GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.

Organizations hosting significant parts of the open source software supply chain continue to adopt security measures that give developers and maintainers more tools to harden their projects against attacks and malicious code commits.

On Monday, GitHub announced that the company — which owns and maintains the Node Package Manager (npm) service — had called for developers to comment on a plan to adopt sigstore, which simplifies the signing of code components produced by projects as well as linking them back to the source code. The sigstore project has made digitally signing source code easier because individual maintainers no longer have to manage their own cryptographic infrastructure.

The technology service allows software developers to confirm what code has been used to generate a particular software application or component, says Brian Behlendorf, general manager of Open Source Security Foundation (OpenSSF), which maintains sigstore with the Linux Foundation.

"The assembly of components into software platforms and applications — all of that has been done with the same kind of security we had on the Internet before TLS \[Transport Layer Security\], frankly," he says. "We depended on a not necessarily misplaced but  high degree of trust that the infrastructure just did things for us or that there were not bad actors out there."

The proposal is the latest effort to make tools available to developers to secure the software supply chain. GitHub's npm, the Python Package Index (PyPI), and others have already urged developers to adopt two-factor authentication (2FA) to secure their accounts to prevent a compromise through a simple credential-based attack. GitHub, for example, has already moved the top 500 most-popular npm projects to 2FA and plans to require the security technology for any project with more than a million downloads per week.

Adopting digital signing of software packages is another critical step. In March, software security firm Sonatype announced it had "every intent to adopt sigstore as part of the Maven Central platform." Maven is the most popular source of Java software components and is maintained by Sonatype. PyPI has a specification called The Update Framework (TUF) that calls for digital signing of software packages, and the repository has a sigstore module under development.

The ability to attest that a program or executable came from a certain source code repository is an important step in securing the software supply chain, Justin Hutchings, director of project management for GitHub's security features, wrote in the blog post.

"When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository," Hutchings said. "Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys."

GitHub acquired the Node Package Manager (npm) in 2020.

**SBOMs and "Salsa"**

The ability to sign code is fundamental to supply chain security. For example, a software bill of materials (SBOM) is a way to communicate to developers and security tools the components that make up a software project. Determining what software components and libraries are used in modern software projects is not always straightforward. Already, the US government has created requirements that any software sold to a federal agency needs to have an SBOM, but only a third of companies currently use SBOMs.

Another initiative, the Supply Chain Levels for Software Artifacts (SLSA), pronounced "salsa," provides developers and application security managers with a road map for securing software projects and communicating the software provenance.

"You need to have integrity, and you need to understand the quality — SLSA is really around that integrity part," says Kim Lewandowski, one of the original creators of SLSA and a co-founder at Chainguard, a software security firm. "A developer knows they're getting this piece of software that is built around these dependencies and these are the \[software\] artifacts that went into it."

Sigstore works because the technology makes signing code much easier for developers. OpenSSF's Behlendorf likens the platform to the Let's Encrypt service, which makes the keys for securing websites freely available and easy to deploy. Making any security technology easy to use is critical, he says.

"Greater security in open source software is going to come, not just by helping people write better code," he says. "It is not just going to come from a lot of people finding zero-days, and getting those fixed and fixes pushed out. It is going to come from having tooling that will make having better security throughout the supply chain a 'zero lift' for developers. If they even have to have a feature flag turned on, that is too much."

Software Supply Chain Chalks Up a Security Win With New Crypto Effort

Unusually, SOVA, which targets US users, now allows lateral movement for deeper data access. Version 5 adds an encryption capability.

The Android banking Trojan SOVA is back and sporting updated capabilities — with an additional version in development that contains a ransomware module.  

Researchers at Cleafy, which documented the resurgence of SOVA, say that version 4 appears to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Spain appears to be the country most targeted by the malware, followed by the Philippines and the US.

The SOVA v4 malware is hidden within fake Android applications disguised by the logos of popular apps including Chrome and Amazon. The latest version includes a refactored and improved cookie-stealer mechanism, which can now specify a list of targeted Google services and other applications. In addition, the update allows the malware to protect itself by intercepting and deflecting attempts made by victims to uninstall the app.

Also in the latest versions of SOVA, attackers can control the specific targets via the command-and- control (C2) interface. This increases the adaptability of the malware to a large variety of attack scenarios.

In addition, it has capabilities that allow attackers to grab screenshots, and to record and execute commands. This enables an attacker to look for ways to laterally move around to other systems or applications that might be more lucrative.

"The most interesting part is related to the \[virtual network computing\] capability," the report notes. "This feature has been in the SOVA roadmap since September 2021 and that is strong evidence that \[threat actors\] are constantly updating the malware with new features and capabilities."

**Ransomware on the Horizon**

The Cleafy team also found evidence that suggested that an additional version of the malware, version 5, is in development and will include a ransomware module that had previously been announced in a September 2021 development roadmap.

"The ransomware feature is quite interesting as it’s still not a common one in the Android banking-trojan landscape," Cleafy researchers note. "It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data."

Cory Cline, senior cyber security consultant at nVisium, says that adding ransomware capabilities to a banking Trojan offers plenty of upside to cybercriminals.

"No longer do they need to steal your personal data to get access to your financial information," he explains. "With ransomware capabilities, attackers can now encrypt affected devices."

He adds that with more and more people storing nearly every aspect of their lives on their mobile devices, attackers will be able to more easily find targets willing to pay to get access to their data returned.

"The team behind SOVA has demonstrated a new level of sophistication," he says. "The feature set is fairly unique to the Android banking Trojan scene, and SOVA is one of the most feature-rich Android banking Trojans available."

However, he points out that the team behind SOVA has opted to implement RetroFit for C2 as opposed to writing its own solution.

"This could speak to some limitations in the development team," Cline says.

**Banking Trojans Get Boost From Added Capabilities**

Other banking Trojans have also resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by joint international task force in January 2021.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, says that improving and evolving existing Android banking Trojans has many advantages.

"The significant improvements to SOVA v4 and SOVA v5 show that attackers can simply expand existing features such as the cookies stealer, which now includes more payment services and applications to exploit," he points out. "New modules such as those targeting cryptowallets demonstrate that attackers see cryptocurrencies as a lucrative target."

He explains that adding ransomware capabilities can have multiple advantages for attackers, such as destroying evidence. That makes it difficult for digital forensics to discover any traces or attribution of the attacker, and gives the attacker an additional option to get paid when stealing credentials or cookies is not successful.

"As new Internet services specifically in the financial industry get adopted," Carson says, "attackers will need to keep updating banking Trojans with new modules just like any other software company to stay compatible with newer technologies."

Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan

Back-end complexity of cloud computing means there's plenty of potential for security problems. Here's how to get a better handle on SaaS application security.

Many security practitioners take their eye off cloud and software-as-a-service (SaaS) security based on the faulty assumption that the providers are inherently secure. While most providers are, the cloud is so flexible and customizable that every organization might open different doors – ones that they're responsible for closing. Ones that traditional security tools often overlook.

Some 89% of organizations have a multicloud strategy, with 48% using multiple public and private clouds. By the end of 2021, it was estimated that 99% of organizations would be using one or more SaaS solutions. With so many resources now in the cloud, it's a complex responsibility to secure each one.

Security risks continue to plague organizations. According to Varonis' "2021 SaaS Risk Report," 44% of cloud user privileges are misconfigured and 43% of all cloud identities are unused and exposed to threats. By rightsizing your cloud footprint, adopting new security controls, and emphasizing SaaS security management, you can be confident enough in your security to achieve cloud nirvana – security that's so automated, intuitive, and frictionless that you never have to think about it. There are three phases to getting there.

**Understand Your Cloud Footprint**

You must take a strategic view of cloud security. The first step is to undertake an inventory to find what SaaS services are in use. Which business areas are dependent on what SaaS services? Which SaaS services are common across the enterprise?

Then create an inventory focused on where your most sensitive data is. What information is leaving your applications or being exchanged with other applications? The next question is: Which users, resources, and applications have access to your data? Only once you understand your cloud footprint, data in the cloud, and resources accessing it, can you work to secure it.

Make no mistake: cloud and SaaS sprawl are difficult to audit. According to Productiv's recent report, the average SaaS portfolio size is 254 applications but only 45% of those apps are used on a regular basis. Taking that deep dive and reflecting on the business purposes of those apps may identify some ways to reduce your organization's overall risk (and your SaaS spend). Auditing your cloud footprint is important so that you have a clear picture of your risk, and so you can ensure you're meeting compliance, regulatory, and customer obligations.

Before you can start chipping away at the inhibitors of SaaS security, you need to make sure you're covering all your bases. Does your security scope include management of third-party applications and data? What about any necessary compliance or regulatory policies for checking misconfigurations and anomalies? While most companies stop there, it's important to have deep security coverage for your most business-critical SaaS applications, including threat detection and continuous monitoring.

**Protect Your Cloud Footprint**

Once you understand your cloud footprint, and where most sensitive data is, you need to assess whether your data is protected. Are appropriate security controls in place to ensure all applicable layers of encryption and masking? Are only appropriate people able to access sensitive data? Are configurations being scanned on a regular basis to detect misconfigurations and, more importantly, are those misconfigurations being remediated in a timely manner?

You need to define security controls to protect the data and configurations. Once you've defined security controls, you need to replicate the process for the multitude of SaaS vendors you're working with across your ecosystem.

In addition to, say, Microsoft 365, you probably also have some combination of Workday, Salesforce, ServiceNow, Atlassian, and potentially dozens of other applications that keep your business running. Interestingly, the Productiv report shows an inverse relationship between the size of an organization and its application engagement. Smaller organizations, according to the report, engage with 49% of apps while enterprises only use 39%.

The fragmentation of the SaaS market means that not only do you have multiple vendors to consider, but they all operate based on different standards and with different levels of security. Unfortunately, there's no common framework for SaaS security.

The Center for Internet Security (CIS) has developed critical controls for the cloud, but they haven't yet become so widely adopted that they provide consistency across the entire industry. For now, you need visibility into the security of each SaaS application.

**Cloud Nirvana: Eliminate the Need to Think About Security**

Getting closer to cloud nirvana means finding efficiency as the cloud continues to scale. SaaS leads the way in the expansion of cloud adoption, with end-user spending expected to hit more than $176 billion this year, according to Gartner, and increase nearly 18% next year.

Adhering to the industry standard framework like CIS controls will make for a clearer picture of your SaaS security, but there's even more you can do. By adopting a DevSecOps structure, you involve security teams at the beginning of the development lifecycle so there are no surprises or delays down the road.

Reaching true cloud nirvana, though, typically comes through SaaS security management that can monitor, detect, and protect against threats. This includes automating security for instant visibility, 24/7 monitoring, and alerts for common SaaS security risks like misconfigured data access, overly broad permissions for user accounts, and exposed data.

How to Clear Security Obstacles and Achieve Cloud Nirvana

The head of Microsoft's Security Response Center defends keeping its initial vulnerability disclosures sparse — it is, she says, to protect customers.

BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company's vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.

In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft's Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.

For most vulnerabilities, Microsoft's current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrations enough time to apply the patch without jeopardizing them, she says. "If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," Gupta says.

**Sparse Vulnerability Information?**

Microsoft — as other major software vendors — has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.

However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft's current practice of putting vulnerabilities into an "Exploitation More Likely" or an "Exploitation Less Likely" bucket does not provide enough information to make risk-based prioritization decisions.

More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable's CEO Amit Yoran accused the company of "silently" patching a couple of Azure vulnerabilities that Tenable's researchers had discovered and reported.

"Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service," Yoran wrote. "After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," and without notifying customers.

Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.

**Consistent with MITRE's CVE Policies**

Gupta says Microsoft's decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE's CVE program.

"As per their policy, if there is no customer action needed, we are not required to issue a CVE," she says. "The goal is to keep the noise level down for organizations and not burden them with information they can do little with."

"You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis," she notes.

Gupta points to last year's disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that situation, Microsoft's strategy was to directly contact organizations that are impacted.

"What we do is send one-to-one notifications to customers because we don't want this info to get lost," she says "We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly."

Sometimes an organization might wonder why they were not notified of an issue — that's likely because they are not impacted, Gupta says.

Microsoft: We Don't Want to Zero-Day Our Customers

During a keynote at Black Hat 2022, former CISA director Chris Krebs outlined the biggest risk areas for the public and private sectors for the next few years.

BLACK HAT USA — Las Vegas — A potential invasion of Taiwan should be top of mind for any entity, as geopolitical factors will continue to affect cybersecurity risk profiles.

That's the word from Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA) who now runs a consultancy with former Facebook CISO Alex Stamos (the appropriately named Krebs Stamos Group). He took to the stage at Black Hat USA 2022 to talk about what will be driving the risk landscape in the next few years.

Krebs was fired from CISA for insisting the 2020 election was secure and fraudless ("We insist that we were successful — it was a singularly important moment in American history," he said at Black Hat. "And I think we did a pretty damn good job.") In the 18 months since, he has hit the road, talking to officials in the private sector, global governments, and state and local entities.

"I wanted to find consensus on what the trend lines are out there, the market pressures and the coming inflection points that are influencing technology, governments, bad actors, and people," he said.

In addition to geopolitical headwinds, Krebs noted that digital transformation, along with ever-increasing cyber-offensive capabilities from the bad guys, should have both the public and the private sectors on notice — or they risk falling hopelessly behind.

**Taiwan Looms as Geopolitical Pressures Accelerate**

In the last six months alone, there has been an unprecedented collision between geopolitical risks and technology risks — and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, Taiwan is a hotspot to watch.

"Leaders need to plan out beyond the next two quarters," he noted. "You have to look three to four years out, and every single company out there should be conducting simulation scenarios, impact assessments, tabletop exercises at the executive level around what's happening in the Taiwan Strait."

A Chinese invasion of Taiwan has the potential to impact organizations across the board, especially affecting the technology supply chain, competition and markets, and IT operations.

"Political headwinds have big effects and you have to game these things out," Krebs noted. "I don't know if it's going to happen tomorrow, next year, or three, four years out, but based on the conversations I have with national-security officials, they're pretty confident that's going to come to a head between China and Taiwan."

He added, "And if you want to be in a position to de-risk your operations, you have to start that yesterday."

While nation-state and advanced persistent threats (APTs) tend to be discussed in the context of China, Iran, North Korea, and Russia, Krebs noted that this is about to become a much bigger space to be concerned with.

"Literally every country on the face of this earth is developing capabilities for espionage for domestic surveillance," he warned. "And yeah, they're also looking at capabilities for destruction and disruption. There are going to be splashy, new, and novel events in the near future."

Against this backdrop, companies will also have to tabletop their responses to world events with an eye to ethics, he urged.

"You have to have a set of principles," he said. "You have to establish your values, who you are, what your red lines are. When Russia invaded Ukraine, we were working with a couple of different companies that said, look, we're not impacted by sanctions, so we're good, we don't really need to worry about it. Our take was, when images of war crimes start showing up on TV, and on Twitter and elsewhere, you're going to have a problem. You're continuing to support the Russian war machine."

**Insecurity in the Cloud, by Design**

Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that the benefits of insecure products far outweigh the downsides.

"That's because we operate inside a larger ecosystem, inside businesses that are focused on productivity and reducing friction, and they tend to see security as slowing things down when you want to be first to market," he explained. "So we're building more products that are insecure by design because of the market pressures."

Meanwhile, as the ongoing mass migration to the cloud is being done in an effort to increase flexibility, elasticity, productivity, and efficiency, an ancillary result was a reduction in the ability for firms to see what's happening across their infrastructure.

"We've made it more complex, and we've also started adding on additional products, the infrastructure on the platforms, and we have this explosion of software-as-a-service (SaaS) opportunities and options out there," Krebs said. "Those are all opportunities for the bad guys to come in and get what they want. Do you really understand how the cloud works across the various hyperscale vendors and how you interact with it?"

Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers.

Further complicating matters is the ongoing proliferation of connected things, which all come with potentially insecure cloud apps.

"I think we all agree there's going to be more stuff connected, because we have a pathological need to connect things to the Internet, seemingly," he said. "Three, four years into the future there are going to be more things around you that are collecting and generating data. These things are generating an incredible amount of data exhaust, digital exhaust, and it's becoming more complex, not less."

He noted that William Gibson had this reality pegged when he released the book _Neuromancer_ in 1984.

"He coined the term 'cyberspace,'" Krebs said. "But it's how he described cyberspace that was so captivating — the unthinkable complexity of cyberspace. We're there right now."

**Public Sector Concerns: Security Work to Do**

The next future concern on the Krebs list is the fact that the US government is struggling with balancing market interventions and regulation with the capitalist desire to allow innovation to grow.

"We see an overreliance on checklists and compliance rather than performance-based outcomes, so we're not getting the security-related outcomes we want," he noted, adding that to boot, what oversight does exist isn't implemented well.

"Congress needs to figure it out as well, and needs to establish select committees in the House and Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch," Krebs said. "We have 101 civilian agencies, and every single one of them is running their own email service. So, we've got to fix that."

On the law enforcement side, the Department of Justice and FBI have been consistently tackling the ransomware issue, which Krebs called "the right moves."

"They're going more aggressively at the adversary at the command-and-control level," he explained. "But we need to shift from longer-term investigations towards more disruptive actions aimed at imposing costs and eliminating ransomware's ability to extract value from companies here in the US.

Ransomware has become professionalized, he noted, and cyberattackers' capabilities just keep getting better and better.

"The barriers to entry have dropped, and now, they have access to exploits that were the remit of nation-states," he said. "They're profiting, and it's not costing them anything; they're getting their wins. And until we create meaningful consequences, and impose costs on them, they will continue to."

**Workforce Challenges Continue**

When it comes to the infamous lack of qualified people to fill 3 million open cybersecurity roles, the situation is confounding given how rewarding a career it can be, Krebs said.

"The first thing is, it's fun. Second is, it's lucrative," he noted. "We get paid pretty well in this industry. And third, relatedly, it's durable; we're going to be dealing with these challenges for the rest of our lives, perhaps the rest of human history. And then last thing is, these are national security issues. The mission we're doing is incredibly important."

That said, the US workforce over all is becoming increasingly tech-native, which he's optimistic about.

"We're getting critical thinking skills coming along with the technology savviness that we're looking for," he said.

While there's much to think about going forward, and to act on today, Krebs did say that there are reasons to be hopeful about the chances for businesses to keep up with the risk landscape.

"As evidenced by Black Hat USA at 25, we have a maturing industry," he said. "We're producing and generating products that are solving problems. We have technology vendors that are working to solve problems in the infrastructure."

Krebs: Taiwan, Geopolitical Headwinds Loom Large

In her keynote address at Black Hat USA 2022, Kim Zetter gives a scathing rebuke of Colonial Pipeline for not foreseeing the attack.

BLACK HAT USA — Las Vegas — The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in protecting their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter gave a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, its leaders had plenty of warnings that could have prevented the crippling attack.

Zetter, who has covered many major cyber-incidents over more than two decades, is author of the book _Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon_ (Crown: 2015). Stuxnet, the malicious worm that security experts discovered at an Iranian uranium enrichment facility in 2010, explicitly targeted the Siemens S7-400 system. The discovery heralded a new generation of targeted attacks, according to Zetter.

"When Stuxnet was discovered in 2010, it shed a light on vulnerabilities and critical infrastructure that few had noticed before," Zetter said. "The security community largely focused on IT networks. They had previously ignored what are known as operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electric grid and water treatment plants and manufacturing, and so many other pivotal industries."

Stuxnet was more significant for what it portended than any damage resulting from it at the time. Introduced to a network via a USB drive, Stuxnet consists of worming malware, a Windows LNK file designed to propagate it, and a rootkit that hides the malicious files.

The discovery of Stuxnet shouldn't have come as a surprise back then, but it opened some eyes for the first time, according to Zetter.

"Stuxnet provided stark evidence that physical destruction of critical infrastructure using nothing more than code was possible," she said. "But no one should have been surprised. There have been warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet."

Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security: Stuxnet created a trickle-down effect in the form of techniques and tools, kicked off today's cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.

Coinciding with Stuxnet was the discovery of an advanced persistent threat (APT) called Aurora, which exposed the growing capabilities of nation-state hackers, Zetter noted.

"Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted source code repositories of Google, Adobe, and Juniper," she said. "And \[it\] included one of the first significant supply chain operations targeting the RSA C repository, the engine for its multifactor authentication systems."

**Risks Remain High for Industrial Control Systems**

The high-profile attack that locked up Colonial Pipeline, which distributes 45% of fuel across the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4 million in ransom. Zetter suggested there is no reason last year's ransomware attack should have blindsided the company's top leaders.

"What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware," Zetter said. "As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan didn't include a ransomware attack — even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked."

Zetter pointed to Critical Infrastructure Ransomware Attacks (CIRA) statistics compiled by Temple University in 2019, just two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between Nov. 2013 and July 31, 2022.

"These weren't just attacks on hospitals, which of course had been a big target for ransomware actors in 2016," she said. "But these were also targeting oil and gas facilities. And the attackers weren't just targeting IT systems. They were already going after the OT networks that are controlling the critical processes."

Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations that operate industrial control systems since 2017. The attacks created major disruptions and production and delivery delays.

Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity & Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security's (DHS) Pipeline Cybersecurity Initiative. The effort, created by DHS in 2018, was a joint effort of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders.

Zetter indicated that it is probably not ironic that DHS announced new cybersecurity requirements for those who own and operate critical pipelines two months after the Colonial Pipeline attack. "I don't mean to beat up on Colonial Pipeline — they're just a convenient example, because the attack was so significant," she said. "But other critical infrastructure is in the same position or worse."

After Colonial Pipeline, Critical Infrastructure Operators Remain Blind to Cyber-Risks

Up-and-coming companies shoot their shot in a new feature introduced at the 25th annual cybersecurity conference.

BLACK HAT USA 2022 -- Las Vegas — At an intimate stage area in the Innovation City section located at the back of the Business Hall, Phylum beat out three other cybersecurity startups to take the title at the inaugural Innovation Spotlight competition, held on Wednesday evening at the 25th Black Hat USA.

The four finalists were Phylum, a software supply chain security company; KeyCaliber, a company that uses asset behavior analytics to help clients prioritize protective measures; Normalyze, which identifies sensitive data and vulnerable access paths ripe for exploitation; and Tromzo, with a product security operating platform (PSOP) for building applications more securely.

Dark Reading's editor-in-chief, Kelly Jackson Higgins, hosted the awards. Judges picked finalists back in July after viewing video submissions from candidates -- companies that were 2 years old or less and had fewer than 50 employees.

**The Final Four**

The finalists presented in alphabetical order, starting with KeyCaliber. Roselle Safran, cofounder and CEO, explained how her company's analytics engine helps continuously identify and protect an organization's most valuable data, aka "crown jewels" — indeed, the company's brand representatives were men dressed in royal robes and costume crowns. Safran said KeyCaliber's software can run on her company's network, on the customer's network, or on premises, a flexibility that meets prospective clients' need to balance resources and security.

    

KeyCaliber's two kings. (Photo by Karen Spiegelman for Dark Reading)

Next up was Normalyze cofounder and CEO Amer Deeba. His company is in a similar risk management space as KeyCaliber, but emphasizes "holistic data security" rather than crown jewels. The company offers "data-first cloud security" that scans for sensitive data on Google Cloud, AWS, and Microsoft Azure. His co-founder, CTO Ravi Ithal, was standing to the side recording his partner's presentation, in a perfect example of the supportive atmosphere of the event.

The specter of Log4j hung over the presentations, none more so than Phylum's. Cofounder and president Peter Morgan said his company focuses on the security of open source packages, using deductive analysis of risk indicators to create what he likened to a "credit score for packages." The company offers a community edition that has "feature parity" with the paid edition, limiting it to one user and five projects at a time. He said the automated analysis takes 12-15 minutes to complete. "We're walking really well, and the system is learning to run as we speak," Morgan said.

The last to present was Harshil Parikh, CEO and cofounder of Tromzo, a product security operating platform designed to make the entire software development pipeline more secure. In response to a question from the judges, Parikh explained that the company wrote its own no-code platform for automating security processes and remediation.

**The Winners**

First, all four finalists were winners in that they got booth space at Black Hat USA, as well as a receptive audience for their presentations and a consultation with an Omdia analyst. There were decision-makers in the audience Wednesday, with a few CEOs filling the seats and a standing-room crowd watching the competition.

Tromzo definitely had the flashiest presentation. Parikh opened by using a DVD as a prop to illustrate the outdated former cutting-edge technology. He closed by tossing the DVD over his shoulder, warning, "Don't get left behind." That jazz might be why Tromzo took first place in the audience poll.

Ultimately, however, the opinions that mattered most in the contest were those of the judges, and they favored the open source-emphasizing Phylum. The seven judges were Ketaki Borade, senior analyst in Omdia’s Infrastructure Security research practice; Trey Ford, deputy CISO at Vista Consulting Group; Hollie Hennessy, senior analyst in Omdia's IoT cybersecurity practice; Maria Markstedter, founder and CEO of Azeria Labs; Lucas Nelson, founding partner at Lytical Ventures; Robert J. Stratton III, principal & strategist at Polymathics and venture partner at Nextgen Venture Partners; and Rik Turner, principal analyst in Omdia's IT security and technology team.

Supply Chain Security Startup Phylum Wins the First Black Hat Innovation Spotlight

Even among businesses with cyber insurance, they lack coverage for basic costs of many cyberattacks, according to a BlackBerry survey.

Organizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000.  

These were among the findings of a BlackBerry and Corvus Insurance survey of 450 business decision-makers for IT and security solutions, which also revealed more than a third (37%) of respondents currently lack coverage for any ransomware payment demands.

Nearly six in 10 (59%) of respondents said they hoped the government would cover damages when future attacks are linked to other nation-states, and fully half of small to medium-size business (SMB) respondents said they hoped Uncle Sam would increase financial aid in all ransomware incidents.

Gary Davis, senior director of cybersecurity at BlackBerry, says these statistics were the most surprising — and concerning — findings from the survey.

"I think that would establish a dangerous precedent and only encourage more nefarious attacks," he says.

Davis explains he believes the best option for SMBs is to hire a cybersecurity managed service provider (MSP) to deliver the essential capabilities required by insurance providers in the most affordable and comprehensive way possible.

"Demonstrating compliance will go a long way toward an effective negotiation with the insurance providers," he says. "Also, I would encourage SMBs to share their security posture insights with their insurance provider."

The good news is, most organizations are happy to share this type of information.

"To me, that’s very much akin to how many car insurers operate today when they offer better rates for those willing to have a device in their car that reports their driving behavior to the insurance company," Davis says. "Hopefully, sharing these details will have a similar impact on what insurance providers charge for cyber insurance."

**Cyber Insurance Lacking Critical Coverage**

The survey also revealed that the increased software requirements demanded by insurance brokers is making cyber insurance harder to get — more than a third of respondents said they had been denied coverage due to unfulfilled endpoint detection and response (EDR) software requirements.

Overall, the findings indicated that even when organizations do have cyber insurance, the coverage lacks critical elements, with 43% of survey respondents not covered for auxiliary costs, including court fees or employee downtime.

Davis points out he has not seen any evidence that the bad actors are slowing down, which suggests that organizations of every size and type should increasingly rely on cyber insurance as another means of helping to combat the problem.

"Ideally, we will also see stronger ties between cybersecurity vendors and insurance providers to collaborate on ways we can help companies minimize their risk of being successfully attacked," he says.

**As Cyber-Insurance Market Evolves, Complications Arise**

The BlackBerry report follows a June study by Proofpoint, which found less than half of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed.

The increasing volume of ransomware and other cyberthreats is jacking up the price of cyber insurance, while insurers are simultaneously starting to demand more direct access to organizational metrics and measures.

They argue this access will allow them to make more accurate risk assessments – however, some businesses may be loath to reveal such closely held information, in part because it may wind up preventing them from receiving coverage.

At the same time, some insurers are pulling out of the market, including global insurance giant AXA, which said in May that it would stop reimbursing French companies for ransomware payments to cybercriminals.

Amid a dynamic environment where insurers have started to charge more for policies and begun setting higher requirements, debates over standards, baseline security controls, and new exclusions and limitations on coverage types continue to wreak havoc on this burgeoning market.

Cyber-Insurance Fail: Most Businesses Lack Ransomware Coverage

More than 1 million instances of firewalls running Cisco Adaptive Security Appliance (ASA) software have four vulnerabilities that undermine its security, a researcher finds.

BLACK HAT USA — Las Vegas — Cisco's enterprise-class firewalls have at least a dozen vulnerabilities — four of which have been assigned CVE identifiers — that could allow attackers to infiltrate networks protected by the devices, a security researcher from vulnerability management firm Rapid7 plans to say in a presentation at the Black Hat USA conference on Aug. 11.

The vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) software, the operating system for the company's enterprise-class firewalls, and its ecosystem. The most significant security weakness (CVE-2022-20829) is that the Adaptive Security Device Manager (ASDM) binary packages are not digitally signed, which — along with the failure to verify a server's SSL certificate — allows an attacker to deploy customized ASA binaries that can then install files onto administrators' computers.

Because administrators just expect the ASDM software to come preinstalled on devices, the fact that the binaries are not signed gives attackers a significant supply chain attack, says Jake Baines, lead security researcher at Rapid7.

"If someone buys an ASA device on which the attacker has installed their own code, the attackers don't get shell on the ASA device, but when an administrator connects to the device, now \[the attackers\] have a shell on \[the administrator's\] computer," he says. "To me, that is the most dangerous attack."

The dozen security weaknesses include issues that impact devices and virtual instances running the ASA software, as well as vulnerabilities in the Firepower next-generation firewall module. More than 1 million ASA devices are deployed worldwide by Cisco's customers, although a Shodan search shows that only about 20% have the management interface exposed to the Internet, Baines says.

As a supply chain attack, the vulnerabilities would give threat actors the ability to compromise a virtual device at the edge of the network — an environment that most security teams would not analyze for security threats, he says.

**Full Access**

"If you have access to the virtual machine, you have full access inside the network, but more importantly, you can sniff all the traffic going through, including decrypted VPN traffic," Baines says. "So, it is a really great place for an attacker to chill out and pivot, but probably just sniff for credentials or monitor the traffic flowing into the network."

Baines discovered the issue when he was investigating the Cisco ASDM to get "a level set on how the GUI (graphical user interface) works" and pull apart the protocol, he says.

A component installed on administrators' systems, known as the ASDM launcher, could be used by attackers to deliver malicious code in Java class files or through the ASDM Web portal. As a result, attackers could create a malicious ASDM package to compromise the administrator's system through installers, malicious Web pages, and malicious Java components.

The ASDM vulnerabilities discovered by Rapid7 include a known vulnerability (CVE-2021-1585) that allows an unauthenticated remote code execution (RCE) attack, which Cisco claimed was patched in a recent update, but Baines discovered it remained.

In addition to the ASDM issues, Rapid7 found a handful of security weaknesses in the Firepower next-generation firewall module, including an authenticated remote command injection vulnerability (CVE-2022-20828). The Firepower module is a Linux-based virtual machine hosted on the ASA device, and it runs the Snort scanning software to classify traffic, according to Rapid7's advisory.

"The final takeaway for this issue should be that exposing ASDM to the internet could be very dangerous for ASA that use the Firepower module," the advisory states. "While this might be a credentialed attack, as noted previously, ASDM's default authentication scheme discloses username and passwords to active MitM \[machine-in-the-middle\] attackers."

Updating can be complex for Cisco ASA appliances, presenting a problem for companies in mitigating the vulnerabilities. The most widely deployed version of the ASA software is five years old, Baines says. Only about half a percent of installations updated their ASA software within seven days to the latest version, he adds.

"There is no auto-patch feature, so the most popular version of the appliance operating system is quite old," Baines says.

Cisco has had to deal with security issues in its other products as well. Last week, Cisco disclosed a trio of vulnerabilities in its RV series of small business routers. The vulnerabilities could be used together to allow an attacker to execute arbitrary code on Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers without authenticating first.

4 Flaws, Other Weaknesses Undermine Cisco ASA Firewalls

Eighteen companies, led by Amazon and Splunk, announced the OCSF framework to provide a standard way for sharing threat detection telemetry among different monitoring tools and applications.

BLACK HAT USA – LAS VEGAS – Amazon Web Services (AWS) and Splunk are leading an industry effort of 18 systems and security vendors to standardize how different monitoring systems share security alerts. The goal is to deliver a simplified and vendor-agnostic taxonomy to help security teams ingest and analyze security data faster.

The companies announced the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA conference on Wednesday in Las Vegas. The participating companies are Broadcom (Symantec), Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

Detecting and stopping today's cyberattacks requires coordination across cybersecurity tools, but many of these tools are not interoperable and there are too many different data formats. The OCSF specification will normalize security telemetry across various security products and services, said Mark Ryland, director of the office of the CISO at AWS, in a blog post announcing the project.

"Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats," Ryland wrote. "Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response."

OCSF, which extends the ICD Schema specifications originally developed by Broadcom’s Symantec division, offers a collection of data types, an attribute dictionary, and taxonomy written in JSON, according to an overview of the specification available on GitHub. Contributors can utilize and extend the framework and map the various data ingestion and normalization schemas in a common threat detection language.

"As practitioners, one of the most challenging problems in technology is connecting finding and event information across multiple vendor tools, operating systems, and versions," says Jamie Scott, product manager at Endor Labs. "A standard data format will reduce cost and accelerate incident triage for our industry as a whole," 

**An Extensible Framework for Interoperability**

As an open source project, OCSF seeks to provide an extensible framework for providing interoperable core security schema not tied to a specific provider, Splunk distinguished engineer Paul Agbabian wrote in a white paper documenting OCSF. Licensed under the Apache License 2.0, OCSF features an agnostic storage format, data collection, and extract, transform, and load (ETL) processes. The schema browser represents categories, event classes, dictionaries, data types, profiles, and extensions.  

"Vendors and other data producers can adopt and extend the schema for their specific domains," Agbabian explained in a separate blog post. "Data engineers can map existing schemas to help security teams simplify data ingestion and normalization so that data scientists and analysts can work with a common language for threat detection and investigation."

"Having a common data format for these events to be shared across tooling will make both consumers and producers lives’ easier. Producers can more easily integrate with other solutions and consumers can aggregate and triage incidents," Scott says.

The OCSF shares some similar taxonomy with the widely used MITRE ATT&CK Framework, according to the white paper, though it also noted some stark differences. The most notable is that OCSF is extensible by vendors and customers, while MITRE releases all content for ATT&CK.

An Enterprise Strategy Group and Information Systems Security Association (ISSA) survey found that 77% of cybersecurity professionals want to see the industry forge support for open standards. The same survey found that 85% see integration among products as essential. 

"Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation," Aghabian noted.

**Normalizing Security Telemetry**

The project is open to other providers wishing to participate and contribute, according to Ryland.

"We see value in contributing our engineering efforts and also projects, tools, training, and guidelines to help standardize security telemetry across the industry," he wrote. "Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently."

The status of the OCSF and when vendors will begin testing wasn’t immediately apparent. And it remains to be seen to what extent the vendors will ultimately contribute to OCSF and implement it.

"The biggest threat to an early-stage effort like OCSF is the steering committee composition itself. Since the committee is made largely of vendors, representative consumer organizations will need a seat at the table to help drive adoption across vendors," Scott says. "As the OCSF continues to collaborate with the industry, it should ensure that the steering committee has reserved spots for industry practitioners who are willing to make an investment in their mission."

Erkang Zheng, founder and CEO of cyber operations platform provider JupiterOne, is pledging to embrace and participate in extending OCSF.

"Over time, we will continue to contribute to the OCSF initiative by extending the framework to cover both time-series event data and stateful/structural asset data, leveraging JupiterOne’s open-source data model," Zheng wrote. "Our hope in participating in this initiative is to inspire more cross-industry collaboration."

Scott adds: "Solving a problem like this is a journey that will require learnings across the industry. But the destination makes the journey worth it."

Source

DARKReading