NSA and CISA release guidance on protecting against cybersecurity threats to operational technology and industrial control systems.

The National Security Administration (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are warning that there are active, known threats to industrial control systems (ICS) and operational technology (OT) that critical infrastructure sectors should be aware of.

In particular, the report, "Control Systems Defense: Know the Opponent," warns about the rise in attacks against utilities and industrial targets from advanced persistent threat (APT) groups and gathers insights into the tactics, techniques, and procedures (TTPs) of common threats to ICS and OT systems to help security teams shore up their defenses. For instance, APTs have recently begin developing tools specifically for scanning, compromising, and controlling targeted OT devices, according to the feds.

"State-sponsored APT actors target critical infrastructure for political and/or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population," according to the alert, issued Sept. 22. "The cyber-actor selects the target and intended effect — to disrupt, disable, deny, deceive, and/or destroy — based on these objectives."

Awareness of this growing threat is key. "Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them,” Michael Dransfield, NSA control systems defense expert, said about the new cybersecurity advisory. “We’re exposing the malicious actors’ playbook so that we can harden our systems and prevent their next attempt.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Sound Alarm on Rising OT/ICS Threats From APT Groups

Branded as a components library for two popular open source resources, Material Tailwind instead loads a Windows .exe that can run PowerShell scripts.

A malicious package in the npm open source code repository is hitching a social engineering ride on the "Tailwind" legitimate software library tool, which millions of application developers use around the globe. The finding comes as threat actors continue to see opportunity in seeding open source software with malware.

Threat actors are branding the malicious package as "Material Tailwind," describing it as "an easy-to-use components library for Tailwind CSS and Material Design," two commonly used open source libraries that have millions of downloads each, researchers from ReversingLabs have found.

Tailwind is as an open source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects. Both "are recognizable names and massively popular libraries among developers," according to the firm.

However, Material Tailwind is not helpful to developers at all, researchers revealed in a post published on Sept. 22. It instead delivers a multistage attack — rare for this type of malware — that downloads a malicious, custom-packed Windows executable capable of running PowerShell scripts.

"In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated," Karlo Zanki, reverse engineer at ReversingLabs, observed in the post. "Sophisticated multistage malware samples like Material Tailwind are still a rare find."

Researchers at ReversingLabs detected the malicious behavior because the purported library modification contained code obfuscated with JavaScript Obfuscator. Moreover, while the description of the package seemed legitimate enough, closer inspection revealed that it was copied from another npm package named tailwindcss-stimulus-components, they said, which the threat actors then Trojanized.

"The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind," Zanki wrote. "The malicious package also successfully implements all of the functionality provided by the original package."

**How the Attack Works**

ReversingLabs researchers analyzed Material Tailwind in detail by de-obfuscating the suspicious script, executes immediately after the package is installed — behavior that is in and of itself "a (big) red flag" for threat researchers, Zanki noted.

Once the package installs, the module first sends a POST request with platform information to a specific IP address to validate that it's being executed on a Win32 system. If so, it constructs a download link containing the type of the operating system, and it also adds a parameter likely used to validate that the download request is coming from the victim's machine, researchers found.

A password-protected .zip archive named DiagnosticsLogger.zip is downloaded, which contains a single file, named DiagnosticsHub.exe, likely to disguise the payload as some kind of diagnostic tool, Zanki noted. Attackers probably use password protection to avoid basic antivirus checks as well, he said.

Finally, the script spawns a child process that executes the downloaded file, a custom-packed, Windows executable that uses several protections aimed at making it difficult to analyze, Zanki said.

Packed information includes several PowerShell code snippets responsible for command and control, communication, and process manipulation, researchers found. The malware achieves persistence by executing a Base64-encoded PowerShell command, which sets up a scheduled task to be executed daily.

A stage-two process of the malicious code fetches an XOR-encrypted and Base64-encoded file from a public Google Drive link or, in the case that the link can't be accessed, from one or the other of two alternative download locations — one at GitHub and another one at OneDrive, researchers found.

At the time of publication, the encrypted file contains a single IP address, which is the location of its command-and-control server from which the malware receives encrypted instructions using a dedicated socket connection, they added.

**Weaponizing Open Source Code**

Open source software and npm packages in particular have become a target of choice for threat actors lately because they can easily be weaponized against the software supply chain. In fact, planting malware in open source code is one of the fastest-growing types of software supply chain attacks "being spotted almost daily now," according to Zanki.

These types of attacks also are forcing enterprises to pivot when it comes to how they secure their environments, notes Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

"Up until recently, organizations only had to contend with the security vulnerabilities in their applications that were unintentionally inherited through open source components and their dependencies — which wasn’t a trivial task to begin with," he says. "Now, attackers are baiting organizations into using open source packages that were modified with malicious intent."

Npm packages are an attractive conduit for software supply chain attacks "in part due to the sheer volume of open source components and dependencies typically used to build NodeJS applications," he observed.

These dependencies indeed are increasing the security risks for enterprises, presently a considerable challenge in how quickly problems throughout resources can multiply, notes Ben Pick, principal cybersecurity consultant at application security provider nVisium.

"Thus, an attacker would only need to target and compromise one of the many open source projects in a pipeline to cause considerable harm," he observes.

**Software Supply Chain: Multiple Cyberattack Options**

Attackers that leverage npm packages are getting creative in how they use the open source repositories.

A report published in February identified more than 1,300 malicious npm packages in 2021 that allowed attackers to get up to a number of nefarious activities, including cryptojacking and data theft. In terms of tricking people into installing them, some packages masquerade as tools for security research, researchers found.

Two examples of recent attacks in which attackers leverage npm packages surfaced in July. The first, reported on July 5, revealed a long-range supply chain attack after several packages using a JavaScript obfuscator to hide their true function were discovered in April.

In another, reported on July 29, attackers used four npm packages containing highly obfuscated malicious Python and JavaScript code to spread the "Volt Stealer" and "Lofy Stealer" malware to collect information from their victims, including Discord tokens and credit-card information, as well as spy on them over time.

Malicious npm Package Poses as Tailwind Tool

Allurity has acquired Spanish multinational Aiuken Cybersecurity, as an important step in its journey to becoming Europe's leading cybersecurity provider. Aiuken brings an entire SOC platform spanning three continents, as well as its Cloud Security and SOC-as-a-Service platforms.

Aiuken Cybersecurity was founded in 2012 by former Telefónica executive Juan Miguel Velasco, who is currently the CEO and will continue to lead the company following this transaction. The company has achieved impressive growth and will continue its journey with Allurity as an accelerator.

According to Juan Miguel Velasco, CEO of Aiuken Cybersecurity, “We are proud to join forces with this flourishing European group that has big ambitions to have a long-term impact and drive our growth in the cybersecurity sector. We believe they will be truly valuable and contribute towards our continued rapid expansion with a shared vision to help organisations secure their digital assets via security solutions that combine the best of human and machine intelligence.”

Allurity CEO Frida Westerberg said: “I am delighted to welcome Aiuken to our growing group, consisting of best-in-class cybersecurity service providers in Europe. Aiuken is an important player in the south of Europe and several other countries in different parts of the world, enabling a true “follow the sun” model. Aiuken brings unique expertise, a scalable tech platform and high ambitions and we are committed to supporting them to reach their full potential. Together we have the common goal of fighting cybercrime and making the world a better place.”

This is the fourth company Allurity has acquired, following the purchases of Swedish companies Arctic Group, ID North and Pulsen IAM. Allurity will continue to add new companies to the group with the goal of improving data protection, reducing the significant cost of cyberattacks and contributing to improving talent and competence in the market.

This goal is fully aligned with the cybersecurity targets set by the EU, which is determined to support important business groups, as it seeks to build regional leaders and secure robust European competition.  

**About Aiuken Cybersecurity**

Aiuken Cybersecurity is a Spain-based international company that safeguards major corporations, telecommunications systems and critical infrastructure. The company offers a full suite of cutting-edge services: detecting, identifying and protecting against cybernetic threats, responding to incidents, and implementing and managing the very latest in 24/7 security technologies.

The company operates in seven countries – Spain, Morocco, Saudi Arabia, UAE, Chile, Côte d'Ivoire and Puerto Rico – and has over 300 clients and 120 employees.

https://www.aiuken.com/es

**About Allurity**

Allurity is a group of tech-enabled cybersecurity service providers, comprising best-in-class companies with a common purpose of enabling a safe digital world.

Allurity’s vision is to become the preferred partner of cybersecurity services in Europe. The group offers a full range of cybersecurity services, from proactive to reactive services and software, aimed at improving data protection and reducing the cost of cybercrime.

Allurity's growth strategy is backed by Trill Impact, a Swedish pioneering Impact House with the ambition to create powerful societal impact alongside competitive financial returns.

https://allurity.com/our-group-companies/

Allurity Acquires Spanish Multinational Aiuken Cybersecurity

Businesses need to turn privacy and security into an advantage. Store less data, and live up to customer expectations that their information is protected. Take small steps, be transparent about data management, and chose partners carefully.

Today, the mere threat of a breach can crush your business. The Twitter whistleblower saga shows that, after years of indifference, customers are sensitive to even rumors of data leaks. A few years ago, PR teams could paper over a small breach, and customers would accept it. A decade ago, massive data breaches made headlines, but customers stayed with the vendor because they believed that lightning couldn't strike twice.

Times have changed, though, so how can you protect yourself … and even turn privacy and security into an advantage? The companies that win will embrace small steps, transparency, and the right partners.

**Ex-Twitter Exec Blows the Whistle**

The Twitter whistleblower story will change how the news industry reports on security and privacy moving forward. Just as ransomware went mainstream with the Colonial Pipeline hack, security and privacy stories are going to become mainstream news. Even if your company isn't as high profile as Twitter, the floodgates have opened.

Furthermore, the Twitter story demonstrates that you don't need to be breached to make the news. Former Twitter security executive Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter's security and privacy policies and execution. While there have been well-known Twitter hacks, Zatko's most powerful criticisms are about Twitter's state of security. In his almost 200-page report to federal regulatory agencies and the Department of Justice, the most serious allegations are that Twitter provided regular employees access to central controls and sensitive information without adequate oversight.

**It Doesn't Matter If the Accusations Are True**

If a reporter asked, "Who has access to your data," could you answer? Would you want to answer? You will be convicted in the court of public opinion before you can defend your security posture. I have no inside information on the Twitter case, but it doesn't matter whether it's found to have egregious breaches of standard security protocols. There will be a large contingent that already assumes this information is true.

After so many high-profile breaches (Target, Adobe, Yahoo, and more), companies are considered guilty until proven innocent. Unfortunately, it's almost impossible to prove innocence since you cannot prove the absence of a breach. Furthermore, even if you could, by the time you could prove that you haven't been breached, the news machine already has moved on. You cannot react quickly enough to counteract the rumors.

**Why Are Customers So Sensitive to Privacy?**

Everybody knows that companies are gathering vast amounts of personal data. Clicking on the GDPR-inspired "Track my information" buttons may be a reflex, but we understand that we're always being tracked. Customers accept that their vendors will hold their personal data, but they expect the company to protect their information.

Unfortunately, cybercriminals are targeting personal customer information. Identity theft, spam, phishing, ransomware, and other attacks aren't just theoretical. Everybody knows somebody who's been affected.

With more data and more threats, every customer is sensitive to breaches. Corporate data breaches lead to fines, damaged reputations, and loss of customer trust. Companies are desperate to secure their data because it's the difference between survival and failure.

**How to Protect Yourself: Transparency**

The only way to survive is to be transparent about your data management. Most organizations are hesitant to talk about security and privacy because they know there is a chasm between what they are doing and what they should be doing, but everybody is in the same position. Therefore, whoever steps into the light will immediately take the lead.

When making yourself publicly accountable, you should:

1.  **Create a concrete, achievable plan.** Focus on the most business-critical data and risk areas. Make a short- and long-term plan, so your internal team and external customers will buy-in.
2.  **Set up regular public reviews.** Most organizations review their security and privacy posture with executives and the board of directors. Run that same review with the entire company so employees can participate and see that you care about the mission.
3.  **Get certified.** External auditors and certifications demonstrate that you're willing to hold yourself to a high standard and that you're not hiding anything. Nobody likes being audited, but it keeps you honest.

**Remember, You're Never Done**

Threats and expectations keep evolving, so you must keep ratcheting up your security plan, as well. Since most companies won't give you an unlimited budget, you'll need to plan for how to do more with less  

1.  **Offload work:** You don't need to do all the work on your own. The days of "Do it Yourself" security are past. If you can get a service to cover the basics, you can focus your team on business-specific security and privacy initiatives.
2.  **Use savings to fund initiatives:** Most teams look to push vendors for better discounts, not refresh assets, or overwork their team. Smart teams look for holistic savings. For example, advancements in security and privacy should reduce cyber-insurance premiums.
3.  **Store less data:** Most businesses want to store all their data, messages, and emails forever. Not only is this approach expensive, but it also creates nearly unbounded legal and privacy risks. You need to help your business teams understand the value of reducing retention periods.

**Start Today**

The best way to start protecting your company's reputation is with a single assignment. Pick one dataset — a business-critical application, your CRM system, or your backups. Figure out who has access to them. Create a plan to make them more secure. Then share that plan with your colleagues and hold yourself accountable.

Twitter's security issues are blanketing the news. When even a rumor can destroy your business, it's not the time to wait for consultants and focus groups. Now is the time to make your part of the world a little bit better, every day. Shine a light on how you protect your data, and your customers will trust you.

Twitter's Whistleblower Allegations Are a Cautionary Tale for All Businesses

Expansion of test coverage includes custom scan discovery, custom test scripts and custom test data for REST APIs, enabling developers to leave no paths untouched.

DENVER, Sept. 22, 2022 /PRNewswire/ — StackHawk, the company making application security testing part of software delivery, today announced its Deeper API Security Test Coverage release. This expands StackHawk's solution to help developers scan the entire API layer to uncover potential vulnerabilities. Today's application architectures require different approaches to security testing, and legacy security testing tools result in untested parts of the application, or require tedious manual testing and are too slow for most modern release schedules. With this release. StackHawk provides developers the ability to test APIs deeper and faster, so organizations can be confident every build they release is secure.

The API layer presents the highest level of security risk for software companies. Yet API discovery can be a challenge for many security teams. StackHawk's Deeper API Security Test Coverage release allows teams to leverage existing automated testing tools, such as Postman or Cypress, to guide discovery of the paths and endpoints, provide custom test data to be used during scans and cover proprietary use cases for security testing.

"Modern API and application security requires tooling that integrates into existing engineering workflows and provides thorough test coverage for today's application architectures," said Scott Gerlach, StackHawk co-founder and chief security officer. "With our recent release of Deeper API Security Test features, StackHawk continues to lead the market in depth and accuracy of real API security testing, all while remaining true to our developer-first security approach."

Engineering teams have sophisticated automated test suites in CI/CD to ensure that quality is maintained as they push software changes to production, and security testing should be no different. By integrating into existing testing workflows, StackHawk provides developers with security testing in a familiar way, shifting security left.

StackHawk's comprehensive scan functionalities have expanded to address several key issues, including:

*   Custom Test Data for REST APIs: The ability to use realistic required variables for paths, query, or request body, is something DAST tools historically have struggled with as the use of incorrectly formatted data can prevent the scan from reaching critical logic in the application.
*   Custom Scan Discovery: The ability to use test scripts and data from devtools such as Postman or Cypress for guiding the scanner, resulting in a more comprehensive, thorough test without the need for API docs.
*   Custom Test Scripts: The ability to test for specific use cases like business logic, privacy laws, and sensitive data requires custom scripts. This functionality also addresses the issue of tenancy checks, the top vulnerability in the OWASP Top 10, and testing for Broken Function Level Authorization, which are test cases not covered with the ZAP library.

Those interested in learning more about StackHawk's Deeper API Security Testing can see the functionality in action by registering here for the webinar at 10 AM PT on Wednesday, September 28.

**About StackHawk**

StackHawk is making application security testing part of software delivery. The StackHawk platform empowers engineers to easily find and fix application security bugs at any stage of software development. With a strong founding team that has deep experience in security and DevOps, and some of the best venture investors in the business, StackHawk is putting application security testing into the hands of engineers. Learn more and sign up for a free trial at www.stackhawk.com.

StackHawk Launches Deeper API Security Test Coverage to Improve the Security of APIs

SANTA CLARA, Calif., Sept. 22, 2022 /PRNewswire/ — Palo Alto Networks (NASDAQ: PANW), a Microsoft Azure private MEC ecosystem partner, today announced availability of VM-Series Virtual Next-Generation Firewall (NGFW) technology on the Azure Marketplace. Delivering end-to-end Zero Trust security at the enterprise edge, VM-Series virtual firewalls can now extend best-in-class NGFW capabilities to help protect Azure private MEC applications, providing centralized defense against cyberattacks.

Azure private MEC combines network functions, applications and edge-optimized Azure services managed from the cloud to deliver high-performance, ultra-low-latency 4G/5G private wireless solutions that address the modern business needs of enterprise customers.

"Our long-standing partner solutions with Azure and our VM-Series virtual firewalls have been protecting customer cloud environments for years," said Prem Iyer, vice president, Ecosystems GSI and CSP, Palo Alto Networks. "The new VM-Series 5G capabilities enable enterprises to secure mission-critical applications in industry verticals like manufacturing, healthcare, utilities and public sector, all of which demand the latest in private wireless network technology."

Mobile 5G networks with multi-access edge compute combine AI and cloud technologies to transform enterprises and industries. Customers choose this next-generation mobile technology for its security and reliability, but increasingly sophisticated networks must be safeguarded against a complex and escalating "threatscape." Palo Alto Networks 5G-Native Security on the VM-Series brings advanced Layer 7 security capabilities to help detect and block known exploits, malware, malicious URLs, spyware, and command and control (C2) to 5G-powered edge computing use cases. The VM-Series Next-Generation Firewall enables enterprises to achieve comprehensive security for end-user application traffic that traverses the Azure Private 5G Core, securing edge infrastructure and helping detect and mitigate malicious activity within the user traffic.

Key benefits of the solution include:

*   Faster time to market with a fully tested and validated solution.
*   Simpler deployment at scale from the Azure marketplace, facilitating a rapid rollout of NGFWs.
*   Predefined configuration templates for comprehensive zero-day security.

The Panorama management solution, integrated with Azure, allows for common management of VM-Series virtual firewalls deployed across all cloud and edge environments from a single console and provides centralized visibility and actionable insights into network traffic, logs and threats.

"We're pleased to add Palo Alto Networks 5G security products to Azure Marketplace and our Azure private MEC ecosystem," said Shriraj Gaglani, general manager, Azure for Operators. "This adds an important option for customers when architecting critical end-to-end security frameworks that underpin Industry 4.0 use-cases built on our Azure private MEC solution."

For more information about Microsoft Azure and Palo Alto Networks.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Palo Alto Networks 5G-Native Security Now Available on Microsoft Azure Private Multi-Access Edge Compute

The decentralized finance (DeFi) platform was the victim of an exploit for a partner's vulnerable code — highlighting a challenging cybersecurity environment in the sector.

London-based cryptocurrency-trading platform Wintermute saw cyberattackers take off with $160 million this week, likely due to a security vulnerability found in a partner's code. The incident showcases deep concerns around implementing security for this finance sector, researchers say.

Wintermute founder and CEO Evgeny Gaevoy took to Twitter to say that the heist was aimed at the company's decentralized finance (DeFi) arm, and that while the incident might disrupt some operations "for a few days," the company is not existentially impacted.

"We are solvent with twice over that amount in equity left," he tweeted. "If you have a \[money-management\] agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after."

He also said that about 90 assets were hit, and appealed to the culprit: "We are (still) open to treat this as a white hat \[incident\], so if you are the attacker — get in touch."

Meanwhile, he explained to Forbes that the "white hat" comment means that Wintermute is offering a $16 million "bug bounty," if the cyberattacker returns the remaining $144 million.

**Filled With Profanity**

He also told the outlet that the theft likely traces back to a bug in a service called Profanity, which allows users to assign a handle to their cryptocurrency accounts (normally account names are made up of long, gibberish strings of letters and numbers). The vulnerability, disclosed last week, allows attackers to uncover keys used to encrypt and pry open Ethereum wallets generated with Profanity.

Wintermute was using 10 Profanity-generated accounts to make rapid trades as part of its DeFi business, according to Forbes. DeFi networks connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions. When news of the bug broke, the crypto-firm tried to take the accounts offline, but due to “human error,” one of the 10 accounts remained vulnerable and allowed the attackers into the system, Gaevoy said.

"Some of these \[DeFi\] technologies also involve third-party integrations and connections where the company may not have the ability to control the source code, leading to additional risk for the company," Karl Steinkamp, director at Coalfire, tells Dark Reading. "In this instance, a vanity digital asset address provider, Profanity, was leveraged in the attack ... An expensive and preventable mistake for Wintermute."

**DeFi Exchanges Will Grow as a Target**

Analysts with Bishop Fox earlier this year found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the difficulty in locking down the sector, which relies on automated transactions.

And, just last month, the FBI issued a warning that cybercriminals are increasingly exploiting vulnerabilities in DeFi platforms to steal cryptocurrency, to the tune of $1.3 billion nabbed between January and March 2022 alone.

Researchers note that enhanced adoption and price appreciation of digital assets has and will continue to attract the attention of malicious individuals — as will the lax state of security in the DeFi area.

"Many of these companies are growing at such a rapid pace, customer acquisition is their primary focus," Mike Puterbaugh, CMO at Pathlock, says. "If internal security and access controls are secondary to 'grow at all costs,' there will be gaps in application security that will be exploited."

The obstacles in shoring up DeFi security are numerous; Wintermute's chief noted that finding appropriate tools is difficult.

"You need to sign transactions on the fly, within seconds," Gaevoy told Forbes, adding that Wintermute had to create its own security protocols since tools are lacking. He also admitted that Profanity didn't offer multifactor authentication, but the company decided to use the service anyway. "Ultimately, that's the risk we took. It was calculated," he added.

Steinkamp notes, "Depending on the architecture of the DeFi platform, there may be a multiple of challenges in securing them. These may range from risk from third parties, to crypto-bridge bugs, human error, and the lack of secure software development, to name just a few."

And Puterbaugh points out that even with out-of-the-box controls and configurations enabled, customizations and integrations could create weaknesses in overall security.

**Best Practices for Shoring Up DeFi Security**

Despite the challenges, there are nonetheless best-practice approaches that DeFi platforms should be implementing.

For instance, Puterbaugh advocates implementing access controls with each new app deployment, along with continuous checks for access conflicts or application vulnerabilities, as key, especially when dealing with easily portable digital currency.

Also, "companies within the DeFi space need to routinely be doing internal and external testing of their platforms to continually ensure they are mitigating threats proactively," according to Steinkamp. He adds that companies should also implement additional enhanced security measures as a part of transactional security, including multifactor authentication and alert triggers on suspicious and/or malicious transactions.

Every layer helps, he adds. "Which would you rather try to gain access to: a house with the door open or a castle with a moat and draw bridge?" he says. "DeFi companies will continue to be prime targets by cyber-thieves until they implement adequate security and process controls to make attacking their platforms less attractive."

Wintermute DeFi Platform Offers Hacker a Cut in $160M Crypto-Heist

SecurityScorecard's ROI Calculator helps organizations quantify cyber-risk to understand the financial impact of a cyberattack.

Security practitioners have to figure out how to accomplish their security goals with the budgets they have. They also must show that their security programs are effective at protecting their organizations. They need to be able to justify the cybersecurity products and tools they have purchased and articulate the return on investment (ROI).

Now there's a tool for that. SecurityScorecard released a content and ROI calculator to help security practitioners figure out high-level estimates to illustrate the organization's overall security posture.

"At a time of economic uncertainty, strengthening cybersecurity postures must be a priority, as bad actors take advantage of volatility," says Cindy Zhou, chief marketing officer at SecurityScorecard. "Organizations must be able to know and articulate if the cybersecurity products and tools they have purchased provide a sound ROI."

Security teams should consider a wide variety of risk factors when considering what to buy for their security programs, Zhou says. The list includes network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, social engineering, and knowing their digital supply chain.

**Calculating Risk to Justify Spend**

Quantifying cyber-risk in financial terms allows organizations to understand the financial impact of a cyberattack, gain insight into the risks their vendors pose, and quantify the reduction in expected losses if issues are resolved. For example, a cybersecurity product may cost $200,000; however, it may defend against a $5 million data breach, thus saving the organization considerable funds in the long run.

"CISOs must be able to quantify their business' cyber-risk to justify the spend on their cybertech stack," Zhou says.

Another key factor is the ability to procure cyber-risk insurance and the associated premiums.

"Many insurers use SecurityScorecard to assess if a company is eligible for a policy," she says. "CISOs and CFOs need to demonstrate their security posture just to be considered for a policy."

The interactive calculator is based on data collected for Forrester Consulting's Total Economic Impact of SecurityScorecard. Forrester Consulting constructed a financial model using a Total Economic Impact formula.

As part of the study, the consultants quantified the effects of having SecurityScorecard in the enterprise, including increased efficiency in risk management, technology efficiencies and consolidation, and improved security posture. This approach not only measures costs and cost reduction within an organization, but it also weighs the enabling value of a technology in increasing the effectiveness of overall business processes.

The ROI calculator expands SecurityScorecard's Cyber Risk Quantification (CRQ) capabilities, which are designed to help customers understand cyber-risk in financial terms as part of holistic business risk analysis.

**Getting Executive Buy-In**

The C-suite and the board are used to focusing on the organization's financial performance, so the CISO needs to be able to quantify cyber-risk in financial terms, says John Hellickson, field CISO at Coalfire. This way, the CISO can also justify and prioritize cyber investments.

This lets all parties make informed decisions about the financial impact and business outcomes of such investments.

"Justifying and accounting for the people, process, and technologies already in place ensures that current mitigating controls are considered in the overall risk calculations," Hellickson says.

From Hellickson's perspective, validating the comprehensiveness of the cybersecurity strategy, knowing the maturity and risk level of current investments, and estimating how future investments will improve that maturity and effectively manage that risk is key to gaining executive trust and support.

"Focusing spend on the assurance of not being breached just about went by the wayside when fear, uncertainty, and doubt tactics stopped working nearly a decade ago when year after year security investments continued to rise," he adds.

Building a cyber program strategy that demonstrates positive business outcomes goes much further in the CISO's ability to influence other executives.

For years, organizations have increased spend, especially application security spend, and they've still failed to achieve the kind of coverage of their application portfolio they desire, says John Steven, CTO of ThreatModeler.

"When organizations see this spend as unsustainable, let alone the requested rate of growth, security executives must demonstrate they're not only getting stuff done, but getting more done for less than peer CISOs, or those that have come before them," he says.

As common as breaches are across the industry, they are probably rare within a single organization, so "time since breach" should be a fairly sleepy indicator of activity and result, Steven adds.

"Focusing on delivery enablement or customer friction can be significantly more impactful," he says.

Quantify Risk, Calculate ROI

The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents.

A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls.

In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.

"In the case that Cofense found, attackers used a trusted domain like LinkedIn to get past secure email gateways," says Monnia Deng, director of product marketing at Bolster. "That legitimate link from LinkedIn then redirected the user to a phishing site, where they went to great lengths to make it seem legitimate, such as adding a fake SMS text message authentication."

The email also asks the recipient to pay a believably small amount of money for a package that is apparently pending shipment to them. Users tricked into clicking on the link arrive at a page designed to appear like one the postal service uses to collect online payments. But instead of merely paying for the supposed package shipment, users end up giving away their entire payment card details to the phishing operators as well.

**Not the First Tine Smart Links Feature Has Been Abused**

The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far.

LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender want them to see. The feature allows users to use a single LinkedIn URL to point users to multiple marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might viewed the content, how they might have interacted with it, and other details.

It also gives attackers a convenient — and very credible — way to redirect users to malicious sites. 

"It's relatively easy to create Smart Links," Haas says. "The main barrier to entry is that it requires a Premium LinkedIn account," he notes." A threat actor would need to purchase the service or gain access to a legitimate user's account. But besides that, it's relatively easy for threat actors to use these links to send users to malicious sites, he says. "We have seen other phishing threat actors abuse LinkedIn Smart Links, but as of today, it's uncommon to see it reaching inboxes."

**Leveraging Legitimate Services**

The growing use by attackers of legitimate software-as-a-service and cloud offerings such LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it, is one reason why phishing remains one of the primary initial access vectors.

Just last week, Uber experienced a catastrophic breach of its internal systems after an attacker social engineered an employee's credentials and used them to access the company's VPN. In that instance, the attacker — who Uber identified as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company's IT department.

It's significant that attackers are leveraging social media platforms as a proxy for their fake phishing websites. Also troubling is the fact that phishing campaigns have evolved significantly to not only be more creative but also more accessible to people who can’t write code, Deng adds.

"Phishing occurs anywhere you can send or receive a link," adds Patrick Harr, CEO at SlashNext. Hackers are wisely using techniques that avoid the most protected channels, like corporate email. Instead, they are opting to use social media apps and personal emails as a backdoor into the enterprise. "Phishing scams continue to be a serious problem for organizations, and they are moving to SMS, collaboration tools, and social," Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging becomes a bigger problem.

Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards

At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.

While NSO Group's Pegasus spyware is perhaps the highest-profile surveillance weapon used by repressive governments against civil society, a recently discovered, powerful mobile reconnaissance malware dubbed Hermit has come to light, being touted by an Italian developer as a "lawful intercept" tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit's surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

**Hermit: Hiding Out 1 Tier Below Pegasus**

The researchers will kick off their Oct. 5 session, entitled "A Hermit Out of Its Shell," with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

"There's a varied market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything," Hebeisen tells Dark Reading. "But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target's device. That's where Hermit plays."

In terms of its capabilities, he adds that Hermit packs an info-vacuuming punch. In addition to "standard" spyware fare like tracking users' locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.

"This is a very sophisticated surveillance tool," Hebeisen says. "It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody."

He adds that under the hood, the malware is designed to be agile and flexible.

"Hermit is built in a very enterprise way in that it's modular," Hebeisen explains. "So we suspect that that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules."

From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: "Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls already in place, it's still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets," Hebeisen says.

**Nation-State Spyware: A Growing Threat**

It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.

Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called "lawful intercept" market, indicating ongoing demand. When one is struck down, "there are plenty of other companies standing in the wings just waiting to take over," he says.

The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.

"As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much easier to get around that when you're dealing with surveillance tools, which are essentially just a different set of weapons in the fight," Hebeisen explains.

Source

DARKReading