Bronze Starlight’s use of multiple ransomware families and its victim-targeting suggest there’s more to the group’s activities than just financial gain, security vendor says.

A China-based advanced persistent threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyberespionage and intellectual property theft.

In all of the attacks, the threat actor has used a malware loader called the HUI Loader — associated exclusively with China-backed groups — to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks who are tracking the group as “Bronze Starlight” say it’s a tactic they have not observed other threat actors use.

Secureworks also says it has identified organizations in multiple countries that the adversary appears to have compromised. The group’s US-based victims include a pharmaceutical company, a law firm, and a media company with offices in Hong Kong and China. Others include electronic component designers and manufacturers in Japan and Lithuania, a pharmaceutical company in Brazil, and the aerospace and defense division of an Indian conglomerate. Some three-quarters of Bronze Starlight’s victims so far are organizations that have typically been of interest to government-sponsored Chinese cyber-espionage groups.

**Cycling Through Ransomware Families**

Since it began operations in 2021, Bronze Starlight has used at least five different ransomware tools in its attacks: LockFile, AtomSilo, Rook, Night Sky, and Pandora. Secureworks’ analysis shows that the threat actor used a traditional ransomware model with LockFile, where it encrypted data on a victim network and demanded a ransom for the decryption key. But it switched to a double-extortion model with each of the other ransomware families. In these attacks Bronze Starlight attempted to extort victims by both encrypting their sensitive data and threatening to leak it publicly. Secureworks identified data belonging to at least 21 companies posted on leak sites associated with AtomSilo, Rook, Night Sky, and Pandora.

While Bronze Starlight appears on the surface to be financially motivated, its real mission appears to be cyberespionage and intellectual property theft in support of Chinese economic objectives, says Marc Burnard, senior consultant information security research at Secureworks. The US government last year formally accused China of using threat groups such as Bronze Starlight in state-sponsored cyber-espionage campaigns.

“The victimology, tooling, and rapid cycling through ransomware families suggest that Bronze Starlight’s intent may not be financial gain,” he says. Instead, it’s possible that the threat actor is using ransomware and double extortion as a cover to steal data from organizations of interest to China and destroy evidence of its activity.

Bronze Starlight has consistently targeted only a small number of victims over short periods of time with each ransomware family — something that threat groups don’t often do because of the overhead associated with developing and deploying new ransomware tools. In Bronze Starlight’s case, the threat actor appears to have employed the tactic to prevent drawing too much attention from security researchers, Secureworks said.

**The Chinese Connection**

Burnard says the threat actor’s use of the HUI Loader along with a relatively rare version of PlugX, a remote access Trojan linked exclusively to China-backed threat groups, is another sign that there’s more to Bronze Starlight than its ransomware activity might suggest.

“We believe the HUI Loader is a tool unique to Chinese state-sponsored threat groups,” Burnard says. It is not widely used, but where it has been used, the activity has been attributed to other likely Chinese threat group activity, such as one by a group dubbed Bronze Riverside that is focused on stealing IP from Japanese companies. 

“In terms of the use of the HUI Loader to load Cobalt Strike Beacons, this is one key characteristic of the Bronze Starlight activity that connects the broader campaign and five ransomware families together,” Burnard says.

Another sign that Bronze Starlight is more than just a ransomware operation involves a breach that Secureworks investigated earlier this year, where Bronze Starlight broke into a server at an organization that had previously already been compromised by another China-sponsored threat operation called Bronze University. In this incident, though, Bronze Starlight deployed the HUI Loader with Cobalt Strike Beacon on the compromised server, but it did not deploy any ransomware. 

“Again, this raises an interesting question around links between Bronze Starlight and state-sponsored threat groups in China,” Burnard says.

There’s also evidence that Bronze Starlight is learning from its intrusion activity and improving the HUI Loader’s capabilities, he adds. The version of the loader that the group used in its initial intrusions, for instance, were merely designed to load, decrypt, and execute a payload. But an updated version of the tool that Secureworks came across while responding to a January 2022 incident revealed several improvements. 

“The updated version comes with detection evasion techniques, such as disabling Windows Event Tracing for Windows \[ETW\] and Antimalware Scan Interface \[AMSI\] and Windows API hooking,” Burnard notes. “This indicates the HUI Loader is actively being developed and upgraded.”

Secureworks’ investigation shows that Bronze Starlight primarily compromises Internet-facing servers on victim organizations by exploiting known vulnerabilities. So as part of a multilayered approach to network security, network defenders should ensure that Internet-facing servers are patched in a timely manner, Burnard says. 

“While the focus is often on zero-day exploitation, we often see threat groups like Bronze Starlight exploit vulnerabilities that already have a patch available," he says.

Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft

Johnson Controls will roll out the Tempered Networks platform across deployments of its OpenBlue AI-enabled platform.

**CORK, Ireland, June 23, 2022 —** Johnson Controls (NYSE: JCI), the global leader for smart, healthy, and sustainable buildings, today acquired zero trust cybersecurity provider – Tempered Networks, based in Seattle, Washington. Tempered Networks has created ‘Airwall’ technology, an advanced self-defense system for buildings that enables secure network access across diverse groups of endpoint devices, edge gateways, cloud platforms and service technicians. It represents a step-change in operational technology built on secure transmission pipelines to ensure buildings data exchanges and service actions can only take place between people and devices that are continuously authenticated.

The acquisition gives Johnson Controls the capability to provide zero trust security within the fabric of its OpenBlue secure communications stack, advancing its vision of enabling fully autonomous buildings that are inherently resilient to cyberattack.

**_How Airwall Works_**

Tempered Networks Airwall technology uses the Host Identity Protocol and a cloud-based policy orchestration platform to create new overlay networks built on encrypted and authenticated communication. The policy manager (a.k.a. the conductor) enforces configured digital policies that control connections within the cloaked overlay system. The default position for the policy manager is ‘zero trust’, i.e., only allowing connections between continuously authenticated and authorized entities. Once a communicating device authenticates itself correctly, an encrypted tunnel is created through which data flows. The advantages of this cybersecurity technique are as follows:

1\. The creation of an always-on and software-defined security perimeter protecting device-to-device, device-to-cloud and device-to-user interactions.

2\. Airwall achieves this by using Host Identity Protocol to create a cloaked and micro-segmented network which overlays a building’s existing network infrastructure, making the solution also highly cost-effective.

3\. A new level of authentication for connected building systems is created, allowing for greater system automation of functions such as heating and cooling, lighting, security and airflows.

“When it comes to buildings, we must create easily implementable cybersecurity defenses as we’re often dealing with critical infrastructure, including assets such as data centers and hospitals,” said Vijay Sankaran, vice president and chief technology officer, Johnson Controls. “Tempered Networks Airwall approach is purpose-built for our sector as it’s designed around principles of zero trust, securing device communications as data moves between devices and the cloud – so enabling remote building optimization in the most trusted way possible.”

**_Technology Integration_**

Tempered Networks Airwall technology is being integrated into Johnson Controls OpenBlue platform which is increasingly recognized as a leading smart building software platform with advanced AI-enabled building management capabilities\[1\]. OpenBlue provides a flexible computing approach for converging building technologies and making those technologies more insightful, powerful, and optimized through edge AI and through full machine learning in the cloud. The ultimate goal is to make all buildings smarter, healthier and more sustainable.

Financial terms of the transaction were not disclosed.

To learn more about Johnson Controls' approach to cybersecurity, please visit www.johnsoncontrols.com/cybersolutions.

See an explanation video for Tempered Networks Airwall technology here.

Johnson Controls Acquires Tempered Networks to Bring Zero Trust Cybersecurity to Connected Buildings

ShiftLeft's Manish Gupta join Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about looking at vulnerability management through the lens of "attackability."

Prioritizing vulnerabilities is key to any organization but by looking at them through the lens of “attackability,” security professionals can focus on the vulnerabilities attackers are most likely to exploit, says Manish Gupta, CEO & Founder, ShiftLeft. He also addresses how the company has been able to bridge the occasional gap that forms between AppSec and developer teams that can disrupt collaboration and compromise security. Finally, Gupta offers some previews from ShiftLeft’s recent AppSec progress report and how teams are benefitting from this approach.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ShiftLeft: Focus On 'Attackability' To Better Prioritize Vulnerabilities

Bipartisan legislation allows cybersecurity experts to work across multiple agencies and provides federal support for local governments.

The Biden White House continued its efforts to shore up US cyber defenses by signing two bills into law, both with the goal of helping cybersecurity expertise and resources flow freely between federal agencies and down to municipalities in need of resources. 

The first piece of cybersecurity legislation, called the Federal Rotational Cyber Workforce Program Act of 2021, clears the necessary red tape to allow information technology, cybersecurity, and other related federal workers to provide expertise across multiple agencies. 

The second piece of legislation, the Local Government Cybersecurity Act, enhances coordination between the Department of Homeland Security, and state and local governments. 

“For hackers, state and local governments are an attractive target — we must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyber-attacks,” that bill's House sponsor, Rep. Joe Neguse, a Democratic Congressman from Colorado, said about the passage in a statement. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pair of Brand-New Cybersecurity Bills Become Law

The concept might make us sharp and realistic, but it's not enough on its own.

**The Rise of the Presumption of Compromise**

In cybersecurity, we often say that "prevention is ideal, but detection is a must." But why do we say that? Shouldn't both prevention and detection be musts in a layered, defense-in-depth security approach? Well, this saying is rooted in a realistic view of reality, where we, as cyber-defense professionals, have come to accept that it's almost impossible to prevent the bad guys from breaking into connected systems. The choices are either total isolation (which, in some cases, can be circumvented) or risking a breach of the system. This notion of failing prevention has become a linchpin in our modern defense strategy and has become known as a "presumption of compromise." That is, assume that you already have been breached and focus on never-ending detection and eradication of the badness lurking in your systems.

Since we failed with prevention, we turned to detection. To paraphrase Churchill: No one pretends that detection is perfect or all-wise. Indeed, it has been said that detection is the worst form of defense except for all those other forms that have been tried.

**The Inevitable Fall of Presumption of Compromise**

Nevertheless, the current form of presumption of compromise — which focuses on rapid detection — is intended to fail because its contemporary version serves merely as a tactical tool rather than as a strategical framework. It tells you what not to rely on but doesn't tell you how to truly solve the problem. Instead of providing a solution, presumption of compromise merely kicks the can down the road.

In a recent thought-provoking experiment, security researchers from Splunk tried to determine the speed of encryption of modern ransomware malware families. They selected 10 ransomware families and measured the time it took each to encrypt 100,000 files on a victim's system. The results were astonishing. It took 45 minutes on average, with the slowest ransomware (Babuk) able to encrypt the files within 3.5 hours, while the fastest ransomware (Lockbit) achieved this goal within only 4 minutes (!).

Other recent research, which analyzed ransomware attacks, concluded that "the average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021."

An additional parameter to consider in this context is breakout time, which measures how much time it takes for an adversary to hop from an initially compromised system on to the next. According to CrowdStrike, the average breakout time in 2021 is 1.5 hours. In 2018, it was almost 2 hours.

Unfortunately, these measurements provide a dismal forecast for our near future. The attackers are getting faster, and the ever-shrinking detection window is under a constant pressure.

**Automation Arms Race**

To detect faster, defenders turn to automation — sometimes by using static signatures and detection rules, and sometimes with the help of machine learning. Unfortunately, automation is not the monopoly of the good guys, and attackers use it as well. Being able to inflict damage faster and with fewer human personnel is serving the attackers' business models well, so the incentive to automate attacks has never been stronger.

Once both sides — the attack and the defense — increasingly turn to automation, we end up in a spiraling automation arms race. The defenders have had a head start in this race, spending the last several years developing and deploying AI-based solutions. Nevertheless, it's frightening to think about the consequences of the mass adoption of such technologies by the attackers, which continues to narrow the detection window.

**The Rebirth of the Presumption of Compromise**

The inevitable shrinkage of the detection window forces us to rethink its foundation. In the long term, it appears that detection alone is no longer a viable defense strategy. Instead, I believe that the focus of defensive strategy will be passed on to resilience — being able to recover quickly from an incident, with automation and volatile computerized systems that can be brought up and down instantly playing a pivotal role.

Make no mistake: A presumption of compromise is a good idea after all. It keeps us sharp and realistic. Nonetheless, its current detection-oriented manifestation looks like a losing strategy over the long term. Instead, we should start focusing on resilient, self-recoverable, and instantly rebuildable systems. Such recoverability will lay out the missing brick of the solution: protection, detection, and resilience. Together, they have the power to form the holy trinity of a truly sustainable defense-in-depth strategy.

The Rise, Fall, and Rebirth of the Presumption of Compromise

Farmers are incorporating high-tech solutions like IoT and drones to address new challenges facing agriculture.

The agriculture industry doesn't typically come to mind when thinking about sectors on the cutting edge. Yet it has been forging ahead through each industrial revolution, and today innovative farmers are starting to incorporate high-tech solutions to address the new challenges the industry is facing.

Automation and robotics, livestock technology, artificial intelligence, and precision agriculture are all opportunities to harness the power of future tech to bring farming into the 21st century.

Farmers face similar challenges regardless of the time period, including inflating operating costs and a shortage of laborers. This is compounded by the world population continuing to rise, increasing the demand on agriculture.

Now, in the Fourth Industrial Revolution, the Internet of Things (IoT) offers an opportunity for the agricultural industry to maximize efficiency while reducing costs, directly addressing the demands and challenges.

**What Is Smart Agriculture?**

Smart agriculture is the use of IoT in agriculture. IoT sensors collect environmental and machine metrics to inform decisions, monitor the state of crops, and optimize efficiency. For example, smart agriculture sensors can track how crops are doing and help farmers use fertilizers and pesticides judiciously.

Overall, the agricultural industry hasn't adopted IoT as quickly as other industries or consumers have, but the market is quite dynamic. The disruptions of the pandemic, including the shortage of workers and supply chain issues, have pushed more farmers to adopt and innovate.

According to reports, the global smart agriculture market size is expected to triple by 2025, reaching $15.3 billion, compared with around $5 billion in 2016.

The market is still developing, but currently IoT can improve agriculture by:

*   Collecting data to track performance and health, such as soil quality, growth progress, cattle health, and weather conditions.
*   Offering control over internal processes and reducing production risks, such as planning for product distribution based on production output.
*   Managing costs and waste with better control over production and risks.
*   Improving business efficiency with automation, such as automated irrigation, fertilization, pest control, and more.
*   Enhancing product volume and quality with better control over the production process, quality, and growth capacity.

**IoT Use Cases in Agriculture**

As the industry adopts more IoT devices, the use cases will likely increase. But here are the primary use cases for IoT in agriculture.

**Precision agriculture:** Precision agriculture offers information to make accurate, data-driven decisions and make operations more efficient. With IoT sensors, farmers can collect virtually any metric that's important for decision-making, including data on temperature, humidity, soil condition, lighting, CO2 levels, pest infestations, and disease. With this data, farmers can estimate the ideal amount of resources to use — like water, pesticides, or fertilizer — to reduce expenses and raise healthier crops and livestock.

**Climate monitoring**:**** Climate monitoring devices, such as weather stations with sensors, can be used to collect data about the environment. Farmers can then map climate controls and optimize crop capacity. These devices are often located in remote areas of the land , providing more accurate measurements in the growth environment and saving travel time.

**Crop management:** Part of the precision agriculture sector, crop management devices operate similarly to weather stations. They can be set up in the field to collect data related to crops, such as precipitation, crop health, and temperature. This allows farmers to monitor crop conditions and growth, as well as to spot any diseases or infestation that can negatively impact the crop yield.

**Cattle monitoring and management:** Similar to crop monitoring, IoT for cattle acts like medical wearables for livestock to monitor their performance and health. These devices can also be used for tracking to determine the location of the herd or an individual animal.

For example, sensors can alert farmers to potentially diseased animals for timely quarantine, sparing the rest of the herd. Drones can also be used for real-time livestock tracking.

**Agriculture drones:** Agricultural drones offer more precise data than planes or satellites. They can replace human labor in a variety of areas, including tracking livestock, combating pests, spraying, crop monitoring, and planting crops.

**Predictive analytics:** Predictive analytics is a component of precision agriculture. Real-time data offers many advantages for farmers, but the analytics aspect helps them use the information for better forecasting and optimization.

Overall, farming is at the whim of weather conditions, and data analytics can help farmers predict and manage the unexpected. For example, predicting upcoming precipitation can help farmers adjust irrigation to avoid over- or underwatering and optimize the use of fertilizers.

**Greenhouse automation:** Greenhouses are typically managed manually, but IoT sensors offer accurate, real-time information on changing greenhouse conditions, like soil quality, humidity levels, temperature, and lighting. Along with gathering data, these sensors allow controls to adjust the conditions to match the ideal parameters.

**End-to-end management:** This is the most complex part of agricultural IoT and includes a variety of IoT devices and sensors with analytical capabilities. Together, these devices offer remote farm monitoring and the capability to streamline operations.

**The Challenges of Smart Farming**

IoT for agriculture has virtually limitless applications, but it's not without its limitations.

**Hardware and sensor quality for accuracy.** The type of information you intend to collect should determine the hardware and sensors for your device, as well as the quality of the data you can collect.

**Data analytics and predictive algorithms.** Data analytics is an important component of smart agriculture, so it's vital to choose an option with robust capabilities.

**Ongoing maintenance.** One of the benefits of smart agriculture is that devices can be in remote or distant environments, but that also comes with challenges related to maintenance.

**Mobility for field use.** Similar to maintenance, smart devices should be designed for field use and enabled for remote access on a computer or smartphone.

**Connectivity.** Like all other smart technology, smart agriculture relies on communication. The connection must be able to travel over distances and be reliable enough for inclement weather.

**Security.** Smart farming involves large data sets, creating potential security vulnerabilities. Data security in IoT is an ongoing challenge, particularly in agriculture, so it's crucial to have AI-based security tools, data traffic monitoring, encryption, and remote access control.

IoT is seeing more and more adoption, but it's new in the farming industry. As farmers face greater obstacles, however, it's likely that IoT adoption will increase along with them. Young farmers are bringing about the Fourth Industrial Revolution in agriculture with future technologies that harness the power of data, automate processes, and optimize operations.

Reinventing How Farming Equipment Is Remotely Controlled and Tracked

Malicious invoices coming from the accounting software's legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.

Cyberattackers are hiding behind the QuickBooks brand to disguise their malicious activity, researchers are warning. The effort is a "double-spear" approach that packs a one-two punch: Stealing phone numbers and making off with cash via bogus credit-card payments.

The popular accounting software allows customers to sign up for cloud accounts, from which they can send out requests for payment, invoices, and statements, all coming from the quickbooks.intuit.com domain. According to an analysis from Avanan, cybercrooks are taking advantage of this to send out malicious versions of QuickBooks documents — and email security filters, having determined that the address isn't spooked and comes from an "allowed" domain, pass the messages right on to inboxes.

The campaign started in May, researchers noted in a blog post on Thursday. The email body spoofs brands like Norton or Microsoft 365 (formerly Office 365) and often claim that the targets owe monetary damages. The offensive casts a wide net, targeting companies across all industry segments, according to the firm.

"It presents an invoice and encourages you to call if you think there are any questions," Avanan researchers noted in their analysis. "When calling the number provided, they will ask for credit-card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesn't correlate with a real one."

Once the end user calls to see what’s going on, the hackers then harvest the phone number, allowing them to use it for follow-on attacks via text message or WhatsApp. They also receive the credit-card payment, so the campaign is two-pronged in terms of victim pain.

"On this one, we're dealing with a fairly sophisticated level as hackers have found a way to know that this attack will work and to do a double spear, gaining money and credentials," Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.

He adds, "Like any social-engineering scam, the likeliness of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and it's an invoice for what looks like a legitimate company, it might catch some users off-guard."

**Phishing, Cloaked in Legitimacy**

Using the legitimacy of cloud domains to reach the inbox is not a new approach, of course. But particularly as many businesses continue to support remote workers with cloud services and software-as-a-service apps, the approach has been cresting as these channels are less protected than traditional email gambits.

"With regards to broader trends that this falls into, we've seen hackers utilize legitimate sites for illegitimate purposes," Fuchs says. "Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, we've seen an uptick in hackers grabbing money and harvesting phone numbers for future attacks."

While other cloud services like Evernote, Dropbox, Microsoft, DHL, and many more have been abused in this fashion by phishers, nefarious types have leveraged Google in particular over the past few months.

For instance, in January, a threat actor used the comments function in Google Docs to dupe targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.

"Organizations can't block Google, so Google-related domains are allowed to come into the inbox," according to Avanan. "These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote."

To guard against attacks like these, Avanan recommends the following:

*   Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges.
*   Implement advanced security that looks at more than one indicator to determine in an email is clean or not.
*   Encourage users to ask IT if they are unsure about the legitimacy of an email.

Cyberattackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign

Latest Prisma Cloud platform updates help organizations continuously monitor and secure web applications with maximum flexibility.

SANTA CLARA, Calif., June 23, 2022 /PRNewswire/ -- Over the last two years, organizations have expanded their use of cloud environments by more than 25%. Many are now struggling to manage the technical complexity of cloud migration, including the ability to secure their applications across the entire application development lifecycle. Palo Alto Networks (NASDAQ: PANW), a leader in The Forrester Wave™: Cloud Workload Security, Q1 2022, today announced the addition of Out-of-Band Web Application and API Security (Out-of-Band WAAS) to Prisma® Cloud to help organizations secure web applications with maximum flexibility.

Until now, a primary industry approach to securing web applications has been to deploy inline web application firewalls (WAFs). Some organizations are reluctant to introduce WAFs or API security solutions inline, however, due to performance and scalability concerns. With today's announcement, Prisma Cloud can provide organizations with deep web and API security both inline and out of band, allowing them to choose how to protect their applications in the cloud.

"Companies no longer have to decide between application security and performance. By adding Out-of-Band WAAS to Prisma Cloud, we are empowering customers with flexible security options that fit their evolving application needs," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As more organizations move workloads to the cloud, the capabilities that make up Prisma Cloud help provide the most complete protection, reducing complexity and increasing visibility across infrastructure, workloads, identities and applications."

"As organizations increasingly build and deploy their applications in the cloud, protecting their business-critical applications without impacting performance has been a challenge," said Melinda Marks, senior analyst, ESG. "Adding the option of Out-of-Band WAAS helps both developer and security teams secure their applications with the same level of security as traditional in-line WAFs and API security without impacting performance."

In addition to Out-of-Band WAAS, Prisma Cloud is getting new threat detection, alert prioritization and permissions management capabilities to help provide organizations with deeper, unified visibility across their entire cloud application portfolio:

*   **Multicloud Graph View for Cloud Infrastructure Entitlement Management (CIEM):** Discover over-privileged accounts and understand access risk across multicloud environments. Prisma Cloud now provides a graph view of the net effective permissions across AWS, Microsoft Azure and Google Cloud.
*   **Multicloud Agentless Cloud Workload Protection:** Extend visibility into cloud workloads and application risks across Azure and Google Cloud, in addition to AWS, to complement existing agent-based protection.
*   **DNS-Based Threat Detection:** Surface malicious activity and anomalous behavior in cloud environments. Prisma Cloud Threat Detection now leverages machine learning (ML) and advanced threat intelligence to identify bad actors hiding in DNS traffic.
*   **MITRE ATT&CK**® **Alert Prioritization:** Enable security teams to prioritize risks and incidents based on the industry's most widely adopted framework.

**Availability**

Out-of-band WAAS is available today for Prisma Cloud Compute Edition and will be available in the Enterprise Edition over the next month. The additional features will also roll out for Prisma Cloud Enterprise Edition over the next month.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Networks Bolsters Its Cloud Native Security Offerings With Out-of-Band WAAS

To prevent these attacks, businesses must have complete visibility into, and access and management over, disparate devices.

Most of the news about Internet of Things (IoT) attacks has been focused on botnets and cryptomining malware. However, these devices also offer an ideal target for staging more damaging attacks from inside a victim's network, similar to the methodology used by UNC3524. Described in a Mandiant report, UNC3524 is a clever new tactic that exploits the insecurity of network, IoT, and operational technology (OT) devices to achieve long-term persistence inside a network. This type of advanced persistent threat (APT) is likely to increase in the near future, so it's important for companies to understand the risks.

**A Critical Blind Spot**

Purpose-built IoT and OT devices that are network-connected and disallow the installation of endpoint security software can be easily compromised and used for a wide variety of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company has found that more than 80% of organizations can't identify the majority of IoT and OT devices in their networks. There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?

Consequently, unmanaged devices regularly have high- and critical-level vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and network devices that are deployed in large organizations, and we've found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10. Further, we found, 50% use default passwords, and 25% are at end of life and no longer supported.

**Compromising and Maintaining Persistence on IoT, OT & Network Devices**

Taken collectively, all of these issues play directly into the hands of attackers. Because network, IoT, and OT devices don't support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and turn on services within these devices without being detected. They can then maintain persistence because vulnerabilities and credentials aren't being managed and firmware isn't being updated.

**Staging Attacks Within the Victim Environment**

Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim's network.

To do this, an attacker will first get into the company's network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer, or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.

Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker just needs to establish a communication tunnel between the compromised device and the attacker's environment at a remote location. In the case of UNC3524, attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.

At this point, the attacker can remotely control victim devices to go after IT, cloud, or other IoT, OT, and network device assets. The attacker will likely use ordinary, expected network communication such as API calls and device management protocols to avoid detection.

**Surviving Incident Response**

The same problems that make network, IoT, and OT devices an ideal place for staging secondary attacks also make them well-suited for surviving incident response efforts.

One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. It's very difficult to completely kill off attackers if they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most business networks — even if the attacker's malware and toolkits are completely removed from the company's IT network, command-and-control channels are disrupted, software versions are updated to eliminate previously exploitable vulnerabilities, and individual endpoints are physically replaced.

**How to Reduce Corporate Risk**

The only way for businesses to prevent these attacks is to have complete visibility into, and access and management over, their disparate IoT, OT, and network devices.

The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening. With that said, companies with large numbers of devices will be challenged to secure them manually, so companies should consider investing in automated solutions.

The first step companies should take is to create an inventory of all purpose-built devices and identify vulnerabilities. Next, companies should remediate risks at scale related to weak passwords, outdated firmware, extraneous services, expired certificates, and high- to critical-level vulnerabilities. Finally, organizations must continuously monitor these devices for environmental drift to ensure that what's fixed stays fixed.

These are the same basic steps companies follow for traditional IT assets. It's time to show the same level of care to IoT, OT, and network devices.

How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

False positives and staff shortages are inspiring a massive managed detection and response (MDR) services migration, research finds.

Organizations drowning in security tasks with too few analysts and resources to handle them are moving in droves away from legacy services from managed security service providers (MSSPs) to more automated managed detection and response options. 

According to a LogicHub survey of IT professionals out this week, 79% of respondents using MSSPs to aggregate alerts are planning an upgrade to MDR services. Nearly a third (30%) already use MDR, with another 42% actively planning an upgrade in the next 12 months, LogicHub said.   

The promise of MDR's ability to stretch strapped security teams and resources with automated response, better threat detection, cloud support, and around-the-clock operations is supercharging the surge, according to the survey's respondents. In fact, 60% of respondents told LogicHub they had false-positive rates above 25%, creating mountains of unnecessary work for analysts. 

"This study has found a significant change in how organizations plan to address today's security challenges," Michael Sampson, senior analyst at Osterman Research, said in a statement about the new MDR service research. "The perfect storm of too many security tools creating too many alerts for overstretched security teams has created an urgent need for many organizations to move to more advanced managed security services."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading