Organizations that can break out of siloed data and apply context can transform intelligence into actionable, relevant security knowledge.

For organizations struggling to defend against today's onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they get from outside sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all that information can be overwhelming if you don't know how to use it. Meanwhile, companies often overlook important data that resides inside their own environments.

To use threat intelligence effectively, you first need to understand what's happening inside your own environment and how your employees use network resources. With this context, you can interpret, tailor, and apply threat intelligence in a way that is specific and unique to your organization. This bespoke baseline enables you to identify anomalies in your environment and the issues they pose. All the outside threat data in the world won't help you if you don't know what your internal systems are supposed to be doing.

In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship. As security professionals, it's not our job to stare at the great and powerful Oz but to look behind the curtain.

For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce the noise of logs, keep an eye on endpoints, and identify known threats, but they won't identify all the threats in your environment. Relying on traditional tools alone is practically a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how those tools work, what their capabilities are, and what their weaknesses are. Why should the attacker know more about your systems than your security team does?

**Three Tips**

Use these tips for turning your threat intel into security knowledge:

1\. **Use multiple sources of data.** By all means, take advantage of threat intel feeds and CISA alerts, but know their limitations. Threat intel feeds have limited types of information — tactics, techniques, IP addresses, domain names, or file hashes — and by the time you get the alerts, the information can be months old. New information needs to be leveraged against not only the way your systems are today but the way they were in the past. By being able to view insights across time, you achieve a new level of security awareness and confidence in your continuous security integrity.

2\. **Make the data actionable.** Security professionals often don't see threat intel as valuable because it typically lacks context. A list of IP addresses is just data if you don't understand why (and when) the addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will get potentially millions of pieces of information daily. The majority of this information will either lead to false positives or be irrelevant to the organization's business. The cost of this is twofold. First, there is the cost of using this information in your security gear. Imagine trying to match millions of indicators of compromise against log volume from EDR, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with those red herrings.

The best solution is to consider threat intel obtained from third parties as a springboard for analysis, not the end result. For example, a feed may indicate that a file with a particular MD5 hash is malicious. While your systems may not have that exact file on them, they could have variants that are unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far removed they are from data in threat intel feeds is the next evolutionary step in becoming a true security practitioner.

3**. Adopt a security knowledge mindset.** Threat intel is not something you have, it's something you do. Don't blindly buy a security product just because it's there; understand how it works and what its limitations are. Ask yourself the question, "How might an attacker evade it?" Security consumers would never ask questions like that, while practitioners engage across teams and functions. They break through team-siloed thinking and facilitate bidirectional sharing of knowledge. What one incident responder may attribute to "strange activity" might shed light on an active threat research case.

Functional walls around security operations center (SOC), incident response, and research teams interfere with effective communication and information sharing. All three should feed information to each other in real time. They use different tools. For example, SOCs use SIEMs, IR uses forensic tools, threat intel folks use threat intel platforms. Executives need to formalize an operational structure that breaks down the silos and reduces tool fragmentation that prohibits security knowledge between teams.

**Conclusion**

Threat intel is a good thing, but if you're locked in a silo, its effectiveness is diminished. If you can break out of the silos and apply context, intelligence can be transformed into actionable security knowledge that's specific to your organization. And to make it happen, a top-down appreciation of the value of this is required from the CEO and board of directors all the way through to the security practitioners.

Why We Need Security Knowledge and Not Just Threat Intel

Username and password combinations offered for sale on the Dark Web by criminals has increased 65% since 2020.

Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found.

That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020.

The report from the Digital Shadows Photon Research team, "Account Takeover in 2022," shows that cybercriminals continue to profit handsomely from this reality with a record-breaking wave of credential thefts, account takeover attacks (ATO), and black-market sales of access to victim accounts.  

Within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. The report shows that the markets selling these credentials are robust and sophisticated, with several subscription services emerging to offer criminal premium services for purchasing them. 

**'Endless List' of Breached Data**

Further bad news for security folks is that many of the passwords examined in these stolen data stores were not very secure in the first place.

“Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

To wit: Nearly one in every 200 passwords found in the credentials offered for sale by criminals is 123456. Of the 50 most commonly used passwords in those collated for the report, 49 can be cracked in less than one second using tools also commonly available in underground forums. So whether a criminal buyer purchases a list of stolen credentials or a password cracker, accounts using only these credentials are extremely vulnerable to attack.

**Passwordless to the Rescue?**

This is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords. 

The most common systems they wished they could authenticate without passwords were workstation logins, legacy enterprise applications, and cloud applications. And those numbers primarily focus on business accounts without considering the even more thorny problem of consumer authentication, for everything from bank accounts to software subscription services.

One of the biggest pushes for passwordless authentication comes by way of the FIDO Alliance, which for more than a decade has been publishing standards for high-assurance authentication mechanisms to kick passwords to the curb. 

Earlier this year, the Fido Alliance acknowledged “we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space” in its unveiling of a vision for multidevice FIDO credentials to be used in consumer use cases — important in the era of remote working from personal devices. These passkeys are more secure than passwords and are designed to make logins easier across mobile devices and desktops. In May, Apple, Google, and Microsoft reported that they’re going implement support for these standards in their platforms.

But in the meantime, Morgan explains that organizations can’t afford to ignore the ever-growing issue of stolen and trafficked credentials used for ATO.

“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” says Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”

24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far

Here's a rundown of Dark Reading's reporting and commentary from and surrounding the first in-person RSA Conference since the pandemic began in 2020.

RSA Conference 2022 — If you didn't make the trip to San Francisco last week for the RSA Conference or were too busy watching the Golden State Warriors battle the Boston Celtics in the NBA Finals, Dark Reading has you covered. Here's a compilation of our news analysis and commentary before, during, and after the show:

Beware the 'Secret Agent' Cloud Middleware

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

How 4 Young Musicians Hacked Sheet Music to Help Fight the Cold War  
In 1985, a group of klezmer musicians from the US rendezvoused with underground dissidents in Tbilisi, Georgia. This is the story of how they pulled it off with homebrew cryptography.

An Emerging Threat: Attacking 5G via Network Slices

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

Why AIs Will Become Hackers

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

Meet the 10 Finalists in the RSA Conference Innovation Sandbox

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSAC Startup Competition Focuses on Post-Cloud IT Infrastructure

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

Now Is the Time to Plan for Post-Quantum Cryptography

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSAC Opens With Message of Transformation

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

Ransomware's ROI Retreat Will Drive More BEC Attacks

Crackdowns are driving down ransomware profits, and analysts see signs that operators are pivoting to business email compromise attacks, security researcher warned.

Communication Is Key to CISO Success

A panel of CISOs at the RSA Conference outlined what a successful first 90-day plan looks like, and it boiled down to effective communication and listening.

IBM to Buy Attack Surface-Management Firm Randori

Randori's attack-surface management software will be integrated into IBM Security QRadar extended detection and response (XDR) features.

The CISO Shortlist: Top Priorities at RSAC 2022

The buzz on the show floor during RSA Conference is about aligning the organization's security priorities with the right technology. Will Lin, managing director and founding member at Forgepoint Capital, weighs in on the biggest security priorities for 2022 — and what kind of tech senior-level executives are looking for.

Data Transformation: 3 Sessions to Attend at RSAC 2022

Three RSAC 2022 sessions take deep dives into the security considerations around data cloud transformation.

MITRE Creates Framework for Supply Chain Security

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

5 Years That Altered the Ransomware Landscape

WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.

In Case You Missed RSA Conference 2022: A News Digest

Here are which Microsoft patches to prioritize among the June Patch Tuesday batch.

Microsoft today issued a patch for the recently disclosed and widely exploited "Follina" zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June.

The patch is among the more significant of the 60 security updates that the company released in total today to address vulnerabilities across its product portfolio. Microsoft assessed three of the bugs as being of critical severity: CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS); CVE-2022-30163, an RCE in Windows Hyper-V; and CVE-2022-30139, a remote code execution flaw in the Windows Lightweight Access Protocol.

Microsoft assessed most of the other vulnerabilities — including many remote code execution bugs — as "important."

Affected products included Windows, Office, Edge, Visual Studio, Windows Defender, SharePoint Server, and the Windows Lightweight Directory Access Protocol.

**Fix for Follina Flaw**

Security experts identified the patch for the Follina vulnerability (CVE-2022-30190) as a priority due to how actively the bug is being exploited in the wild. The MSDT bug — disclosed on May 30 — basically gives attackers a trivially easy way to execute code remotely via Office documents, even when macros are disabled. Microsoft has warned of the vulnerability allowing attackers to view or delete data, install programs, and create new accounts on compromised systems. Cyberattacks exploiting the flaw were reported at least one month prior to Microsoft’s May 30 announcement and have since then grown, fueled by the public availability of exploit code.

Andy Gill, senior security consultant at Lares Consulting, says Microsoft's new patch for Follina prevents code injection. However, exploit code will still launch msdt.exe, he says. "Therefore, while the main risk of code execution is mitigated the software is still launched," he says.

Johannes Ullrich, dean of research at the SANS Institute, says it's a good idea therefore for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. "Users applying the monthly rollup will be protected but need to realize that the patch fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document.

"Follina has been actively exploited for a couple weeks now," Ullrich says. "\[Microsoft's\] workaround, will prevent msdt.exe from launching \[and\] should probably stay in place if it doesn't cause any problems."

**Three Critical Flaws to Patch Now**

In a blog post, Dustin Childs, communications manager at Trend Micro’s Zero Day Initiative, described the critical CVE-2022-30136 vulnerability as “eerily similar” to an NFS bug that Microsoft patched last month (CVE-2022-26937) that allows attackers to execute privileged code on vulnerable systems. Attackers can exploit the flaw by sending specially crafted RPC calls to a vulnerable server, according to ZDI. The only apparent difference in the patches is that this month's update fixes the bug in NFS V4.1, while last month's update pertained to two older NFS versions, he said.

"It's not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix," Childs said.

Ullrich says this marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability in NFS. "But the component is not enabled by default and so far, we do not see any exploits for these vulnerabilities," he says.

The remote code execution vulnerability in Windows Hyper-V (CVE-2022-30163) is another patch to apply ASAP, security researchers said. Kevin Breen, director of cyber threat research at Immersive, identified it as a vulnerability that is likely going to be of high value to attackers if a method for easily exploiting it is discovered. The flaw basically gives attackers a way to move from a guest virtual machine to the host in order to access all running VM machines on that system. However, exploiting the flaw — at least presently — is complex and requires the attacker to win an unspecific race condition, Breen said in emailed comments.

Meanwhile, the third critical flaw (CVE-2022-30139) is one of seven LDAP flaws that Microsoft patched this month. Though the flaw is difficult to exploit, it is one in a growing number of security issues uncovered in the directory technology. In May, for instance, Microsoft issued patches for 10 LDAP flaws, Childs said. The volume of LDAP bugs in recent months makes LDAP an attractive attack target for threat actors, he noted.

Childs also cited CVE-2022-30148, an information disclosure vulnerability in the Windows Desired State Configuration feature. The flaw is important because attackers could use it to — among other things — recover usernames and plaintext passwords from log file. "Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, they are likely some sought-after username/password combos that could be recovered," Childs wrote. The bug also facilitates lateral movement so organization using DSC need to implement Microsoft's fix for it, he said.

**'Dig a Bit Deeper'**

ZDI's analysis shows that more than half the vulnerabilities that Microsoft disclosed today are remote code execution issues. Twelve updates address elevation of privilege bugs, several of which require attackers to already have access on a system and run specially crafted code.

Breen, meanwhile, identified several other vulnerabilities organizations should address. These include two remote execution flaws in Microsoft SharePoint Server (CVE-2022-30157 and CVE-2022-30158) that enable data theft, replace documents with malicious ones, and carry out other malicious activities. Also important in the June roundup is CVE-2022-30147, a local privilege escalation flaw in Windows Installer, which Microsoft has assigned a severity rating of 7.8. That rating belies the danger these kinds of flaws present because threat actors almost always use them in attacks, Breen said.

Chris Goettl, senior director of product management at Ivanti, advises organizations to pay attention to CVE-2022-26925, a spoofing vulnerability in the Windows LSA function for enforcing security policies. The vulnerability gives attackers a way to authenticate to domain controllers and impacts all Windows servers. Microsoft has recommended that organizations prioritize domain controllers when applying the security update.

The vulnerability has been publicly disclosed and vulnerabilities for it have been detected in the wild, Goettl says. 

"The vulnerability by itself is only rated as Important by Microsoft, and the exploit code maturity is listed as unproven," Goettl says. "But dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks, so while code samples available publicly may be unproven, there are working exploits being used."

Goettl also recommends that organizations review Microsoft's FAQ for the scheduled retirement of Internet Explorer 11 desktop app on June 15, right after Patch Tuesday.

The FAQ answers many questions on what organizations can expect when the IE11 application will be disabled, and how that affects different versions of Windows including the LTSC enterprise edition of Windows, It also offers details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11, and more, Goettl says.

Microsoft Patches 'Follina' Zero-Day Flaw in Monthly Security Update

The distributed denial-as-a-service websites were behind more than 200K attacks on targets including schools and hospitals.

The operator of a distributed denial-of-service (DDoS) attack business was sentenced to two years in federal prison after being found guilty of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Matthew Gatrel offered DDoS attacks as a service on sites including DownThem.org and AmpNode.com, along with what was billed as "bulletproof" hosting. The sites offered subscription plans with varying degrees of attack capacity, power, and durations, according to the US Attorney's Office in the Central District of California, which prosecuted the case. 

Records show Gatrel's services were behind more than 200,000 attacks on victims that included homes, schools, universities, local and municipal governments, and financial institutions. 

"Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers," prosecutors explained in court documents. “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

Gatrel's co-defendant, California resident Juan Martinez, pleaded guilty to participating in the cybercrime and was sentenced to five years' probation, the US Attorney's office said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Subscription Service Operator Gets 2 Years in Prison

Organizations do not have good visibility into all the software-as-a-service applications that connect to and access data stored in core business.

While software-as-a-service helps organizations improve productivity and agility, it also adds complexity to the enterprise environment as IT security teams need to have visibility over the data stored in each of the applications.

And when organizations integrate SaaS applications with other SaaS applications, the attack surface grows even more because more applications have access to the corporate data. For example, connecting Asana to Google Workspace gives the task management platform access to data stored in the productivity suite.

In a recent report from Valence Threat Labs, 56% of CISOs said they don't have a process in place, or are not satisfied with the process they have, for discovering and managing SaaS-to-SaaS connections and integrations.

**Understanding SaaS Mesh**

_SaaS mesh_ refers to connecting a SaaS application with another SaaS, using methods such as OAuth and API tokens, low-code/no-code workflow, and SaaS marketplaces. Examples include using third-party platforms such as Heroku to access GitHub repositories via OAuth user tokens, or creating and sending email campaigns from the organization's website using the API instead of logging into Mailchimp's platform. It is possible to complete a task in Asana and have a corresponding notification message be printed in Slack.

Connecting SaaS tools to core business applications such as Office 365, Salesforce, and Google Workspace within a SaaS mesh helps enhance the organization's agility, productivity, and collaboration. However, if the mesh isn't managed correctly, it can expose data stored in business-critical applications, according to Valence Threat Labs.

The average organization uses around 80 SaaS applications — BetterCloud estimates that organizations with more than 1,000 employees use more than 150 applications, while organizations with 50 employees or less use only 16 SaaS applications. When asked how many SaaS-to-SaaS connections and third-party integrations are connected to core SaaS applications (such as Office 365, Salesforce, and Google Workspace), 50% of CISOs said they have 200 or fewer integrations, or that they didn't know, Valence Threat Labs found.

    

How many SaaS-to-SaaS connections and third-party integrations are connected to core SaaS applications? (Source: Valence Threat Labs)

In actuality, the average organization has 917 SaaS-to-SaaS third-party integrations, according to Valence Threat Labs.

While 76% of CISOs think under 20 new integrations are added every month to their environment, in reality, 76 new third-party integrations are onboarded every 30 days.

**Over-Provisioned Connections**

When asked if they had a process in place to determine if an integration is overprivileged, 53% of CISOs in the Valence Threat Labs report said they didn’t. This is a problem because nearly half, or 48%, of SaaS integrations (443 integrations, to be specific) are unused, and many of them have more privileges than they need. A SaaS-to-SaaS integration is usually inactive because someone forgot to turn it off after testing out the integration and then deciding not to use it. But because the integration is still there, someone else who gains access to one application now has access to the other and can move laterally.

"Most organizations do not have a continuous process in place that allows them to assess the business justification of non-human identities and properly offboard unnecessary third-party vendors," Valence Threat Labs said in its report.

Low-code/no-code platforms such as Workato, Zapier, and Microsoft Power Platform are powerful because non-developers can pull together workflows to access data from multiple sources. However, if they aren't configured correctly, they can expose data erroneously. Because these platforms often are not managed by application security or IT security teams, CISOs may not even know these tools exist or are accessing business applications. In the Valence Threat Labs report, 35% of CISOs said they do not have low-code/no-code platforms in their environment, when it turns out over 96% of companies have at least one such platform in use. In fact, the average organization has four or five, according to the report.

In the report, 85% of CISOs said they did not have appropriate visibility and protection from the risks of SaaS-to-SaaS connections and third-party integrations. "The fact that 85% of CISOs were unhappy with the current solutions suggests the need for more solutions specifically designed to protect the SaaS mesh," Valence Threat Labs said in its report.

Quantifying the SaaS Supply Chain and Its Risks

Mobile apps that rely on facial recognition for identity proofing can now detect fraudulent attempts to fake liveness.

**Palo Alto, CA -- June 14, 2022 --** Mobile authentication pioneer Incognia, today announced the launch of a new location identity fraud detection module to support mobile fraud prevention for mobile apps across finserv, crypto, social networks, online gaming and more. Incognia’s latest solution module is Location-based Liveness Spoofing Detection which prevents fraud at onboarding caused by biometric liveness spoofing.

Fraudsters are creating online accounts using fake identities to take advantage of sign-up bonuses and to create “money mule” accounts for money laundering. To verify a new user’s identity on a mobile app, the onboarding process today typically involves taking a selfie and passing a biometric “liveness test.” Fraudsters are now using techniques to spoof liveness to trick the selfie liveness detection algorithms. A common method is the use of facial images downloaded from the web to create deepfake videos. The use of free or low cost software packages and apps can be used to create effective deepfakes that can trick even award winning liveness detection tools. The Incognia Location-based Liveness Spoofing Detection solution is designed to prevent both injection and presentation deepfake attacks in real-time with no added friction to the mobile user.

Incognia enables enhanced mobile fraud prevention by using information from a user’s device to detect use of emulators, rooted or jailbroken devices, that are the main ways fraudsters leverage deepfakes to spoof legitimate liveness detection apps. The Incognia Location-based Liveness Spoofing Detection solution module goes beyond traditional biometric systems and addresses the device integrity and also the device location to accurately determine risk whenever a user performs a selfie and submits a biometric proof of liveness. This module can be used in conjunction with the Incognia Location Spoofing Detection and Global Mobile Address Validation modules.

Key benefits and features include:

*   Reduced friction during the onboarding process for legitimate good users
*   Detects biometric liveness spoofing, multiple app installs and high risk devices
*   Produces highly accurate risk-assessments
*   Performs device integrity checks, evaluates device/account behavioral analytics and checks Watchlists for known bad devices

“As fraudsters advance their techniques to trick liveness detection tools, it is critical that there is a solution on the market that can successfully combat the use of deepfakes at onboarding,” said André Ferraz, founder and CEO of Incognia. “We’re excited to expand Incognia’s fraud prevention capabilities even further with our latest solution module, which uses device integrity checks, device watchlists and emulator detection to prevent liveness detection spoofing caused by deepfakes. With this new module, we’re ensuring that customers across crypto, finserv, online gaming and more are protected during onboarding with a completely frictionless solution.”

Incognia fraud prevention modules are available now. To get started, visit www.incognia.com.

**About Incognia**

Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 200 million devices, Incognia delivers a highly precise risk signal with extremely low false positive rates.

Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.

Stay connected and follow Incognia on Twitter and LinkedIn.

Incognia Introduces Location-Based Liveness Spoofing Detection Solution

SBOMs should be connected with vulnerability databases to fulfill their promise of reducing risk, Google security team says.

Software bills of materials (SBOMs) — a detailed list of components, modules, and libraries used to build products — are being endorsed by the National Institute of Standards and Technology (NIST) and US regulators as a way to drive down supply chain cybersecurity risks for consumers. 

But Google's Open Source Security Team points out in a blog post today that SBOM use alone isn't an effective tool for assessing exposure. Rather, the documentation should be compared with a database of known vulnerabilities to identify any known software flaws. 

"By connecting these two sources of information, consumers will know not just what's in ... their software, but also its risks and whether they need to remediate any issues," the team explains. 

The Google analysts detail how they were able to map a Kubernetes SBOM document using the Open Source Vulnerabilities (OSV) database. The OSV database offers both a standardized format for comparison across several databases, including the Github Advisory Database (GHSA) and Global Security Database (GSD), as well as aggregated data across multiple ecosystems, ranging from Python and Golang to Rust, according to the post.  

"Our example queried the OSV database, but we will soon see the same success in mapping SBOM data to other vulnerability databases and even using them with new standards like VEX (Vulnerability-Exploitability eXchange), which provides additional context around whether vulnerabilities in software have been mitigated," the blog states. 

To make it easier for security teams to assess the full risk picture, the Google researchers recommend that SBOM creators begin to include a reference using a naming convention like a Purl URL for all packages in the software supply chain. 

"This type of identification scheme both specifies the ecosystem and also makes package identification easier, since the scheme is more resilient to small deviations in package descriptors like the suffix example above," they say. 

**SBOM Evolution  
**Steps toward marrying the software components with known flaws will help SBOMs fulfill their intended purpose: to help manage the prospect of cyberattack, the Google security blog states. 

"Continuing on this path of widespread SBOM adoption and tooling refinement, we will hopefully soon be able to not only request and download SBOMs for every piece of software, but also use them to understand the vulnerabilities affecting any software we consume," they said.

Google: SBOMs Effective Only if They Map to Known Vulns

"Aoqin Dragon" has been operating since at least 2013, with targets including government and telecommunications companies in multiple countries.

One of the primary hallmarks of an advanced persistent threat (APT) group is its ability to operate undetected for years while carrying out its specific mission.

The newest example is "Aoqin Dragon," a China-based APT actor that researchers at SentinelOne recently discovered has been spying on organizations across multiple countries for the past 10 years. The group's primary mission appears to be cyber espionage, and its targets have included organizations in the government, telecommunications, and education sectors in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

In its analysis of the threat actor's targets, SentinelOne said infrastructure and malware shows the group likely comprises a small Chinese-speaking team with potential links to an adversary that Mandiant has been tracking for some time as UNC94. Aoqin Dragon’s targeting suggests its interests are aligned with those of the Chinese government, though SentinelOne has not been able to confirm that.

In a report last week, SentinelOne said it was able to identify Aoqin Dragon activity going back to at least 2013 and continuing through today. Over that period, the threat actor — like other APT groups — has been constantly refining and tweaking its tactics, techniques, and procedures (TTPs), SentinelOne said.

In the initial stages, Aoqin Dragon relied heavily on exploits targeting a couple of old Microsoft vulnerabilities (CVE-2012-0158 and CVE-2010-3333) to compromise targets. Later the group began using various document lures to try and infect target systems. Lures included documents with political themes pertaining to the Asia-Pacific region and content with pornographic themes. Individuals who fell for these lures were infected with a backdoor called Mongall, or sometimes with a modified version of Heyoka, a tool based on an open source proof of concept for exfiltrating data from compromised systems via DNS tunneling.

According to SentinelOne, Mongall is not especially feature-rich. Even so, it is effective and can create a remote shell for uploading files from an infected machine to the attacker's command-and-control servers (C2). The malware embeds three C2 servers in its code, making it dangerous, SentinelOne said.

**Rarely Used Tactic**

Since at least 2018, Aoqin Dragon has been using fake removable devices — in addition to its usual document exploits — as a vector for gaining initial access on target systems. In cyberattacks involving removable devices, SentinelOne observed the threat actor placing a removable disk shortcut file on a compromised system. When clicked, the file initiates a sequence of activity that ends with a malicious loader being placed on the system.

Joey Chen, threat intelligence researcher at SentinelOne, says Aoqin Dragon's use of a removable device for initial access is noteworthy because few actors use the approach these days. Instead of an actual physical removable device — such as an USB or DVD — the threat actors have been trying to lure users into clicking on a malicious removable disk shortcut file forged to look like a normal removable device. 

"The USB shortcut file contains a specific path to execute the Evernote Tray Application and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe," Chen says. "The advantage of using a removable device as an initial access vector is that malicious files don't need to land into the victim's host machine."   

Mike Parkin, senior technical engineer at Vulcan Cyber, says the use of fake removable devices for initial access can be very effective, but it has never been the most common attack vector. 

"There was a time when leaving infected USB thumb drives, DVDs, and CD-ROMs was a common penetration testing technique that mimicked what we saw threat actors doing in the wild," he says. "Downloading and mounting an ISO file is the same idea, only entirely file-based."

For threat actors, removable devices are another tool that they can deploy to infect their targets, Parkin says. 

"If the victim can be enticed to download and launch the malware, the attacker has gotten around the need to breach the external defenses," he says. "The victim did it for them."

Several of Aoqin Dragon’s TTPs — such as DLL hijacking and DNS tunneling to evade detection — are similar to those that other threat actors use, says Chen. However, the threat actor's use of removable devices as an initial access vector is somewhat different. 

"In addition, the entire spread module and install module of the malware are all written by actors themselves," he says. This has made it harder for typical endpoint protection systems to detect the malware, he notes.

Chinese Threat Actor Employs Fake Removable Devices as Lures in Cyber Espionage Campaign

Martyn Ryder from Morphean explains why forging trusted partnerships is integral to the future of physical security in a world of networks, systems, and the cloud.

Physical security and cybersecurity have traditionally been regarded as two quite separate practices.

While the role of the physical security professional has commonly involved the installation of hardware, such as CCTV cameras, to protect people and premises, the primary focus of their cybersecurity counterparts has been networks, systems, and software in the drive to mitigate threats.

Digital transformation has seen both industries evolve rapidly over the last decade, while simultaneously drawing much closer together, united against a threat that can traverse both the physical and cyber realms. The opportunity this presents is significant, yet there are also risks.

Forward-thinking organizations are now looking to protect their entire operation from both a physical and cybersecurity perspective, in a single homogenized approach. But what does this mean for the physical security professional, and how are the roles of physical security and IT technicians set to change as physical security hosted in the cloud increasingly becomes the norm?

**Moving Away From Security Silos**

Advancements in cloud, the IoT, and the sharing of data mean that legacy analog security technologies are rapidly becoming obsolete, in favor of intelligent, connected physical security solutions capable of sharing data to improve security and enhance business operations. Yet without the correct network security protocols in place, vulnerabilities can be inadvertently introduced, such as exposing backdoors into a network as a result of unsecured devices, or other paths that security antagonists could take to target the enterprise.

While modern businesses should look to employ the highest levels of physical and cyber protection, such measures become difficult to achieve when implemented in a siloed way. In May 2019, vulnerabilities were discovered in network physical access control systems that allowed hackers to hijack credentials, take control of doors, install malware, and launch distributed denial-of-service (DDoS) attacks, all while circumventing the security measures in place. In this scenario, it was the physical security system that was compromised leaving the business wide open to attack.

Convergence, therefore, between cybersecurity and physical security offers a solution to bring the two security facets together in partnership, increasing resilience and enhancing preparedness to identify and mitigate threats. The resulting overarching, holistic view of an organization’s security posture will enable all points of connectivity to be thoroughly assessed and managed; this is critical as cyber and physical assets become increasingly intertwined and the attack surface is increased.

**Physical Security in a Cloud-Enabled World**

Yet as digitalization and cloud migration make network-connected devices and services the preferred configuration, there is a risk that those physical security professionals who are unprepared for the new era may be left behind. Connecting physical security to the cloud has countless security and intelligence benefits for the end user. But those physical security installers who do not understand the language of IT or fully grasp the benefits of cloud physical security solutions will be unable to pass these benefits to their customers, resulting in a smaller pool of low-scale projects.

In order to remain competitive, physical security specialists must begin arming themselves with knowledge of network connectivity, data collection, and the power of analytics. This will help them position physical security technology as more than just business protection, but rather a business opportunity. Close integration with IT and cybersecurity partners will be key to achieving this objective and will place the physical security professional in a far better position to work with the latest devices, technologies, and platforms to improve business operations for their customers.

**Zero Trust and the Safety of Cloud-Based Physical Security**

While the dangers associated with adding any device to a network cannot be ignored, recognizing the risks will help businesses ensure the most appropriate security protocols are in place for maximum protection of networks and systems. An increasing number of vulnerable endpoints creates copious opportunity for network exposure, and malicious threat actors are lying in wait to take advantage. A perimeter firewall is no longer enough to ensure network integrity, and unauthorized access to data and services must be made as granular as possible.

This is why the principle of zero trust, based on a framework from NIST, has emerged as cybersecurity best practice. The premise is a simple one: Give no implicit trust. This means ensuring access is only granted to areas of the network as and when they are needed. Multifactor authentication methods can help establish trust, verifying user activity to help protect the network from malicious intent. While it’s still a relatively new concept, physical security integrators must quickly come to grips with such principles to ensure they can deliver surveillance systems that do more than just deliver physical security.

As physical and IT security increasingly converge, security professionals should be looking to align themselves with vendors through trusted partnerships. This will help them to expand their capabilities and take their skill sets to the next level. Working with a provider that can help them understand the benefits of cloud physical security and the importance of working collaboratively with IT will enable the physical security professional to work with confidence, applying cutting-edge technologies to meet today’s business requirements without compromising network and system security.

_Martyn Ryder is VP Sales & Marketing at Morphean._

__This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.__

Source

DARKReading