Organizations looking to get ahead in cloud security have gone down the path of deploying CSPM tooling with good results. Still, there’s a clear picture that data security and security operations are next key areas of interest.

As an industry, we're now at a point where we don't have to convince anyone that we have a massive digital dependence on cloud technologies and that securing cloud deployments is a key initiative for most organizations. There is widespread availability of cloud security posture management (CSPM) tooling — commercial- and community-driven alike — and CSPM itself is being incorporated into new tooling coming under the heading of cloud-native application protection platforms (CNAPP).

Many cloud security conversations focus primarily on making sure clouds are configured properly, but there is much more to cloud security than that. Much like traditional security is much more than patching, there is more to cloud security than configuration.

As we analyze cloud security trends, we recently collected survey data under our Omdia Decision Makers survey and found interesting results that highlight these conclusions.

The figure below plots responses to the question "What are your top concerns in relation to cloud security?" The bars on the left show the aggregate view (n=186). We can clearly see a major concern with cost of security tooling, then other concerns aggregated together, including security tooling functionality, responding to events, data security, and others.

    

That said, we also segmented the population into two groups based on their response to a previous question about how advanced their deployments of CSPM tools were. Our ongoing industry interactions with multiple stakeholders point to CSPM tools as the type of tool most often associated with "cloud security" conversations, so we chose CSPM deployment experience as a proxy for cloud experience. Statistician George Box is famous for saying "all models are wrong, but some are useful," which we think is relevant here; there's no implication of causation, but some interesting variations show up in the response data.

For those that have what we consider "low" experience with cloud security (n=61) by virtue of having CSPM deployments in the pilot or proof-of-concept stage, concerns around cost are even more pronounced, as are concerns about cloud permissions and a slight bump for concerns about compliance.

For those that have more cloud security experience (n=54) — those that responded that they have deployed CSPM in widespread production use —responses shifted significantly. Now, concerns about data security are much more pronounced, as are concerns about how to respond quickly to incidents, with additional notable concerns regarding the ever-present skills gap in terms of cloud technologies.

**Heightened Concerns**

Our interpretation of this data is that customers are indeed seeing value from the CSPM tooling for configurations and compliance, but they now have heightened concerns on data security, security operations, and making sure their teams are skilled in cloud technologies. These concerns are already lurking in the shadows, and once CSPM clears the way of handling the more visible security configuration/compliance concerns, these issues come to the forefront.

The responses uncovered here point to interesting directions for future inquiry. It is increasingly clear that data security presents a key area of concern. What are the ways one gets to data? One way is via direct access to the data stores themselves. This is the provenance of cloud configuration (CSPM) and the increasingly popular DSPM (data security posture management) category. Another is getting access via the very APIs provided by the company; this then leads down a path of paying close attention to API security.

For security operations, the path forward appears to include more considerations about how to incorporate cloud security use cases in SOC response flows. Dubbed cloud detection and response (CDR), this is also a promising area of research that we're watching.

For end users, this means being ready to address these categories soon. For vendors, understand that there is much more to customer demand for cloud security than CSPM — or even CNAPP — alone.

What Lurks in the Shadows of Cloud Security?

Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.

Growth in the number of new accounts looks great, but if fake accounts get in that mix, they are not providing the value you (and your investors) need. If you are a social media platform striving for growth, fake accounts may seem like the answer to your prayers — something you can show investors to demonstrate your reach. And to the end user, all those accounts that listen to music online or follow us on social media seem great. But the reality is that fake accounts are harmful, even before the truth comes to light.

It's especially damaging when bots use real human data, stolen and sold on the Dark Web, to create these fake accounts. And when they are exposed to sunlight, as the situation with Elon Musk's stalled acquisition of Twitter has shown, the effects can be unexpected and rampant, quickly taking on a life of their own.

We're going to look at what fake accounts mean, why they exist, and what you can do to combat this pernicious adversary.

**Enter the Billionaire**

Love him or hate him, you cannot deny the impact Musk has made on the tech industry. But second-guessing his motives and actions is very much like my dog trying to work out the significance of my sitting at my desk drumming my fingers on the keyboard all day.

When I spoke with Tamer Hassan, co-founder and CEO of Human Security, I asked him what he believes is the core challenge facing any investor looking at Twitter. 

"It's really all about the question, 'What would you do if you could look like a million humans?' The answer is a lot," he said. "Cybercriminals have proliferated sophisticated bots and spam accounts across social media platforms with limited accountability, and the combined result is diminished trust in the brand, a negative user experience, and a negative impact on the company's valuation and bottom line."

**Twitter & the Tragedy of the Digital Commons**

Twitter is an increasingly rare Internet resource. It is a common platform connecting humans all over the world and, with some rare exceptions, does not inhibit or censor free expression. As with most common goods, it is subject to overuse; the phrase "tragedy of the commons" originated to describe people overusing grassy common land to graze their livestock. As anyone who has dipped a toe into the Twitter stream knows, the slew of tweets is overwhelming and impossible to keep up with. This is made worse because, along with all of the humans desperate to air their opinions, points of view, and excitable investment plans, there are The Bots.

Bots are part of much of our life nowadays. Those of us using Office365 are familiar with the coy daily email saying, _"__Hey, we aren't analyzing what you do or the content of your inbox_, _but here's some stuff to be aware of_,_"_ and of course, on Twitter there are beneficial bots and harmful bots. Many bots watch for tweets that seem to relate to a particular subject (for example, #cybersecurity), and then amplify those tweets to their audiences. And of course, many will try and game these amplifiers, sometimes using bots of their own. And so the overgrazing continues.

**No One Should Pay for False Volume, Even Billionaires**

The primary incoming revenue stream for social platforms is advertising, which is driven by how many interested eyes can be shown targeted ads that are likely to lead to conversion. It therefore follows that the value of any social platform lies in the number of active users, whether it be a general-purpose networking platform such as Twitter, a narrow-purpose use case such as music, or even accommodation rentals (inactive users are just sludge at the bottom of the well). Bots, while they may generate activity, defraud advertisers by artificially inflating the user count.

Musk is understandably squeamish about paying for accounts that have zero (or even negative) lifetime value. When I asked about what a company can do about bots, Hassan commented, "Having the right protections in place, including transparency and regulation around the use of automation, to ensure they have a genuine view of human users on their platform can help brands establish greater credibility while also stopping cybercriminals from impacting their business."

Musk very publicly tried to withdraw from the Twitter acquisition, which has generated continuing legal ramifications. If we take his statements at face value, then the clear message is that bots and other fake accounts are bad business. Considering the ways that future Twitter (or any social media platform) could make money, being a trustworthy source of curated identity that doctors, banks, governments, and any other interested party (including peer-to-peer) can rely on would be a significant advantage.

**Here's Mudge in Your Eye**

One of Musk's stated concerns about the Twitter acquisition is that he has no certainty about how many of the platform's 396.5 million accounts are human. To add fuel to Twitter's bonfire of the vanities, its former CISO, Peiter "Mudge" Zatko, has blown the whistle on poor operational security controls, nonexistent software governance, and (you guessed it) inadequate user enrollment verification. In other words, no one knows how many users are bots, and what vulnerabilities exist in the platform that can be exploited by unfriendly groups — some of which are backed by nation-states.

As a former Facebook security engineer pointed out to me, "Mudge has a decades-long reputation of being highly ethical and one of the most respected practitioners in the cybersecurity community." When I asked whether they believed Mudge's claims about foreign intelligence infiltration, the response was, "I believe enough of it not to care about the rest."

Robert Graham takes a different view in his Cybersect blog, which contrasts the focus of a cybersecurity activist with that of a corporate executive. An executive's primary objective is to further the interest of the company and its shareholders, he wrote, which does not correlate with the ideals of many cybersecurity activists. In his view, Mudge has allowed his passion for cybersecurity excellence to overwhelm his responsibilities as an executive.

**Identity as a Commodity**

Identity is the cornerstone of cybersecurity. When an identity is successfully compromised, all of the other security controls will fold up and get out of the attacker's way. The opportunity for Twitter to provide an identity service based on its user base is a significant one.

It is clear, however, that if we cannot trust that the identities being asserted and corroborated by Twitter are genuine, then Twitter's usefulness in this area will always be limited. Twitter asserts that the cost of validating every account (and giving us all a little blue tick) is prohibitive, however, as the lifetime value of each Twitter account is very low.

I'm sure that Twitter is well aware of its security gaps. Indeed, a good use for some of Musk's proposed investment, if the company can still get it, would be to clean up the town square and correct the tragedy of the digital commons that we discussed earlier.

This is why identity is important, in particular being able to prove that a specific account is being operated by a human. If we manage to turn Twitter into a place where free speech is valued precisely _because_ the speakers are identified as human, then its value — to investors, the Twitter team, and most importantly, its users — will skyrocket.

Fake Accounts Are Not Your Friends!

The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business can’t avoid to pay, make sure you’ve got a strong data loss prevention practice in place.

$4.35 million. That's the average total cost of a data-exposing cybersecurity incident, according to the Ponemon Institute's "Cost of a Data Breach Report 2022." That's an all-time high, up 12.7% from 2020.

Between the potential loss of trade secrets, reputational harm, and regulatory fines related to data privacy, data breaches can threaten an organization's very existence. And if you don't take proactive measures to prevent them, the circumstances that led to one breach can easily result in another. Eighty-three percent of breached organizations report having suffered more than one such event.

Data loss prevention, or DLP, refers to a category of cybersecurity solutions that are specifically **designed to detect and prevent data breaches, leaks, and destruction**. These solutions do so by applying a combination of data flow controls and content analysis. And in today's cyber-threat landscape, DLP has become a basic business need.

**The Three States of Data and How DLP Protects Them**

There are **three main states** in which data can reside within an organization:

*   **Data in use**:**** Data is considered to be _in use_ when it's being accessed or transferred, either via local channels (e.g., peripherals and removable storage) or applications on the endpoint. An example could be files that are being transferred from a computer to an USB drive.
*   **Data in motion**:**** Data is considered to be _in motion_ when it's moving between computer systems. For example, data that is being transferred from local file storage to cloud storage, or from one endpoint computer to another via instant messenger or email.
*   **Data at rest**:**** Data is considered to be _at_ rest when it's stored, either locally or elsewhere on the network, and is not currently being accessed or transferred.

Of course, most sensitive data will change between these states frequently — in some cases, almost continuously — though there are use cases where data may remain in a single state for its entire life cycle at an endpoint.

Similarly, there are three primary "functional" DLP types, each dedicated to protecting one of these states of data. Here are just some examples of how this can work:

*   **Data-in-use DLP** systems may monitor and flag unauthorized interactions with sensitive data, such as attempts to print it, copy/paste to other locations, or capture screenshots.
*   **Data-in-motion DLP** detects whether an attempt is being made to transfer (confidential) data outside of the organization. Depending on your organization's needs, this can include _potentially_ unsafe destinations, such as USB drives or cloud-based applications.
*   **Data-at-rest DLP** enables a holistic view of the location of sensitive data on a local endpoint or network. This data can then be deleted (if it's out of place), or certain users' access to it blocked depending on your security policies.

Not all potential sources of a data breach are nefarious — they're often the result of good old-fashioned human error. Still, the impact is just as real whether sensitive information is intentionally stolen or simply misplaced.

**DLP Architecture Types**

DLP solutions can be categorized based on their architectural design:

*   **Endpoint DLP** solutions use endpoint-based DLP agents to prevent data in use, data in motion, and data at rest from leaking — regardless of whether they're used solely within a corporate network or exposed to the Internet.
*   **Network/cloud DLP** solutions use only network-resident components — such as hardware/virtual gateways — to protect data in motion or at rest.
*   **Hybrid DLP** solutions utilize both network- and endpoint-based DLP components to perform the functionality of both endpoint and network DLP architectures.

It's important to note that due to the nature of their architecture, network DLP solutions cannot effectively safeguard data in use: It remains vulnerable to purely local activities, like unauthorized printing and screen capturing.

**Adopting DLP Is More Important Than Ever**

The benefits of a strong DLP program are clear. By taking proactive steps to slash the risk of data loss and leakage, organizations can achieve some powerful benefits:

*   More easily achieving and maintaining compliance with relevant data privacy regulations, such as the GDPR and HIPAA
*   Protecting intellectual property and trade secrets
*   Strengthening security in an era of widespread remote work and BYOD policies
*   Minimizing the potential impact of human error and negligence

Larger enterprises may choose to adopt on-premises DLP solutions — and for some, this may be the right choice. But setting up a successful DLP program is complex and resource-intensive, and it requires fine-tuning over an extended period of time. Businesses will also need to bring aboard specialized experts with relevant experience. Those without such a team already in place will likely find it more efficient to work with a managed service provider (MSP) for their DLP needs.

In turn, MSPs are turning to partners to help them build out these Advanced DLP offerings to help prevent data leakage from clients' workloads.

Whether you manage your DLP in-house or turn to a vendor to help, it is a critical part of a modern, and future, security stack.

**About the Author**

    

Iliyan Gerov is a Senior Product Marketing Specialist at Acronis.

Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity. 

Of the 20 total security fixes included, 16 were found by external researchers through Google's bug bounty program. A blog post from Google Chrome's Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:

*   CVE-2022-3304: Use after free in CSS. _Reported by Anonymous on 2022-09-01_
*   CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. _Reported by NDevTK on 2022-07-09_
*   CVE-2022-3305: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24_
*   CVE-2022-3306: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27_
*   CVE-2022-3307: Use after free in Media. _Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08_

The biggest external researcher payout for far a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000, the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as "$TBD." 

As usual, Google did not list any technical details of the bugs. 

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," Sista wrote. "As usual, our ongoing internal security work was responsible for a wide range of fixes." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Quashes 5 High-Severity Bugs With Chrome 106 Update

Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.

A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere.

The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy according to the security vendor is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze. 

The PowerShell-based malware stager used in the attacks have "featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code," Securonix said in a report this week.

**Uncommon Malware Capabilities**

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) fie with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities which include monitoring a long list of processes that could be uses to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix's Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: "Some obfuscation techniques, such as using PowerShell get-alias to perform \[the invoke-expression cmdlet\] are very rarely seen."

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

"Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools," the spokesperson says. "Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats."

**A Growing Cyber Threat**

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

**Defense Contractors: A Vulnerable Segment**

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Security Sockets Layer/Transport Layer Security. 

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data. Under the DoD's Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices — and get certified as having them — to be able to sell to government. The bad news? The rollout of the program has been delayed.

Sophisticated Covert Cyberattack Campaign Targets Military Contractors

The company's website remains offline after hackers used its compromised CMS to send out racist messages.

Fast Company, the business-news publication, has taken its website offline after cyberattackers compromised its content management system (CMS). They used the access to send out two obscene and racist push notifications to its Apple News subscribers.

The incident follows a similar defacement attack on the FastCompany.com homepage on Sunday, where the attackers posted similar language. The outlet replaced its website with a statement overnight on Tuesday, which remains in place at press time.

"The messages are vile and are not in line with the content and ethos of Fast Company," the company said in the notice. "Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

The company is investigating the situation and working to clean the site, it said. While no details of the attack are yet available, James McQuiggan, security awareness advocate at KnowBe4, noted that the goal was clearly brand assassination, perhaps with a side of flexing.

"While cybercriminals always go for the money, from time to time, they like to demonstrate their boldness by showing they have access to sensitive or publicly viewable systems by posting something outside of the normal scope of information shared," he said in an emailed statement.

**Highlighting the Need for Better Security**

Christopher Budd, senior manager of threat research at Sophos, tells Dark Reading that this is just latest example of an attack against PR and news infrastructure to deliver false information, with another recent example being a fake press release claiming Walmart was to begin accepting bitcoin.

The attack "highlights the fragility of PR and news infrastructure, and showcases how attacks like these could potentially be carried out for more malicious purposes that result in more dire consequences," he says. "Ultimately, this attack shows how news channels form a critical information infrastructure, and that this infrastructure should be secured in ways that match its criticality."

On a broader level, Jason Kent, hacker in residence at Cequence Security, suspects a credential-stuffing attack could be in play, indicating that the "credentials weren't terribly sophisticated and not backed up by multifactor auth or VPN requirements," he says.

"Credential-stuffing attacks are some of the most pervasive attacks we see on a daily basis," he adds. "Attackers attempt to guess passwords for valid accounts, and if they are successful the attacker will utilize the full permission of those credentials. Privileged access should be closely monitored as once the attacker has those, they will perform all manner of havoc."

Fast Company CMS Hack Raises Security Questions

Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.

Threats against cloud-native infrastructure are on the rise, particularly as attackers target cloud and container resources to power their illicit cryptomining operations. In the latest twist, cybercriminals are wreaking havoc on cloud resources to both propagate and run cryptojacking enterprises in costly schemes that cost victims some $50 in cloud resources for every $1 worth of cryptocurrency that the crooks mine off of these compute reserves.

That's according to a new report out today from Sysdig, which shows that while the bad guys will indiscriminately attack any weak cloud or container resources they can get their hands on to power money-making cryptomining schemes, they're also cleverly strategic about it. 

In fact, many of the most crafty software supply chain attacks are in large part designed to spawn cryptominers via infected container images. Attackers not only leverage source code dependencies most commonly thought of in offensive supply chain attacks — they also leverage malicious container images as an effective attack vehicle, according to Sysdig's "2022 Cloud-Native Threat Report." 

Cybercriminals are taking advantage of the trend within the development community to share code and open source projects via premade container images via container registries like Docker Hub. Container images have all the required software installed and configured in an easy-to-deploy workload. While that's a serious time saver for developers, it also opens up a path for attackers to create images that have malicious payloads built in and then to seed platforms like DockerHub with their malicious wares. All it takes is for a developer to run a Docker pull request from the platform to get that malicious image running. What's more, the Docker Hub download and installation is opaque, making it even harder to spot the potential for trouble.

"It’s clear that container images have become a real attack vector, rather than a theoretical risk," the report explained, for which the Sysdig Threat Research Team (TRT) went through a monthslong process of sifting through public container images uploaded by users worldwide onto DockerHub to find malicious instances. "The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads."

The team's hunt surfaced more than 1,600 malicious images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software. Cryptominers were far and away the most prevalent, making up 36% of the samples.

"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" says Stefano Chierici, senior security researcher at Sysdig and co-author of the report. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."

**TeamTNT and Chimera**

As a part of the report, Chierici and his colleagues also did a deep-dive technical analysis of the tactics, techniques, and procedures (TTPs) of the TeamTNT threat group. Active since 2019, the group according to some sources has compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera. It's best known for cryptojacking worm activity and according to the report, TeamTNT continues to refine its scripts and its TTPs in 2022. For example, it now connects scripts with the AWS Cloud Metadata service to leverage credentials associated with an EC2 instance and gain access to other resources tied to a compromised instance.

"If there are excessive permissions associated with these credentials, the attacker could gain even more access. Sysdig TRT believes that TeamTNT would want to leverage these credentials, if capable, to create more EC2 instances so it could increase its cryptomining capabilities and profits," the report said.

As part of its analysis, the team dug into a a number of XMR wallets used by TeamTNT during mining campaigns to figure out the financial impact of cryptojacking. 

Utilizing technical analysis of the threat group's operational practices during the Chimera operation, Sysdig was able to find that the adversary cost its victims $11,000 on a single AWS EC2 instance for every XMR it mined. The wallets the team recovered amounted some 40 XMR, meaning that the attackers drove up a cloud bill of nearly $430,000 to mine those coins. 

Using coin valuation from earlier this year, the report estimated the value of those coins equals about $8,100, with back-of-envelope figuring then showing that for every dollar the bad guys make, they cost victims at least $53 in cloud bills alone.

Container Supply Chain Attacks Cash In on Cryptojacking

The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.

Companies that focus on trusting their developers, looking beyond blame, and striving for strong cooperation tend see greater adoption of measures that contribute to more secure software supply chains.

According to the annual 2022 Accelerate State of DevOps published on Sept. 28 by Google Cloud's DevOps Research and Assessment (DORA) team also found that DevOps teams that focused on good security practices had a lower rate of burnout, with low-security teams having 1.4 times greater odds of voicing high levels of stress.

While technical infrastructure did help, the survey shows that starting with, or developing, the right culture is extremely important.

For instance, the DORA survey at the heart of the report measured DevOps teams' adherence to 13 different aspects measured by the Supply-chain Levels for Software Artifacts (SLSA) security framework, which calls for building product releases using centralized continuous integration/continuous development (CI/CD) systems, storing change histories indefinitely, defining software builds through scripts, and isolating the build process. And even though the majority of companies had completely or moderately implemented all of the 13 practices, those that had more collaborative and less blame-oriented cultures did better, the DORA survey found.

"More open, generative cultures ... tend to have positive effects for organizational performance as well as for the people who work there," says Todd Kulesza, one of the authors of the report and a senior user-experience (UX) researcher at Google Cloud. "What we want to see is — if there is a security problem — we want the engineers to feel empowered and safe to bring attention to that. You don't want your developers to sweep things under the rug, especially in terms of the security."

The survey unfortunately found that there's work to do on the collaborative front: Many software developers feel there is a gulf between programmers and application-security teams.

"High-friction approaches to security can be frustrating for developers and ineffective overall, as people try to avoid the friction points," the report stated. "The developers we spoke with wanted to do the right thing, and often discussed frustration that shipping features or fixes consistently took priority over potential security issues."

**Supply Chain Security: Critical Barometer for DevOps Performance**

In its eighth year, the DevOps Research and Assessment (DORA) team's annual report has strived to identify best practices among teams that use the DevOps approach to software development. In 2021, the DORA group found that software supply chain security had become a critical component of high-performing DevOps organizations, so this year, the researchers focused on determining what led to successful outcomes on that front.

    

Most DevOps teams have adopted SLSA practices. Source: Google Cloud's 2022 DORA report.

In the survey, Google focused on adoption of security practices that are part of supply chains.

In addition to DevOps teams' adherence to the SLSA framework, the survey asked developers the degree to which they comply with dozens of security practices that form the Secure Software Development Framework (SSDF) created by the US National Institute of Standards and Technology (NIST).

Organizations that had highly cooperative teams that shared risks and responsibilities, and prioritized learning over blame — so-called "generative" cultures — were more likely to adopt more than two dozen of those security practices, the survey of DevOps practitioners found.

"A lot of these practices — I'm not going to say that they are 100% established across organizations — but a lot of these practices have 50% or more of practitioners reporting that it is established or very well established," says John Speed Meyers, a co-author of the report and a security data scientist at software supply chain security firm Chainguard. "There is a lot of room for improvement, but these things are not so hard that no one is doing it."

The survey also measured developer burnout, based on how highly they rated their agreement with statements such as "my feelings about work negatively affect my life outside of work" and "I am indifferent or cynical about my work." Teams that did not focus on security were 40% more likely to agree or strongly agree with these statements.

In addition, teams that had the worst change failure rates and took the longest to deploy — anywhere from once a month to once every six months — also had high rates of burnout.

Google Cloud DORA: Securing the Supply Chain Begins With Culture

Shocking phishing numbers (more than 1 million in a single quarter) are being driven by vishing, smishing, and other lures that target mobile devices.

Last quarter saw a record-shattering number of observed phishing attacks, fueled in large part by attempts to target users on their mobile devices. 

The latest Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report" for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history. 

The financial sector remained the top target for phishing lures (27.6%), along with other bombarded sectors, including webmail and software-as-a-service providers, social media sites, and cryptocurrency. 

But much of the rise in phishing volume is due to a new threat actor focus on mobile devices, specifically vishing (voice phishing) and smishing (SMS phishing) attacks, the report noted. 

"We're seeing a huge increase in mobile phone-based fraud, with smishing and vishing collectively seeing a nearly 70% increase in volume as compared to Q1 totals," Matthew Harris, senior product manager of fraud at Opsec said in reaction to the APWG findings. "We are still seeing fraud coming in via the typical OTT apps (WhatsApp, WeChat, Facebook Messenger, etc.), but the SMS-based fraud is really the kicker here," 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Phishing Attacks Crushed Records Last Quarter, Driven by Mobile

With provisional agreement reached on the Digital Operational Resilience Act, the clock is now ticking for banks and information and communications technology (ICT) services companies with European operations. Here's what you need to know.

On May 11, 2022, the European Union (EU) reached provisional agreement on the new Digital Operational Resilience Act (DORA). Despite the phrasing, there's nothing "provisional" about DORA. In fact, one of the world's most far-reaching cybersecurity regulations for financial services and their supply chains is mostly a done deal.

All that remains prior to formal adoption, expected sometime this October, primarily involves a handful of technical changes and translation into the 24 official languages of the EU's member states.

DORA represents the EU's response to the ever-increasing number of cyberattacks against financial institutions. It's designed to strengthen the security of EU financial firms, such as banks, insurance companies, investment firms, and more, by imposing resilience requirements and regulating the supply chain. But, as I noted in an earlier post, the tenets of DORA extend far beyond the EU and its financial sector.

DORA's uniform requirements for the security of network and information systems encompass not only enterprises in the financial sector but also critical third-party vendors providing information and communications technology–related services to the financial sector, such as cloud platforms and data analytics.

Indeed, DORA's reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether or not that enterprise or service is based inside the EU. In fact, under DORA, the complexity of the supply chain or the lack of EU presence are both considered risk factors.

**Mandating New Regulatory Perspectives**

DORA is unique in that it brings a new and different level of regulatory scrutiny to a wide variety of global enterprises. DORA's requirements _mandate_ — not merely suggest — compliance with its provisions. Just as important, the impact of this new level of regulatory scrutiny differs depending on the point of view of the enterprise.

Financial institutions accustomed to a regulatory environment primarily designed to assess financial risk and stability will now have to take the potential risk posed by their ICT operations just as seriously. Financial institutions are accustomed to address risk in the form of capital requirements. DORA takes a different approach by mandating specific behavior and performance-based requirements. From the point of view of financial institutions, that elevation of risk has consequences across multiple aspects of their business, such as how they consume technology and how they transform their business by transitioning to new technologies like cloud computing. This includes overall risk management strategies and capabilities, supply chain security, and organizational staffing and policies for ensuring proper ICT risk assessment and compliance.

DORA also changes the regulatory perspective of ICT organizations. Up to now, they've been regulated primarily on data-related issues, such as data privacy, and data breach notification, based on concerns about personal data and political objectives like digital sovereignty. Groundbreaking rules, such as the General Data Protection Regulation (GDPR) in Europe, and the more recent California Consumer Privacy Act (CCPA) in the United States, come to mind.

ICT organizations might also have other regulatory obligations on security, or have been classified as critical infrastructure, depending on where they are located, such as under the Network and Information Security Directive (NIS) in Europe, the Cybersecurity Act 2018 in Singapore, or sector-specific legislation for specialized industries, such as telecoms in the United States.

Now, if ICT companies are servicing financial institutions in the EU, they most likely will be subject to DORA as well. So, in addition to their prior regulatory frameworks, those ICT providers designated as offering a critical service will suddenly be regulated under DORA in a way that very much feels as if they are becoming _extensions_ of the EU financial institutions they're servicing. Regardless of how one looks at it, that's a dramatic change — for both financial institutions and ICT providers.

But that's not all. DORA changes the perspective for the EU's regulatory establishment. Regulators who are experts on financial institution compliance must now extend their scope to include ICT providers offering critical services, such as cloud providers, data analytics services, and other non-financial businesses. In countries with complex regulatory structures, there will also be the need to cooperate with other bodies tasked with regulating these additional types of non-financial industries.

**Meeting the Challenges**

DORA requires EU financial institutions to assess their own cybersecurity and risk management maturity. Understanding and managing their supply chain risk performance will be central to this effort.

In general, financial institutions are adept at stress tests for determining security and financial stability. It's a different challenge to extend those kinds of tests to other organizations. So, for the EU's financial sector, how to manage vendors, risk management, and operational capabilities in an ever more complex and extended supply chain poses the biggest puzzle.

For example, a financial institution might be headquartered in Europe but have all its support activities outsourced to businesses based in India. These support services may not technically be financial institutions. But DORA will require the financial institution to assess if the vendor is critical to its operations and apply the relevant DORA requirements to that relationship.

For enterprises not based in the EU, the key question is one of jurisdiction and market access. Financial institutions or ICT providers operating outside the EU are not affected. But if the enterprise is a financial institution or ICT service provider servicing the EU finance sector in any way, it will most likely be subject to DORA — directly or indirectly.

**Countdown to 2024**

Unless something changes in the final text, DORA goes into effect 24 months after its official adoption. Realistically, that is likely to be somewhere near the close of 2024. The good news is that this provides plenty of time for organizations to prepare for compliance. Most importantly, it is not too long for inclusion in a typical enterprise budget cycle.

But before that deadline sneaks up on you, start preparing _now_. Here are five key steps:

*   Use the time until 2024 wisely.
*   Understand where you are. Search, find, and identify your compliance gaps.
*   Determine what you need to remediate your gaps.
*   Educate and get buy-in from senior management.
*   Budget for the 24 months.

The clock is ticking.

Source

DARKReading