Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

You don't have to be in the security biz for safety to be your top concern. What do you think is going on here? Send us your caption ideas for the above cartoon, and the winner of The Edge's July contest will receive a $25 Amazon gift card. We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, July 28, 2022.

**Last Month's Winner**

Many readers stepped up to the plate with witty captions for last month's cartoon contest. (We thank you!) Congratulations go to Beth Lawler, case manager at Lowenstein Sandler LLP, for the caption appears below. Your Amazon gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: On Guard

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

OpenSea warns users that they are likely to be targeted in phishing attacks after a vendor employee accessed and downloaded its email list.

OpenSea, the largest nonfungible token (NFT) marketplace, this week announced that an employee of one of its email vendors, Customer.io, accessed and downloaded the company's email list. It added that anyone who has ever shared their email address with the platform in the past should assume they are impacted. 

OpenSea currently has nearly 2 million users. 

"Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation)," the company told its users in a statement about the data leak. 

Paul Laudanski, head of threat intelligence at email security company Tessian, notes that insider abuse is inherently difficult to discover and even more so when the individual is an authorized user. He advises all organizations to examine third-party risk management protocols and have a clear understanding of how and where data is stored.

“The data breach disclosed today is a stark reminder of the dangers of insider threats," he says. "In this case, an authorized user misused their employee access to download and share email addresses of OpenSea’s users and newsletter subscribers with an unauthorized external party."

The company is working with law enforcement to investigate the incident, according to the OpenSea statement.

**Lucrative Dataset for Cybercrooks**

Stephen Banda, a senior manager at Lookout, says the breach was most likely financially motivated, given that the OpenSea email list is a potentially lucrative dataset for cybercriminals.

"There is a lucrative market for stolen information and credentials.," he notes. "In this case, 2 million email addresses of customers of the world’s biggest marketplace for NFTs will be highly attractive to bad actors looking to launch broad phishing attacks."

It's also likely that attackers will use the email list to steal NFTs from unsuspecting OpenSea users, predicts Karl Steinkamp, director at Coalfire. 

"The disclosure of the email list certainly gives the attacker a solid base of active individuals from which to attempt to steal their NFTs and, likely, distribute malware," Steinkamp warns. "Individuals and companies who receive emails from OpenSea about new and ongoing activities should instead conduct these manually through the opensea.io website." 

As more businesses turn to NFTs for marketing and brand-awareness purposes, Laudanski says they should keep in mind that the OpenSea incident is part of a larger phenomenon of cybercriminals taking notice of the segment.

"Generally, we are seeing a trend emerge with attacks on crypto startups with hackers attempting to get transactions signed by wallet owners through fraudulent means," he notes. "Today’s announcement should serve as a wake-up call for all crypto startups to take audit of their security measures and practices and those of their third-party partners and outside vendors."

OpenSea NFT Marketplace Faces Insider Hack

Even as more attacks target humans, lack of dedicated staff, relevant skills, and time are making it harder to develop a security-aware and engaged workforce, SANS says.

The increasingly complex threat landscape and the porous IT environment – driven by the shift to permanent remote/hybrid work and digital transformation – make the need for a security-aware workforce and healthy security culture more critical than ever. Enterprise defenders say that phishing and social-engineering attacks, ransomware, and business email compromise (BEC) are among their biggest day-to-day headaches.

Security awareness programs can help lessen them, but no one seems to have time to create them, according to the "SANS 2022 Security Awareness Report." The three top challenges for building a mature awareness program cited are lack of time for project management, limits on time available to train employees, and not having enough time to focus on security awareness because of staffing shortages. Lack of budget and lack of leadership support also made the list.

“People have become the primary attack vector for cyberattackers around the world,” says Lance Spitzner, SANS Security Awareness director and co-author of the SANS report. "Humans rather than technology represent the greatest risk to organizations, and the professionals who oversee security awareness programs are the key to effectively managing that risk."

Security awareness professionals lack relevant skills, the report shows. Security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce and communicate security risks in simple-to-understand terms, according to the report.

More than 69% of security awareness professionals are spending less than half their time on security awareness, the report also shows. That's because they have other security responsibilities. Enterprises should focus on having more professionals focused on security awareness rather than making it part of an already long to-do list. The report encourages documenting and contrasting how many people on the security team are focused on technology versus how many on the team are focused on human risk in order to create a case for a more dedicated team.

The report suggests that a successful security awareness program requires strong leadership support, a larger dedicated team, and a training schedule for employees that emphasizes frequency. Organizations should also communicate to, interact with, or train their workforces at least once a month. Keeping training simple and easy to follow is key toward an engaged workforce, the report says.

“Organizations can no longer justify an annual training to check the compliance box, and it remains critical for organizations to dedicate enough personnel, resources, and tools to manage their human risk effectively," said Spitzner.

Time Constraints Hamper Security Awareness Programs

The latest evolution in social engineering could put fraudsters in a position to commit insider threats.

Security experts are on the alert for the next evolution of social engineering in business settings: deepfake employment interviews. The latest trend offers a glimpse into the future arsenal of criminals who use convincing, faked personae against business users to steal data and commit fraud.

The concern comes following a new advisory this week from the FBI Internet Crime Complaint Center (IC3), which warned of increased activity from fraudsters trying to game the online interview process for remote-work positions. The advisory said that criminals are using a combination of deepfake videos and stolen personal data to misrepresent themselves and gain employment in a range of work-from-home positions that include information technology, computer programming, database maintenance, and software-related job functions.

Federal law-enforcement officials said in the advisory that they’ve received a rash of complaints from businesses.

“In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking,” the advisory said. “At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”

The complaints also noted that criminals were using stolen personally identifiable information (PII) in conjunction with these fake videos to better impersonate applicants, with later background checks digging up discrepancies between the individual who interviewed and the identity presented in the application.

**Potential Motives of Deepfake Attacks**

While the advisory didn’t specify the motives for these attacks, it did note that the positions applied for by these fraudsters were ones with some level of corporate access to sensitive data or systems.

Thus, security experts believe one of the most obvious goals in deepfaking one's way through a remote interview is to get a criminal into a position to infiltrate an organization for anything from corporate espionage to common theft.

“Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information,” the advisory said.

“A fraudster that hooks a remote job takes several giant steps toward stealing the organization’s data crown jewels or locking them up for ransomware,” says Gil Dabah, co-founder and CEO of Piiano. “Now they are an insider threat and much harder to detect.”

Additionally, short-term impersonation might also be a way for applicants with a “tainted personal profile” to get past security checks, says DJ Sampath, co-founder and CEO of Armorblox. 

“These deepfake profiles are set up to bypass the checks and balances to get through the company's recruitment policy," he says.

There’s potential that in addition to getting access for stealing information, foreign actors could be attempting to deepfake their way into US firms to fund other hacking enterprises.

“This FBI security warning is one of many that have been reported by federal agencies in the past several months. Recently, the US Treasury, State Department, and FBI released an official warning indicating that companies must be cautious of North Korean IT workers pretending to be freelance contractors to infiltrate companies and collect revenue for their country,” explains Stuart Wells, CTO of Jumio. “Organizations that unknowingly pay North Korean hackers potentially face legal consequences and violate government sanctions.”

**What This Means for CISOs**

A lot of the deepfake warnings of the past few years have been primarily around political or social issues. However, this latest evolution in the use of synthetic media by criminals points to the increasing relevance of deepfake detection in business settings.

“I think this is a valid concern,” says Dr. Amit Roy-Chowdhury, professor of electrical and computer engineering at University of California at Riverside. “Doing a deepfake video for the duration of a meeting is challenging and relatively easy to detect. However, small companies may not have the technology to be able to do this detection and hence may be fooled by the deepfake videos. Deepfakes, especially images, can be very convincing and if paired with personal data can be used to create workplace fraud.”

Sampath warns that one of the most disconcerting parts of this attack is the use of stolen PII to help with the impersonation.

“As the prevalence of the DarkNet with compromised credentials continues to grow, we should expect these malicious threats to continue in scale,” he says. “CISOs have to go the extra mile to upgrade their security posture when it comes to background checks in recruiting. Very often these processes are outsourced, and a tighter procedure is warranted to mitigate these risks.”

**Future Deepfake Concerns**

Prior to this, the most public examples of criminal use of deepfakes in corporate settings have been as a tool to support business email compromise (BEC) attacks. For example, in 2019 an attacker used deepfake software to impersonate the voice of a German company’s CEO to convince another executive at the company to urgently send a wire transfer of $243,000 in support of a made-up business emergency. More dramatically, last fall a criminal used deepfake audio and forged email to convince an employee of a United Arab Emirates company to transfer $35 million to an account owned by the bad guys, tricking the victim into thinking it was in support of a company acquisition.

According to Matthew Canham, CEO of Beyond Layer 7 and a faculty member at George Mason University, attackers are increasingly going to use deepfake technology as a creative tool in their arsenals to help make their social engineering attempts more effective.

“Synthetic media like deepfakes is going to just take social engineering to another level,” says Canham, who last year at Black Hat presented research on countermeasures to combat deepfake technology.

The good news is that researchers like Canham and Roy-Chowdhury are making headway on coming up with detection and countermeasures for deepfakes. In May, Roy-Chowdhury’s team developed a framework for detecting manipulated facial expressions in deepfaked videos with unprecedented levels of accuracy.

He believes that new methods of detection like this can be put into use relatively quickly by the cybersecurity community.

“I think they can be operationalized in the short term -- one or two years -- with collaboration with professional software development that can take the research to the software product phase,” he says.

Criminals Use Deepfake Videos to Interview for Remote Work

The hacktivist group is ramping up its activities and ready to assault governments and businesses with escalating capabilities.

The hacktivist group DragonForce Malaysia has released an exploit that allows Windows Server local privilege escalation (LPE) to grant access to local distribution router (LDR) capabilities. It also announced that it's adding ransomware attacks to its arsenal.  

The group posted a proof of concept (PoC) of the exploit on its Telegram channel on June 23, which was subsequently analyzed by CloudSEK this week. While there's no known CVE for the bug, the group claims that the exploit can be used to bypass authentication "remotely in one second" in order to access the LDR layer, which is used to interconnect local networks at various locations of an organization.

The group says it would be using the exploit in campaigns targeted at businesses operating in India, which falls directly within its wheelhouse. During the past three months, DragonForce Malaysia has launched several campaigns targeting numerous government agencies and organizations across the Middle East and Asia.

“DragonForce Malaysia is adding to a year that will long be remembered for geopolitical unrest," says Daniel Smith, head of research for Radware’s cyber threat intelligence division. "In combination with other hacktivists, the threat group has successfully filled the void left by Anonymous while remaining independent during the resurgence of hacktivists related to the Russian/Ukrainian war."

The most recent, dubbed "OpsPatuk" and launched in June, has already seen several government agencies and organizations across the country targeted by data leaks and denial-of-service attacks, with the number of defacements topping 100 websites.

“DragonForce Malaysia is expected to continue defining and launching new reactionary campaigns based on their social, political, and religious affiliations for the foreseeable future," Smith says. "The recent operations by DragonForce Malaysia ... should remind organizations worldwide that they should remain vigilant during these times and aware that threats exist outside the current cyber conflict in Eastern Europe.”

**Why LPE Should Be on the Patching Radar**

While not as flashy as remote code execution (RCE), LPE exploits provide a path from a normal user to SYSTEM, essentially the highest privilege level in the Windows environment. If exploited, LPE vulnerabilities not only allow an attacker a step in the door but also provide local admin privileges — and access to the most sensitive data on the network.

With this heightened level of access, attackers can make system modifications, recover credentials from stored services, or recover credentials from other users who are using or have authenticated to that system. Recovering other users' credentials can allow an attacker to impersonate those users, providing paths for lateral movement on a network.

With escalated privileges, an attacker can also perform admin tasks, execute malware, steal data, execute a backdoor to gain persistent access, and much more.

Darshit Ashara, principal threat researcher for CloudSEK, offers one sample attack scenario.

“The attacker from the team can easily exploit any simple Web application-based vulnerability to gain aninitial foothold and place a Web-based backdoor,” Ashara says. “Usually, the machine on which Web server is hosted will have user privilege. That is where the LPE exploit will enable the threat actor to gain higher privileges and compromise not only a single website but other websites hosted on the server.”

**LPE Exploits often Remain Unpatched**

Tim McGuffin, director of adversarial engineering at LARES Consulting, an information-security consulting firm, explains that most organizations wait to patch LPE exploits because they typically require initial access to the network or endpoint in the first place.

“A lot of effort is placed on the initial prevention of access, but the further you move into the attack chain, the lesser effort is placed on tactics like privilege escalation, lateral movement, and persistence,” he says. “These patches are typically prioritized and patched on a quarterly basis and do not use an emergency 'patch now' process.”

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, notes that the importance of every vulnerability is different, whether it's LPE or RCE.

“Not all vulnerabilities can be exploited, meaning not every vulnerability requires immediate attention. It is a case-by-case basis,” she says. “Several LPE vulnerabilities have other dependencies, such as needing a username and password to carry out the attack. That's not impossible to obtain but requires a higher level of sophistication.”

Many organizations also create local admin accounts for individual users, so they can carry out everyday IT functions such as installing their own software on their own machines, Hoffman adds.

“If many users have local admin privileges, it is more difficult to detect malicious local admin actions in a network,” she says. “It would be easy for an attacker to blend into normal operations due to poor security practices that are widely used.”

Any time an exploit is released into the wild, she explains, it doesn't take long before cybercriminals with varying levels of sophistication take advantage and perform opportunistic attacks.

“An exploit takes out some of this legwork,” she notes. “It is realistically possible mass scanning is already taking place for this vulnerability.”

Hoffman adds that vertical privilege escalation requires more sophistication and is typically more in line with advanced persistent threat (APT) methodologies.

**DragonForce Plans Shift to Ransomware**

In a video and through social-media channels, the hacktivist group also announced its plans to start conducting mass ransomware attacks. Researchers say this could be an adjunct to its hacktivist activities rather than a departure.

“DragonForce mentioned carrying out widespread ransomware attacks leveraging the exploit they created,” Hoffman explains. “The WannaCry ransomware attack was a great example of how widespread ransomware attacks all at the same time are challenging if financial gain is the end goal.”

She also points out that it is not uncommon to see these announcements from cybercriminal threat groups, as it draws attention to the group.

From the perspective of McGuffin, however, the public announcement of a shift in tactics is “a curiosity,” especially for a hacktivist group.

“Their motives may be more around destruction and denial of service and less around making a profit like typical ransomware groups, but they may be using the funding to enhance their hacktivist capabilities or awareness of their cause,” he says.

Ashara agrees that DragonForce’s planned shift is worth highlighting, as the group’s motive is to cause as much of an impact as possible, boost their ideology, and spread their message.

“Hence, the group's motivation with the announcement of ransomware is not for financial cause but to cause damage,” he says. “We have seen similar wiper malwares in the past where they would use ransomware and pretend the motivation is financial, but the root motivation is damage.”

DragonForce Malaysia Releases LPE Exploit, Threatens Ransomware

The RSA conference in San Francisco always feels like drinking from a fire hose but especially this year at the first in-person RSA since the pandemic began.

It had been a few years, so with much anticipation, and not a little trepidation, 26,000 people descended on San Francisco for the RSA Conference. Vendors were eager to get back out in front of a live audience and the expo floor was tightly packed with more than 400 exhibitors. Themes emerged in numerous services.

Let’s start with data security. With all the talk of application security needing to "shift left", (i.e., embedding security processes into the development pipeline to reduce the attack surface of code before it enters production), it is only natural that data security should move in the same direction.

Keys and certificates associated with applications and containers need to be protected, as any organization that has adopted a DevSecOps approach will be aware. Indeed, in an ideal scenario, capabilities such as key management and encryption are baked into the workflows of developers and DevSecOps teams and "just work."

Identity was at the center of many a discussion. Achieving "zero trust" transformation with passwordless authentication received renewed attention at the show. Getting rid of passwords has been the holy grail for many organizations and individuals over the past 30 years, and Omdia believes that 2022 will be the year that we finally start to properly phase out passwords.

When it comes to infrastructure security, figuring out the 'risk' of cloud environments was a key topic of interest. Vendors such as Palo Alto Networks, Orca, Wiz, Check Point, and many, many others highlighted tooling to enable deeper understanding of one's cloud estate, with an increasing emphasis on cloud permissions management as a key focus area.

Working to secure the development process for creating cloud environments was another area much discussed, with Infrastructure as Code (IaC) a key pattern for achieving necessary scale. The broad interest in API security was also noteworthy. Specialized vendors such as Salt Security, Wallarm, Cequence, and others joined several of the cloud security vendors in adding API security capabilities to their offerings.

Wrapping up the key topics around infrastructure security, it was noticeable how prevalent the conversations around Secure Access Service Edge (SASE) were, in terms of major security vendors aligning themselves to the broader SASE theme or to its subset known as SSE. Cisco, Netskope, Versa Networks, Forcepoint, among others, demonstrated integrated offerings in this space.

Moving on to SecOps, RSA Conference 2022 will perhaps be seen as the first big opportunity for extended detection and response (XDR) vendors to make their case. Numerous vendors made significant XDR announcements, including BitDefender (launching GravityZone XDR solution), CrowdStrike (expanding Falcon's XDR module), and RSA Group (debuting NetWitness XDR), among others. XDR has the potential to revolutionize enterprise threat detection and incident response (TDIR), making it faster, easier, and potentially even cheaper to find, analyze, and fix cybersecurity threats.

Proactive approaches such as risk-based vulnerability management and attack surface management (ASM) were also in the spotlight. It has been clear throughout 2022 that ASM products are quickly becoming an important component of broader proactive posture management strategies. The market, particularly for external ASM (EASM) solutions, has been busy with both investment and M&A activity.

RSA 2022: Omdia Research Take Aways

Transitive dependencies can complicate the process of developing software bills of materials.

If you're building software applications, you're familiar — or should be familiar — with SBOMs, or software bills of materials. Think of an SBOMs as a list of ingredients in your application. The urgency for organizations to create and maintain accurate SBOMs has increased in the wake of recent software supply chain vulnerabilities such as Log4Shell and Spring4Shell. What's more, if you do business with the US government, an accurate and up-to-date SBOM is now a requirement, based on the May 2021 Executive Order issued by the White House in response to the far-reaching repercussions of the SolarWinds attack.

According to Gartner, "by 2025, 60% of organizations building or procuring critical infrastructure software will mandate and standardize SBOMs in their software engineering practice, up from less than 20% in 2022." Gartner also acknowledges that "keeping software bills of materials (SBOMs) data in sync with corresponding software artifacts presents a key challenge."1

Are organizations keeping pace with such market dynamics? A recent Tidelift survey shows that only 37% of organizations are aware of new government software supply chain requirements around security and SBOMs. Of these organizations, only 20% are using SBOMs for most or all applications today.

However, change is coming quickly: The vast majority of organizations — 78% — are either already using SBOMs in at least some applications or have plans to do so in the next year, according to the survey.

**Open Source Complicates SBOM Matters**

Developing SBOMs can be challenging, but if you are using open source components in your applications — as most modern software development teams do — then the process for building an SBOM and keeping it up to date becomes even more complex because of the impact of transitive dependencies.

Open source components that other open source components rely on, transitive dependencies can be difficult to track down. For example, many organizations affected by Log4Shell weren't immediately aware of their exposure because it came through transitive dependencies. It is therefore critical that your SBOM identifies not only direct open source dependencies but also transitive dependencies.

In addition, because developers are constantly committing code to deliver enhanced functionality to applications, it is critical that SBOMs are dynamic, capturing changes to the open source components up and down the open source software supply chain.

**Conclusion: Get a Handle on SBOMs**

To ensure the integrity of software supply chains, the use of SBOMs will become more common — and will often be required. To ensure that your organization is delivering accurate and up-to-date SBOMs for the applications it develops and delivers, it's important to get a handle not just on your list of ingredients, but also the ingredients your ingredients are using.

1 Gartner, "Innovation Insight for SBOMs," Manjunath Bhat, Dale Gardner, Mark Horvath, 14 February 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

When It Comes to SBOMs, Do You Know the Ingredients in Your Ingredients?

With more staff working remotely, identity, authentication, and access (IAA) has never been more important. Microsoft has a new response.

At the start of June 2022, just before RSAC 2022, Microsoft announced a new product family, Microsoft Entra, which encompasses all of Microsoft’s identity and access capabilities. Microsoft Entra products include:

*   Azure Active Directory (Azure AD) as well as two new product categories:
*   Microsoft Entra Permissions Management (a Cloud Permissions management (CPM) / Cloud Infrastructure Entitlement Management (CIEM) solution)
*   Microsoft Entra Verified ID (a decentralized identity product offering)

According to Microsoft, Entra is part of the company’s expanded vision for identity and access. The plan is to verify all types of identities and secure, manage, and govern their access to any resource, by:

*   Protecting access to any app or resource for any user;
*   Securing and verifying every identity across hybrid and multicloud environments;
*   Discovering and governing permissions in multicloud environments; and
*   Simplifying the user experience with real-time intelligent access decisions.

**Azure Active Directory (Azure AD)**  

**Microsoft Azure AD**, is also part of the Microsoft Entra family, and all its capabilities, such as conditional access and passwordless authentication, remain unchanged. Azure AD External Identities continues to be the vendor’s identity solution for customers and partners under the Microsoft Entra family.

Identity Governance for employees and partners is another area of focus for Microsoft. It’s a significant challenge for IT and security teams to provision new users and guest accounts and manage their access rights manually. This can have a negative impact on both IT and individual productivity. New employees often experience a slow ramp-up to full effectiveness while they wait for the access required for their jobs. Similar delays in granting necessary access to guest users undermine a smoothly functioning supply chain. At the other end, without formal or automated processes for reprovisioning or deactivating people’s accounts, their access rights may remain in place when they change roles or exit the organization (the dangerous "orphan account" scenario that can be exploited by threat actors).  

Microsoft believes that their **Identity Governance (in Azure AD)** offering addresses this with identity lifecycle management, which simplifies and speeds up the processes for onboarding and offboarding users. Lifecycle workflows automate assigning and managing access rights and monitoring and tracking access as user attributes change. Lifecycle workflows enhancements in Identity Governance are scheduled to enter public preview in July 2022.

Omdia believes that automating identity, authentication, and access features and tasks is a key trend within this space. There is an ever-increasing amount of data that companies need to keep secure and interpret when things go wrong, the automating of features and tasks will continue to accelerate in the coming years. This increase in data is helping to drive automation in a number of segments within the identity, authentication and access sector.

**Microsoft Entra Permissions Management** (Cloud Permissions Management)

Microsoft stated that the Microsoft Entra Permissions Management product/solution will be a standalone offering, be integrated within the Defender for Cloud dashboard, extending Microsoft Defender for Cloud's protection into the CPM realm (a.k.a. CIEM). It is worth recalling the history and development of this product. In July 2021, Microsoft **acquired CloudKnox Security, which was the market leader in CPM technology, with a view to enabling businesses using its Azure Active Directory service to exercise tighter control over employees’ access rights to their cloud assets, regardless of which cloud they reside in.**

CPM is an emerging technology segment, with most of the start-ups offering the capability dating from the late 2010s. CloudKnox was among the first, having been founded in 2017. So recent is the technology that it still has no standard name: one analyst firm calls it cloud infrastructure entitlements management (CIEM), which is both excessively wordy and confusing, given its similarity to security incident and event management (SIEM) and customer identity and access management (CIAM). Another calls it cloud identity governance, which is less self-explanatory than Omdia's preferred name, cloud permissions management. The permissions management product/solution will be available worldwide in July 2022.

It is also worth noting that the Permissions Management product is cloud agnostic, i.e. it will be able to enforce the principle of least privilege in Microsoft Azure, Amazon Web Services, and Google Cloud Platforms.

**Microsoft Entra Verified ID** (Decentralized Identity)

Microsoft Entra Verified ID is a new product offering based on decentralized identity standards that makes portable, self-owned identity possible. Verified ID represents Microsoft's commitment to an open, trustworthy, interoperable, and standards-based decentralized identity future for individuals and organizations. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, Verified ID allows individuals and organizations to decide what information they share, when and with whom they share it, and—when necessary—to take it back by rescinding access rights. The Verified ID product will be available from early August 2022. Omdia believes that decentralized identity is gaining traction and this announcement by Microsoft to launch a product in this space will help to turbocharge the segment.

**Expansion of the Microsoft Entra product family – Which IAA segments next?**

It was interesting to note in Microsoft's recent press release that they stated this launch "is an important step towards delivering a comprehensive set of products for identity and access needs, and we’ll continue to expand the Microsoft Entra product family." So what areas are they likely to expand into? PAM? CPM technology looks like a natural adjacency for privileged access management (PAM) vendors, and indeed, the largest player in PAM, CyberArk, launched a CPM module in late 2020. Meanwhile Zscaler, which delivers security as a service from the cloud, acquired CPM start-up Trustdome in April 2021, reportedly for $31M, and XDR vendor SentinelOne's $616M acquisition of Attivo in March this year brought it, among other things, a CPM capability.

If Microsoft were to enter the PAM market, then what other areas of identity, authentication and access are logical to look at?

In recent years, segments such as PAM and IGA have undergone the cloudification of their products/solutions. Enterprise applications were already moving to the cloud long before the pandemic, to be delivered as a service. However, the impact of the pandemic was to turbocharge that process, and with it, the need for cloud-based identity management capabilities.

This backdrop explains the importance Omdia attributes to the cloud in the identity services market, not only as a locus from which to deliver IGA, but also as the place where an increasing number of corporate assets now reside, which puts a new level of requirement for entitlements management. It is also worth noting that Okta, the 800 pound gorilla of cloud-native identity management, is planning to launch IGA and PAM products in Q4 2022 and Q1 2023.

There has also been an expansion of diverse access points over the last couple of years and an overlapping of identity and access tools. All of this helps to explain why Microsoft has expanded its identity, authentication, and access product portfolio and why it sees this area as being central to secure access in a connected world.

**Identity As a Trust Fabric**

By launching Entra, Microsoft plans to move forward, by expanding their identity and access solutions so that they can serve as a "trust fabric" for the _entire_ digital ecosystem, now and long into the future.

The "trust fabric" is an identity mesh of connections that secures, governs, and manages for Microsoft products. To make this vision a reality, identity must evolve. This interconnected world requires a flexible and agile model where people, organizations, apps, and even smart devices could confidently make real-time access decisions.

**Conclusions**

Microsoft has traditionally been seen as the unspoken giant of identity. With the Entra announcements it is now entering the fray in a more direct fashion, and other IAA vendors need to sit up and take notice of these developments. Where once they simply played nicely with Active Directory as the backend identity repository for their technology, Microsoft may now be coming for their lunch.

The next few years will certainly be an interesting time in the identity space, with new entrants, new product launches and more mergers and acquisitions. Omdia predicts disruption and displacement, with Microsoft as the disruptor in chief!

Microsoft Going Big on Identity with the Launch of Entra

Cyber mercenaries in countries like India, Russia, and the UAE are carrying out data theft and hacking missions for a wide range of clients across regions, a couple of new reports said.

The threat associated with nation-state-backed hacking groups has been well-researched and chronicled in recent times, but there's another, equally dangerous set of adversaries that's operated comparatively in the shadows for years.

These are hack-for-hire groups that specialize in breaking into systems and stealing email and other data as a service. Their clients can be private investigators, law firms, business rivals, and others that don't have the capabilities to carry out these attacks on their own. Such cyber mercenaries often openly advertise their services and target any entity of interest to their clients, unlike state-backed advanced persistent threat (APT) actors, which tend to be stealthy and have specific missions and a tight target focus.

Researchers from Google's Threat Analysis Group (TAG) this week released a report on the threat, using hack-for-hire ecosystems in India, Russia, and the United Arab Emirates as examples of the prolific nature of the criminal activity. The TAG researchers identified the services offered by cyber mercenaries as different from that offered by surveillance vendors that sell tools and capabilities for others — such as intelligence agencies and law enforcement — to use.

**Broad Range of Targets**

"The breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations, which often have a clearer delineation of mission and targets," said Shane Huntley, director of Google TAG, in a blog Thursday.

As an example, he pointed to a recent operation that Google observed where an Indian hack-for-hire outfit targeted an IT company in Cyprus, a shopping company in Israel, a financial technology company in the Balkans, and an academic entity in Nigeria. In other campaigns, Google has observed these groups targeting human rights advocates, journalists, and political activists.

"They also conduct corporate espionage, handily obscuring their clients' role," Huntley wrote.

Google's report on hack-for-hire activity coincided with a lengthy Reuters investigative report on how parties involved in courtroom litigation have in recent years hired Indian cyber mercenaries to steal information from the other side that would give them an edge in the battle.

Reuters said it was able to identify at least 35 instances going back to 2013, when someone involved in a lawsuit hired Indian hackers to obtain information from the entity they were litigating against. One of them involved a $1.5 billion legal battle between the Nigerian government and the heirs of an Italian businessman over control of an oil company.

In each of these instances, the hackers sent phishing emails to targeted victims with malware for stealing credentials for their email accounts and other data.

**Numerous Hacking-for-Hire Victims**

Reuters said it identified some 75 US and European companies, three dozen advocacy groups, and numerous business executives in western countries that were the targets of these attacks. In all, over the seven-year period that was the focus of the investigation, Indian hackers sent some 80,000 phishing emails to 13,000 targets across multiple countries.

Among those whose email inboxes the attackers tried to access were at least 1,000 attorneys at 108 law firms, such as Baker McKenzie and Cooley and Cleary Gottlieb in the US and Clyde & Co. and LALIVE in Europe.

Reuters described the report as being based on information from victim interviews, US government officials, lawyers, and court documents from seven countries. Also helping with the investigation was a database of those tens of thousands of emails sent by the Indian hackers that Reuters said it received from two email providers.

"The database is effectively the hackers' hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020," the Reuters story stated.

Among the Indian entities that Reuters named in its report were Appin, BellTroX, and Cyberoot — all of which shared infrastructure and staff at some point.

**Tracking Cyber Campaigns**

Google said it also has been tracking Indian hack-for-hire operators, many of which were associated with Appin and BellTroX, since 2012. A lot of the activity has focused on organizations in the government, telecom, and healthcare sectors in the UAE, Saudi Arabia, and Bahrain, according to TAG.

Google's report also described hack-for-hire operators that TAG researchers have been tracking in Russia and the UAE. One of them is a previously known Russian actor that others have referred to as Void Balaur, which has spied on thousands of individuals and stolen private information about them for sale to various clients.

This is not the first time that security researchers have sounded a warning on hackers-for-hire. Trend Micro, for instance, reported on the Void Balaur threat in November 2021. A year prior, BlackBerry security researchers reported on a hack-for-hire group it had observed called CostaRicto, which targeted victims in multiple countries, many of them in South Asia.

"The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," TAG's Huntley wrote.

Source

DARKReading