We as industry leaders should be building on what individual platforms like GitHub are doing in two critical ways: demanding third parties improve security and creating more interoperable architectures.

GitHub recently made security news by announcing plans to implement default multifactor authentication (MFA) across its repositories. The company deserves credit for recognizing its gravitational pull within the software ecosystem and acting accordingly, but it shouldn't be alone. We as industry leaders should be building on what individual platforms like GitHub are doing in two critical ways: demanding our own ecosystems of providers raise the bar of their security practices, and creating more interoperable architectures and blueprints to make better security postures more accessible for organizations that rely on our critical platforms.

**Our Interconnected Tech Stack**

Enterprises today rely on a whole ecosystem to run their tech stacks. They rely on cloud services for their infrastructure, including Azure, AWS, and Google Cloud. They rely on companies like Okta for their identity solutions, and they rely on a whole host of technologies to help them build or sell products faster, including collaboration and CRM apps as well as repositories like GitHub.

They also rely on a broad set of third-party providers to deliver services such as customer support, or to manage some aspects of their infrastructure. We know the long chain of software cooks in the kitchen has created access nightmares and breaches. The Cybersecurity and Infrastructure Security Agency, along with other international government security organizations recently released guidance for managed service providers, and third-party risk is something we at Okta know better than most. In January of this year, we experienced the compromise of a provider that ultimately resulted in a threat actor briefly gaining access to an Okta support tool via a thin client. While the threat actor never directly accessed the Okta service through an Okta account, Okta's own security posture was threatened as a result of our interconnected ecosystem.

**The Path Forward**

The first step toward resolution is technology leaders looking internally to recognize and take stock of our own service supply chain and the third-party providers we rely on. In Okta's case, we took a hard look at how Okta provides access to our providers and the security expectations we have for third-party providers that have access to customer data. While security practitioners understand the need to implement systems of least privilege that limit lateral movement, it's critical to ask whether those same principles are being applied by the third-party providers you rely on. Movement within their environments can become movement in yours.

The second area is looking outward toward the customers and partners who rely on our platforms. In the case of GitHub, the attack surface is massive and the user base is broad. In an age where everyone acknowledges the need to implement MFA, its adoption levels are still quite low. Look no further than Microsoft Azure Active Directory, where more than three-quarters (78%) of organizations currently don't employ MFA for their user accounts according to Microsoft's "Cyber Signals Report."

For something like identity and access management, it's easy to see just how broad the identity and access management attack surface can be. According to Verizon's "Data Breach Investigations Report," 89% of Web app attacks are caused by credential abuse. While standards help a lot in access management, they are not foolproof. Leading identity solutions have largely eliminated the need for individual configurations to apps and services through prebuilt, self-service integrations that rely on standards and protocols like SAML and OpenID Connect.

But that ability to ensure secure interoperability can and should go further.

Organizations rely on multiple solutions that co-exist, feeding logs, risk signals, and other valuable insights into one another. We often think of this for security tools, but it should also apply to any platform or service where there is data and sensitive information. This is where we can and should improve in order to raise all security boats. Our efforts as an industry to operate with an eye toward open, prebuilt integrations and clear architectures will ensure that tentpole technologies — whether they're in networking, identity management, endpoint detection and response, or security information and event management — work effectively together. This goes beyond preventing misconfigurations: It's about creating better security outcomes.

Our technology world is flatter today than it has ever been before, whether it's our collective reliance on third-party providers, our interconnected software supply chain, or the interoperability of our tooling. In that environment, it's critical for industry leaders to not only maintain a high degree of compliance across their own ecosystems of third-party providers but to develop technologies and policies that raise the bar for their users and customers. Part of that is through steps like the one GitHub is taking: implementing default policies that rely on stronger factors. But in an interconnected world, we must move beyond individual actions to create open and interoperable technologies that enable users to easily configure and integrate their foundational technologies in secure ways.

GitHub's MFA Plans Should Spur Rest of Industry to Raise the Bar

With almost every business experiencing growth in human and machine identities, firms have made securing those identities a priority.

Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.

In a survey of IT and identity professionals released Wednesday from Dimensional Research, almost every organization — 98% — experiences rapid growth in the number of identities that have to be managed, with that growth driven by expanding cloud usage, more third-party partners, and machine identities. Furthermore, businesses are also seeing an increase in breaches because of this, with 84% of firms suffering an identity-related breach in the past 12 months, compared with 79% in a previous study covering two years.  

The rising incidence of breaches is unsurprising, says Julie Smith, executive director of the Identity Defined Security Alliance (IDSA), which sponsored the survey,

"The number and complexity of identities organizations are having to manage and secure is increasing," she says. "Whenever there is an increase in identities, there is a corresponding heightened risk of identity-related breaches due to them not being properly managed and secured, and with the attack surfaces also growing exponentially, these breaches can occur on multiple fronts."

For the most part, organizations focus on employee identities, which 70% consider to be the most likely to be breached and 58% believe to have the greatest impact, according to the 2022 "Trends in Securing Digital Identities" report based on the survey. Yet third-party partners and business customers are significant sources of risk as well, with 35% and 25% of respondents considering those to be a major source of breaches, respectively.

    

Source: IDSA

The IDSA recommends that companies focus on identity-related security outcomes that reduce the risk and impact of data breaches. Almost every respondent (96%) believes that implementing security controls focused on identities, such as multifactor authentication (MFA), could have prevented or minimized a breach.

"Centered on enabling effective identity governance, access, and behavioral detection, the security outcomes add a layer of protection around IT environments," the report states. "It is here that multifactor authentication as a mitigation strategy jumped to the top of the list in preventing breaches."

**MFA Reduces Identity-Related Breaches**

The top three countermeasures identified by respondents as potentially blunting the impact of breaches included MFA, more timely review of privileged access, and continuous discovery and monitoring of privileged access rights, according to the survey. Those three security controls also are likely to get the most investment in the coming year, says IDSA's Smith.

"We wouldn’t necessarily expect the countermeasures and planning to match up 100% as that would indicate organizations are chasing their tails and focusing only on the last breach when forward-thinking strategy and vision about the next potential breach is needed," she says.

Machine identities — such as system credentials, software secretes, and Internet of Things (IoT) passwords — are the main factors driving increased identities at 43% of organizations, according to the report. Despite that, only 18% of companies consider machine identities to be a significant source of breaches.

"Both human and machine identities are vulnerable without the proper mitigation and security tactics in place," Smith says. "Given that machine identities have the potential to expand much quicker than human identities, if a machine identity isn’t properly secured, managing the network of machine identities can quickly pose a major risk."

Meanwhile, the growing number of cloud workloads means that the credentials that allow software to talk use APIs and communicate with other software is an expanding surface of attack, Alex Simons, corporate vice president of program management for Microsoft's Identity division, said in March.

Companies that have executives focused on identity security are more likely to reduce the risk of breaches, according to the IDSA report. While only 30% of respondents consider training in securing passwords to be a very effective strategy, companies that have top-level business executives espousing support for password security are much more likely to be more careful with work-related credentials compared with companies that rely on security teams as the primary evangelist.

"If we’re talking about implementing and deploying meaningful security outcomes, we have to increase engagement beyond IT or security teams," IDSA's Smith says. "This simply demonstrates that when management embraces security as a part of messaging, the general trend implies that security becomes a strategic part of the company’s culture."

80% of Firms Suffered Identity-Related Breaches in Last 12 Months

New Cloud Security Alliance (CSA) and Google Cloud study shows many enterprises struggle to measure and manage risk in their cloud workloads.

Cloud adoption may be hopping, but many enterprises still wrestle with how to identify and manage their security risks with these services.

A new study conducted by the Cloud Security Alliance (CSA) and Google Cloud underscores that while the cloud ideally could help bolster security for organizations, many aren't adeptly handling their risk management in the cloud just yet. 

"Organizations are not taking advantage as aggressively of the capabilities to have a more secure environment" with cloud, says Jim Reavis, CEO of the CSA. "They're not being as proactive in monitoring and managing risk."

Interestingly, it appears many organizations may not know for sure the extent of their cloud adoption. Some 51% say that they now run 41% of their workloads in the public cloud, but it turns out most of them (85%) are not using cloud discovery tools to quantify that but, rather, estimating their use via manual methods. Those who use discovery tools including a cloud access security broker, or CASB (15%), to map their cloud workloads report 31% more cloud usage than those who performed manual assessments — a clue that most organizations relying on manual tracking don't have a complete inventory of what's running in their cloud services, according to the study.

"You can't manage the risk of things you don't know about. The basic things lead to either breaches or data exposure, exfiltration, or a ransomware attack if you are not keeping your cloud assets updated and there are gaps in your usage of cloud," Reavis notes. But the cloud offers a better way to manage assets, he says, than traditional IT networks.

“There are tools there," and automated ways to detect and secure cloud assets, he says.

The study confirms a significant rise in cloud adoption. The average number of software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) services used by organizations was more than 147, up from 38 in 2020. Some 66% of organizations say they have 100 or fewer services; 32%, from 101 to 999; and 3%, 1,000 or more services.

The most commonly used infrastructure-as-a-service (IaaS) cloud platform is Azure (70%), followed closely by AWS (65%), and then Google Cloud at 24%, according to the study.

"Enterprises interviewed intend on increasing their workloads in the cloud over the next 12 months. With enterprises continuing to add production in the cloud and using more cloud services, managing cloud and digital assets will be critical in the management and measurement of risk in the cloud," according to the report.

The goal of the study was to gauge organizations' challenges of risk management in public cloud services, and Google and the CSA gathered survey data as well as interviews in 2021 with 600 IT and security professionals.

**Cloud Escape**

While the cloud is becoming more pervasive for IT operations, there has not been a correlation or increase in data breaches, Reavis notes.

To date, nearly all publicly disclosed breaches in the cloud have stemmed from misconfigurations, not cyberattacks, says Phil Venables, CISO at Google Cloud. "To prevent and address the risk of misconfigurations and compliance violations earlier in the development process, security leaders have started to embrace security as code to achieve the speed and agility of DevOps, reduce risk, and more securely create value in the cloud," Venables says.

For its part, Google offers a series of blueprints for its customers to help avoid misconfigurations and other cloud mistakes, such as its Risk and Compliance as Code (RCaC), Secure Foundations guide, and Cloud Architecture Center, for example.

"Blueprints help our customers rapidly configure cloud environments in a secure and compliant manner," notes Venables. "And ultimately, this level of secure hygiene helps prevent misconfigurations becoming a security risk or attacker entry point to cloud workloads."

According to the report, some 70% of organizations in the study say they don't have solid processes for mapping risk to their cloud assets. A tiny percentage — 4% — report that they have "highly effective" risk management in the cloud. Slightly more than 20% use cloud data-classification tools.

Meanwhile, the main security worries over applications in the cloud include loss of sensitive data (64%), improper configuration and security settings (51%), and unauthorized access (51%).

Risk Disconnect in the Cloud

Data Processing and Infrastructure Processing Units – DPU and IPU – are changing the way enterprises deploy and manage compute resources across their networks.

SAN FRANCISCO, June 21, 2022 /PRNewswire/ -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the new Open Programmable Infrastructure (OPI) Project. OPI will foster a community-driven, standards-based open ecosystem for next-generation architectures and frameworks based on DPU and IPU technologies. OPI is designed to facilitate the simplification of network, storage and security APIs within applications to enable more portable and performant applications in the cloud and datacenter across DevOps, SecOps and NetOps.

Founding members of OPI include Dell Technologies, F5, Intel, Keysight Technologies, Marvell, NVIDIA and Red Hat with a growing number of contributors representing a broad range of leading companies in their fields ranging from silicon and device manufactures, ISVs, test and measurement partners, OEMs to end users.

"When new technologies emerge, there is so much opportunity for both technical and business innovation but barriers often include a lack of open standards and a thriving community to support them," said Mike Dolan, senior vice president of Projects at the Linux Foundation. "DPUs and IPUs are great examples of some of the most promising technologies emerging today for cloud and datacenter, and OPI is poised to accelerate adoption and opportunity by supporting an ecosystem for DPU and IPU technologies."

DPUs and IPUs are increasingly being used to support high-speed network capabilities and packet processing for applications like 5G, AI/ML, Web3, crypto and more because of their flexibility in managing resources across networking, compute, security and storage domains. Instead of the servers being the infrastructure unit for cloud, edge or the data center, operators can now create pools of disaggregated networking, compute and storage resources supported by DPUs, IPUs, GPUs, and CPUs to meet their customers' application workloads and scaling requirements.

OPI will help establish and nurture an open and creative software ecosystem for DPU and IPU-based infrastructures. As more DPUs and IPUs are offered by various vendors, the OPI Project seeks to help define the architecture and frameworks for the DPU and IPU software stacks that can be applied to any vendor's hardware offerings. The OPI Project also aims to foster a rich open source application ecosystem, leveraging existing open source projects, such as DPDK, SPDK, OvS, P4, etc., as appropriate. The project intends to:

*   Define DPU and IPU,
*   Delineate vendor-agnostic frameworks and architectures for DPU- and IPU-based software stacks applicable to any hardware solutions,
*   Enable the creation of a rich open source application ecosystem,
*   Integrate with existing open source projects aligned to the same vision such as the Linux kernel, and,
*   Create new APIs for interaction with, and between, the elements of the DPU and IPU ecosystem, including hardware, hosted applications, host node, and the remote provisioning and orchestration of software

With several working groups already active, the initial technology contributions will come in the form of the Infrastructure Programmer Development Kit (IPDK) that is now an official sub-project of OPI governed by the Linux Foundation. IPDK is an open source framework of drivers and APIs for infrastructure offload and management that runs on a CPU, IPU, DPU or switch. In addition, NVIDIA DOCA, an open source software development framework for NVIDIA's BlueField DPU, will be contributed to OPI to help developers create applications that can be offloaded, accelerated, and isolated across DPUs, IPUs, and other hardware platforms.

For more information visit: https://opiproject.org; start contributing here: https://github.com/opiproject/opi.

**Founding Member Comments**

**_Geng Lin, EVP and Chief Technology Officer, F5  
_**"The emerging DPU market is a golden opportunity to reimagine how infrastructure services can be deployed and managed. With collective collaboration across many vendors representing both the silicon devices and the entire DPU software stack, an ecosystem is emerging that will provide a low friction customer experience and achieve portability of services across a DPU enabled infrastructure layer of next generation data centers, private clouds, and edge deployments."

**_Patricia Kummrow, CVP and GM, Ethernet Products Group, Intel  
_**Intel is committed to open software to advance collaborative and competitive ecosystems and is pleased to be a founding member of the Open Programmable Infrastructure project, as well as fully supportive of the Infrastructure Processor Development Kit (IPDK) as part of OPI. We look forward to advancing these tools, with the Linux Foundation, fulfilling the need for a programmable infrastructure across cloud, data center, communication and enterprise industries making it easier for developers to accelerate innovation and advance technological developments.

**_Ram Periakaruppan, VP and General Manager, Network Test and Security Solutions Group, Keysight Technologies  
_**"Programmable infrastructure built with DPUs/IPUs enables significant innovation for networking, security, storage and other areas in disaggregated cloud environments. As a founding member of the Open Programmable Infrastructure Project, we are committed to providing our test and validation expertise as we collaboratively develop and foster a standards-based open ecosystem that furthers infrastructure development, enabling cloud providers to maximize their investment."

**Cary Ussery, Vice President, Software and Support, Processors, Marvell  
**Data center operators across multiple industry segments are increasingly incorporating DPUs as an integral part of their infrastructure processing to offload complex workloads from general purpose to more robust compute platforms. Marvell strongly believes that software standardization in the ecosystem will significantly contribute to the success of workload acceleration solutions. As a founding member of the OPI Project, Marvell aims to address the need for standardization of software frameworks used in provisioning, lifecycle management, orchestration, virtualization and deployment of workloads.

**_Kevin Deierling, vice president of Networking at NVIDIA  
_**"The fundamental architecture of data centers is evolving to meet the demands of private and hyperscale clouds and AI, which require extreme performance enabled by DPUs such as the NVIDIA BlueField and open frameworks such as NVIDIA DOCA. These will support OPI to provide BlueField users with extreme acceleration, enabled by common, multi-vendor management and applications. NVIDIA is a founding member of the Linux Foundation's Open Programmable Infrastructure Project to continue pushing the boundaries of networking performance and accelerated data center infrastructure while championing open standards and ecosystems."

**_Erin Boyd, director of emerging technologies, Red Hat  
_**"As a founding member of the Open Programmable Infrastructure project, Red Hat is committed to helping promote, grow and collaborate on the emergent advantage that new hardware stacks can bring to the cloud-native community, and we believe that the formalization of OPI into the Linux Foundation is an important step toward achieving this in an open and transparent fashion. Establishing an open standards-based ecosystem will enable us to create fully programmable infrastructure, opening up new possibilities for better performance, consumption, and the ability to more easily manage unique hardware at scale."

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members and is the world's leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation's projects are critical to the world's infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation's methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: _www.linuxfoundation.org/trademark-usage_. Linux is a registered trademark of Linus Torvalds. Red Hat is a registered trademark of Red Hat, Inc. or its subsidiaries in the U.S. and other countries.

_Marvell Disclaimer: This press release contains forward-looking statements within the meaning of the federal securities laws that involve risks and uncertainties. Forward-looking statements include, without limitation, any statement that may predict, forecast, indicate or imply future events or achievements. Actual events or results may differ materially from those contemplated in this press release. Forward-looking statements speak only as of the date they are made. Readers are cautioned not to put undue reliance on forward-looking statements, and no person assumes any obligation to update or revise any such forward-looking statements, whether as a result of new information, future events or otherwise._

Linux Foundation Announces Open Programmable Infrastructure Project to Drive Open Standards for New Class of Cloud Native Infrastructure

In the wake of devastating attacks, here are some of the best techniques and policies a company can implement to protect its data.

Artificial Intelligence and Security: What You Should Know

Joshua Bevitz, Partner, Newmeyer Dillion

Gabriella Stevens, Associate, Newmeyer Dillion

Prashant Sharma, Co-Founder & CTO, Secuvy Inc.

7 Ways to Avoid Worst-Case Cyber Scenarios

Most organizations still rely on virtual private networks for secure remote access.

Zero-trust initiatives may be on the security roadmap for most enterprises today, but remote-access architecture today is still highly dependent upon virtual private network (VPN) technology.

Newly published data shows that approximately 90% of organizations still utilize VPN in some capacity to secure remote access for their users. Meantime, across a broad population of IT and security practitioners, fewer than one in three say they have plans to — or have begun to — roll out zero-trust network access (ZTNA) to supplant VPN.

The results are from a survey conducted by Sapio Research on behalf of Banyan Security, which reached out to 1,025 IT respondents, focusing the bulk of the survey on the 410 who were aware of both VPN and ZTNA. The study shows that among that group, a full 97% reported that adopting a zero-trust model is a priority for them. Slightly over half of those aware of both VPN and ZTNA said they've begun to roll out zero-trust solutions.

ZTNA is a term Gartner started championing in 2019 to describe in broad strokes a range of products and services that create logical access boundaries around applications or sets of applications using a combination of identity- and context-based factors. The firm predicted at the time that by next year, 2023, approximately 60% of enterprises will start phasing out their VPNs in favor or ZTNA.

"VPNs are just a band aid on a fundamentally broken network security model. And ultimately this has to be replaced," Neil MacDonald, vice president and distinguished analyst for Gartner, said in a recent analysis of zero-trust strategies in 2022. "We need to invert the model. Instead of connecting and then worrying about authentication, we need to authenticate first, then connect. This is where you see many of the tenets of zero-trust networking coming in."

**The Problem With VPNs**

One of the biggest problems with VPN technology is the fact that it "allows for network-level access to an enterprise," explains Deloitte's Andrew Rafla, who leads the consultancy's zero-trust offering.

In contrast, ZTNA restricts remote users' access to only the specific applications and assets they need and nothing more, says Rafla. ZTNA is one important component of a broader zero-trust architecture, he says, which also should include a centralized and federated identity store, privileged access management controls, data protection, network segmentation, device security, and telemetry and analytics.

"General cyber hygiene fundamentals should not be overlooked as well; in order to realize the true benefits of the zero-trust model, an organization should have a solid grasp on its IT asset management, configuration and vulnerability management, and data classification," Rafla says.

Given these weighty requirements to truly grab the zero-trust brass ring, it should come as no surprise that many organizations can feel overwhelmed by it all. Over two-thirds of current VPN users report in this survey that implementing a ZTNA strategy is a large to very large undertaking.

The biggest constraint for VPN-dependent organizations that keep them from transitioning to ZTNA are cost/budget constraints, which was named by 62%. Approximately 13% of them say zero trust is confusing and they don’t even know where to start.

Interestingly, though, among those who have adopted ZTNA, the implementation timeframes may not be as scary as those clinging to VPN may think. The study shows that the mean time to deployment was about 11.5 months. This may be a good lesson in the fact that an organization can and should roll out zero-trust components in a phased manner, and that ZTNA for remote access may be an accessible first step in the journey.

VPNs Persist Despite Zero-Trust Fervor

ToddyCat's Samurai and Ninja tools are designed to give attackers persistent and deep access on compromised networks, security vendor says.

A threat group that may have been among the first to exploit the ProxyLogon zero-day vulnerability in Exchange Servers last year is using a pair of dangerous and previously unseen malware tools in a cyber espionage campaign targeting military and government organizations in Europe and Asia.

Researchers at Kaspersky who first detected the group's activities this week described the tools as malware designed to enable long-term persistence on an organization's public-facing Web servers and giving attackers the ability to move laterally and penetrate deeply into compromised networks.

The malware tools have features that allow their functionality to be extended at will, but Kaspersky has been unable so far to determine the full range of their capabilities, the vendor noted.

**Attacks Targeted ProxyLogon Exchange Server Flaw**

Kaspersky is tracking the previously unknown group as "ToddyCat." In a report this week, the security vendor said the adversary's victim targeting and certain operational overlaps with at least one known Chinese threat actor suggest that members of ToddyCat are Chinese-speaking as well.

"This group targets high-profile organizations, usually government, diplomatic, military organizations, and military contractors," says Giampaolo Dedola, security researcher at Kaspersky. It may be possible that the threat actor has compromised victims in the US as well. But currently Kaspersky has no information to suggest this is indeed the case, Dedola says.

Kaspersky's analysis showed that ToddyCat's campaign began in December 2020 with attacks targeting selected Exchange Servers belonging to three organizations in Vietnam and Taiwan. The attackers used an unknown exploit to breach the Exchange Servers and deploy the popular China Chopper Web shell on the systems. They then used the Web shell to initiate a multi-stage infection chain involving custom loaders that ended with one of the new malware tools — a backdoor called "Samurai" — being deployed on the compromised system.

**Sophisticated Malware**

Samurai is a passive backdoor designed to give the attackers persistent access on Internet-facing Web servers. The backdoor works on ports 80 and 443 and is designed primarily to execute arbitrary C# code on infected systems.

"Based on our investigation, we were able to detect some of the source codes uploaded by the attacker and we know that it was used to execute arbitrary commands, download files, forward TCP packets to internal hosts," Dedola says. As one example, he points to the attacker using Samurai to communicate with internal Active Directory servers. "The ability to run arbitrary C# code allows attackers to infinitely extend the malware's capabilities," he says.

Kaspersky's research showed the attackers also used Samurai to launch "Ninja," the other previously unseen malware tool that ToddyCat is using in its attacks. Ninja is Cobalt Strike-like malware for executing post-exploitation activities on already compromised systems.

"It allows the attackers to control the remote system, manipulate the file system, manipulate processes, inject arbitrary code in other processes, forward TCP packets, and load new modules in its memory," Dedola says.

Ninja agents can be configured to act like servers. So, the adversary can use the malware to designate specific machines as internal command and control servers (C2s), thereby limiting connections to external servers and reducing the chances of being detected. This feature, combined with the TCP command forwarding functionality, gives the attackers a way to manage even those systems that are not directly connected to the Internet, Dedola says.

Between Dec. 2020 and early Feb. 2021, ToddyCat remained tightly focused on a handful of organizations in Vietnam and Taiwan. But then, for a brief period between late February and early March, the threat actor quickly escalated its attacks by targeting the ProxyLogon vulnerability to compromise organizations in multiple countries. The group's victims included organizations in Russia, UK, Slovakia, India, Iran, and Malaysia, and belonged to industries and sectors that have traditionally been of interest to China-based groups, Kaspersky said.

**A Change in Tactics**

Almost all of ToddyCat's early attacks targeted Exchange Server flaws. But starting Sept. 2021, Kaspersky observed what it described as "waves of attacks" against desktop systems involving the use of malicious loaders sent via the Telegram messaging service. It's unclear how many organizations ToddyCat has compromised, but the number is likely less than 30, Dedola says.

What makes Samurai and Ninja dangerous is the anti-forensic and anti-analysis technique incorporated into the malware, according to Kaspersky. For example. Samurai is designed to share TCP port 80 and 443 with Microsoft Exchange and cannot be detected by monitoring the ports. The malware also uses a complex loading scheme to avoid detection and maintain persistence. It addition, it uses a technique called "control-code flattening" to avoid detection by static analysis tools, Dedola says.

"The Ninja Trojan is also another modular malware, with capabilities that can be easily extended by the attacker," he tells Dark Reading, adding that the malware runs only in memory and never appears on file systems, making it harder to detect. "It is usually executed with a loader, which decrypts the payload from a third file. The file with the encrypted payload is immediately deleted by the loader."

Christopher Prewitt, CTO at Inversion6, says Kaspersky's research shows that the malware authors have gone to great lengths to hide and obfuscate their methods. While the Samurai backdoor features some relatively common features, ToddyCat's bespoke Ninja post-exploit tool appears more interesting.

"It is loaded in memory, making it much more difficult to analyze and detect," Prewitt says. "The threat actor could continue to reuse this part of their toolkit, while only swapping out or updating the initial infection point and backdoor tooling."

China-Linked ToddyCat APT Pioneers Novel Spyware

After the Raccoon Stealer Trojan disappeared, the RIG Exploit Kit seamlessly adopted Dridex for credential theft.

The cybercriminals behind the RIG Exploit Kit earlier this year traded out the credential-stealer Trojan Raccoon Stealer after its lead developer was killed in the Russian invasion of Ukraine.

According to analysts with Bitdefender, the cybercrime group behind the RIG Exploit Kit was able to quickly substitute in the tried-and-true financial Trojan Dridex, which has a range of functions, including keylogging and the ability to steal screenshots. 

"The move to Dridex was a strategic decision to save the operation," Bogdan Botezatu, director, Threat Research and Reporting at Bitdefender, tells Dark Reading. "Cybercriminals running this campaign had to move to a different option or lose the money they had already invested in renting out access to the RIG EK panel. Dridex is a powerful information-stealer that, to some extent, provides similar functionality to Raccoon. Unlike Raccoon, it is still operational and can offer 'business continuity' to the cybercriminals behind this campaign."

The RIG Exploit Kit lets cybercriminals quickly swap out payloads to avoid detection or in case of compromise, according to researchers at Bitdefender, making adaptability part of its product. 

"This once again demonstrates that threat actors are agile and quick to adapt to change," the analysts wrote in their report on the malware campaign. 

"In order to be prepared, defenders should patch the known vulnerabilities in software used across the organization and monitor for the indicators of compromise (IOCs), Botezatu counsels. "A security solution with machine-learning capabilities can detect and block the payload at various execution stages as well."

It's also worth noting that Racoon is likely to make a reappearance, Botezatu notes.

"The Raccoon group has hit a temporary stop with the death of one of its operators, but we believe the team will regroup," he says. "Usually, such groups suspend their operations when teams get arrested or when they voluntarily decide to shift to a more lucrative business. Loss of a team member is a temporary road block and we presume that they will get back online as soon as they manage to recruit a replacement."

RIG Exploit Kit Replaces Raccoon Stealer Trojan With Dridex

Experts tell teams to prepare for more regulation, platform consolidation, management scrutiny, and attackers with the ability to claim human casualties.

Security teams should prepare for what researchers say will be a challenging environment through 2023, with increased pressure from government regulators, partners, and threat actors.   

Gartner kicked off its Security & Risk Management Summit with the release of its analysts' assessments of the work ahead, which Richard Addiscott, the company's senior director analyst, discussed during his opening keynote address.

“We can’t fall into old habits and try to treat everything the same as we did in the past,” Addiscott said. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program, and our architecture.”

Topping Gartner's list of eight predictions is a rise in the government regulation of consumer privacy rights and ransomware response, a widespread shift by enterprises to unify security platforms, more zero trust, and, troublingly, the prediction that by 2025 threat actors will likely have figured out how to "weaponize operational technology environments successfully to cause human casualties, the cybersecurity report said. 

The eight specific predictions are:

1.  Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of the global GDP.
2.  By 2025, 80% of enterprises will adopt a strategy to unify Web, cloud services, and private application access from a single vendor’s security service edge (SSE) platform.
3.  Sixty percent of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits.
4.  By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
5.  Through 2025, 30% of nation-states will pass legislation that regulates ransomware payments, fines, and negotiations, up from less than 1% in 2021.
6.  By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.
7.  By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest, and political instabilities.
8.  By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Gartner: Regulation, Human Costs Will Create Stormy Cybersecurity Weather Ahead

Open source is here to stay, and it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of digital transformation.

Following the trio of the Log4J vulnerability and the more recent compromise of two open source libraries in the NPM ecosystem and one in Spring Core, supply chain security is weighing heavily on cyber defenders' minds. While the financial services sector has hardened its cyber defenses compared with other industries and become one of the earliest adopters of zero-trust security, institutions must continue to embrace open source technology while actively engaging in risk mitigation.

With so many foundational components of the global tech stack originating from open source code repositories like GitHub, recent exploits have heightened worries that this open ecosystem is inherently vulnerable to attack. This is especially true given the finance industry's finance industry's embrace of open source, as shown by Goldman Sachs contributing source code of several of its data modules as open source in 2020.

**Keeping Open Source Environments Protected**

First off, financial institutions must assume a more active role in the funding of open source foundations and direct-to-maintainer grants to help limit exposures from critical code dependencies, as illustrated by the Log4Shell debacle. To this end, public-private sector partnerships will be vital for financial institutions looking to harden their open source security postures. Confronting the inherent DevSecOps of the open source ecosystem requires a financial and strategic commitment from institutions willing to support the whole spectrum of open source maintainers — and not just the Apache Software Foundations of this world. Projects like the OpenSSF Alpha-Omega initiative are a great example of this approach.

Financial institutions also need to adopt a more robust software bill of materials (SBOMs), a key point highlighted in President Biden’s executive order from last June. Modern SBOMs deploy machine-readable processing, a technology that enables systems to ingest incoming structured report data, to autonomously analyze the state of SBOM readiness by organizations around the world. SBOMs can thus help financial institutions rapidly identify patterns across their industry and across borders, helping them spot critical risk issues before they metastasize into larger problems.

A table-stakes strategy for financial institutions to mitigate open source risks on the consumption side include the implementation of stronger internal license and IP controls and tools to track and monitor inbound open source projects. More granular strategic solutions start with financial institutions taking time to understand the defenders that are focused on securing the open source realm. Organizations like Mend, Sonatype, and Synk are key players in this world.

The broader sustainability of the open source ecosystem is another reason for financial institutions to assume a more hands-on role in the development of code repositories and other active-source artifacts. Institutions should consider offering secure coding training as part of their onboarding, something too often overlooked in academic curricula.

Encouraging in-house developers to contribute "sweat equity" to the ecosystem will increase the number of eyes on open source artifacts, thus enhancing the odds that financial institutions will be able to spot code vulnerabilities before they threaten a SolarWinds type of breach. This approach will effectively reduce the probability and blast radius of future vulnerabilities.

**Benefits of Open Source Outweigh the Risks**

Despite recent, worrisome supply chain attacks, financial institutions should not be deterred by these challenges. The global financial industry is now very seriously democratizing software through open source, not only as a cost reduction but as a powerful collaboration model that goes beyond code to be used to address challenges like data standardization and industrywide interoperable workflows. Open source is here to stay, and therefore it is no longer optional — it's imperative that CIOs have a mature, open source engagement strategy, across consumption, contribution, and funding as a pillar of their digital transformation endeavors.

Institutions are doing more than just implementing code that another developer has updated. Financial organizations should look to invest internal developer resources to actively contribute to code repositories. Developers should be contributing code not just in their spare time, but more appropriately, while they're on the job within the expected scope of their organizational roles.

By taking a proprietary stake in the open-innovation ecosystem, financial institutions can better mitigate vulnerabilities and exposures emanating from their tech stacks. This type of risk management also requires the articulation of companywide policies, learning, and collaboration resources throughout the firm. Naturally, financial institutions need to delegate and establish leadership roles to oversee the effort.

Whether through open source foundations or direct monetary or sweat-equity contributions to projects, financial institutions must realize the importance of professional software supply chain management. They should also understand the roles that consumers must play in securing the open source IT stack, which underpins the modern digital economy.

Source

DARKReading