The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

Users must continually be made aware of new threats, including attacks targeting shipping, the supply chain, email, and hybrid workers.

Digital transformation has accelerated during the past couple years, and so, too, have security threats. With more employees working remotely, more customers buying through mobile and social channels, and more retailers expanding their supply chains to keep inventory in stock, criminals have more ways than ever to go after e-commerce businesses.

Meanwhile, security awareness training may not be keeping up. It's a good time to review your organization's awareness program and adjust reflect the current threat landscape. Here's how retailers can update their awareness training and practices to match their digital transformation progress.

**A Dramatic Increase in Shipping Fraud**

While most retailers understandably focus on fraud at the payment stage of the customer journey, shipping fraud should also be considered. In fact, shipping fraud is the fastest-growing type of fraud worldwide, according to TransUnion's "2022 Global Digital Fraud Trends" report. Shipping fraud grew by 780% from 2020 to 2021, and by 1,541% from 2019 through 2021, according to the report. Shipping fraud can lead to chargebacks, inventory losses, and brand damage just as card-not-present (CNP) and account takeover (ATO) fraud do.

"Shipping fraud" is an umbrella term that covers several tactics that criminals use to exploit the e-commerce shipping process. Different approaches can target different areas of your business, so it's important to expand shipping fraud awareness across your organization rather than solely training your fraud team on this threat.

For example, your customer service and fulfillment teams should be aware of how package rerouting scams operate. Fraudsters place orders with stolen payment data or hijacked customer accounts and use the victim's real delivery address so the order doesn't get flagged as suspicious. After the order is approved, fraudsters contact customer service and request a delivery address change, claiming they made a mistake.

While honoring such a request may seem like good customer service, it could be exposing your company to fraud. One solution that can satisfy legitimate customer requests while avoiding fraud is to cancel the original transaction and run it again with the updated delivery address. If it's approved, customers get their purchases directed to the right address. If it's not, your company has avoided a case of shipping fraud.

**Expanding Supply Chains, More Email Attack Risk**

Other security risks aren't necessarily coming in through your website or shopping app, but they can imperil your brand, your business operations, and your customers. A prime example is email phishing attacks, which increased against e-commerce businesses by 53.9% from 2019 through 2021, according to the TransUnion report.

One reason for the current email phishing surge is the rapid expansion of supply chains since the start of the pandemic, as retailers made new connections to avoid running out of stock and disruptions. Another is the increasing reliance on email for customer interactions since early 2020: Online interactions now make up 61% of all customer engagements with companies, according to Salesforce's "State of the Connected Customer" report. The addition of more contacts to the email ecosystem and the higher volume of email traffic provides criminals with more opportunities to launch email attacks.

A subset of business email compromise (BEC) is vendor email compromise, and it's a growing problem. In a vendor email compromise scheme, attackers impersonate trusted third parties such as suppliers and vendors to trick employees into paying fraudulent invoices, entering login credentials, or sharing proprietary data. According to a report from email security firm Abnormal, more than half of all BEC attacks now impersonate third parties. As a result, all employees need to be aware that when emails from trusted senders, including suppliers and vendors, contain requests that seem unusual, they should flag those messages for the security team to review before responding.

**Attackers Exploit Remote and Hybrid Workforce Trends**

Ransomware and other forms of malware are a perennial problem for retailers, especially malware that steals customer payment data. Verizon's "2022 Data Breach Investigations Report" found that the retail industry suffered seven times as many instances of "capture app data" malware than other industry. These Magecart-style attacks can silently scrape data as it's entered, going undetected until fraud complaints start coming in. To prevent them, everyone who works with your website needs to be aware of the potential for this type of malware and the processes for scanning, removal, and remediation.

Another growing opportunity for malware attackers is retailers' shift to remote or hybrid workforces. As employees log in remotely more often — and more often from personal rather than company devices — fraudsters have seized the opportunity to create realistic-looking login request emails that can appear to come from your company's cloud services, such as Google Drive or Microsoft SharePoint. All employees and executives need to be aware of the risk that unexpected or slightly unusual login request messages can pose. Like unusual vendor messages, these should be reported to the security team for review before replying.

These trends illustrate why it's important for security awareness to be a process rather than a one-time discussion. This year, your people need to be aware of shipping fraud, vendor email compromise, and credential phishing attacks posing as company resource providers. Next year, it will likely be something else. By having regular discussions about these security issues and encouraging a data-safety mindset, you can reduce the risk of today's threats and create a culture of security that benefits your company over the long term.

Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats

Multiclient research report shows organizations are significantly increasing efforts to secure their supply chains in response to software supply chain attacks.

In August 2022, the Enterprise Strategy Group (ESG) released "Walking the Line: GitOps and Shift Left Security," a multiclient developer security research report examining the current state of application security. The report's key finding is the prevalence of software supply chain risks in cloud-native applications. Jason Schmitt, general manager of the Synopsys Software Integrity Group, echoed this, stating, "As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative."

**_The report shows that organizations are realizing the supply chain is more than just dependencies. It's development tools/pipelines, repos, APIs, infrastructure-as-code (IaC), containers, cloud configurations, and more._**

Although open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. In fact, 73% of organizations reported that they have "significantly increased" their software supply chain security efforts in response to recent supply chain attacks.

Respondents to the report's survey cited the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization's attack surface inventory (30%) as key security initiatives they are pursuing in response to supply chain attacks.

Forty-five percent of respondents cited APIs as the area most susceptible to attack in their organization today. Data storage repositories were considered most at risk by 42%, and application container images were identified as most susceptible by 34%.  

**_The report shows that a lack of open source management is threatening SBOM compilation_**.

The survey found that 99% of organizations either use or plan to use open source software within the next 12 months. While respondents have many concerns regarding the maintenance, security, and trustworthiness of these open source projects, their most-cited concern relates to the scale at which open source is being leveraged within application development. Ninety-one percent of organizations using open source believe their organization's code is — or will be — composed of up to 75% open source. Fifty-four percent of respondents cited "having a high percentage of application code that is open source" as concern or challenge with open source software.

Synopsys studies have likewise found a correlation between the scale of open source software (OSS) usage and the presence of related risk. As the scale of OSS usage increases, its presence in applications will naturally increase as well. Pressure to improve software supply chain risk management has placed a spotlight on software bill of materials (SBOM) compilation. But with exploding OSS usage and lackluster OSS management, SBOM compilation becomes a complex task — and 39% of survey respondents in the ESG study marked as a challenge of using OSS.

**_OSS risk management is a priority, but organizations lack a clear delineation of responsibilities._**

The survey points toward the reality that while the focus on open source patching following recent events (such as the Log4Shell and Spring4Shell vulnerabilities) has resulted in a significant increase in OSS risk mitigation activities (the 73% we mentioned above), the party responsible for these mitigation efforts remains unclear.

A clear majority of DevOps teams view OSS management as part of the developer role, whereas most IT teams view it as a security team responsibility. This may well explain why organizations have long struggled to properly patch OSS. The survey found that IT teams are more concerned than security teams (48% vs. 34%) about the source of OSS code, which is a reflection on the role IT has in properly maintaining OSS vulnerability patches. Muddying the waters even further, IT and DevOps respondents (at 49% and 40%) view the identification of vulnerabilities before deployment as the security team's responsibility.

**_Developer enablement is growing, but lack of security expertise is problematic._**

"Shifting left" has been a key driver of pushing security responsibilities to the developer. This shift has not been without challenges; although 68% of respondents named developer enablement as a high priority in their organization, only 34% of security respondents actually felt confident with Development teams taking on responsibility for security testing.

Concerns like overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight into security efforts seem to be the biggest obstacles to developer-led AppSec efforts. A majority of security and AppDev/DevOps respondents (at 65% and 60%) have policies in place allowing developers to test and fix their code without interaction with security teams, and 63% of IT respondents said their organization has policies requiring developers to involve security teams.

**About the Author**

    

Mike McGuire is a senior solutions manager at Synopsys where he is focused on open source and software supply chain risk management. After beginning his career as a software engineer, Mike transitioned into product and market strategy roles, as he enjoys interfacing with the buyers and users of the products he works on. Leveraging several years of experience in the software industry, Mike's main objective is connecting the market's complex AppSec problems with Synopsys' solutions for building secure software.

Report Highlights Prevalence of Software Supply Chain Risks

Security Pro File: The DevOps evangelist and angel investor shares his expertise with the next generation of startups. If you're lucky, maybe he'll even share his Lagavulin.

It was only a few years ago, around 2016 or '17, that Zane Lackey had a conversation that encapsulated the challenge of his life. Then a founding adviser at Signal Sciences, he was meeting with the CISO and CIO of a certain Fortune 500 client (he won't say which). 

He met with the CISO first. Lackey suggested a cloud migration, but the man refused to budge. "I'm not allowing any of that," Lackey remembers him saying. "It's all insecure."

Lackey's second meeting of the day was with the CIO, who informed him that cloud migration was "our No. 1 priority." Lackey must have given the man a strange look because he laughed. "I see you've been talking to the CISO," the CIO said. "We just don't invite him to meetings anymore."

Lackey, former CISO and general partner at Andreessen Horowitz (a16z) since March, is one of the foremost champions of DevOps, the integration of a company's code-writing and code-deploying teams. "The teams have different priorities," he tells Dark Reading, "but they form a Venn diagram. Solutions have to help everybody, in security and everything else."

The greatest obstacle to the kind of architectures Lackey lives for has nothing to do with code or obsolete firewalls: It's the culture of siloed security and operations teams, ignoring each other's processes, or, like the Fortune 500 officers that day, actively subverting each other.

In his words, "Technology is the easy bit. Culture is the hard bit."

**The Early Years**

The ancient feuds and impenetrable silos of digital business teams must be a particular headache to someone like Lackey, who never outgrew his boyhood joy in attacking tech problems. Lackey grew up in Murphys, Calif., a tiny village without much in the way of mental stimulation. Lackey discovered PCs in his early teens and began saving money for a new hard drive to learn Linux. It was hard, lonely work, and he loved it. It took him months to figure out the PPP settings to connect to his local ISP. But once he was on, it took only five minutes for someone to hack him and shut him down.

"It was a moment that changed my life," he says, "in an extraordinarily positive way." 

Security infrastructure became Lackey's obsession. He began spending nights playing virtual "capture the flag" with his friends, devouring Red Hat, Windows, and every systems manual he could find. The passion for infrastructure and offense-defense security took Lackey to UC Davis, that improbable cradle of geniuses, where he worked as an intern in the computer security lab (a rarity in the early 2000s, even at big universities). 

At one point he had to develop a honeytrap, and so he created an entire, fake departmental website to lure in hackers. A group of South American teenagers took the bait and installed their own Counter Strike server. He describes the event today as if it were a rugby match: all give and take, high pressure and clever footwork.

His first job out of Davis came from a 2005 Craigslist ad: A Bay Area startup called iSEC Partners was looking for its first employee. Lackey started immediately, working as a general consultant under the direction of Alex Stamos. His work involved a lot of app, wireless, and network pen testing and assessment.

Then in 2010 the NCC Group bought iSEC Partners, and Lackey went to New York to start an East Coast branch. It was there, around 2011, that Lackey began exploring the tools and tactics that would come to be known as DevOps. Companies were growing faster than their linear waterfall deployments could handle. Cloud storage and bespoke, integrated tool chains had only just bridged the gap of concept and code.

But Lackey was on the case, especially after Etsy took on the 26-year-old, briefly as a consultant and then as CISO. It wasn't exactly a gamble on the company's part, at least as Lackey tells it; his credentials spoke for themselves. Etsy gave Lackey his first real taste of the colossal volume of modern, international security upkeep. At iSEC, Lackey had deployed a pen test once every 18 months. At Etsy, he was expected to deploy 30 times _per day_.

"This was security," he says, "but for a different world." (Etsy was ahead of the pack — at the time, Google and Facebook were deploying once a week.)

That different world brought its own new tools, not only at Etsy but at its mirror company on the West Coast, Netflix, where another iSEC veteran, Jason Chan, was now CISO. Like Chan, Lackey saw that reliance on thousands of discrete Web application firewalls (WAFs) could never keep pace with the modern volume of threats. The cloud transition was part of the solution, as was a more nuanced zero-trust strategy than was common, then or now. 

But what companies like Etsy needed was a new architecture altogether, where each individual application fits into a companywide, vertically integrated security system like teeth in a zipper, accessible through one "single pane of glass" console. The console would have to be completely visible across teams, never "someone else's job" (in or out of the company), and, most importantly, scalable. That's where DevOps came in.

Businesses grow at different speeds; the point of DevOps is to keep their security operations moving at exactly the speed they need. Lackey says that scale is the foremost problem facing every security team, and that "if you have to be a security expert to use a security tool, \[the tool\] doesn't scale."

**Changing Up His Game**

In 2014, Lackey left Etsy with two of his colleagues to form Signal Sciences, a venture-backed Web app and API security startup. Signal Sciences blew up (in a good way): At the peak of Lackey's tenure as board member and CSO, the company had 150 employees, $28 million in annual recurring revenue, and outlets like Forbes and Gartner piled on accolades.

Lackey then found himself on the other side of the table, advising the Fortune 500 companies and, increasingly, investing in new firms. "I enjoy adapting," he says, with the same relish that comes through in his tales of early 2000s hacking games.

"Security was one of the largest speed bumps to early DevOps adoption," Lackey says. As CISO at Etsy, an early DevOps adopter, he learned how to institute DevOps through firsthand experience. He co-authored a book on the topic, called _Building a Modern Security Program_, and found he enjoyed sharing the lessons he learned with other enterprises going through the shift.

Angel investing seems to unite Lackey's two professional passions: the steady march of DevOps as a discipline and the love of frustrating, high-stakes, high-risk play. It's also a union of right-brain tech and left-brain leadership skills, which seems to come naturally to Lackey. Last year he explained to Cloud Security podcast that as all roles merge, founders have to keep their goals in mind or risk failing. "You're building a company," he told them, "not a tech project" — remarkable advice from an infrastructure specialist.

Fastly bought Signal Sciences in 2020. Lackey consulted independently for two years before accepting the partner role at a16z. He likes the work, particularly his interactions with founders — "I enjoy being their first call," he says — and says the new solutions he's seeing are extraordinary. He won't say what those solutions are, for confidentiality's sake; presumably they include updated zero-trust protocols for the 2020s. But he's happy to see the discipline he helped shape, DevOps, take on a life of its own. 

"This is a generational change in software development and delivery," he says. "I'm excited for the future."

**PERSONALITY BYTES**

**What professional achievement are you most proud of?** "It's not an achievement, but I'm very proud of all the teams I've been able to be a part of, and the work we've done."

**What one technology or solution has made the greatest impact on your work?** "Again, it's not a technology, but I'd say velocity — the increase in velocity. The shift from the waterfall-approach era to the DevOps era has been about rapid movement, rapid iteration. I mean, think of how long it took to found a company in the '90s, compared to the early 2000s, compared to now."

**What's one thing your colleagues would never guess about you?** "I was born in a fishing village in Alaska. Talk about low tech! My parents went to Alaska in the '70s to work as commercial fishermen. After they had me, they moved to Murphys."

**Any hobbies?** "Travel — I've been to every continent except Antarctica, but that's next. I ski and snowboard."

**Finally, we understand you're a scotch drinker. Islay, Speyside, Highland?** "I love all whiskeys: bourbon, scotch, Japanese. I tend to like peatier scotches, though — your basic Lagavulin 16, for example. One glass is usually enough."

Zane Lackey: 'Technology Is the Easy Bit'

A new group, Monti, appears to have used leaked Conti code, TTPs, and infrastructure approaches to launch its own ransomware campaign.

Analysts have discovered a ransomware campaign from a new group called "Monti," which relies almost entirely on leaked Conti code to launch attacks.

The Monti group emerged with a round of ransomware attacks over the Independence Day weekend, and was able to successfully exploit the Log4Shell vulnerability to encrypt 20 BlackBerry user hosts and 20 servers, BlackBerry's Research and Intelligence Team reported.

After further analysis, researchers discovered that the indicators of compromise (IoCs) for the new ransomware attacks were the same as in previous Conti ransomware attacks, with one twist: Monti incorporates the Acrion 1 Remote Monitoring and Maintenance (RMM) Agent.

But rather than being Conti reborn, the researchers said they believe Monti lifted Conti's infrastructure when it was leaked last spring, during February and March.

"As additional ransomware-as-a-service (RaaS) solution builders and source code become leaked, either publicly or privately, we could continue to see these doppelganger-like ransomware groups proliferate," the BlackBerry team added. "General familiarity with the TTPs \[tactics, techniques and procedures) of known groups can help us identify any unique traits of these lookalike crews."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Monti, the New Conti: Ransomware Gang Uses Recycled Code

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

The Treasury Department links the MuddyWater APT and APT39 to Iran's intelligence apparatus, which is now blocked from doing business with US entities.

The feds have moved to sanction the Iranian government for its cybercrime activities, which they allege have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

US Department of the Treasury's Office of Foreign Assets Control (OFAC) is specifically designating Iran's Ministry of Intelligence and Security (MOIS) for "engaging in cyber-enabled activities against the United States and its allies," since at least 2007.

The sanctions mean that US citizens and visitors to the US are prohibited from doing business or carrying out any transactions involving funds, goods, or services with the designated entities or their proxies.

**Albanian Cyberattack Sparks US Action**

The Treasury Department cited a recent cyberattack in July that disrupted the Albanian government as emblematic of Iran's tactics; that incident resulted in the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents.

"Iran's cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public," Brian Nelson, undersecretary of the treasury for terrorism and financial intelligence, said in a statement on Friday. "We will not tolerate Iran’s increasingly aggressive cyber-activities targeting the United States or our allies and partners."

John Hultquist, vice president at Mandiant Intelligence, notes that Iran has a history of targeting the MeK, the group at the center of the Albanian incident. "These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain," he says. "Those operations were a template for the Albania attack."

**Calling Out MuddyWater & APT34**

The sanctions also extend to Minister of Intelligence Esmail Khatib, who the Treasury Department said is responsible for directing APT groups from within MOIS. The Friday announcement specifically mentions his weapon as including the MuddyWater APT (aka OilRig or APT34, specializing in espionage on rival governments) and APT39 (aka Chafer, which the US says supports Iran's human rights abuses).

“MOIS carries out cyber-espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service, the IRGC," says Hultquist, who notes that Mandiant has previously linked both APTs to Tehran. "They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable personally identifiable information (PII)."

US Sanctions Iran Over APT Cyberattack Activity

Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."

**Identity-Related Breaches on the Rise**

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's "2022 Trends in Securing Digital Identities" report.

Turning off basic forms of authentication is a simple way to block attackers, which are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."

The benefits of shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's "2022 Trends in Securing Digital Identities" report.

**Edging Toward Zero-Trust Architectures**

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.

"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or \[that\] haven’t yet embraced zero trust, leaving them exposed," researchers there wrote.

**Obstacles to Secure Identities Remain**

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.

Companies "sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."

Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.  

"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Microsoft, Cloud Providers Move to Ban Basic Authentication

A sweeping effort to prevent a raft of targeted cybercrime groups from posting ransomware victims'  data publicly is hampering their operations, causing outages.

The ransomware-as-a-service (RaaS) groups LockBit and ALPHV (aka BlackCat), among others, have been the focus of distributed denial-of-service (DDoS) attacks targeting their data leak sites, causing downtime and outages.

The attacks have been monitored by Cisco Talos since Aug. 20 and include a wide range of other RaaS groups, including Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz.

Forum posts by the LockBit gang's technical support arm, "LockBitSupp," indicate that the attacks have had a significant impact on the group's activities, with nearly 1,000 servers targeting the leak site with close to 400 requests per second, researchers said.

"Many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites," a Talos blog post explained this week.

The groups have responded in different ways, with some sites simply redirecting web traffic elsewhere, as in the case of the Quantum group, while others have beefed up DDoS protections.

"Given that this activity is continuing to interrupt and hinder the ability for these affiliates and operators to post new victim information publicly, we will likely continue to see various groups respond differently, depending on the resources available to them," the blog post authors noted.

**Shutdowns Offer Respite to Targeted Groups**

Aubrey Perin, lead threat intelligence analyst at Qualys, says in the case of a DDoS attack on RaaS leak sites, victims of criminal hacking gang activity would clearly benefit. Perin notes that the report showcases how effective these attacks are at halting ransomware operations, with outages allowing defenders precious time to investigate.

"If the leak sites are shut down, the victim's infrastructure cannot be announced," Perin says. "The purpose of these types of attacks is to interrupt the gangs' activities," adding that if gangs cannot list victim information, then extortion tactics become far more difficult, and in some cases benign.

However, Perin adds today's bad actors are growing increasingly sophisticated and learning from mistakes on the fly, so they may find workarounds rather quickly.

"More mature gangs have exemplified their agility to quickly re-organize and launch more sophisticated countermeasures for DDoS attacks," Perin explains. Where initial ransomware authors used "spray-and-pray" methods, Perin points out that today's bad actors carry out ransomware attacks as professional operations, with each applying their own "special sauce."

"Organizations each have their own strategies and protocols they follow, and RaaS is no different. Each gang finds what works best, develops strategy, and executes," Perin says. "Each gang's operations are unique to that of other gangs."

Thus, Perin says, without a deeper understanding of a specific gangs' operating schedule and strategy, it is next to impossible to know the real impact to their operations.

"That being said, these attacks certainly have the power to tarnish their reputations," Perin notes.

**Rival Extortion Groups, Government Agencies Could Benefit**

When it comes to who's behind the DDoS efforts, Rick Holland, CISO and vice president of strategy at Digital Shadows, says rival extortion crews and government agencies are two possible beneficiaries of attacks against data leak sites.

"There is no honor among thieves, and there is a history of groups targeting each other," he says. "On the government side, US Cyber Command commander General \[Paul\] Nakasone admitted to targeting ransomware groups last year, so it would be reasonable to assume that the US government has continued efforts to disrupt the adversaries."

Holland says extortionists need to think about their site's resilience, just like legitimate businesses.

"There are other ways for ransomware victims to interact with the actors," he explains. "RaaS representatives are available on forums, and victim negotiations can still be taken offline through various messaging applications."

Andrew Hay, COO at LARES Consulting, adds that the targeted gangs are likely actively combatting the issue.

"We'll likely see the threat groups relocate their servers and services to a more distributed infrastructure to maintain availability, just like any organization would to stay operational," he says.

From Hay's perspective, the report suggests that attacks directed at RaaS data leak sites are likely not going to fade away anytime soon, which could lead to a sort of underground competition for affiliates.

"You don't need to be the best, you just have to be better — or more available — than the other guy," he says.

LockBit, ALPHV & Other Ransomware Gang Leak Sites Hit by DDoS Attacks

More docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

Evidence indicates that the world's ports are returning to pre-pandemic levels. During the first 11 months of 2021, the value of US international freight increased by more than 22% (PDF) compared with the same 11 months in 2020. More freight means more ships docking at port. And not only are more ships docking, but their dwell times are increasing as well. The average container vessel dwell time at the top 25 US container ports was estimated at 28.1 hours in 2020. In the first half of 2021, average container vessel dwell times increased to 31.5 hours.

While this increase in activity is undoubtedly welcome, more docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

**The Cyber-Risk to Ships**

The maritime industry is especially vulnerable to cyber incidents. There are multiple stakeholders involved in the operation and chartering of a ship, which often results in a lack of accountability for the IT and OT system infrastructure and the ship's networks. The systems may rely on outdated operating systems that are no longer supported and cannot be patched or run antivirus checks.

Going forward, this threat is expected to increase. Critical ship infrastructure related to navigation, power, and cargo management has become increasingly digitized and reliant on the Internet to perform a broad range of legitimate activities. The growing use of the Industrial Internet of Things (IIoT) will increase the ships' attack surface.

Common ship-based cyber vulnerabilities include the following:

*   Obsolete and unsupported operating systems
*   Unpatched system software
*   Outdated or missing antivirus software and protection from malware
*   Unsecured shipboard computer networks
*   Critical infrastructure continuously connected with the shore side
*   Inadequate access controls for third parties including contractors and service providers
*   Inadequately trained and/or skilled staff on cyber-risks

**Troubled Waters?**

Maritime cybersecurity has become a significant issue affecting ports around the world. According to the firm Naval Dome, cyberattacks on maritime transport increased by 400% in 2020. Cybersecurity risks are especially problematic to ports around the globe since docked ships regularly interact digitally with shore-based operations and service providers. This digital interaction includes the regular sending of shipping documents via email or uploading documents via online portals or other communications with marine terminals, stevedores, and port authorities.

For example, many port authorities require a Port State Control (PSC) survey to be completed by foreign ships docking in their ports. Among other activities, this survey verifies several ship certificates and approximately 40 different documents required by international maritime authorities.

Some past examples of port-based cyber breaches:

**Port of Rotterdam:** In June 2017, the port of Rotterdam was hit with a ransomware attack that paralyzed the activities of two container terminals operated by APMT, a subsidiary of the Møller-Maersk group. Note that the port of Rotterdam had completely automated its operations as part of a Smart Port strategy.

**Port of Shahid Rajaee:** In May 2020, the port of Shahid Rajaee, Iran, suffered a cyberattack that almost totally shut down its operations. The Washington Post reported that the "computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility." This cyberattack was presumed to be Israel's response to an attack on its water network.

**Port of Kennewick:** In November 2020, the port of Kennewick, Wash., was hit with ransomware that completely locked access to its servers. Even with the small size of this port, it took nearly a week for port authorities to access their data. Malware injected via a phishing email is thought to be the cause of this attack.

Knowing that they are vulnerable to cyber breaches does not help alleviate the challenge to ports that have no choice but to accept documents originating from these ships. If ports block these documents, the ships cannot dock, and this ultimately causes delays in global logistics and the supply chain.

**The Danger**

Ports have no choice but to accept the ships' documents. Refusal to accept these documents means loss of port revenue and blockages in the smooth flow of the supply chain. Document sending must proceed. But file-borne threats pose a significant challenge for ports. Malware is designed to access or damage a computer without the owner's knowledge. Hackers embed malicious code into seemingly innocent files. When those files are opened, the malware automatically executes and allows the hackers to gain access to valuable data or cause damage to the maritime industry.

Many of these threats first enter the ship through email phishing schemes — attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails or uploading malicious documents to website portals. These "hacks'' often exploit vulnerabilities in the ships' networks, using the vessel to gain access to the ship's partners, including the port.

Source

DARKReading