases for common IOCs and build correlations.

“The capabilities of Revelstoke’s unique UDL powers a platform that can be upgraded and augmented to meet the evolving needs of Security Operations Centers,” said Josh McCarthy, Revelstoke Co-Founder, and Chief Product Officer. “We continually focus on ensuring that our customers have access to SOAR automation capabilities not offered by any other platform.”

Additional user interface capabilities include:

· Streamlined Dashboard

*   Consolidated Workflow Interface
*   Integration Management Console

· New User Preferences including Light and Dark Mode

**Multi-Tenancy**

Multi-tenancy allows for Managed Security Service Providers (MSSPs), Managed, Detection and Responders (MDRs), and large multi-national enterprise customers to segregate, but still centrally manage individual customers or business units from one "parent" account. This allows the parent to push down workflows to all the other tenants as well as offer a birds-eye view of the entire environment while allowing the individual “child tenants” to manage their own environments and not see each other's data. This is made even more powerful by the UDL which pushes down workflows from the parent to seamlessly adapt to any technology stack.

For more details on platform enhancements, please visit: https://www.revelstoke.io/resource/revelstoke-interface-v2-features-updates-and-improvements/

**About Revelstoke**

Revelstoke is the only next-generation Security Orchestration, Automation, and Response (SOAR) solution built on a Unified Data Layer that offers no-code automation and low-code customization. Revelstoke empowers CISOs and security analysts to automate analysis, eliminate software development needs, optimize workflows, prevent vendor lock, scale processes, and secure the enterprise. For more information, get on board at Revelstoke.io.

Revelstoke Upgrades SOAR Platform With Augmented Automation, Case Management, and User Interface Capabilities

Access to digital certificates would allow the Chinese-speaking espionage group to sign its custom malware and skate by security scanners.

The state-sponsored cyberattack group known as Billbug managed to compromise a digital certificate authority (CA) as part of an wide-ranging espionage campaign that stretched back to March — a concerning development in the advanced persistent threat (APT) playbook, researchers warn.

Digital certificates are files that are used to sign software as valid, and verify the identity of a device or user to enable encrypted connections. As such, a CA compromise could lead to a legion of stealthy follow-on attacks.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates, they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," according to a report this week from Symantec. "It could also potentially use compromised certificates to intercept HTTPS traffic."

"This is potentially very dangerous," the researchers noted.

Others concur. 

“Certificate authorities are one of the most important elements of maintaining security in today’s digital world," Chris Hickman, CSO at Keyfactor, tells Dark Reading. "Much like a driver’s license or passport, digital certificates contain information about an individual or entity and are used to verify the authenticity of websites, devices, or organizations, ensuring an individual user that the entity that they’re communicating with online can be trusted. Think of this as the difference between issuing a real ID rather than a fake one — real IDs will always have some characteristics that cannot be replicated in a fake ID. The same holds true with certificates, which is why this dangerous.”

**An Ongoing Spate of Cyber-Compromises**

Billbug (aka Lotus Blossom or Thrip) is a China-based espionage group that mainly targets victims in Southeast Asia. It's known for big-game hunting — i.e., going after the secrets held by military organizations, governmental entities, and communications providers. Sometimes it casts a broader net, hinting at darker motivations: In one past instance, it infiltrated an aerospace operator to infect the computers that monitor and control the movements of satellites.

In the latest run of nefarious activity, the APT hit a pantheon of government and defense agencies throughout Asia, in one case infesting "a large number of machines" on a government network with its custom malware.

"This campaign was ongoing from at least March 2022 to September 2022, and it is possible this activity may be ongoing," says Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team. "Billbug is a long-established threat group that has carried out multiple campaigns over the years. It is possible that this activity could extend to additional organizations or geographies, though Symantec has no evidence of that at the moment."

**A Familiar Approach to Cyberattacks**

At those targets as well as at the CA, the initial access vector has been the exploitation of vulnerable, public-facing applications. After gaining the ability to execute code, the threat actors go on to install their known, custom Hannotog or Sagerunex backdoors before burrowing deeper into networks.

For the later kill-chain stages, Billbug attackers use multiple living-off-the-land binaries (LoLBins), such as AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR, according to Symantec's report.

These legitimate tools can be abused for various doppelganger uses, such as querying Active Directory to map a network, ZIP-ing files for exfiltration, uncovering paths between endpoints, scanning NetBIOS and ports, and installing browser root certificates — not to mention downloading additional malware.

The custom backdoors combined with dual-use tools is a familiar footprint, having been used by the APT in the past. But the lack of concern about public exposure is par for the course for the group.

"It's notable that Billbug appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past," says Gorman.

She adds, "The group's heavy use of living off the land and dual-use tools is also notable, and underlines the need for organizations to have in place security products that can not only detect malware, but can also recognize if legitimate tools are potentially being used in a suspicious or malicious manner."

Symantec has notified the unnamed CA in question to inform it of the activity, but Gorman declined to offer further details as to its response or remediation efforts.

While there's no indication so far that the group was able to go on to compromise actual digital certificates, the researcher advises, "Enterprises should be aware that malware could be signed with valid certificates if threat actors are able to achieve access to cert authorities."

In general, organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain, she says.

"Symantec would also advise implementing proper audit and control of administrative account usage," Gorman notes. "We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network. Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."

China-Based Billbug APT Infiltrates Certificate Authority

The results are labor-intensive to parse, so knowing how to interpret them is key, security experts say.

A new set of evaluations for managed security service providers that MITRE Engenuity has released can potentially give enterprise decision-makers a handy resource to consult when selecting a provider. The key to benefiting from the information, though, is knowing how to interpret the results, MITRE and others said this week.

MITRE Engenuity's first-ever evaluation of security service providers — like its product evaluations — does not offer any winners or losers, nor any rankings based on performance, nor any indication of how well, or poorly, a vendor might have performed. 

Instead, it offers detailed information on how different security service providers analyze and describe adversary behavior to their clients. MITRE's evaluation leaves it entirely up to security professionals and teams using the data to make any vendor comparisons they might want with it.

**An Objective Look at MDR Capabilities**

"MITRE Engenuity’s ATT&CK Evaluations for Managed Services is likely the only objective demonstration of what’s available in the managed services and managed detection and response (MDR) market," says Katie Nickels, director of intelligence at Red Canary, one of 16 security service providers that participated in the evaluation. "It allows organizations to see a realistic demonstration of how these tools actually work, with those results being provided by a neutral third party."

For the evaluation, MITRE Engenuity gave each of the participating vendors an opportunity to deploy their adversary detection and monitoring tools on a MITRE-hosted Microsoft Azure environment. A MITRE purple team then executed an emulated attack on the environment using tactics and techniques of the well-known Iranian threat group OilRig. 

Service providers that participated in the evaluation knew the simulated attack would happen within business hours in a specific two-week period. However, MITRE did not inform them of more exact timing, what techniques it would use, or which adversary MITRE Engenuity was emulating.

In carrying out the simulated attack, MITRE Engenuity's team showcased commonly used adversary tactics such as spear-phishing for initial access, credential dumping, Web shell installation, lateral movement, data exfiltration, and cleanup. Vendors had an opportunity to use any of the tools in their MDR portfolio to evaluate the malicious activity and report on it. 

But MITRE's rules prohibited them from taking any steps to respond or block the attack because the goal was to see how each service provider detected and analyzed the unfolding attack and the detail and clarity with which it reported their findings.

**Parsing the Results Can Be Challenging**

MITRE Engenuity's evaluation results for each participating service provider offers both a high-level and a detailed view of how each of them detected the attack through the entire chain. It provides a look at the depth of the analysis each vendor provided at each stage, their communications with MITRE during the emulation, the individual techniques that they spotted and reported on, and what context and information they provided about the attack.

The information can be very useful for skilled security professionals who don't have the resources to do their own bake-off and are willing to compare results themselves, says John Pescatore, director of emerging security trends at the SANS Institute. But the data can be difficult to parse for others, he says. 

"MITRE Engenuity purposely doesn't make it easy to rank vendors in their evals," Pescatore says. "So, the tests are not useful for someone who just wants to make a 'safe' choice or compete the top three against each other."

"To compare, I’d have to look at each one and count how many techniques, etc., they covered, and I’d get some kind of ranking,' Pescatore notes. "But in order to understand how they did it, to see how that would fit with my processes, I have to either get info from the vendor or play with the product or service myself."

**Context Is Key**

Nickels from Red Canary says that while the results don't offer a clear apples-to-apples comparison between vendors, that’s not the point. "Every provider is different in how it detects activity and communicate findings, and every organization and security team has different needs," she says.

The best way to get an understanding of the value provided by each vendor in MITRE Engenuity's evaluation is to consider qualitative aspects, such as how each vendor communicated with MITRE during the emulation, the screen shots they took, and the analysis and context they might have provided, she says: "Examining these resources, while labor intensive, will offer organizations the best view into the value provided by each vendor."

In a report this week, Red Canary also highlighted what it described as some limitations of the MITRE Engenuity tests, such as it being too endpoint-focused and being too heavily weighted toward detection coverage and not enough on response. 

"The test required participants to turn off many preventive and other security controls," Nickels says. "Under normal circumstances, most of the vendors who participated would have detected and responded to MITRE’s emulation activity relatively early, thereby preventing the more impactful, later-stage activity."

Another factor to keep in mind when interpreting the results is whether all participating vendors deployed technologies that they normally use for MDR, or if they used something else for the evaluation. "We recommend organizations reviewing these results ask vendors if their environment was normal for the average customer."

**MITRE Engenuity's Recommendation**

In a blog post, Ashwin Radhakrishnan, MITRE Engenuity's general manager of ATT&CK evaluations, recommended that users consider the results in the proper context. Like Nickels noted, MITRE too strongly recommended against organizations merely looking at the total number of techniques a vendor might have detected as the sole yardstick.

"Before starting any analysis of technique coverage, it is important to determine which techniques are most relevant to your organization based on the adversary groups and threats that your organization faces," MITRE said. The blog post offered 10 ways that security practitioners should interpret the evaluation results.

The recommendations include looking at top-level report statuses of the service providers to get a high-level understanding of how they performed in the evaluation, looking at how the service providers presented their findings to their customers, and determining if the service providers correctly attributed the adversary (OilRig). Some of the other measures users consider is whether the service providers recommended any mitigation measures; the length of their reports; the clarity of the language in the reports; and the details in their own releases about the evaluations, MITRE Engenuity said.

Source

DARKReading