The hacktivist group is ramping up its activities and ready to assault governments and businesses with escalating capabilities.

The hacktivist group DragonForce Malaysia has released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities. It also announced that it's adding ransomware attacks to its arsenal.  

The group posted a proof of concept (PoC) of the exploit on its Telegram channel on June 23, which was subsequently analyzed by CloudSEK this week. While there's no known CVE for the bug, the group claims that the exploit can be used to bypass authentication "remotely in one second" in order to access the LDR layer, which is used to interconnect local networks at various locations of an organization.

The group says it would be using the exploit in campaigns targeted at businesses operating in India, which falls directly within its wheelhouse. During the past three months, DragonForce Malaysia has launched several campaigns targeting numerous government agencies and organizations across the Middle East and Asia.

“DragonForce Malaysia is adding to a year that will long be remembered for geopolitical unrest," says Daniel Smith, head of research for Radware’s cyber threat intelligence division. "In combination with other hacktivists, the threat group has successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists related to the Russian/Ukrainian war."

The most recent, dubbed "OpsPatuk" and launched in June, has already seen several government agencies and organizations across the country targeted by data leaks and denial-of-service attacks, with the number of defacements topping 100 websites.

“DragonForce Malaysia is expected to continue defining and launching new reactionary campaigns based on their social, political, and religious affiliations for the foreseeable future," Smith says. "The recent operations by DragonForce Malaysia ... should remind organizations worldwide that they should remain vigilant during these times and aware that threats exist outside the current cyber conflict in Eastern Europe.”

**Why LPE Should Be on the Patching Radar**

While not as flashy as remote code execution (RCE), LPE exploits provide a path from a normal user to SYSTEM, essentially the highest privilege level in the Windows environment. If exploited, LPE vulnerabilities not only allow an attacker a step in the door but also provide local admin privileges — and access to the most sensitive data on the network.

With this heightened level of access, attackers can make system modifications, recover credentials from stored services, or recover credentials from other users who are using or have authenticated to that system. Recovering other users' credentials can allow an attacker to impersonate those users, providing paths for lateral movement on a network.

With escalated privileges, an attacker can also perform admin tasks, execute malware, steal data, execute a backdoor to gain persistent access, and much more.

Darshit Ashara, principal threat researcher for CloudSEK, offers one sample attack scenario.

“The attacker from the team can easily exploit any simple Web application-based vulnerability to gain aninitial foothold and place a Web-based backdoor,” Ashara says. “Usually, the machine on which Web server is hosted will have user privilege. That is where the LPE exploit will enable the threat actor to gain higher privileges and compromise not only a single website but other websites hosted on the server.”

**LPE Exploits often Remain Unpatched**

Tim McGuffin, director of adversarial engineering at LARES Consulting, an information-security consulting firm, explains that most organizations wait to patch LPE exploits because they typically require initial access to the network or endpoint in the first place.

“A lot of effort is placed on the initial prevention of access, but the further you move into the attack chain, the lesser effort is placed on tactics like privilege escalation, lateral movement, and persistence,” he says. “These patches are typically prioritized and patched on a quarterly basis and do not use an emergency 'patch now' process.”

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, notes that the importance of every vulnerability is different, whether it's LPE or RCE.

“Not all vulnerabilities can be exploited, meaning not every vulnerability requires immediate attention. It is a case-by-case basis,” she says. “Several LPE vulnerabilities have other dependencies, such as needing a username and password to carry out the attack. That's not impossible to obtain but requires a higher level of sophistication.”

Many organizations also create local admin accounts for individual users, so they can carry out everyday IT functions such as installing their own software on their own machines, Hoffman adds.

“If many users have local admin privileges, it is more difficult to detect malicious local admin actions in a network,” she says. “It would be easy for an attacker to blend into normal operations due to poor security practices that are widely used.”

Any time an exploit is released into the wild, she explains, it doesn't take long before cybercriminals with varying levels of sophistication take advantage and perform opportunistic attacks.

“An exploit takes out some of this legwork,” she notes. “It is realistically possible mass scanning is already taking place for this vulnerability.”

Hoffman adds that vertical privilege escalation requires more sophistication and is typically more in line with advanced persistent threat (APT) methodologies.

**DragonForce Plans Shift to Ransomware**

In a video and through social-media channels, the hacktivist group also announced its plans to start conducting mass ransomware attacks. Researchers say this could be an adjunct to its hacktivist activities rather than a departure.

“DragonForce mentioned carrying out widespread ransomware attacks leveraging the exploit they created,” Hoffman explains. “The WannaCry ransomware attack was a great example of how widespread ransomware attacks all at the same time are challenging if financial gain is the end goal.”

She also points out that it is not uncommon to see these announcements from cybercriminal threat groups, as it draws attention to the group.

From the perspective of McGuffin, however, the public announcement of a shift in tactics is “a curiosity,” especially for a hacktivist group.

“Their motives may be more around destruction and denial of service and less around making a profit like typical ransomware groups, but they may be using the funding to enhance their hacktivist capabilities or awareness of their cause,” he says.

Ashara agrees that DragonForce’s planned shift is worth highlighting, as the group’s motive is to cause as much of an impact as possible, boost their ideology, and spread their message.

“Hence, the group's motivation with the announcement of ransomware is not for financial cause but to cause damage,” he says. “We have seen similar wiper malwares in the past where they would use ransomware and pretend the motivation is financial, but the root motivation is damage.”

DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware

The RSA conference in San Francisco always feels like drinking from a fire hose but especially this year at the first in-person RSA since the pandemic began.

It had been a few years, so with much anticipation, and not a little trepidation, 26,000 people descended on San Francisco for the RSA Conference. Vendors were eager to get back out in front of a live audience and the expo floor was tightly packed with more than 400 exhibitors. Themes emerged in numerous services.

Let’s start with data security. With all the talk of application security needing to "shift left", (i.e., embedding security processes into the development pipeline to reduce the attack surface of code before it enters production), it is only natural that data security should move in the same direction.

Keys and certificates associated with applications and containers need to be protected, as any organization that has adopted a DevSecOps approach will be aware. Indeed, in an ideal scenario, capabilities such as key management and encryption are baked into the workflows of developers and DevSecOps teams and "just work."

Identity was at the center of many a discussion. Achieving "zero trust" transformation with passwordless authentication received renewed attention at the show. Getting rid of passwords has been the holy grail for many organizations and individuals over the past 30 years, and Omdia believes that 2022 will be the year that we finally start to properly phase out passwords.

When it comes to infrastructure security, figuring out the 'risk' of cloud environments was a key topic of interest. Vendors such as Palo Alto Networks, Orca, Wiz, Check Point, and many, many others highlighted tooling to enable deeper understanding of one's cloud estate, with an increasing emphasis on cloud permissions management as a key focus area.

Working to secure the development process for creating cloud environments was another area much discussed, with Infrastructure as Code (IaC) a key pattern for achieving necessary scale. The broad interest in API security was also noteworthy. Specialized vendors such as Salt Security, Wallarm, Cequence, and others joined several of the cloud security vendors in adding API security capabilities to their offerings.

Wrapping up the key topics around infrastructure security, it was noticeable how prevalent the conversations around Secure Access Service Edge (SASE) were, in terms of major security vendors aligning themselves to the broader SASE theme or to its subset known as SSE. Cisco, Netskope, Versa Networks, Forcepoint, among others, demonstrated integrated offerings in this space.

Moving on to SecOps, RSA Conference 2022 will perhaps be seen as the first big opportunity for extended detection and response (XDR) vendors to make their case. Numerous vendors made significant XDR announcements, including BitDefender (launching GravityZone XDR solution), CrowdStrike (expanding Falcon's XDR module), and RSA Group (debuting NetWitness XDR), among others. XDR has the potential to revolutionize enterprise threat detection and incident response (TDIR), making it faster, easier, and potentially even cheaper to find, analyze, and fix cybersecurity threats.

Proactive approaches such as risk-based vulnerability management and attack surface management (ASM) were also in the spotlight. It has been clear throughout 2022 that ASM products are quickly becoming an important component of broader proactive posture management strategies. The market, particularly for external ASM (EASM) solutions, has been busy with both investment and M&A activity.

RSA 2022: Omdia Research Take Aways

Transitive dependencies can complicate the process of developing software bills of materials.

If you're building software applications, you're familiar — or should be familiar — with SBOMs, or software bills of materials. Think of an SBOMs as a list of ingredients in your application. The urgency for organizations to create and maintain accurate SBOMs has increased in the wake of recent software supply chain vulnerabilities such as Log4Shell and Spring4Shell. What's more, if you do business with the US government, an accurate and up-to-date SBOM is now a requirement, based on the May 2021 Executive Order issued by the White House in response to the far-reaching repercussions of the SolarWinds attack.

According to Gartner, "by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20% in 2022." Gartner also acknowledges that "keeping software bills of materials (SBOMs) data in sync with corresponding software artifacts presents a key challenge."1

Are organizations keeping pace with such market dynamics? A recent Tidelift survey shows that only 37% of organizations are aware of new government software supply chain requirements around security and SBOMs. Of these organizations, only 20% are using SBOMs for most or all applications today.

However, change is coming quickly: The vast majority of organizations — 78% — are either already using SBOMs in at least some applications or have plans to do so in the next year, according to the survey.

**Open Source Complicates SBOM Matters**

Developing SBOMs can be challenging, but if you are using open source components in your applications — as most modern software development teams do — then the process for building an SBOM and keeping it up to date becomes even more complex because of the impact of transitive dependencies.

Open source components that other open source components rely on, transitive dependencies can be difficult to track down. For example, many organizations affected by Log4Shell weren't immediately aware of their exposure because it came through transitive dependencies. It is therefore critical that your SBOM identifies not only direct open source dependencies but also transitive dependencies.

In addition, because developers are constantly committing code to deliver enhanced functionality to applications, it is critical that SBOMs are dynamic, capturing changes to the open source components up and down the open source software supply chain.

**Conclusion: Get a Handle on SBOMs**

To ensure the integrity of software supply chains, the use of SBOMs will become more common — and will often be required. To ensure that your organization is delivering accurate and up-to-date SBOMs for the applications it develops and delivers, it's important to get a handle not just on your list of ingredients, but also the ingredients your ingredients are using.

1 Gartner, "Innovation Insight for SBOMs," Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

When It Comes to SBOMs, Do You Know the Ingredients in Your Ingredients?

With more staff working remotely, identity, authentication, and access (IAA) has never been more important. Microsoft has a new response.

At the start of June 2022, just before RSAC 2022, Microsoft announced a new product family, Microsoft Entra, which encompasses all of Microsoft’s identity and access capabilities. Microsoft Entra products include:

*   Azure Active Directory (Azure AD) as well as two new product categories:
*   Microsoft Entra Permissions Management (a Cloud Permissions management (CPM) / Cloud Infrastructure Entitlement Management (CIEM) solution)
*   Microsoft Entra Verified ID (a decentralized identity product offering)

According to Microsoft, Entra is part of the company’s expanded vision for identity and access. The plan is to verify all types of identities and secure, manage, and govern their access to any resource, by:

*   Protecting access to any app or resource for any user;
*   Securing and verifying every identity across hybrid and multicloud environments;
*   Discovering and governing permissions in multicloud environments; and
*   Simplifying the user experience with real-time intelligent access decisions.

**Azure Active Directory (Azure AD)**  

**Microsoft Azure AD**, is also part of the Microsoft Entra family, and all its capabilities, such as conditional access and passwordless authentication, remain unchanged. Azure AD External Identities continues to be the vendor’s identity solution for customers and partners under the Microsoft Entra family.

Identity Governance for employees and partners is another area of focus for Microsoft. It’s a significant challenge for IT and security teams to provision new users and guest accounts and manage their access rights manually. This can have a negative impact on both IT and individual productivity. New employees often experience a slow ramp-up to full effectiveness while they wait for the access required for their jobs. Similar delays in granting necessary access to guest users undermine a smoothly functioning supply chain. At the other end, without formal or automated processes for reprovisioning or deactivating people’s accounts, their access rights may remain in place when they change roles or exit the organization (the dangerous "orphan account" scenario that can be exploited by threat actors).  

Microsoft believes that their **Identity Governance (in Azure AD)** offering addresses this with identity lifecycle management, which simplifies and speeds up the processes for onboarding and offboarding users. Lifecycle workflows automate assigning and managing access rights and monitoring and tracking access as user attributes change. Lifecycle workflows enhancements in Identity Governance are scheduled to enter public preview in July 2022.

Omdia believes that automating identity, authentication, and access features and tasks is a key trend within this space. There is an ever-increasing amount of data that companies need to keep secure and interpret when things go wrong, the automating of features and tasks will continue to accelerate in the coming years. This increase in data is helping to drive automation in a number of segments within the identity, authentication and access sector.

**Microsoft Entra Permissions Management** (Cloud Permissions Management)

Microsoft stated that the Microsoft Entra Permissions Management product/solution will be a standalone offering, be integrated within the Defender for Cloud dashboard, extending Microsoft Defender for Cloud's protection into the CPM realm (a.k.a. CIEM). It is worth recalling the history and development of this product. In July 2021, Microsoft **acquired CloudKnox Security, which was the market leader in CPM technology, with a view to enabling businesses using its Azure Active Directory service to exercise tighter control over employees’ access rights to their cloud assets, regardless of which cloud they reside in.**

CPM is an emerging technology segment, with most of the start-ups offering the capability dating from the late 2010s. CloudKnox was among the first, having been founded in 2017. So recent is the technology that it still has no standard name: one analyst firm calls it cloud infrastructure entitlements management (CIEM), which is both excessively wordy and confusing, given its similarity to security incident and event management (SIEM) and customer identity and access management (CIAM). Another calls it cloud identity governance, which is less self-explanatory than Omdia's preferred name, cloud permissions management. The permissions management product/solution will be available worldwide in July 2022.

It is also worth noting that the Permissions Management product is cloud agnostic, i.e. it will be able to enforce the principle of least privilege in Microsoft Azure, Amazon Web Services, and Google Cloud Platforms.

**Microsoft Entra Verified ID** (Decentralized Identity)

Microsoft Entra Verified ID is a new product offering based on decentralized identity standards that makes portable, self-owned identity possible. Verified ID represents Microsoft's commitment to an open, trustworthy, interoperable, and standards-based decentralized identity future for individuals and organizations. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, Verified ID allows individuals and organizations to decide what information they share, when and with whom they share it, and—when necessary—to take it back by rescinding access rights. The Verified ID product will be available from early August 2022. Omdia believes that decentralized identity is gaining traction and this announcement by Microsoft to launch a product in this space will help to turbocharge the segment.

**Expansion of the Microsoft Entra product family – Which IAA segments next?**

It was interesting to note in Microsoft's recent press release that they stated this launch "is an important step towards delivering a comprehensive set of products for identity and access needs, and we’ll continue to expand the Microsoft Entra product family." So what areas are they likely to expand into? PAM? CPM technology looks like a natural adjacency for privileged access management (PAM) vendors, and indeed, the largest player in PAM, CyberArk, launched a CPM module in late 2020. Meanwhile Zscaler, which delivers security as a service from the cloud, acquired CPM start-up Trustdome in April 2021, reportedly for $31M, and XDR vendor SentinelOne's $616M acquisition of Attivo in March this year brought it, among other things, a CPM capability.

If Microsoft were to enter the PAM market, then what other areas of identity, authentication and access are logical to look at?

In recent years, segments such as PAM and IGA have undergone the cloudification of their products/solutions. Enterprise applications were already moving to the cloud long before the pandemic, to be delivered as a service. However, the impact of the pandemic was to turbocharge that process, and with it, the need for cloud-based identity management capabilities.

This backdrop explains the importance Omdia attributes to the cloud in the identity services market, not only as a locus from which to deliver IGA, but also as the place where an increasing number of corporate assets now reside, which puts a new level of requirement for entitlements management. It is also worth noting that Okta, the 800 pound gorilla of cloud-native identity management, is planning to launch IGA and PAM products in Q4 2022 and Q1 2023.

There has also been an expansion of diverse access points over the last couple of years and an overlapping of identity and access tools. All of this helps to explain why Microsoft has expanded its identity, authentication, and access product portfolio and why it sees this area as being central to secure access in a connected world.

**Identity As a Trust Fabric**

By launching Entra, Microsoft plans to move forward, by expanding their identity and access solutions so that they can serve as a "trust fabric" for the _entire_ digital ecosystem, now and long into the future.

The "trust fabric" is an identity mesh of connections that secures, governs, and manages for Microsoft products. To make this vision a reality, identity must evolve. This interconnected world requires a flexible and agile model where people, organizations, apps, and even smart devices could confidently make real-time access decisions.

**Conclusions**

Microsoft has traditionally been seen as the unspoken giant of identity. With the Entra announcements it is now entering the fray in a more direct fashion, and other IAA vendors need to sit up and take notice of these developments. Where once they simply played nicely with Active Directory as the backend identity repository for their technology, Microsoft may now be coming for their lunch.

The next few years will certainly be an interesting time in the identity space, with new entrants, new product launches and more mergers and acquisitions. Omdia predicts disruption and displacement, with Microsoft as the disruptor in chief!

Microsoft Going Big on Identity with the Launch of Entra

Cyber mercenaries in countries like India, Russia, and the UAE are carrying out data theft and hacking missions for a wide range of clients across regions, a couple of new reports said.

The threat associated with nation-state-backed hacking groups has been well-researched and chronicled in recent times, but there's another, equally dangerous set of adversaries that's operated comparatively in the shadows for years.

These are hack-for-hire groups that specialize in breaking into systems and stealing email and other data as a service. Their clients can be private investigators, law firms, business rivals, and others that don't have the capabilities to carry out these attacks on their own. Such cyber mercenaries often openly advertise their services and target any entity of interest to their clients, unlike state-backed advanced persistent threat (APT) actors, which tend to be stealthy and have specific missions and a tight target focus.

Researchers from Google's Threat Analysis Group (TAG) this week released a report on the threat, using hack-for-hire ecosystems in India, Russia, and the United Arab Emirates as examples of the prolific nature of the criminal activity. The TAG researchers identified the services offered by cyber mercenaries as different from that offered by surveillance vendors that sell tools and capabilities for others — such as intelligence agencies and law enforcement — to use.

**Broad Range of Targets**

"The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets," said Shane Huntley, director of Google TAG, in a blog Thursday.

As an example, he pointed to a recent operation that Google observed where an Indian hack-for-hire outfit targeted an IT company in Cyprus, a shopping company in Israel, a financial technology company in the Balkans, and an academic entity in Nigeria. In other campaigns, Google has observed these groups targeting human rights advocates, journalists, and political activists.

"They also conduct corporate espionage, handily obscuring their clients' role," Huntley wrote.

Google's report on hack-for-hire activity coincided with a lengthy Reuters investigative report on how parties involved in courtroom litigation have in recent years hired Indian cyber mercenaries to steal information from the other side that would give them an edge in the battle.

Reuters said it was able to identify at least 35 instances going back to 2013, when someone involved in a lawsuit hired Indian hackers to obtain information from the entity they were litigating against. One of them involved a $1.5 billion legal battle between the Nigerian government and the heirs of an Italian businessman over control of an oil company.

In each of these instances, the hackers sent phishing emails to targeted victims with malware for stealing credentials for their email accounts and other data.

**Numerous Hacking-for-Hire Victims**

Reuters said it identified some 75 US and European companies, three dozen advocacy groups, and numerous business executives in western countries that were the targets of these attacks. In all, over the seven-year period that was the focus of the investigation, Indian hackers sent some 80,000 phishing emails to 13,000 targets across multiple countries.

Among those whose email inboxes the attackers tried to access were at least 1,000 attorneys at 108 law firms, such as Baker McKenzie and Cooley and Cleary Gottlieb in the US and Clyde & Co. and LALIVE in Europe.

Reuters described the report as being based on information from victim interviews, US government officials, lawyers, and court documents from seven countries. Also helping with the investigation was a database of those tens of thousands of emails sent by the Indian hackers that Reuters said it received from two email providers.

"The database is effectively the hackers' hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020," the Reuters story stated.

Among the Indian entities that Reuters named in its report were Appin, BellTroX, and Cyberoot — all of which shared infrastructure and staff at some point.

**Tracking Cyber Campaigns**

Google said it also has been tracking Indian hack-for-hire operators, many of which were associated with Appin and BellTroX, since 2012. A lot of the activity has focused on organizations in the government, telecom, and healthcare sectors in the UAE, Saudi Arabia, and Bahrain, according to TAG.

Google's report also described hack-for-hire operators that TAG researchers have been tracking in Russia and the UAE. One of them is a previously known Russian actor that others have referred to as Void Balaur, which has spied on thousands of individuals and stolen private information about them for sale to various clients.

This is not the first time that security researchers have sounded a warning on hackers-for-hire. Trend Micro, for instance, reported on the Void Balaur threat in November 2021. A year prior, BlackBerry security researchers reported on a hack-for-hire group it had observed called CostaRicto, which targeted victims in multiple countries, many of them in South Asia.

"The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," TAG's Huntley wrote.

Google: Hack-for-Hire Groups Present a Potent Threat

It didn't have to be this way: So far 2022's tranche of zero-days shows too many variants of previously patched security bugs, according Google Project Zero.

So far this year, a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild, according to an analysis – and half of those were preventable flaws.

According to Google's Project Zero, nine of the issues were simply variants of previously patched bugs, with four being variants of previous 2021 in-the-wild zero-day bugs. Since these are closely related to security weaknesses that have been seen before, it blows a hole in the theory that zero-day exploits are so advanced that defenders can't hope to catch them, Project Zero's Maddie Stone notes.

"\[After\] the original in-the-wild zero-day \[was\] patched, attackers came back with a variant of the original bug," she explains in a Thursday blog post. "Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched."

The slate of 2022 zero-days affects a wide range of platforms, including Apple iOS, Atlassian Confluence, Chromium, Google Pixel, Linux, WebKit, and, of course, Windows (including the Follina and PetitPotam vulns).

In some these cases (Windows win32k and Chromium), the proof-of-concept attack path was patched but not the root cause, so attackers could trigger the original vulnerability through a different path. In other cases, such as PetitPotam, the original vulnerability was patched but "at some point regressed so that attackers could exploit the same vulnerability again," Stone says.

"The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method," she says. "To do that effectively, we need correct and comprehensive fixes."

18 Zero-Days Exploited So Far in 2022

A recent analysis of breaches involving application programming interfaces (APIs) arrives at some eye-popping damage figures, but which companies are most affected, and in what ways?

US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web application programming interfaces (APIs), which have proliferated with the increased adoption of cloud services and DevOps-style development methodologies, according to an analysis of breach data.

In the last decade, API security has grown to become a significant cybersecurity issue. Acknowledging this, the Open Web Security Application Project (OWASP) released a top-10 list of API security issues in 2019, flagging major API weaknesses — such as broken authorization for objects, weak user authentication, and excessive data exposure — as critical issues for software makers and companies that rely on cloud services.

According to the Quantifying the Cost of API Insecurity report out this week, published last week by application-security firm Imperva and risk-strategy firm Marsh McLennan, security issues will only likely grow as APIs continue to become a common pattern for cloud and mobile infrastructure.

"The growing security risks associated with APIs correlates with the proliferation of APIs," says Lebin Cheng, vice president of API security for Imperva. "The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs."

Interestingly, the business losses have less to do with API-specific issues, the analysis found. Rather, breach recovery and interruption of operations account for the majority of the cyber-losses. Only a small subset of companies in any country suffered losses directly linked to API vulnerabilities, the report found.

**API Losses Vary by Business Segment**

The Marsh McLennan data comes from reported breaches, which represents a subset of all businesses. It found that when drilling down into the data, important differences between impact can be drawn out.

For instance, certain kinds of companies (larger firms in IT and professional services, for example) are much more likely to face API-related security incidents than others (smaller companies, say, in the finance sector).

"The $12 billion is not distributed over millions of companies," a Marsh McLennan spokesperson said. "The number of breached companies, especially due to API insecurity, is considerably lower."

Small firms face the highest absolute number of API security events, with most incidents affecting companies with less than $50 million in revenue. Yet API-related incidents only accounted for about 5% of their overall number of security incidents. Conversely, large companies with more than $50 billion in revenue are at a much higher risk of breaches related to APIs, with at least 20% of their security events involving APIs.

To some extent, the increased risk for large companies is due to the growth in the attack surface area caused by APIs, but larger companies are also more attractive targets, says Imperva's Cheng.

"The proliferation of APIs, combined with the lack of visibility into these ecosystems, creates opportunities for massive, and costly, data leakage," he says. "These are issues that scale with an organization's size. Larger organizations have more APIs in production, and limited visibility leaves a larger number of APIs vulnerable. This makes enterprises an attractive target."

Similarly, firms in Asia had slightly more than 100 combined API security events, and US companies had more than 600 API security events. The sheer number of reported security events overall in the United States resulted in API incidents accounting for a much lower share of the pie — about 5% compared to more than 15% for Asia.

**How to Cope With API Security Concerns**

Unlike other types of application vulnerabilities, API security weaknesses typically exploit authorization, authentication, or business logic issues. The exploitation of APIs often results in access to data or the ability to bypass an authorization check, says Cheng.

To prevent this, companies need to gain visibility into how they are using APIs and create a complete inventory of the API traffic in their network, he says.

"API-related security incidents are sophisticated attacks that use a valid API token to exploit a vulnerability in the business logic to access the data layer," Cheng says. "Without the right visibility into the API schema, or the changes being made to the schema, organizations are often unaware if an API is compromised or what data is exfiltrated through the compromised API."

API attacks generally form the initial access vector for a larger campaign, so while the initial intrusion may seem non-critical, the end result could be a widespread compromise, Cheng says.

"API abuse is often part of a larger campaign that involves online fraud, like account takeover or automated scraping," he says. "Organizations need protection from a range of attacks that a criminal may use to abuse the API and get to the underlying data. If the organization is only focused on protecting the API endpoint, they're overlooking attacks on the application and/or business logic."

API Security Losses Total Billions, But It's Complicated

Malicious ISS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.

Attackers once focused on exploiting ProxyLogon Microsoft Exchange server vulnerabilities have made a pivot to the new SessionManager backdoor, which can be used to gain persistent, undetected access to emails -- and even take over the target organization's infrastructure. 

Researchers from Kaspersky today report the emergence of SessionManager, which they say is part of a bigger trend of attackers deploying malicious backdoor modules inside Internet Information Services (ISS) servers for Windows, like Exchange servers.   

The malicious SessionManager backdoor, first observed in March 2021, has been used to target nongovernmental organizations (NGOs) across Africa, Europe, the Middle East, and South Asia, the researchers add. The Kaspersky report says 34 servers across 24 individual NGOs have been compromised by SessionManager. 

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021," said Pierre Delcher, senior security researcher at Kaspersky, in a post about the findings. "The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild."

The Kaspersky team recommends regular threat hunting for malicious modules in exposed ISS servers and focusing detection on lateral movement across the network, as well as close monitoring of data exfiltration to the Internet. 

"In the case of Exchange servers, we cannot stress it enough: The past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” Delcher warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exchange Servers Backdoored Globally by SessionManager

Titaniam’s ‘State of Data Exfiltration & Extortion Report’ also finds that while over 70% of organizations had heavy investments in prevention, detection, and backup solutions, the majority of victims ended up giving into attackers' demands.

**SAN FRANCISCO, Calif., June 30, 2022 -** Titaniam, Inc., the industry's most advanced data security platform, announced today the ‘State of Data Exfiltration & Extortion Report.’ The survey revealed that while over 70% of organizations have an existing set of prevention, detection, and backup solutions, nearly 40% of organizations have been hit with ransomware attacks in the last year, and more than 70% have experienced one in the previous five years, proving existing solutions to be woefully inadequate in managing the risks and impacts from these attacks.

Data exfiltration during ransomware attacks is up 106% relative to where it was five years ago. We are seeing the emergence of a new trend where cybercriminals are no longer limiting themselves to just encrypting entire systems—they are making sure to steal data ahead of the encryption so that they can have additional leverage on the victim. The survey found that 65% of those who have experienced a ransomware attack have also experienced data theft or exfiltration due to the incident. Of those victims, 60% say the hackers used the data theft to extort them further, known as double extortion. Most of them, i.e., 59% of victims, paid the hackers, implying that they were not helped by their backup or data security tools to prevent this fate.

Data is being exposed for theft and extortion in other ways too. Nearly half (47%) uncovered publicly exposed data in their systems in the last 24 months. It was found that respondents have a mix of data security & protection (78%), prevention & detection (75%), and backup and recovery (73%) in their cybersecurity stacks. Still, exposure and extortion numbers imply a missing puzzle piece regarding attacks.

Interestingly, observing peers being attacked (33%), management’s request (29%), and compliance (24%) are mostly driving budget decisions, while just 10% say it’s learning from their own attacks. 90% agree or somewhat agree that they have a sufficient budget for data security tools. 59% claim data security has the highest security spend. Yet, in the face of these attacks and data exposures, nearly all (99+%) respondents would be interested in data security solutions that protect sensitive data at all times, including while active and in use.

Promisingly, the survey revealed organizations have enough budget to improve which solutions security and data teams are using. This indicates that boards and executives appear to recognize the importance of cybersecurity to business success.

“Reliance on legacy technologies worked for years, but as bad actors continue to evolve, our technology must evolve as well,” said Arti Raman, CEO and Founder of Titaniam. “It is unfortunate that organizations continue to believe that investing in detection, backup, and recovery solutions constitutes the complete solution to ransomware. These organizations overlook data security, which, when not implemented adequately, becomes the ultimate reason attackers gain excessive leverage and win—the results of this survey highlight this enormous gap in current cybersecurity solutions. Suppose over 70% of experts claim to use data protection, prevention and detection service, and backup and recovery. Why are 60% still being extorted, and even further, why are 59% paying the ransom? There needs to be a deep look at how we as an industry approach ransomware protection. We need to understand that while prevention, detection, and backup are essential, no ransomware defense strategy is complete without eliminating data exfiltration. This is what would take us beyond the notions of impenetrability and towards immunity.”

With survey results showing that along with overall backup and recovery, data masking (54%), encryption at rest (49%), encryption in transit (49%), and tokenization (25%) are the main means of protection, we must accept that these are simply not enough to get enterprises the data protection they need to beat ransomware.

Fortunately, organizations can now look to advanced data security platforms like Titaniam, which combine traditional data protection techniques like the ones above, with high-performance encryption-in-use, and highly sophisticated key control to close the gaps being exploited by ransomware and extortion actors. Systems protected by Titaniam do not yield unencrypted data even if they are attacked using highly privileged credentials, as in a vast majority of data exfiltration-based attacks.

\*This survey was conducted by CensusWide, polling 100 IT security professionals.

**ABOUT TITANIAM**

Titaniam is the industry’s most advanced data security platform that utilizes high-performance encryption-in-use to keep valuable data secure even if the enterprise is breached and its data stolen. With the ability to process data without decryption as well as support nine different privacy-preserving data formats, Titaniam is the market's answer to address ransomware and extortion, insider threats, and data privacy enforcement. In addition to cutting-edge encryption-in-use, a single deployment of Titaniam provides the equivalent of three other categories of data security solutions. In the event of an attack, Titaniam offers auditable evidence that valuable data retained encryption throughout the attack, thus minimizing compliance as well as notification obligations. Titaniam was founded in 2019 and has offices in Silicon Valley and India. To learn more, visit https://titaniam.io/.

Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion

A password link that didn't expire leads to the discovery of exposed personal information at a payments service.

_Editor's Note: Dark Reading was able to verify that the issue Cerrudo found was present as of June 24, when we created an account on Veem and confirmed that the personal information and partial bank account information was visible to anyone else. We also confirmed that even after deleting the account, most of the information remained accessible. We contacted Veem, and they provided this comment:_

_"Veem is committed to safeguarding customer information and funds and has in place a comprehensive security program that includes internal, external and regulatory assessments. We have responded to Mr. Cerrudo, and we continue to evaluate information provided to us by customers or third parties to ensure that any issues raised from those sources are included in our roadmap, as appropriate. As a matter of policy, we do not publicly comment on specifics of our program, other than to reinforce that we take our obligations seriously and devote substantial resources to deliver services in a reliable and secure manner."_

Over the years I have made hundreds of disclosures, and it still amazes me how some companies have such bad security practices and lack of security awareness.

This is a cybersecurity horror story from Veem, a well-funded fintech company that clearly fails badly at security and privacy. What's Veem? From its site: "Easily pay vendors and contractors domestically or internationally in over 100 countries, and get paid faster with one simple, yet powerful digital payments solution. With more payment flexibility and visibility, Veem gives small businesses the power to save time and control cash flow."

This all started when I was using the Veem service. It was pretty good, cheap, and easy to use. I liked it, and I recommended it. But I grew concerned about Veem's approach to security.

First I noticed that it displayed too much information about Veem users who weren't in my contact list. I just ignored it, though, and kept using it. Then one day, I was unable to log in and was forced to change my password via an email with a link to a form. I used the form to change my password, but I noticed something weird in this process, so I left the email marked to take a look at later.

After some days, I remembered about the email I saved and went to take a look. I clicked on the link and was presented again with a form to change my password. That was unusual — the link should have expired because I had already changed my password and because too much time had passed since the link was sent to me. Then, when examining the link, I realized that it was sent using the Mailchimp add-on Mandrill. That meant that this platform, a third-party email marketing and automation service, had access to change my password for many days, since it had the link saved in its systems. This is a really bad security practice that any minimum security check should have identified. I started to believe that Veem's systems hadn't been security tested.

After I found this password change security issue, I got a bit worried about Veem's security overall. It's a fintech solution that allows users to send and get payments, so it deals with a lot of money from its users, including myself. I decided to take a deeper look at some functionality that had looked strange to me but I had ignored earlier. I logged in, accessed this functionality, and, to my surprise, I found out that they were leaking all users' personal information, such as full name, address, city, state, country, email, phone number, date of birth, bank name, account type, and last four digits of bank account number. I couldn't believe what I was seeing — anyone could easily access any Veem user's personal information.  

I had to quickly report these issues — especially the last one, which was very critical. After I got help finding the correct contact email, on March 29, 2022, I emailed \[email protected\] detailing the problems. I was hoping for a quick answer, but no. On April 2, I emailed again, and after two days, still no answer. I was getting worried, since when you report such a critical issue, you should get an instant response. Every day that passes means someone gets another chance to exploit the issue.

Thinking about how to get a response, I got an interesting idea: What about using the security issue to find out information about Veem executives? So I got the Veem CEO's information — all of his information, but I really just needed the email address. I didn't think cold-calling him would be a good idea, and no, I'm not doxing him here. :)

**Initial Outreach**

On April 4 I sent an email to the CEO:

_Hi, I sent this (I forwarded previous email sent to \[email protected\]) almost a week ago and I haven't had any answer._

_There is at least a serious issue that leaks users personal information such as full name, email, date of birth, address, phone number, name of user's Bank, bank account last 4 numbers, etc._

_Please have your security team take a look and answer ASAP._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Later that day, I got the following from \[email protected\]:

_Hello Cesar,_

_I want to thank you for proactively reaching out to us regarding the vulnerabilities you have found on our web application. Unfortunately, we do not have a bug bounty program or a financial reward at this time and there are no exceptions for one-time rewards either._

_In the meantime, we hope you continue leveraging the Veem network for your payments, and keep us informed on any future feedback you may have that will make it better and safer for all of our customers._

_Thank you for your time and understanding._

_Regards,_

_Cyber Security Team_

As you can see, they clearly didn't realize the criticality of the issue and thought that I was just looking for some reward. I had to explain (cc'ing the CEO just in case):

_Hi_

_I'm not looking for any reward, I just want you to take a look at the issues and fix them ASAP, once they are fixed let your users know about it. Also in the meantime provide feedback._

_For a financial institution it is very serious to leak customers information._

_btw, I'm CCing your CEO so he is aware of this, I got his personal information from Veem platform._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Then, after two days, they replied:

_Hello Cesar,_

_Thanks for following up._

_Apropos your findings, we are already tracking the two information leakage-related gaps in our risk register. These gaps exist to support otherwise desirable features — changing their design to eliminate this avenue for data exfiltration is nonetheless on our product roadmap. However, because this logic exists to support features which our customers expect to work, there is no quick or easy solution available. We recognize that this is a shortcoming and are planning appropriate redesign — prioritizing security and privacy, while also retaining essential parts of our product's user journey and customer experience._

_Regarding password reset links, you raise an entirely valid concern regarding link expiry. We have scheduled a fix for release in an upcoming sprint cycle._

_Once again, thank you for your proactive outreach and for helping us improve the security and privacy of our platform._

_Thanks,_

_Veem security team_

**Please Prioritize Security**

Cool, so they're fixing the password reset issue, but the personal information leakage is a feature they can't easily fix? How are they "prioritizing security and privacy"? Welcome to the 2020s, where fintechs prioritize functionality over security and privacy.

At this point it was clear to me that this was a very immature company in terms of cybersecurity and privacy, so I would have to deal with this in the best possible way and try harder to make them understand the issues, collaborate, and act quickly. I replied:

_Hi_

_Thanks for getting back with more details._

_I completely understand your challenges and point of view. What I would like is to have more visibility on this, so I would like to get some timeline information, like when are you planning to start working on the fixes and when they will be ready. As you may know, when vulnerabilities are reported is called responsible/coordinated disclosure, it requires collaboration from both sides and there is a limited waiting period for the issues to be fixed. We can't wait forever, holding back the vulnerability information we have that affects several thousand of your users, if you don't fix it in a short period of time we need to go public and let people know about the issues. If you are not familiar with responsible/coordinated disclosure, please take a look at it to understand these common practices on cyber security._

_I'm open for a quick call if you like so we can be on same page on this._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Twelve days after the above email was sent, I still had no answer at all, so I asked for news. The following day they replied:

_Hello Cesar,_

_We are actively addressing these findings._

_Please be assured that we take this seriously and that customer security and privacy are at the top of our priorities._

_Thanks_

_Veem Security Team_

I wasn't happy with the answer. Such a delay and lack of communication doesn't reflect taking security and privacy seriously.

**Sketchy NDA**

Anyway, I waited for a few days to see if they would get back to me again with more updates — but, no, I had to email them again:

_Hi_

_I'm sorry but it seems you are not understanding how severe the issue is and how to manage it. Please let's have a call urgently and have some decision maker attend. I'm available most days from 1:30pm to 3pm ET_

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

The same day, they replied:

_Hi Cesar,_

_We would like to send you our SOC2 report and set up a discussion but need to put an NDA in place to do so. Our CSO proposes that we connect at 2:15 pm EST on 5 May 2022 to address questions you may have. Here is the link for our eNDA http://bit.ly/VeemNDA_

_Veem Security team_

That was weird — why did they mention the SOC2 report? They wanted to show me they were in compliance? But were they? Also, that was on April 25, and they wanted to have a call in two weeks — more than a month since I sent the initial report — so clearly they didn't feel any urgency.

Plus they wanted me to sign a nondisclosure agreement (NDA). That was an indication of suspect cooperation, in my experience; when a company dealing with a disclosure brings an NDA, it's highly probable they want to keep everything hidden. I discussed this with my team at Strike and got back to Veem the next day:

_Hi_

_Ok, let's confirm the call for 2:15 pm EST on 5 May 2022. We don't usually sign NDA for this so I have to consult our lawyer and will get back to you ASAP._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

After taking a look at the NDA with our lawyer, we identified that it said: _"evaluate the potential for, or the expansion of, a business relationship between the parties..."_

Why would they want us to sign an NDA that mentions business relationships?

**Avoiding the Problem**

On April 28 I replied:

_Hi_

_After evaluating the NDA, it says: "evaluate the potential for, or the expansion of, a business relationship between the parties" which doesn't make sense since we aren't talking about any business here._

_Also the NDA should explicitly exclude the vulnerability information I already shared with you and any previous communication before the NDA is signed. I see two options, we don't sign the NDA or the NDA is modified with my requests. Anyway, I think we can have the call next week without NDA, what's important is to talk about current situation and plans to fix it._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

Unsurprisingly I got no answer. Then on May 4, one day before the call was supposed to take place, I asked for updates:

_Hi, are we having the call tomorrow? please send an invite._

_Thanks._

_Cesar Cerrudo_

_Chief Research Officer_

_Strike_

and later the same day I got the following:

_Hello Cesar,_

_We are pleased to convey that your concerns have been addressed and our platform has been updated. As such, a meeting will not be required._

_Thank you for being our valued customer._

_Sincerely_

_Veem Cybersecurity Team_

Whoa, that was really a surprise. I didn't like the answer, but I thought, "OK, at least they fixed the issues." Of course I have to check, though, so I took a look at the issues again.

The password reset issue was partially fixed but only partially because they continue to use the same mailing/marketing service. And surprise, surprise, surprise — the main issue was not really fixed :(

For the personal information leakage, they only removed the date of birth and the last four digits of the bank account number. But the last four digits of the bank account number were still displayed in another field in same HTTP response, so they were still leaking everything except the date of birth. Really bad fixes.

**In Short: Terrible**

After many efforts and goodwill from our side, Veem proceeded in a very unprofessional and noncollaborative way, demonstrating lack of security and privacy awareness. We decided we needed to go ahead and publish this in order to let people know.

The personal information leakage can allow cybercriminals to easily perform several attacks, such as phishing, SIM swapping, etc., resulting in possible huge money losses.

Veem didn't notify its customers about the issues. Instead it tried to silently fix them — and failed.

Veem users should contact Veem directly and ask for an explanation. In the meantime, we recommend Veem users to set the "List my Information" or "List my business" (depending on account type) user account setting to "NO" — it is set to "YES" by default. Setting it to "NO" doesn't prevent the personal information leakage, but it does make it a bit difficult.

It's hard to understand how a company that has $100 million in investments doesn't allocate proper resources to cybersecurity and privacy, especially when dealing with users' money. Also, I wonder if they are violating any regulations.

Sadly, bad security and privacy practices are not exclusive to Veem. Many fintech companies choose feature release speed and great user experience over security and privacy. From one side, they want to get more customers and delight them, but from the other side, they don't properly protect their customers' data and privacy. Security and privacy should always be top priority, especially in fintech.

Source

DARKReading