Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.

According to the "2022 Verizon Data Breach Investigations Report," stolen credentials were the top path leading to data breaches. More often than phishing or exploiting vulnerabilities, attackers gain direct access to credentials, letting them virtually walk into victim organizations using the front door.

Low-code/no-code platforms make it extremely easy for users to share their credentials and embed their credentials into applications, thus drastically increasing the risk that employee mistakes will result in credentials leakage. Unintentionally, low-code/no-code development makes the No. 1 resource for attackers easier to obtain.

**How Low-Code/No-Code Platforms Sacrifice Security For Productivity**

Getting the required permissions to do your job in an enterprise can be very frustrating. It's not uncommon for new employees to wait more than a month before they have the full scope of permissions they need to access business data, review KPI dashboards, or join an internal communication channel.

The same thing is true, maybe even worse, for setting up a new application in the enterprise. Permissions requests typically need to be approved by your direct manager, their manager, and the team who owns the data/service. Some of the approvers might be in another continent with a time zone difference. It's next to impossible to start building an application without the required access to data/services, and so you end up waiting.

After you manage to get the right access for your application, you are finally ready to start building. A few months go by. Suddenly, you get a notification that your application has failed. A quick analysis shows that its permissions have been revoked. Enterprises typically set up an automated process that revokes access every few months, unless permissions are explicitly asked for by the application maker. This process is necessary to comply with regulations and reduce over-permissions, but it has its downsides — namely a periodic manual process that could hinder productivity.

Low-code/no-code is an attempt to empower every employee, especially business professionals, to address their own issues with custom-built applications and automations. Vendors do this by systematically identifying and removing roadblocks for building applications. Is learning to code challenging or scary? A drag-and-drop interface can help lower the barrier to entry. Is integration difficult? A wide range of managed connectors will remove the need to know what an application programming interface (API) is or how to interact with it. Is asking for permissions slowing you down? Sharing identities and leveraging existing user access can provide a quick alternative.

To boost innovation, low-code/no-code platforms allow their users to leverage their existing user identity, embed it within an application, and by doing so circumvent the enterprise permissions model entirely. For an outside viewer in security or IT, the application doesn't exist, and everyone using it is actually running it on its maker's account.

**Wait, But How?**

If you're thinking that there are better solutions out there than letting the application impersonate its maker, you are partially right.

In recent years, OAuth has been the de-facto standard for granting application access. Any time you go to a software-as-a-service (SaaS) marketplace, pick up a third-party integration, and get prompted with a small login and consent pop-up, you're most likely using OAuth. OAuth has many different consent flows, all resulting in the familiar pop-up experience. A key distinction is whether consent is granted to the application directly or on behalf of its currently signed-in user. Although this might sound like a minor detail, it is actually the root cause of the low-code/no-code identity problem.

When an application is granted consent directly, it is issued its own identity, separate from that of the user who granted the consent. The application identity can be monitored for suspicious authentication or access patterns, and its permissions can be revoked at any time by a security or IT admin. Controls like IP restriction can be put in place to take advantage of the static nature of the infrastructure that the application runs on. Every application can have a separate identity, with separate access restrictions, and can be monitored and acted up--on separately. Another useful implication of application identity is admin control.

Granting consent on behalf of the currently signed-in application user, however, has very different implications. The application gains access to resources using its user's identity for the limited time when the user uses the app. On-behalf access means that the application is actually using its user's identity directly when querying external resources. Moreover, using multiple applications will result in all of them using the same identity: the user's identity. IT or security admins looking at logs will not be able to easily distinguish between the user or any application used by the user. Granting application access on behalf of users was originally designed to allow temporary access only while a user is actively using the application.

In many cases, services allow applications to gain access on behalf of users but deny applications direct access to service APIs. This raises an interesting question: If an application can only gain access to data on behalf of a user, how can it access data when no user is interacting with it? Creative engineers have come up with a solution. The application logs in as a user once, then records its authentication token and keeps on using it even after the user has logged off the application. In the case of low-code/no-code applications, that user is typically the application's creator. User authentication tokens are supposed to be short-lived in order to prevent this workaround. In practice, however, most services issue tokens that are valid for 12 months.

Let's say a business professional creates an application. Instead of having to wait for approval of an application identity or permissions, they use access on behalf of a user — in this case, their own. The application requires them to log in once (say to Salesforce or SharePoint), records their own private authentication token, and reuses it at will. Even if another user is using the application, it will still use its maker's identity.

There are ways to build low-code/no-code applications with dedicated identities — for example, by using service accounts. However, the methods are not very widely used.

Recall the positive properties of application identity stated above: The application can be monitored, its access to data can be controlled, and its privileges can be revoked. None of this is true when low-code/no-code platforms are embedded with their creator's identity. Every application a business professional makes might have their user identity built into it. Security and IT teams analyzing access logs will have no way to know that these applications even exist.

**Impersonation-as-a-Service**

Recording and replaying user authentication tokens as a way to grant applications access to resources has another implication: They open the door to simple and easy identity sharing among users. This manifests in a common low-code/no-code feature typically referred to as connections. Connections are how low-code/no-code applications gain access to resources like Slack, NetSuite, or BambooHR. They allow read operations, like reading employee HR data; write operations, like the ERP on recent sales; and delete operations, like permanently deleting a Slack channel. Connections are first-class objects, which means they can be created by one user and shared with another user, an entire team, or even an entire organization. Technically speaking, these are wrappers around user authentication tokens or hard-coded credentials.

When a user creates and shares a connection to Microsoft Office, for example, it is akin to them sharing their password. However, if a team of developers is collaborating on a project, they often need to be able to share an application identity with each other. Connection sharing enables working together in a team on a shared project, but unfortunately it can also enable users to share their identities with each other. Since many low-code/no-code applications are built with the creator's identity embedded within, identity sharing is a common risk low-code/no-code platforms introduce.

To make matters worse, credential sharing is just way too easy on many platforms. A single checkbox stands between you and sharing your identity — for example, your ServiceNow or Salesforce account — with your entire organization. In some cases, sharing an application with other users implicitly shares its underlying connections too.

This is a crucial point. Under certain circumstances, users who gain access to a business application will gain direct access to its underlying database implicitly, without direct consent or knowledge. Take an expense management application, for example. There's a big difference between letting people use the application to submit their expense reports and giving them access to the underlying database with everyone's expense reports within it.

Unintentionally, low-code/no-code applications make credentials — the No. 1 resource that attackers are after — easier to obtain.

**Where Do We Go From Here?**

As we've seen, low-code/no-code platforms had to overcome many challenges in making enterprise applications easy to build for everyone from professional to business developers. Sometimes, the solutions come at a cost. In the case of credentials, the ability to move fast is unfortunately coupled with the ability to break things — namely, the enterprise identity model.

It is important to mention here the immense value that low-code/no-code platforms create for the enterprise: reducing the time between idea and execution, lowering the bar for application development, and increasing business velocity.

Platforms cannot be expected to resolve security concerns on their own; it is a responsibility shared between the platform and its customers. To reduce the risk, security teams should familiarize themselves with the ways identities are treated as part of the low-code/no-code platforms their organizations use. Most platforms can be configured to reduce the level of credential sharing and turn off implicit sharing.

More importantly, security teams must realize that low-code/no-code platforms introduce an inherent new risk into the enterprise that cannot be mitigated by traditional monitoring approaches because of the confusion between application and user identities. Therefore, security teams should invest in guiding business developers, reviewing potentially risky applications, and taking action to mitigate risk.

Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code

Security defenders working for large venues and international events need to be able to move at machine speed because they have a limited time to detect and recover from attacks. The show must go on, always.

Live events such as concerts and sports games are generally chock-full of action, both on the field and behind the scenes. IT and security teams managing these venues navigate a complex environment that includes a traditional corporate infrastructure, special equipment required for the event, a large army of suppliers and contractors, and all of the devices brought in by spectators. And the prospect of a cyberattack during the actual event always looms large.  

Securing live events can be the most complicated and most complex to protect, says Karim Benslimane, director of cyber intelligence at Darktrace. Running a stadium can be split into a “business perspective,” which is akin to managing the technology infrastructure for a very large enterprise, and the “event perspective,” which includes all the people and equipment involved with setting up and hosting the event itself.

“When there is no event doesn’t mean the IT guys don’t have anything to do,” Benslimane says. “They are already busy running the business.” He speaks from experience. Prior to joining Darktrace, he was head of information and communications technology and cybersecurity for various international venues and events.

**Understanding the Cyber Paradox**

The business infrastructure depends on much of the same technologies and enterprise applications – Active Directory, telephony, wired and wireless networking, ERP, CRM, databases, and e-commerce applications, to name just a few – as a large organization  requires to manage the day-to-day operations. Payroll needs to make sure people are paid, employees need to be able to communicate internally and with clients and customers, and tickets have to be printed and sold.

The event has its own infrastructure, and managing the event requires a completely different mindset because of what Benslimane refers to as the “cyber paradox.” The traditional security mindset is to deploy technology and control to add layers to make it harder for attackers to access systems and restrict what is added to the network. Setting up an event, by definition, involves hiring suppliers and contractors (along with their sub-suppliers and subcontractors) who bring their own assets and need access to the venue’s infrastructure, such as VoIP and Wi-Fi. For example, the venue may own the jumbo screens, but the immersive elements and special effects that make the event come alive are pushed onto the screens from third-party systems.

“From a cybersecurity point of view, it’s obviously a paradox where you are trying to secure your assets on the left, but on the right, you are forced to allow external people and external devices to come physically into your venue and use your infrastructure,” Benslimane says. It doesn’t make sense to talk about securing the perimeter when people are already inside, he notes.

On top of that is the live event itself, or “D-Day,” which requires letting even more people physically enter the venue with their own devices and access services such as Wi-Fi.

“It was a big challenge. You have nothing to control and protect you,” Benslimane says.

**Limited Time to Respond**

As the saying goes, the show must go on. Security teams in the events industry have to “rush and run” to mitigate security incidents as they occur so that the event can go off as scheduled and associated services (such as broadcasts and streaming contracts) are not impacted.

“If something happened during the 100-meter men’s final \[at the Olympics\] or the \[FIFA\] World Cup final, think about the brand impact,” Benslimane says. Interrupting the broadcast would mean millions of TV and screens will see a black screen, which would result in immense financial losses for the brand. There will be penalties from lost advertising. This would also affect the host country’s reputation.

Those were the same challenges Wired reporter Andy Greenberg wrote about in his book about Olympic Destroyer, the malware that knocked out the domain resolvers during the opening ceremonies. As a result of the attack, some attendees couldn’t print tickets to enter the stadium, the Wi-Fi network was offline, TVs around the stadium and other facilities could not show the ceremony, the RFID-based security gates for Olympic facilities were not working, and the official Olympic app was broken. If the systems remained offline after the opening ceremony ended, athletes, visiting dignitaries, and spectators would find they had no access to the Olympics app full of schedules, hotel information, and maps. 

“The result would be a humiliating confusion,” Andy Greenberg wrote for Wired.

Attackers realize that events can’t be delayed and take advantage of that time constraint to cause the most damage, Benslimane says. There is no time to recover when the match ends in a few minutes.

**Holding the Event Hostage**

Ransomware attacks encrypt documents and make it hard for organizations to function. A ransomware attack on a live event cripples the technology and interrupts the show. Cybercriminals clearly understand that the venue cannot postpone, or replay, D-Day. Imagine if a cyberattack disrupted the systems to the point that the game cannot continue, and the venue asks the crowd to leave and come back next week. 

“Just imagine the fights,” Benslimane says.

Organizations rely on the metrics MTTK (mean time to know) and MTTR (mean time to repair) to identify, investigate, and mitigate the incidents. Those metrics highlight the challenges facing live events because the clock is already ticking. If the security team takes more than 10 or 15 minutes to detect and investigate an incident, that is already halfway through the first half of the game and the halftime show is coming up, Benslimane says. This is the biggest advertising window, and not being able to broadcast the ads would be a significant blow to the organization, which makes it even more likely that these venues would pay the ransom.

“The cybercriminals clearly understand that if something happens during D-Day, there won’t be enough time to respond,” Benslimane says.

**Moving Faster than the Attackers**

Attackers move faster than defenders, which makes it difficult for security teams to respond during an event. For defenders to be able to respond effectively, they need to be operating at machine speed, which means using artificial intelligence (AI) as part of the security response, Benslimane says, noting that he deployed Darktrace’s technology in his past roles. The AI can look at all of the events happening in the network and correlate them quickly to identify which issues are problematic. If the investigation finds that the issue is actually not a problem, then the AI doesn’t take any action. And if there is an issue, the AI already has the information it needs from the investigation to neutralize the threat and remediate, such as by blocking a particular connection or isolating the affected system.

The AI is like a “sponge” for knowledge. 

“As long as you put in water, the sponge will absorb it. The AI brain will absorb everything you give it,” Benslimane says.

Speed is paramount for detection, investigation, and making the decision on how to respond, especially when the environment is complex and constantly evolving. The infrastructure for a live events venue is not static, so the AI is constantly learning, analyzing, and making decisions.

The AI is “much faster than 1000 cybersecurity guys in a SOC – even if it’s the best SOC in the world,” Benslimane says.

Security Lessons From Protecting Live Events

Companies need to fill some of the 3.5 million empty cybersecurity seats with workers who bring different experiences, perspectives, and cultures to the table. Cut a few doors and windows into the security hiring box.

In the past year, we've had to grapple with the impact of a quickly growing threat landscape. Debilitating cyberattacks against our critical infrastructure, threats against our already weak supply chains, and the continued ripple effect of the Log4j incident have fueled the need for more intentional investment in security tools and services.

With cybercrime growing, it's no secret that there is a dire need for cybersecurity talent globally, so let's break down what the industry looks like for a moment. For security spots already filled, only 4% are Hispanic, 9% are Black, and 24% identify as women, according to the Aspen Institute. There is a clear picture painted for us: Not only do we need to fill the empty seats, but we need to fill them with workers who are bringing different experiences, perspectives, and cultures to the table.

**Unlocking Innovation with Diversity**

So, why does this matter? Diversity and inclusion have become notorious for being buzzwords within organizations, with companies increasingly touting their respective campaigns, and programs around diversity efforts.

In every industry — but particularly in an industry like cybersecurity that is changing by the minute — we need the brightest ideas, the most well-rounded teams, and the most creative practitioners. Having diverse thoughts, backgrounds, and experiences leads to better and more informed decision-making. At SPHERE, the diversity of our team has improved our ability to overcome business challenges. Our array of talent has also enhanced our culture, reduced turnover, and led to a greater sense of satisfaction throughout the organization.

Another key reason diversity should be a vital thread in the fabric of your cybersecurity business is that it's exactly what the new wave of job seekers is looking for.

Millennials now make up more than one of every three people employed in the United States. And data shows that this powerful group is no longer satisfied with the way workplace benefits and culture have traditionally been measured. According to Weber Shandwick, 47% of millennials consider diversity and inclusion an important factor in considering a new job, 14% more than Gen-Xers. Cybersecurity organizations and teams are the backbone of our infrastructure and daily activities, and thus should be communicating their values, beliefs, and missions so that they are attracting the most ambitious, creative professionals.

**A Tool Set for Progress**

We must take this information and run with it, strategizing ways to nurture a healthy pipeline of diverse talent. The first and most important step to doing this is being confident that there is a problem but that your organization is more than capable of solving it. To begin, recognize that there are many technical and nontechnical roles available in security. The points of entry into this industry are vast and go beyond engineering — from governance, risk, compliance, and IT to business development, product marketing, and communications.

Secondly, partner with local colleges and universities, tapping into educational programs outside of engineering or software development, as well. Organizations such as Cyversity, Women in Cybersecurity (WiCyS), and Women in Security and Privacy (WISP) are doing phenomenal work opening the door of opportunity to populations historically locked out.

Last, and in my opinion one of the most important strategies, is to leverage your networks to initiate open conversations about the work you are doing. As a woman founder and CEO of a cybersecurity company, I am committed to using the platform and resources I have to nurture the next generation of diverse cybersecurity professionals.

We can't sit back and watch as the talent and skills gap within our industry widens. At SPHERE, we've set out to empower young women to achieve greatness in the cybersecurity industry. As such, we're launching a program, SP(HER)E, that partners established women leaders with younger women who are new or are looking to break into the industry.

**The Way Forward — Perspectives From a Woman Leader**

I've faced a fair share of challenges being a woman leader in this space. When I started my business, I was a young woman launching a niche company in a male-dominated industry, and there was doubt around my ability due to inexperience combined with the unfortunate reality that some folks tend to consider women less capable than men. I understand that this is an issue and a gap we can't fill overnight. But we _can_ commit to daily, small steps that will compound into meaningful results in the next few years.

The cybercriminal landscape is only getting more sophisticated, cunning, and large. Hiring diverse talent – and sustaining this progress with investments into professional development and retention – are the first steps toward a well-equipped and thriving cybersecurity team!

The Cybersecurity Diversity Gap: Advice for Organizations Looking to Thrive

Security teams —  who are already fighting off malware challenges — are also facing renewed attacks on cloud assets and remote systems.

Big picture, security professionals worry about how to defend their organizations against increasingly sophisticated attacks exploiting zero-day vulnerabilities or nation-state attackers, but their day-to-day security concerns appear to be far more prosaic. According to Dark Reading's "The State of Malware Threats" report, ransomware and phishing attacks are top-of-mind for security professionals.

When asked which type of attacks worried them most, 61% of IT security professionals cited ransomware, followed by 54% for phishing attacks. These statistics are significantly higher than last year's survey, where 41% said they were concerned about ransomware and 31% about phishing attacks.

Ransomware attacks are on the rise, and they are increasingly expensive. Even if an organization doesn't paying the ransom, the recovery cost is high, and there is the risk that the attackers might dump sensitive data online. Phishing is also another big concern, as that tactic is used in pretty much every kind of attack to download malware onto user machines or to steal information and credentials.

Even as more employees return to the office in the wake of the COVID-19 pandemic, the changes that two years of remote work wrought on business operations remain intact. Cloud implementation, which was already rising back in 2019, accelerated even more than predicted.

The increased reliance on the cloud may be why 27% of IT security professionals cited attacks on cloud systems and services as most worrisome.

Some threats may be of heightened concern due to highly publicized breaches. The 2019 SolarWinds attack, for one, kicked off what the report calls "a new wave of breach-once-compromise-many attacks via the software supply chain." Add in the July 2021 Kaseya ransomware kerfuffle, and it's easy to see why concern about malware and other compromises triggered by suppliers or other trading partners hit 20% in 2022, compared with 14% in 2021. Incidents such as the Microsoft Exchange Server exploit in March 2021 truly unnerved security professionals: Concerns and vulnerabilities in applications and operating systems more than doubled, from 11% in 2021 to 29% in 2022.

Polymorphic fileless malware was cited as another area of concern for 24% of respondents, up from 14% last year. This type of malware modifies functions and processes without needing to be a standalone file, which makes it difficult to detect. Cross-platform malware such as Hajime (a new category in the survey, which 7% of respondents cited) often targets Internet of Things (IoT) devices, an attack vector whose profile doubled, from 12% in the 2021 survey to 24% in 2022.

Surprisingly, concern about malware that uses artificial intelligence stayed nearly flat, rising only 1% to 18% this year. That's still a well-recognized threat, but it's interesting that fear around it has cooled.

Ransomware and Phishing Remain IT's Biggest Concerns

The code injection vulnerability is being actively exploited in the wild, researchers say.

A new security update to the Ninja Forms WordPress plug-in — which has more than 1 million active installations — patches a code injection vulnerability researchers say is being actively exploited in the wild. 

The Wordfence team analyzed a recent Ninja Forms update and discovered the patch was for a critical code injection bug that could allow several exploits, including remote code execution (RCE) through deserialization of the content provided by users of the WordPress site form builder. 

Wordfence analysts note WordPress has pushed out a forced automatic update for the Ninja Forms plug-in; however, they suggest administrators double check they're running the latest versions, 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

"We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection," the Wordfence research team wrote in its advisory about the Ninja Forms bug. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WordPress Plug-in Ninja Forms Issues Update for Critical Bug

The QNAP network-connected devices, used to store video surveillance footage, are a juicy target for attackers, experts warn.

QNAP network-attached storage (NAS) devices running out-of-date software are under snowballing numbers of active attacks in a new DeadBolt ransomware campaign, an advisory has warned.

The company is investigating the situation, but meanwhile, QNAP recommends updating its QTS and QuTS hero to the latest versions as soon as possible. This is the second spate of attacks in the past few weeks.

QNAP NAS devices are used to store video surveillance footage and the data. In the hands of ransomware threat actors, the data could be used to extort any number of organizations and individuals, experts warned.

"Ransomware is starting to shift towards data theft, as the cybercriminals can gain from both being paid the ransom as well as sale of the data," Bud Broomhead, CEO of Viakoo, told Dark Reading in reaction to the campaign. "Threats against NAS devices will increase along with the shift to extending ransomware into data theft."

**Why NAS Devices Are Easy Targets**

Besides the potential data bonanza stored inside, Broomhead added that NAS devices are soft targets for cybercriminals because they're often not set up properly or protected by a firewall. They're also often not managed by IT teams, meaning there isn't a robust security patching or monitoring strategy in place to protect them from attack, he said.

"QNAP (and NAS drives in general) have been part of CISA's Known Exploited Vulnerability Catalog for some time," Broomhead added. "Out of 778 currently exploited vulnerabilities, 10 are specific to QNAP."

The company is offering support for customers who have already been compromised.

"If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then, upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page," QNAP wrote in its security advisory on DeadBolt ransomware.

DeadBolt Ransomware Actively Targets QNAP NAS Devices — Again

Most of the attacks involve the use of automated exploits, security vendor says.

A recently disclosed critical remote code execution (RCE) vulnerability in Atlassian's Confluence Server collaboration platform is now under active attack, in a spate of attacks bent on deploying a variety of malware, including ransomware.  

Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday.

Atlassian disclosed the vulnerability in Confluence Server (CVE-2022-26134) over Memorial Day weekend, after researchers from Volexity informed the company about the issue, which they discovered while investigating a breach at a customer location. 

The bug — present in all current versions of Atlassian Confluence Server and Confluence Data Center — basically gives unauthenticated attackers a way to drop a remotely accessible in-memory-only Web shell on systems running a vulnerable version of the collaboration software. In the attack that Volexity investigated, the threat actors then used the Web shell access to drop other malware on the compromised system, which, among other things, gave them persistent backdoor access to it.

The bug stirred some concern because it gave attackers a way to access potentially sensitive project, customer, and other data in Confluence environments. At the time the bug was disclosed, Atlassian did not have a patch for it. However, the company released a fix one a day later, on June 3.

**Ongoing Confluence Attacks**

According to Sophos, while the number of vulnerable Confluence servers has been dwindling since then, attacks continue, making it more important than ever to patch. In most of the attacks that the security vendor observed, threat actors appeared to be using the fileless Web shell to try and spread an existing collection of malware tools more widely. 

The various payloads that Sophos observed include Mirai bot variants, a cryptominer known as z0miner, and pwnkit, a tool for gaining root access on most Linux distributions. Sophos said it also observed attackers exploiting the Atlassian Confluence vulnerability to drop ASP- and PHP-based Web shells on vulnerable systems, likely as a precursor to dropping other malware on them.

Sophos said it also has observed attackers running PowerShell commands and downloading shell code for deploying the post-compromise Cobalt Strike toolkit on Windows servers running a vulnerable version of Confluence. In two incidents, a threat actor tried to deploy Cerber ransomware via the Confluence exploit using an encoded PowerShell command to download and execute the malware. In both incidents, the attackers suggested they had also stolen data from the victims for use as additional leverage for extracting a ransom payment. 

However, there was no evidence that the threat actors had actually exfiltrated any data, Sophos said.

**Double-Extortion Threats**

Double-extortion ransomware attacks like the Cerber incidents have become increasingly common since the Maze ransomware group started the trend back in early 2020. With these attacks, threat actors not only encrypt data, but they also threaten to publicly release the data if their ransom demands are not met.

A recent study of the practice by Rapid7 showed that threat actors trying to coerce victims into paying a ransom most frequently leaked a company’s financial data (63%) first, followed by customer data (48%). However, Rapid7 found variances by industry in the types of data that attackers tend to leak initially. 

For instance, with financial services victims, attackers generally tended to leak customer data first (83% of the time), instead of the victim's internal financial data. However, when it came to organizations in the healthcare and pharmaceutical sectors, ransomware actors leaked the victim's financial data 71% of the time, which was more substantially more frequent than incidents involving leaks of customer data.

Rapid7 also discovered differences among ransomware actors when it comes to the type of data they leaked. For instance, 81% of the incidents involving Conti ransomware featured publicly leaked financial data. The Cl0p group, on the other hand, disclosed employee information (70%) more than any other type of information.

Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware

The energy sector remains susceptible to both espionage between nation-states and cybercrime, and recent developments keep pointing toward more attacks.

The connected world brings people together, but connectivity also brings risk. Cybercriminals can use the same tools that bring us together to spread chaos. Every organization is concerned about cybersecurity.

During the last several years, the energy industry has been subject to high-profile attacks, including an extremely disruptive ransomware strike on Colonial Pipeline that affected fuel supplies in the US for days. While this and other high-profile attacks were the work of cybercriminals looking for a huge payday, the energy sector remains susceptible to both espionage between nation-states and cybercrime. Recent developments keep pointing toward more attacks.

The cybersecurity community needs to take global, unified action to create new rules governing and protecting the energy industry worldwide. Failure to do so will only encourage more attacks on critical, lifesaving services and hamper economic growth around the world.

**The Future Is Uncertain, but It Is Electric**

Everything from our finances to heating and communications relies on electricity. Even cybersecurity relies on electricity. I believe that when we have access to reliable energy and electricity we can create a more just, unified world.

For example, German and French leaders met in Switzerland in the aftermath of World War II to discuss creating a cross-border electrical grid between the former enemies. The wounds of war were still fresh, yet a group of determined engineers hammered out a deal that would strengthen both countries' economic recovery through resilient electrical infrastructure.

Nearly 75 years later, the need to guarantee the steady flow of electricity continues to unify people, countries, and organizations in an increasingly unstable world.

**Risks Increase as Grid Grows More Decentralized**

The necessary decentralizing of energy production infrastructures dramatically increases attack surfaces in the electrical grid, creating cybersecurity gaps and vulnerabilities. Digitization of the energy infrastructure will deliver huge value in enabling a clean energy future but poses additional cybersecurity challenges if these technologies are operated in a traditional way. For instance, these developments have created decentralized energy products like solar panels on private homes and digitized assets that were previously analog, such as substations. Meanwhile, automated systems buy and sell power and communication networks span entire transmission and distribution lines. That's millions of miles of connectivity we didn't have before.

Unfortunately, utilities and energy companies are still approaching this 21st century problem with 20th century solutions built for static, centralized, monolithic grid architecture. Today's grids are dynamic, flexible, and decentralized — requiring connectivity with numerous equipment manufacturers and preventing operators from simply digitally and physically walling off the grid. Utilities need to stop breaches from occurring, of course, but traditional perimeter defense needs to be supplemented by an approach that continuously monitors assets and network communications to identify abnormal or potentially malicious behavior. On their side, manufacturers need to deliver additional cybersecurity capabilities and also ensure interoperability for cybersecurity operations.

It's critical that we create a global consensus on supporting and protecting the electricity grid as it grows in complexity and importance. Here are three ways the world can come together to better protect electricity infrastructure.

**An Agreement to Share**

The first step would be to share information across utilities, energy companies, equipment manufacturers, and government agencies. Similar to the International Atomic Energy Agency (IAEA), a global organization should be set up to encourage transparency throughout the industry and share data and information about potential attacks, vulnerabilities, and remediation techniques.

Data connectivity between grids would be crucial, giving regulators and cybersecurity professionals access to real-time critical intelligence that could potentially prevent an attack in advance. We could set up a "black box" exchange, similar to data recording devices on commercial airlines to prevent similar attacks from occurring again. The technology already exists to enable this transparency through remote monitoring and asset management solutions that automate grid connectivity. The key would be trust. Fortunately, we have two great examples of information sharing in the nuclear energy and airline industry.

**Consensus on Cybersecurity Rules and Regulations**

Today we have a highly decentralized regulation environment with different rules around the world. For example, sign-in credential standards vary among Asia, Europe, and the US – requiring manufacturers to develop slightly different product models for each region. Standardizing regulations would streamline compliance for utilities and equipment manufacturers, strengthening asset protection while freeing up money that could then be invested in more robust cybersecurity capabilities.

**A Legal Framework for Protection**

One day, I hope we'll amend the Geneva Conventions to protect the world's energy infrastructure from cyberattacks and, in turn, protect countless lives. However, given today's political environment, such an agreement is unlikely. Instead, we'll need to look to self-governance within the industry. Utilities, equipment manufacturers, and other stakeholders will need to come together to form a strong alliance that has the power to create and enforce global cybersecurity standards. We have the technology and the will to embed cybersecurity directly into grid infrastructure, making security implicit as grids continue to grow and decentralize. The power to enact positive change is in our court.

Can We Make a Global Agreement to Halt Attacks on Our Energy Infrastructure?

The stakes are high when protecting CNI from destructive malware and other threats.

Organizations in every industry now face sophisticated, and often novel, cyber threats. But for organizations operating critical national infrastructure (CNI), the scale and multiplicity of these threats can be overwhelming. These organizations are under immense pressure to avoid downtime, maintain safety standards, and comply with government legislation, while protecting themselves from a high frequency of incisive cyberattacks.

Here's a breakdown of some of the main cybersecurity challenges facing CNI and how organizations can tackle them.

**1\. Attack Tools for Hire**

CNI organizations make particularly favorable targets for ransomware gangs, as the high cost of downtime means they are often more likely to pay a ransom in the hope of quickly restarting their systems. These organizations face the same financial pressures as other industries, but the potential social, political, and safety implications of downtime make them especially vulnerable.

When DarkSide targeted Colonial Pipeline with ransomware last year, the group received the ransom it had demanded just hours after the attack detonated. Even so, it took six days for Colonial to restore the pipeline's operations using DarkSide's IT tool, causing significant oil shortages across the East Coast of the US.

It's not just organized ransomware gangs targeting these organizations, but also individual threat actors using for-hire ransomware-as-a-service (RaaS) tools. The increasing availability of these tools means we are seeing more small-fry attackers taking on big-game targets in the hope of large payouts.

Tools reliant on threat intelligence will struggle to keep up with this dispersed threat landscape. To fight it, organizations will need to employ security approaches that account for novel threats to both their IT and OT systems.

**2\. Ransomware Groups With Nation-State Backing**

Though ransomware affects organizations in all industries, CNI organizations face the added threat of nation-state-backed groups, which cause disruption to aid government or military action and may not be looking for ransom payments at all.

Because of their government backing, these groups have the funding to quickly develop novel tools and are incredibly difficult to combat with legislation or arrests. If an attack of this nature had struck Colonial Pipeline, the time it took to bring systems back online — and the socioeconomic disruption — could have been considerably worse.

At the Royal United Services Institute, Darktrace CEO Poppy Gustafsson addressed Russia's use of cyber warfare in its invasion of Ukraine.

"The attack on the Viasat satellite that disabled Ukrainian military communications one hour before the invasion was a key component of the beginning of this war," she said. "We have seen UK, US, and EU officials jointly attribute this attack to Russia, an immensely political act. That is unprecedented."

**3\. Destructive Malware**

With cyberattacks becoming an increasingly common fixture in military arsenals, CNI organizations are recognizing the need to bolster their defenses against tenacious and well-funded attackers who are employing novel malware strains. Increasingly, that includes destructive malware.

This year the Russian invasion of Ukraine brought another CNI threat into the headlines. HermeticWiper is a disk wiper that struck several Ukrainian organizations a day prior to the invasion, fragmenting and then overwriting files on disk in an attempt to cause disruption. This is a form of destructive malware: malware that does not hold systems for ransom but is simply designed to damage them, wiping data and breaking processes. The average estimated cost of one of these incidents to a large, multinational company is $239 million.

The nature of destructive malware makes it primarily a political or military tool, and in the wake of the invasion of Ukraine, the Five Eyes intelligence alliance issued a warning regarding the heightened risk of cyberattacks. The stakes of such an attack make it paramount that organizations are prepared for novel threats, rather than relying on rules-based security systems.

**4\. Government Compliance Requirements**

The social implications of CNI shutdowns mean that these organizations receive far greater attention from governments. In recent years, legislation has often followed high-profile attacks, leaving organizations limited time to update their procedures and remain compliant. A recent of case this in the US was the Cyber Incident Reporting for Critical Infrastructure Act. The act, signed earlier this year, requires critical infrastructure operators to report cyber incidents to CISA within 72 hours, meaning reports must be hastily drawn together during the immediate aftermath of an attack.

Having advanced threat investigation technology deployed across the digital environment can help CNI operators piece together cohesive threat narratives from disparate and sometimes subtle events, reducing the time to understanding massively for security teams. Beyond meeting government deadlines, this insight into how attacks emerge and move through the network massively increases an organization's ability to detect sophisticated threats and seek out potential vulnerabilities within their systems.

**5\. Converged Infrastructures That Need Protecting**

An earlier article covered the future of IT/OT convergence and how artificial intelligence (AI) can help organizations embrace it. In brief: Deploying technology that considers IT and OT as a single environment prevents gaps in security posture and aids the detection of wide-ranging attacks.

IT/OT convergence is one of the biggest points of anxiety for security professionals in CNI organizations. Technologies such as the Industrial Internet of Things (IIoT) devices and industrial control systems as-a-service (ICSaaS) make network segmentation increasingly ineffective.

When a phishing attack can lead to OT system shutdowns — and potentially put human lives in jeopardy — security approaches need to be able to stop threats with speed and precision. AI-driven tools can make convergence a strength, using data from one set of systems to inform detections within another.

Tackling 5 Challenges Facing Critical National Infrastructure Today

Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.

Microsoft's official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that's been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.

That's because some organizations are still using Internet Explorer (IE) despite Microsoft's long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organizations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn't dead just yet, nor are threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman's Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea's MBN pointed to several large organizations still running IE.

"Internet Explorer has been around for over 20 years and many companies have invested in using it for many things beyond just Web browsing," says Todd Schell, senior product manager at Ivanti. There are still enterprise applications tied closely to IE that often are running older, customized scripts on their website or have apps that may require older scripts. "For example, companies may have built extensive scripts that generate and then display reports in IE. They have not invested in updating them to use HTML 5 for Edge or other modern browsers."

Such organizations face the sort of security issues associated with every other software technology that is no longer supported. Running IE 11 as a standalone app past its end of support date means that previously unknown — or worse yet, known but unpatched — vulnerabilities can be exploited going forward, Schell says.

"This is true for any application or operating system but has historically been an even bigger issue for browsers, which have such widespread use," Schell says. It's hard to say how many organizations worldwide are presently stuck using a technology that is no longer supported because they did not migrate away sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE likely remains in widespread use, he notes.

Any organization that hasn't already should prioritize moving away from IE because of the security implications, says Claire Tills, senior research engineer at Tenable. "The end of support means that new vulnerabilities will not get security patches if they don't meet a certain criticality threshold and, even in those rare cases, those updates will only be available to customers who have paid for Extended Security Updates," she says.

**Bugs Still Abound**

Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app on Windows 10. But the fact that the MSHTML engine will exist as part of the Windows operating system through 2029 means organizations are at risk of vulnerabilities in the browser engine — even if they are no longer using IE.

According to Maddie Stone, security researcher at Google's Project Zero bug hunting team, IE has had a fair number of zero-day bugs over the past years, even as its use shrank. Last year, for example, the Project Zero team tracked four zero-days in IE — the most since 2016, when the same number of zero-days were discovered in the browser. Three of the four zero-day vulnerabilities last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via methods other than the Web, Stone says.

"It's not clear to me how Microsoft may or may not lock down access to MSHTML in the future," Stone says. "But if the access stays as it is now it means that attackers can exploit vulnerabilities in MSHTML through routes such as Office documents and other file types as we saw last year" with the three MSHTML zero-days, she says. The number of zero-day exploits detected in the wild targeting IE components has been pretty consistent from 2015 to 2021 and suggests that the browser remains a popular target for attackers, Stone says.

Tenable's Tills notes that one of the more widely exploited vulnerabilities in a Microsoft product in 2021 was in fact CVE-2021-40444, a remote code execution zero day in MSHTML. The vulnerability was exploited extensively in phishing attacks by everything from ransomware-as-a-service operators to advanced persistent threat groups.

"Given that Microsoft will continue to support MSHTML, organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt long term to reduce the risk of future vulnerabilities," Tills notes.

**The Usual Mitigations**

Microsoft was not available as of this post to comment on the issue of potential risk for organizations from attacks targeting MSHTML. But Ivanti's Schell says it is reasonable to assume that Microsoft has provided proper security and sandboxing around MSHTML when running in IE compatibility mode. He says Microsoft can monitor and provide any needed updates to MSHTML since it is a supported product and feature. The best mitigation, as always, is for organizations to keep their software, OS, and browser updated and ensure antiviral and malware detection mechanisms are up-to-date as well.

"MSHTML is now just one of many libraries that we have in Windows 11," says Johannes Ullrich, dean of research at the SANS Institute. "Of course, it is a complex one, and one that still has a significant but somewhat reduced attack surface," he notes. So, the best mitigation for organizations is to keep patching Windows when updates become available, he says.

"IE is still popular enough to be a worthwhile target" for attackers, Ullrich adds.

Even so, the continuing number of zero-days being discovered in IE doesn't necessarily mean that attackers have suddenly intensified their interest in attacking it. "It may just be that it was easier to find vulnerabilities using newer tools in the old IE codebase," Ullrich says.

Source

DARKReading