Annual ThreatLabz Report reveals phishing-as-a-service as the key source of attacks across critical industries and consumers globally; underscores urgency to adopt a zero-trust security model.

**Key Findings**

· Phishing attacks rose 29% globally to a new record of 873.9M attacks observed in the Zscaler**TM** cloud last year

· Retail and wholesale were the most targeted industries, experiencing over a 400% increase in phishing attacks over the last 12 months

· The United States, Singapore, Germany, Netherlands, and the United Kingdom were the most frequently targeted by phishing scams

· Emerging phishing vectors, such as SMS phishing, are increasing faster than other methods as end users become more wary of suspicious emails

· Rising phishing activity is directly linked to “phishing- as-a-service” options, which provide a marketplace of pre-built attack tools that reduce technical barriers to entry for criminals

**SAN JOSE, Calif. – April 20, 2022** – Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today released the findings of its 2022 ThreatLabz Phishing Report that reviews 12 months of global phishing data from the Zscaler security cloud to identify key trends, industries and geographies at risk, and emerging tactics. According to the FBI Internet Crime Complaint Center (IC3), phishing attempts are the most frequently-reported cyberattack. Zscaler’s ThreatLabz research team analyzed data from more than 200 billion daily transactions, and 150 million daily blocked attacks in order to identify emerging threats and track malicious actors from across the globe. This year’s report showed dramatic 29% growth in overall phishing attacks compared to previous years, with retail and wholesale companies bearing the brunt of the increase. The report also showed an emerging reliance on phishing-as-a-service methods, as well as new attack vectors, such as SMS phishing, becoming one of the more prevalent methods of intrusion.

“Phishing attacks are impacting businesses and consumers with alarming frequency, complexity, and scope - with the rise in phishing-as-a-service making it easier than ever for non-sophisticated actors to launch successful attacks. Our annual report highlights how cybercriminals continue to escalate their usage of phishing as a starting point to breach organizations to deliver ransomware or steal sensitive data,” said Deepen Desai, CISO and VP of Security Research and Operations at Zscaler. “To defend against advanced phishing attacks, organizations must leverage a multi-pronged defensive strategy anchored on a cloud native zero trust platform that unifies full SSL inspection with AI/ML-powered detection to stop the most sophisticated phishing attempts and phishing kits, lateral movement prevention and integrated deception to limit the blast radius of a compromised user, proactive controls to block high risk destinations such as newly registered domains that are often abused by threat actors, and in-line DLP to safeguard against data theft.”

Phishing has always been one of the most pervasive cyberthreats, with various methods used to steal private information. One of the reasons this type of attack grows in prevalence every year is its low barrier to entry. Cybercriminals use current events, such as the COVID-19 pandemic or cryptocurrency, to convince unwitting victims to hand over confidential data, such as passwords, credit card information, and login credentials.

The 2022 ThreatLabz Phishing Report found that phishing attacks lure victims by posing as top brands or promoting topical events. The top phishing themes in 2021 included categories such as productivity tools, illegal streaming sites, shopping sites, social media platforms, financial institutions, and logistical services.

**A Global Problem**

In 2021, the U.S. was the most-targeted country globally, accounting for over 60% of all phishing attacks blocked by the Zscaler security cloud. The next most frequently attacked countries include Singapore, Germany, the Netherlands, and the United Kingdom.

Not all countries experienced the same attention from phishing attacks. For example, the Netherlands experienced a decrease of 38 %, which may have resulted from recently-passed legislation that increased the penalties for online fraud.

Phishing attacks were also not evenly distributed across different industries. Retail and wholesale businesses experienced an increase of over 400% in phishing attempts - the most out of all tracked industries. These businesses were followed by financial and government sectors, with organizations in these industries seeing over 100% increases in attacks on average. However, some industries experienced partial relief from phishing attacks last year. Healthcare saw a notable drop of 59 %, while the services industry saw a decline of 33 %.

**Phishing-as-a-Service - The Growing Threat**

While phishing has long been one of the most common tactics used in cyberattacks by sophisticated threat actors, it's becoming more accessible to non-technical cybercriminals due to a maturing underground marketplace for attack frameworks and services. By selling their pre-built phishing tools and services on the dark web, cybercriminals are making it easier to deploy phishing scams at scale, creating a greater chance for more phishing activity in 2022.

**Countering Phishing Attacks**

According to the Zscaler ThreatLabz research team, an average-sized organization receives dozens of phishing emails every day. This means that employees at all levels must be aware of the most common phishing tactics and empowered to spot phishing attempts that can result in financial losses and damage to the business’ brand.

Facing the threats outlined in the 2022 ThreatLabz Phishing Report can be daunting, and while it's impossible to eliminate phishing risk, effective management can prevent business-critical information from falling into the hands of cybercriminals. Among other recommendations, Zscaler suggests the following tactics for countering phishing growth:

· Learning and understanding the risks posed by phishing to better inform policy and technology decisions

· Leveraging automated tools and actionable intelligence to empower employees with the tools needed to reduce phishing incidents

· Delivering timely employee training to build security awareness and promote user reporting

· Simulating phishing attacks to identify gaps in security policies and procedures

· Evaluating security infrastructure to ensure access to the latest research and system capabilities

**How the Zscaler Zero Trust Exchange****TM Can Mitigate Phishing Attacks**

User compromise is one of the most difficult security challenges to defend against. The Zscaler Zero Trust Exchange incorporates phishing prevention controls into a holistic zero trust architecture that disrupts every stage of attacks and minimizes damages. Capabilities include:

· **Preventing compromise** with full SSL inspection at scale, threat analysis using natively integrated threat intel and IPS signature detection, AI/ML phishing detection, and policy-defined high-risk URL categories commonly used for phishing such as newly observed and newly registered domains.

· **Eliminating lateral movement** by connecting users directly to apps, not the network, to limit the blast radius of a potential incident.

· **Shutting down compromised users and insider threats** with in-line application inspection and integrated deception capabilities to trick and detect attackers.

· **Stopping data loss** by inspecting data both in motion and at rest to prevent theft by an active attacker.

To download the full report, see the ThreatLabz 2022 Phishing Report.

**Methodology**

The ThreatLabz team evaluated data from the Zscaler security cloud, which monitors over 200 billion transactions daily across the globe. ThreatLabz analyzed a year’s worth of global phishing data from the Zscaler cloud from January 2021 through December 2021 to identify key trends, industries and geographies at risk, and emerging tactics.

New Zscaler Research Shows Over 400% Increase in Phishing Attacks With Retail and Wholesale Industries at Greatest Risk

Cybereason MalOp Detection Engine augmented with Nuanced DFIR Intelligence reduces the mean-time-to-detect and remediate incidents.

BOSTON, April 21, 2022 /PRNewswire-PRWeb/ -- Cybereason, the XDR company, today launched Cybereason DFIR (Digital Forensics Incident Response), a solution designed to automate incident response (IR) investigations by incorporating nuanced forensics artifacts into threat hunting, reducing remediation time by enabling security analysts to contain cyberattacks in minutes.

Today, many organizations find themselves vulnerable to breaches because security analysts lack the tools to quickly investigate and remediate all aspects of a threat. By offering incident response solutions driven by forensics, Cybereason can extend deeper value to Defenders. With the Cybereason MalOp™ Detection Engine augmented by Cybereason DFIR, security analysts can leverage the industry's most comprehensive detections from root cause across every impacted asset.

With forensics data added to the MalOp, security analysts have instant visibility into a wider range of intelligence sources to enable rapid decisions and remediate threats more efficiently. Cybereason DFIR includes the following capabilities:

Forensic Data Ingestion: Feed a treasure trove of forensic data to the MalOp™ Detection Engine for deeper insights, enrichment and contextualization.

Live File Search: Search for any suspicious file in the environment based on a wide variety of search criteria without the need for prior collection.

IR Tools Deployment: Streamline cumbersome IR investigations and work seamlessly with similar DFIR tools by deploying them via the Cybereason Sensor.

ExpressIR: IR Partners and large customers with internal DFIR teams can deploy a pre-provisioned IR environment to begin the investigation within hours of an incident.

"Cybereason DFIR enhances the performance of the Cybereason XDR Platform in our customers' environments enabling security analyst teams to detect, identify, analyze and respond to sophisticated threats before adversaries can inflict harm, and when needed, conduct a thorough post-mortem analysis of a complex incident. The merging of our powerful Cybereason XDR Platform with Cybereason DFIR provides the industry with the most powerful tools available," said Cybereason Chief Technology Officer and Co-founder Yonatan Striem-Amit.

Anything connected to the internet is part of an organization's attack surface, yet Defenders are forced to use multiple siloed solutions producing uncorrelated alerts to try to find and end these complex malicious operations. Now, Defenders can leverage Cybereason DFIR to centralize DFIR investigative work and end sophisticated attacks with the only solution on the market to deliver:

\--Comprehensive Response: Cybereason DFIR has a number of tailored remediation actions analysts can perform directly from the investigation screen. The solution empowers analysts to reduce Mean-Time- To-Detect and Mean-Time-To-Remediate. Cybereason DFIR also allows Defenders to contain attacks by executing commands directly on the host in question with remote shell and real-time response actions.

\--Uncover Advanced Adversaries: Fully reveal sophisticated adversaries and analyze complex TTP's by tracing the attacker path back to root cause. Defenders will have a better understanding of the full scope and timeline of an incident using enriched forensics to identify all impacted systems and users. Security analysts can investigate relevant files and forensic artifacts of interest through wide-ranging criteria to collect files as needed.

\--Fully Supported Technology: With a shortage of Tier III qualified security analysts, many security teams are understaffed and lack in-house IR expertise. Cybereason automates most aspects of a DFIR investigation and up-levels the capabilities of Level 1 and 2 analysts to perform complex forensic tasks. In addition, the Cybereason Services Teams fully supports investigations, breach recovery, forensic audits and deep-dive analysis.

About Cybereason  
Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Learn more: https://www.cybereason.com

Cybereason Launches Digital Forensics Incident Response

Seedrs Ltd. deployed and configured Alert Logic Intelligent Response in minutes, and immediately began blocking critical threats.

HOUSTON, April 21, 2022 /PRNewswire/ -- Alert Logic by HelpSystems today announced general availability of its new intelligent response capabilities. The innovations, including simple mode and a mobile application, relieve IT and security departments of repetitive response tasks and the need for constant administration through human-guided and fully automated workflows. Seedrs, Europe's leading online private investment platform, is among the first adopters of the new capabilities, now available at no additional cost to Alert Logic MDR® customers.

Alert Logic Intelligent Response™ is designed to minimize the impact of a breach via embedded SOAR capabilities with workflows to enable response actions across network, endpoints, and cloud environments. This provides a backstop if attacks bypass prevention tools, improving an organization's security posture while allowing them to adopt automation at their own pace. As part of a holistic response strategy, the solution addresses detection, notification, and containment with multiple actions and use cases in a simplified user experience, making it easy for any organization to create automated response actions.

"The wizard-based user interface of Alert Logic's simple mode made the whole intelligent response configuration possible in just minutes," said Jonas Pereira, Senior DevOps Engineer, Seedrs. "I also have full visibility of our infrastructure, and our safety, literally in my pocket with the Alert Logic mobile application, ensuring we can effectively respond to any potential threat instantly."

Intelligent response simple mode focuses on the three most commonly needed actions:

*   **Shun an attacker** at the edge of a network, for Alert Logic and AWS WAFs
*   **Isolate a host** for SentinelOne or Microsoft Defender for Endpoint users
*   **Disable user** credentials that may be compromised, via AWS IAM or Azure Active Directory (including Office 365)

These three use cases are vital for preventing attacks or reducing the impact of successful attacks. Organizations may introduce the human touch anywhere in the process and increase the level of automation to suit their needs. Customizable response playbooks also save time by helping security experts integrate automated response actions into their business processes.

In addition to simple mode, the Alert Logic mobile application streamlines human-guided response, allowing security teams to remotely execute decisions for response actions immediately. Using the mobile application, CISOs can instantly approve response actions from anywhere, for a more flexible work environment.

"The beta customers who helped guide development of Alert Logic Intelligent Response told us they needed a flexible solution that allowed them to adopt automation at their own pace to increase their security posture," said Onkar Birk, Managing Director, Alert Logic by HelpSystems. "We're putting response in front of people in an intuitive way, getting them involved in the process, taking security actions to contain problems, and enabling resource-stretched teams to deploy best practice security."

To learn more about Alert Logic Intelligent Response, visit https://www.alertlogic.com/why-alert-logic/intelligent-response/.

**About Alert Logic** **by HelpSystems  
**Alert Logic by HelpSystems is the only managed detection and response (MDR) provider that delivers comprehensive coverage for public clouds, SaaS, on-premises, and hybrid environments. Since no level of investment prevents or blocks 100% of attacks, you need to continuously identify and address breaches or gaps before they cause real damage. With limited expertise and a cloud-centric strategy, this level of security can seem out of reach. Our cloud-native technology and white-glove team of security experts protect your organization 24/7 and ensure you have the most effective response to resolve whatever threats may come. Founded in 2002, Alert Logic is headquartered in Houston, Texas and has business operations, team members, and channel partners located worldwide. Learn more at alertlogic.com. Alert Logic – unrivaled security for your cloud journey.

**About HelpSystems  
**HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at www.helpsystems.com.

© HelpSystems, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.

Alert Logic®, Alert Logic MDR®, and Alert Logic Managed Detection and Response® are registered trademarks of Alert Logic, Inc.

Alert Logic Intelligent Response™ is a trademark of Alert Logic, Inc.

Alert Logic Releases MDR Incident Response Capability for Addressing a Breach

To better manage risks, companies can concentrate on resilience, sharing information to protect from cyber threats, and making the cybersecurity tent bigger by looking at workers with nontraditional skill sets.

As we look ahead, there are many reasons for optimism in cybersecurity. Defenders are maturing in their approach, we're getting better at articulating cyber threats in the language of business risk, and we're continually improving cross-sector collaboration.

But we still face a challenge navigating the changing threat landscape, something I discussed with industry peers on an HP-hosted CISO panel. I believe the cybersecurity industry needs to build on the positives by understanding cyber strategy more clearly in the context of good corporate governance, and by addressing the growing diversity and skills gap within our cybersecurity talent pool.

**When Change Is the Only Constant  
**As IT modernizes to support remote work, new customer experiences and evolving business processes, we're seeing attack surfaces expand exponentially. On the one hand, this contributed to a record number of compromises in 2021, while the number of published vulnerabilities surged to an all-time high.

Yet there's another story behind the headlines. For years, we've been talking about the same old paradigm of attacker and victim. In this one-to-one relationship, the attacker targets a victim and either succeeds or doesn't. Today, we're seeing more of what I would call "one-to-many" attacks. Supply chain attacks are nothing new, but we're seeing an uptick in their sophistication and ambition. Attackers have realized they don't need to constantly go one-to-one. They can find a common hub that connects hundreds or even thousands of potential victims and compromise it. For close to the same effort expelled, they have a significant step up in ROI.

As organizations look to manage supplier risk, spiraling costs, and geopolitical tension in the post-pandemic world, the complex web of interdependencies upon which they rely is growing. This is most apparent in the airline industry. It was fascinating to hear United Airlines VP and CISO, Deneen DeFiore, explain how the mindset in cyber is shifting from data protection to resilience. Understanding these supplier dependencies is critical to managing risk effectively, to minimize the operational impact of cyber threats.

**Collaboration Will Be Key  
**This mounting complexity also makes industry collaboration more important. It's only via collaboration with the right public and private sector organizations that we can understand how attackers are operating. Part of this involves organizations thinking about what is and isn't helpful to disclose around breaches. We can all agree that indicators of compromise (IoCs) are out of date as soon as they're published. So, what is relevant that can be shared between organizations?

Today's conversation is too centered around whether an organization was breached or not. If breaches are close to inevitable, we should focus more on sharing breach findings and post-mortem results that will help others.

The way CISA coordinated information sharing during the early days of the Log4Shell saga offers a useful model. The agency did an amazing job organizing and sharing information from different industry sources. Let's learn from it. Because as Ian Pratt, HP's global head of security for personal systems, explained, cybercriminal organizations are run like businesses now. They've become masters at sharing intelligence, information, and tooling to further their objectives.

**A People Problem  
**This touches on another critical point. The industry is short of more than 2 million cybersecurity professionals globally. In this moment of crisis, we should nurture the beginnings of something far bigger and better by growing our talent pool and breaking down the barriers to joining our sector.

There's an opportunity to make the cybersecurity tent bigger by looking outside of the industry. We could bring in more nontraditionally educated people, as we don't necessarily need college degrees for every role. We could target workers mid-to-late in their careers who have a rich set of skills in areas such as risk management or communication.

Diversity is also critical, but much work needs to be done. According to findings in an HP-commissioned study, 30% of women in the US applied for a promotion last year. However, of those that applied, only 40% of women were successful, vs. 52% of men. Cybersecurity, like the tech industry as whole, has a diversity issue, particularly with getting women into senior roles. We must understand how to best support women and their careers, as this is key for fostering a diverse workforce and attracting new talent.

Employers must do better at harnessing this large pool of untapped talent. As Siemens USA Chief Cybersecurity Officer Kurt John explained, diversity is the No. 1 way to drive creativity in response to the threats that we all face.

The good news is that boardrooms are starting to appreciate the importance of diversity and cybersecurity — just as CISOs are beginning to talk about cyber in the language of business risk. That offers definite grounds for optimism.

What has increasingly dawned on me is that, as cybersecurity leaders, we're much more likely to make the right decisions for the enterprise by viewing cyber in the context of effective corporate governance. I believe that's the way to craft an enterprise-specific strategy. Let's make the "G" in _environmental, social, and governance_ (_ESG_) really mean something for cybersecurity and get ourselves onto the front foot.

3 Ways We Can Improve Cybersecurity

Intel, FiVerity, and Fortanix team up to launch an AI-driven fraud detection platform into a confidential computing environment.

A new partnership will bring confidential computing to financial services companies in their fight against digital identity fraud.

Confidential computing tackles the challenge of securing data during processing or runtime by using hardware-based trusted execution environments (TEE), an environment that focuses on data integrity, data confidentiality, and code integrity. The data, as well as the application processing that data, are isolated within secure enclaves so that nothing else can access that data, even if the infrastructure is compromised. This way, enterprises can run sensitive applications on public clouds or other hosted environments without worrying about the possibility of data exposure.

The partnership is between Intel, digital fraud prevention platform FiVerity, and Fortanix, a cloud security company. FiVerity's anti-fraud platform relies on artificial intelligence (AI) to detect fraud and incorporates the latest data privacy technologies. FiVerity will rely on Intel Software Guard Extensions to protect the data and control access, while Fortanix will deliver the confidential computing environment for FiVerity's fraud-detection models and transaction data from financial institutions.

Financial institutions would be able to analyze intelligence on fraud activity without exposing personally identifiable information, keeping banks in compliance with security and privacy requirements and reducing their exposure to digital fraud, the three companies said in a joint statement.

The confidential computing market is estimated to grow to $54 billion by 2026, according to a recent report from the Linux Foundation and Confidential Computing Consortium and conducted by the Everest Group.

"We believe that digital fraud detection is a particularly important and timely challenge for the industry which can be addressed with this technology," said Fortanix CEO Ambuj Kumar in a statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Anti-Fraud Partnership Brings Confidential Computing to Financial Services

New research shows threat actors increasingly leveraging social networks for attacks, with LinkedIn being used in 52% of global phishing attacks.

Shipping, retail, and tech companies are no longer the most popular brands used to hide phishing attacks. Instead, social media platforms have become the brands of choice used to dupe victims and steal their personal data, with LinkedIn-related lures accounting for a full 52% of all global phishing attacks during January, February, and March of 2022, according to new data.

LinkedIn phishing-lure use exploded by 44% over the previous quarter, when it was used in just 8% of phishing attempts, according to Check Point's latest Brand Phishing Report.

"As well as LinkedIn being the most targeted brand by a considerable margin, WhatsApp maintained its position in the top ten, accounting for almost 1 in 20 phishing-related attacks worldwide," the report said.

Shipping is still a draw, even though LinkedIn overtook DHL as the brand most often used in phishing attacks. DHL is now the second-most abused brand, behind 14% of attempts during the same time period. FedEx moved up from seventh place to fifth over the past quarter, with 6% of all phishing attempts spoofing its brand.

**Check Point's List of Top 10 Abused Brands**  

1.  LinkedIn (accounting for 52% of all global phishing attacks over the quarter)
2.  DHL (14%)
3.  Google (7%)
4.  Microsoft (6%)
5.  FedEx (6%)
6.  WhatsApp (4%)
7.  Amazon (2%)
8.  Maersk (1%)
9.  AliExpress (0.8%)
10.  Apple (0.8%)

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LinkedIn Brand Now the Most Abused in Phishing Attempts

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

Identity cloud provider Okta concluded its investigation into a recent breach of its systems by the Lapsus$ extortion group, which gained access to some of company's systems through a third-party contract firm and then revealed the compromise in March.

The breach impacted only two customers, with the hackers maintaining control of a single computer at contract firm Sitel for a 25-minute period, Okta said in the postmortem analysis published on Tuesday. While the identity and access management firm had initially considered as many as 366 customers at risk, the impact ended up being far less, David Bradbury, chief security officer at Okta, stated in the analysis.

The breach caused consternation within the security community because of the lack of notice from Okta and worries that access to the company's systems could undermine much of the security of its single sign-on (SSO) services — an issue of trust that Bradbury acknowledged.

"While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta," he said, adding: "The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents."

To head off attacks in the future, Okta intends to create more stringent security requirements for third-party contractors and have processes in place to confirm compliance. The company has already cut ties with Sitel, according to the postmortem report.

The Okta breach raised the profile of attacks on software supply chains and third-party providers, adding on to lessons from previous compromises such as SolarWinds and Kaseya, says Merritt Maxim, vice president at business intelligence firm Forrester Research. Third-party firms and service providers need to have measures in place to continuously assure customers that their services are secure, he says.

"This is an issue that has to be front and center for security organizations, to push beyond doing just security questionnaires for providers, to doing actual assessments and auditing of third parties," he says. "Simulate breaches and test your incident response plans, and rather than rely on the vendors to do it perfectly, you should be determining what you can do in response to a breach."

**Conduct Your Own Investigation**  
When a breach happens in a third-party provider, such as Okta or its own third-party provider Sitel, companies either are left in the dark or must pursue their own investigation. Whether Okta knew of the breach and failed to notify customers for two months, or the company failed to understand that a contractor's computer had been compromised, businesses need to be ready to verify the details of an incident, members of Cloudflare's security team argued in a March blog post.

Cloudflare has to verify its own systems, since some of the screenshots in leaked by Lapsus$ group appeared to indicate that they may have had access to Cloudflare's instance of Okta. As soon as a provider is breached, companies should have a playbook in place to spell out the steps that need to be taken to assure the integrity of their systems, such as checking all passwords and verifying changes to multifactor authentication with special attention paid to any event initiated by the support group.

To facilitate future investigations, Cloudflare's security team recommended that companies store logs from third-party services on their own premises to have a verifiable copy.

"For years, it has been a struggle to work with different software as a service provider to get all the logs ourselves," says Joe Sullivan, chief security officer at Cloudflare. "Too many times in the past, we have thought there was a risk and we did not have the logs, so we are very proactive."

For its part, Okta maintains that the company did not know about the severity of the issue until March 17, when Sitel sent their summary report, which they then connected with the Lapsus$ screenshots a few days later. "We recognized what appeared to be a connection to the January failed takeover attempt we observed and reported to Sitel," an Okta spokesman said. "We've publicly said we didn't understand the extent of the Sitel compromise in January, and if we had, our actions would have been different."

**Cloud Rife With Single Points of Failure**  
The incident also underscores that while cloud providers typically raise their customers' level of security, the cloud attracts attacks because so much access is concentrated in a small number of providers. Companies should always start by conducting a threat assessment to understand the risks presented by any infrastructure that they move to the cloud, Sullivan says.

"You look at what is the worst that could happen, and how do you mitigate that risk," he says. "If a compromise of a system could lead to a bunch of customer data getting exposed or intellectual property being accessed, then you need to go further."

In the end, while the cloud model asserts that responsibility for security is shared, companies need to understand that that they need to take their fate into their own collective hands, says Forrester Research's Maxim.

"Don't assume that the vendor is going to take care of security and will do it all perfectly," he says. "Have the right playbooks and policies ready to go, so if there is an incident, you can take action whether the vendor is ready or not."

For its own part, Okta plans to directly manage even third-party devices that access its customer-support tools so as to maximize visibility into potential security threats, and it will limit the amount of information that support personnel can view, Bradbury said in the company's postmortem analysis. In addition, as a third-party provider itself, Okta plans to review how to better communicate incidents with its customers.

_Editor's note: This story was updated on April 21 with a quote from an Okta spokesman._

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Cloud security is constantly evolving and consistently different than defending on-premises assets. Denonia, a recently discovered serverless cryptominer drives home the point.

One of the more important points to get across when addressing cloud security is to make it clear to all involved that cloud security is not only different, but that it keeps evolving. If security professionals needed a reminder of this, they need to look no further than the recent discovery of Denonia, a cryptominer that operates in serverless environments.

Denonia was found by the Cado Security research team, and it released details a few days ago. Denonia is a Go-based cryptominer malware, and it appears to be the first such malware to specifically exploit AWS Lambda, the well-known serverless function execution service. The researchers indicate that Denonia was not widely disseminated and that it executes the XMRig mining software for stealing CPU cycles for mining Morero, while using techniques such as DNS-over-HTTPS (DoH) for evasion. The initial deployment mechanism is unknown but may be a matter of overprivileged environments.

While small in scope, Denonia is notable for its use of the cloud technology stack as intended —it's a Lambda function executing on a Linux environment like any other. This is interesting, as it means similar malware can execute in other serverless function execution environments from other cloud providers as well.

**How the Vulnerabilities Differ**  
To be clear, this is different than some of the vulnerabilities that have been reported across major providers recently, such as ChaosDB (a flaw in Azure's CosmosDB service found by the Wiz security team last year), AWS CloudFormation and AWS Glue issues found by Orca Security, and some of the Google Cloud GKE vulnerabilities raised by the Palo Alto Networks Unit 42 security research team. In those cases, the cloud providers worked directly with the research teams to address those issues.

When discussing cloud security, too often we hear some confusion about security responsibilities. While cloud providers have worked to clarify some of this via their different "shared responsibility models," end-user organizations retain the overall responsibility for securing their cloud estates. Cloud providers are responsible for the structural security of the cloud environment itself, but customers are responsible for the workloads. This includes both ensuring that environments have been properly configured with the adequate mixture of configurations that yield capabilities and privileges — often the realm of cloud security posture management (CSPM) and cloud permissions management (CPM) offerings — and also ongoing monitoring of the multiple events taking place within those cloud estates, which may fall under cloud workload protection platforms (CWPP) or even cloud detection and response (CDR).

The lesson, then, to be learned from the discovery of Denonia is that cloud security keeps evolving: Runtime threats against an organization are not simply the same malware that would execute on a virtual machine but evolve into containers — indeed, exposed container management interfaces or those with poor authentication are often used to launch unauthorized workloads — and now serverless workloads. Organizations looking to address this dynamic need to have the right elements of people, processes, and technology to properly understand the new threat landscape, to look deeply into their cloud stack, and to work together with their cloud engineering and development teams.

Denonia Malware Shows Evolving Cloud Threats

The Russian government is ratcheting up malicious cyberattacks against critical infrastructure in countries supporting Ukraine.

The US, Australia, Canada, New Zealand, and the UK today issued a detailed joint advisory on the increased risk of cyberattacks out of Russia — both nation-state espionage and cybercriminal activity.

The advisory, issued by the Cybersecurity and Infrastructure Security Agency (CISA), warns that Russia's invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity and that the Russian government is actively trying to use cyberattacks against global organizations as a weapon in its war on Ukraine.

Security teams, including those with critical infrastructure providers in the US and beyond, need to prepare for these threats and shore up their defenses against malware, ransomware, distributed denial-of-service (DDoS) attacks, and cyber espionage. The Russian government is attempting to use cyberattacks in retaliation for sanctions as well as support being provided to the Ukraine defense efforts, according to the advisory.

Cybercrime groups have "threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine," according to the advisory. "Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive."

In a related development, CISA Director Jen Easterly today also announced the addition of a number of industrial control systems (ICS) companies have now joined the Joint Cyber Defense Collaborative (JCDC), a CISA initiative of government and private industry experts to coordinate on US cyber-defense operation plans for protecting and responding to cyberattacks and threats. Members of the JCDC co-authored the joint advisory CISA published today with its international partners.

The new ICS vendors include Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem, among others. 

 "As the destruction or corruption of these control systems could cause grave harm, ensuring their security and resilience must be a collective effort that taps into the innovation, expertise, and ingenuity of the ICS community," Easterly said in her announcement of the JCDC news during the ICS conference S4x22 in Miami. "I’m excited to leverage our evolving JCDC platform to enable us to plan, exercise, and collaborate with industry leaders to drive down risk to the systems and networks we depend on so greatly as a nation.”

CISA, Australia, Canada, New Zealand, & UK Issue Joint Advisory on Russian Cyber Threats

Stuxnet was the first known malware built to attack operational technology environment. Since then, there have been several others.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading