Mainz brings 25 years of industry experience to execute on Forescout’s strategy and drive its next phase of growth.

**SAN JOSE, Calif.--(****BUSINESS WIRE****)--** Forescout Technologies Inc., the global leader in compliance and cybersecurity for all connected devices, today announced that Barry Mainz will join the company as CEO, effective immediately.

Barry Mainz brings more than 25 years of experience in executive leadership across infrastructure software and cybersecurity companies. Mainz has served as CEO and member of the Board of Directors for MobileIron and also led Wind River Systems, a division of Intel, as President during important years of growth. Additionally, Mainz has held leadership roles, as well as advisory and board positions at private and public companies such as Mercury Interactive, Makara (acquired by Red Hat, Inc.) and Sun Microsystems.

“Barry has been working with Wael, our Board and myself for the last several months as we prepared to execute our next stage of growth. Barry is a passionate and inspirational leader who delivers customer value, builds strong teams and drives operational discipline and rigor,” said Greg Clark, Chairman of the Board, Forescout and former CEO of cybersecurity companies BlueCoat and Symantec. “His experience across scaled and innovative companies makes him an ideal leader to take the company to the next level. Barry rounds out a fantastic team at Forescout and will be building on our strong foundation. We are pleased with the results of Forescout’s journey to date, and we are excited about the new value Forescout is bringing to our customers through our acquisitions as well as our organic development.”

Bryan Taylor, head of Advent’s technology investment team and a Managing Partner in Palo Alto added, “We are excited for Barry’s appointment as CEO as he brings a wealth of experience and expertise to the role, and we are confident that under his leadership, the company will continue to thrive and achieve even greater success. We also want to thank Wael Mohamed for his leadership and his significant contribution to Forescout.”

“I am really excited about the work we’ve done to plan Forescout’s next horizon and am thrilled to partner with our Board, our strong management team and employees as we execute our plans,” said Barry Mainz, CEO, Forescout. “Working together with Greg and our Board over the past few months gives me high confidence that we are on the right strategy and will deliver immense value to our customers.”

**About Forescout**

Forescout Technologies, Inc. delivers compliance and cybersecurity for all connected devices, including IT, IoT, OT, IoMT, and cloud environments. The Forescout Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com

Managing cyber risk, together.

Forescout Appoints Technology Veteran Barry Mainz as CEO

Restoration teams must be part of a collaborative, initial response team to address costly downtime.

**CHATTANOOGA, Tenn.****,** **Jan. 24, 2023** **/PRNewswire/ --** Fenix24, a leading provider of disaster recovery services, released a white paper proposing a new flow for post-cybersecurity breach incident response that would significantly shorten downtime, the most-costly aspect of cyberattacks today. The paper, titled "The High Price of Business Interruption Requires New Response Modalities," argues that today's cyberattacks, particularly ransomware, have been designed to cause maximum destruction to the organization; and since downtime can cost between $100K and $1M for most organizations, it's time to redesign incident response (IR) flows to reduce business interruption by getting companies back to business faster. This can be accomplished by prioritizing restoration efforts to begin in the immediate aftermath of breach discovery. 

"The earlier restoration teams are brought into events, the lower the overall business interruption expenses," said Heath Renfrow, co-founder, Fenix24. "A few years ago, restoration was turning on systems. Today, these teams are essential to accelerating forensic data capture, establishing remote access into a compromised environment, and helping identify and prioritize critical systems for restoration, easing the pain of business interruption. When restoration is there from the beginning, everyone else can move faster. We have forged new models with Digital Forensics/Incident Response partners that are very collaborative and, in concert with Fenix24's intelligent restoration strategies, are producing up to 50% shorter downtimes."

The paper: proposes that the industry at large considers redefining the incident response model to involve restoration teams in the initial attack aftermath; encourages cyber insurance carriers to include restoration panels in their policies to encourage greater referral rates for high-quality restoration experts; and urges DFIR solutions providers not already adopting a collaborative model to consider the advantages it provides. Today's pre-, mid- and post-incident efforts can be greatly supported by real-time orchestration and communications tools such as Cygnvs, helping make this collaborative model a reality.

Historically, breach coaches have brought in Digital Forensics/Incident Response Teams (DFIR) to take the lead in containing the incident and providing initial response. DFIR leads or breach coaches may—or may not—recommend restoration partners following this process, which can extend business interruption weeks or even months. However, it is becoming clear to customers and carriers alike that downtime is becoming far too expensive and commands most of the incident's exorbitant costs.

"At Eos, we work closely with large insurers and vendors in the cyber sector and consistently hear how business interruption has become a major factor in escalating cyber losses," said Zach Powell, partner at Eos Venture Partners. "Through our research, we see that BI now accounts for over 50% of losses in select cyber lines."

**Resource:** Download and read the full white paper**.**  

**About Fenix24**

Fenix24, part of the Conversant Group family of companies, is raising the bar for post-incident disaster recovery and restoration with a fast, thorough and professional operation. Our battle-tested professionals execute the most intelligent and strategic recovery playbook for minimal cost of incident response and business interruption. Fenix24 is the army you need to push out the criminals that have compromised your environment and restore your company's IT operations. Learn more at fenix24.com.

SOURCE Fenix24

Fenix24 Releases White Paper Proposing New Cyber Incident Response Paradigm

Respondents indicate organizations are unprepared to handle cyberwarfare, there's no one-size-fits-all response to ransomware, and cybersecurity spending is on the rise.

**SAN** **FRANCISCO** **,** **Jan.** **24**, **2023** **/PRNewswire/ --** Armis, the leading asset visibility and security company, today announced the Armis State of Cyberwarfare and Trends Report: 2022-2023, which highlights global IT and security professionals' sentiment on cyberwarfare. The study shares sentiment from more than 6,000 global respondents across multiple industries, including healthcare, critical infrastructure, retail, supply chain and logistics, and more.

The Russian invasion of Ukraine has not only tragically upended the lives of countless people in a sovereign nation, but it is also causing geopolitical shockwaves of cyberwarfare that will reverberate for the foreseeable future. Today's targets extend well beyond the higher levels of the opposition governments; any organization is a potential victim, with critical infrastructure and high-value entities at the top of the list.

"Cyberwarfare is the future of terrorism on steroids, providing a cost-effective and asymmetric method of attack, which requires constant vigilance and expenditure to defend against," said Nadir Izrael, CTO and Co-founder of Armis. "Clandestine cyberwarfare is rapidly becoming a thing of the past. We now see brazen cyberattacks by nation-states, often with the intent to gather intelligence, disrupt operations, or outright destroy data. Based on these trends, all organizations should consider themselves possible targets for cyberwarfare attacks and secure their assets accordingly."

Key global findings from the Armis State of Cyberwarfare and Trends Report: 2022-2023 include:

*   One-third (33%) of global organizations are not taking the threat of cyberwarfare seriously, identifying as indifferent or unconcerned about the impact of cyberwarfare on their organization as a whole, leaving room for security gaps.
*   Nearly a quarter of global organizations (24%) feel underprepared to handle cyberwarfare. Even still, the lowest-ranking security element in the eyes of IT professionals is preventing nation-state attacks (22%).
*   Over 3 in 5 (64%) IT and security professionals surveyed agree with the statement, 'The war in Ukraine has created a greater threat of cyberwarfare.'
*   Over half (54%) of professionals who are the sole decision maker for IT security said they experienced more threat activity on their network between May 2022 and October 2022 when compared to the six months prior.
*   Over half (55%) of IT professionals surveyed agree with the statement, 'My organization has stalled or stopped digital transformation projects due to the threat of cyberwarfare.' This percentage is even higher in specific countries, including Australia (79%), the U.S. (67%), Singapore (63%), the UK (57%), and Denmark (56%). 
*   When asked about their organization's policy on paying ransoms in the event of a ransomware attack, IT professionals globally were divided in their responses. Twenty-four percent of respondents indicated their organization always pays, 31% said their organization only pays when customer data is at risk, 26% said the organization never pays, and 19% indicated that it depends.
*   Just over three-quarters (76%) of IT professionals surveyed agree that the boards of directors are changing their organization's culture towards cybersecurity in response to the threat of cyberwarfare.
*   Almost 4 in 5 (78%) IT professionals surveyed said, when thinking about recent and ongoing sudden global events (such as the pandemic, Ukraine conflict, etc.), it's likely that their company invests more of its budget into cybersecurity, with nearly 2 in 5 (37%) who think it's very likely.

Proprietary data from the Armis Asset Intelligence and Security Platform collected from June 1, 2022 through November 30, 2022 confirmed the aforementioned trends haven't slowed, only worsened. Threat activity against the global Armis customer base increased by 15% from September to November when compared to the three months prior. Further, Armis identified the largest percentage of threat activity against critical infrastructure organizations, with healthcare organizations the second most targeted when compared to various industries.

In addition to the key global findings from the report and complimentary proprietary data from the Armis platform, Armis zoomed in on regional trends with unique country-by-country analysis within breakout reports for the U.S., UK, France, DACH (Austria, Germany, Switzerland), Iberia, Italy, Denmark, the Netherlands, and APJ (Australia, Japan, Singapore).

For further information on the Armis State of Cyberwarfare and Trends Report: 2022-2023, please visit: https://www.armis.com/cyberwarfare/

**Methodology**

Armis surveyed 6,021 IT and security professionals in firms with more than one hundred employees across the U.S., UK, France, DACH (Austria, Germany, Switzerland), Iberia, Italy, Denmark, the Netherlands, and APJ (Australia, Japan, Singapore). Those findings were gathered between September 22, 2022 and October 5, 2022 and depict the state of cyberwarfare globally across various regions and industries.

**About Armis**

Armis, the leading asset visibility and security company, provides the industry's first unified asset intelligence platform designed to address the new extended attack surface that connected assets create. Fortune 100 companies trust our real-time and continuous protection to see with full context all managed, unmanaged assets across IT, cloud, IoT devices, medical devices (IoMT), operational technology (OT), industrial control systems (ICS), and 5G. Armis provides passive cyber asset management, risk management, and automated enforcement. Armis is a privately held company and headquartered in California.

Armis State of Cyberwarfare and Trends Report: 2022-2023 Highlights Global IT and Security Professionals' Sentiment on Cyberwarfare

**CHICAGO****,** **Jan. 24, 2023** **/PRNewswire/ --** This week, we mark Data Privacy Day, dedicated to creating awareness around how to best protect your data and information online. There are growing risks associated with the collection, processing and storage of personal data, both on the individual and corporate levels. Even today, most people do not know how to respond when their rights are violated in a data breach or leak. Keeper Security is sharing password best practices to keep accounts and data protected against threat actors. The aim is to educate consumers and businesses around privacy, and help them to protect themselves against the growing risk of data breaches. 

The safety of an individual's identity, data and online accounts relies heavily on the strength of their passwords, even when so-called passwordless options such as biometrics are used. Individuals must understand the difference between weak and strong passwords, particularly as a breach could impact the organization they work for, resulting in millions of dollars in damages. This is a pervasive threat, as data shows that 81% of hacking-related data breaches are due to stolen or weak passwords. 

"Data Privacy Day provides an opportunity to elevate the critical importance of cybersecurity in all of our lives. The digital transformation shows no signs of slowing down, and with ever more connected devices from smartphones to smart fridges, we must all take concrete steps to protect ourselves," said Darren Guccione, CEO and Co-founder at Keeper Security. "It is imperative everyone utilize strong and unique passwords for all of their accounts, and store those passwords in a secure, encrypted vault to reduce their risk of an attack. The existential reality is that anyone can become a victim of cybercrime."

**Think before you share, open or click:**

One critical measure to protect yourself online is to avoid sharing personal information with anyone unless absolutely necessary. Watch out for links in emails from suspicious or unknown senders and learn what the tell-tale signs of a phishing attempt are. Only download attachments when you are sure they are safe.

It's human nature to believe what we see, which is why aesthetics and user interface often trick users into clicking on a malicious, incorrect URL. The key is to ensure the URL matches the authentic website. When a password manager is used, it automatically identifies when a site's URL doesn't match what's in the user's vault. This is a critical tool for preventing the most common attacks, including phishing scams.

**Improve your password habits:** 

*   Do not use any combination of characters that is easy to guess.   
*   Avoid using the same password across multiple accounts as well as including any personal information.   
*   Recognizable keystroke patterns or short passwords should also be avoided. 
*   Don't use repeated letters or numbers as a password.  
*   Instead, use lengthy combinations of letters, symbols and numbers.   
*   Creating a memorable phrase called a passphrase, replacing certain letters with numbers or symbols in a random order.   
*   Creating mnemonic passwords, inspired by notable events for example.   

**Use a password manager:**  

The best way for online users to secure their passwords is to implement a secure password manager. An effective password manager will allow individuals to create random combinations of characters for their passwords and save these in a password vault. This way users won't need to write them down or remember them, which is what tends to make them more vulnerable to breach.   

A zero-trust and zero-knowledge password manager creates an even more secure environment for users to store their passwords. Even in the worst case scenario of a breach, the stored data is encrypted in cipher text, meaning it cannot be accessed and is impossible to read by a human or machine.

**About Keeper Security Inc.** 

Keeper Security is transforming the way people and organizations around the world secure their passwords, secrets and confidential information. Keeper's easy-to-use cybersecurity platform is built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance. Trusted by millions of individuals and thousands of organizations globally, Keeper is the leader for best-in-class password management, secrets management, privileged access, secure remote access and encrypted messaging. Protect what matters at KeeperSecurity.com.

Keeper Security Shares Password Best Practices Ahead of Data Privacy Day

**NEW YORK****,** **Jan. 24, 2023** **/PRNewswire/ --** The finalists of the international cloud computing program, The Cloud Awards, have been released this week.

In its twelfth year, Cloud Awards categories include "Best Software as a Service," "Best Place to Work in the Cloud," and "Cloud Project of the Year."

Head of Operations for the Cloud Awards, James Williams, said: "Advancing to the next stage of The Cloud Awards program is a remarkable achievement and we're excited to celebrate with all those finalists who made the cut.

"The Cloud Awards finalists of 2022-2023 exceeded all expectations with truly creative solutions. With such a strong shortlist, advancing to the next level is a huge result.

"The Cloud Awards will announce its final winners next month, and we wish the finalists luck in an outstandingly competitive year.

"We now move on to the first Security Awards program, which will close for entries next month, while the business software 'Oscars,' The SaaS Awards, will return in May for its eighth year."

The full list of finalists includes hundreds of organizations from across the globe, covering the Americas, Australia, Europe and the Middle East. You can view all the finalists here: https://www.cloud-awards.com/2022-2023-cloud-awards-finalists/ 

The Cloud Awards will announce its winners on February 7, recognizing excellence in the cloud across all industry verticals. It will then open for entries to its 2023-24 program, alongside The SaaS Awards and The Cloud Security Awards, which are open for 2023 entries.

The Cloud Security Awards remains open for 2023 entries until February 17. Unlimited categories can be entered for a single-category fee in its inaugural year.

The SaaS Awards, a sister recognition platform to the Cloud Awards, is also now open for early 2023 entries. This business software awards program finds and promotes the best SaaS solutions across a wide range of industries, with a May 19deadline: https://www.cloud-awards.com/saas-awards/.

The 2022-2023 Cloud Awards Announces Its Finalists

Machine learning offers great opportunities, but it still can't replace human experts.

Machine intelligence has captured the human imagination since the invention of the first modern computer in the mid-20th century. And the latest milestone in artificial intelligence, ChatGPT, has reinvigorated our pervasive interest in AI's ability to simplify the way we work.

ChatGPT's advancements in machine learning are impressive: Its high-quality outputs feel close to human. The strides it represents for AI systems signal that even more remarkable achievements are close to reality. But while ChatGPT suggests that the full potential of AI is drawing nearer, the reality is it still isn't quite here. Right now, there are great opportunities for machine learning to augment human intelligence, but it still cannot replace human experts.

**The Obstacles Between ChatGPT and the Future It Promises**

A complete reliance on AI can only happen if any given AI technology is proven more effective than all the other tools used to serve the same purpose. And AI hasn't yet developed to run entirely autonomously. Narrow AI (ANI) often describes the AI we see today: AI designed for a single task, such as a chatbot or image generator. ANI still requires human supervision and some manual configuration to function and is not always run and trained upon the latest data and intelligence. In this case, Reinforcement Learning from Human Feedback (RLHF), which allows the model to learn from correct and incorrect responses to requests, helped train ChatGPT.

Our human inputs into AI systems pose a significant challenge as well. Machine learning models can be colored by our personal views, culture, upbringing, and world perspectives, limiting our ability to create models that entirely remove bias. If improperly used and trained, ANI can further ingrain our biases into our work, systems, and culture. We've even seen bug bounties dedicated to removing AI bias, underscoring these challenges. Complete dependence would be problematic unless we can identify how to build more robust AI systems that mitigate human bias.

**It's Foolish to Rely Fully on AI for Cybersecurity**

The growing threat landscape, diversification of attack vectors, and highly resourced cybercriminal groups necessitate a multipronged approach that leverages the strengths of both human and machine intelligence. A survey conducted in 2020 found 90% of cybersecurity professionals believed cybersecurity technology is not as effective as it should be and is partially responsible for the continued success of attackers. Fully trusting AI will only exacerbate many organizations' already significant overreliance on these ineffective automation and scanning tools, and vulnerability reports generated by AI with "confidently wrong" false positives can even add friction to remediation efforts.

Technology has its place, but nothing will compare to what a skilled human with a hacker mindset can produce. The type of high-severity vulnerabilities found by many hackers requires creativity and a contextual understanding of the affected system. A vulnerability report written by ChatGPT compared with one developed end to end by a hacker demonstrates this gap in proficiency. When tested, the former's report was repetitive, lacked specificity, and failed to provide accurate information, while the latter offered full context and detailed mitigation guidance.

**AI Can Supercharge Your Security Team**

There is a middle ground. Artificial intelligence _can_ accomplish tasks faster and more efficiently than any one person. That means AI can make work much easier for cybersecurity professionals.

Ethical hackers already use existing AI tools to help write vulnerability reports, generate code samples, and identify trends in large data sets. The diverse skill set of the hacker community fills the capability gaps of AI. Where AI really helps is providing hackers and security teams with the most critical component for vulnerability management: speed.

With nearly half of organizations lacking the confidence to close their security gaps, AI can play an instrumental role in vulnerability intelligence. AI's ability to reduce time to remediation by helping teams process large data sets faster could supercharge how quickly internal teams analyze and categorize vast swaths of their unknown attack surface.

**Narrow AI Could Help Address Major Industry Challenges**

We're already seeing governments recognize the potential of narrow AI: The Cybersecurity and Infrastructure Security Agency (CISA) lists AI as one possible vulnerability intelligence solution for software supply chain security. When the daily minutiae of important cybersecurity work is eliminated, the humans behind the technology are freed to pay closer attention to their attack surface, remediate vulnerabilities better, and build stronger strategies to defend against cyberattacks.

Soon, ANI could unlock even more potential from the hackers and cybersecurity professionals that use it. Instead of worrying about AI taking their jobs, security professionals should cultivate a diverse skill set that complements AI tooling while also maintaining a keen awareness of its current limitations. AI is far from replacing human thought, but that doesn't mean it cannot help create a better future. For an industry with a significant skills gap, AI could make all the difference in building a safer Internet.

Chat Cybersecurity: AI Promises a Lot, But Can It Deliver?

Hackers cleverly cobbled together a suite of open source software — including a novel RAT — and hijacked servers owned by ordinary businesses.

We imagine that the world’s most successful hackers write their own dangerous code and invest heavily in the technologies they use to breach their targets. In recent months, however, a new cluster of attacks succeeded with just the opposite approach.

According to a report out Jan. 24 from SentinelOne, a threat actor compromised a number of organizations across China and Taiwan by creating a Frankenstein's monster-style composite of preexisting open source components. Among them: multiple tools for escalating user privileges in Windows machines, and for establishing persistence and allowing remote code execution.

In addition to adopting other hackers' code, the attackers freely adopted other organizations' infrastructure, too. In staging their malware, the hackers puppeteered servers located in China, Hong Kong, Singapore, and Taiwan, many of which were hosted by perfectly ordinary businesses, including an art gallery, a retailer for baby products, and companies in the gaming and gambling industries.

Researchers from SentinelOne named the campaign "DragonSpark" — a portmanteau referencing the attackers' Chinese-language links, and "SparkRAT," an open source remote access Trojan (RAT) never seen in the wild until now.

**An Open Source Party**

To gain initial access to their targets, the DragonSpark attackers sought out Internet-exposed Web servers and MySQL database servers. Then, with a foot in the door, they began deploying open source malware.

"Open source tools and existing infrastructure are very practical to threat actors," Aleksandar Milenkoski, senior threat researcher at SentinelOne, tells Dark Reading. This is especially true of "actors involved in cybercrime activities without many resources and in-depth technical readiness to develop their own tool set and setup an intricate infrastructure, but aiming for large-scale, opportunistic attacks at the same time."

The DragonSpark attackers carried out their opportunistic attacks with programs like SharpToken and BadPotato, which enable the execution of commands at the level of the Windows operating system. SharpToken also provides visibility to user and process information; it allows a user to freely add, delete, or modify passwords of system users. BadPotato, the researchers noted, had been previously used by other Chinese threat actors in an espionage campaign.

Next in the arsenal was GotoHTTP, which facilitates persistence, file transfer, and remote screen viewing. But the most notable malware of all was SparkRAT — "a very recent development on the threat landscape," Milenkoski noted. DragonSpark represents "the first concrete observation of threat actors using SparkRAT as part of larger campaigns."

Released in its current version on Nov. 1, 2022, SparkRAT is a jack of all trades. It's compatible with not only Windows but also Linux and macOS systems. Its most notable features are as follows, as the researchers outlined:

*   _**"Command execution:** including execution of arbitrary Windows system and PowerShell commands;_
*   _**System manipulation:** including system shutdown, restart, hibernation, and suspension;_
*   _**File and process manipulation:** including process termination as well as file upload, download, and deletion; and_
*   _**Information theft:** including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration."_

SparkRAT, SharpToken, Bad Potato, and GotoHTTP are all freely available to download online. As open-source tools, their use also makes attribution more difficult.

**Links to China**

All of the targets of DragonSpark were organizations based in East Asia. Many of them "have a large customer base," Milenkoski observes, "leading to the belief that the threat actors may be targeting customer data." Whether the motive was cybercrime or espionage was not determined.

Though unable to attribute anyone specific, the researchers considered it "highly likely" that the DragonSpark attackers were Chinese speakers. That is, in part, explained by the fact that most of their infrastructure and targets were located in East Asia. Additionally, the Web shell they used to deploy their malware — a well-known tool called China Chopper — and all of the open source tools described above were originally developed by Chinese-speaking developers and vendors.

This is consistent with recent activity in the world of Chinese threat actors. An alert published last summer by the Cybersecurity and Infrastructure Security Agency (CISA) highlighted how state-sponsored APTs from the People's Republic "often mix their customized toolset with publicly available tools."

All signs point to more of these kinds of attacks going forward. SparkRAT in particular, though nascent to the scene, "is regularly updated with new features," the SentinelOne researchers noted, adding that "the RAT will remain attractive to cybercriminals and other threat actors in the future."

'DragonSpark' Malware: East Asian Cyberattackers Create an OSS Frankenstein

The company will block the configuration files, which interact with Web applications — since threat actors increasingly use the capability to install malicious code.

Microsoft plans to add a feature to Office Excel that will make it harder for cyberattackers to exploit the spreadsheet application's "add-ins" function to run malicious code on a victim's computer.

And while it's a welcome development, Microsoft's countermeasure is just the latest go-around in the cat-and-mouse game going on between major software makers and cyberattackers, researchers say.

**Microsoft Takes Aim at XLLs **

In an update to its Microsoft 365 road map last week, the company stated that it is currently "implementing measures to block XLL \[add-in files\] coming from the internet," with a goal to have the feature in general availability sometime in March. 

Excel add-in files are designated with the XLL file extension. They provide a way to use third-party tools and functions in Microsoft Excel that aren't natively part of the software; they're similar to dynamic link libraries (DLLs) but with specific features for Excel spreadsheets. For cyberattackers, they offer a way to read and write data within spreadsheets, add custom functions, and interact with Excel objects across platforms, Vanja Svajcer, a researcher with Cisco's Talos group, said in a December analysis.

And indeed, attackers started experimenting with XLLs in 2017, with more widespread usage coming after the technique became part of common malware frameworks, such as Dridex. The add-in functionality has become increasingly popular with attackers since then; in fact, according to an Arctic Wolf report from early 2022, the use of XLL files increased nearly 600% in 2021.

One of the reasons for that is because Microsoft Office does not block the feature but raises a dialogue box instead, a common approach that Microsoft has taken in the past, Svajcer wrote: "Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning."

That could be an issue even after blocking is in place, Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading.

"Unfortunately, it's unclear at this point whether it's just going to be a warning that users can easily click through, a more proactive 'off by default' setting, or whether they are going to disable it entirely for XLL files downloaded from the Internet," he notes.

**Staying Ahead of the Cyberattackers?**

For more than two decades, cybersecurity firms have sought to strip out potential avenues for malicious scripts in common files types — such as Office formats or PDF files — but attackers have always adapted. 

For instance, Visual Basic for Applications (VBA) and Excel 4.0 macros both became so popular over the past five years for malware delivery that Microsoft blocked Office macros by default in the summer of 2022, disallowing macros from running when they have been assigned a Mark of the Web (MotW) tag, which indicates that the document came from the Internet.

Following that decision, threat actors began incorporating Shell Link (LNK) files as payloads for a number of malware families, with their use peaking in October with a spike in usage by the operators behind Qakbot, according to an analysis this week by researchers in Cisco's Talos intelligence group.

And LNK files aren't the only file type that's becoming a more popular way to hide malicious code in the wake of blocking macros. In the third quarter of 2022, for example, zip archives and HTML files became the most common file types for malware delivery, with 44% of malware files hidden in archives, according to the third quarter "HP Wolf Security Threat Insights Report." 

Even if these alternative approaches are not as efficient or powerful, attackers will have to adopt them to continue to successfully compromise victim's systems, because companies are hardening their products against more common attack techniques, Dave Storie, an adversarial collaboration engineer at cybersecurity-services firm Lares Consulting, said in a statement sent to Dark Reading.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," he said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Microsoft to Block Excel Add-ins to Stop Office Exploits

When EVs and smart chargers plug in to critical infrastructure, what can go wrong? Plenty.

With more countries reaching the tipping point for electric vehicle (EV) adoption, it's more urgent than ever for the public and private sectors to invest in EV charging infrastructure. A robust and highly secure EV charging ecosystem is essential for ensuring network availability and stability, providing a seamless charging experience to drivers, and achieving zero-emission transportation.

The good news is that EV charging infrastructure build-out is gaining momentum. The downside is that cybersecurity risks are growing along with the charging infrastructure, and cybercriminals are starting to take notice.

Today, EV chargers themselves are the primary target, with hacks ranging from planting ransomware to hijacking charger message screens with politically motivated or objectionable content. In a major wakeup call to manufacturers, a white-hat security specialist demonstrated EV charger hardware and software vulnerabilities. Recent hacks have also shown that EVs, too, are at risk.

**The Vulnerabilities Are Broader Than Chargers and EVs**

The communications networks that connect chargers with their management system, the personal data that travels across those networks, the charge-point operators collecting payments, and the grid itself are increasingly vulnerable as the EV ecosystem grows and the attack surface expands. The risks include (but are not limited to):

*   Disruption of operations for public charger networks, rendering large numbers of chargers unusable and interfering with transportation
*   Takeover of charger networks to use the chargers as bots in massive distributed denial-of-service (DDoS) attacks
*   Theft of customers’ personal identifiable information (PII), including payment card information
*   Fraudulent payments for electricity used in EV charging
*   Disruption to the power grid, leading to blackouts and equipment damage
*   Damage to the EV charging provider's reputation

As IT security experts know, whenever you have digital communications between two points, you have a potential vulnerability. When an EV plugs in to a networked charger, a cascade of bidirectional communications between multiple computers ensues — between the vehicle and the charger, the charger and the driver's mobile app, the charger and the grid, the charger and the back-end management system, the management system and a payment gateway, and the management system and the charge-point operator. That's a broad attack surface.

It takes coordination and commitment across the EV charging ecosystem to achieve the end-to-end security needed for protecting EV charging networks, personal and payment data, and the grid.

**Standards and Protocols Offer a Way Forward**

EV charging and energy management solution providers must commit to industry protocols and standards — developed by global consortiums such as the Open Charge Alliance (OCA) and the International Organization for Standardization (ISO) — and the protections they provide. So do other industry players, such as EV charger manufacturers and their sub-suppliers, automotive manufacturers, and utilities.

Key to network security is Open Charge Point Protocol (OCPP). It governs communications between charging stations and a central management system. The latest version incorporates standards for secure connection setup, security events and logging, and secure firmware updates.

Another essential measure is ISO 27001, a comprehensive framework that covers legal, physical, and technical controls involved in a company's information security and risk management processes Compliance ensures all relevant processes, procedures, and tools are implemented and monitored to protect the EV charging platform.

ISO 15118.20 is an international standard that was updated in 2022 to tighten security requirements for bidirectional communications between a charging station and an EV. The standard provides for plug-and-charge capability, which uses security certificates to automatically identify the EV to the charger and authenticate a payment method. It also governs the exchange of data required for vehicle-to-grid (V2G), which sends energy stored in the EV battery back to the power grid.

**IT Security Best Practices Provide Multilayered Protection**

The first IT security best practice that EV charging ecosystem companies should consider is organizational: Hire a chief information security officer (CISO). With a broad attack surface to defend and the need to protect data from internal and external attacks, the CISO should work closely with the chief technology officer (CTO) to coordinate IT security and EV charging infrastructure security.

The communications and data exchange between management software in the cloud, EV chargers, EVs, and the grid can be protected by IT security best practices such as X.509 public key infrastructure (PKI), transport layer security (TLS), secure "tunneling" across the Internet, and data encryption.

EV charging infrastructure providers must also be concerned with data privacy regulations specific to PII. Any organization transporting, handling, or storing PII should comply with the General Data Protection Regulation (GDPR) in the EU, the Act on the Protection of Personal Information (APPI) in Japan, the California Consumer Privacy Act (CCPA), and the new California Privacy Rights Act (CPRA).

Compliance with Payment Card Industry Data Security Standards (PCI DSS) and SOC 1 security standards provides the security controls and measures to protect credit and debit card transactions during transmission and storage. Controls include using tokens rather than readable data and storing only the final four digits of a credit card. Intelligent safeguards for billing management systems should recognize and prevent fraudulent payment.

Endpoint detection and response (EDR) systems continuously monitor devices connected to the EVcharging management platform, identify intrusions, and enable rapid response so cybercriminals cannot penetrate the network and pivot to other components, whether that is the management software, the car, or the grid.

And conducting annual infrastructure and application penetration tests is essential to discovering potential vulnerabilities and building a solid plan to resolve them.

**The Final Takeaway**

Protecting the EV charging infrastructure from cybercriminals is a job for every participant in the ecosystem. Whether you're considering hosting EV chargers at your place of business or you're an active participant in the ecosystem, security must remain top of mind. A key takeaway from the IT security industry is the recognition that this will be a perpetual battle. The larger the EV charging ecosystem grows, the more monetary value it offers to cybercriminals. The challenge of staying ahead of bad actors, and responding quickly when unknown threats become known, never ends.

Security and the Electric Vehicle Charging Infrastructure

API Leak Management software discovers exposed API keys and other secrets, blocks their use, and monitors for abuse, the company says.

Just as pants are most likely to split along the seam, enterprise also risks holes opening up along the seam between systems: APIs. The scope of the potential problem is clear, with 78% of engineering teams managing upwards of 250 API keys, tokens, or certificates. It makes sense that API leaks are becoming more common — with a reported rise of 681% in 2021 alone — as tech stacks get more complex and software supply chains grow longer.

To help organizations ward off these intrusions, API security company Wallarm recently added a feature called API Leak Management to its End-to-End API Security bundle. Now in early release, the solution will alert you when it detects a leak, allowing security staff to quickly revoke and block the leaked key through a unified interface.

The new capability automates detection, remediation, and control to protect API secrets. It continuously monitors public sources for leaked API keys and resources. If any are found, the software revokes the key and blocks requests that reference it across the client's entire presence. API Leak Management then continues to automatically monitor and block future attempts to use leaked secrets.

Numerous high-profile breaches in 2022 trace back to losing control of API keys and other secrets, including CircleCI, Twitter, and Optus. Such breaches cost companies an average of $1.2 million annually, which makes API security an imperative priority for enterprise.

Attackers commonly target API keys and secrets because they provide direct access to the data and infrastructure, according to Ivan Novikov, CEO and co-founder of Wallarm. "Our API Leak Management solution allows enterprise customers to automatically detect and block the use of leaked API keys, providing an additional layer of security for their data to reduce organizational risk," he said in a statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading