Trying to get the whole organization on board with better cybersecurity is much tougher than it may sound.

With cyberattacks becoming more frequent and costly, not to mention the additional challenges inherent in securing a remote workforce, it is more important than ever that organizations build a culture of security. This of course, isn't a new thing to say and yet it keeps needing to be said. So, why haven't we solved this yet?

Part of it is that the work never stops. It's like leading a healthy lifestyle; regardless of how fit and healthy you get, you never arrive at a point where you can just stop making healthy decisions and stay healthy. What makes it more challenging is trying to get a whole organization on board with making all the small decisions to stay secure.

**Don't Be the Team of "No"**

Security teams are often seen as the team of "no," or like the doctor telling you that you should really cut out salty foods entirely. You might agree in general, but how realistic is it that you never have salty foods again? If rules are overly restrictive or they make tasks significantly harder, people are going to cheat the system. We have to find a way to have more carrot and less stick. We have to pave the road for employees so that security isn't a chore.

It is absolutely important for there to be training on phishing attacks, use two-factor authentication, and regularly change passwords. But how could we simplify this process? I'm a big fan of companies giving employees a subscription to a password manager. This solves one of those concerns while arguably making employees' lives a bit simpler. It's very much about building a two-way street rather than being a hardened gate. This allows us to start building in processes alongside other departments that make sense for their workflow. These processes will change from company to company, but the key here is to look for ways that security can be improved while also improving the workflow for employees in general.

**Embrace Agility**

One of the biggest reasons security teams are bypassed is that they hinder agility. There is nowhere this is more true than on the development team. I have worked in the SaaS space for some time, and the development team's ability to deliver, and deliver fast, is the core of what will determine a company's success or failure.

However, developers are notorious for finding ways around security protocols because the protocols slow down how fast they are able to launch applications. While some security teams might see this as a failure on the developer team, I see it as a failure of the security program. SaaS companies must be able to deliver applications at the speed of business while also being secure. It's the security team's job to be the security coach of the organization and that involves implementing policies that don’t hinder the developer's ability to do their job.

As one example, developers often use open source to avoid recreating functions that already exist and are easy to plug in. The danger of this, however, is the source of this code. There is plenty of malicious code out there, and we have seen even some of the most talented developers fall prey to it. To prevent this, organizations should prioritize creating internal repositories of vetted code that developers can pull from. If the organization isn't of the size to create their own internal repository, they should look for vendors who provide scanned code libraries. This way the developer workflow isn't impeded, but it is nonetheless made more secure.

**Break Down Silos**

Another key step is to build the culture so that security belongs to everyone within the organization. Anyone who touches a computer has to be security aware. While the security teams have to be able to work with different departments and effectively integrate into their workflows, it must still be a collaborative effort. When it comes to enabling the development teams, I recommend building a security champion (or security liaison) program. This gives security a seat at the table as the developers are designing applications and planning work.  

Establishing this program as early as possible in your organization will increase your awareness of what is going on within different development teams and ensure security does not become a bottleneck in the software delivery pipeline. Finding people to buy into this model from other departments is as good as gold for security professionals because the advice always goes down smoother when it isn't coming from the security team directly.

The challenge of course is finding individuals who are willing to take on the extra work of advocating for security, but in the absence of a champion, look to at least get liaisons to the different departments. The simple truth is that security teams are stretched too thin to be the one and only protection from malicious actors, so we need to get buy-in from the rest of the organization.

3 Tips for Creating a Security Culture

Attackers almost immediately leapt on a just-disclosed bug, CVE-2022-26138, affecting Atlassian Confluence, which allows remote, unauthenticated actors unfettered access to Confluence data.

A critical Atlassian Confluence vulnerability that was disclosed last week is now being actively exploited in the wild, researchers are warning.

According to researchers at Rapid7, the bug in question (CVE-2022-26138, one of three patched last week) is due to a hardcoded password in the Questions for Confluence app, which would allow cyberattackers to gain complete access to data within the on-premises Confluence Server and Confluence Data Center platforms.

More specifically, once installed, the Questions for Confluence app will "create a user account with a hard-coded password and add the account to a user group, which allows access to all nonrestricted pages in Confluence," according to Rapid7's posting. "This easily allows a remote, unauthenticated attacker to browse an organization’s Confluence instance."

The stakes are high. Many organizations use Confluence for project management and collaboration among teams scattered across on-premises and remote locations. Often Confluence environments can house sensitive data on projects that an organization might be working on, or house it on its customers and partners.

Organizations are urged to patch quickly because the password was made public last week, prompting emergency action by Atlassian. Confluence is unfortunately a popular target for attackers, as evidenced by the active exploitation of the bug tracked as CVE-2022-26134 in June, used to spread ransomware.

Admins should note: The bug only exists when the Questions for Confluence app is enabled, and it does not impact the Confluence Cloud instance. However, crucially, “uninstalling the Questions for Confluence app does not remediate this vulnerability," according to Atlassian's advisory last week.

"Confluence has had no shortage of headlines," Rick Holland, CISO at Digital Shadows, said via email. "Hardcoded passwords significantly increase the likelihood of exploitation, especially when the passwords become widely shared. If you play soccer, hardcoded passwords are 'own goals.' Adversaries score enough goals alone; we don't need to put the ball in our own net. Never use hardcoded passwords; take the time to set up proper authentication and minimize future risks."

Patch Now: Atlassian Confluence Bug Under Active Exploit

By embracing cybersecurity as a critical part of our national security and education strategy, and working together to invest in opportunities for all, we can create a safer, more secure world.

Last week, the White House announced the National Cyber Workforce and Education Summit to address the crisis that is our nation's cybersecurity talent shortage. With over 700,000 open roles alone in the United States, we are facing not only an industry crisis but one that affects national security, as Russia and China and a slew of organized cybercriminal groups continue to wage cyberattacks across the globe.

During the summit, the White House put a stake in the ground, announcing that an official strategy is coming this fall to address this critical issue. Now that this important summit has taken place, here are a few recommendations that policymakers should keep in mind as they formulate the official strategy.

**Treat Cybersecurity as the Skilled Trade It Is**

Coming out of the summit, the Department of Labor announced the 120-Day Cybersecurity Apprenticeship Sprint, expanding the use of Registered Apprenticeship programs to apply to cybersecurity jobs and upskill and train individuals who are interested in breaking into the industry.

While this is a step in the right direction, the government can assist further with the cyber talent gap by increasing support and funding for programs that promote cybersecurity in high schools, provide scholarships in college, cybersecurity trade programs, or even creating an extended cyber "Peace Corps" in which the government would pay for training after which the recipient would give years of service providing free expertise to organizations around the country.

Similarly, we must hold the private sector accountable for providing resources, training, and development programs that are applicable to the industry at large. Many companies now have scholarship programs or apprenticeships, which, in collaboration with public sector initiatives can make a meaningful difference in bringing up the next generation of cyber defenders, especially when it applies to development of new technologies in the field of artificial intelligence, cloud computing, detection and response, and more.

**Harness the Power of the Digital Generation**

As we go through our educational journeys, we are taught basics about history, math, and arts, but we lack common knowledge about things such as personal cybersecurity and data privacy. Despite the digital world our children are growing up in, cybersecurity hygiene isn't introduced at an early age, and therefore it may be seen as a "chore" for them when they become adults.

We need to focus on building always-on cybersecurity literacy, through national cybersecurity literacy programs. These can be introduced at a young age through early education but should also be reinforced through digital citizenship courses and opportunities at the high school level. By introducing cybersecurity literacy earlier, we can open up talent pools and diminish unnecessary obstacles that impede underrepresented communities from participating in the cybersecurity labor market. This investment showcases that the pathway to careers in cybersecurity is tangible and available for all. In turn, we'll inspire a new generation of diverse, aspiring professionals to help create and protect the future of technology.

**Abolish the Silicon Valley Barrier to Entry**

Although Silicon Valley has been the home to some of the most successful technology companies, it's no secret that the socioeconomic barriers to entry are high. Between the cost of living and the highly coveted Stanford or MIT pedigree, it's challenging for members of underrepresented communities or those without an Ivy League degree to make connections with the movers and shakers in the industry. Meanwhile, public and private sector authorities acknowledge that the lack of diversity and inclusion in cybersecurity is a long-term, generational problem with no clear end in sight or solution strategy at a national level.

The US government should partner with the private sector to identify and invest in the rising talent markets across the country, providing incentives to businesses that in turn, are investing in untapped talent markets — such as veterans, non-coastal cities, etc. For example, veterans have a mission-driven mindset that is invaluable to cybersecurity. Along with enhanced apprenticeship programs, the government should work with private sector businesses to invest in this talent pool as part of reentry programs post-service.

Hundreds of thousands of open roles nationwide, in a critical sector, is a daunting figure, but it's also a tremendous opportunity. Public and private sector leaders may disagree at times, but if there's one thing that we've come to agree on, it's that this skill shortage is a crisis, and we must work together to bridge the gap. By embracing cybersecurity as a critical piece of our national security and education strategy, and working together to invest in every avenue of opportunity, we have the chance to create a safer, more secure world.

What the White House's Cybersecurity Workforce Plan Should Look Like

By dynamically mirroring an organization’s login page, threat actors are propagating legitimate-looking phishing attacks that encourage victims to offer up access to the corporate crown jewels.

A phishing campaign is underway that uses mirror images of target organizations' landing pages to trick victims into entering login credentials.

According to a report from security firm Avanan, the malicious actors are then able to use these harvested credentials to gain access to a treasure trove of personal or company files, and access to other applications and other places in the network.

The attack flow starts with emails telling targets that it's time to update their passwords, with a button to click. That takes them to a phishing page that appears to be the organization's Google domain, with a pre-populated email address and a Google reCAPTCHA form, further adding to the veneer of authenticity.

Here's the interesting part: The landing page is dynamically rendered, so that it changes the logo and background presented to match the legitimate domain from the user's email address.

"Though the URL is completely unrelated to the company website, the page looks exactly like the real deal," according to the report, out today. "In fact, it’s a bit-for-bit mirror of the actual company site. The end user will have their email address pre-populated and see their traditional login page and background, making it incredibly convincing."

From there, the phishing page will either request the email twice as validation or, use the credentials in real time in order to verify the password. If the password is good, the user will be directed to a real document or to the organization's home page.

Meanwhile, the user's browser receives a cookie that renders the phishing page "unreachable," preventing any further analysis.

Jeremy Fuchs, cybersecurity research analyst at Avanan, explains that the attackers are after usernames and passwords because of what they can access later.

"They are after these credentials because they are incredibly valuable," he says. "Passwords are keys to the kingdom. They can open financial documents, personnel files, employee records; they can lead to bank accounts and medical records. By stealing credentials, the attackers have a whole bevy of information at their fingertips."

**Ties to SPAM-EGY, APTs**

Fuchs says he's seen this page-mirroring approach off and on for about two years, in attacks from the SPAM-EGY phishing-as-a-service group as well as advanced persistent threats (APTs). 

This current spate of attacks follows the SPAM-EGY group's trademarks, but Avanan researchers note that these attacks differ by targeting Google domains instead of Microsoft 365.

"This represents an evolution of this type of attack and thus may be carried out by a different group," according to the report.

Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet’s FortiGuard Labs, agrees page-mirroring is not a new tactic but certainly an effective one. He points out such mirrored sites are often included in phishing kits that are sold through the crime-as-a-service (CaaS) model  

**Organizations Should Take Note of Telltale Phishing Signs**

A recent report from Kaspersky says that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications. But Fuchs says that, as with most phishing attacks, there are some telltale signs on which organizations need to train users.

"It's important to remind employees to take two seconds and do two quick things: look at the sender address and the URL of the page," he advises. "The sender address is often amiss; that's clue one that something is off. The URL will also likely be off; that's clue two. Infusing that into everything employees do is critical."

Manky adds that any credential transactions should be done securely (HTTPS/SSL), and the certificate should be checked, as the certificate is unique and would not be mirrored.

"Of course, a site that looks completely legitimate will cause the victim to trust further — however, they should not be trusting the content rather the flow," he adds.  

Manky also notes that cyber-hygiene training is a necessity for everyone in the organization, with home workers, not just organizations, being targets of cyberattacks.

"Multifactor authentication and password protection can help protect remote workers’ personal information, and knowing how to spot phishing emails and malvertising schemes will help employees avoid falling for these social engineering ploys," he says.

**Phishers Adopting Sophisticated APT Tactics**

Kristina Balaam, senior threat researcher of threat intelligence at Lookout, says as the general public’s awareness of phishing threats increases, threat actors seem to recognize that they need to improve their tactics to successfully compromise their targets.

"Users are becoming more discerning and aware of the risks that phishing campaigns pose to their personal and financial security," she explains. "When page-mirroring is used to help ensure a phishing page closely replicates a legitimate authentication portal, users are more likely to place trust in the Web application and miss more sophisticated indicators of compromise."

She adds that while some phishing campaigns may use incorrect branding or contain extensive grammatical errors, these more sophisticated pages may only reveal themselves through less obvious indicators, like slightly misspelled domains (that is, typosquatting) domains or missing SSL certificates.

"Phishers take what works and amplify it. If something works, they'll keep at it," Fuchs says. "Given that many of these attacks are available as downloadable 'kits,' the barrier to entry is far lower."

From his perspective, that means there will likely be a continued proliferation of these types of attack spread by various groups, both APT and non-APT alike. Balaam agrees and says she believes this convergence reflects a shift in the willingness of financially motivated threat actors to increase their investment in their campaigns to improve their success rates and generate a greater return on their investments.

"For IT security, this shift seems to be leading us toward a marked increase in the number of everyday users targeted by more sophisticated campaigns with TTPs previously employed primarily by APT actors," she says.

Other recent phishing campaigns from the current avalanche of attacks also show ever-greater sophistication, including the Ducktail spear-phishing campaign and a phishing kit that injects malware into legitimate WordPress sites.

APT-Like Phishing Threat Mirrors Landing Pages

Three observations about our industry that might help demystify security for women entrants.

I speak to women in the cybersecurity industry almost every single day, from our own security team, to prospective candidates, female CISOs, and security professionals at our customers' organizations. I ask them all some version of the same question: What do you wish every woman thinking about a career in cybersecurity knew?

After dozens if not hundreds of these conversations, there are three themes that I hear time and time again as the most important things to know for women when evaluating the cybersecurity profession.

**First, Ignore "Cyber" — It's Just Security**

There's a misconception that cybersecurity is inherently a technical practice, requiring a computer science degree or a science, technology, engineering, and math (STEM) background. And while women have made huge strides within STEM industries, much of that has come in the sciences, with only 25% of women in STEM fields being in computer-related roles.

Women still are underrepresented in software engineering and IT. And many times, cybersecurity gets lumped together with those, and with that comes the belief that it requires the same skills. And that's simply not the case. At the core, the job of cybersecurity teams is to assess, prioritize, and work to resolve risks; nothing in there requires a STEM background or understanding of software engineering.

Sure, these risks might related to code a developer wrote, or a cloud environment the IT team deployed, but reviewing alerts, assessing the impact to the business and the potential risk, and determining the appropriate course of action — those are not things that require a security professional to be a developer or to moonlight in IT. Computer science skills and backgrounds aren't a barrier to the cybersecurity profession — we're a business function, not a technical one.

**Most Important Skills: Communication, Collaboration**

Over the last few years, we've seen more and more essential services, critical infrastructure, and leisure activities move online. This transformation has changed how we all work and live, and brought every aspect of modern business into the digital world, no matter what team you're on.

Software engineering teams creating new applications, hardware teams developing new mobile and virtual-reality devices, IT and DevOps teams building and maintaining cloud infrastructure, sales and marketing teams using all of these resources to track customer interactions and business metrics … everyone has a piece of the digital pie.

If you're on a cybersecurity team, you're tasked with keeping all these teams safe, each and every day. But this isn't something you can do alone. You need help from all of them in order to deliver that protection. This can be anything from asking a team to change their process to support a better security outcome, to requesting a sudden change in priorities to address a critical risk.

Getting this help requires an investment in building relationships, finding the right communication styles for different teams or peers, and focusing on working together to help everyone be safer. Without investments in these skills, you'll find yourself siloed from the very people you're trying to protect every day.

**You’re Part of a Movement Making Our Industry More Equitable**

Look, there's no denying cybersecurity is still a male dominated industry. In 2013, women were a mere 11% of the industry. But we're changing that every single day. Today, women are a quarter of the cybersecurity workforce. It took seven years to go from 11% to 20%, but only two years to go from there to 25%. We're closing the gender gap in cybersecurity faster than ever, across all aspects of the organization. And we're doing it together.

There are great organizations and programs out there that champion equality and diversity in cybersecurity, from Women in Cybersecurity (WiCyS) and Women's Society of Cyberjutsu (WSC), to organizations like Cyersity that support all underrepresented groups in the industry. The SANS Institute has an immersion course for women career-changers and college students looking to learn more. There's a plethora of tools, groups, and resources to support you in your journey every step of the way. You won't be alone and every step you take helps us all.

What Women Should Know Before Joining the Cybersecurity Industry

The peer-to-peer network IPFS offers an ingenious base for cyberattacks and is seeing a stratospheric increase in malicious hosting.

The distributed, peer-to-peer (P2P) InterPlanetary File System (IPFS) has become a hotbed of phishing-site storage: Thousands of emails containing phishing URLs utilizing IPFS are showing up in corporate inboxes.

According to a report from Trustwave SpiderLabs, the company found more than 3,000 of these emails within its customer telemetry in the last three months. They lead victims to fake Microsoft Outlook login pages and other phishing webpages.

**The Astronomical Advantages of IPFS**

IPFS uses P2P connections for file- and service-sharing instead of a static URI resource demarked by a HTTP host and path, according to the Thursday analysis — which offers big benefits for malicious users.

For once, IPFS is designed to be resistant to censorship by making content available in multiple places — meaning that even if a phishing site is taken down in one place, it can quickly be distributed to other locations. This makes it very difficult to stop a phishing campaign once it's started.

"In a centralized network, data is not accessible if the server is down or if a link gets broken. Whereas with IPFS, data is persistent," the report notes. "Naturally, this extends to the malicious content stored in the network."  

P2P also gives those phishers an additional layer (and potentially multiple layers) of obfuscation because the content doesn't have a static, blockable address — and this bolsters a greater likelihood of phishing emails evading scanners and arriving in a victim's inbox.

"So, in addition to the benefits for attackers \[related to\] 'traditional cloud services,' this layer of obfuscation provides the attackers with additional benefits," Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading.

Furthermore, because IPFS is a decentralized system, it means there is no central authority that can take down a phishing site. This makes it much harder for law enforcement and security researchers to take down phishing sites hosted on IPFS.

"This represents a significant evolution in phishing, as it's now much harder to take down phishing sites and block access to them," says Atif Mushtaq, founder and chief product officer at SlashNext, an anti-phishing company. "Organizations need to be aware of this new development and adjust their defenses accordingly."

He explains that one way to do this is to use DNS sinkholing to block access to IPFS-based phishing sites. That's a technique where DNS requests for a phishing site are redirected to a dummy server.

"This prevents users from accessing the phishing site, as they will only be able to reach the dummy server," Mushtaq says. "Organizations can also use Web filters to block access to IPFS-based phishing sites."

**More Sophisticated IPFS Tactics Likely to Emerge**

Mushtaq warns that phishers may start using even more sophisticated methods for replicating sites, such as using distributed hash tables (DHTs), a type of data structure that is often used in P2P systems, which provide a way to distribute data across many different machines.

Sigler says there will likely be greater adoption of IPFS by malicious actors, which will have the effect of making the technique more common and likely easier to spot.

"However, with more focus from those attackers, we will likely see more creativity brought to the table and IPFS utilized in ways we haven't see yet," he adds.

**Phishing Overwhelms Orgs**

Phishing attacks are already causing massive security headaches for organizations: Just this week, Ducktail was discovered targeting marketing and HR professionals through LinkedIn to hijack Facebook accounts. And earlier this month, Microsoft announced that 10,000 organizations were targeted in a phishing attack that spoofed an Office 365 authentication page to steal credentials.

Sigler explains that using IPFS for obfuscation can provide security admins with a new attack vector that they may not have considered before.  

"We recommend educating yourselves and your staff about how IPFS works and take a look at the specific examples in the blog post for how IPFS is utilized in specific ways," he says. "Given how it's being utilized by phishing campaigns right now, we also recommend monitoring for unexpected email for URLs that contain IPFS pointers."

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says the first response with phishing is always the same: better user education.

"A phisher, in any of their myriad forms, relies on a target not being attentive and falling for their bait," he explains. "Here, the attackers are using IPFS to help conceal their origin, but a prepared user should be able to see through the ruse and not take the bait."

He points out it's hard to say how threat actors will alter their techniques going forward.

"As defensive tools get better, the attackers adapt and improve their game. The challenge is getting the users educated to recognize these attacks and not take the bait," he explains. "Moving to IPFS for distribution gives threat actors some advantages but doesn't change the fact that a lot of these attacks rely on the victim not realizing they are being attacked."

1,000s of Phishing Attacks Blast Off From InterPlanetary File System

With Microsoft disabling Office macros by default, threat actors are increasingly using ISO, RAR, LNK, and similar files to deliver malware because they can get around Windows protections.

Threat actors have sharply reduced the use of one of their favorite malware distribution tactics following Microsoft's decision earlier this year to disable Office macros in documents downloaded from the Internet. However, container files have risen to help cyberattackers get around the issue.  

This pivot is clear: In the months since Microsoft's Oct. 21 announcement that it would disable macros by default, there's been a 66% decline in threat actor use of VBA and XL4 macros, according to Proofpoint.

Other security vendors such as Netskope have also observed a substantial drop in Office-based attacks following Microsoft's move. In July 2022, the percentage of Office malware that the security vendor's cloud security platform detected was less than 10% of all malware activity, compared with 35% a year ago.  

Researchers at Proofpoint who have been tracking the pivot to container files said this week that attackers have begun using a variety of new file types as alternatives to hiding malware in macro-enabled documents attached to email messages. This particularly includes switching to using files such as LNK, RAR, IMG and ISO files in their recent campaigns, according to the security vendor.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says researchers at his company have noticed, for instance, an increase in attacks using ISO files. Often these attacks have targeted non-technical staff such as sales or customer service representatives, he says. Usually, the attackers try to convince the victim to download and open the ISO file under the guise of scheduling a meeting  

**Same Tactics, Evolving Delivery Mechanisms**

"Generally speaking, these other file types are directly attached to an email in the same way we would previously observe a macro-laden document," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. 

However, there are also cases where the attack chains are more convoluted, she says. For example, with some recent QakBot (aka Qbot) banking Trojan campaigns, threat actors embedded a zip file containing an ISO within an HTML file that was directly attached to a message. 

But, "as for getting intended victims to open and click, the methods are the same: a wide array of social-engineering tactics," DeGrippo says.

In addition, she notes that before Microsoft's macros announcement, a variety of actors were already using archives and image files to distribute malware, so this is not new technique by any means. "\[The increased use of container files should be seen as\] more of a realignment or pivot to existing techniques that should already be accounted for in a defensive posture," she says.

**Getting Past Mark of the Web Protections**

Attackers have made the switch because container files give them a way to sneak malware through the so-called Mark of the Web (MOTW) attribute that Windows uses to tag files downloaded from the Internet, DeGrippo says. 

Such files are restricted in what they can do and — starting with Microsoft Office 10 — are opened in Protected View by default. 

Executables that have been tagged with the attribute are checked against a list of known trusted files and prevented from executing automatically if the check shows the file to be unknown or untrusted. Instead, users get a warning about the file being potentially dangerous.

"MOTW is metadata stored in an alternate data stream, and generally speaking, that data only exists for the outermost container: the file directly downloaded," DeGrippo tells Dark Reading. 

The key is that the document inside a container file — a macro-enabled spreadsheet, for instance — will not be tagged the same way. 

"The interior or archived files were not downloaded and, in many cases, will then not have any MOTW metadata associated with them," she says. In these instances, a user would still need to enable macros for the malicious code to run, but the file would not be identified as having come from the Web and therefore would not be considered untrusted.

MITRE's ATT$CK database also identifies container files as one way threat actors can bypass MOTW to deliver malicious payloads on target systems. 

"MOTW is a New Technology File System (NTFS) feature and many container files do not support NTFS-alternative data streams," MITRE has noted. "After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections."

Russia's APT29 gang (aka Cozy Bear) and the TA505 group (the threat actor behind the Locky ransomware variant and the Dridex banking Trojan), are both examples of cyberattackers that have used container files to subvert MOTW protections and deploy malicious payloads, according to MITRE.

**Easier to Block**

Security researchers have widely welcomed Microsoft's decision to disable macros in files from the Internet. Attackers have long used macros to distribute malware, relying on the fact that users often leave macros enabled by default, therefore giving them a relatively straightforward to execute malicious payloads on victim systems. Microsoft itself has urged users to disable Office macros when not needed citing security concerns. But the company did not make it a default setting until earlier this year.  

DeGrippo says Microsoft’s decision to disable macros as default behavior impacts defenders in a positive way even if threat actors are looking at other ways to distribute malware. 

"Organizations generally have a hard time blacklisting filetypes like Word and Excel documents," she says. "But something like ISOs are often less essential to a company’s day-to-day operations," and can therefore be more easily put on a block list.

Keeper Security's Tiquet agrees. Current endpoint security systems can block most of these attacks, but "users must be aware of and trained about this kind of attack," he says.

In a Post-Macro World, Container Files Emerge as Malware-Delivery Replacement

Dark Reading's analysis suggests that the merger between Human Security and PerimeterX will bring modern defense strategies to disrupt cybercrime and fraud.

Human Security, a company focused on bot mitigation and fraud detection, announced its merger with PerimeterX, a company focused on safeguarding Web apps from account takeover and automated fraud.

Dark Reading analyzed the two companies in order to assess the impact the merger will have on customers and on the overall bot defense market. Our assessment is that, separately, the two companies addressed different parts of the bot, account abuse, and fraud problem. Going forward, the merged company, operating under the existing Human Security name, will offer a strong product portfolio showcasing Human's bot defense capabilities and PerimeterX's comprehensive account protection capabilities. Enterprises will be able to safeguard against bot attacks via a single Human Defense Platform, which would be attractive to both features-focused CISOs and managers interested in consolidating the number of vendors they are working with.

The new company, Human, will serve more than 500 customers and have more than $100 million in ARR (revenue). Human Security's CEO Tamer Hassan will continue as CEO of the combined company, while Omri Iluz, the CEO and co-founder of PerimeterX, will become general manager of the Enterprise security division and join the board. Ido Safruti, PerimeterX's co-founder and CTO, will join as CTO of the Enterprise security division at Human. Financial terms of the merger were not disclosed.

**The Bot Problem**

Bot management and defense is often viewed as an extension of the Web application firewall, as it handles an array of Web application and business-logic abuse attacks. Business-logic abuse, or Web attacks that abuse the legitimate processing flow of an application, is a growing problem for enterprises and a difficult one to mitigate.

Many attack surface management and detection products fail to see business-logic attacks because they look like normal user activity. An attack-focused CISO may overlook these attacks because they don't look like a direct attack on the organization the way a SQL injection or cross-scripting attack would. A compliance or governance-focused CISO could also miss these attacks because they typically don't violate regulatory standards.

In fact, these types of attacks are often discovered by the CMO examining business performance and finding that website activity did not correlate with forecasted results. Business-logic abuse attacks show up in situations where bots buy up popular items and scalp them as part of an unauthorized secondary market, consume content to make it look like there is user engagement when there isn't, use stolen payment cards or gift cards to make purchases, and fraudulently take over accounts via credential-stuffing attacks, to name a few.

CISOs looking at bot defense, account abuse, and fraud protection want to be able to detect undesirable or unwanted actor behavior and make it uneconomic for an attacker to misuse e-commerce processes without impacting legitimate user activity.

**Analysis: Strength, Weakness, and Opportunity**

Human's platform addresses an array of media security challenges: digital advertising fraud, CTV fraud and misrepresentation, mobile app and malware, abuse and spoofing, paid marketing manipulation, lead generation fraud, loyalty program abuse, and coupon and promotion fraud. Both Human and PerimeterX also address enterprise security risks such as account takeover, fake account creation, carding, client-side supply chain attacks, digital skimming, PII harvesting, Web scraping, scalping, and denial of inventory.

Dark Reading's analysis suggests that a specialist like the combined company of Human will be able to expand its abilities to detect, identify, and actually disrupt sophisticated cybercriminals. The wider product portfolio means more signal and visibility across the Internet, giving the new company richer data assets. Human's platform gives insight into front-wave activity and identity through ad-tech signals, whereas PerimeterX gives insight into BLA attack patterns. Data collected by each product will complement the other product's capabilities.

With the merger, the companies will be able to invest even more in research and development efforts to develop new capabilities for the platform and new products. The combined company will be able to expand into adjacent product areas such as fraud analytics, identity verification, and authentication.

However, a wider product portfolio increases the chance that enterprises already have deployed some of the elements, potentially increasing the customer's resistance to buying into this portfolio.

It doesn't appear, according to Dark Reading's analysis, that customers will see much — if any — immediate disruption as a result of the merger. Both companies have similar customer acquisition and retention models. While Human's customers tend to be ad tech, performance marketing, and cybersecurity/application security teams in organizations, PerimeterX has worked mostly with security and e-commerce digital teams with e-commerce companies. Joining these silos means that customers will have a fully articulated solution addressing key business needs. Both organizations have Client Success Teams and dedicated sales leads that focus on retention.

"Our advanced technology, combined resources, mission-focused teams, and industry-leading strengths will enable us to create the most comprehensive Human Defense Platform that offers the most complete protection for enterprises and internet platforms across advertising, marketing, ecommerce, and cybersecurity," says Hassan.

When Human Security Meets PerimeterX

HARTLAND, Wis., July 27, 2022 /PRNewswire/ -- OneTouchPoint, Inc. ("OTP") is providing notice of an incident that may affect the privacy of certain individuals' personal information. OTP is a vendor who provides printing and mailing services to various health insurance carriers and medical providers. To perform these services, OTP was provided certain information by its customers. OTP is providing details of the incident, its response, and steps individuals may take to better protect their personal information, should they feel it appropriate to do so. This notice is made on behalf of the impacted covered entities listed at the website referenced below.

**What Happened?** On April 28, 2022, OTP discovered encrypted files on certain computer systems. OTP immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity. The investigation determined that there was unauthorized access to certain OTP servers beginning on April 27, 2022. On June 1, 2022, OTP learned that it would be unable to determine what specific files the unauthorized actor viewed within the OTP network. OTP provided a summary of the investigation to its customers beginning on June 3, 2022. OTP later determined that the impacted systems contained certain information related to individuals provided by its customers. While OTP is unable to say definitively what personal information was accessed by the unauthorized actor, OTP worked with their customers to determine what personal information related to individuals was stored on the OTP network, to whom that information related and OTP offered to mail letters to potentially impacted individuals on behalf of these customers. OTP has seen no evidence of misuse of any information related to this incident.

While the specific data elements vary for each potentially affected individual, the scope of information potentially involved includes an individual's name and one or more of member identification number, information provided as part of a health assessment, address, date of birth, description of service, date of service and diagnosis codes. One covered entity had Social Security numbers of members impacted.

OTP takes the confidentiality, privacy, and security of personal information in its care seriously. Upon discovery, OTP immediately commenced an investigation to confirm the nature and scope of the incident. OTP reported this incident to law enforcement and appropriate regulatory authorities, and OTP is taking steps to implement additional safeguards and review policies and procedures relating to data privacy and security.

OTP encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and monitoring free credit reports for suspicious activity, and detect errors.

Individuals who want additional information about this event or to see a list of impacted customers can visit OTP's website at 1touchpoint.com.

SOURCE ONETOUCHPOINT

OneTouchPoint, Inc. Provides Notice of Data Privacy Event

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

Once we acknowledge that one of the weak links in cybersecurity is us humans, the natural next step is shore up that vulnerability, usually through training. But does watching a video or clicking through a quiz help you know what to do when you're actually faced with a security threat in the flesh? Probably not. So logically, you have to practice with a physical threat to learn how to deal with them — even when it comes in the form of a fellow who smiles at you in a goofy t-shirt.

    

Don't let this man use your computer, even if he asks nicely. (Source: Atkins)

The United Kingdom's Ministry of Defence (MOD), like most organizations concerned with matters of war and national security, is well aware of the importance of a security-savvy workforce. Military-affiliated organizations also have a strong built-in hierarchy that emphasizes compliance and makes it difficult for workers to contradict authority, sometimes known as the fail-to-challenge vulnerability. MOD needed its workforce to be able to assert themselves when they see a potential problem. To that end, the ministry teamed up with outside experts to create a program that gives people opportunities to practice recognizing — and even more importantly, responding to — physical security risks in what the UK MOD Cyber Awareness, Behaviours & Culture team (CyAB&C) calls a "malicious floorwalker" exercise.

Essentially, someone walks into a workplace and wanders around, trying to get people to do risky things like letting them borrow a computer or scan a USB key.

"Grounded in robust psychological theory interwoven with social engineering practice, it is a way to manage human vulnerability rather than just uncover it," behavioral scientists Simon Pavitt and Stephen Dewsnip wrote in their Black Hat presentation. "By making it as obvious as possible that a challenge is required it leverages the social cues and psychological tensions felt by the individual, leaving them with no option but to raise a challenge."

**Exercise Makes You Stronger**

Back in 2020, Pavitt, a UK army veteran and civilian employee of MOD, solicited proposals for contractors to "help improve cyber awareness, behaviors, and culture" at the government agency. A consultancy called Atkins won the contract, which became the CyAB&C project.

The project's malicious floorwalker exercises involved a person wandering around an office site trying to provoke workers into challenging his conduct and presence. "Lots of people have done penetration type tests where they try not to get caught doing something risky – but we've not yet seen anything else where people are actively trying to get caught and in a lighthearted and humorous way," Dewsnip, the Atkins consultant co-presenting at Black Hat, tells Dark Reading.

Far from a tabletop exercise, the malicious floorwalker is an in-person effort that aims to get people more comfortable with the idea and practice of challenging other people's unsafe behaviors. Dewsnip adds, "We are using all the techniques of a social engineer, and the things that an SE would use to manipulate people, but we're doing it for good, not evil."

"What we do is not a test — it's an opportunity to practice a set of behaviors, in a safe space, that we're rarely given the opportunity to practice," Dewsnip says. He is careful to point out that nobody fails this exercise since the focus is on getting workers comfortable with new actions, and not to assess their current state of security knowledge. "We leave people with a positive sentiment towards challenging \[unsafe behaviors\]."

And the data bears that assertion out. According to post-exercise questionnaires, 91% of the people who engaged directly with the floorwalker said they would now directly challenge things they thought were a risk.

**'What Are You Lot Up to Now?'**

While training employees to improve their security practices at a defense office is serious business, this lighthearted exercise prompted some hilarious interactions. For example, after one exercise, Dewsnip says that when the floorwalk team went outside to have their lunch, "we were suddenly heckled from that second story with people shouting things like 'what are you lot up to now?' and 'we can still see you!'"

Some people, especially those who were already confident in their security practices, took things more seriously, he adds. "We have had cyber policy quoted at us to prevent us from getting our way, we have been marched to security offices, and have had others contacting the security team in secret via MS Teams, whilst keeping us occupied so that we couldn't leave."

Dewsnip points out that the funny reactions showed that the exercise was working. "People are engaging with the floorwalker," he says. "They understand that the floorwalker is there to be challenged and in a safe space, and in doing so, they're ... building that mental script required to challenge successfully and are beginning to become comfortable with it, overcoming some of the social anxieties or uncertainties that exist with challenging in the workplace."

**Learning Lessons All Around**

So almost everyone who engaged with the floorwalker felt more confident in challenging the next dodgy visitor. What other benefits has this project sown? Dewsnip says that managers of the sites they visited report that personnel there "have successfully challenged others on things they were doing that could have been risky – including people challenging upwards (i.e., challenging those more senior than them, which in a military setting is a big deal!)."

The project emphasized making the exercise fun, giving people a chance to practice free from fear and punishment. Hence the amiable floorwalker in the picture above, who has helpfully labeled himself "Cyber Threat." This reassuring attitude dovetails with the push in other sectors to create a culture in which people feel secure enough to admit when they've made an error.

"Far too often security and IT professionals assume employees know better or that they'll know how to act on or report suspicious behavior," Brian Wrozek, CISO at Optiv Security, told Dark Reading earlier this year. "Organizations can institutionalize a healthier security culture by conducting tabletop exercises to ensure employees receive hands-on practice in responding to different scenarios."

A security culture like that is especially important in life-or-death industries like medicine and aeronautics — and defense.

Source

DARKReading