With security experts warning against attacks on machine learning models and data, startup HiddenLayer aims to protect the neural networks powering AI-augmented products.

As companies increasingly add artificial intelligence (AI) capabilities to their product portfolios, cybersecurity experts warn that the machine learning (ML) components are vulnerable to new types of attacks and need to be protected.

Startup HiddenLayer, which launched on July 19, aims to help companies better protect their sensitive machine-learning models and the data used to train those models. The company has released its first products aimed at the ML detection and response segment, aiming to harden models against attack as well as protect the data used to train those models.

The risks are not theoretical: The company's founders worked at Cylance when researchers found ways to bypass the company's AI engine for detecting malware, says Christopher Sestito, CEO of HiddenLayer.

"They attacked the model through the product itself and interacted with the model enough to ... determine where the model was weakest," he says.

Sestito expects attacks against AI/ML systems to grow as more companies incorporate the features into their products.

"AI and ML are the fastest growing technologies we have ever seen, so we expect them to be the fastest growing attack vectors that we have ever seen as well," he says.

**Flaws in the Machine Learning Model**

ML has become a must-have for many companies' next generation of products, but businesses typically add AI-based features without considering the security implications. Among the threats are model evasion, such as the research conducted against Cylance, and functional extraction, where attackers can query a model and construct a functional equivalent system based on the outputs.

Two years ago, Microsoft, MITRE, and other companies created the Adversarial Machine Learning Threat Matrix to catalog the potential threats against AI-based systems. Now rebranded as the Adversarial Threat Landscape for Artificial Intelligence Systems (ATLAS), the dictionary of possible attacks highlights that innovative technologies will attract innovative attacks.

"Unlike traditional cybersecurity vulnerabilities that are tied to specific software and hardware systems, adversarial ML vulnerabilities are enabled by inherent limitations underlying ML algorithms," according to the ATLAS project page on GitHub. "Data can be weaponized in new ways which requires an extension of how we model cyber adversary behavior, to reflect emerging threat vectors and the rapidly evolving adversarial machine learning attack lifecycle."

The practical threat is well known to the three founders of HiddenLayer — Sestito, Tanner Burns, and James Ballard — who worked together at Cylance. Back then, researchers at Skylight Cyber appended known good code — actually, a list of strings from the game Rocket League's executable — to fool Cylance's technology into believing that 84% of malware was actually benign.

"We led the relief effort after our machine learning model was attacked directly through our product and realized this would be an enormous problem for any organization deploying ML models in their products," Sestito said in a statement announcing HiddenLayer's launch.

**Looking for Adversaries in Real Time**

HiddenLayer aims to create a system that can monitor the operation of ML systems and, without needing access to the data or calculations, determine whether the software is being attacked using one of the known adversarial methods.

"We are looking at the behavioral interactions with the models — it could be an IP address or endpoint," Sestito says. "We are analyzing whether the model is being used as it is intended to be used or if the inputs and outputs are being leveraged or is the requester making very high entropy decisions."

The ability to do behavioral analysis in real time sets the company's ML detection and response apart from other approaches, he says. In addition, the technology does not require access to the specific model or the training data, further insulating intellectual property, HiddenLayer says.

The approach also means that the overhead from the security agent is small, on the order of 1 or 2 milliseconds, says Sestito.

"We are looking at the inputs after the raw data has been vectorized, so there is very little performance hit," he says.

Startup Aims to Secure AI, Machine Learning Development

Researchers say Okta could allow attackers to easily exfiltrate passwords, impersonate other users, and alter logs to cover their tracks.

Identity services provider Okta is facing serious security flaws, researchers contend, that could easily let an attacker gain remote access to the platform, extract plaintext passwords, impersonate users of downstream applications, and alter logs to hide any evidence they were ever there.

That's according to researchers from Authomize. However, Okta said in a blog that the issues are features, not bugs — and that the app works according to design.

Last January, threat group Lapsus$ claimed to have breached Okta with "superuser" account credentials, posting screenshots they claimed to have grabbed from internal systems. It was determined 366 Okta customers were potentially impacted in that incident, though Okta later said it determined only two actual breaches.

"Following the news of the Okta breach earlier this year, we focused our efforts on understanding what sorts of actions a malicious actor could do if they achieved even a minimal level of access within the Okta platform," Authomize CTO Gal Diskin said in the team's security analysis this week.

Diskin explained Okta's architecture for password synching allows potential malicious actors to access passwords in plaintext, including admin credentials, even over encrypted channels. To do so, the attacker would need to be signed into the system as an app admin of a downstream app (examples include customer service agents or financial operations teams) — from there, the person could reconfigure the System for Cross-domain Identity Management (SCIM) to nab passwords for any Okta user in the organization.

"All that is needed for extracting the clear text passwords is for an actor to gain app admin privileges," according to the report. Given the constantly expanding number of users within organizations of all sizes, especially in enterprises, Diskin said that the probability of an app admin being compromised is statistically quite high, with the Verizon Data Breach Investigations Report for 2022 finding that 82% of breaches involved human elements like stolen credentials and phishing. More concerningly, these app admins are generally not treated as privileged identities.

For Okta's part, the passwords are in clear text because there is no standard reliable protocol for syncing hashes, researchers noted. However, Authomize noted that Okta did pledge to have its product team take a closer look at the password-leak risks.

Okta Exposes Passwords in Clear Text for Possible Theft

Multiple cyber-insurance carriers have adopted act-of-war exclusions due to global political instability and are seeking to stretch the definition of war to deny coverage.

With the surge in cybercrime continuing to advance, companies are scrambling to protect themselves. What's more, the attacks are increasingly politically motivated, and government-related industries are finding themselves targeted among heightened global tensions. Geopolitical conflicts are expanding into the digital realm, and threats are coming from all angles.

Given the ubiquitous risks, the cyber-insurance industry is booming. Corporations are increasingly transferring the risk of cybercrime to the insurance industry. So, if a cyberattack does occur, a company won't have to cover the expenses out of pocket — be they in ransom form or through damages and losses.

And yet, despite the market growth, multiple cyber-insurance carriers have moved to adopt act-of-war exclusions due to global political instability. This means that your carrier could deny you coverage if your cybersecurity breach has international political implications. You might pay a ransom to restore your systems, but your cyber insurance won't necessarily have to cover it.

So, how will shifting global conflicts shape the future of the cyber-insurance industry, and how can you protect your organization?

**Impact of the Russian-Ukrainian Conflict**

Let's start with the elephant in the room: the Russian-Ukrainian conflict. While the political ramifications of the conflict don't need repeating here, there are a multitude of uncertainties regarding its impact on the cyber-insurance sector.  

While act-of-war exclusions in insurance policies have been common since the Spanish Civil War, the language wasn't explicit regarding cyberattacks, which of course arose much later.

But now cyberattacks by state and non-state actors are causing hand-wringing across the insurance industry, which is seeking to protect itself from frequent, high cost payouts. Insurance companies are largely moving to rewrite your existing act-of-war clauses to make the language crystal clear that international cyber warfare is not covered.

But what exactly constitutes an act of war? Theoretically, to deny coverage, the cyberattack would have to be launched by official state actors. However, that can be very difficult to determine when you're talking about countries where the line between state and non-state actors is fuzzy at best. Non-state actors may be unofficially acting in collusion with government forces.

So, if Russian cybercriminals, harbored by the government, launch a cyberattack against your organization, are you covered? This is largely a gray area, but insurance companies are increasingly seeking to stretch the definition of war here to deny you coverage.

**How to Secure Adequate Coverage**

Due to the changing market and geopolitical situation, you need to be keenly aware of the exact kind of cyber-insurance coverage your organization requires. Your decisions should be dictated by the industry you're working in, the security risk, and how much you stand to lose in the event of an attack.

It's important to note that insurance providers are also being more stringent in their requirements for companies to even obtain cyber coverage in the first place. Carriers are increasingly requiring companies to practice good cyber hygiene and have rigid cybersecurity protocols in place before even offering a quote.

Once you have proper cybersecurity protocols in place, you should better qualify for adequate plans. However, remember that no two plans are alike or equally inclusive. When choosing a plan, be sure to look for any fine print regarding act-of-war and terrorism exclusions or those for other "hostile acts." Even when you've done everything right, your carrier can still attempt to deny you coverage under these loopholes.

For instance, after the pharmaceutical corporation Merck suffered millions in losses from Russian hackers, the company was denied payout by an arsenal of cyber-insurance providers. They collectively cited act-of-war exclusions. However, a judge ended up ruling in favor of the corporation, saying the clause only applied to armed conflict, and that insurers needed to expand the language to cover cyber warfare. So, know your plan and be prepared to advocate for yourself when making a claim.

**The Future of Cyber Insurance**

The insurance industry is learning from its past mistakes and getting a better handle on pricing cyber risk. As risk increases, you can expect that your premiums will also spike, all while your actual coverage decreases. In essence, corporations are paying more while getting less.

Again, it's not clear what constitutes an act of war today, but you can be sure that the definition will be ever expanding as insurance providers scramble to reduce their risk exposure.

The providers are paying attention — and you should be too.

Will Your Cyber-Insurance Premiums Protect You in Times of War?

The Curricula platform uses behavioral science with a simplified approach to train and educate users — and marks another step forward in Huntress’ mission to secure the 99%.

ELLICOTT CITY, Md., July 19, 2022 (GLOBE NEWSWIRE) -- Huntress, the managed security platform for small and mid-market businesses (SMBs), today announced it has acquired Curricula, a fun, story-based security awareness training platform that empowers employees to better defend themselves against hackers.

As cybercriminals continue to prey on individuals with little or no security training, the acquisition adds another critical layer to Huntress’ growing Managed Security Platform — delivered through an interactive eLearning experience that empowers employees to become their own line of defense in the fight against attackers.

“Delivering education and rallying the community have always been a core part of our mission,” said Kyle Hanslovan, Huntress CEO and Co-Founder. “Employees today need relatable and effective learning — not just more uninspired content that punishes learners and sets SMBs up for failure.Our team had already seen Curricula’s results internally, so it seemed criminal to not bring it to our partner ecosystem. Together, we're combining Curricula's creativity with Huntress' offensive expertise to address the demand for memorable and actionable threat training.”

In addition to its core platform, Curricula offers a number of additional features to help businesses build a positively focused security culture — including a gamified phishing simulator, story-based training episodes, custom content creation tools, compliance reporting and more.

“Curricula is already embraced by thousands of organizations across the globe simply because our training content is second to none,” said Curricula CEO Nick Santora. “Our animation studio creates security awareness content that is fun, memorable, and, most importantly, effective. Now under Huntress, we’re able to scale our global reach to resellers and service providers, setting the tone for what a remarkable security awareness program should be for every organization.”

More information can be found about Curricula’s training at www.curricula.com/cyber-security-awareness-training.

Today, Huntress partners with more than 3,000 service providers that in turn protect more than 1.2 million endpoints across more than 68,000 businesses.

**About Huntress**  
Hackers are constantly evolving, exploiting new vulnerabilities and dwelling in IT environments,—,until they meet Huntress.

Huntress protects small and mid-market businesses from modern cyberattackers. Founded by former NSA Cyber Operators—and backed by a team of 24/7 threat hunters — our managed security platform defends businesses from persistent footholds, ransomware and other attacks.

We're on a mission to secure the 99%. Learn more at www.huntress.com and follow us on social @HuntressLabs.

**About Curricula**  
Founded in 2015, Curricula is a fun security awareness training platform that uses story-based learning to communicate cyber risk to employees. Curricula’s mission is to fix boring security awareness programs by empowering employees to defend themselves against hackers. For more information visit: www.Curricula.com.

Huntress Acquires Curricula for $22M to Disrupt Security Training Market, Elevate Cyber Readiness for SMB Employees

A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.

Six vulnerabilities have been found in a GPS tracking device used by businesses to monitor vehicle fleets, and by consumers as an anti-theft device. If exploited, they could allow attackers to widely disrupt fleet operations and track individual vehicles.

That's according to cybersecurity firm BitSight, which stated in a Tuesday advisory that the device, the MiCODUS MV720, has vulnerabilities in both the device and the back-end service. These pave the way for man-in-the-middle (MitM) attacks, authentication bypasses, and location tracking. The vulnerabilities include a hard-coded device password that allows access via SMS requests, and a default password on the API server, BitSight found.

"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," BitSight states in the report. "For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways."

The vulnerabilities include a hard-coded password that could allow commands to be sent to devices, the ability to use administrator privileges for commands, and a default password of 123456. Flaws of lesser severity include a reflected cross-site scripting (XSS) issue and the ability to directly access parts of the application. Five of the vulnerabilities have been assigned identifiers under the Common Vulnerabilities and Exposures (CVE) program: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944. The default password security weakness was not considered a vulnerability, and so did not get a CVE identifier.

**GPS Bugs Remain Unpatched**

While the company has not observed any signs that the vulnerabilities have been exploited, the Chinese firm that manufacturers the device, MiCODUS, has not responded to attempts at discussing the issues, says Stephen Boyer, co-founder and CTO for BitSight.

BitSight originally contacted MiCODUS about the problems in September 2021, and after an initial request for more information, the company refused subsequent attempts to communicate, according to the firm. MiCODUS did not immediately respond to a request for comment from Dark Reading.

"Unfortunately, the hard-coded password means that the only real remediation strategy is to remove the MV720 device or remove the SIM card from the device," he says. The firm shared the bug information with the Department of Homeland Security, he added, in hopes that it could develop an appropriate remediation strategy.

"IoT devices are full of vulnerabilities, and this will not change going into the future no matter how many of these stories come out," Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. "IoT devices are particularly hard to patch. They should all be auto-patching, but most aren't. Most require end-user interaction, and many times a physical connection."

He added, "If you think it's hard to patch regular software, it's ten times as hard to patch IoT devices. I'm purely guessing here, but I'd speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them. Hackers love those odds."

**IoT: Still No Security by Design, Widespread Threat**

The vulnerabilities underscore the risks posed by Internet of Things (IoT) devices that have not benefited from adequate attention to security design and audits. Connected devices typically have less security, but are distributed throughout many companies' infrastructure and handle physical processes — such as entry access and power control — unlike traditional information technology. 

Concerned with the lack of security, the US government has established requirements for IoT device security.

    

MiCODUS GPS trackers are used by businesses and individuals in 169 countries. Source: BitSight

IoT devices often are also far more widespread than most business users recognize. As shown by the BitSight research, for example, GPS devices in general are used in vehicles belonging to at least five Fortune 50 companies, as well as energy utilities and governments in the Middle East, Europe, and North America.  

BitSight could not determine the prevalence of the MiCODUS MV720 specifically, but noted that MiCODUS claims that 1.5 million devices are used globally. In addition, BitSight saw nearly 2.4 million connections to the MiCODUS API server from 169 countries worldwide. The MiCODUS MV720 is a basic model sold for $20 online, but other models could account for some, or even most, of the IoT manufacturer's installed base.  

The BitSight report notes that two broad use cases exist for the devices. In some countries, data suggests that the devices are used to manage fleets of vehicles. However, in other countries, the large number of individual connections per capita suggests that individuals are using the devices for anti-theft applications.

"Indonesia has many unique IP addresses communicating with the MiCODUS server, but mostly in the GPS tracker port," BitSight states in the advisory. "This may suggest there are a small number of users with a high number of devices, which is typical in a fleet-management scenario. By comparison, Mexico has a very high number of connections to the web and mobile ports, which could indicate individuals are using the GPS tracker as an anti-theft device."

Mexico, Russia, and Uzbekistan are the countries with the most individual users, the company estimates. Russia, Morocco, and Chile appear to have the greatest number of actual devices.

Unpatched GPS Tracker Security Bugs Threaten 1.5M Vehicles With Disruption

New CAPE platform delivers patented intelligent automation and enforcement of consumer data privacy mandates at lowest total cost of ownership.

SAN JOSE, CA – (July 19, 2022) – GhangorCloud, a leading provider of intelligent information security and data privacy compliance enforcement solutions, today announced its patented Compliance and Privacy Enforcement (CAPE) product offering. The CAPE platform automates tasks associated with data discovery, data classification, data mapping and consumer privacy compliance enforcement in real time across all regulatory compliance mandates including GDPR, CCPA, HIPPA, PCI, PDPB, PDPL and other data privacy laws across the globe.

One of the biggest challenges that global organizations face is the pervasive risk of serious fines as mandated by consumer data privacy regulations. The EU General Data Protection Regulation (GDPR) is among the toughest data protection laws. Under the GDPR, the EU's data protection authorities can impose fines of up to €20 million (roughly $20,372,000), or 4% of worldwide turnover for the preceding financial year – whichever is higher. Companies that fail to comply with data privacy mandates risk not only financial exposure, but also operational and reputational losses.

GhangorCloud’s CAPE solution delivers a highly scalable architecture and can be quickly deployed across an enterprise as well as multi-cloud environments. Its’ AI powered eDiscovery Engine identifies and classifies content automatically, generates privacy enforcement policies without requiring tedious manual intervention, and provides real-time enforcement of privacy mandates to minimize risk and exposure while significantly reducing total cost of ownership.

“Data compliance and privacy enforcement is a daunting task that involves multiple, complex processes and requires the ability to sieve through large volumes of data corpuses at a very high rate both on-premises and across multi-cloud environments,” said Tarique Mustafa, CEO/CTO, GhangorCloud. “Leveraging our patented Intelligent Automation Engine, the CAPE platform addresses these issues with a modern-day data compliance and privacy system for expeditious and error-free performance of complex tasks, while significantly minimizing the cost of enforcement of regulatory compliance and privacy mandates.”

Compliance and Privacy Enforcement (CAPETM) Solution Features Include:  
AI Powered Data eDiscovery:  
GhangorCloud’s AI powered Data Discovery Engine was architected from the ground up to address the deficiencies and constraints of previous generation data discovery solutions.  
• Complex Data Object Definition: CAPE embodies unique AI based patented technologies that greatly facilitate the definition and discovery process for complex data/information objects that can represent any type of concrete and abstract data or information objects of interest. Virtually any kind of data/information such as structured, unstructured, semi-structured, ordered/unordered sets of data and data sequences can all be modelled and automatically identified and classified.  
• Auto Identification: Incorporates sophisticated patented technology for auto-identification of high granularity canonical as well as complex data objects that involve components with cross modality, cross type, composite structured and unstructured, embedded, or independent canonical data types.  
• Auto Classification: CAPE incorporates a unique Auto-Classification Engine that works with sophisticated data object ontologies to auto-classify sensitive information. The Auto-Classification engine examines every data/information object in the corpuses and using GhangorCloud’s patented algorithms automatically classifies it into one of the classification types defined in the data object ontology. It can classify sensitive information as granular as specific words and phrases. The Auto-Classification Engine completely replaces the requirement for manual tagging or fingerprinting of sensitive information. It can readily work out-of- the-box and does not require any pre-processing of data or a laborious training / learning process.

Data Mapping  
CAPE incorporates a sophisticated Data Mapping Engine that automatically creates a persistent Universal Data Map (UDM) for the data/information objects that exist in the enterprise corpuses. This is a crucial capability that greatly facilitates efficient navigation through large storage systems and corpuses following the lineage of any given data/information object of interest. The UDM created by the Data Mapping Engine is used effectively by the CAPE’s Privacy Enforcement Workflow Engine to automatically generate the Data Subject Request (DSR) and Data Subject Access Request (DSAR) service workflow.

Privacy Request Enforcement  
The Privacy Request Enforcement Engine utilizes its Universal Data Map (UDM) and Actor Repository Map (ARM) to correlate Actors (i.e., custodians of data repositories), specific set of repositories over which a given Actor has jurisdiction/authorization and the corresponding operations that they are authorized to perform on the specific data repositories. Using patented AI Algorithms, the engine can automatically discretize the incoming DSAR or DSR jobs into corresponding sets of ‘primitive’ (or atomic) tasks. The ‘primitive’ tasks are then automatically ‘serialized’ into a task sequence using the logical and precedence dependencies between these tasks. The Workflow Engine is equipped with a built-in mechanism to monitor and report the status of the DSAR or DSR fulfillment process, and raise alerts, alarms, or other notifications as appropriate during the fulfillment process.

GhangorCloud’s Compliance and Privacy Enforcement solution is available now. For more information and pricing details, email \[email protected\].

About GhangorCloud  
Headquartered in Silicon Valley, GhangorCloud is a leading provider of intelligent information security and data privacy compliance enforcement solutions. GhangorCloud's Information Security and Consumer Compliance solutions protect data based on its contextual and conceptual significance, using a powerful policy engine and security algorithms to identify, classify, and protect large volumes of information in real-time with unprecedented accuracy. The company is founded by Silicon Valley security veteran Tarique Mustafa and Bhanu Panda, and is backed by a team, board and advisors that include leading authorities from companies like Symantec, McAfee, Trend Micro, Cisco, Juniper, Alteon and Array Networks. For more information, see http://www.ghangorcloud.com/.

GhangorCloud Announces CAPE, a Next Generation Unified Compliance and Data Privacy Enforcement Solution

Builds personalization, posture scoring and enhanced market intelligence into interactive map of the application security ecosystem.

TEL AVIV, Israel, July 19, 2022 (GLOBE NEWSWIRE) -- Enso Security, developers of the first Application Security Posture Management (ASPM) solution, today launched the next iteration of the AppSec Map, its interactive map of the AppSec ecosystem. Embraced by the community for its ability to intuitively segment and visualize the AppSec tech stack, the Map now enables users to create custom maps and generate security posture ratings. By providing a community-driven framework to assess and improve their application security posture, Enso Security is empowering AppSec practitioners to think strategically about their programs and bolster their ability to navigate the fast-moving landscape.

“As a CISO, I always struggled to stay current with which vendors did what and could only have dreamed of a resource like this. I applaud Enso for rallying the community to provide it,” said Ryan Gurney, CISO-in-Residence, YL Ventures. “The AppSec Map is a simple yet powerful tool that makes it easy for practitioners to understand the current AppSec landscape and maintain control over the trajectory of their programs.”

**Enhanced AppSec Map functionality moves the industry forward**  
First launched in July 2021, the AppSec Map defines and classifies the many solutions and services that populate the AppSec landscape. The Map is open to all AppSec vendors. To add a product or a service please click here and once approved, Enso Security will publish it within 3-5 days.

It offers practitioners a holistic view of the AppSec stack and makes it easy for them to research the options available to them. The new iteration enables users to build a custom map and generate a security posture badge based on the code, tools and services their organization uses, offering AppSec practitioners a much deeper understanding of the state and maturity of their programs.

To create a personalized map, users follow a very simple wizard that prompts them to enter the full set of AppSec tools, code and services used by the organization. In a matter of seconds, the Map generates a visual representation of their organization’s AppSec program.

It also generates a Posture Badge -- a graphic that consists of a set of color coded, concentric circles that reflects the health of the user’s AppSec program. The Posture Badge considers the organization's full asset inventory and the effectiveness of the AppSec practices associated with activities on each asset and type of activity (such as Pen-Testing, Static Code Analysis, etc.). Posture Badges place the maps in context, providing a baseline that makes it easier for AppSec teams to identify gaps, analyze how resources are allocated and optimize their programs.

“We initially built the AppSec Map because, despite being seasoned practitioners, our experience navigating the AppSec landscape was pure chaos,” said Chen Gour Arie, chief architect and co-founder of Enso Security. “Given the growing set of buzzwords, acronyms and culture shifts AppSec professionals contend with, we’re excited to release new functionality that makes it even easier to separate the wheat from the chaff. We’re blown away by how well the Map has been received and hope we can continue to be of service to the community as they navigate the ever-shifting pool of AppSec resources at their disposal.”

The AppSec Map includes commercial services and solutions as well as open-source tools and projects for any AppSec-related activity, from security training to pen-testing to runtime detection and protection.

Because the Map is community driven, as services and toolsets mature and evolve, so does the Map. The AppSec community and vendors are encouraged to share their ideas and thoughts on how to improve this map, and to submit their solutions so that the community can easily discover the value it adds to their AppSec program. The AppSec Map can be found at https://appsecmap.com.

**About Enso Security**  
Enso Security is transforming application security by empowering organizations to build, manage and scale their AppSec programs. Its Application Security Posture Management (ASPM) platform easily deploys into an organization’s environment to create an actionable, unified inventory of all application assets, their owners, security posture and associated risk. With Enso Security, AppSec teams gain the capacity to manage the tools, people and processes involved in application security, enabling them to build a simplified, agile and scalable application security program without interfering with development. Enso has been recognized with numerous awards including the 2022 Excellence Awards, Globee Awards, and Forbes Top 20 Cybersecurity Startups to Watch.

Enso Security Leads Industry Mission to Bring Control to Chaos With Community-Driven AppSec Map

The conventional wisdom that virtual container environments were somehow immune from malware and hackers has been upended.

Kubernetes and container technology in general had a good run as seemingly immune to malware, but that ended when Siloscape burst onto the scene in March 2021. It was the first known threat targeting Kubernetes environments to potentially do all kinds of nefarious things, including spread ransomware. In the ensuing 16 months, Siloscape has undoubtedly provided other cybercriminals with a blueprint for attacking container environments.

It's worth reviewing the details of Siloscape. Threat researcher Daniel Prizmant, who discovered the malware, put it this way: "Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.

"Compromising an entire cluster is much more severe than compromising an individual container, as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application," he continued. "For example, the attacker might be able to steal critical information such as usernames and passwords, an organization's confidential and internal files or even entire databases hosted in the cluster. Such an attack could even be leveraged as a ransomware attack by taking the organization’s files hostage."

**A Distant Threat? No! **

It's easy to fall into the trap of thinking this is some distant threat affecting an obscure technology few companies are deploying.

_Au contraire_. Prizmant himself pointed out that "with organizations moving to the cloud, many use Kubernetes clusters as their development and testing environments, and a breach of such an environment can lead to devastating software supply chain attacks."

And recent research revealed one-third of organizations already rely on Kubernetes. Of the remaining two-thirds that do not yet use it, 86% expect to deploy the technology in the next two to three years.

Alarmingly, though, just 33% of organizations that have deployed Kubernetes so far have tools in place to protect their container environments against data loss incidents such as ransomware. That may be why it didn't take long for Prizmant's ransomware prediction to come true — the same research revealed that barely a year later, almost half of organizations that have deployed Kubernetes have already experienced a ransomware attack on their container environments, while a staggering 89% of respondents said that ransomware attacks on Kubernetes environments are "an issue" for their organizations today.

Does this mean that Kubernetes is the new weak link in data protection? The Achilles' heel in defense against ransomware?

Siloscape is undoubtedly just the first in a lineup of threats that will target Kubernetes environments as the technology continues to gain steam.

**The Simplest Solution**

Unfortunately, most organizations are overlooking the simplest solution: extending current data protection from their traditional workloads out across their containerized environments. Beyond the ability to quickly protect Kubernetes workloads, this approach has other benefits, including a simplified data restoration process and a single place to manage protection data.

Other keys to protecting Kubernetes environments against ransomware and other data loss threats are:

*   Use Transport Layer Security (TLS) for all API traffic.
*   Choose an authentication mechanism for the API servers to use that matches the common access patterns when you install a cluster.
*   Enable role-based access control.
*   Control access to the kubelet through kubelet authentication and authorization.
*   Set appropriate resource quotas and limit ranges.
*   Properly configure pod security admission.
*   Add rules to prevent containers from loading unwanted kernel modules.
*   Restrict network access.
*   Restrict cloud metadata API access.
*   Set controls for controlling which nodes pods may access.
*   Enable audit logging.
*   Restrict access to alpha and beta features.
*   Rotate infrastructure credentials frequently.
*   Review third party integrations before enabling them.

Learn more about these steps from Kubernetes here.

Kubernetes is easy for organizations to deploy, and quickly improves affordability, flexibility, and scalability — it's no wonder so many are embracing containerization. But because deployment is so simple, organizations can easily surge ahead faster with their Kubernetes implementation than their Kubernetes protection. Follow the guidance here to avoid letting that happen to you.

Protecting Against Kubernetes-Borne Ransomware

Major supply chain attacks have had a significant impact on software security awareness and decision-making, with more investment planned for monitoring attack surfaces.

Organizations are waking up to the need to establish better software supply chain risk management policies and are taking action to address the escalating threats and vulnerabilities targeting this expanding attack surface.  

These were among the findings of a Coalfire-sponsored, CyberRisk Alliance-conducted survey of 300 respondents from both software-buying and software-producing companies.

Most survey respondents (52%) said they are "very" or "extremely" concerned about software supply chain risks, and 84% of respondents said their organization is likely to allocate at least 5% of their AppSec budgets to manage software supply chain risk.

Software buyers are planning to invest in procurement program metrics and reporting, application pen-testing, and software build of materials (SBOM) design and implementation, according to the findings, released on Tuesday.

Meanwhile, software developers said they plan to invest in secure code review as well as SBOM design and implementation.

The survey also found 59% of software-development company customers have experienced purchase delays of up to three months due to concerns about code provenance.

As Coalfire vice president Dan Cornell explains, this statistic reflects a convergence between cybersecurity risk and more generalized business risk, indicating that organizations perceive software supply chain risks as being significant enough that they are slowing down purchases until those risks can be addressed.

"But in our modern business environment, delays add business risk because they postpone delivering value to stakeholders and open up opportunities for competitors to be first to market," he adds. "So, organizations need to look at how they’re addressing supply chain risk."

He says that if they can address that risk sufficiently but do it faster than their competitors, that means they can be quicker to market and quicker to start delivering value to their stakeholders.

"If they can’t, then the cybersecurity risk of software supply chains will increase the business risk of being late to take advantage of opportunities," he says.

**C-Suite Takes Notice of Software Supply Chain Security**

Cornell says some of the most significant findings for forward progress were around who in the responding organizations were concerned about software supply chain issues.

For software buyers, 51% of senior management (C-level) raised software supply chain concerns — this was second only to security team members raising the concerns (at 60%).

"I would expect security teams would be raising these questions, but I found it particularly interesting that these senior-level executives were also concerned with this issue," Cornell notes. "That’s fantastic, and a required precursor to making significant progress on this issue. Obviously, security teams care about this, but they don’t set corporate policy and direction — senior executives do."

He says as senior executives get on board, they will start to reflect this priority in budget allocations.

"Then — and only then — will the ball get rolling to address software supply chain issues in a structured and programmatic manner," he says.

On the software suppliers side, Cornell points out that 71% of respondents said that DevOps departments are driving software supply chain decision-making, even more than security teams (at 63%).

"This is really encouraging — I see having these initiatives being driven from outside security teams as being critical," he explains. "Security teams need to be advisers about risk, but DevOps teams are the ones who are selecting the open source components they use in their projects and making the decisions on what to upgrade and when."

He adds that seeing them take this issue seriously — and, arguably, the most seriously based on the responses — gives him hope that these issues will start to get addressed.

**DevOps Teams Build Center of Risk Management**

From Cornell's perspective, DevOps — or hopefully, DevSecOps groups — should really spearhead the management of software supply chain risk.

"They are the ones who own the software development process, and they see the code that is written," he says. "They see the components that are pulled in. They watch the software get built. And they make it available to whoever is next on down the line."

Given this vantage point, they can help to impact — in a positive way — an organization's software supply chain security status by implementing good policies and practices around what open source code is included in their software and when those open source components are upgraded.

"Forward-leaning DevSecOps teams can take advantage of their automation and testing to start pushing for more aggressive component-upgrade life cycles and other approaches that help minimize technical debt," he explains.

He says they’re also in a position and own the tooling to help generate SBOMs that they can then provide to software consumers who are in turn looking to manage their supply chain risk.

"An organization doesn’t have to adopt a DevSecOps approach to software development to address software supply chain security risks," Cornell says.

**Building Frameworks for Risk Evaluation**

In May, MITRE unveiled a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over supply chain, including software.

That same month, the National Institute of Standards and Technology (NIST) updated its cybersecurity guidance for addressing software supply chain risk, offering tailored sets of suggested security controls for various stakeholders.

Meanwhile, a growing number of threat actors looking at supply chain companies as an entry point into enterprise networks, including North Korea's infamous Lazarus Group.

Software Supply Chain Concerns Reach C-Suite

Tools purporting to help organizations recover lost passwords for PLCs are really droppers for malware targeting industrial control systems, vendor says.

Threat actors are targeting systems in industrial control environments with backdoor malware hidden in fake password-cracking tools. The tools, being touted for sale on a variety of social media websites, offer to recover passwords for hardware systems used in industrial environments.

Researchers from Dragos recently analyzed one such password-cracking product and found it to contain "Sality," an old malware tool that makes infected systems part of a peer-to-peer botnet for cryptomining and password cracking.

The password-cracking tool was being hawked as software that could help users of Automation Direct's DirectLogic 06 programmable logic controllers (PLCs) recover lost or forgotten passwords. When installed on the PLC, the software did not really "crack" the password. Rather, it exploited a vulnerability in the PLC to recover the password from the system on command and send it in clear text to the user's connected engineering workstation. The sample that Dragos analyzed required the user to have a direct serial connection from their workstation to the Automation Direct PLC. However, the security vendor said it was able to develop a more dangerous version of the exploit that works over Ethernet as well.

Dragos said it reported the vulnerability (CVE-2022-2003) to Automation Direct, which issued a fix for it in June.

In addition to retrieving the password, Dragos observed the so-called password-cracking tool dropping Sality on the host system and making it a part of the botnet. The specific sample of Sality also dropped malware for hijacking the infected system's clipboard every half second and checking it for cryptocurrency address formats. If the malware detected one, it replaced the address with a threat actor-controlled address. "This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds and increases our confidence that the adversary is financially motivated," Dragos said in a recent blog.

**Intriguing Strategy**

Dragos did not immediately respond to a Dark Reading request for clarification on who exactly the buyers for such password-cracking software would be and why they might want to buy these tools from unverified sellers on social media websites. It was also not clear why threat actors would go to the trouble of developing Trojanized password crackers for PLCs in critical infrastructure and operational technology environments if the goal is purely financial. Often attacks targeting equipment in industrial and OT environments have other motivations such as surveillance, data theft, and sabotage.

Dragos' research showed that the password cracker for Automation Direct's PLCs is just one of many similarly fake password retrievers that are available on social media websites. Dragos researchers found similar executables for retrieving passwords from more than 30 PLCs, human-machine interface (HMI) systems, and project files in industrial settings. Among them were six PLCs from Omron, two PLCs from Siemens, four HMIs from Mitsubishi, and products from an assortment of other vendors including LG, Panasonic, and Weintek.

Dragos said it only tested the password cracker for Automation Direct's DirectLogic PLC. However, an initial analysis of the other tools showed they contained malware as well. "In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password 'crackers'," Dragos said in its blog.

Attacks targeting ICS environments have grown in number and sophistication in recent years. Since the 2010 Stuxnet attack on Iran's uranium enrichment facility in Natanz, there have been numerous instances where threat actors have gained access to critical systems in ICS and OT environments and deployed malware on them. Some of the more recent, notable examples include malware such as Industroyer/Crashoverride, Triton/Trisis, and BlackEnergy. In April 2022, the US Cybersecurity and Infrastructure Agency (CISA) warned critical infrastructure organizations to be on the lookout for three sophisticated malware tools — collectively referred to as Incontroller/PipeDream — custom-built to attack PLCs from Schneider Electric, Omron, and systems based on the Open Platform Communications Unified Architecture (OPC UA) standard.

Source

DARKReading