Infrastructure as code can help teams build more consistently in the cloud. But who owns it? Are teams getting the insights they need from your IaC security tool?

Everything you read about infrastructure as code (IaC) is focused on how it works or why you want to make sure that it actually is building the way you want it to build.

These are critical areas. But are we thinking enough about how we use this approach in our organization?

As Melinda Marks from ESG states in a company report, "83% of organizations experienced an increase in IaC template misconfigurations" as they continue to adopt the technology.

We know from work done by the Cloud Security Alliance ("Top Threats to Cloud Computing: Egregious Eleven") and others, misconfigurations continue to be a top risk in the cloud.

IaC is supported to _reduce_ misconfigurations by systematizing the creation of infrastructure, adding a level of rigor and process that ensures teams are building what they want and only what they want. If ~83% of teams aren't seeing that, there's a deeper issue at play.

On smaller teams, one where the Dev and Ops bits of the DevOps philosophy are together, that makes sense. IaC allows these small teams to use the same language — code — to describe everything they're doing.

This is why we're seeing even higher-level abstractions than tools like Terraform or AWS CloudFormation in the AWS CDK and projects like cdk8s. Those high-level abstractions are more comfortable for developers.

An ops/SRE/platform perspective of a cloud service will be wildly different from a developer perspective of the same service. A developer will look at a queuing service and dive into its interface — a simple endpoint to add and one to read? Sold. That's an easy integration.

This operational perspective aims to find the edges. So, when does this queue reach its limit? Is the performance constant or does it change radically under load?

Yes, there are overlapping concerns. And yes, this is a simplified view. But the idea holds. IaC solves a lot of problems, but it can also create and amplify the disconnect between teams. More importantly, it can highlight the gap between the intention of what you're trying to build and the reality of what you have built.

As a result, this is where the security concerns often escalate.

Most tooling — commercial or open source — is focused on identifying things that are wrong with the infrastructure templates. _This_ is a good construct. Making _this_ would be bad. These tools aim to generate these results as part of the continuous integration/continuous delivery (CI/CD) pipeline.

That's a great start. But it echoes the same language issue.

**Who's Talking and Who's Listening?**

When an IaC tool highlights an issue, who will address it? If it’s the development team, does it have enough information to know why this was flagged as an issue? If it's the operations team, are the consequences of the issue laid out in the report?

For developers, what often happens is that they will simply adjust the configuration to make the IaC testing pass.

For operations, it's typically a matter of whether the tests are passing. If they are, then on to the next task. That's not a knock on either team; rather, it highlights the gap of expectations versus reality.

What's needed is context. IaC security tooling provides visibility into what is about to (hopefully) be built. The goal is to stop issues _before_ they get into production.

Today's IaC security tooling is highlighting real issues that need to be addressed. Taking the output of these tools and enriching it with additional context that is specific to the team responsible for the code is a perfect opportunity for some custom automation.

This will also help bridge the language gap. The output from your tooling is essentially in a third language — just to make things more complicated — and needs to be communicated in a manner that makes sense to either a development or an operations audience. Often both.

For example, when a scan flags that a security group rule doesn't have a description, why does that matter? Just getting an alert that says "Add a description for context" doesn't help anyone build better.

This type of flag is a great opportunity to educate the teams that are building in the cloud. Adding an explanation that security group rules should be as specific as possible reduces the opportunity for malicious attacks. Provide references to examples of strong rules. Call that out without knowing the intention, and other teams can't test the validity of the security confirmation.

Security is everyone's responsibility, so acknowledging the language gap between developers and operations will highlight opportunities like this to add simple automations that provide insights to your teams. This will help improve what they are building and, as a result, will drive better security outcomes.

**About the Author**

    

I'm a forensic scientist, speaker, and technology analyst trying to help you make sense of the digital world and it's impact on us. For everyday users, my work helps to explain what the challenges of the digital world. Just how big of an impact does using social media have on your privacy? What does it mean when technologies like facial recognition are starting to be used in our communities? I help answer questions like this and more. For people building technology, I help them to apply a security and privacy lens to their work, so that they can enable users to make clearer decisions about their information and behavior. There is a mountain of confusion when it comes to privacy and security. There shouldn't be. I make security and privacy easier to understand.

IaC Scanning: A Fantastic, Overlooked Learning Opportunity

Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say.

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.  

Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool being deployed in relation to BlackCat/ALPHV ransomware called Exmatter that searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroy the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.

"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.

"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also must sharpen their defenses and deploy advanced security solutions that harden their respective attack surfaces and obfuscate sensitive resources, which will make them difficult targets to attack in the first place, Pimplaskar adds.

**Previous Ties to BlackMatter**

The researchers' analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double extortion attack, researchers from Kaspersky reported previously.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity with that of BlackMatter in the threat brief, which was published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter's tool of the same name.

**How the Exmatter Destructor Works**

Using a routine named "Sync," the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate queued files by uploading them to an attacker-controlled IP address, Mayer said.

"The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server," he explained in the post.

The data-destruction process lies within a class defined within the sample named "Eraser" that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that's taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

"The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers," Mayer wrote, "as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them." Mayer wrote.

**Work in Progress**

There are a number of clues to indicate that Exmatter's data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample that points to this is the fact that the second file’s chunk length, which is used to overwrite the first file, is randomly decided and could be as short as 1 byte long.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named "Erase" — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

**Why Destroy Instead of Encrypt?**

Developing data-corruption and destruction capabilities in lieu of encrypting data has a number of benefits for ransomware actors, the researchers noted, especially as data exfiltration and double-extortion (i.e., threatening to leak stolen data) has become a rather common behavior of threat actors. This has made developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether also can make the process faster for RaaS affiliates, avoiding scenarios in which they lose profits because victims find other ways to decrypt the data, the researchers noted.

"These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own," Mayer observed, "replacing development-heavy ransomware with data destruction."

BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Settling for "satisfactory" level of readiness may underestimate growing levels of risk.

**DOWNERS GROVE, Ill., September 27, 2022** — Fortifying cybersecurity defenses remains a work in progress for many organizations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, new research from CompTIA, the nonprofit association for the information technology (IT) industry and workforce, reveals.

While a majority of respondents in each of seven geographic regions feels that their company’s cybersecurity is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement.

“Companies are aware of the threats they face and the potential consequences of an attack or breach,” said Seth Robinson, vice president, industry research, CompTIA. “But they may be underestimating their exposure and how much they need to invest in cybersecurity. Risk mitigation is the key, the filter through which everything should be viewed.”

Two of the top three issues driving cybersecurity considerations are the growing volume of cybercriminals, cited by 48% of respondents, and the growing variety of cyberattacks (45%). Additionally, ransomware and phishing have quickly become major areas of concern as digital operations have increased and human error has proven more costly.

“Digital transformation driven by cloud and mobile adoption requires a new strategic approach to cybersecurity, but this poses significant challenges, both tactically and financially,” Robinson said. “As IT operations and strategy have grown more complex, so has the management of cybersecurity.”

As cybersecurity is more tightly integrated with business objectives, zero trust is the overarching policy that should be guiding modern efforts, though its adoption will not take place overnight because it requires a drastically different way of thinking and acting. The report suggests there is small progress in recognizing a holistic zero trust approach, but better progress in adopting some elements that are part of an overarching zero trust policy. Multifactor authentication is in place at 46% of companies and cloud workload governance at 41%. Among other changes in organizations’ approach to cybersecurity:

*   43% of companies have placed a higher priority on incident response,
*   39% are deploying a more diverse set of technology tools, with SaaS monitoring and management tools making a substantial jump in adoption,
*   38% are increasing their focus on process improvements,
*   37% are shifting to more proactive measures, and
*   36% are expanding employee education.

Adopting a total zero-trust philosophy, including setting specific, strategic objectives will address many problems companies face. But there are substantial hurdles to overcome, such as closing the communications gap that exists between the technology and business sides of organizations. The overall rate of business staff participation is too low for a business-critical function. Nearly half (47%) of small businesses have the CEO or owner as part of the cybersecurity chain compared to 37% of mid-sized firms and 27% of large enterprises. In addition, companies are struggling to address technical skill needs, such as threat knowledge, network security and data analysis.

CompTIA’s “State of Cybersecurity” report is based on a Q3 2022 survey of technology and business professionals involved in cybersecurity. There were 500 respondents from the U.S. and 125 from each of six other regions around the world. The full report is available at https://www.comptia.org/content/research/cybersecurity-trends-research.  

**About CompTIA**

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the estimated 75 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for unlocking the potential of the tech industry and its workforce.

Organizations Finding the Need for New Approaches on the Cybersecurity Front, CompTIA Research Reveals

A crime syndicate based in Russia steals millions of dollars from credit card companies using fake dating and porn sites on hundreds of domains to rack up fraudulent charges.

A subscription service scam has garnered millions of dollars in credit card charges by creating fake dating and porn sites, staffing them with live customer support, and using stolen credit card accounts to pay for "services." 

Endpoint security firm ReasonLabs stated in a Sept. 23 advisory that a Russian-speaking cybercrime group has created hundreds of fraudulent websites since 2019, likely using third-party proxies, as well as dozens of business sites that act as both a generic name for credit card charges and as a hub for customer support calls. By using recurring charges that are small enough to escape many customers' notice, the fraudsters were able to keep chargeback requests low enough to avoid being shut down and continue profiting from the scam.

While the different components of the scheme are not original, the sum total managed to bypass credit card companies' fraud detection and garner millions of dollars in revenue, ReasonLabs' research team said in the advisory.

"Eventually, once — some of — these users find these charges, they will immediately approach the issuer for a dispute and replacement of the card number, which will cause chargebacks."

The three-year scam highlights the resurgence of credit-card fraud, especially for businesses that are dealing with a hybrid workforce. Two-thirds of companies have experienced fraud in the past year, according to a recent study from KPMG. Security experts have meanwhile warned that third-party scripts on websites — part of the software supply chain — could be at risk of being co-opted to steal credentials and credit-card information.

**Designed to Seem Legitimate**

In the latest credit card scam, the cybercriminals created the right mix of components to dodge anti-fraud defenses and to remain unnoticed by consumers who don't always check their credit card bills, researchers said. While unsurprising, the scope of the fraud is quite brazen, Timothy Morris, technology strategist for security management firm Tanium, said in a statement sent to Dark Reading.

"Real companies can run virtually, so it isn’t hard to imagine fake companies running virtually," he said. "Front-end user interfaces, back-end customer support, payment providers, \[and other components\] give this swindle all the ingredients of legitimacy."

The business sites that originated the charges and appeared to be legitimate all have similar structure, with the organization's name, a motto, and information on how to contact support. ReasonLabs found 75 support sites, all with the same HTML code, importing the same JavaScript files, and having identical comments, the company said.

The scheme was also given the veneer of credibility by these 200 fake sites — mainly adult- and dating-themed — that supposedly were the source of the charges. While adult sites are classified as high risk in the financial industry, the combination of live sites and active business hubs helped make the scheme seem legitimate.

The type of fake site that the fraudsters used also likely made the scheme more successful, Matt Mullins, senior security researcher at Cybrary, said in a statement sent to Dark Reading.

"Dating sites, adult sites, and other services have social stigmas associated with them that puts the victim in a questionable light," he said. "This questionable light also makes it more likely that a victim will try to resolve it themselves versus calling up a customer service representative and trying to resolve it."

Finally, the criminal group uses typical credit card spending patterns to make the transaction less suspicious. Rather than use test transactions followed by large transaction, the criminal group uses recurring payments of small dollar amounts to escape notice.  

Because most financial providers have strict agreements with high-risk businesses — such as adult sites — to limit the level of chargebacks, the cybercriminal group takes a variety of actions to avoid chargebacks. The fake businesses' names are fairly generic, they charge small dollar amounts, allow the user to cancel their "subscription," and have live customer support, ReasonLabs said.

"The fraudsters applied each individual customer service website for payment processing in order to distribute the chargebacks between many websites rather than just one," the company stated in its advisory. "This would ensure that their payment processing capabilities will not be revoked once one site reaches the agreed rate of chargebacks, or refunds, which is divided by the number of legit transactions."

The campaign is ongoing, but ReasonLabs has notified the companies affected by the fraud to help shut down the cybercriminal enterprise.

Fake Sites Siphon Millions of Dollars in 3-Year Scam

MITRE's new FiGHT framework describes adversary tactics and techniques used against 5G systems and networks.

The modernization of wireless technology is well underway with 5G deployments -- and so are the attacks. In response, MITRE, along with the Department of Defense, announced an adversarial threat model for 5G systems to help organizations assess the threats against their networks.

A "purpose-built model of observed adversary behaviors," FiGHT (5G Hierarchy of Threats) is a knowledge base of adversary tactics and techniques for 5G systems. The framework empowers organizations to "reliably assess the confidentiality, integrity, and availability of 5G networks, as well as the devices and applications using them," according to MITRE.

FiGHT is similar to MITRE ATT&CK, a knowledge base of adversary behaviors seen in attacks against the broader ecosystem. In fact, FiGHT is derived from ATT&CK, making FiGHT's tactics and techniques complementary to those described in ATT&CK. The FiGHT Matrix lists tactics used in attacks as columns, and some of the items listed are actually ATT&CK techniques or sub-techniques relevant for 5G.

Tactics and techniques are grouped across three categories: theoretical, proof-of-concept, and observed. At the moment, most of the techniques are categorized as either theoretical or proof-of-concept as the information is based on academic research and other publicly available documents. Just a minority of the techniques described in FiGHT are based on real-world observations, reflecting the fact that the number of 5G attacks are still relatively low.

Even though 5G has built-in security features, there still some risks and vulnerabilities to be aware of. 

"We identified an industry need for a structured understanding of 5G threats because even though 5G represents the most secure cellular standard to date, it can be implemented and deployed in ways that still have risks and vulnerabilities," Dr. Charles Clancy, senior vice president and general manager of MITRE Labs, said in a statement.

During this year's RSA Conference, researchers from Deloitte & Touche described a potential avenue of attack targeting network slices, a fundamental part of 5G's architecture. Enterprises rolling out 5G LANs also need to consider that the new capabilities that come with these environments, such as cross-network roaming and cloud edge services, also increase that attack surface.

FiGHT can be used to conduct threat assessments, enable adversarial emulation, and identify gaps in security coverage. Security teams can also use FiGHT to determine which areas the organization should be investing in.

"FiGHT helps stakeholders assess where cyber investments should be made to achieve the highest impact as they build, configure, and deploy secure and resilient 5G systems," Clancy said.

MITRE's FiGHT Focuses on 5G Networks

Funding has been somewhat lower than last year, but investment remains healthy, analysts say, amid thirst for cloud security in particular.

The cybersecurity industry continues to remain largely unaffected by the uncertainty surrounding the rest of the economy.

Though funding activity this year is somewhat slower than in 2021 and market valuations of cybersecurity firms have taken a hit, mergers and acquisitions activity has remained strong through the year, as has investor interest in the sector.

So far in the third quarter, there have been multiple major transactions that, according to analysts, highlight the overall robustness of the sector amid broadening concerns of a recession.

**Robust M&A Activity**

Two of the biggest involved previously announced deals: In September, Google completed its planned acquisition of incident response firm Mandiant for $5.4 billion, and in August, private equity firm Thoma Bravo closed it $6.9 billion purchase of identity management vendor SailPoint.

That same month, Thoma Bravo announced plans to acquire Ping Identity for $2.8 billion in cash. The $28.50 per share that the private equity firm offered for Ping represented a 63% premium over the identity management vendor's closing share price on Aug. 2. Thoma Bravo will take Ping private once the deal is completed in the fourth quarter. 

Other examples of M&A activity in the third quarter include Devo's purchase of SOAR vendor LogicHub for an undisclosed amount, Volaris Group's acquisition of Hitachi ID Systems in September, Cerberus Sentinel's purchase of application security vendor CyberViking, and CrowdStrike's acquisition of Reposify last week.

M&A activity in the third quarter is consistent with activity in the previous two quarters. Data from Momentum Cyber shows there were a total of 148 cybersecurity M&A deals during the first half of 2022. Total M&A volume over the period was nearly $103 billion. Momentum Cyber identified eight M&A transactions during the first half of 2022 that topped $1 billion, including the SailPoint and Mandiant deals, and private equity firm KKR's $4 billion acquisition of Barracuda.

The most obvious trend of late has been the move by larger vendors to buy into the attack surface management (ASM) space, and more specifically external attack surface management (EASM), says Rik Turner, an analyst with Omdia.

"This has, of course, been underway for a while," he says, pointing to Palo Alto's purchase of Expanse in November 2020 and Microsoft picking up RiskIQ in July 2021. "But there has been something of an intensification of this tendency of late, with Tenable acquiring Bit Discovery in April, IBM buying Randori in June, and CrowdStrike picking up Reposify last week," Turner says.

There are numerous other EASM vendors, so there will be no shortage of acquisition targets for any other big players that want to get into this market, he says.

**Multiple Market Drivers**

Turner says one of the other trends driving the M&A activity is growing interest in proactive security technologies, as opposed to the focus on reactive detection and response of the past few years.

"The proactive wave posits not a replacement technology for the reactive ones, but rather complementary ones that seek to reduce a customer's overall attack surface before threat actors have even launched an attack," Turner says. "Unlike the extended detection and response (XDR) spectrum, proactive security doesn't have a single acronym or initialism yet that can capture the imagination of the market, though Omdia is tentatively proposing security posture management, or SPM." 

Examples of products that fall into this category include cloud-specific proactive technologies such as cloud security posture management (CSPM), SaaS security posture management (SSPM), and cloud permissions management (CPM). Breach and attack simulation technologies are other examples as are vulnerability management and patch management, Turner says.

Chris Stafford, a senior manager in West Monroe's M&A practice, sees another set of factors driving the financial activity in the cybersecurity space. According to Stafford, the big ones are accelerated cloud adoption, the shift to remote work, and the continuing talent shortage. 

 "Fundamentally, cybersecurity is a really durable sector from a growth and revenue perspective," Stafford says. "All companies across all sectors require cybersecurity tools and services. That is what is fundamentally driving growth in the industry."

**Funding & VC Interest Slow but Remain Healthy**

While M&A activity has maintained a robust pace through the year, funding activity has been somewhat lower than last year, as noted earlier. Data from analyst firm IT-Harvest shows that through Sept. 1, some 220 vendors received a total of $12.3 billion in direct funding from investors. 

"That is half of 2021's record $24 billion, but more than the previous year's $10 billion," says Richard Stiennon, chief research scientist at IT-Harvest, adding that just 33 companies received more than $100 million so far this year, compared with 69 in 2021. "I expect to see the industry finish the year at $15 billion total invested," Stiennon says.

Omdia's Turner says while venture capital funding overall appears to have dipped somewhat, there is still plenty of money available for projects that VC's find especially interesting. "I think they have gotten somewhat choosier than they were in 2021," Turner says.

IT-Harvest's analysis of funding activity so far this year showed that investors are pouring more money into the security analytics space — $2.6 billion — than any other segment. Stiennon points to the more than $500 million in total that Devo has raised so far and the massive $1-plus billion funding round that Securonix received in February as examples of investor interest in this segment.

Identity and network security were the next two most active categories, with $1.4 billion in funding in each. There is also a trend of investing in cloud analytics and general security operations center tools like XDR, and a resurgence in vulnerability management startups that are getting funding, Stiennon notes.

"In short, funding is extremely healthy. No surprise to me because venture funding is not like the stock market, where you invest on expectations of next quarter's results," he says. "Most VCs have a five-year horizon, and they can count on cybersecurity to still be a growing sector through an economic downturn."

Despite Recession Jitters, M&A Dominates a Robust Cybersecurity Market

Ukraine military intelligence says Russia is planning cyberattacks on the country's energy sector, as well as against allies including Poland and the Baltic states.

As protests against military conscription rage inside Russia, the country is planning to continue its offensive into Ukraine with cyberattacks on critical infrastructure. 

The Odessa Journal reported Ukrainian military intelligence has learned the first cyberattacks will soon be launched against the Ukrainian energy sector, informed by previous Russian cyberattacks on the country's electricity infrastructure in 2015 and 2016.  After energy supply operations are crippled by cyberattacks, the Russian military plans to ramp up missile strikes on those facilities to shut down the electrical service throughout the war-battered country. 

"The occupying command is convinced that this will slow down the offensive actions of the Ukrainian Defense Forces," the Odessa Journal added. 

Additional cyberattacks are being planned against Ukrainian allies Poland and the Baltic states, according to the report. 

**Russian Tactical Shift?** 

With increasing pressure to show military gains, Russian cyber threats are a potentially effective way to ramp up offensive measures without drawing military retaliation, according to John Hultquist, vice president of intelligence analysis at Mandiant said in response to the reports of anticipated cyberattacks. 

He added in the months since the occupation of Ukraine began, Russia hasn't been launching cyberattacks outside of Ukraine, indicating a potential shift in focus on cyberwarfare by the Kremlin. 

"Many of the disruptive and destructive cyberattacks we have seen thus far have been disrupted, isolated, or largely limited to Ukraine, where there is intense focus," Hultquist said. "With a few exceptions we have not seen the scaled, serious attacks we expected even before the war began."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Russia Planning Cyberattacks on Ukraine's Energy Grid

CTA now has 36 members headquartered in 11 countries who follow cyber activities across the world, showing cybersecurity industry members realize the value in collaboration.

**WASHINGTON, D.C., Sept. 26, 2022 —** Cyber Threat Alliance (CTA), a nonprofit organization working to improve the cybersecurity of the global digital ecosystem, is announcing a recent growth in membership that expands our reach to a total of 36 active members across the world.

We are pleased to announce our newest members include: Blueliv, Cloudbric, DataDome, Maltiverse, Red Piranha and Trellix. Several more are in the CTA membership onboarding process and we expect to announce those companies soon. CTA now has members headquartered in 11 countries and engaged in cyber activities across much of the world. CTA's global expansion in the midst of a global pandemic, geopolitical tension, and economic disruption reinforces the high value front-line cybersecurity companies perceive in coming together to share threat intelligence and data. As cyber threats continue to evolve in sophistication, leaders in the cybersecurity industry are realizing this strength in numbers and value in collaboration.

To date, CTA members have shared over 280 million observables along with associated context, averaging around 350-400K per day. The CTA Early Share program, where members share information such as blogs, research, threat reports and more, generally 24-72 hours before public posting, has surpassed 675 early shares. As one CTA member noted, “CTA has been the single most valuable sharing alliance that we have been a member of.”

“I'm excited to welcome these new members to the Cyber Threat Alliance,” said Michael Daniel, President and CEO of the Cyber Threat Alliance. “CTA's growth over the past two years clearly demonstrates CTA's value, because members have continued to join the Alliance despite the pandemic and other disruptions. These additions make CTA stronger and more effective by increasing our diversity, reach, and expertise. I am looking forward to working with the new members and continuing CTA's growth.”

CTA's members play a crucial role in cybersecurity protection and response across all continents and critical infrastructure sectors. Members actively share timely, actionable, contextualized and campaign-based intelligence to improve our collective defenses against cyber adversaries — improving the members' products and services to better protect their customers, as well as more systematically thwarting adversaries and strengthening the security of the broader digital ecosystem. Each additional organization that joins CTA generates new avenues of data, increasing the quality of intelligence from which members draw impactful and actionable insights to apply to their customer base.

**About the Cyber Threat Alliance**

CTA was founded by Check Point Software Technologies Ltd., Cisco, Fortinet, McAfee, Palo Alto Networks, and Symantec Enterprise Division of Broadcom. Membership also includes AT&T Alien Labs, Avast, Blueliv, Cloudbric, DataDome, Dragos, Juniper Networks, K7 Computing, Maltiverse, Morphisec, NEC Corporation, NETSCOUT, NTT, OneFirewall, Panda Security (WatchGuard), Rapid7, ReversingLabs, SANDS Lab, Scitum, SecureBrain (Hitachi), SecurityScorecard, SK shieldus, SonicWall, Sophos, TEHTRIS, Telefónica Tech, Trellix, and VMware.

CTA is the industry's first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries. CTA's mission is to facilitate the sharing of actionable intelligence and situational awareness about sophisticated cyber threats to improve its members' cyber defenses, more effectively disrupt malicious cyber actors around the world and raise the level of cybersecurity throughout the Internet and cyberspace. The alliance is continuing to grow on a global basis, enriching both the quantity and quality of the information that is being shared across the platform. CTA is actively recruiting additional regional players to enhance information sharing to enable a more secure future for all. For more information about CTA, please visit: https://www.cyberthreatalliance.org/.

SOURCE: Cyber Threat Alliance

Cyber Threat Alliance Extends Membership to 6+ Leading Cybersecurity Companies

Company unnecessarily collected consumers' personal data and failed to safeguard it, suit alleges, leading to two back-to-back data breaches.

OAKLAND, Calif., Sept. 23, 2022 /PRNewswire — Earlier this month, two Samsung users, Shelby Holtzclaw and Naeem Seirafi, fired a class action lawsuit at Samsung Electronics of America, accusing the company of unnecessarily collecting consumers' personal data and failing to safeguard it.

Represented by powerhouse public interest firm, Clarkson Law Firm, the Plaintiffs further allege that Samsung failed to take appropriate protective measures leading to two back-to-back data breaches. Samsung then exacerbated the problem, according to the lawsuit, by neglecting to inform consumers whose data may have been compromised. The 43-page complaint asserts that Samsung violated consumer protection laws in all 50 states.

According to the lawsuit, Samsung disabled functions and features of its electronics like TVs and printers unless consumers submitted personal identification data like their home address and date of birth. Samsung then stored, monitored, and sold that data without adequately securing it, despite having assured its customers that "security and privacy are at the core of what we do and what we think about every day." Samsung allegedly touted that it was "protecting users' security and privacy at all times" via "holistic" and "industry-leading security." However, the lawsuit claims the tech giant's deficient security measures led to two data breaches and distribution of consumers' private, personal information.

The first breach allegedly occurred in April 2022 when confidential data was accessed, stolen, and published online. Samsung reassured customers that the leak only included "some source code relating to the operation of Galaxy devices" which the Plaintiffs assert "minimized entirely the impact of this first data breach." A preventable second attack then occurred when personal identification data was allegedly stolen by an "unauthorized third party." According to the complaint, "It is believed that greater than half of Samsung's U.S. consumers had their \[personal identifiable information\] compromised in the breach."

The plaintiffs allege that Samsung consumers have been left vulnerable to phishing scams, identity theft, and dual-authentication scams, requiring them to spend time, energy, and money on extra security protocols like credit monitoring.

Holtzclaw and Seirafi are demanding that Samsung notify all consumers whose data was stolen, improve their security systems, and compensate victims for the financial harm they've sustained.

The case is pending in the United States Federal District Court for the Northern District of California, Case Number 3:22-cv-05176. Visit clarksonlawfirm.com for updates.

SOURCE: Clarkson Law Firm, PC

Samsung Fails Consumers in Preventable Back-to-Back Data Breaches, According to Federal Lawsuit

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Source

DARKReading