Critical national infrastructure, widespread cybercrime, and cyber insecurity are major risks in the report

A lot has happened in the 12 months since the World Economic Forum's (WEF) previous "Global Risks Report." Russia invaded Ukraine. The consequential impact on the supply of food and energy has led to a cost-of-living crisis being experienced by many. Extreme weather events have become a reality for more and more people. This rapid change is the backdrop to the report.

The 2023 report highlights that there is no single dominating crisis that the world is facing and there are, and will continue to be, constant crises that organizations, governments, and countries must navigate. Attacks on critical national infrastructure (CNI), widespread cybercrime, and cyber insecurity are highlighted as major risks throughout the next 10 years in the WEF's "Global Risks Report 2023," published on Jan. 11.

In terms of current crises identified in the WEF report — those emerging or present today — cyberattacks on critical infrastructure is the only technological risk appearing on the chart. CNI attacks are much sought after by malicious threats, as they can result in high-profile trust failures, potential pay dirt for ransomware, and could even lead to civil unrest.

The report comments: "Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy and domestic, space-based and undersea communication infrastructure."

Examples of such attacks today include the UK's Royal Mail, currently dealing with a "cyber incident" that has resulted in the organization asking people to stop sending mail and parcels abroad. The outage of the NOTAM (Notice to Air Missions) system that grounded flights in the US on Jan. 11 is being investigated as a potential "nefarious cyber incident," although this is just one aspect of an investigation into the outage ordered by President Biden. Attacks on healthcare institutions, water supplies, fuel pipelines, and more all serve to remind what the "C" in CNI is there for — if something is defined as critical, it needs strong cybersecurity protection and resilience to keep people and societies safe and operational, as it will always be a target for cyberattack.

**Risks Ranked**

There is much to read in the 98-page WEF report. Although there are seven risks appearing in both the two- and 10-year outlooks ahead of widespread cybercrime and cyber insecurity, this is the leading technological risk, at No. 8 in both these outlooks.

There is actually little reference to cybercrime specifically in the report beyond the definition of "widespread cybercrime and cyber insecurity," which is described as "Increasingly sophisticated cyberespionage or cybercrimes. Includes, but is not limited to: loss of privacy, data fraud or theft, and cyber espionage."

Cybercrime is an everyday reality today. As just one example, ransomware continues to be a scourge on society and organizations, but the potential opportunities and yields are so great that it is here to stay. Phishing, crashing websites, and identity theft are just some further examples of cybercrime that are set to continue. Omdia's security breaches tracker has consistently shown that data exposure is the leading outcome of security breaches, accounting for around two-thirds of breaches in the first half of 2022.

This approximate two-thirds number has been consistent since 2019. The tracker also analyses the share of breaches by industry or vertical and healthcare was the biggest sector to be affected by security breaches in the first half of 2022, followed by the government sector. The healthcare and governmental sectors have interchanged "top spot" over the same three-year period as for data exposure. It's fair to say that data is poorly protected today and that government and healthcare are huge targets for data because of the sort of information they hold.

Cyber insecurity is useful terminology when we know that many organizations do not have adequate cybersecurity capabilities. Omdia's "IT Enterprise Insights 2022-23" found that 27% of organizations describe themselves as "well advanced" in managing security, identity, and privacy, and a further 34% as "advanced," this does leave 39% of organizations with a substantially inadequate approach.

WEF's Global Risks Report 2023 Keeps Cybersecurity on the Agenda

A security vendor's investigation of infrastructure associated with a new, crypto-focused Magecart skimmer leads to discovery of cryptoscam sites, malware distribution marketplace, Bitcoin mixers, and more.

Cybercriminals engaged in one form of criminal activity can sometimes have their hands in a wide range of other nefarious campaigns as well, as researchers recently discovered when analyzing the infrastructure associated with a fresh iteration of a Magecart skimmer.

Magecart is a notorious — and constantly evolving — syndicate of multiple groups that specializes in placing card skimmers on e-commerce sites to steal payment card information. Over the years, groups belonging to the syndicate have executed numerous — sometimes massive — heists of card information from websites, including those belonging to major companies like TicketMaster and British Airways.

Researchers from Malwarebytes recently observed a threat actor deploying a payment card skimmer — based on a framework called mr.SNIFFA — on multiple e-commerce sites. mr.SNIFFA is a service that generates Magecart scripts that threat actors can dynamically deploy to steal credit and debit card information from users paying for purchases on e-commerce websites. The malware is known for employing various obfuscation methods and tactics like steganography to load its payment card stealing code onto unsuspecting target websites.

**Sprawling Crime Haven**

Their investigation of the infrastructure used in the campaign led to the discovery of a sprawling network of other malicious activities — including cryptocurrency scams, forums for selling malicious services, and stolen credit card numbers — that appeared linked to the same actor. 

"Where one criminal service ends, another one begins — but often times they are linked," said Jerome Segura, director of threat intelligence at Malwarebytes, in a blog post summarizing the company's research. "Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends."

In the Magecart campaign that Malwarebytes observed, the threat actor used three different domains for deploying different components of the attack chain. Each of the domains had crypto-inspired names. The domain that injected the initial redirect component of the infection chain for instance had the name "saylor2xbtc\[.\]com," apparently in a nod to noted Bitcoin proponent Michael Saylor. Other celebrities were referenced too: A domain named "elon2xmusk\[.\]com" hosted the loader for the skimmer, while "2xdepp\[.\]com" contained the actual encoded skimmer itself.

Malwarebytes found the three domains hosted on infrastructure belonging to DDoS-Guard, a Russia-based bulletproof hosting company with a reputation for hosting shady websites and operations. The security vendor's investigation showed each of the three domains were associated with a wide range of other malicious activities.

The IP address, which hosted the skimmer loader for instance, also hosted a fraudulent version of home décor and decoration company Houzz's website. Similarly, the IP address for 2xdepp\[.\]com — the site hosting the skimmer — hosted a website selling tools like RDP, Cpanel, and Shells, and another website that offered a service for mixing cryptocurrencies —something that cybercriminals often use to making illicitly earned money harder to trace. 

Researchers at Malwarebytes further discovered blackbiz\[.\]top, a forum that cybercriminals use to advertise various malware services, hosted on the same subnet.

**Crypto-Related Scams**

Malwarebytes decided to see if there were any other websites hosted on DDoS Guard that might have the same "2x" in their domain names as the three sites associated with the Magecart campaign had. The exercise revealed multiple fraudulent websites engaged in illicit cryptocurrency related activities. 

"These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC," Segura said. "These crypto-giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB," he added.

Malwarebytes also discovered multiple other sites on DDoS Guard that appeared linked to the Magecart operator. Among them were phishing sites spoofing TeamViewer, AnyDesk, MSI, a Web portal named after journalist Brian Krebs for selling stolen credit card data, and one site selling a range of phishing kits.

Malwarebytes' research highlights the still sprawling nature of some cybercrime groups, even as others have begun to specialize in specific cybercriminal activities with a view to collaborating with others on joint malicious campaigns. 

Over the past few years, threat actors such as Evil Corp, North Korea's Lazarus Group, DarkSide, and others have earned reputations for being both big and varied in their operations. More recently though, others have begun to focus more narrowly on their specific skills.

Research that security vendor Trend Micro conducted last year showed that increasingly, cybercriminals with different skills are conglomerating to offer cybercrime-as-a-service. The company discovered these criminal services to be comprised of groups offering either access-as-a-service, ransomware-as-a-service, bulletproof hosting, or crowdsourcing teams focused on finding new attack methods and tactics.

"From an incident-response mentality, this means \[defenders\] will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks," Trend Micro concluded.

Researchers Find 'Digital Crime Haven' While Investigating Magecart Activity

In the ad, cybercriminals are offering to sell employee-level access to Telegram, researchers warn.

For the non-negotiable price of $20,000, threat actors claim they can provide insider access to Telegram servers running the encrypted instant messaging platform preferred by a security-conscious clientele.

The ad, posted on a Dark Web marketplace and discovered by the researchers of SafetyDetectives, boasts that the access is high-level and provided "through their employees."

Rather than providing remote access, the seller is hawking "an offering of correspondence for six months," the SafetyDetectives team added.

"It is impossible to say how many users, or Telegram servers, may be impacted," the report explained. "However, if the vendor’s claims are valid, an insider in the internal Telegram network would be able to exfiltrate logs and compromise user data."

Meanwhile, it seems Telegram might have a broader phishing problem.

**Phishing Explodes on Telegram**

The discovery comes on the heels of the release of new data from Cofense that shows that the abuse of Telegram bots exploded by 800% in 2022, driven by threat actors using malicious HTML attachments to deliver credential phishing attempts. Telegram bots are also attractive to spear-phishers because they're free and easy to set up and run.

"Threat actors appreciate the ease of setting up bots in a private or group chat, the bots' compatibility with a wide range of programming languages, and ease of integrations into malicious mediums such as malware or credential phishing kits," the Cofense report said. "Coupling the ease of Telegram bot setup and use with the popular and successful tactic of attaching an HTML credential phishing file to an email, a threat actor can quickly and efficiently reach inboxes while exfiltrating credentials to a single point using an often-trusted service."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims

SBOMs aren't enough. OpenSSF's Alpha-Omega brings in new blood to help secure the open source projects most impactful to the software supply chain.

The intricate labyrinth of open source dependencies across the global software supply chain has created an application security puzzle of mammoth proportions. Whether open source or closed, most of the world's software today is built on third-party components and libraries. Consequently, one piece of vulnerable code in even the smallest of open source projects can have a domino effect that impacts thousands of other applications, APIs, cloud infrastructure components, and more.

This issue is becoming one of the most pressing security concerns of CISOs today, and at an individual enterprise level, organizations are hard at work tackling it with projects like building out software bills of materials (SBOMs), establishing open source security management standards, and creating technical guardrails for developers to follow them.

But these efforts don't necessarily solve the problem at a more systemic level. According to many experts in the open source community, in order to make the biggest dent in the downstream supply chain, more effort needs to be put into helping open source project maintainers clean up their code.

This is the goal of the Alpha-Omega Project. About to hit its one-year anniversary next month, Alpha-Omega is a big-picture security project put together by the Open Source Security Foundation (OpenSSF) and its parent organization, the Linux Foundation, to address the fundamental issues in software supply chain security.

The "Alpha" side of the project is focused on collaborating with the maintainers of the open source projects most critical to the broader supply chain — including notables like node and jQquery — to help them level up the security posture of their code. These are projects hand-selected by the OpenSSF Securing Critical Projects working group using expert opinion and data from benchmarks like the Open SSF Criticality Score to determine the projects with the biggest downstream impact.

The "Omega" side of the project turns to the long-tail of software supply chain security, using automation and tooling to identify critical security vulnerabilities across a range of 10,000 widely deployed open source projects. It's an effort to scale up the remediation of the lowest-hanging, most obvious flaws that are pervasive across the supply chain.

Funded initially by Google and Microsoft, with additional toolchain and personnel support from financial giant Citi, Alpha-Omega wrapped up 2022 by snagging an additional $2.5 million from Amazon Web Services. More crucially, the project is preparing for 2023 with two new critical hires — Yesenia Yser, formerly a product security engineer for Red Hat, and Jonathan Leitschuh, who just finished up his one-year stint as the first Dan Kaminsky Fellow for Human Security. Yser steps in as a senior software security engineer, and Leitschuh will continue his research on automating open source security research and remediation as a senior software security researcher.

**Alpha-Omega Project's First Year**

This project is one of several high-profile security projects spearheaded and fundraised by OpenSSF and Linux Foundation in the past year to tackle the systemic issues in open source security. Following the organizations' successful model for rapid funding and action on security projects, Alpha-Omega has already made headway on a number of significant fronts.

According to the project's first annual report, the project has already engaged with five different open source projects: Node.js, the Eclipse Foundation, the Rust Foundation, jQuery, and the Python Software Foundation. Over the course of 2022, Alpha-Omega doled out $1.5 million in grants to different projects, including $460,000 to the Rust Foundation, $400,000 to the Eclipse Foundation, and $300,000 to Node. In the case of Node, that support helped it reactivate the Node Security Working Group and get it working on a security and threat model for Node.js. It also spurred the triaging of 20 different vulnerability reports across the project's code base.

Additionally, Alpha-Omega recently released the initial version of the Omega Analysis Toolchain, which orchestrates 27 different security analyzers for identifying critical vulnerabilities in open source packages. The project also released a number of experimental tools, including a triage portal to make security research and reporting more efficient.

For year two, the project plans to accelerate work on the Omega side of the house.

**What 2023 Has in Store for the Project**

The addition of Yser and Leitschuh to the Alpha-Omega Project will not only infuse more brainpower, time, and talent into existing efforts, but also plenty of enthusiasm for moving the needle on open source security.

"Open source software is in every piece of equipment that is used today, from our automotives, airplanes, phones, trackers, and even utility systems," says Yser, who has deep roots in the DevSecOps and software supply chain worlds. In her position at Red Hat she was the supply chain ops technical lead.

"The vision for the project has a global impact of improving the security posture of open source software, supply chain security, and the lives of folks around the world," she says.

Yser will be working directly on improving the Omega toolchain and the triage portal to help engineer improvements in how projects and vulnerability impacts are analyzed and prioritized for mitigation.

"For the Omega tool chain, a goal for this year will be to have an operationalized system that a maintainer or developer can leverage," she says. "For the Triage Portal, the goal will be to support a researcher's ability to triage a discovered finding via importing a SARIF report to the portal and handle their investigation within the system. The system will remain limited to the Alpha-Omega team until noted otherwise, but thanks to open source software, a researcher can run their own instance and submit pull requests to the repository and support the overall mission."

Yser will be working in close collaboration with Leitschuh, who brings significant and very fresh experience to bear in the area of scaling and automating fixes across open source projects. He spent last year's fellowship working on this exact problem. His goal is to continue the work he did there and use what he learned to further his mission of rooting out the most prevalent and impactful flaws lurking across a wide swath of open source projects.

"We may not know where those little pegs are that are holding up the entire software industry exist," Leitschuh says. "It could be one of those tiny little pieces of software that has 15 stars on GitHub that nobody knows, but it's holding up the entire Internet. So how do we secure those projects that no one knows about but \[are\] somehow fundamental to the entire supply chain?"

He says his work during the fellowship helped him further home in on his niche of not necessarily going very deep on any one security vulnerability, but instead looking at a certain type of vulnerability and developing automated ways of finding that same flaw in lots of different places across the open source ecosystem. This dovetails perfectly with the Omega ethos, which is what led him to his newest gig.

Leitschuh will keep supporting refinements on automated methods for running down flaws in Data Flow and Control analysis and auto pull request generation. But he's also going to be continuing the very manual work of collaboration. One of the important lessons he learned last year is that a lot of the work ahead of him and his Alpha-Omega team is not necessarily technical. It's about building relationships with maintainers to help them see how sometimes even simple fixes to their projects can have a huge impact on global software supply chain security postures.

"Technologists and software people, we don't always love the human element — it's easier for us to sit down and write a line of code that detects this thing and throw it over a wall than it is for us to engage with an actual person and try to convince them this is a thing worth fixing," he says.

He explains how one instance last year illustrates this point perfectly. In this case he worked with a maintainer of a YAML Parser that had a 6-year-old remote code execution flaw that had a lot of downstream impact. For a long time when Leitschuh approached him about it, the maintainer told him, "Don't trust untrusted YAML. This is not my vulnerability."

Finally, after sitting the maintainer down in a video call with lots of technical debate, Leitschuh was able to show him that the change he requested was extremely narrow and could have a huge impact.

"So he's now willing to fix this 6-year-old remote code execution vulnerability in this YAML Parser because someone like me sat down with him on a video call, finally, and had a conversation with him to convince him the minimal thing that he needed to do to make it more secure," he says.

While Leitschuh could have automated fixing the vulnerability downstream, the more elegant fix was having this discussion instead.

"I thought it was worth it for me to sit down and spend the time focusing on this one piece of software to try to convince this maintainer. Having those conversations is what's going to have a wider positive impact writ large on the entire industry," he says. "At that point you just need boots on the ground. You need people that know what they're talking about to sit down and spend time that is required to engage with an actual person."

Software Supply Chain Security Needs a Bigger Picture

**CAMBRIDGE, England****,** **Jan. 12, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security artificial intelligence, today released three new cyber-threat trend reports revealing 2022 attack data observed across its global customer fleet.1 The industry reports pertain to the energy, healthcare, and retail sectors respectively.

"These industry-specific reports are the first of their kind released by Darktrace, representing an important effort to surface the data underpinning the rapidly evolving threat landscape that we are defending against," commented Toby Lewis, Global Head of Threat Analysis, Darktrace.

"The trends reveal crucial sector-specific challenges, from the tendency for hackers to siphon off the energy sector's resources in the form of crypto\-jacking, through to the invaluable nature of patient data which leads to data exfiltration in the healthcare sector," commented Lewis. "The surge in credential-based attacks across the retail sector reflects the fact that identity theft will be a key trend for 2023, increasing the need for AI-based behavioral analytics for understanding employee actions in rich context and authenticating the actions taken using certain credentials."

**Energy Sector: Key Findings**

Against the backdrop of a global energy crisis, Darktrace's energy sector report reveals that illegal crypto\-mining threats,whereby bad actors steal energy and processing power from other devices and networks, are on the rise across the industry. Notable findings include:

*   High-priority crypto\-mining accounted for 13 times more of all observed cyber incidents in the UK energy sector in 2022 compared to 2021
*   High-priority crypto\-mining accounted for 3 times more of all observed cyber incidents in the US energy sector in 2022 compared to 2021

The report divulges two real-world crypto\-mining threat finds from a European and US energy organization respectively, which were both stopped by Darktrace's AI technology. In the former case, attackers were caught attempting to mass pool crypto\-mining capabilities using 5 internal servers at the organization.

**Retail Sector: Key Findings**

As online shopping remains popular, Darktrace's retail sector report reveals that over the course of 2022, criminals increasingly turned toward credential theft, spoofing and stuffing to target this multi-billion-dollar industry's online infrastructure. Notably:

*   Credential theft, spoofing and stuffing accounted for over 170% more of all observed cyber incidents in the US retail sector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 14% more of all observed cyber incidents in the UK retails ector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 70% more of all observed cyber incidents in the Australian retail sector in 2022 compared to 2021

One threat find in the report from August 2022 details the discovery of a never-before-seen attack tool lying dormant inside a well-known UK automotive retailer. Months before Darktrace had been adopted by the retailer, one of its devices had become infected with novel malware that lay dormant, establishing a foothold and waiting for the right time to launch an attack. After deployment, Darktrace AI caught the malware when it made multiple authentication attempts using spoofed credentials for one of the organization's security managers. If successful, the attack could have undermined the organization's entire security posture, allowing malicious software to gain control of the company's infrastructure from within.

**Healthcare Sector: Key Findings**

Often viewed as a 'soft target' for cyber-criminals, hospitals and other healthcare organizations are extremely rich data sources from which attackers can make a profit by selling patient information such as medical records, credit cards or banking details. Darktrace's healthcare sector report notably revealed:

*   Data exfiltration was one of the top 3 observed threats faced by healthcare providers globally, with organizations in the UK and Australia suffering an increased volume in 2022
*   The most common attack type observed across healthcare globally in 2022 was suspicious network scanning, a form of intelligence gathering which often constitutes the initial phase of a cyber-attack

The report details a real-world sophisticated threat faced by a US healthcare provider in which a malicious PowerShell script was discovered to be deployed on one of the organization's internal servers, an attempt to give bad actors remote control over the target network. The threat was autonomously thwarted by Darktrace's RESPOND™ technology before attackers could do harm.

**About Darktrace**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Breakthrough innovations from the Darktrace Cyber AI Research Centre in Cambridge, UK and its R&D centre in The Hague, The Netherlands have resulted in over 125 patent applications filed and significant research published to contribute to the cyber security community. Darktrace's technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. It is delivering the first ever Cyber AI Loop, fuelling a continuous end-to-end security capability that can autonomously prevent, detect, and respond to novel, in-progress threats in real time. Darktrace employs over 2,200 people around the world and protects over 8,100 organizations globally from advanced cyber-threats. It was named one of TIME magazine's 'Most Influential Companies' in 2021.

The data pertains to the period January-October 2022 and is compared with the same period in 2021.

Darktrace Publishes 2022 Cyberattack Trend Data For Energy, Healthcare & Retail Sectors Globally

**SAN FRANCISCO -- (****BUSINESS WIRE****) --** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced an expansion of its relationship with Microsoft to help customers easily deploy, automate, and enhance their organization’s Zero Trust security.

Working from anywhere is more common than ever, and critical applications have moved to the cloud—no longer residing inside an office protected by a secure perimeter. This fundamental shift in where and how people work has caused enterprises to rethink legacy tools and abandon the traditional castle-and-moat approach to security, looking towards Zero Trust instead. As CIOs continue to navigate this paradigm shift, Cloudflare has developed a new set of integrations with Microsoft to help organizations on this journey. Now, mutual customers can seamlessly deploy Zero Trust security tools in minutes, with no complex code changes, and add industry-first features, such as Cloudflare’s Remote Browser Isolation technology.

"When I speak with CIOs, I continue to hear that their number one concern remains security, closely followed by adapting to the new hybrid world,” said Matthew Prince, CEO and co-founder at Cloudflare. “We want to make it easier than ever for IT leaders to deploy Zero Trust security across the enterprise and keep users safe wherever they are working from. I’m thrilled that we are deepening our integration with Microsoft so we can help our joint customers easily deploy Zero Trust security across some of the most used applications in the workplace.”

Through these new integrations, Cloudflare now provides a comprehensive identity driven approach to protect applications, users, devices and networks from attacks. These integrations pair Microsoft Identity solutions and Cloudflare network security tools to create a quality Zero Trust offering.

“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy,” said Joy Chik, President, Identity and Network Access, Microsoft. “Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with Zero Trust best practices.”

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

*   **Deploy Zero Trust Security without changing one line of code:** Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
*   **Isolate high-risk users automatically with industry leading browser isolation technology:** By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
*   **Save IT teams hundreds of hours of manual work:** Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
*   **Keep sensitive Government data off of the public Internet:** By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

Cloudflare has worked with Microsoft since 2018 to provide mutual customers with an improved Internet experience by securing web applications and safeguarding employees with identity and device protections. Cloudflare’s deep integrations across Microsoft 365 and Azure have supported many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security and performance needs. Most recently, Microsoft named Cloudflare the winner of its Security Software Innovator of the Year award.

To learn more about Cloudflare’s integration with Microsoft, check out the resources below:

*   Blog: Expanding our collaboration with Microsoft: proactive and automated Zero Trust security for customers
*   Joint reference architecture
*   Joint Zero Trust Webinar
*   Microsoft landing page
*   Docs: Enable SCIM on the Zero Trust dashboard
*   Docs: Use multiple Azure AD Conditional Access Policies with Access
*   Docs: Isolate Azure AD risky users

**About Cloudflare**

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements**

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s partnership with Microsoft and the potential resulting benefits to Cloudflare customers, the potential benefits to customers of integrating Cloudflare and Microsoft products, the potential opportunity for Cloudflare to attract additional customers and to expand sales to existing customers through Cloudflare’s product integrations with Microsoft, the expected functionality and performance of Cloudflare’s Zero Trust and other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Expands Relationship With Microsoft

This move accelerates the company’s vision of becoming the de facto identity security platform of choice for the modern enterprise.

**AUSTIN, January 12, 2023 –** SailPoint Technologies, Inc., the leader in enterprise identity security, today announced it has acquired SecZetta, the leading provider of third-party identity risk solutions. With nearly half of today’s enterprises comprised of non-employees, organizations need to factor this growing group of identities into their approach to identity security. With SecZetta, SailPoint will help companies gain better visibility into all types of identities, across both employee and non-employee identities – from third-party contractors to temporary workers, and non-human identities – all from a single, market-leading identity security platform. This acquisition will give enterprises the centralized approach needed, plus the proper identity proofing required to fully validate non-employee identities across their businesses. 

"The enterprise identity landscape has changed significantly in the last few years. We went from a largely in-office workforce to a distributed, virtual workforce and now a hybrid workforce. On top of that, most enterprises no longer rely solely on full-time employees to keep their business running. Yet not all of these companies have considered how this change impacts their approach to identity security," said Grady Summers, EVP Product for SailPoint. "With SecZetta, we can quickly give our customers the consolidated intelligence and visibility they need to ensure proper oversight into all identities and their technology access needs, regardless of whether they are a full-time employee or not."

SailPoint and SecZetta have a long-standing partnership. Once SecZetta’s solutions are fully integrated into SailPoint’s Identity Security Cloud platform, SailPoint will deliver a unified platform to customers — providing context-rich identity information with the right level of intelligence needed to answer the "who should have access to what", "when" and "why" questions for this unique, often under-secured set of identities. With SecZetta, SailPoint will also be able to further help companies with identity consolidation efforts, merging and organizing workforce data across authoritative sources to create a centralized repository of identities.  This identity intelligence will then be offered as a packaged offering within the Identity Security Cloud platform to deliver the next generation of identity security — one that provides the critical layer of risk management and governance needed across both employee and non-employee identities from a single platform.

"Acquiring SecZetta allows us to quickly address an emerging threat to our customers’ business — and that is this gap in visibility over non-employee identities. Here at SailPoint, we want to be known as the kind of company our customers can always rely on to anticipate and solve for their needs as they continue to evolve," said Mark McClain, CEO and Founder, SailPoint.  "This announcement underscores our relentless focus on accelerating our vision of becoming the de facto identity security platform of choice that discovers, manages and secures all identities across the modern enterprise." 

**About SailPoint**

SailPoint is the leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Acquires SecZetta to Provide Identity Security for Non-Employee Identities

Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations.

Two security vulnerabilities in Cisco routers for small and midsize businesses (SMBs) could allow unauthenticated cyberattackers to take full control of a target device to run commands with root privileges. Unfortunately, they'll remain unpatched even though proof-of-concept exploits are floating around in the wild.

Among other things, a successful compromise could allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company's network, or run cryptominers, botnet clients, or other malware.

"It’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially," noted Casey Ellis, founder and CTO at Bugcrowd, in an emailed comment.

**Critical-Rated Bug Offers Root Privileges**

The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the Web management interface of the devices and carries a rating of 9 out of 10 on the CVSS vulnerability-severity scale.

Meanwhile, the second flaw — tracked as CVE-2023-20026 — can allow remote code execution (RCE) with a caveat: an attacker would need to have valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a 6.5 CVSS score.

They both affect all versions of the RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As such, the appliances therefore no longer receive security updates, according to the networking giant's Jan. 11 advisory.

The advisory noted that both bugs are "due to improper validation of user input within incoming HTTP packets," so an attacker needs only to send a crafted HTTP request to the Web-based management interface to gain root access on the underlying operating system.

Cisco "is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory," it said, though in-the-wild attacks have so far not been spotted.

While there are no workarounds that address the bugs, a possible mitigation would be to disable remote management of the routers and block access to ports 443 and 60443, according to Cisco, meaning the routers would only be accessible through the LAN interface.

"It’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers," John Bambenek, principal threat Hunter at Netenrich, noted via email. "That said, this is the worst of all worlds with PoC code publicly available and no ... patches available."

Replacing the devices is the best course of action to fully protect one's business, the researchers noted.

**Big Impact, Even at EoL**

Researchers noted that the routers' existing installed base is significant, even though the devices have been discontinued. It's not uncommon for out-of-date gear to linger on in business environments well after it's been cut off — offering a rich playground for cyberattackers.

"The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life," Mike Parkin, senior technical engineer at Vulcan Cyber, said via email. "The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them."

And, it's not just SMBs who are affected, Bugcrowd's Ellis noted: "SMB routers are very widely deployed, and in a post-COVID hybrid/work from home world, it’s not just an SMB problem. Branch offices, COEs, and even home offices are potential users of the vulnerable product."

Critical Cisco SMB Router Flaw Allows Authentication Bypass, PoC Available

Energy has become the new battleground for both physical and cyber security warfare, driven by nation-state actors, increasing financial rewards for ransomware gangs and decentralized devices. Chris Price reports.

The physical threat to the world's critical national infrastructure (CNI) has never been greater. At least 50 meters of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September 2022, though it remains unclear who is to blame.

More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine's President Volodymyr Zelensky on Oct. 18, "30% of Ukraine's power stations have been destroyed, causing massive blackouts across the country," while on Nov. 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between "30% and 40% of \[the country's\] energy systems had been destroyed."

**Growing Cybersecurity Threat**

However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren't the only serious threats to our CNI. There is a growing cybersecurity threat too. On May 7, 2021, the Colonial Pipeline that originates in Houston, Texas, and that carries gasoline and jet fuel to the southeastern US was forced to halt all of its operations to contain a ransomware attack.

In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company's systems remotely using a single username and password found on the Dark Web. Colonial paid the hackers, who were an affiliate of a Russia-linked cybercrime group Darkside, a $4.4 million ransom shortly after the attack.

Less than a year later, Sandworm, a threat group allegedly operated by the Russian cybermilitary unit of the GRU, attempted to prevent an unnamed Ukrainian power provider from functioning. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, \[and\] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Slovak cybersecurity firm ESET, which collaborated with Ukrainian authorities to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.

"The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine," ESET explained. The victim's power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.

**Digitized Environments**

According to John Vestberg, CEO of Clavister, a Swedish company specializing in network security software, "it is now beyond doubt that cybercriminals pose an ever-increasing threat to critical national infrastructure." He adds: "CNI, such as oil and gas, is a prime target for ransomware gangs." He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cybersecurity using predictive analytics and tools like AI (artificial intelligence) and ML (machine learning) technologies.

Camellia Chan, CEO and founder of Flexxon brand X-PHY, agrees: "It's crucial that CNI organizations never take their eyes off the ball," she says. "Good cybersecurity is an ongoing, proactive, intelligent, and self-learning process and embracing emerging tech such as AI as part of a multilayered cybersecurity solution is essential to detect every type of attack and help create a more robust cybersecurity framework."

Nor are the well-organized, often state-sponsored, ransomware gangs the only problem CNI organizations face. Part of the issue is that as industrial organizations (including utilities such as water and energy companies) digitize their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.

**Integrated IT/OT Networks**

Whereas traditionally security was not viewed as being of critical importance because an organization's OT (operational technology) network was designed to be isolated, and also because it ran proprietary industrial protocols and custom software, this is no longer the case.

As Daniel Trivellato, VP of OT product engineering at Forescout, a cybersecurity automation software company, says: “OT environments have modernized and are no longer air-gapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk." In connecting these two environments, organizations are increasing the threat landscape but not necessarily putting in appropriate measures to mitigate the risk.

According to Trivellato, this hasn't gone "unnoticed by threat actors" with ICS- and OT-specific malware such as Industroyer, Triton, and Incontroller evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking, resulting in many serious incidents. "While most OT devices can't be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation, and continuous monitoring of traffic," Trivellato adds.

**Grid Edge Risk**

For Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. "Many of the gangs are realizing that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data," he says.

A further problem, he says, is that energy systems no longer just comprise the traditional grid including power stations and power lines. Instead, what's emerging is what's known as the "grid edge" — decentralized devices such as smart meters as well as solar panels and batteries in people's homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cybersecurity attack in March 2019 when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.

One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these are used to convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into AC (alternating current) electricity provided to the mains. If the inverter's software isn't updated and secure, its data could be intercepted and manipulated in much the same way as previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.

According to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV, hackers can artificially create a malfunction in a PV system to launch cyberattacks to the inverter controls and monitoring system.

"This is a vulnerability that can be, and has been, exploited to attack the power system," he told online publication PV Tech in November 2020. And while currently the potential risk of a cybersecurity attack to solar power networks remains low because the technology hasn't yet reached critical mass, as it becomes more decentralized — with solar panels installed in public places and on top of buildings — managing networks will increasingly rely on robust, cloud-based IoT security.

**Greater Regulation**

One way that governments as well as organizations can ensure the highest levels of CNI protection is with the implementation of standards. For example, Germany put in IT security laws several years ago, making it mandatory for all network providers, operators, and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.

Similarly in the US, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards govern critical infrastructure of all entities that materially affect the BES (Bulk Electrical System) in North America — though this set of standards only applies to electricity and not to the oil and gas industries. According to Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that their actions can have real consequences. "This means they can't simply copy and paste traditional IT cybersecurity measures over to the IT environment — it just doesn't work like that."

However, Illumio's Dearing says that what's happening is that more and more companies are developing a single strategy for both OT and IT environments. "The key," he says, "is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn't necessarily going to have a knock-on effect on all the other parts."

The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially during winter in the northern hemisphere. However, that's not the only concern. Cybersecurity attacks on CNI are increasing, partly because of a growing threat from nation-state actors but also because cybercriminals are realizing that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.

Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.

_**—Story by Chris Price**_

_This story first appeared on_ _IFSEC Global__, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more._

Securing the World's Energy Systems: Where Physical Security and Cybersecurity Must Meet

Russia's NoName057(16) group offers incentives and prizes via Telegram channel for "heroes" to mount attacks against targets within Ukraine and pro-Ukrainian countries.

A Russian threat group is offering incentives and cryptocurrency prizes in an effort to recruit Dark Web volunteers — who it calls "heroes" — to its distributed denial-of-service (DDoS) cyberattack ring.

A group tracked as NoName057(16) has launched the project, called DDosia, which aims at bolstering an earlier effort to mount DDoS attacks on websites in Ukraine and pro-Ukrainian countries. However, rather than try to do all the work themselves, DDosia "entices people to join their efforts by offering prizes for the best performers, paying rewards out in cryptocurrencies," Avast researcher Martin Chlumecký wrote in a post on the Avast.io "Decoded" blog published Jan. 11.

Avast researchers first identified NoName057(16) in September, when they observed Ukraine-targeted DDoS attacks that the group was carrying out using botnets. The campaign specifically targeted websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine, as well as in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.

A remote access Trojan (RAT) called Bobik was instrumental in carrying out the DDoS attacks for the group in the original attack, which had a success rate of 40 percent using the malware, the researchers said.

However, the group ran into a hitch in their plans when the botnet was taken down in early September, according to the group's Telegram channel, the researchers said. NoName057 subsequently launched DDosia to target the same set of pro-Ukraine entities on Sept. 15 as a response to this setback, they said.

"By launching the DDosia project, NoName057(16) tried to create a new parallel botnet to facilitate DDoS attacks," Chlumecký wrote in the post. The project also represents a pivot to a public, incentive-based DDoS effort versus the more secretive Bobik botnet, the researchers said.

**DDosia Technical Details**

The DDosia client is comprised of a Python script created and controlled by NoName057(16). The DDosia tool is only available for verified/invited users via a semiclosed Telegram group — unlike the Babik malware, the researchers said. Another differentiator between the two efforts is that DDosia appears to have no additional backdoor activity, they noted. Bobik on the other hand offers extensive spyware capabilities, including keylogging, running and terminating processes, collecting system information, downloading/uploading files, and dropping further malware onto infected devices.

To become a DDosia member, a volunteer must through a registration process facilitated by the @DDosiabot in the dedicated Telegram channel, the researchers said. After registering, members receive a DDosia zip file that includes an executable.

NoName057(16) also "strongly recommends" that volunteers use a VPN client, "connecting through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets," Chlumecký wrote.

The principal DDosia C2 server used in the DDosia campaign was located at 109. 107. 181. 130; however, it was taken down on Dec. 5, researchers said. Because NoName057(16) continues to actively post on its Telegram channel, the researchers assume it must have another botnet, they said.

The DDosia application has two hardcoded URLs that are used to download and upload data to the C2 server. The first one is used to download a list of domain targets that will be attacked, while the second one is used for statistical reporting, the researchers said.

DDosia sends the list of targets to the botnet as an uncompressed and unencrypted JSON file with two items: targets and randoms, the researchers said.

"The former contains approximately 20 properties that define DDoS targets; each target is described via several attributes: ID, type, method, host, path, body, and more," Chlumecký wrote. "The latter describes how random strings will look via fields such as: digit, upper, lower, and min/max integer values."

DDosia also generates random values at runtime for each attack, likely because attackers want to randomize HTTP requests and make each HTTP request unique for a better success rate, the researchers said.

**Rewarding DDoS "Heroes"**

The most important new aspect of DDoS attacks is the possibility of volunteers who get involved in the campaign being rewarded, the researchers said. Via one of the aforementioned technical aspects of how DDosia works, NoName057(16) collects statistical information about performed attacks and successful attempts by its network of volunteers, which it calls "heroes," they said.

NoName057(16) pays out these heroes — who Chlumecký noted can "easily" manipulate the statistics for success — in cryptocurrency sums of up to thousands of rubles, or the equivalent of hundreds of dollars.

**DDosia: Looming Potential for Disruption**

Currently, the success rate of the DDosia campaign is lower than the previous Bobik campaign, with around 13% of all of attempted attacks disrupting targets, the researchers said.

However, the project "has the potential to be a nuisance when targeted correctly," Chlumecký wrote. The group currently has about 1,000 members; however, if that rises, researchers expect its success rate also to grow, they said.

"Therefore, the successful attack depends on the motivation that NoName057(16) provides to volunteers," Chlumecký explained.

The researchers estimate that one DDosia "hero" can generate about 1,800 requests per minute using four cores and 20 threads, with the speed of request generation depending on the quality of the attacker’s Internet connection. Assuming that at least half of the current membership base is active, this means that the total count of requests to defined targets can be up to 900,000 requests per minute, the researchers said.

"This can be enough to take down Web services that do not expect heavier network traffic," Chlumecký noted. Meanwhile, "servers that expect a high network activity load are more resilient to attacks," he added.

"Given the evolving nature of DDosia and its fluctuating network of volunteers, only time will tell how successful DDosia ultimately will be," Chlumecký said.

Indeed, Russia's attack on Ukraine in February 2022 has driven DDoS attacks to an all-time high, allowing attackers to cause digital and IT-related disruption in a cyberwar that's been mounted alongside the ground war since it began.

NonName057(16) are among a number of threat groups perpetrating these attacks, albeit one of the less sophisticated ones whose attacks at this point remain low-impact and cause little significant damage, the researchers said.

Chlumecký likened the group to another pro-Russia threat actor Killnet, whose activities are aimed at drawing media attention: "NoName057(16) activities are still more of a nuisance than dangerous."

Source

DARKReading