An international counter-ransomware task force has been announced by Australian authorities following the recent Optus and Medibank data breaches.

Australian authorities have announced a new offensive against cybercrime, standing up a a joint operation between the Australian Federal Police and the Australian Signals Directorate to disrupt cybercriminal operations. 

The move comes after two headline-making breaches against Australian companies Optus and Medibank. The task force will collect information about cyber threats and identify targets with the potential to inflict harm on Australian national interests, according to the announcement about the new offensive cybercrime strategy. 

"This operation will collect intelligence and identify ring-leaders, networks and infrastructure in order to disrupt and stop their operations — regardless of where they are," a statement from the Australian Attorney General explained about the new ransomware task force. "It sends an important message to criminals and hackers intending to do harm — Australia will fight back."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Australia Declares War on Cybercrime Syndicates

Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.

Security teams running unpatched, Internet-connected Zimbra Collaboration Suites (ZCS) should just go ahead and assume compromise, and take immediate detection and response action.

That's according to a new alert issued by the Cybersecurity and Infrastructure Security Agency, which flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. The attacks lead to remote code execution and access to the Zimbra platform.

The result could be quite risky when it comes to shielding sensitive information and preventing email-based follow-on threats: ZCS is a suite of business communications services that includes an email server and a Web client for accessing messages via the cloud.

CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided detection details and indicators of compromise (IoCs) to help security teams.

"Cyber-threat actors may be targeting unpatched ZCS instances in both government and private sector networks," according to a Zimbra advisory.

CISA and the MS-ISAC strongly urged users and administrators to apply the guidance in the Recommendations section of this Cybersecurity Advisory to help secure their organization's systems against malicious cyberactivity.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says

Data-deletion service's patent covers removing personal information such as geolocation, biometrics, and phone records from a vehicle by using a user-computing device

**ATLANTA, Nov. 14, 2022 /PRNewswire/** — Privacy4Cars, the first privacy-tech company focused on solving the privacy and security issues posed by vehicle data to protect consumers and automotive businesses, announced today that it has secured a new patent, further expanding its patent coverage for removing privacy information from a vehicle by using a user computing device. This patent grant marks the fourth patent that the U.S. Patent & Trademark Office has awarded to Privacy4Cars in the past three years and provides further evidence that the company is the leading innovator in the vehicle data privacy and security field.

Since its launch in 2018, Privacy4Cars has emerged as the industry standard across auto finance companies (including captives, national and regional banks, auto lenders, and credit unions), fleets and fleet management companies, and franchised and independent dealerships. Many of today's top companies in the automotive space — including the three largest OEM's captives — have adopted the data-deletion service powered by the Privacy4Cars platform, and a growing number of industry associations have begun speaking out about the need to clear personal information from cars, and tapping Privacy4Cars as a resource to educate members.

"Used vehicles are akin to large, unencrypted hard drives full of consumers' sensitive Personal Information, including identifiers, geolocation, biometrics, and phone records," said Andrea Amico, CEO and founder of Privacy4Cars. "This creates service, reputation, and increasingly major regulatory challenges, including the obligations companies face under the new Safeguards Rule (coming into effect on Dec. 9, 2022) and a host of existing and new state laws. At the same time, federal and local agencies are increasingly concerned about the personal information vehicles capture and store — which is driving more and more auto businesses to look for reliable solutions to simply and effectively delete data from vehicles while creating by design detailed compliance logs that prove their efforts," he continued. "This new patent demonstrates Privacy4Cars' commitment to meet the growing compliance and service needs of our partners. Privacy4Cars has established itself as the clear leader in the vehicle privacy space and companies increasingly recognize the superior efficiency, effectiveness, and compliance outcomes our proprietary solution offers, making Privacy4Cars the only obvious choice".

Privacy4Cars' newly awarded U.S. Patent No. 11,494,514 expands the scope of patent protection for the vehicle data privacy and security innovations of Privacy4Cars' U.S. Patent No. 11,256,827, U.S. Patent No. 11,157,648 and U.S. Patent No. 11,113,415. The new patent covers the use of a user computing device to remove privacy information from a vehicle and to create feedback about the information removal activity, including deletion logs for use in legal compliance applications.

Privacy4Cars is currently available in the US, Canada, UK, EU, Middle East, India, and Australia, and plans to further expand its geographical reach to address the growing number of countries that have comprehensive privacy and data security laws. Privacy4Cars is available to consumers as a free-to-download app, and to businesses as a subscription service. Businesses can use Privacy4Cars' stand-alone app or choose to integrate Privacy4Cars' Software Development Kit to easily embed its patented data deletion solution as a feature inside their own apps.

For more information about Privacy4Cars, please visit: https://privacy4cars.com.

**ABOUT PRIVACY4CARS**

Privacy4Cars is the first and only technology company focused on identifying and resolving data privacy issues across the automotive ecosystem. Our mission, Driving Privacy, means offering a suite of services to expand protections for individuals and companies alike, by focusing on privacy, safety, security, and compliance. Privacy4Cars' patented solution helps users quickly and confidently clear vehicle users' personal information (phone numbers, call logs, location history, garage door codes, and more) while building compliance records. For more information, please visit: https://privacy4cars.com/

**SOUR****CE:** Privacy4Cars

Privacy4Cars Secures Fourth Patent to Remove Privacy Information From Vehicles and Create Compliance Logs

Designation recognizes highest caliber of information security.

**PLEASANTON, Calif., Nov. 14, 2022 /PRNewswire/** — Avatier, the industry leader in identity and access management, today announced it has received ISO 27001:2013 certification for its Information Security Management System (ISMS).

ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). Avatier's certification was issued by A-LIGN, an independent and accredited certification body based in the United States, on the successful completion of a formal audit process. This certification is evidence that Avatier has met rigorous international standards in ensuring the confidentiality, integrity, and availability of the Avatier Identity Anywhere platform.

Avatier develops identity management and governance platforms that enable organizations to scale faster, innovate quicker and embrace change more securely. Avatier's identity access management (IAM) and identity governance and administration (IGA) solutions do not require client software, so management is in real-time across any platform, such as Google Chrome, Microsoft Teams, or iOS and Android.

"This certification demonstrates Avatier's continued commitment to information security at every level and ensures our customers that the security of their data and information has been addressed, implemented, and properly controlled in all areas of their organization," said Jeremy Russeau, Avatier CISO.

**About Avatier Corporation**

Avatier is the Identity Management company of the future with innovative solutions for today. Avatier develops a "state of the art" identity management platform enabling workforce collaboration resulting in better customer experiences and increased revenue. The company's Identity Anywhere platform uses container technology, providing maximum flexibility, scalability and security in a platform-independent and portable solution that future-proofs your investment. Avatier's identity management and access governance solutions make the world's largest organizations more secure and productive in the shortest time at the lowest costs. Avatier brings all your back-office business applications and employee assets together and manages them as one.

For more information, visit www.avatier.com.

**SOURCE:** Avatier

Avatier Achieves ISO 27001 Certification for its Information Security Management System

Quantum computing's a clear threat to encryption, and post-quantum crypto means adding new cryptography to hardware and software without being disruptive.

There is a potential dark side to quantum computing, one that is a threat to how we secure data. Back in 1994, Peter Shor developed an algorithm for factoring large numbers using a quantum computer, which could be used to break encryption. Today, RSA encryption relies on the difficulty a classical computer has with such factorization. With Shor's algorithm in mind, nation-states and nefarious actors started harvesting data packets, dreaming of a future where they would be able to decrypt those packets using a fault-tolerant quantum computer.

Currently, there are about three dozen quantum computers in the cloud. These quantum computers are error-prone and lack enough quantum bits (qubits) to run Shor's algorithm against RSA encryption. Some experts claim quantum computing will not be a threat for at least 30 years. However, those claims may be based upon outdated information and there is evidence that quantum computing will have the power to crack encryption sooner than we thought.

**Identifying Quantum Threats**

The day is coming when a quantum threat (Y2Q) to encryption becomes a reality. Y2Q proves similar to a combination of the Y2K bug and the 2014 Heartbleed attack, where it will affect almost every system on the planet and severely affect data in motion.

Y2Q affects two types of general cryptography: symmetric and asymmetric. Symmetric encryption is used for data at rest and functions like a locked box with a key. Shor's algorithm cannot attack symmetric encryption ciphers such as AES, however Grover's search algorithm can weaken it. To combat Y2Q in this situation, we can increase the symmetric key size and make it even more difficult to attack via brute force.

Data in motion on a network is protected by asymmetric encryption, which is commonly called public key cryptography, and its most prevalent example is via a cipher known as RSA. RSA is vulnerable to Shor's algorithm, allowing a quantum computer to reverse private keys and read messages. Blockchain also uses a type of public key encryption called ECC, which means the crypto economy is also threatened by quantum computing.

Preparing for Y2Q begins with conducting a post-quantum crypto (PQC) agility assessment. Crypto agility is the ability to introduce new cryptography to an organization's hardware and software without being disruptive to infrastructure. However, identifying those primary threats is not easy. It is a matter of determining what ciphers are used throughout an organization, including in third-party hardware and software. Further complicating the process is that some elements may not have a path forward for post-quantum cryptography.

**Exploring the PQC Threat and Timeline**

It may be too late to protect certain types of data. Mosca's theorem states that you must add the number of years it takes your organization to migrate to new cryptographic standards and primitives to the shelf life of your secret. For example, three years to migrate plus a regulatory requirement of 10 years of maintenance would equal 13 years.

Using the implementation example of Shor's algorithm called Toffoli-based modular multiplication, we can estimate that quantum computers will have enough power (high-fidelity qubits) to crack encryption by the end of this decade.

However, the quantum world is constantly making observations on its denizens, including qubits, which causes them to decohere and become "classical" or unable to compute with quantum algorithms. System builders must account for this noise and resolve engineering challenges to make qubits near perfect with 99.99% fidelity. We also need to run error correction, which requires sacrificing some physical qubits to create a logical, error-corrected qubit.

Qubit growth can be accelerated by using a few modest-size, quality quantum computers that work together using a technology called interconnect, which allows quantum computers to entangle qubits to behave as one quantum computer. If we get interconnect right, we could take, say, four 1,100-qubit quantum computers and instantly have a 4,400-qubit machine capable of doing damage to encryption.

IBM has a grim prediction that it will take 1,000 physical qubits to yield one error-corrected qubit. However, IonQ thinks it is closer to 16 to 1. An estimate between those two extremes indicates that if we get close to 1 million physical qubits this decade, we will quickly surpass current predictions.

NIST is aware of the looming threat and has been working to develop a new standard of PQC with ciphers to replace RSA. We expect a new standard by the end of 2024.

In May 2022, the White House released the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. That memo has action demands on federal entities to be taken after NIST finalizes the new standard.

We can expect regulators and other industries in the private sector to mirror these expectations closely. Simply put, organizations must become crypto-agile and introduce hybrid PQC solutions for today's most critical data flows.

Quantum Cryptography Apocalypse: A Timeline and Action Plan

Solutions that allow businesses to reduce complexity, develop and deploy applications and APIs, and protect those applications and APIs are no fairy tale.

Once upon a time, enterprise applications were deployed and delivered on-premises or in data centers. Managing the life cycle of these applications was not simple, though in time we learned. We also learned over time how to instrument the environment to collect telemetry data and use that data to monitor the applications for security and fraud threats.

Just when we had a handle on that model, things started changing. New environments, such as cloud, multicloud, edge, and hybrid started emerging. Groups such as AppDev, DevOps, SecOps, and NetOps that had learned how to manage in the traditional enterprise environment now found themselves needing to learn how to manage in a variety of environments. Each of these environments has its own technology stacks, controls, policies, processes, and procedures — not to mention the different skill sets and personnel required to manage, operate, and maintain these different environments.

These changes introduce a few marked challenges in managing the life cycle of applications and securing them:

*   Difficulty managing and securing environments due to increased complexity (multiple complex environments).
*   Difficulty deploying and managing applications and APIs across environments.
*   Difficulty protecting those applications and APIs from security and fraud threats.

For many businesses, these challenges have quickly introduced a variety of problems. Maintaining a team large and well-trained enough to successfully manage, operate, and maintain these environments is difficult for all but the largest enterprises. Managing, operating, and maintaining technology infrastructure, security stacks, and fraud technologies across environments has become prohibitively expensive.

Complexity is the enemy of security — adequately protecting applications and APIs has been hampered by the unruly mess that infrastructure has become. And enforcing consistent and effective controls, policies, processes, and procedures across environments has become nearly impossible.

Given these challenges, how can organizations:

1.  Reduce complexity?
2.  Develop and deploy applications and APIs anywhere at the speed the business requires?
3.  Protect applications and APIs from security and fraud threats?

Thankfully, businesses — even those that are not the largest of enterprises — now have some viable options. In other words, despite the words I used to start this piece, addressing these challenges is not a fairy tale. There are some solutions that allow businesses to achieve the three goals mentioned above.

**1\. Reducing Complexity**

As environments have grown more complex, a whole family of solutions has arisen around abstracting and simplifying the complexities of hybrid and multicloud environments. Businesses can now leverage options that will allow them to more easily manage technology stacks, manage controls and policies across environments, manage application development and deployment, instrument the environment to collect telemetry data, and monitor the environment for security, compliance, and fraud purposes.

These solutions generally abstract away the complexities of individual environments and provide businesses with an easy-to-use central console where they can leverage various components to build the workflows they need while satisfying necessary requirements. These solutions most often handle the translation and mapping from the logical components and workflows that the organization sets up to the physical implementations across various environments.

Having one centralized location in which technology, controls, policies, applications, APIs, telemetry, and other aspects of the infrastructure can be viewed, modified, audited, monitored, and reviewed gives businesses huge value when it comes to managing, operating, and maintaining complex, modern infrastructures.

**2\. Developing and Deploying Applications and APIs Anywhere at Speed**

Each year, more revenue moves to digital channels. As this happens, businesses need to remain competitive in a rapidly changing marketplace. An important part of remaining competitive is being able to deploy applications and APIs at the speed the business requires. Doing so requires having a good handle on the development life cycle across a variety of environments.

As environments have grown more complex, so has managing the life cycle of applications and APIs. Given this, it is not surprising that a crop of solutions has arisen around simplifying and managing the development and deployment of applications and APIs across multiple complex environments. Leveraging a solution that simplifies and standardizes the development and deployment of applications and APIs across a variety of environments can help businesses keep up with the demanding pace of the marketplace. This, in turn, allows businesses to be more competitive and to avoid losing revenue because they can't meet customer needs in the digital channels.

**3\. Protecting Applications and APIs From Threats**

As environments have grown more complex, so has protecting applications and APIs from security and fraud threats. It is logical, then, that solutions designed to facilitate API discovery, application and API protection, anti-bot/anti-automation across multiple complex environments have become popular of late.

First off, before we can protect our applications and APIs, we need to know what they are and where they are. Despite our best efforts to control and monitor the development and deployment life cycle, cases of infrastructure, applications, and APIs are always popping up without the knowledge or support of IT and security. It is because of this that discovery is so important.

Assuming we have a decent handle on what applications and APIs we have and where they are, we can move to focusing on protecting those applications and APIs from security and fraud threats. This includes protecting them from fraud/business logic abuse, unauthorized access, breaches, theft of PII or other sensitive data, and automated attacks.

This level of protection was difficult enough in the days of the enterprise network. With the complexity of today's environments, it has become even more difficult. This is another area in which businesses can look for solutions to help them discover their applications and APIs and protect them from a variety of threats.

The infrastructure complexities that modern businesses need to contend with are no laughing matter. That said, there are solutions that allow businesses to reduce complexity, develop and deploy applications and APIs anywhere at the speed the business requires, and protect those applications and APIs from security and fraud threats. It is no longer a fairy tale.

How APIs and Applications Can Live Happily Ever After

Military veterans tend to have the kind of skills that would make them effective cybersecurity professionals, but making the transition is not that easy.

Organizations are struggling to fill cybersecurity positions. That may be because they aren't utilizing security staff efficiently and so they need more people. It could also just be that the increase in threats means there is more work to be done. For whatever reason, organizations are casting a wider net to find talented and skilled professionals to staff up their security teams, and they are increasingly courting former military personnel.

"The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private sector offerings and is highly transferable to a career in the private sector," Carl Wright, chief commercial officer at AttackIQ, told Dark Reading earlier this year.

As an employee group, veterans exhibit characteristics that make them particularly well-suited for the cybersecurity workforce, the National Institute for Standards and Technology wrote in a special publication (SP1500-16) on helping veterans transition into private IT sector roles. "Their military experience has provided them with years of cybersecurity experience in 'live fire' scenarios, working on systems comparable to those found in the civilian work environment," according to the document. Veterans already possessing security clearances will also be very attractive as job candidates.

They may also have the requisite security certifications. Vendor-neutral certifications are particularly ubiquitous among military personnel, according to the most recent Cybersecurity Workforce Study from (ISC)2.

However, many veterans find making that switch from the military to private sector can be difficult. Veteran-hiring initiatives exist, both inside and outside of industry, but many of these programs are not discovered until too late, NIST said. "Veterans may not find information about these programs, may not see how their military experience translates to job-readiness in the private sector, or may need assistance in gaining certifications necessary to qualify for some private-sector cybersecurity roles," NIST said.

Veterans who did not work in cybersecurity while in the military still have valuable skills that they bring to the field, however. The military emphasizes teamwork, adaptability, and responsibility, all traits that security professionals need to have. Military personnel are also trained in careful decision-making even under extreme pressure using the available information. For example, Josh Smith, a cybersecurity analyst at Nuspire, told Dark Reading earlier this year how the same skills he relied on in the US Navy to ingest data, analyze what was received, disseminate the information to appropriate parties, and take action based on the findings translate to cybersecurity roles.

Earlier this year, the White House National Cyber Workforce and Education Summit issued a call to action to increase cybersecurity education and training opportunities. One of the announcements was to encourage more apprenticeship programs to help develop and train the cybersecurity workforce. In the months since, there have been a number of initiatives from cybersecurity organizations, including SANS Institute.

Many colleges and universities have training programs specifically to give veterans hands-on experience in various areas. Cybersecurity training platform Cybrary said this week it is partnering with VetSec, a community of over 3,300 veterans working in or transitioning into cybersecurity, and TechVets, a bridge service for moving veterans, service leavers, reservists, and their families into IT careers.

Private companies are partnering with veterans' organizations as well. For example, consulting giant Accenture offers a military veteran technology program, as does networking titan Cisco. Microsoft Software and Systems Academy (MSSA) was created to provide transitioning service members and veterans with career skills needed in the modern tech industry. Arctic Wolf, for example, works with the Department of Defense's SkillBridge program to provide a path to reentry into the workforce for those leaving the military.

Such efforts seem to be paying off. According to the US Department of Labor, unemployment among veterans is running nearly a full percentage point below the general population; in October 2022, only 2.7% of veterans were unemployed, compared to 3.6% overall.

Why Cybersecurity Should Highlight Veteran-Hiring Programs

Pretty much every aspect of the effort to create easy-to-understand labels for Internet-of-Things (IoT) products is up in the air, according to participants in the process.

The effort to create informative labels to give buyers insight into the cybersecurity of connected devices continues to advance, but very slowly, according to technology firms and the US government.

Last week, Google published a blog post outlining the company's stance on what should be included in product labels for Internet of Things (IoT) devices. It described five principles that should guide the industry, including a minimum security baseline, adherence to international standards, and allowing the label to change as knowledge of the security landscape changes. The need for a statement focusing on basics highlights the slow paces at which the standards are being developed.

One reason that IoT cybersecurity labelling standards are in their "early stages" is because the Internet of Things includes a massive number of products and categories, says Dave Kleidermacher, vice president of engineering for Android Security & Privacy at Google.

"Simplification of IoT security remains a challenge that the industry continues to work on," he says. "This is largely due to the fact that IoT has a broad spectrum of product categories like light bulbs and smart displays, which have very different levels of required security."

Google's published statement comes two weeks after the White House called together technologists from government and private industry for a summit on the progress in IoT labeling, and more than a year after the US National Institute of Standards and Technology (NIST) held its "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software," an effort to create IoT product labels that communicate the security state of applications and connected devices.

Both meetings were striving to deliver on the Biden administration's May 2021 "Executive Order on Improving the Nation's Cybersecurity," which mandates developing standards. The goal of the latest meeting was to continue progress toward a nutrition label or an Energy Star-like system that speaks to the security of any connected device, the Biden administration said in a statement.

"\[The\] dialogue focused on how to best implement a national cybersecurity labeling program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label," the White House said in an Oct. 20 statement. "Government and industry leaders discussed the importance of a trusted program to increase security across consumer devices that connect to the Internet by equipping devices with easily recognized labels to help consumers make more informed cybersecurity choices."

**No to Printed Labels, Yes to International Standards**

Progress is slow, Google stated in its blog post. Almost all of the details of IoT product labeling are up in the air, including "the definition of labeling, what labeling needs to convey in terms of security and privacy, where the label should reside, and how to achieve consumer acceptance."

Printed labels should be avoided, because security is ever-changing, and any label would only document a point in the past, Kleidermacher says.

"Labels need to be digital," he says. "Because the security posture of a device can change in a matter of days, providing a printed label could inadvertently hurt the user by providing potentially stale information or lead a consumer to buy a device which is no longer safe."

Google pointed to security label specifications being created by the IoT-focused Connectivity Standards Alliance (CSA) and the GSM Association, a mobile device industry group, as potential starting places.

"Being able to offer helpful, useful information to allow consumers to enable better purchase decisions is the core of the consensus building around IoT security labeling," Kleidermacher says. "The rest is still very much up for debate, including how the label should look — that is, binary or multi-level — where it should reside, and what the label should include."

**Binary Labels Get NIST's Nod**

One area of disagreement is whether labels should be binary — yes, a product meets standards, or no, it does not — or allow for a spectrum of cybersecurity ratings. In its final draft of its "Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products," NIST recommended in September a binary label for the baseline standard. In a statement published in October, the Biden administration committed to quickly develop the standards for labeling of "the most common, and often most at-risk, technologies — routers and home cameras."

Google's Kleidermacher noted that the binary approach deviates from multitiered labeling schemes adopted in other countries, such as Singapore. The company hopes that the United States and other countries can work through industry alliances to create a standard global approach for attesting to cybersecurity.

"Because these organizations bridge industry and policy makers, we hope that this could help drive speedy adoption through collaboration, coordination, and the sharing of ideas," he says. "Many countries have already started mandating minimum security baselines through regulation efforts, so it is imperative that the United States participate in international discussions to create coherent, interoperable standards."

Cybersecurity 'Nutrition' Labels Still a Work in Progress

Multifactor authentication has gained adoption among organizations as a way of improving security over passwords alone, but increasing theft of browser cookies undermines that security.

When the malware group Lapsus$ needed to gain access to systems compromised in recent breaches, it not only searched for passwords but also for the session tokens — that is, cookies — used to authenticate a device or browser as legitimate.

Their tactics for initial access highlights a trend among attackers, who will buy passwords and cookies on the criminals underground use them to access cloud services and on-premises applications. In addition, when they do get access to a system, attackers prioritize stealing cookies for later use or for sale. Session cookies have become the way for attackers to bypass multifactor authentication (MFA) mechanism that otherwise protect systems and cloud services from attackers, says Andy Thompson, global research evangelist at CyberArk Labs.

In a presentation at Black Hat Middle East and Africa next week, CyberArk researchers will demonstrate how attackers can steal session cookies and then use them to gain access to business and cloud services.

"The crazy part is that this applies to all types of multifactor, because stealing these cookies bypasses both authentication and authorization," Thompson says. "Once you have authenticated using multifactor, that cookie is established on the endpoint, and the attacker can then use it for later access."

Stealing session cookies has become one of the most common ways that attackers circumvent multifactor authentication. The Emotet malware, the Raccoon Stealer malware-as-a-service, and the RedLine Stealer keylogger all have functionality for stealing sessions tokens from the browsers installed on a victim's system

In August, security software firm Sophos noted that the popular red-teaming and attack tools Mimikatz, Metasploit Meterpreter, and Cobalt Strike all could be used to harvest cookies from the browsers' caches as well, which the firm called "the new perimeter bypass."

"Cookies associated with authentication to Web services can be used by attackers in 'pass the cookie' attacks, attempting to masquerade as the legitimate user to whom the cookie was originally issued and gain access to Web services without a login challenge," Sean Gallagher, a threat researcher with Sophos, stated in the August blog post. "This is similar to 'pass the hash' attacks, which use locally stored authentication hashes to gain access to network resources without having to crack the passwords."

**An Easy Attack for Sustaining Access**

Stealing cookies is a pretty basic attack, but one that has grown in importance as more companies adopt adaptive authentication strategies, which use a cookie to allow a users on a specific browser and device to access a protected service, without having to reenter a multifactor authentication code.

For attackers, there is very little needed to make the attack successful. As long as they have some sort of access to a machine, they can grab the cookies, says CyberArk's Thompson.

"Most attacks require some sort of elevation of privilege to install software," he says. "With this, we have everything we need, regardless of the level of privilege. Even as a non-admin, we are still vulnerable to cookie harvesting."

**Attackers Take on MFA by Necessity**

While stealing session cookies are a common way that attackers bypass multifactor authentication, there are a host of others as well. Keylogging can circumvent MFA by grabbing the one-time password used by many companies, while an adversary-in-the-middle attack can capture security information being sent both to and from a targeted service.

Attackers can also attempt to access an account repeatedly, with the backend system sending an authentication request to the actual user. Known as MFA bombing, the technique's goal is to overwhelm the user with requests and, from fatigue or from too little skepticism, have them click to allow the access. Attackers used stolen cookies and MFA bombing to compromise ride-share giant Uber and entertainment firm Take-Two Interactive.

Overall, the way to prevent attackers from bypassing MFA is to have additional security software on systems to detect the theft of cookies, says CyberArk's Thompson. So rather than just push users to adopt password managers and MFA and call that sufficient, companies need to adopt some sort of endpoint control as well, he says.

"We also need some ability to have a sort of least privilege or application control, antivirus, or EDR/XDR — any of those are really critical in solving the gap," Thompson says. "We want to prevent malicious tools and actors from harvesting passwords or harvesting cookie information from memory."

Cookies for MFA Bypass Gain Traction Among Cyberattackers

The bug affects several Aiphone GT models using NFC technology and allows malicious actors to potentially gain access to sensitive facilities.

A vulnerability in a series of popular digital door-entry systems offered by Aiphone can enable hackers to breach the entry systems — simply by utilizing a mobile device and a near-field communication, or NFC, tag.

The devices in question (GT-DMB-N, GT-DMB-LVN, and GT-DB-VN) are used by high-profile customers, including the White House and the United Kingdom's Houses of Parliament.

The vulnerability was discovered by a researcher with the Norwegian security firm Promon, who also found there is no limit to the number of times an incorrect password can be entered on some Aiphone door-lock systems.

After finding the admin passcode, the malicious actor could then inject the serial number of a new NFC tag containing the admin passcode back into the system's log of approved tags.

"This would give the attacker both the code in plaintext that can then be punched into the keypad, but also an NFC tag that can be used to gain access to the building without the need to touch any buttons at all," a blog post reporting the vulnerability explained.

Because the Aiphone system does not keep logs of the attempts, there is no digital trace of the hack.

Promon first alerted Aiphone to the issue in June 2021. The company said systems built before Dec. 7 of that year are unable to be fixed, but any systems built after that date include a feature limiting the number of passcode attempts that can be made.

The Promon report noted Aiphone alerted its customers to the existence of the vulnerability, which is tracked as CVE-2022-40903.

Despite the alarming top-line findings, Promon security researcher Cameron Lowell Palmer, who discovered the vulnerability, calls this kind of IoT security oversight "fairly typical." From an administrative standpoint, adding NFC was a win, but it exposed the system to this new attack vector, he explains.

"The system started off with some reasonable design choices, and with the addition of the NFC interface, the design became dangerous," he explains. "This product seems, to me, predicated upon the notion of physical security, and when NFC was added, they added a touchless high-speed data port on the exterior of the building, which violated the premise."

**Nobody Thought of Brute Force NFC Access**

Mike Parkin, senior technical engineer at Vulcan Cyber, says the lack of throttling or lockout features indicates that no one thought of an attacker trying to brute-force NFC access when the product was designed.

"Or, if they did, they believed the risk of an attacker doing it in the field was low enough to omit those security features," he adds.

He says the real questions are how many of these inherently vulnerable systems are deployed, and, just as important, what other products, from this or other vendors, use digital access without throttling or lockout timers to blunt a brute-force attack.

Palmer adds that NFC and IoT are challenging technologies to secure, which makes him think that vendors that are not collaborating with others for security are walking down a dangerous path.

"Developers and companies try to make the very best product they can, which is already hard," he says. "It is especially easy to make security gaffes, because security is usually not their area of expertise, and in many cases it does not directly improve the user experience."

Roger Grimes, data-driven defense evangelist at KnowBe4, is harsher, and says the vulnerability suggests that Aiphone did not even do basic threat modeling.

"It makes me suspicious of their entire design, security-wise," he says. "This is not just a problem with this vendor. You can name nearly any vendor or product you like, and they are also not doing the appropriate threat modeling."

**No Security by Design for IoT**

Jason Hicks, field CISO and executive adviser at Coalfire, explains that in recent years there has been a push to integrate things like remote access, voice over IP (VoIP), and newer wireless technologies like NFC to physical security systems.

"This introduces new attack vectors that physical access designers are not used to having to consider how to secure," he says. "The same basic security best practices we apply to IT equipment needs to be extended to these systems in a consistent manner."

For instance, "storing passwords in a plaintext file is something that should be avoided for obvious reasons," he says.

Hicks adds that there are many IoT devices whose compromise would not create much of a security issue — but access control systems are not one of them. A hack here could result in loss or physical harm.

Therefore, vendors need to train all developers on how to develop secure software and secure products.

"It's always seemed ironic to me that security vendors supplying me a \[physical\] security product don't train — or require — their developers in how to securely develop software and products," Grimes says. "How can you expect a developer with no training in secure development to naturally just figure it out?"

Palmer advises IoT companies to take even simple steps: Hire outside experts and have them test out the security of the devices regularly, for example.

**For Organizations, It's Tough Avoid IoT Dangers**

Bud Broomhead, CEO at Viakoo, says IoT represents the fastest-growing attack surface, adding that there are many reasons for that, starting with the fact that users often overlook security implications.

"IoT devices are typically managed by the line of business and not IT, so there is both a lack of skills and knowledge about maintaining cyber hygiene," he says.

He adds that many IoT systems are budgeted as a capital expenditure but do not always have the operating budget assigned to them to maintain their security.

"They are very hard to patch manually, and often have out-of-date firmware when they are brand new, and they exist in the supply chain for long periods of time," he says.

They also use a lot of open source software containing vulnerabilities and lack software bills of material (SBOMs) to quickly determine if the device contains those vulnerabilities. Broomhead adds there are often multiple makes/models that perform similar functions, so when a vulnerability is present, it takes multiple manufacturers to provide patches.

"There needs to be auditable compliance requirements, and coordination between the silos within an organization so that IoT security is shared across multiple disciplines including IT, CISO office, and the lines of business," he says.

For organizations struggling to protect a rapidly expanding volume of IoT devices, he adds, IoT fingerprinting could help with security and management.

Source

DARKReading