The chip giant has developed new features and services to make it tougher for malicious hackers and insiders to access sensitive data from applications in the cloud.

INTEL INNOVATION 2022 -- San Jose, Calif. — Intel has announced new hardware and software features for Project Amber, a confidential computing service that interlaces hardware and software to attest and certify the trustworthiness of data, at its Innovation developer summit this week.

The enhancements include features to protect data from the time it leaves the system and is in transit, in use, or at rest in storage.

"This is a fundamental technology that Intel has been developing for years. The place where it's going to be the most important is in AI/ML models ... to make sure when you're running a model on the edge, it's not being pilfered, it's not being stolen, it's not being manipulated," said Intel CTO Greg Lavender during his Wednesday keynote.

Data is traveling farther when outside the data center, with multiple stopovers, until it reaches cloud services or completes a round trip to enterprise infrastructure. Information from sources like sensors are added as data moves along a telecom network, with stopovers and artificial intelligence (AI) chips ensuring only relevant data moves ahead.

Project Amber uses hardware and software techniques to verify that the packets of data and its origin device are trustworthy. That layer of trust between devices and waypoints when data is in transit is a form of assurance that a company's infrastructure and execution environment are secure, says Anil Rao, Microsoft vice president for systems architecture and engineering in the office of CTO.

"Gone are the days where the central hubs are simply the data movers," Rao says. "They're not simple data movers. They're intelligent data movers."

The confidential computing offering is important for an enterprise mixing its own datasets with information from third parties to strengthen AI learning models. Project Amber provides a way to ensure that data is coming from trusted sources, Rao says.

**Secure Enclaves**

Project Amber adds a stronger lockdown mechanism to protect data while it is being processed. The Trust Domain Execution (TDX) instructions, which are on the company's upcoming 4th Generation Xeon Scalable processor, can secure an entire virtual machine as a trusted enclave.

The data is locked down so even hypervisors — which manage and monitor virtual machines — can't peek into the confidential computing environment.

"Your application will still do a virtual machine entry and exit call, but during those calls the data is still encrypted," Rao says.

Today's computing environment in the cloud is built around virtual machines, and applications don't run directly off processors, says Steve Leibson, principal analyst at Tirias Research.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon. But a virtual machine — that's just software. You can alter it," Leibson says. "Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

TDX is bigger in scope than Secure Guard Extensions (SGX), which is a secure area in the memory in which to push, run, and operate code. SGX, a common feature on Intel chips, is also a part of Project Amber.

Intel's Rao compares the scope of TDX and SGX to hotel rooms. If TDX was a trusted boundary in the form of a secure hotel room, SGX was a secure locker inside the hotel room.

Project Amber allows data to enter secure enclaves after matching numerical codes issued by Amber engines. If the codes match, data can enter the secure enclave; if not, entry is denied because data could have been altered, modified, or hacked in transit.

"It's almost like you're giving somebody your VIN number and saying, 'Is this the authentic VIN number for my car or has someone done something hanky-panky with that thing?'" Rao says.

Intel will also provide customers the ability to define their own policies to create a trusted execution environment.

"You may want to process everything in an East Coast data center versus a West Coast," Rao says. "What Amber says is that here is exactly what it is — your code did not pass the policy."

**Protection in the Clouds**

Amber will support multiple cloud service providers, but Intel didn't provide specific details.

"We want to make it multicloud so you don't need to have a different attestation mechanism as an enterprise when you go to different clouds," Rao says.

There are hundreds of millions of processors from Intel in data centers around the world, and bad actors have an established ability to break into servers and steal secrets, Tirias' Leibson says.

"It's a cat-and-mouse game, and Intel is constantly trying to develop new ways to prevent the bad guys from breaking into the servers and stealing secrets," Leibson says. "And it goes all the way from script kiddies, to teenagers who are just hacking around, to state-sponsored sites."

At some point, one has to think about protecting data in use, in motion, and in storage. Project Amber was thus inevitable, especially with computing moving farther away from homegrown infrastructure to the cloud, Leibson says.

Project Amber is still in the pilot phase as Intel gears the technology for computing models adopted by verticals. The chipmaker is working with research company Leidos to use Project Amber in the healthcare sector, which has many types of devices and sensors spread over large geographies and requires attestation to ensure systems receive only trustworthy data.

Intel Hardens Confidential Computing With Project Amber Updates

REDWOOD CITY, Calif., Sept. 27, 2022 /PRNewswire/ -- Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams. New enhancements include development support on the most recent Mac computers, and improved secrets management usability through automation, intended to reduce development time and increase visibility.

According to a 2022 Crowdstrike report, 80% of cyber attacks involve stolen credentials, and in late 2021 Gartner listed managing machine identities as one of the top five cybersecurity and risk trends. Delinea strives to reduce the risk of using hardcoded credentials in applications and services by instead dynamically injecting secure credentials with Just-in-Time access from DevOps Secrets Vault.

Expanded Support for developers on Macs

With added support for the M1 chip, developers coding on the latest Macs can now benefit from using DevOps Secrets Vault's command line interface (CLI) and the DSV Engine (an agent supporting database dynamic secrets) as part of their toolset. Building upon its focus on seamless usability, Delinea continues to reduce friction that commonly arises when securing sensitive secrets and credentials, especially in fast-paced DevOps environments.

Continual interface improvements reduce friction for DevOps teams

Both the CLI and graphical interface receive continual usability and flexibility enhancements, allowing developers to work seamlessly in their preferred interface with their preferred tools while helping organizations decrease the risk of compromised credentials.

New features added to both interfaces include:

Expanded support for Security Information and Event Management (SIEM) functionality

A certified Ansible plugin for use on Ansible Automation Hub

Enhanced authentication methods

"The exponential growth of machine identities as applications are modernized and architected as micro-services continues to place organizations at increased risk," said Jason Michell, SVP of Engineering at Delinea. "Delinea's ongoing focus on making security seamless for developers is reflected in these recent enhancements, enabling them to use DevOps Secrets Vault to dynamically insert credentials in their code, in line with security best practices."

Organizations can try DevOps Secrets Vault for free at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Latest Delinea Update Streamlines DevOps Security

KnowBe4's Compliance Audit Readiness Assessment (CARA) now addresses select requirements from HIPAA Security Rule.

TAMPA BAY, Fla., Sept. 27, 2022 /PRNewswire/ -- KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today launched a new version of its Compliance Audit Readiness Assessment (CARA) that now covers select requirements for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to address healthcare privacy requirements.

Healthcare organizations around the world continue to inadequately protect sensitive protected health information (PHI). Between 2009 and 2021, 4,419 healthcare data breaches of 500 or more records have been reported to the U.S. Health and Human Services' (HHS) Office for Civil Rights. Those breaches have resulted in the loss, theft, exposure or impermissible disclosure of 314,063,186 healthcare records.

CARA is a complimentary, web-based tool that helps organizations assess their readiness for meeting compliance requirements. With this new version, IT and security professionals are guided through specific select requirements from the Health Insurance Portability and Accountability Act (HIPAA) Security Rule outlined by HHS. CARA asks security professionals to rate their readiness for each requirement and then provides an analysis of the results to help them define the controls they need in place before a compliance audit.

"Accessing confidential patient data is the cybercriminal's equivalent to discovering buried treasure, but it happens far more often than imaginable due to antiquated healthcare systems and security practices," said Stu Sjouwerman, CEO, KnowBe4. "Security professionals are overwhelmed with trying to comply with all of the healthcare security requirements through HIPAA. Our CARA tool now has the capability to help healthcare organizations become better prepared for compliance requirements related to the HIPAA Security Rule. This refreshed tool goes a long way towards simplifying the process of getting healthcare organizations adequately equipped for compliance audits."

The HIPAA Security Rule contains the standards to safeguard and protect electronically created, accessed, processed or stored PHI. The rule applies to any organization or system that has access to confidential patient data.

For more information on CARA, visit https://www.knowbe4.com/compliance-audit-readiness-assessment.

**About KnowBe4**  
KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 52,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

KnowBe4 Simplifies Compliance Requirements for Healthcare Privacy

Combination of two companies to help SAP customers streamline audit, compliance and control processes.

DALLAS, Sept. 27, 2022 /PRNewswire/ -- Pathlock, the leading provider of application security and controls automation for critical business applications, today announced the acquisition of Grey Monarch, a UK-based specialist SAP Partner dedicated to SAP Process Automation. The acquisition will strengthen Pathlock's vision of providing the industry's most complete 360-degree platform for application security and controls automation for the SAP ecosystem.

Since 2008, Grey Monarch has developed expertise in SAP Security, Segregation of Duties, SAP Licence Optimization, SAP Background Processing Automation and Secure Managed File Transfer. With this acquisition, the SAP community will benefit from the very best SAP Process Automation advice, implementation skills, and software and training capabilities, improving levels of security, enhancing their users' experience and streamlining audit, compliance and control procedures.

"It's now more imperative than ever for organizations to utilize a holistic view of user access and privileges so they can be managed, monitored and controlled to ensure the maximum protection of data, business processes and intellectual property," said David Lloyd, Director and Co-Founder, Grey Monarch. "Combining Grey Monarch's capabilities with the Pathlock family of expertise, resources and product portfolio will provide our customers, existing and new, with an unsurpassed visibility into their business applications."

"We're thrilled to complete the acquisition of Grey Monarch," said Piyush Pandey, CEO of Pathlock. "We continue to see a strong demand for our globally recognized application security and controls automation solutions, and know that with Grey Monarch's specialization in SAP process automation we can continue to enable our global customers to revolutionize the way they secure their sensitive financial and customer data."

In May 2022, Pathlock announced a $200M capital raise sponsored by Vertica Capital Partners alongside a merger with Appsian and Security Weaver and the acquisition of Belgium-based CSI Tools and Germany-based SAST SOLUTIONS. The company has successfully doubled in size in terms of revenue and employees and is now servicing over 1,400 customers across all major industries on a global scale with offices across the United States, Belgium, the UK, Germany, Israel and India.

**About Pathlock**

Pathlock is the leader in application security and controls automation. With Pathlock, enterprises can manage all aspects of access governance via a single platform, across applications, including user provisioning, ongoing User Access Reviews, segregation of duties, control testing, and audit preparation. Today, many of the world's most respected, global 2000 companies rely on Pathlock to protect their critical digital assets from financial, operational, regulatory and security threats, ensure corporate compliance and improve performance. Our customers have saved millions in employee productivity, labor costs, audit fees and data loss prevention.

Pathlock Expands SAP Capabilities with Acquisition of Grey Monarch

Survey of over 2,000 IT pros revealed that a quarter either don't know or don't think Microsoft 365 data can be affected by ransomware.

PITTSBURGH, Sept. 26, 2022 /PRNewswire/ -- Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to a latest annual report from cybersecurity specialist Hornetsecurity.

The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with one in five (20%) attacks happening in the last year.

**Hornetsecurity**

Cyberattacks are happening more frequently. Last year's ransomware survey revealed one in five (21%) companies experienced an attack; this year it rose by three percent to 24%.

Hornetsecurity CEO, Daniel Hofmann said: _"Attacks on businesses are increasing, and there is a shocking lack of awareness and preparation by IT pros. Our survey shows that many in the IT community have a false sense of security. As bad actors develop new techniques, companies like ours have to do what it takes to come out ahead and protect businesses around the world."_

Microsoft 365 users targeted by attackers  
The 2022 Ransomware Report highlighted a lack of knowledge on the security available to businesses. A quarter (25%) of IT professionals either don't know or don't think that Microsoft 365 data can be impacted by a ransomware attack.

Just as worryingly, 40% of IT professionals that use Microsoft 365 in their organization admitted they do not have a recovery plan in case their Microsoft 365 data was compromised by a ransomware attack.

Hofmann added: _"Microsoft 365 is vulnerable to phishing attacks and ransomware attacks, but with the help of third-party tools, IT admins can back up their Microsoft 365 data securely and protect themselves from such attacks."_

Lack of business preparedness  
Industry responses showed the widespread lack of preparedness from IT professionals and businesses. There has been an increase in businesses not having a disaster recovery plan in place if they do succumb to the heightened threat of a cyberattack.

In 2021, 16% of respondents reported having no disaster recovery plan in place. In 2022, this grew to 19%, despite the rise in attacks.

The survey also showed that more than one in five businesses (21%) that were attacked either paid up or lost data. Hackers have an incentive to run these ransomware attacks because there's a decent chance that they'll get a payday - 7% of IT professionals whose organization was attacked paid the ransom, while 14% admitted that they lost data to an attack.

Hofmann concluded: _"Interestingly, 97% of pros are moderately to extremely confident in their primary protection method, even if they don't use many of the most effective security measures available, such as immutable storage and air-gapped off-site storage. This tells us that more education is needed in the field, and we're committed to this cause."_

**Next steps for IT Pros**  
Read more about Hornetsecurity's Ransomware Attacks Survey.

These findings will directly influence an educational webinar on October 5, **Ransomware Attack Survey: One Year Later**. Colin Wright, Hornetsecurity VP of EMEA and Andy Syrewicze, Microsoft MVP will break down the results of this survey and explore the current trends, threats, and news from the industry. Register for the ransomware attack webinar here.

**About Hornetsecurity Group**

Hornetsecurity is the leading security and backup solution provider for Microsoft 365. Its flagship product is the most extensive cloud security solution for Microsoft 365 on the market, providing robust, comprehensive, award-winning protection: Spam and virus filtering, protection against phishing and ransomware, legally compliant archiving and encryption, advanced threat protection, email continuity, signatures and disclaimers. It's an all-in-one security package that even includes backup and recovery for all data in Microsoft 365 and users' endpoints.

Hornetsecurity Inc. is based in Pittsburgh, PA with other North America offices in Washington D.C. and Montreal, Canada. Globally, Hornetsecurity operates in more than 30 countries through its international distribution network. Its premium services are used by 50,000+ customers including Swisscom, Telefónica, KONICA MINOLTA, LVM Versicherung, and CLAAS.

Ransomware Attacks Continue Increasing: 20% of All Reported Attacks Occurred in the Last 12 Months - New Survey

Call it cross-border enlightened self-interest: As one of the US's premier trade partners and closest neighbors, what's bad for Mexico is bad for the US.

In August 2020, the US and Mexico established a working group and conducted a first-of-its-kind dialogue regarding mutual cybersecurity concerns. While the two countries have been partnering to counter illicit drug trafficking for decades, only recently has real progress been made related to cybersecurity, as described in the State Department's recent joint statement. Given the evolving threat landscape in recent years, it is remarkable it has taken so long for this partnership to mature. What may be quicker to evolve is the private sector's reaction to this new partnership as cybersecurity service providers recognize this bilateral cooperation as a lucrative commercial opportunity.

**Reliance on Cross-Border Critical Infrastructure**

Perhaps the most significant strategic focus of this collaboration is the commitment to strengthening coordination and response to cyber incidents affecting critical infrastructures. Mexico and the US share interdependent economies, as well as the risk of closely related critical infrastructure. Mexico consistently ranks among the top trade partners for the US and in 2021 supplied 8% of US oil (by comparison, Saudi Arabia provided 5%), according to the US Energy Information Administration. US dependency on Mexican oil would thus, naturally, justify the protection and security of that resource as a US national security interest.

Similar to the US's own Colonial Pipeline compromise in 2021, Pemex (Mexico's state-owned petroleum company) experienced a ransom event in 2019. Fortunately, the Pemex incident did not result in the same disruption to services as the Colonial matter did. Pemex's incident does highlight that Mexico's infrastructure is a target and that it is also vulnerable. Though the Pemex incident did not make significant waves for the US, a more significant incident could cause far greater economic consequences for Mexico and the US alike.

**Benefits of Closing Vulnerabilities as Trade Partners**

As one of the US's premier trade partners and boundary sharing geographic neighbors, what is bad for Mexico is bad for the US. Be it in telecom, the financial sector, or any aspect of critical infrastructure and key resources, a disruption in Mexico would likely cross over and impact the US. One of the most effective and self-beneficial ways for the US to protect against this is to invest in Mexico's cybersecurity capabilities. In many cases, nation-state offensive operations view Mexico as a less secure technological gateway into targeting the US. The relatively weak cybersecurity posture in Mexico enables criminals to either exploit entities there or use compromised systems as proxies to target US entities.

Mexico is also seeing an increase in overseas factories relocating and setting up production within its borders. The Chinese in particular view this as a strategic advantage as it reduces their overall cost in shipping expenses as well as export tariffs. Chinese investment in this way will undoubtedly require additional bandwidth, expansion of IT related infrastructure, and efficient connectivity back to China. Aside from its implications to US national security, Mexico's cybersecurity capabilities and related infrastructure will need to mature to keep pace with this industrial and economic development.

With growing, increasingly complex internal cyber demands, Mexico is likely incapable of meeting these needs on its own and would benefit from able and experienced partners. US investment, both from the government and private sector, in Mexico is more a matter of investing in US interests, yielding benefits both economically and security-wise.

The US would be served well if it benchmarked the mission and vision of the Cybersecurity and Infrastructure Security Agency (CISA) and invested in Mexico's ability to "understand, manage, and reduce risk" to Mexico’s cyber and physical infrastructure. The near-term security priorities investment should be maturing capability delivery, vulnerability management, and cyber-defense education, and training. 

Additionally, forward-thinking cybersecurity vendors will undoubtedly see this opportunity as a chance to capitalize on private sector demand, and possibly government contracts as well. It should come as no surprise if the industry sees a flurry of activity around establishing capabilities and resources to serve the market in Mexico. And by treating Mexico's cybersecurity posture as important as countering illicit drugs, the US will enhance its own security in the long run.

Why the US Should Help Secure Mexican Infrastructure — and What It Gets in Return

Literacy, levels of personal freedom, and other macro-social factors help determine how strong average passwords are in a given locale, researchers have found.

When it comes to choosing passwords, it turns out that a person's country of residence has an impact on the strength of their choice.

Researchers from GoSecure have uncovered four primary macro-social factors that strongly correlate to positive password performance (measured by the time it takes to crack the credential, in seconds). Those are:

*   Level of human rights in-country and its degree of free society;
*   Literacy level of a population;
*   Country's placement in the Global Cybersecurity Index (GCI); and
*   Level of data-breach exposure and victimization.

    

Source: GoSecure

"Countries have an impact on the level of protection of their users," according to the report, released this week. "A user’s country of origin and/or residence necessarily has an impact on their social identity. It means that our social identity, which can be influenced by several levels (e.g., macro and micro), might have an impact on password choice."

**4 Correlations of Society's Impact on Password Performance**

To arrive at these conclusions, the researchers started with the mean time needed to crack the 200 most common passwords by country, as determined by NordPass. According to the most recent data set (last November), the mean time to crack passwords globally is about 9.6 hours, spanning a range from 0 hours to more than 10 years. That said, the majority of passwords (61%) included in the list can be cracked in less than a minute, according to the findings, which dovetail with other analysis.

GoSecure then took this dataset and cross-referenced it with 29 different social variables, eventually finding that four of them were strongly correlated indicators of password strength.

**1\. Support for Civil Society**

Interestingly, the level of democracy and freedom within a country posed a strong correlation to password strength, the firm found.

"Countries in which citizens participate in selecting their government and have freedom increase password strength performance," according to GoSecure researcher Andréanne Bergeron, writing in the analysis. "This might be explained by the fact that democratic countries also have greater access to the Internet."

The firm used Voice & Accountability as a cross-referenced data point, which is one of six components of governance indicators as stipulated by the World Bank. Voice & Accountability reflects perceptions of the extent to which a country’s citizens are able to participate in selecting their government, as well as freedom of expression, freedom of association, and a free media.

"Since the Internet is synonymous with access to information and freedom, undemocratic countries are resistant to the widespread use of Internet by their citizens," Bergeron said. "When the Internet is widely accessible, people learn how to use it and structures can be developed."

**2\. Basic Education**

Literacy is a predictive benchmark for better password practices because it's directly connected to the use of technologies and the ability to educate oneself, according to GoSecure. When a user’s level of cybersecurity knowledge increases, their cybersecurity behaviors improve. The firm cross-referenced publicly available data on literacy rates with the password-cracking data to bear this out.

"To seek, evaluate, and use information found on the Internet, users must navigate via largely text-based menus and links, as well as reading large volumes of text," Bergeron said. "The challenges faced by low-literacy users when creating and managing passwords are documented and research indicates that they are more prevalent than in the literate population."

**3\. Global Cybersecurity Index**

Unsurprisingly, the level of government commitment to and funding in cybersecurity also matters. Bergeron said, "The commitment of countries to fight against online crime is beneficial economically. The present analysis goes further suggesting this type of investment predicts better password strength performance."

Researchers found the correlation by cross-referencing the ITU's Global Cybersecurity Index (GCI) with the NordVPN numbers. The GCI is a comprehensive measure of the cybersecurity commitment of individual countries, gleaned from 25 indicators across five pillars (Legal Measures, Technical Measures, Organizational Measures, Capacity Development, and Cooperation).

**4\. Cybersecurity Exposure Index**

It makes sense that people might be more sensitive to the importance of protecting data with strong passwords when they are exposed to more cybersecurity incidents — in fact, GoSecure noted that the level at which countries are targeted (as determined by the Cyber Exposure Index) had the strongest correlation to better password hygiene in its analysis.

The CEI is based on data about sensitive disclosures, exposed credentials, and hacker-group activity against companies, collected from publicly available sources in the Dark Web and Deep Web and from data breaches.

"Users are aware of the meaning of a data breach, and it influences their behavior and password formation strategies," according to the report. "This demonstrates the resilience of users when they live in a hostile environment."

The Country Where You Live Impacts Password Choices

China-based threat actor used poisoned vSphere Installation Bundles to deliver multiple backdoors on systems, security vendor says.

VMware issued urgent new mitigation measures and guidance on Sept. 29 for customers of its vSphere virtualization technology after Mandiant reported detecting a China-based threat actor using a troubling new technique to install multiple persistent backdoors on ESXi hypervisors.

The technique that Mandiant observed involves the threat actor — tracked as UNC3886 — using malicious vSphere Installation Bundles (VIBs) to sneak their malware onto target systems. To do so, the attackers required admin-level privileges to the ESXi hypervisor. But there was no evidence that they needed to exploit any vulnerability in VMware's products to deploy the malware, Mandiant said.

**Wide Range of Malicious Capabilities**

The backdoors, which Mandiant has dubbed VIRTUALPITA and VIRTUALPIE, enable the attackers to carry out a range of malicious activities. This includes maintaining persistent admin access to the ESXi hypervisor; sending malicious commands to the guest VM via the hypervisor; transferring files between the ESXi hypervisor and guest machines; tampering with logging services; and executing arbitrary commands between VM guests on the same hypervisor.

"Using the malware ecosystem, it is possible for an attacker to remotely access a hypervisor and send arbitrary commands that will be executed on a guest virtual machine," says Alex Marvi, a security consultant at Mandiant. "The backdoors Mandiant observed, VIRTUALPITA and VIRTUALPIE, allow attackers interactive access to the hypervisors themselves. They allow attackers to pass the commands from host to guest." 

Marvi says Mandiant observed a separate Python script specifying which commands to run and which guest machine to run them on.

Mandiant said it was aware of fewer than 10 organizations where the threat actors had managed to compromise ESXi hypervisors in this manner. But expect more incidents to surface, the security vendor warned in its report: "While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMware's virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities."

VMware describes a VIB as a "collection of files packaged into a single archive to facilitate distribution." They are designed to help administrators manage virtual systems, distribute custom binaries and updates across the environment, and create startup tasks and custom firewall rules on ESXi system restart.

**Tricky New Tactic**

VMware has designated four so-called acceptance levels for VIBs: VMwareCertified VIBs that are VMware created, tested, and signed; VMwareAccepted VIBs that are created and signed by approved VMware partners; PartnerSupported VIBs from trusted VMware partners; and CommunitySupported VIBs created by individuals or partners outside the VMware partner program. CommunitySupported VIBs are not VMware- or partner-tested or supported.

When an ESXi image is created, it is assigned one of these acceptance levels, Mandiant said. "Any VIBs added to the image must be at the same acceptance level or higher," the security vendor said. "This helps ensure that non-supported VIBs don't get mixed in with supported VIBs when creating and maintaining ESXi images." 

VMware's default minimum acceptance level for a VIB is PartnerSupported. But administrators can change the level manually and force a profile to ignore minimum acceptance level requirements when installing a VIB, Mandiant said.

In the incidents that Mandiant observed, the attackers appear to have used this fact to their advantage by first creating a CommunitySupport-level VIB and then modifying its descriptor file to make it appear that the VIB was PartnerSupported. They then used a so-called force flag parameter associated with VIB use to install the malicious VIB on the target ESXi hypervisors. Marvi pointed Dark Reading to VMware when asked whether the force parameter should be considered a weakness considering that it gives administrators a way to override minimum VIB acceptance requirements.

**Operation Security Lapse?**

A VMware spokeswoman denied the issue was a weakness. The company recommends Secure Boot because it disables this force command, she says. "The attacker had to have full access to ESXi to run the force command, and a second layer of security in Secure Boot is necessary to disable this command," she says. 

She also notes that mechanisms are available that would allow organizations to identify when a VIB might have been tampered with. In a blog post that VMWare published at the same time as Mandiant's report, VMware identified the attacks as likely the result of operational security weaknesses on the part of the victim organizations. The company outlined specific ways organizations can configure their environments to protect against VIB misuse and other threats.

VMware recommends that organizations implement Secure Boot, Trusted Platform Modules, and Host Attestation to validate software drivers and other components. "When Secure Boot is enabled the use of the 'CommunitySupported' acceptance level will be blocked, preventing attackers from installing unsigned and improperly signed VIBs (even with the --force parameter as noted in the report)," VMware said.

The company also said organizations should implement robust patching and life-cycle management practices and use technologies such as its VMware Carbon Black Endpoint and VMware NSX suite to harden workloads.

Mandiant also published a separate second blog post on Sept. 29 that detailed how organizations can detect threats like the one they observed and how to harden their ESXi environments against them. Among the defenses are network isolation, strong identity and access management, and proper services management practices.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the attack demonstrates a very interesting technique for attackers to retain persistence and expand their presence in a targeted environment. "It looks more like something a well-resourced state- or state-sponsored threat would use, versus what a common criminal APT group would deploy," he says.

Parkin says VMware technologies can be very robust and resilient when deployed using the company's recommended configurations and industry best practices. "However, things become much more challenging when the threat actor is logging in with administrative credentials. As an attacker, if you can get root you have the keys to the kingdom, so to speak."

Dangerous New Attack Technique Compromising VMware ESXi Hypervisors

Identity verification could be the key to fighting back and building trust in an industry beset with high-stakes fraud.

Business email compromise (BEC) scams are some of the most potent threats to cybersecurity around the globe — and the threat is not letting up anytime soon. While ransomware attacks often grab the headlines, BEC scams are just as pervasive. Cybercriminals carry out BEC scams by "either spoofing an email account or website, sending spear-phishing emails, or using malware," according to the FBI.

Real estate is one of the industries significantly hit by BEC scams. Data from the FBI's Internet Crime Report 2021 revealed that "about 13,638 people were victims of wire fraud in the real estate and rental sector in 2020 — a 17% increase over 2019 — with losses of over $213 million." As a result, real estate and rental wire fraud were ranked No. 7 out of over 30 types of fraud monitored and reported by the IC3.

Another report, by the National Association of Realtors, showed that the real estate industry saw $6.9 billion in victim losses in 2021, with more than an estimated 2,300 average complaints daily. Undoubtedly, real estate wire fraud is one of the most common types of cybercrimes in the US today.

There are several reasons why BEC scams work. Tyler Adams, CEO and co-founder of Texas-based SaaS platform CertifID, recently discussed with Dark Reading three major ones and how to get ahead of them.

**1\. Information on Real Estate Transactions Is Public**

Whether they are targeting Fortune 500 companies or small real estate offices, BEC scam actors gather information to soften the target and make it more vulnerable to attacks. Usually, BEC scam victims receive a spoofed email on behalf of a party involved in a real estate transaction, with instructions directing them to change a payment type or location to a fraudulent account. Once the funds are deposited, they're rapidly withdrawn, making recovery difficult or impossible.

According to Adams, a major reason why attackers can successfully gather information on their targets is because all the information for real estate transactions is public.

"With a simple search online, you can see every house that's for sale, who the real estate agent is — and sometimes the seller themselves — and even the title/escrow companies that service the local market," he said.

Adams noted that information like the one above leads to targeted phishing attacks that result in BEC. "This makes it easy for fraudsters to impersonate mortgage lenders as part of a real estate closing, in hopes of having the payoff wire transfer redirected to the fraudster's bank account," he said.

In addition, the two parties involved in real estate transactions are expected to trust each other, and there's often a lot of information divulged in that process. Malicious actors exploit that trust by weaponizing the public information against unsuspecting businesses and individuals.

**2\. Many Communications Are Electronic**

Adams pointed out that lots of different people communicate electronically in the real estate industry. The average real estate transaction has six different people or parties, all communicating electronically to align on the details of the closing and transfer of funds, he noted. This often presents several loopholes that threat actors can exploit.

One of the ways attackers leverage electronic communications in real estate is through impersonation, Adams said.

"Sometimes it's realtor impersonation — such as a first-time home buyer getting an email from what appears to be their real estate agent but is instead a fraudster with details for where and when to send the money," Adams said. "Oftentimes it's lender impersonation."

He noted that a common fraud is impersonating a mortgage lender, fooling a buyer into sending their wire transfer to the scam artist instead of their lender.

**3\. Transactions Are Temptingly Big**

The payday for fraudsters is huge, Adams said. Measured by revenue, the market size of the US real estate sales and brokerage industry is $226.8 billion in 2022 alone, according to research firm IbisWorld. That's a per-year average growth of 4.9% from 2017 to 2022, the report states. The large volume of daily transactions in real estate makes the industry a juicy target for attackers.

This is why one of CertifID's major areas of practice is the small and midsize business (SMB) space, according to Adams. SMBs often lack the infrastructure to effectively monitor the daily volume of real estate transactions and the resources to recover from an incident when it occurs.

"There are millions of small and medium-sized businesses all across the United States that don't know how to leverage advanced API-based platforms to stay protected against cyberthreats. And one payoff from any of these cybercrimes can put such companies out of business," he said.

**Restoring Trust by Verifying Identity**

CertifID says it has developed the technology and expertise needed to track how money moves across the real estate industry, with the aim to restore trust in the industry. In an intricate system that involves knowing all the parties involved in every transaction, it's essential to prioritize identity verification, Adams said.

"If we're going to do a transfer transaction, we've got to know that you are who you say you are, because if you're at all being impersonated, then we can't trust any of the information," he says.

CertifID says its PayoffProtect product validates mortgage payoff wiring instructions, authenticating parties and bank wire information in real estate transactions. Its broader platform addresses the specific needs of real estate agents, title agents, and law firms.

Trust is one of the cardinal points in the real estate industry. Every single home that's for sale is online, and attached to it is a real estate agent who has a phone number and email address. They want to be contacted by as many people as possible because they want to sell that home, and they don't know whether a buyer is legit or a fraudster.

"Given real estate transactions are a fertile ground for BEC, and the impact these frauds have on the livelihoods of individuals and businesses, we'll continue to support this industry until we've made a significant impact in the fight against fraud," Adams said.

3 Reasons Why BEC Scams Work in Real Estate

2,700 cybersecurity career pursuers have already passed the (ISC)2 Certified in Cybersecurity℠ exam, with more than 53,000 more people registered for a free course and exam.

ALEXANDRIA, Va., Sept. 29, 2022 /PRNewswire/ — (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced the rapid adoption of three initiatives aimed at addressing the cybersecurity workforce gap. (ISC)2 Candidates, (ISC)2 Certified in CybersecuritySM and (ISC)² One Million Certified in Cybersecurity are significant milestones in making cybersecurity careers more accessible to more people around the world.

One month after announcing (ISC)2 Candidates, launching Certified in Cybersecurity and opening enrollment for One Million Certified in Cybersecurity:

*   **55,000 individuals have signed up for (ISC)2 Candidates,** which is for individuals pursuing or considering a career in cybersecurity, or already seeking an (ISC)² certification. Upon enrolling as an (ISC)² Candidate, participants receive access to exclusive resources and benefits to propel them along their journeys to becoming cybersecurity professionals.
*   **2,700 people have passed their Certified in Cybersecurity exams**. Anyone earning the (ISC)² Certified in Cybersecurity certification demonstrates that they have the foundational knowledge, skills and abilities to take on entry- and junior-level cybersecurity roles, enabling employers to more confidently build resilient teams across all experience levels.
*   Through the **One Million Certified in Cybersecurity initiative,** **53,000 more people have enrolled** for a free Certified in Cybersecurity course and exam. This initiative pledges to provide free, entry-level cybersecurity certification exams and self-paced educational program courses to **one million new professionals starting a career in cybersecurity**.

**New Roads to Cybersecurity Career Success  
**Through these initiatives, tens of thousands of people have established or strengthened their connection with the cybersecurity community in just the past month, highlighting the importance of creating new and diverse pathways into the industry.

"These initial successes demonstrate that our efforts have already made a positive impact in opening new and unique pathways into the cybersecurity industry," said Clar Rosso, CEO, (ISC)². "They have also enabled us to expand our association which now reaches over a quarter of a million members, associates and candidates worldwide. It is exciting to see how targeted programs aimed at getting more people exposed to the cybersecurity profession can quickly lay the foundation for the next generation and not only help secure our nations and economies, but also enable them to benefit from rewarding and challenging careers."

"I'm switching career paths to move into cybersecurity," said Eric Turner, Systems Integration Developer, MSD of Warren Township. "The (ISC)2 Certified in CybersecuritySM entry-level certification is another great way to demonstrate my knowledge."

Learn more about these programs at www.isc2.org/candidate

(ISC)² will highlight the importance of diversity and accessibility in cybersecurity at its 12th annual (ISC)² Security Congress conference, a hybrid event taking place on October 10-12, 2022, in Las Vegas and online.

**About (ISC)²**

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, more than 235,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

Source

DARKReading