Three vulnerabilities in the service's Apache Airflow integration could have allowed attackers to take shadow administrative control over an enterprise cloud infrastructure, gain access to and exfiltrate data, and deploy malware.

Source: Aleksia via Alamy Stock Photo

Three flaws discovered in the way Microsoft's Azure-based data integration service leverages an open source workflow orchestration platform could have allowed an attacker to achieve administrative control over companies' Azure cloud infrastructures, exposing enterprises to data exfiltration, malware deployment, and unauthorized data access.

Researchers at Palo Alto Networks' Unit 42 discovered the vulnerabilities — two of which were misconfigurations and the third involved weak authentication — in Azure Data Factory's Apache Airflow integration. Data Factory enables users to manage data pipelines when moving information between different sources, while Apache Airflow facilitates the scheduling and orchestration of complex workflows.

While Microsoft classified the flaws as low-severity vulnerabilities, Unit 42 researchers found that exploiting them successfully could allow an attacker to gain persistent access as a shadow administrator over the entire Airflow Azure Kubernetes Service (AKS) cluster, they revealed in a blog post published Dec. 17.

Specifically, the flaws discovered in Data Factory were: a misconfigured Kubernetes role-based access control (RBAC) in Airflow cluster; a misconfigured secret handling of the Azure's internal Geneva service, which is responsible for managing critical logs and metrics; and weak authentication for Geneva.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

The Airflow instance's use of default, unchangeable configurations combined with the cluster admin role's attachment to the Airflow runner "caused a security issue" that could be manipulated "to control the Airflow cluster and related infrastructure," the researchers explained.

If an attacker was able to breach the cluster, they also could manipulate Geneva, allowing attackers "to potentially tamper with log data or access other sensitive Azure resources," Unit 42 AI and security research manager Ofir Balassiano and senior security researcher David Orlovsky wrote in the post.

Overall, the flaws highlight the importance of managing service permissions and monitoring the operations of critical third-party services within a cloud environment to prevent unauthorized access to a cluster.

Unit 42 informed Microsoft Azure of the flaws, which ultimately were resolved by the Microsoft Security Response Center. The researchers did not specify what fixes were made to mitigate the vulnerabilities, and Microsoft did not immediately respond to request for comment.

**How Cyberattackers Gain Initial Administrative Access**

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

An initial exploit scenario lies in an attacker's ability to gain unauthorized write permissions to a directed acyclic graph (DAG) file used by Apache Airflow. DAG files define the workflow structure as Python code; they specify the sequence in which tasks should be executed, the dependencies between tasks, and scheduling rules.

Attackers have two ways to gain access to and tamper with DAG files. They could gain write permissions to the storage account containing DAG files by leveraging a principal account with write permissions; or they could use a shared access signature (SAS) token, which grants temporary and limited access to a DAG file.

In this scenario, once a DAG file is tampered with, "it lies dormant until the DAG files are imported by the victim," the researchers explained.

The second way is to gain access to a Git repository using leaked credentials or a misconfigured repository. Once this occurs, the attacker can create a malicious DAG file or modify an existing one, and the directory containing the malicious DAG file is imported automatically.

In their attack flow, Unit 42 researchers used the Git repository leaked credentials scenario to access a DAG file. "In this case, once the attacker manipulates the compromised DAG file, Airflow executes it, and the attacker gets a reverse shell," they explained in the post.

Related:336K Prometheus Instances Exposed to DoS, 'Repojacking'

The basic exploit workflow, then, involves an attacker first crafting a DAG file that opens a reverse shell to a remote server and runs automatically when imported. The malicious DAG file is then uploaded to a private GitHub repository connected to the Airflow cluster.

"Airflow imports and runs the DAG file automatically from the connected Git repository, opening a reverse shell on an Airflow worker," the researchers explained. "At this point, we gained cluster admin privileges due to a Kubernetes service account that was attached to an Airflow worker."

The attack can then escalate from there to take over a cluster; use the shadow admin access to create shadow workloads for cryptomining or running other malware; exfiltrate data from the enterprise cloud; and exploit Geneva to reach other Azure endpoints for further malicious activity, the researchers wrote.

**Cloud Security Should Extend Beyond the Cluster**

Cloud-based attacks often begin with attackers pouncing on local misconfigurations, and the exploit flow again highlights how an entire cloud environment can be exposed to risk due to flaws exploited within a single node or cluster.

The scenario demonstrates the importance of going beyond merely securing the perimeter of a cloud cluster to a more comprehensive approach to cloud security that takes into consideration what happens if attackers break this boundary, according to Unit 42.

This strategy should include "securing permissions and configurations within the environment itself, and using policy and audit engines to help detect and prevent future incidents both within the cluster and in the cloud," the researchers wrote.

Enterprises also should safeguard sensitive data assets that interact with different services in the cloud to understand which data is being processed with which data service, they added. This will ensure that service dependencies are taken into consideration when securing the cloud.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Azure Data Factory Bugs Expose Cloud Infrastructure

Program designed to validate and sharpen cybersecurity skills for working professionals.

PRESS RELEASE

DOWNERS GROVE, Ill., Dec. 17, 2024 /PRNewswire/ -- A new vendor-neutral expert-level cybersecurity certification for cybersecurity professionals continues the comprehensive efforts to strengthen today's dynamic workforce by CompTIA, the global leader in IT certifications and training.

CompTIA SecurityX is the second of multiple new certifications included in the CompTIA Xpert Series, which was developed for IT professionals with multiple years of work experience who want to confirm their expert-level knowledge of business-critical technologies. CompTIA DataX was introduced earlier this year, and CompTIA CloudNetX for advanced network and systems architects will be introduced in coming months.

CompTIA SecurityX, which replaces CompTIA Advanced Security Practitioner (CASP+), is designed for security architects and senior security engineers charged with leading and improving an enterprise's cybersecurity readiness. The name change does not affect the certification status of current CASP+ certification holders or the continuing education (CE) program.

"CompTIA SecurityX is the only hands-on, performance-based certification for advanced practitioners — not managers — at the advanced skill level of cybersecurity," said Patrick Lane, director, cybersecurity product management at CompTIA. "This program is the only certification on the market that qualifies technical leaders to assess cyber readiness within an enterprise, and design and implement the proper solutions to ensure the organization is ready for the next attack."

According to new data from CyberSeek™, the most comprehensive source of information on the U.S. cybersecurity workforce, nearly 265,000 more cybersecurity workers are required to address current staffing needs. Although the cybersecurity workforce has expanded each year since 2013, there are only enough workers to fill only 83% of the available cybersecurity jobs.

CompTIA SecurityX covers the technical knowledge and skills required to architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise while considering the impact of governance, risk, and compliance requirements.

CompTIA SecurityX is compliant with ISO/ANSI 17024 standards and maps to DCWF work roles used by U.S. DoD Directive 8140.03M.

All certifications in the CompTIA Xpert Series are complemented with CertMaster Perform, which fills specific knowledge gaps rather than devoting time to already mastered materials. Learners are assessed at the beginning and throughout the learning process, focusing on key skills and tasks that are essential for an expert to know and understand.

The SecurityX CAS-005 learning product will upgrade to CertMaster Perform, which focuses on key hands-on security architect and senior security engineer skills within live environments. All of the Xpert series products will focus on more advanced, high-level hands-on skills using live labs.

CertMaster Perform for SecurityX assumes that the person who is taking the course already has years of experience in the fields of security architecture and senior security engineering. CertMaster Perform is designed to fill holes in knowledge rather than spend time on topics they already know. Learners will be assessed at the beginning of and throughout the learning process with a focus on key skills and tasks that are essential for an expert to know and understand.

Additional new features include enhanced virtual machine labs including challenge labs to cover each exam domain; demonstration videos to cover key topics from the course; podcast videos with cybersecurity professionals in the field; robust assessment content in CertMaster Perform and CertMaster Practice; and interactive activities throughout the course.

For complete information on CompTIA SecurityX and related CompTIA Learning resources visit https://www.comptia.org/certifications/securityx .

CompTIA Xpert Series Expands With SecurityX Professional Certification

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target.

Ben Barrontine, Vice President of Executive Services & Partnerships, 360 Privacy

December 17, 2024

4 Min Read

Source: Igor Stevanovic via Alamy Stock Photo

COMMENTARY

What are cybercriminals thinking? Inside the mind of a threat actor, the devil is in the details. Cybersecurity is composed of so many details that it's easy to miss some of them. For instance, even if you have all other employees protected, just one person not using two-factor authentication could put them all at risk.

Back in the day, a 99% success rate for security solutions was considered good. But the problem is that there's still a 1% chance of an attack getting through. To defeat that 1% chance, you must have layers of security. If you've got 10 layers of 99% success, you stack the odds in your favor that you will catch just about every security threat.

Defenses are getting more advanced, so threat actors will always search for the point of least resistance. In our day and age, that point is the human element. According to IBM, 41% of all cybersecurity incidents start with phishing as the initial attack vector. Fortunately, though, it's not all doom and gloom. By understanding the enemy, you can better prepare your organization against cyberattacks.

**The State of Security: Understanding Where Threat Actors Look**

Many threat actors are returning to the basics of social engineering by using information they get from data brokers. They're using basic phishing tactics to hook a target, because it avoids the automated cybersecurity tools and directly engages the individual human.

Cybercriminals rarely commit direct attacks against the designated target person. They typically find someone in the target's support system: an executive assistant, a spouse, kids, or the live-in grandmother. Whoever is the softest target in that support system will be the one who clicks a link. It doesn't matter if they have the latest, greatest security software update. Think of the Trojan horse story: A walled city's defenses were no match for a clever scheme that went right past all those defenses. In fact, the defenders opened the gates wide and unwittingly let the threat in.

**Train the Company's Cyber-Spidey Senses**

You have to develop a certain level of "Spidey sense" in employees, and it can be as simple as realizing that they need a second opinion before clicking a link. They don't have to be subject matter experts; they just have to know enough to recognize when they should ask someone else. After all, the Verizon "2024 Data Breach Investigations Report" notes that more than two-thirds (68%) of breaches analyzed included a nonmalicious human element, which involves insider errors or falling for social engineering schemes.

Part of developing this sense is looking for red flags in emails. While this may be getting harder with AI, there are still some obvious signs. Misspellings, odd phrasing, strange fonts, or out-of-character requests are all good indicators that something is amiss. For example, you would never get an email from your mom saying, "Hello, I need you to buy me gift cards." In addition, train employees to hover over the sender's name to see the email address. If the subject line says "Comcast," but the email address ends in "gmail.com," they can bet the email is a scam.

If a bad actor can access someone's packets by Wi-Fi sniffing or other means, the actor doesn't have to follow the person — they can just build out an electronic pattern of life and figure out where the target is going. That jeopardizes physical and digital safety. So, employees need to know not to connect to free Wi-Fi without a VPN and to turn Wi-Fi off when not using it.

People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene.

Basic cyber hygiene is essential and easy. Steps to train employees on include:

*   Be more stringent about the info they share online
    
*   Review and adjust privacy settings
    
*   Use strong and unique passwords
    
*   Enable two-factor authentication
    

*   Be skeptical of unsolicited requests
    
*   Regularly audit third-party apps
    

*   Separate personal and professional identities
    

All of these points can be taught and tested via ongoing training.

**Outmaneuvering the Cybercriminals**

Getting inside the mind of a threat actor can help security pros understand how they operate and what they're looking for — in essence, what makes a soft target. Criminals go after the low-hanging fruit, such as people who click on suspicious links. Your job is to harden all targets at your organization. 

One of the security layers needed to close that 1% gap mentioned earlier is ongoing cyber-hygiene training for all employees from the bottom to the top. This aspect of a full-spectrum security plan is crucial, as humans are typically the weakest link in the security chain. However, with the proper education and training, they can become a solid first line of defense that helps keep everyone in the organization safe.

**About the Author**

Vice President of Executive Services & Partnerships, 360 Privacy

Ben Barrontine joined 360 Privacy in 2021 and currently holds the position of vice president of executive services and partnerships. Prior to 360 Privacy, Ben worked as a targeting specialist with the National Security Agency (NSA) under the US Army’s CSS Program. During his time in service he has worked with the US Marshalls, Special Forces, and US Embassy Security Teams as a cyber and signals intelligence collector and targeting subject matter expert. Ben created and leads the Executive Services Division at 360 Privacy, which helps to educate and protect families, family offices, business executives, professional athletes, and entertainers.

To Defeat Cybercriminals, Understand How They Think

The cybersecurity startup's data loss protection platform uses contextual redaction to help organizations safely use private business information across AI platforms.

Source: f:nalinframe via Alamy Stock Photo

NEWS BRIEF

As more organizations explore ways to use AI tools such as ChatGPT, Gemini, Claude, and Llama, they are grappling with the challenge of using business information while protecting personally identifiable information and other confidential data.

Wald.ai, which launched its data loss protection platform on Dec. 10, offers contextual redaction, where sensitive information is sanitized from conversations with AI assistants. The Wald Context Intelligence platform connects businesses with AI assistants while protecting confidential data and managing regulatory compliance. The platform redacts any sensitive or proprietary information and inserts intelligent data substitutions so that the AI model can still respond with optimal results, the company said in a statement. The sensitive data is repopulated – outside of the AI – before the end user sees the query response.

Wald.ai allows generative AI to integrate into daily workflows, making it safe, accessible, affordable, and seamless for users, the company said. All user data is encrypted end-to-end, so even Wald is unable to access the sensitive information. The platform also offers organizations the ability to create secure Custom Assistants using internal knowledge bases.

“As companies face the risk of data leakage, the solution is not to block use of these platforms, but to put in place effective, user friendly guardrails to enable employee productivity,” Vinay Goel, co-founder and CEO of Wald.ai, said in a statement.

Wald’s platform is already in use in various industry sectors including healthcare, financial services, and legal. The company named two customers – Kiavi, who provides bridge loans to real estate investors, and Suki, a provider of AI-powered voice solutions for healthcare organizations. The platform is available as a software-as-a-service officering priced at $19.99 per user per month and customers can start with a 14-day free trial. Developers should contact Wald.ai to discuss their use cases for early access to the Context Intelligence API, the company said.

The company also announced it has closed a $4 million seed round from Inventus Capital, Entrada Ventures, and several angel investors.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Wald.ai Launches Data Loss Protection for AI Platforms

Arctic Wolf plans to integrate Cylance's endpoint detection and response (EDR) technology into its extended detection and response (XDR) platform.

Source: DigtialStorm via iStock

NEWS BRIEF

Arctic Wolf has announced plans to acquire Cylance from its owner, BlackBerry, to add endpoint security to its Aurora Platform, which also includes managed detection and response, vulnerability management, managed security awareness, and cloud security capabilities.

The integration addresses a growing demand for unified security solutions and could potentially position Arctic Wolf to take on competitors, such as CrowdStrike and SentinelOne. Arctic Wolf will be offering a native endpoint security solution as well as giving customers the option to work with any of the 15 supported endpoint products.

"By adding endpoint security to our platform, we will be delivering the security outcomes organizations want in one, frictionless operational platform to go toe-to-toe with today's advanced threats, while maintaining our commitment to customers and partners leveraging other endpoint solutions," said Dan Schiappa, Arctic Wolf's chief product and services officer, in a statement.

In a separate blog post, Schiappa said Aurora has integrated with Cylance for over seven years, and the "ability to stop 98% of endpoint attacks before they begin is something we have seen first-hand in our SOC." He assured existing Cylance customers that their endpoint security products will continue to be fully supported.

The transaction is a mix of $160 million in cash and 5.5 million Arctic Wolf common shares of Arctic Wolf. Arctic Wolf is currently privately owned but has IPO plans. The deal is expected to close in BlackBerry's fourth fiscal quarter, which ends in February.

The combination of Cylance and Arctic Wolf would "rapidly eliminate alert fatigue, reduce total risk exposure, and help customers unlock further value with our warranty and insurability programs," said Nick Schneider, president and chief executive officer of Arctic Wolf, said in a statement.

Cylance is Arctic Wolf's sixth acquisition. Previous deals include secure intelligence platform RootSecure, threat-hunting platform Rank Software, security training company Habitu8, digital forensics firm Tetra Defense, and security orchestration software developer Revelstoke.

Arctic Wolf is getting Cylance at a significant discount. BlackBerry originally paid $1.4 billion to acquire Cylance in 2018. Cylance was key to BlackBerry's transformation away from a mobile handset company into a provider of cybersecurity services.

"As Arctic Wolf leverages its scale to build upon and grow the Cylance business, BlackBerry will benefit as a reseller of the portfolio to our large government customers and as a shareholder of the company," said BlackBerry CEO John Giammatteo in a statement.

BlackBerry will retain its Secure Communications portfolio, including Unified Endpoint Management (UEM) for securing devices, AtHoc for critical event management, and SecuSUITE for secure messaging and phone calls.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

BlackBerry to Sell Cylance to Arctic Wolf

Artificial intelligence capabilities are coming to a desktop near you — with Microsoft 365 Copilot, Google Gemini with Project Jarvis, and Apple Intelligence all arriving (or having arrived). But what are the risks?

Source: 'Who is Danny' via Shutterstock

Artificial intelligence has come to the desktop.

Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis.

The integration of large language models (LLMs) that sift through business information and provide automated scripting of actions — so-called "agentic" capabilities — holds massive promise for knowledge workers but also significant concerns for business leaders and chief information security officers (CISOs). Companies already suffer from significant issues with the oversharing of information and a failure to limit access permissions — 40% of firms delayed their rollout of Microsoft 365 Copilot by three months or more because of such security worries, according to a Gartner survey.

The broad range of capabilities offered by desktop AI systems, combined with the lack of rigorous information security at many businesses, poses a significant risk, says Jim Alkove, CEO of Oleria, an identity and access management platform for cloud services.

"It's the combinatorics here that actually should make everyone concerned," he says. "These categorical risks exist in the larger \[native language\] model-based technology, and when you combine them with the sort of runtime security risks that we've been dealing with — and information access and auditability risks — it ends up having a multiplicative effect on risk."

Related:Citizen Development Moves Too Fast for Its Own Good

Desktop AI will likely take off in 2025. Companies are already looking to rapidly adopt Microsoft 365 Copilot and other desktop AI technologies, but only 16% have pushed past initial pilot projects to roll out the technology to all workers, according to Gartner's "The State of Microsoft 365 Copilot: Survey Results." The overwhelming majority (60%) are still evaluating the technology in a pilot project, while a fifth of businesses haven't even reached that far and are still in the planning stage.

Most workers are looking forward to having a desktop AI system to assist them with daily tasks. Some 90% of respondents believe their users would fight to retain access to their AI assistant, and 89% agree that the technology has improved productivity, according to Gartner.

**Bringing Security to the AI Assistant**

Unfortunately, the technologies are black boxes in terms of their architecture and protections, and that means they lack trust. With a human personal assistant, companies can do background checks, limit their access to certain technologies, and audit their work — measures that have no analogous control with desktop AI systems at present, says Oleria's Alkove.

Related:Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn

AI assistants — whether they are on the desktop, on a mobile device, or in the cloud — will have far more access to information than they need, he says.

"If you think about how ill-equipped modern technology is to deal with the fact that my assistant should be able to do a certain set of electronic tasks on my behalf, but nothing else," Alkove says. "You can grant your assistant access to email and your calendar, but you cannot restrict your assistant from seeing certain emails and certain calendar events. They can see everything."

This ability to delegate tasks needs to become part of the security fabric of AI assistants, he says.

**Cyber-Risk: Social Engineering Both Users & AI**

Without such security design and controls, attacks will likely follow.

Earlier this year, a prompt injection attack scenario highlighted the risks to businesses. Security researcher Johann Rehberger found that an indirect prompt injection attack through email, a Word document, or a website could trick Microsoft 365 Copilot into taking on the role of a scammer, extracting personal information, and leaking it to an attacker. Rehberger initially notified Microsoft of the issue in January and provided the company with information throughout the year. It's unknown whether Microsoft has a comprehensive fix for the issue.

Related:Generative AI Security Tools Go Open Source

The ability to access the capabilities of an operating system or device will make desktop AI assistants another target for fraudsters who have been trying to get a user to take actions. Instead, they will now focus on getting an LLM to take actions, says Ben Kilger, CEO of Zenity, an AI agent security firm.

"An LLM gives them the ability to do things on your behalf without any specific consent or control," he says. "So many of these prompt injection attacks are trying to social engineer the system — trying to go around other controls that you have in your network without having to socially engineer a human."

**Visibility Into AI's Black Box**

Most companies lack visibility into and control of the security of AI technology in general. To adequately vet the technology, companies need to be able to examine what the AI system is doing, how employees are interacting with the technology, and what actions are being delegated to the AI, Kilger says.

"These are all things that the organization needs to control, not the agentic platform," he says. "You need to break it down and to actually look deeper into how those platforms actually being utilized, and how do people build and interact with those platforms."

The first step to evaluating the risk of Microsoft 365 Copilot, Google's purported Project Jarvis, Apple Intelligence, and other technologies is to gain this visibility and have the controls in place to limit an AI assistant's access on a granular level, says Oleria's Alkove.

Rather than a big bucket of data that a desktop AI system can always access, companies need to be able to control access by the eventual recipient of the data, their role, and the sensitivity of the information, he says.

"How do you grant access to portions of your information and portions of the actions that you would normally take as an individual, to that agent, and also only for a period of time?" Alkove asks. "You might only want the agent to take an action once, or you may only want them to do it for 24 hours, and so making sure that you have those kind of controls today is critical."

Microsoft, for its part, acknowledges the data-governance challenges, but argues that they are not new, just made more apparent due to AI’s arrival.

"AI is simply the latest call to action for enterprises to take proactive management of controls their unique, respective policies, industry compliance regulations, and risk tolerance should inform – such as determining which employee identities should have access to different types of files, workspaces, and other resources," a company spokesperson said in a statement.

The company pointed to its Microsoft Purview portal as a way that organizations can continuously manage identities, permission, and other controls. Using the portal, IT admins can help secure data for AI apps and proactively monitor AI use though a single management location, the company said. Google declined to comment about its forthcoming AI agent.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Desktop AI Come With a Side of Risk?

While low-code/no-code tools can speed up application development, sometimes it's worth taking a slower approach for a safer product.

Source: Westend61 GmbH via Alamy Stock Photo

COMMENTARY

Say you're working on an important financial report for your company, with a strict deadline. You need to share it with external financial advisers, but security restrictions are preventing you from adding them directly. You grab the report, open your personal email, upload the report — and just before you hit send, you realize this is probably not a wise decision. You delete your draft.

I'm sure you can think of many other examples where you got into a similar situation in the heat of the moment; hopefully you bumped into a security guardrail that made you think twice. Sometimes some friction is needed to slow us down and get us to rethink.

**Low-Code/No-Code Makes Things Too Easy**

Business units can't wait around for IT and development units to get to their items on an ever-growing backlog. Low-code/no-code platforms have really made a difference in large enterprises in the past few years, and generative artificial intelligence has turbocharged this trend. Nontechnical users are empowered to create applications by describing them to a chatbot that does everything from generate the database to the user interface. They are also creating automations to streamline business processes, either by chatting with a chatbot or using drag-and-drop. This is all happening at the heart of the enterprise and is wonderful for productivity.

Security controls provided by low-code/no-code platforms typically focus on the point that an application inherits its user's permissions. That means that, theoretically, a user could manually do everything the application or automation does on their behalf. So what's the problem?

People are not robots. We don't move the same amount of data, we are not consistent when we do something again and again, and — most importantly — we have common sense. A human can understand that sharing a financial report externally is not a good idea, while sharing nonsensitive files might be all right. But if an automation is set up to sync data between you and your external vendors, with the intent of sharing nonsensitive files, no one is going to be there to flag it or second-guess when sensitive files are also transferred unintentionally.

You could say that the person who created the automation should have thought about it, and you're right. But that requires them to stop and think. If you can create an automation by talking to a chatbot, then you quickly get into a situation where you're creating automations left and right without fully thinking through the consequences. Low-code/no-code platforms are lowering the bar to be creative within the enterprise, which is wonderful but also dangerous.

**Tapping the Brakes, Not Taking the Keys**

Some friction could make all the difference in the world, if carefully used. Allowing citizen developers to create automations and applications is great, but perhaps if there are external data sources or vendors, somebody needs to take a second look. Low-code/no-code doesn't really follow the software development life cycle process, but notifying the security team or center of excellence for selective reviews where it matters is feasible. We must be careful not to add too much friction, however, or we'll lose the productivity benefits that citizen development brings — or people are going to find ways around our controls.

To hit the right balance, we should let citizen developers build freely but intervene where needed. We should set up automated guardrails that catch when developers go outside of our approved risk zone and intervene — even if just by nudging them to stop and rethink.

**About the Author**

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

Citizen Development Moves Too Fast for Its Own Good

The sector must prioritize comprehensive data protection strategies to safeguard PII in an aggressive threat environment.

Vichai Levy, Vice President of R&D, Overseeing Architecture, Protegrity 

December 16, 2024

4 Min Read

Source: Aleksei Gorodenkov via Alamy Stock Photo

COMMENTARY

We often think of high-risk industries like finance or healthcare when considering the risks of data being targeted and exfiltrated. However, the education industry and its infrastructure — which require personal identifiable information (PII) — are often overlooked.

For many, this exchange of PII for goods and services (in this case, enrolling in school) may not seem worrisome. But for K-12 students, it's a potentially early introduction to cybercrime and its damages.

With some schools already under cyber threat, the urgency of reevaluating data protection strategies becomes increasingly clear.

**Identity Theft Before High School**

In 2023, educational institutions saw increased data breach activity. For many adults, the reality of data breaches is well-known and often just a part of daily life — don't click on suspicious links, enable credit monitoring, and be wary of scam calls. This is a faraway concept for younger students in K-12 schools, yet their data is some of the most vulnerable.

One vulnerability in an application used across the education sector can have a huge attack surface for these students. For example, schools use apps and online resources to support teaching materials. Still, educators can't ensure these vendors are appropriately safeguarding the PII, such as names and emails. Examples like Los Angeles Unified School District and its experience with a chatbot named "Ed." On the surface, Ed was meant to be a personal assistant to the district's students and used their data. However, when the bot's startup company, AllHere, went dark and the chatbot disappeared, questions remained regarding where precisely the student data went.

Schools across the United States are well into their school year, meaning parents have already provided shot records, medical history, and other sensitive information regarding their children. That information is stored across school servers, possibly even in third-party databases like AllHere's chatbot.

These parents of K-12 students may be unknowingly giving threat actors the information they need to steal their child's identity before they ever enter college.

Tucson Unified School District experienced its own run-in with cybercriminals and ransomware in 2023 when the ransomware group Royal extorted what they claimed to be all student personal information — including passports, Social Security numbers, birth certificate information, and more.

Research from Comparitech shows that data breaches have affected more than 37.6 million records across K-12 schools and higher education since 2005. Between 2018 and 2021, 61% of targeted institutions in the United States education sector were K-12 schools. While more records were affected in ransomware attacks targeting universities and colleges, this interest in our youth's data highlights their vulnerability to cyberattacks.

Instances like the Tucson incident are not as rare as many educators and parents would hope. Our youth, lacking the same access or abilities to monitor their credit or make informed decisions after cyber events, are particularly vulnerable. The full effects of a successful ransomware attack like the one Tucson Unified School District experienced can be devastating for the incredibly vulnerable student demographic.

**Misconceptions Regarding Data Thieves**

We've reached record-breaking ransomware attacks in 2024, and our data across all industries is at risk. However, the inundation of data breaches and data theft paired with daily organizational demand for consumer data has created an interesting phenomenon: Consumers don't trust their data will ever be secured.

Cybercriminals are opportunistic and self-serving, often looking for the easiest way to steal valuable information they can exfiltrate and extort for money. They are exploiting vulnerabilities and pushing out phishing campaigns to steal data for their own benefit, but this behavior doesn't just affect adults.

While historically the education sector has not been a priority target for these groups, the outbreak of 2023 highlights a new reality. Threat actors are becoming more aggressive in their methods, and data protection across K-12 and higher education institutions must be prioritized moving forward.

**Preventing Data Theft in the Education Sector**

Higher and lower education organizations have reported increasing ransomware attack rates starting in 2021 according to the "2024 Sophos State of Education" report.

The same report also shows attacks across both lower and higher education institutions are becoming more dangerous:

*   Eighty-five percent of ransomware attacks in lower education institutions and 77% of higher education organizations in the last year ended in threat actors encrypting the school's data.
    
*   Across lower and higher education organizations, the cost of recovery from these attacks doubled and quadrupled in 2024 compared with 2023.
    
*   Most worryingly, the education sector is the least likely to report data theft from cyberattacks, with lower education facilities tied with the healthcare industry at 22% reporting.
    

While creating an impenetrable defense is impossible, current strategies rely on creating barriers like firewalls, intrusion detection systems, and regular security audits that are proving inadequate against sophisticated threats. The education sector must reassess its data security.

The education sector must prioritize comprehensive data protection strategies to safeguard PII in an aggressive threat environment. By doing so, schools and universities can mitigate identity theft and ransomware risks, ensuring data security for students and faculty. Moving forward, it is crucial for the education sector to recognize its vulnerability and take proactive steps to strengthen its defenses, protecting the future of our children and educators.

**About the Author**

Vice President of R&D, Overseeing Architecture, Protegrity 

Vichai Levy currently serves as the Vice President of Research and Development at Protegrity. He is an experienced software engineer with over two decades in the field, and a career rooted in creating impactful and resilient technology. Levy specializes in designing, developing, and implementing enterprise data security solutions driven by passion for innovation and robust software design.

The Education Industry: Why Its Data Must Be Protected

A thwarted attack demonstrates that threat actors using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

Source: Brian Jackson via Alamy Stock Photo

The DarkGate remote access Trojan (RAT) has a new attack vector: A threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.

The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said.

Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control (C2) server.

**A Multistage Vishing Cyberattack**

The multistage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim's inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.

The caller claimed to be an employee of an external supplier of the victim's company needing assistance, and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

**Another Channel for Spreading DarkGate Malware**

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including other RATs like Remcos.

**How to Protect Against Sophisticated Vishing Attacks**

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands. Training employees on signs of a vishing attack, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.

"Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.

Whitelisting approved remote access tools and blocking any unverified applications as well as integrating multifactor authentication (MFA) on remote access tools also reduce "the risk of malicious tools being used to gain control over internal machines," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft Teams Vishing Spreads DarkGate RAT

PRESS RELEASE

BOSTON — December 12, 2024 — Zerto, a Hewlett Packard Enterprise company, today announced the launch of the Zerto Cloud Vault, which delivers Zerto’s best-in-class cyber resilience capabilities as a service through managed service providers (MSPs). Zerto’s security-focused MSP partners at launch include Assurestor, Converge, LincolnIT, and Verinext. Built on the capabilities of the Zerto Cyber Resilience Vault, the Zerto Cloud Vault is a cloud-based, fully managed solution that offers logical air-gapping, immutability, and clean room recovery.

Ransomware attacks remain a harsh fact of life for most businesses with collective ransomware losses totaling over $1 billion in 2023 alone. This financial toll is exacerbated by the resulting data loss and downtime, with some estimates suggesting upwards of $1 million in losses per hour of downtime for larger businesses.

With Zerto Cloud Vault, customers can leverage MSPs that deliver tailored cyber resilience strategies to meet the specific requirements of their organizations. Cloud Vault is the latest offering in HPE’s comprehensive cyber resilience portfolio and complements the existing Zerto Cyber Resilience Vault, which is deployed as a self-hosted, on-premises stack.

Zerto Cloud Vault capabilities include:

*   Managed Cyber Services: Take advantage of MSP experts who know how to prevent and mitigate attacks and have built their services on top of Zerto’s award-winning technology.
    
*   Real-Time Encryption Detection: Detect encryption anomalies in real-time and be alerted within seconds to potential issues through integration with cybersecurity dashboards.
    
*   Immutable Data Copies: Retain data for up to 12 months and protect against ransomware attacks through immutable copies, all without impacting production workloads, without any agents or snapshots.
    
*   Clean Room Recovery: Leverage the elasticity of the cloud to create clean environments on demand with isolated networks that are protected from attackers. Use it to validate data, scrub malware, and perform forensics before recovering back into production.
    
*   Non-Disruptive Testing: With Zerto’s non-disruptive solutions, businesses can test more frequently and comprehensively, including conducting cyber recovery tests at any time on entire sites, multiple sites, or individual VMs. These tests can be used to validate recovery plans and train incident response teams.
    
*   Fully isolated from production environments: Ability to run different security postures within product and vault environments.
    

“Zerto’s disaster recovery and cyber resilience solutions offer peace of mind to businesses struggling to combat ransomware attacks,” said Jim O’Dorisio, senior vice president and general manager, HPE Storage. “Leveraging our cyber resilience capabilities, MSPs will be able to bring fully managed Cloud Vault services to even more organizations, helping them thwart the plans of attackers and keep precious business assets safe.”

Coupled with the expertise of Zerto’s vetted MSP partners, the hosted Zerto Cloud Vault mitigates the most devastating ransomware scenarios while keeping businesses in compliance with state and federal regulations — reducing the risk of substantial fines or prosecution. Where other solutions offer detrimental lengthy recovery point objectives (RPOs) and recovery time objectives (RTOs), Zerto Cloud Vault slashes both, minimizing the risks of disruption and allowing businesses to get back on their feet as fast as possible after the inevitable happens. Zerto is a part of HPE’s hybrid cloud business, helping HPE customers protect workloads and data across hybrid IT environments.

Partner Quotes

“Our Gold Standard for cyber recovery considers a product’s recoverability readiness, non-disruptive testing capability, and speed of data recovery; we found that Zerto substantially delivered on all these points. Combined with Cloud Vault, the protection provided from ransomware attacks was robust and allowed pinpoint recovery faster than any other products evaluated,” said Stephen Young, executive director, Assurestor.

“Ransomware attacks are a real threat to the data and operations of organizations of all sizes. Having the ability to offer a cloud vault with Zerto technology gives our clients added protection against ransomware and peace of mind that they can recover successfully,” said John Antimisiaris, executive vice president, LincolnIT.

“Some of our clients’ infrastructure protection needs to be kept with a very tight RPO, but they still need some deeper recovery options than simple replication can provide. A cyberattack is seldom clearly understood, even when recovery efforts have begun. Zerto Cloud Vault provides immutable protection history that can be leveraged to find the latest clean point in time for replicated hosts,” said Jeremy Brovage, product engineer and solutions architect, Converge Enterprise Cloud.

“Cyberattacks that encrypt data are one of the primary disruptors requiring data recovery. Zerto provides the best tools to recover quickly and with the least data loss in a cloud vault,” said Nick Martino, product manager, managed services, Verinext.

Explore the Zerto Cloud Vault and discover how it empowers businesses to safeguard their data and operations: Learn More. 

About Zerto

Zerto, a Hewlett Packard Enterprise company, empowers customers to run an always-on business by simplifying the protection, recovery, and mobility of on-premises and cloud applications. Zerto eliminates the risk and complexity of modernization and cloud adoption across private, public, and hybrid deployments. The simple, software-only solution uses continuous data protection at scale to solve for ransomware resilience, disaster recovery, and multi-cloud mobility. Zerto is trusted by over 9,500 customers globally, and is powering offerings for Microsoft Azure, IBM Cloud, Google Cloud, Oracle Cloud, and more than 350 managed service providers.

Source

DARKReading