A decentralized future is a grand ideal, but secure management of private keys is the prerequisite to ensure the integrity of decentralized applications and services.

The lyrics to the 1937 song of the same title, "Me, Myself, and I" speak to individual identity – me, the whole person, and nobody else. In the context of the emerging paradigm of decentralized applications and services, often wrapped in the cloak of Web 3.0, one of the promised benefits for the individual is control over their personal data. Central to this anticipated benefit is the irrefutability and verifiability of a "digital self," comprising the "digital twin" of our actual person. 

The central thesis of the decentralized future is that I should be able to demonstrate certain aspects of my identity in the digital domain that are manifest in the physical domain – for example, my valid passport, academic record, Social Security details, and financial transactions. These characteristics, or "claims," about my identity should be able to be verified, independently, by a relying party, to establish the necessary trust for some transaction between us. The change from existing federated identity methods is that I choose whether to disclose my personal data for a specific purpose and I retain control of the disclosure process under the concept of self-sovereign identity (SSI).

How do I gain this control over my identity? The answer is through the use of public key cryptography, where I provide a public key that others can use to verify my unique cryptographic signature, generated using a private key to which only I have access. This system of digital signature and verification is in widespread use today and is the basis for secure communications between the server hosting this article and your Web browser. To enable decentralized verification of credentials, public keys are written to a distributed ledger using a decentralized identifier (DID) that represents my uniqueness within the decentralized environment. DID standardization is currently being worked on by the World Wide Web Consortium (W3C), with the aim of establishing interoperability across discrete, decentralized networks. 

Crucially, the public key associated with an individual or machine participating within a decentralized network forms part of the DID that all relying parties within a decentralized network use to validate my identity and my transactions. The distributed ledger provides irrefutable and immutable evidence of those transactions, based upon the use of my public-private key pair. In a decentralized world, your private keys become your identity. Your private keys are, therefore, not only a source of control, restricting who can access your data, they are also a source of acute vulnerability.

**Identity Loss**  
The consequences of either loss of your private keys or someone gaining unauthorized access to them are evident in several well-publicized examples of cryptocurrency theft, notably the separate attacks perpetrated against Mt. Gox, Bitfinex, and Coincheck. Once access had been gained to the private keys used to authorize cryptocurrency transactions, hundreds of millions of dollars in crypto-asset value were lost from user wallets. Ironically, in the case of the Bitfinex theft, it was a lack of adequate security to protect the alleged perpetrators' private keys that enabled law enforcement agencies to recover approximately $3.6 billion in Bitcoin assets that were stolen in 2016.

We are now witnessing a societal transition to the use of DID verification and associated ownership and custody of digital assets. As decentralized services proliferate, DID claims will also be enriched. Credentials issued by traditional identity providers, such as governments and banks, will be complemented by information from other sources. Not only will my digital persona reflect my activities and interests in the physical domain, but transactions made with my DID will be recorded across disparate blockchains, creating an immutable record of my life history.

With my private keys controlling the use of my identity in tomorrow's decentralized context, unauthorized access to those keys could be catastrophic. A malicious entity appropriating my private keys could not only gain access to wallets holding valuable cryptocurrencies and tokens, but they could also perform any variety of fraudulent transactions. In a worst-case scenario, my physical identity could become completely decoupled from my digital twin, rendering a demonstration of my identity virtually impossible in the digital domain. The problem being that where my DID is misused, the nature of distributed ledger transactions makes it extremely difficult to refute their authenticity after the event. How can I deny knowledge of a fraudulent application for a credit card or bank loan where my private key was used to sign the digital contract? How can I assert the continuity of my physical residence, after the use of my DID with a claim based on a fraudulent address?

Global initiatives such as the World Bank's Identification for Development (ID4D) project and the W3C's DID standardization activity are providing a framework for SSI management within a decentralized world. Secure management of private keys remains, however, the prerequisite for robust identity management and the integrity of decentralized applications and services. As the recent problems at Okta indicate, SSI can mitigate the risks associated with contemporary identity management services. Nevertheless, independent, secure, and available key management solutions represent the foundation of this new identity management model. While it is tempting to focus on the opportunities of the decentralized future, there is still much to resolve when it comes to securing our individual identities in this new ontological domain.

Me, My Digital Self, and I: Why Identity Is the Foundation of a Decentralized Future

Cyber-researchers are testing the bounds of optical attacks with a technique that allows attackers to recover voice audio from meetings if there are shiny, lightweight objects nearby.

BLACK HAT ASIA — A soda can, a smartphone stand, or any shiny, lightweight desk decoration could pose a threat of eavesdropping, even in a soundproof room, if an attacker can see the object, according to a team of researchers from Ben-Gurion University of the Negev.

At the Black Hat Asia security conference on Thursday, and aiming to expand on previous research into optical speech eavesdropping, the research team showed that audio conversations at the volume of a typical meeting or conference call could be captured from up to 35 meters, or about 114 feet, away. The researchers used a telescope to collect the light reflected from an object near the speaker and a light sensor — a photodiode — to sample the changes in the light as the object vibrated.

A lightweight object with a shiny surface reflects the signal with enough fidelity to recover the audio, said Ben Nassi, an information security researcher at the university.

"Many shiny, lightweight objects can serve as optical implants that can be exploited to recover speech," he said. "In some cases, they are completely innocent objects, such as a smartphone stand or an empty beverage can, but all of these devices — because they share the same two characteristics, they are lightweight and shiny — can be used to eavesdrop when there is enough light."

The eavesdropping experiment is not the first time that researchers have attempted side-channel attacks that pick up audio from surrounding objects.

**Improving on Past Optical Eavesdropping  
**In 2016, for example, researchers demonstrated ways to reconfigure the audio-out jack on a computer to an audio-in jack and thereby use speakers as microphones. In 2014, a group of MIT researchers found a way to use a potato chip bag to capture sound waves. And in 2008, a group of researchers created a process to capture the keys typed on a keyboard by their sounds and the time between keystrokes.

The MIT research is similar to the technique pursued by the Ben-Gurion University researchers, except that exploitation required more restrictive placement of the reflective object and required substantial processing power to recover the audio, said Raz Swissa, a researcher with Ben-Gurion University of the Negev.

"This \[older\] method cannot be applied in real time because it requires a lot of computational resources to recover just a few seconds of sound," he said. And other well-known techniques, such as a laser microphone, require a detectable light signal to work.

The researchers thus focused on creating a process that could be accomplished with everyday objects already in the targeted area and using instruments that are readily available. Using objects 25 centimeters — about 10 inches — away from the speaker, the researchers could capture fluctuations in the light reflected off of them up to 35 meters away. The recovered speech was quite clear at 15 meters and somewhat understandable at 35 meters.

Overall, the experimental setup, which the researchers call the Little Seal Bug, could be used to capture audio with everyday objects The attacker can be external to the target, thus less detectable, while the low computational requirements make capture available in real time.

**Great Seal, Little Seal and Beyond  
**The Little Seal Bug is a nod to a well-known early espionage incident, known as the Great Seal Bug. In 1945, the Soviet Union gifted the US ambassador a crimson, embossed eagle seemingly celebrating the US-Soviet collaboration to defeat Nazi Germany. Yet the Great Seal also had a hidden audio recorder that allowed Soviet spies to eavesdrop on high-level conversations in the embassy.

Similarly, the Little Seal Bug could use common items around an office to capture audio via reflected light. In addition, most mobile devices come with a photosensor that does not require special permission to access. While the researchers have not come up with an attack chain using the sensor, such a resource could very well be used by future attackers.

However, there are many more likely threats for espionage attacks, Nassi said. From compromising systems with malware and capturing the audio that way, to using microphones already embedded in Internet of Things devices, such as AI assistants and video cameras, our world is quickly becoming filled with potential eavesdropping devices.

"A smartphone, a laptop, an IP camera, and a smart watch are probably more risky in terms of privacy than these devices or objects," he said.

How to Turn a Coke Can Into an Eavesdropping Device

The Budapest Convention is a multinational coalition that agrees to share electronic evidence across international jurisdictions to track down cybercriminals.

The US Department of Justice has signed on to the Budapest Convention international treaty, which allows its 66 member countries to expedite the sharing of electronic evidence to more effectively track down cybercriminals, wherever they are on the globe.

"The Budapest Convention is a truly remarkable international instrument," Deputy Assistant Attorney General Richard Downing said. "Its technology-neutral approach to cybercrime has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods.”

Signed by Downing, the agreement, according to the DoJ, makes it easier for law enforcement agencies to obtain subscriber and traffic data from service providers for cybercrime investigations. The agreement followed nearly four years of negotiations, the DoJ noted. 

“It is our collective vision that every country that is serious about fighting cybercrime and that provides for the protection of human rights should become party to the Budapest Convention," Downing added. "The Convention strikes the right balance between imposing obligations on nations to have robust laws and capabilities and providing the flexibility necessary for nations with different legal systems to join."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Agrees to International Electronic Cybercrime Evidence Swap

In a keynote address at Black Hat Asia in Singapore this week, CISO and former NASA security engineer George Do discussed his go-to model for measuring security effectiveness – and getting others in the organization to listen.

BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other areas makes it very difficult for security engineers and nontechnical management to be on the same page.

During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to encourage security to be viewed as a valued part of the business for all departments, not just the CISO's office. It starts, he said, with quantifying that security effectively.

"All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?" he asked during the presentation, entitled, "Moving the Security Needle From the Security Trenches to the Boardroom." "You have to be able to answer that" and show why.

**Communications Breakdown  
**Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone's lives harder. Do referred to it as "ivory tower security," where the security apparatus appears to everyone else to be removed and prone to delivering a litany of "no's."

"Many of our organizations view the security team as a technical obstacle," Do said. "We are CIS-NOs, right? They think we sometimes do things in a vacuum, that we don't understand the impact of the business or at least understand, you know, the pain points the business is having. There's mistrust of the security team."

He added, "The more processes and the more gates that we set up slow down the business and add friction. We often don't weigh that heavily enough in our selection of how we're going to design something."

Another communication pitfall exists between the CISO, the CIO, and CTO. All are often dragged into the boardroom together without being on the same page, which can create the possibility for adversarial or competitive relationships. But it's vitally important for CISOs to recognize the other tech-related leaders as partners and stakeholders, Do said.

"It's not for the CISO to say, 'Hey, CIO and CTO, these are all the bad things that are going on in your organization. You need to go fix it,'" he explained. "The better idea is to partner on a presentation together to present to the board, so whatever problems we call out, there's a plan of attack, and we can communicate on how we're doing against that plan of attack."

Another important strategy is to remind board members that they have skin in the game.

"Board members have what they call fiduciary duty, meaning that if the organization gets hacked or compromised and it's found that the board members were not focusing on that risk area for the organization, they can be held liable," Do said.

Do encouraged audience members to consider the overhead with every security addition or program.

"Each logo you add to your security program will add a bit of technical debt," he explained. "You have to consider the cost to set up new processes, the man-hours, the impact on the business, \[and\] the cost of the product itself."

**5 Key Tips for Communicating Security Effectiveness  
**Do also laid out a five-pronged blueprint for communicating the importance of security programs to the entire business, and how to quantify ROI.

**1\. Know your audience:** When trying to communicate security results, it's important to use language that board members and business leaders can understand, Do pointed out. That includes using simple rules of thumb, such as avoiding jargon and acronyms.

It's also critical to understand that different stakeholders have different lenses. Security engineers may look at the number of attacks that were blocked by the firewall as a measure of success, while infosec managers and directors would rather know about the successful attacks and whether the systems were able to detect and respond to those attacks. Meantime, CISOs would be interested in finding out what could be done to prevent further breaches, while the CEO and board might be more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputation damage.

"These are all very different questions, all equally important," Do said.

**2\. Don't start with metrics:** It may seem counterintuitive, Do said, but it's important to start with the business objectives when framing security effectiveness.

"You may be a hospital, a government agency, a commercial company; whatever you are, you have business objectives, so start with that," Do advised. "This is how we generate revenue. This is what we're providing to the industry. What are the cyber-risks to that business, given whether or not you're in the cloud, your user base, your customer base? Understanding this will inform you what the metrics should be."

**3\. Be quantitative:** Once the metrics are defined, an organization's security road map should be aligned. That means investment in all of the projects, the products, the labor, the processes, and so on must be in service to meeting those metrics.

"The metrics should be public information, so every single team in the company knows what your goals are and that it's been signed off on. This isn't something security is cooking in the kitchen in a silo," Do noted.

It's important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: "You have to be able to measure it and repeat it."

**4\. Remember that security is a team effort:** Do pointed out that all too often, security teams take an us-against-the-world attitude – but in reality everyone has ownership in security processes and should be communicated as such, with clear responsibilities and roles for security in every department.

"Even areas like the procurement team may need to own some part of security processes, for instance," Do said. "Literally it takes a village to secure an organization, not just a security team. And in recognizing that, you can avoid the confusion over who's responsible, who's accountable, who's consulted, and who's informed. It's critically important because it sets the expectations upfront with your stakeholders on who owns what."

**5\. Pair empowerment with accountability:** Once security roles have been determined and it's clear who's accountable for what, it's important to also empower those individuals.

"Empowered means, do I have the authority to achieve my objective of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to achieve what I'm accountable for?" Do explained.

To wrap up, Do cautioned security teams to realize that implementing these best practices will be a journey with many obstacles, but that it’s important to persevere.

"Always without exception all of us are dealing with some level of challenges in this paradigm, meaning the measuring of security, and how do we communicate to our board our leadership, our owners, our shareholders, that we're moving the needle with security?" he said.

Do added, "Some organizations can turn on a dime; they can go to this model quickly," he said. "Others will take a year or more because of bureaucracy, politics, processes, whatever. But I would say don't let that detract you from pushing toward this model."

CISO Shares Top Strategies to Communicate Security's Value to the Biz

The conference opens with stark outlook on the future of global democracy — currently squeezed between Silicon Valley and China.

BLACK HAT ASIA 2022 – Technology is an existential threat to global democracy — requiring a shift to a transnationally regulated, culturally sensitive tech ecosystem that provides space for democracies to flourish.

That's the word from Samir Saran, president of the Observer Research Foundation, in the opening keynote for Black Hat Asia 2022.

"Democracy is turning on itself, and technology is the tool," Saran said. "If democracy is to survive, technology will have to be tamed." 

**Big Tech vs. Red Tech** Caught between Big Tech in Silicon Valley and what Saran called the "Red Tech" of the Chinese Communist Party, it's time for the world to establish meaningful global regulation of massive social and enablement platforms, which have often run amok and been used against the populations they purport to serve, Saran explained during the address, titled "#HackingDemocracy." 

Silicon Valley's ability to pick and choose who has a platform, seemingly based on the whims of owners, and its unwillingness to control the spread of hate speech and disinformation, primarily because it's good for business, are suffocating American democracy and should be reined in, he argued.

Big Tech in the US enjoys a quasi-utility status but uses its immense influence to fend off any sort of meaningful regulation, he explained from his bookshelf-lined office in India (his talk was remote). However, compared with the untamed censorship, malicious intent, and brutal wielding of Red Tech against populations, US-based companies are still the best hope for establishing new ground rules that can hold boardrooms and powerful figures accountable. "Perhaps even elected ones ...," Saran suggested. 

**China's Plan to Divide Democracies** China's Red Tech is more dangerous to democracy because, as Saran explained, it's used to "control the domestic population and also make mischief abroad." 

Chinese Big Tech has been able to insert itself into global democratic discourse and divide wherever possible through the use of deepfakes, fake news, and its formidable troll army, Saran warned. 

"The business model of China tech is to divide democracies," he said. "The Chinese are ensuring they are part of any conversation, any political discourse in free societies — democratic countries." 

Saran credits Chinese tech for maintaining the country's "brand" despite the COVID-19 outbreak in Wuhan by dominating and gaming the news cycle. "They were never held accountable for what happened in Wuhan," Saran said. 

But thanks to the so-called Great Firewall of China, no other countries have the same access to make similar troubles for the Chinese Communist Party. This is no longer tenable, and Saran recommends a global ultimatum to Beijing: Let the world in or we'll block you from the world. 

**Can China Be Held Accountable?** Saran said global tech's reaction to Russia's invasion of Ukraine by blocking Russian interests proves the sector has the ability to hold power accountable. 

"Can these same platforms work together to see that Chinese propaganda is offloaded?" he asked. "Can they take action against Chinese manipulation?" 

The question is whether they're willing to give up the Chinese market in the name of democracy. 

**Going for a Transnational Future  
**Transnational tech platforms also have an obligation to provide services with more cultural nuance, he said. 

"Facebook in India will have to have a different texture than Meta in the United States," Saran said, adding that ultimately, it's about taking better care of the people behind the usernames.   

Regulations could be an important part of the picture given that regional laws aren't one-size-fits-all for a culturally diverse globe, Saran added. 

"Transnational corporations need to have another level of regulation with some standards and accountability."

Black Hat Asia: Democracy's Survival Depends on Taming Technology

The White House and tech industry pledge $150 million over two years to boost open source resiliency and supply chain security.

Marking the one-year anniversary of President Biden's Executive Order on Improving the Nation's Cybersecurity, the Linux Foundation and the Open Source Software Security Foundation joined with 90 private-sector executives and government leadership to create a 10-point plan to improve the security of open source software. 

The plan has three primary goals — secure open source software production, improve vulnerability discovery and remediation, and shorten ecosystem patching response time — according to the announcement. 

The Open Source Software Security Mobilization Plan proposes 10 specific streams of investment in open source security including: education, risk assessment, digital signatures, memory safety, incident response, better scanning, code audits, data sharing, SBOMs, and improved software supply chain. The plan outlines the need for about $150 million in additional funding over the next two years. Amazon, Google, Ericsson, Intel, Microsoft, and VMware have pledged an initial investment of $30 million between them.

"What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it," Brian Behlendorf, executive director, Open Source Security Foundation (OpenSSF), said in a statement announcing the group's new initiative. **"**The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux, OpenSSF Champion Plan to Improve Open Source Security

A brand-new attack vector lays open enterprise data lakes, threatening grave consequences for AI use cases like telesurgery or autonomous cars.

Enterprise data lakes are filling up as organizations increasingly embrace artificial intelligence (AI) and machine learning — but unfortunately, these are vulnerable to exploitation via the Java Log4Shell vulnerability, researchers have found.

Generally, organizations are focused on ingesting as many data points for training an AI or algorithm that they can, with an eye toward privacy — but all too often, they're skipping over hardening the security of the data lakes themselves.

According to research from Zectonal, the Log4Shell bug can be triggered once it is ingested into a target data lake or data repository via a data pipeline, bypassing conventional safeguards, such as application firewalls and traditional scanning devices.

As with the original attacks targeting the ubiquitous Java Log4j library, exploitation requires only a single string of text. An attacker could simply embed the string within a malicious big-data file payload to open up a shell inside the data lake, and from there can initiate a data-poisoning attack, researchers say. And, since the big-data file carrying the poison payload is often encrypted or compressed, the difficulty of detection is much greater.

“The simplicity of the Log4jShell exploit is what makes it so nefarious,” says David Hirko, founder at Zectonal. “This particular attack vector is difficult to monitor and identify as a threat due to the fact that it blends in with normal operations of data pipelines, big-data distributed systems, and machine-learning training algorithms."

**Leveraging RCE Exploits to Access Data Lakes  
**One of the ways to accomplish this attack is by targeting vulnerable versions of the no-code, open source extract-transform-load (ETL) software application — one of the most popular tools for populating data lakes. An attacker could access the ETL service running in a private subnet from the public Internet via a known remote code execution (RCE) exploit, researchers explain in the report.

The Zectonal team put together a working proof-of-concept (PoC) exploit that used this vector, successfully gaining remote access to subnet IP addresses that were part of a virtual private cloud hosted by a public cloud provider.

While ETL patched the RCE issue last year, the components have been downloaded millions of times, and it appears that security teams have lagged in applying the fix. The Zectonal team was successful in "triggering an RCE exploit for multiple unpatched releases of the ETL software that spanned a two-year period," according to the report, shared with Dark Reading prior to publication.

"This attack vector isn't as simple as just kind of sending a text string to a Web server," Hirko says, noting the need to penetrate the data supply chain. "An attacker needs to compromise a file somewhere upstream and then have it be flowed into the target data lake. Say you were considering weather data — you might be able to manipulate a file from a weather sensor so that it contained this particular string."

This particular exploit and vulnerability has patches available, but there are likely many different avenues to achieving this kind of Log4Shell attack.

"There are probably many, many previously unknown or undisclosed vulnerabilities that allow the same thing," Hirko says. "This is one of the first data poisoning-specific attack vectors that we've seen, but we believe that data poisoning as a subset of AI poisoning is going to be one of the new attack vectors of the future."

**Real-World Consequences  
**So far, Zectonal hasn't seen such attacks in the wild, but researchers hope the threat is on security teams' radar screens. Such attacks may be rare, but they can have outsized consequences. For instance, consider the case of autonomous vehicles, which rely on AI and sensors to navigate city streets.

"Automakers are training their AI to look at stoplights, to know when to stop, slow down, or go in the classic red, yellow, green format," Hirko explains. "If you were to start poisoning your data lake that was training your AI, it's possible to manipulate the AI software to behave in unforeseen ways. Perhaps your car unintentionally gets trained to go when the traffic light turns red and stop when it turns green. So, that's the type of attack vector that we suspect we'll be seeing in the future."

**Security Protections Lag  
**The risks are gaining a higher profile among practitioners, Hirko tells Dark Reading — many of whom understand the danger but are at a loss for how to tackle it. Among the challenges is the fact that approaching the problem requires a new way of implementing security, as well as new tools.

"We were able to send the poisoned payload through a pretty common data pipeline," Hirko says. "Traditionally, these kinds of files and data pipelines don't come through your standard front-door set of firewalls. How data comes into the enterprise, how data comes into the data lake, hasn't really been part of the classic security posture of defense in depth or zero trust. If you're using any of the major cloud providers, data that comes in from an object storage bucket won't necessarily come through that firewall."

He adds that the file formats that these types of attacks can be bundled into are relatively new and somewhat obscure — and because they're specific to the big data and AI world, they're not as easy to scan with typical security tools, which are made to scan documents or spreadsheets.

Thus, for their part, security vendors need to focus on the development of different types of products to gain that further visibility, he notes.

"Companies are looking at the quality of the data, components, individual data points — and it just makes sense to look at the security vulnerability of that data as well," Hirko says. "We suspect that data observability will be built into quality assurance as well as data security. This is an emerging kind of data and AI security domain."

Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning

Three RSA 2022 sessions take deep dives into the security considerations around data cloud transformation.

For the past decade — and more so during the past three years — cybersecurity has become an epicenter of two equally transformative revolutions taking place at once: the cloud revolution and the data revolution. The true impact of these transformations on the cybersecurity industry and on business as we know it has yet to fully manifest itself, which makes them timely and urgent topics for deep discussion and consideration. The theme of 2022's RSA Conference, which takes place June 6–9 in San Francisco and online, captures these and other trends. In this article, I share recommendations for three RSA 2022 sessions that will provide a deep dive into the world of data cloud security.

**1\.** **How to Protect Healthcare Data in the Cloud  
**The cloud revolution is hardly new: More than 94% of global organizations use cloud platforms, and more than 76% leverage multicloud services such as Google Cloud, AWS, and Microsoft Azure to increase business velocity and efficiency. Meanwhile, data has always been a business driver, regarded as the "crown jewels" of customer-facing business.

As organizations accumulate more and more data — a large portion of it sensitive, proprietary, and personal — there can be a natural reluctance to trust emerging cloud technologies with these valuable assets. With new technology come new risks known to both security professionals and malicious actors, including misconfigurations and unauthorized access leading to exposure or destruction. The sheer number of cloud technologies and interested parties, combined with the dynamic nature of data in the cloud, presents an overwhelming challenge for security teams. Instead of restricting innovation, there must be a way to harness it and ensure its security simultaneously. Hear more about how this is done in healthcare, one of the most sensitive and highly regulated sectors, at this RSA 2022 session taking place June 7.

**2\.** **Data Inventory Workshop  
**Overwhelmed with the amount of data and adoption of new technologies, some security teams opt to restrict the use of certain cloud platforms — even if that means, for example, using spreadsheets for tasks such as inventorying and tracking data. The goal may be to gain more control, but the result is inhibited innovation and stunted organizational growth. Furthermore, as organizations strive to scale and evolve, such restrictions may turn the CISO into an obstruction in the eyes of business leaders within the organization. The data revolution demands a complete overhaul of the way organizations inventory and manage their data. Hear more about how to navigate regulations and business processes while championing innovative data inventory technology at this RSA session taking place June 7.

**3\.** **DLP: An Implementation Story  
**Multicloud environments have become a business necessity for modern organizations, increasing their efficiency and allowing them to scale more rapidly. As data leaves organizational networks and flows into the cloud, it is no longer centralized, and its use can no longer be accurately predicted by security teams. In the age of remote work and growing risk, data loss prevention (DLP) must adapt to ensure that security is granular and able to monitor all data uses and locations. Hear more about the challenges of implementing a modern DLP program and how to overcome them at this RSA 2022 session taking place June 8.

**Conclusion  
**Data transformation will increase in scale and impact across organizations, as development and business teams leverage and create cloud data stores faster than security teams can keep up — and often without their knowledge. We anticipate that, moving forward, this transformation will be the source of innovation and disruption. Click here for more on the 2022 RSA Conference and information about all of the sessions.

Data Transformation: 3 Sessions to Attend at RSA 2022

The group that shut down the second largest city in Greece was not new but a relaunch of DoppelPaymer.

In July 2021, the second largest city in Greece fell victim to a cyberattack orchestrated by an apparently amateur ransomware group. PayOrGrief appeared to have existed for just a couple of weeks when it broke through Thessaloniki's security systems.

The group exfiltrated and encrypted numerous files before issuing a devastating $20 million ransom demand. Unsure of just how far the breach went, the municipality's security team was forced to shut down all of the Thessaloniki website's public-facing services and launch a full investigation into the breach before it could even consider whether to pay the immense ransom.

**Spot the Difference: PayOrGrief and DoppelPaymer  
**It didn't take long for PayOrGrief to gain a reputation for disruption. Its use of double extortion ransomware tactics has proved effective in targeting organizations in all kinds of industries, including numerous manufacturers and municipalities like Thessaloniki.

The novelty of PayOrGrief's operation made it easy for it to beat security tools based on historical attacks, particularly in those first few weeks. Security experts had their suspicions, however, that PayOrGrief was more than the latest budding group to join the ransomware scene. Its attack playbook suggested experience.

Further investigations more or less confirmed that PayOrGrief was not a new group but a rebrand of an older one called DoppelPaymer, which ended its operations in May 2021. With the new PayOrGrief moniker and a slightly shifted set of tactics, techniques, and procedures (TTPs), the group has seen success to the tune of over $10 million in ransom payments.

The success of the PayOrGrief rebrand demonstrates just how easily a group can obscure itself from the sight of tools based on historical data. Altering its TTPs allowed PayOrGrief to beat security tools, but these changes were far from substantial, and for analysts the DoppelPaymer playbook was still plain to see.

**How PayOrGrief Orchestrates an Attack  
**This playbook was thrown open when, in July 2021, PayOrGrief targeted a European manufacturing company. The company in question had deployed Darktrace's self-learning artificial intelligence (AI) technology, which was continuously updating its understanding of the digital business and looking for anomalous behavior indicative of a threat. This technology was able to reveal the life cycle of PayOrGrief's attack.

PayOrGrief often begins its attacks with phishing emails containing fake updates or malicious documents through which it can inject malware strains like Dridex into target devices. In this case, four devices were compromised, likely by a single phishing campaign, and began to make command-and-control (C2) connections to several rare external IPs.

These connections, encrypted with an invalid SSL certificate, were followed by a 50MB upload of data to the company's corporate server. With this escalated position, the attackers established keep-alive beacons and were then ready to begin the exfiltration stage of this double extortion ransomware attack.

    

AI-generated summary of the incident, showing the data exfiltration from a single device. (Source: Darktrace)

In just a few hours, over 100GB of data was exfiltrated via HTTPS to the file storage platform Mega. The attackers had targeted more than this, but the company's autonomous defenses stood in their way.

Having recognized that this behavior was highly unusual in the context of the business' normal "pattern of life," the AI could have stopped the threat at its earliest stages if not mostly blocked from intervening by the company's configuration settings. The AI took what limited action it had permission to and limited the scope of the data exfiltration. By detecting and blocking anomalous file activity, it obstructed some of the exfiltration efforts, while continuing to monitor those parts of the digital estate in which it couldn't take direct action.

The attackers continued to move laterally through the digital estate, using RDP and SMB for internal reconnaissance and exploiting administrative privileges and processes. And then, only 10 hours after the first compromised devices began making malicious connections, PayOrGrief deployed its ransomware.

Encryption spread through the company, with an SMB write with the ".pay0rgrief" file extension seen on 137 devices. Once again, the AI cybersecurity system was able to protect certain devices from anomalous file activities and narrow the scope of the attack considerably. Through each stage of the attack — including C2, lateral movement, internal reconnaissance, exfiltration, and encryption — the AI suggested actions to block specific connections and enforce devices' patterns of life in order to halt the threat without disrupting the business itself.

**Stopping the Next Big Name in Ransomware  
**PayOrGrief is no longer an unfamiliar name, a fact that will now be reflected in the OSINT of many rules-based cybersecurity solutions. But if organizations continue with this approach, looking at historical attacks and playing continual catch-up with the latest ransomware strains and TTPs, they will always be vulnerable to whatever is coming next. As the speed and efficacy of the DoppelPaymer rebrand demonstrates, focusing on the specificities of the attacker is a short-sighted solution.

Businesses should instead adopt cybersecurity tools that stop threats regardless of whether they have been seen before. By continuously updating their understanding of how your business should behave normally, AI-driven solutions like Darktrace can piece together anomalies to detect emerging attacks and even take autonomous action to stop them. That means no matter what they call themselves, or how they operate, attackers will be seen for what they are — and stopped.

How to Avoid Falling Victim to PayOrGrief's Next Rebrand

A team of university researchers finds a machine learning-based approach to generating HTTP requests that slip past Web application firewalls.

BLACK HAT ASIA 2022 — A team of university researchers used basic machine learning to identify patterns that common Web application firewalls (WAFs) fail to detect as malicious, but which can still deliver an attacker's payload, one of the researchers said in a presentation at the Black Hat Asia security conference in Singapore on Thursday.

The researchers from Zhejiang University in China started with common ways of transforming injection attacks to target Web-application databases using the common Structured Query Language (SQL). Rather than using a brute-force search of potential bypasses, the team created a tool, AutoSpear, that uses a pool of potential bypasses that can be combined using a weighted mutation strategy and then tested to determine the effectiveness of the bypasses at evading the security of WAF-as-a-service offerings.

The tool successfully bypassed — as measured by a false negative rate — all seven of the tested cloud-based WAFs with a variety of success, from a low of 3% for ModSecurity to a high of 63% for Amazon Web Services' and Cloudflare's WAFs, said Zhenqing Qu, a Zhejiang University graduate student and member of the AutoSpear team.

"The case studies have shown the potential \[of the tool\], because detection signatures were not robust due to various vulnerabilities," he said. "Just adding comments or whitespace can bypass some WAFs, but the most effective mutation depends on specific WAFs."

Web application firewalls are a common way to defend important cloud software and Web services from attack, filtering out common application attacks and attempts at injecting database commands, also known as SQL injection (SQLi). A 2020 study, for example, found that 4 in 10 security professionals believed that 50% of application-layer attacks that targeted their cloud application bypassed their WAF. Other attacks focus on compromising the WAF through its inspection of traffic.

In their presentation, the team from Zhejiang University focused on ways of transforming requests using 10 different techniques for the four common request methods: POST and GET requests, either using JSON encoding or not. The researchers found that the four different types of requests were treated the same by four different WAF vendors, while others approached the inputs differently.

By systematically mutating the requests with different combinations of the 10 techniques — such as inline comments, substituting whitespace, and substituting the common tautologies (that is, "1=1") for others (such as, "2<3") — the researchers found a set of transformations that performed best against each of the seven different WAFs.

"\[C\]ombining multiple mutation methods, AutoSpear is much more effective in bypassing mainstream WAF-as-a-service solutions due to their vulnerable detection signatures for semantic matching and regular expression matching," the researchers stated in their presentation slides.

SQL injection attacks continue to be a major risk for many companies. The OWASP Top-10 Web Security Risks rated the Injection class of vulnerabilities at the top of its list of risks in 2013 and 2017, and as the No. 3 risk in 2021. The list, released approximately every four years, uses more than 400 broad classes of weaknesses to determine the most significant threats for web applications.

The research team started with creating Web applications that had specific vulnerabilities, and then used its approach to transforms the known exploits into a unique request that the WAF would not catch.

Bypassing Web application firewalls typically focus on three broad approaches. At the architectural level, attackers can find ways to circumvent the WAF and directly access the origin server. At the protocol level, a variety of techniques can use errors or mismatches in encoding assumptions, such as HTTP request smuggling, to bypass WAFs. Finally, at the payload level, attackers can use a variety of encoding transformation to fool the WAF into failing to detect an attack, while still producing a valid request from the standpoint of the database server.

The transformations allowed the attacks to be successful anywhere from 9% of the time to nearly 100% of the time, depending on the WAF and the request format, the team stated in their presentation. In one case, the researcher found that just adding a newline character, "/n", bypassed a major WAF-as-a-service.

**AWS, Cloudflare Affected**

The research team reported the vulnerabilities to all seven WAF providers: AWS, Cloudflare, CSC, F5, Fortinet, ModSecurity, and Wallarm. Cloudflare, F5, and Wallarm have fixed their issues, Zhenqing said. The team also provided the vendors with bypass patterns that can be used to detect the most common types of transformations.

"The other four are still working with us, since the flaws cannot be easily patched," he said.

Source

DARKReading