Bipartisan legislation allows cybersecurity experts to work across multiple agencies and provides federal support for local governments.

The Biden White House continued its efforts to shore up US cyber defenses by signing two bills into law, both with the goal of helping cybersecurity expertise and resources flow freely between federal agencies and down to municipalities in need of resources. 

The first piece of cybersecurity legislation, called the Federal Rotational Cyber Workforce Program Act of 2021, clears the necessary red tape to allow information technology, cybersecurity, and other related federal workers to provide expertise across multiple agencies. 

The second piece of legislation, the Local Government Cybersecurity Act, enhances coordination between the Department of Homeland Security, and state and local governments. 

“For hackers, state and local governments are an attractive target — we must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyber-attacks,” that bill's House sponsor, Rep. Joe Neguse, a Democratic Congressman from Colorado, said about the passage in a statement. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pair of Brand-New Cybersecurity Bills Become Law

The concept might make us sharp and realistic, but it's not enough on its own.

**The Rise of the Presumption of Compromise**

In cybersecurity, we often say that "prevention is ideal, but detection is a must." But why do we say that? Shouldn't both prevention and detection be musts in a layered, defense-in-depth security approach? Well, this saying is rooted in a realistic view of reality, where we, as cyber-defense professionals, have come to accept that it's almost impossible to prevent the bad guys from breaking into connected systems. The choices are either total isolation (which, in some cases, can be circumvented) or risking a breach of the system. This notion of failing prevention has become a linchpin in our modern defense strategy and has become known as a "presumption of compromise." That is, assume that you already have been breached and focus on never-ending detection and eradication of the badness lurking in your systems.

Since we failed with prevention, we turned to detection. To paraphrase Churchill: No one pretends that detection is perfect or all-wise. Indeed, it has been said that detection is the worst form of defense except for all those other forms that have been tried.

**The Inevitable Fall of Presumption of Compromise**

Nevertheless, the current form of presumption of compromise — which focuses on rapid detection — is intended to fail because its contemporary version serves merely as a tactical tool rather than as a strategical framework. It tells you what not to rely on but doesn't tell you how to truly solve the problem. Instead of providing a solution, presumption of compromise merely kicks the can down the road.

In a recent thought-provoking experiment, security researchers from Splunk tried to determine the speed of encryption of modern ransomware malware families. They selected 10 ransomware families and measured the time it took each to encrypt 100,000 files on a victim's system. The results were astonishing. It took 45 minutes on average, with the slowest ransomware (Babuk) able to encrypt the files within 3.5 hours, while the fastest ransomware (Lockbit) achieved this goal within only 4 minutes (!).

Other recent research, which analyzed ransomware attacks, concluded that "the average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021."

An additional parameter to consider in this context is breakout time, which measures how much time it takes for an adversary to hop from an initially compromised system on to the next. According to CrowdStrike, the average breakout time in 2021 is 1.5 hours. In 2018, it was almost 2 hours.

Unfortunately, these measurements provide a dismal forecast for our near future. The attackers are getting faster, and the ever-shrinking detection window is under a constant pressure.

**Automation Arms Race**

To detect faster, defenders turn to automation — sometimes by using static signatures and detection rules, and sometimes with the help of machine learning. Unfortunately, automation is not the monopoly of the good guys, and attackers use it as well. Being able to inflict damage faster and with fewer human personnel is serving the attackers' business models well, so the incentive to automate attacks has never been stronger.

Once both sides — the attack and the defense — increasingly turn to automation, we end up in a spiraling automation arms race. The defenders have had a head start in this race, spending the last several years developing and deploying AI-based solutions. Nevertheless, it's frightening to think about the consequences of the mass adoption of such technologies by the attackers, which continues to narrow the detection window.

**The Rebirth of the Presumption of Compromise**

The inevitable shrinkage of the detection window forces us to rethink its foundation. In the long term, it appears that detection alone is no longer a viable defense strategy. Instead, I believe that the focus of defensive strategy will be passed on to resilience — being able to recover quickly from an incident, with automation and volatile computerized systems that can be brought up and down instantly playing a pivotal role.

Make no mistake: A presumption of compromise is a good idea after all. It keeps us sharp and realistic. Nonetheless, its current detection-oriented manifestation looks like a losing strategy over the long term. Instead, we should start focusing on resilient, self-recoverable, and instantly rebuildable systems. Such recoverability will lay out the missing brick of the solution: protection, detection, and resilience. Together, they have the power to form the holy trinity of a truly sustainable defense-in-depth strategy.

The Rise, Fall, and Rebirth of the Presumption of Compromise

Farmers are incorporating high-tech solutions like IoT and drones to address new challenges facing agriculture.

The agriculture industry doesn't typically come to mind when thinking about sectors on the cutting edge. Yet it has been forging ahead through each industrial revolution, and today innovative farmers are starting to incorporate high-tech solutions to address the new challenges the industry is facing.

Automation and robotics, livestock technology, artificial intelligence, and precision agriculture are all opportunities to harness the power of future tech to bring farming into the 21st century.

Farmers face similar challenges regardless of the time period, including inflating operating costs and a shortage of laborers. This is compounded by the world population continuing to rise, increasing the demand on agriculture.

Now, in the Fourth Industrial Revolution, the Internet of Things (IoT) offers an opportunity for the agricultural industry to maximize efficiency while reducing costs, directly addressing the demands and challenges.

**What Is Smart Agriculture?**

Smart agriculture is the use of IoT in agriculture. IoT sensors collect environmental and machine metrics to inform decisions, monitor the state of crops, and optimize efficiency. For example, smart agriculture sensors can track how crops are doing and help farmers use fertilizers and pesticides judiciously.

Overall, the agricultural industry hasn't adopted IoT as quickly as other industries or consumers have, but the market is quite dynamic. The disruptions of the pandemic, including the shortage of workers and supply chain issues, have pushed more farmers to adopt and innovate.

According to reports, the global smart agriculture market size is expected to triple by 2025, reaching $15.3 billion, compared with around $5 billion in 2016.

The market is still developing, but currently IoT can improve agriculture by:

*   Collecting data to track performance and health, such as soil quality, growth progress, cattle health, and weather conditions.
*   Offering control over internal processes and reducing production risks, such as planning for product distribution based on production output.
*   Managing costs and waste with better control over production and risks.
*   Improving business efficiency with automation, such as automated irrigation, fertilization, pest control, and more.
*   Enhancing product volume and quality with better control over the production process, quality, and growth capacity.

**IoT Use Cases in Agriculture**

As the industry adopts more IoT devices, the use cases will likely increase. But here are the primary use cases for IoT in agriculture.

**Precision agriculture:** Precision agriculture offers information to make accurate, data-driven decisions and make operations more efficient. With IoT sensors, farmers can collect virtually any metric that's important for decision-making, including data on temperature, humidity, soil condition, lighting, CO2 levels, pest infestations, and disease. With this data, farmers can estimate the ideal amount of resources to use — like water, pesticides, or fertilizer — to reduce expenses and raise healthier crops and livestock.

**Climate monitoring**:**** Climate monitoring devices, such as weather stations with sensors, can be used to collect data about the environment. Farmers can then map climate controls and optimize crop capacity. These devices are often located in remote areas of the land , providing more accurate measurements in the growth environment and saving travel time.

**Crop management:** Part of the precision agriculture sector, crop management devices operate similarly to weather stations. They can be set up in the field to collect data related to crops, such as precipitation, crop health, and temperature. This allows farmers to monitor crop conditions and growth, as well as to spot any diseases or infestation that can negatively impact the crop yield.

**Cattle monitoring and management:** Similar to crop monitoring, IoT for cattle acts like medical wearables for livestock to monitor their performance and health. These devices can also be used for tracking to determine the location of the herd or an individual animal.

For example, sensors can alert farmers to potentially diseased animals for timely quarantine, sparing the rest of the herd. Drones can also be used for real-time livestock tracking.

**Agriculture drones:** Agricultural drones offer more precise data than planes or satellites. They can replace human labor in a variety of areas, including tracking livestock, combating pests, spraying, crop monitoring, and planting crops.

**Predictive analytics:** Predictive analytics is a component of precision agriculture. Real-time data offers many advantages for farmers, but the analytics aspect helps them use the information for better forecasting and optimization.

Overall, farming is at the whim of weather conditions, and data analytics can help farmers predict and manage the unexpected. For example, predicting upcoming precipitation can help farmers adjust irrigation to avoid over- or underwatering and optimize the use of fertilizers.

**Greenhouse automation:** Greenhouses are typically managed manually, but IoT sensors offer accurate, real-time information on changing greenhouse conditions, like soil quality, humidity levels, temperature, and lighting. Along with gathering data, these sensors allow controls to adjust the conditions to match the ideal parameters.

**End-to-end management:** This is the most complex part of agricultural IoT and includes a variety of IoT devices and sensors with analytical capabilities. Together, these devices offer remote farm monitoring and the capability to streamline operations.

**The Challenges of Smart Farming**

IoT for agriculture has virtually limitless applications, but it's not without its limitations.

**Hardware and sensor quality for accuracy.** The type of information you intend to collect should determine the hardware and sensors for your device, as well as the quality of the data you can collect.

**Data analytics and predictive algorithms.** Data analytics is an important component of smart agriculture, so it's vital to choose an option with robust capabilities.

**Ongoing maintenance.** One of the benefits of smart agriculture is that devices can be in remote or distant environments, but that also comes with challenges related to maintenance.

**Mobility for field use.** Similar to maintenance, smart devices should be designed for field use and enabled for remote access on a computer or smartphone.

**Connectivity.** Like all other smart technology, smart agriculture relies on communication. The connection must be able to travel over distances and be reliable enough for inclement weather.

**Security.** Smart farming involves large data sets, creating potential security vulnerabilities. Data security in IoT is an ongoing challenge, particularly in agriculture, so it's crucial to have AI-based security tools, data traffic monitoring, encryption, and remote access control.

IoT is seeing more and more adoption, but it's new in the farming industry. As farmers face greater obstacles, however, it's likely that IoT adoption will increase along with them. Young farmers are bringing about the Fourth Industrial Revolution in agriculture with future technologies that harness the power of data, automate processes, and optimize operations.

Reinventing How Farming Equipment Is Remotely Controlled and Tracked

Malicious invoices coming from the accounting software's legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.

Cyberattackers are hiding behind the QuickBooks brand to disguise their malicious activity, researchers are warning. The effort is a "double-spear" approach that packs a one-two punch: Stealing phone numbers and making off with cash via bogus credit-card payments.

The popular accounting software allows customers to sign up for cloud accounts, from which they can send out requests for payment, invoices, and statements, all coming from the quickbooks.intuit.com domain. According to an analysis from Avanan, cybercrooks are taking advantage of this to send out malicious versions of QuickBooks documents — and email security filters, having determined that the address isn't spooked and comes from an "allowed" domain, pass the messages right on to inboxes.

The campaign started in May, researchers noted in a blog post on Thursday. The email body spoofs brands like Norton or Microsoft 365 (formerly Office 365) and often claim that the targets owe monetary damages. The offensive casts a wide net, targeting companies across all industry segments, according to the firm.

"It presents an invoice and encourages you to call if you think there are any questions," Avanan researchers noted in their analysis. "When calling the number provided, they will ask for credit-card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesn't correlate with a real one."

Once the end user calls to see what’s going on, the hackers then harvest the phone number, allowing them to use it for follow-on attacks via text message or WhatsApp. They also receive the credit-card payment, so the campaign is two-pronged in terms of victim pain.

"On this one, we're dealing with a fairly sophisticated level as hackers have found a way to know that this attack will work and to do a double spear, gaining money and credentials," Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.

He adds, "Like any social-engineering scam, the likeliness of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and it's an invoice for what looks like a legitimate company, it might catch some users off-guard."

**Phishing, Cloaked in Legitimacy**

Using the legitimacy of cloud domains to reach the inbox is not a new approach, of course. But particularly as many businesses continue to support remote workers with cloud services and software-as-a-service apps, the approach has been cresting as these channels are less protected than traditional email gambits.

"With regards to broader trends that this falls into, we've seen hackers utilize legitimate sites for illegitimate purposes," Fuchs says. "Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, we've seen an uptick in hackers grabbing money and harvesting phone numbers for future attacks."

While other cloud services like Evernote, Dropbox, Microsoft, DHL, and many more have been abused in this fashion by phishers, nefarious types have leveraged Google in particular over the past few months.

For instance, in January, a threat actor used the comments function in Google Docs to dupe targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.

"Organizations can't block Google, so Google-related domains are allowed to come into the inbox," according to Avanan. "These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote."

To guard against attacks like these, Avanan recommends the following:

*   Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges.
*   Implement advanced security that looks at more than one indicator to determine in an email is clean or not.
*   Encourage users to ask IT if they are unsure about the legitimacy of an email.

Cyberattackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign

Latest Prisma Cloud platform updates help organizations continuously monitor and secure web applications with maximum flexibility.

SANTA CLARA, Calif., June 23, 2022 /PRNewswire/ -- Over the last two years, organizations have expanded their use of cloud environments by more than 25%. Many are now struggling to manage the technical complexity of cloud migration, including the ability to secure their applications across the entire application development lifecycle. Palo Alto Networks (NASDAQ: PANW), a leader in The Forrester Wave™: Cloud Workload Security, Q1 2022, today announced the addition of Out-of-Band Web Application and API Security (Out-of-Band WAAS) to Prisma® Cloud to help organizations secure web applications with maximum flexibility.

Until now, a primary industry approach to securing web applications has been to deploy inline web application firewalls (WAFs). Some organizations are reluctant to introduce WAFs or API security solutions inline, however, due to performance and scalability concerns. With today's announcement, Prisma Cloud can provide organizations with deep web and API security both inline and out of band, allowing them to choose how to protect their applications in the cloud.

"Companies no longer have to decide between application security and performance. By adding Out-of-Band WAAS to Prisma Cloud, we are empowering customers with flexible security options that fit their evolving application needs," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As more organizations move workloads to the cloud, the capabilities that make up Prisma Cloud help provide the most complete protection, reducing complexity and increasing visibility across infrastructure, workloads, identities and applications."

"As organizations increasingly build and deploy their applications in the cloud, protecting their business-critical applications without impacting performance has been a challenge," said Melinda Marks, senior analyst, ESG. "Adding the option of Out-of-Band WAAS helps both developer and security teams secure their applications with the same level of security as traditional in-line WAFs and API security without impacting performance."

In addition to Out-of-Band WAAS, Prisma Cloud is getting new threat detection, alert prioritization and permissions management capabilities to help provide organizations with deeper, unified visibility across their entire cloud application portfolio:

*   **Multicloud Graph View for Cloud Infrastructure Entitlement Management (CIEM):** Discover over-privileged accounts and understand access risk across multicloud environments. Prisma Cloud now provides a graph view of the net effective permissions across AWS, Microsoft Azure and Google Cloud.
*   **Multicloud Agentless Cloud Workload Protection:** Extend visibility into cloud workloads and application risks across Azure and Google Cloud, in addition to AWS, to complement existing agent-based protection.
*   **DNS-Based Threat Detection:** Surface malicious activity and anomalous behavior in cloud environments. Prisma Cloud Threat Detection now leverages machine learning (ML) and advanced threat intelligence to identify bad actors hiding in DNS traffic.
*   **MITRE ATT&CK**® **Alert Prioritization:** Enable security teams to prioritize risks and incidents based on the industry's most widely adopted framework.

**Availability**

Out-of-band WAAS is available today for Prisma Cloud Compute Edition and will be available in the Enterprise Edition over the next month. The additional features will also roll out for Prisma Cloud Enterprise Edition over the next month.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Networks Bolsters Its Cloud Native Security Offerings With Out-of-Band WAAS

To prevent these attacks, businesses must have complete visibility into, and access and management over, disparate devices.

Most of the news about Internet of Things (IoT) attacks has been focused on botnets and cryptomining malware. However, these devices also offer an ideal target for staging more damaging attacks from inside a victim's network, similar to the methodology used by UNC3524. Described in a Mandiant report, UNC3524 is a clever new tactic that exploits the insecurity of network, IoT, and operational technology (OT) devices to achieve long-term persistence inside a network. This type of advanced persistent threat (APT) is likely to increase in the near future, so it's important for companies to understand the risks.

**A Critical Blind Spot**

Purpose-built IoT and OT devices that are network-connected and disallow the installation of endpoint security software can be easily compromised and used for a wide variety of malicious purposes.

One reason is that these devices are not monitored as closely as traditional IT devices. My company has found that more than 80% of organizations can't identify the majority of IoT and OT devices in their networks. There is also confusion about who is responsible for managing them. Is it IT, IT security, network operations, facilities, physical security, or a device vendor?

Consequently, unmanaged devices regularly have high- and critical-level vulnerabilities and lack firmware updates, hardening, and certificate validation. My company has analyzed millions of IoT, OT, and network devices that are deployed in large organizations, and we've found that 70% have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10. Further, we found, 50% use default passwords, and 25% are at end of life and no longer supported.

**Compromising and Maintaining Persistence on IoT, OT & Network Devices**

Taken collectively, all of these issues play directly into the hands of attackers. Because network, IoT, and OT devices don't support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and turn on services within these devices without being detected. They can then maintain persistence because vulnerabilities and credentials aren't being managed and firmware isn't being updated.

**Staging Attacks Within the Victim Environment**

Due to the low security and visibility of these devices, they are an ideal environment for staging secondary attacks on more valuable targets inside the victim's network.

To do this, an attacker will first get into the company's network through traditional approaches like phishing. Attackers can also gain access by targeting an Internet-facing IoT device such as a VoIP phone, smart printer, or camera system, or an OT system such as a building access control system. Since most of these devices use default passwords, this type of breach is often trivial to achieve.

Once on the network, the attacker will move laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and network devices. Once those devices have been compromised, the attacker just needs to establish a communication tunnel between the compromised device and the attacker's environment at a remote location. In the case of UNC3524, attackers used a specialized version of Dropbear, which provides a client-server SSH tunnel and is compiled to operate on the Linux, Android, or BSD variants that are common on those devices.

At this point, the attacker can remotely control victim devices to go after IT, cloud, or other IoT, OT, and network device assets. The attacker will likely use ordinary, expected network communication such as API calls and device management protocols to avoid detection.

**Surviving Incident Response**

The same problems that make network, IoT, and OT devices an ideal place for staging secondary attacks also make them well-suited for surviving incident response efforts.

One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. It's very difficult to completely kill off attackers if they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most business networks — even if the attacker's malware and toolkits are completely removed from the company's IT network, command-and-control channels are disrupted, software versions are updated to eliminate previously exploitable vulnerabilities, and individual endpoints are physically replaced.

**How to Reduce Corporate Risk**

The only way for businesses to prevent these attacks is to have complete visibility into, and access and management over, their disparate IoT, OT, and network devices.

The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening. With that said, companies with large numbers of devices will be challenged to secure them manually, so companies should consider investing in automated solutions.

The first step companies should take is to create an inventory of all purpose-built devices and identify vulnerabilities. Next, companies should remediate risks at scale related to weak passwords, outdated firmware, extraneous services, expired certificates, and high- to critical-level vulnerabilities. Finally, organizations must continuously monitor these devices for environmental drift to ensure that what's fixed stays fixed.

These are the same basic steps companies follow for traditional IT assets. It's time to show the same level of care to IoT, OT, and network devices.

How APTs Are Achieving Persistence Through IoT, OT, and Network Devices

False positives and staff shortages are inspiring a massive managed detection and response (MDR) services migration, research finds.

Organizations drowning in security tasks with too few analysts and resources to handle them are moving in droves away from legacy services from managed security service providers (MSSPs) to more automated managed detection and response options. 

According to a LogicHub survey of IT professionals out this week, 79% of respondents using MSSPs to aggregate alerts are planning an upgrade to MDR services. Nearly a third (30%) already use MDR, with another 42% actively planning an upgrade in the next 12 months, LogicHub said.   

The promise of MDR's ability to stretch strapped security teams and resources with automated response, better threat detection, cloud support, and around-the-clock operations is supercharging the surge, according to the survey's respondents. In fact, 60% of respondents told LogicHub they had false-positive rates above 25%, creating mountains of unnecessary work for analysts. 

"This study has found a significant change in how organizations plan to address today's security challenges," Michael Sampson, senior analyst at Osterman Research, said in a statement about the new MDR service research. "The perfect storm of too many security tools creating too many alerts for overstretched security teams has created an urgent need for many organizations to move to more advanced managed security services."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

80% of Legacy MSSP Users Planning MDR Upgrade

The credential-phishing attack leverages social engineering and brand impersonation techniques to lead users to a spoofed MetaMask verification page.

Researchers have uncovered an email-based credential-phishing attack targeting users of MetaMask, a cryptocurrency wallet used to interact with the Ethereum blockchain.

The campaign is directed at Microsoft 365 (formerly Microsoft Office 365) users and has targeted multiple organizations across the financial industry. It starts with a socially engineered email that looks like a MetaMask verification email, according to the Armorblox research team, containing a link.

Upon clicking the link, users are taken to a spoofed MetaMask verification page, where they are asked to verify their wallet, claiming that non-compliance would result in limited access to their wallets.

The fake landing page uses MetaMask logos and branding to closely resemble the real log-in page, and it deploys a language of urgency to encourage compliance with the Know Your Customer (KYC) verification request.

"In order to get the victim to comply with the request and exfiltrate sensitive data, attackers included language within both the body of the email and the fake landing page that denoted a sense of urgency, making it known that time was of the essence," the Armorblox post notes.

The research team also pointed out that the attack leverages the curiosity effect, a cognitive bias that can be used to exploit the user's inherent urge to resolve doubt.

"Each further engagement through the attack flow further aimed to increase this trust through legitimate logo inclusions, branding, and key attributes that are only affiliated with the spoofed brand," the post continues.

**Attack Skates Past Microsoft Security**

Even though the email came from an invalid domain, the attackers were still able to slip through Microsoft's security controls, using a "gamut of techniques" to bypass secure email gateway (SEG) filters.

Armorblox CSO Brian Johnson notes while the company's research team does not have access to Microsoft threat detection details, they have seen a large amount of modern attacks spawn zero-day malicious links that are ephemeral in nature.

"With the advent of cloud services, it is easy to spin up and spin down malicious links in minutes," he explains. "These attacks can only be detected when you combine natural language understanding with artificial intelligence to go beyond static checks on known malicious links."

To protect against these types of attacks, Johnson says the basic steps include ensuring multifactor authentication (MFA) across all the organization's accounts — specifically, the ones that provide access to financial accounts.

The Armorblox post also recommends keeping an eye out for social-engineering cues, for example any logical inconsistencies within the email, and to augment native email security with additional controls.

**Cryptocurrency Attacks Evolving, Targeting Startups**

Johnson adds that crypto-wallet phishing has become more targeted and mainstream.

"As the use of cryptocurrency gains traction in both personal and business environments, it opens up another vector for malicious actors," Johnson warns.

Hackers' approaches to compromising cryptocurrency and digital asset exchanges continue to evolve, as a series of attacks against small and midsize businesses has led to major cryptocurrency losses for the victims.

Among these malicious actors is BlueNoroff, an advanced persistent threat (APT) group that's part of the larger Lazarus Group associated with North Korea, which carried out the SnatchCrypto campaign in January.

Meanwhile, cryptocurrency mixing — a technique that uses pools of cryptocurrency to complicate the tracking of electronic transactions — is set to grow, as ransomware and other cybercriminal enterprises increasingly lean into cryptocurrency, a November 2021 report from Intel 471 warned.

MetaMask Crypto-Wallet Theft Skates Past Microsoft 365 Security

Organizations may not frequently encounter malware targeting cloud systems or networking equipment, but the array of malware they do encounter just occasionally is no less disruptive or damaging. That is where the focus needs to be.

Enterprise defenders contend with a dizzying variety of threats as attackers regularly evolve their arsenals of attack tools. But a recent survey suggests that in many cases, tried-and-tested attacks remain more prevalent than more sophisticated ones.

According to Dark Reading's "The State of Malware Threats" report, security professionals encounter common viruses and phishing attacks delivering malware more than any other type of malware threat.

When asked which types of online attacks their organizations detected frequently or very frequently, half of IT security professionals pointed to common viruses, followed by 47% for phishing attacks delivering malware and 30% for malware designed to steal credentials. These statistics highlight just how big a security headache phishing and credential theft are for organizations.

**Not Yet Frequent, Thank Goodness**

Nowadays, the focus is on ransomware because of its destructiveness: Business operations are disrupted, technical remediation is difficult, organizations often have to shut down temporarily as they attempt to recover, and attacks are costly (regardless of whether the ransom has been paid). And recent research from Cybereason suggests that paying the ransom doesn’t protect organizations from being hit again, with many reporting a second ransomware attack within a month of the first.

Assuredly, just under a quarter of respondents in our survey said their organizations detect ransomware attacks frequently or very frequently.

That’s not to say defenders don’t have to worry about ransomware attacks – attackers are increasingly opting for ransomware over other attack methods. As the "2022 Verizon Data Breach Investigations Report" notes, a quarter of breaches last year involved ransomware. And ransomware is top of mind for IT security professionals: When asked which types of attacks worried them most, 61% cited ransomware, followed by 54% for phishing.

**Occasional/Rare Still Induces Headaches**

Even so, IT security teams can’t only pay attention to frequent attacks. Many threats – such as malware designed to infect routers or other networking equipment, or malware compromises that are the result of a security breach with a supplier – may occur less frequently, but they are no less calamitous when they hit. A quarter of respondents said they’ve occasionally detected malware targeting cloud systems, 24% occasionally detected malware targeting networking equipment, and 21% occasionally encountered malware that was triggered by a security incident or compromise on supplier networks and systems.

Many of the sophisticated malware attacks remain rare. Multivector malware that behaves differently depending on the system it infects is frequently used in targeted attacks, which explains why 28% of IT security professionals said their organizations have never detected this threat. Similarly, despite the lack of basic security controls in the Internet of Things (IoT), more than half of IT security professionals said their organizations rarely, or never, detected attacks targeting IoT and other non-traditional systems. Also rarely detected are fileless malware that resides in memory (44%) and cross-platform malware designed to target more than one platform or operating system (50%).

There is a lot of rumbling right now about how automation can help with security defense. That is particularly true in this case, as automating malware detection and remediation for the more commonly seen threats could free up defenders to focus on the “occasional” and “rare” attacks that can be just as problematic for the organization, if not more.

Organizations Battling Phishing Malware, Viruses the Most

A voicemail-themed phishing campaign is hitting specific industry verticals across the country, bent on scavenging credentials that can be used for a range of nefarious purposes.

Microsoft 365 and Outlook customers in the US are in the crosshairs of a successful credential-stealing campaign that uses voicemail-themed emails as phishing lures. The flood of malicious emails anchoring the threat is emblematic of the larger problem of securing Microsoft 365 environments, researchers say.

According to an analysis from Zscaler's ThreatLabz, a highly targeted offensive has been ongoing since May, aiming at specific verticals, including software security, the US military, security-solution providers, healthcare/pharmaceuticals, and the manufacturing supply chain.

The campaign has been successful in compromising swaths of credentials, which can be used for a variety of cybercrime endgames. These include taking over accounts in order to access documents and steal information, eavesdropping on correspondence, sending believable business email compromise (BEC) emails, implanting malware, and burrowing deeper into corporate networks. The user ID/password combos can also be added to credential-stuffing lists in hopes that victims have made the mistake of reusing passwords for other types of accounts (such as online banking).

"Microsoft 365 accounts are often a treasure trove of data, which can be downloaded en masse," says Robin Bell, CISO of Egress. "Furthermore, hackers can use compromised Microsoft 365 accounts to send phishing emails to the victim’s contacts, maximizing the effectiveness of their attacks.”

**Voicemail Phishing Attack Chain**

From a technical perspective, the attacks follow a classic phishing flow — with a couple of quirks that make them more successful.

The attacks start out with purported missed-voicemail notifications being sent via email, which contain HTML attachments.

HTML attachments often get past email gateway filters because they aren't in and of themselves malicious. They also don't tend to raise red flags for users in a voicemail notification setting, since that's how legitimate Office notifications are sent. And for added verisimilitude, the "From" fields in the emails are crafted specifically to align with the targeted organization's name, according to a recent Zscaler blog post.

If a target clicks on the attachment, JavaScript code will redirect the victim to an attacker-controlled credential-harvesting website. Each of these URLs are custom-created to match the targeted company, according to the researchers.

"For instance, when an individual in Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp\[.\]com/<base64\_encoded\_email>," they noted in the blog post, which detailed the attacks. "It is important to note that if the URL does not contain the base64-encoded email at the end; it instead redirects the user to the Wikipedia page of MS Office or to office.com."

Before the mark can access the page however, a Google reCAPTCHA check pops up — an increasingly popular technique for evading automated URL analysis tools.

CAPTCHAs are familiar to most Internet users as the challenges that are used to confirm that they're human. The Turing test-ish puzzles usually involve clicking all photos in a grid that contain a certain object, or typing in a word presented as blurred or distorted text. The idea is to weed out bots on e-commerce and online account sites — and they serve the same purpose for crooks.

Once the targets solve the CAPTCHAs successfully, they're sent onto the phishing page, where they're asked to enter their Microsoft 365 credentials — which, of course, are promptly captured by the bad guys on the other end of the URL.

"When faced with a login prompt that looks like a typical O365 login, the person is likely to feel comfortable entering their information without looking at the browser's URL bar to ensure they are at the real login website," Erich Kron, security awareness advocate with KnowBe4, tells Dark Reading. "This familiarity, and the high odds that an intended victim regularly uses O365 for something in their workday, makes this a great lure for attackers."

Using voicemail as a lure isn't a new technique — but it's a successful one. The current campaign is actually a resurgence of earlier activity seen in July 2020, the researchers noted, given significant overlap in the tactics, techniques, and procedures (TTPs) between the two phishing waves.

"These attacks target human nature, manipulating their victims using techniques that play on our psychology," Egress' Bell tells Dark Reading. "That's why, despite investing in security awareness training, many organizations still fall victim to phishing. In addition to this, threat actors are crafting increasingly sophisticated, highly convincing attacks that many people simply can’t distinguish from the 'real thing.' This is exacerbated by the increasing use of mobile devices, as users often can’t see details like the sender’s real information."

**Microsoft 365 Continues to Be a Popular Target**

The cloud version of Microsoft's productivity suite, formerly known as Office365 or O365 and renamed Microsoft 365 by the company, is used by more than 1 million companies and more than 250 million users. As such, it acts as a siren song to cybercrooks.

According to a 2022 Egress report, "Fighting Phishing: The IT Leader’s View," 85% of organizations using Microsoft 365 reported being victims of phishing during the last 12 months, with 40% of organizations falling victim to credential theft.

"Microsoft O365 and Outlook are used by an estimated 1 million companies, so there’s a good chance that their victim, and the victim's organization, use these services," Bell says. "With such a high volume of accounts, the hackers have a better chance of reaching targets with a low level of tech awareness, who are more likely to fall for an attack."

Microsoft 365 phishes also are popular attack vectors because the blend in with normal workday activities, Kron notes.

"We spend a lot of our workday in a near autopilot mode, doing repeated tasks almost automatically, as long as the tasks are expected," he explains. "It’s only when something unexpected occurs that people tend to take notice and apply critical thinking. For many of us, the action of logging in to an O365 portal is not unusual enough to raise our suspicions. Many times, when people log in to these fake portals, the credential stealing software invisibly forwards the information to the legitimate login portal resulting in a successful login, and the victim is never aware that they were tricked.”

**How CISOs Can Defend Against Social Engineering**

There are significant challenges for CISOs in shutting down this type of threat vector, researchers say, mainly due to the fact that it's impossible to patch human nature. That said, user training to encourage employees to perform basic protections, like checking the URL before logging in, can go a long way.

"We have to face the fact that social-engineering attacks, which include phishing, vishing, and smishing, are here to stay," says Kron. "Phishing has been prevalent almost since email began, and the damage done and losses sustained are simply too high to ignore, while hoping for the best. CISOs need to understand these risks, and employees need to understand that in our modern world where everyone uses computers and processes information in some way, cybersecurity is a part of everyone’s job, and will be for the foreseeable future.”

Beyond this basic best practice, CISOs should also take back-end technology steps to fill in for when people make mistakes, as they inevitably will. And this should go beyond standard secure email gateway filters, according to Bell.

"To truly mitigate the risk, organizations need the right technology," he advises. "CISOs need to evaluate their security stack, ensuring that they are augmenting their email platforms with additional layers of protection to ensure that their people and data are protected. Technology should partner with employees to help them to identify even the most sophisticated attacks, ensuring that credentials and email accounts cannot be compromised by threat actors.”

Kron recommends a commonsense defense approach that combines both technology and training.

"For CISOs that do not recognize this and attempt to counter these attacks with purely technical tools, the odds of success are quite low," he says. "For CISOs that understand that these attacks are exploiting human vulnerabilities and deploy a mix of technical controls as well as tackling the human issue through education and training, the results are often much better."

Source

DARKReading