Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs.

Ian Campbell, Senior Security Operations Engineer, DomainTools

November 7, 2024

5 Min Read

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The quality of information security guidance has increased in recent years — especially regarding the focus on fundamentals — but our industry often fails to emphasize establishing those fundamentals as replicable processes. 

Fundamentals, policies, training, tabletop exercises, and technology are resources that are limited in their respective usefulness — each is a finite and frequently subjective piece of a puzzle. In an industry epitomized by the executive phrase "Learn to do more with less," achieving consistent end goals requires recognizable, replicable, and flexible processes from start to finish.  

In order to adopt a common lexicon, let us define "process" as instituting, training on, evaluating, and rehabilitating a series of practitioner-defined expected actions a person may take in response to a stimulus. Examples of stimuli include a 911 call, endpoint detection, or an onboarding ticket from HR. Importantly, the process provides a framework for activity, is replicable, generalizable, and is driven by the practitioner's physical, mental, and digital capabilities. 

Psychology professor and human error expert James T. Reason first formally proposed the "Swiss Cheese Model" of causation in 1990. His model theorizes that the breakdown of complex systems often involves weaknesses across multiple defenses (slices) aligning across a moment of opportunity that results in the breakdown. Writer and technologist Cory Doctorow recently illustrated an excellent example of this in the alignment that results in a successful financial scam. In the context of security, the Swiss Cheese Model tells us that one cannot reliably anticipate how and when the weaknesses in your systems will line up to present an attacker opportunity without maintaining focus from the start on integrating replicable, dependable processes into your workflows. 

As a nascent technologist working technical support in Congress, my daily commute into Washington, DC, often centered around podcast listening. One favorite was the defense-themed podcast Bombshell, often repeating mid-episode the tagline "Process is my Valentine," analogizing the criticality of process to something as important and unpredictable as national security. The phrase resonated with me not only due to autism (after all, we love our self-imposed routines) but also because of my decade of experience in emergency services response prior to my career in tech.  

As a 911 dispatcher responsible for responding to thousands of people myself, the process became necessary. I had to work out: 

*   Order of actions: What needs to happen and when? 
    

*   Kinetics of actions: Does the order line up with the environment? Are the suitable radios and keyboards in the right places? Are the right tools within reach and in the right direction? 
    

*   Laterality of actions: What can I parallelize, moving from initiating one to the next, that will then develop alongside each other with minimal direct interaction and minimal viable attention diverted? 
    

*   Assessment: What can I measure? How can I evaluate the systems that interact here? How well did they adopt the process or warp it into a one-off? What needs improving? 
    

Figuring this out was the only way to move forward in an unpredictable environment with countless important elements demanding simultaneous attention. Tech security, like dispatch work, requires one to master the process. Hurtling into the Capitol from suburban Virginia to pound the marble amidst a never-ending ticket queue, and later helping to stand up a robust and thriving security program from scratch in private employment, process became my valentine once again.  

**The Policy Is Prescriptive, the Process Is Kinetic**

Consider it a stimulus response through muscle memory. The process directly considers the physiology, neurology, biases, and capabilities of the practitioner it seeks to guide. It can't be a product of the back office. Process is necessarily practitioner-centric; sit in their chair, see it with their eyes, run it with their tools, and most of all, challenge the process with practitioner's fatigue. Can someone on their 13th hour of a double shift carry it out effectively?  

Although forming process is also interactive and not necessarily consensus-based, it is at least consensus informed. It requires stakeholder input and buy-in from both the immediate team and from those who touch the scenario around it.   

Once the first iteration of the process is constructed, document it in a way that emphasizes revision. Build the living nature of it into the documentation, including after-action assessment around specific and measurable elements. Do not discount the subjective, as it invariably affects how any situation plays out. How your practitioners encounter the process determines how successfully the process survives reality.  

Then revise, take a breath, and start all over.  

Establishing a realistic, practitioner-driven process wherever possible is critical for running a successful security program. It prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs. By centering practitioners, evaluating environments, and instituting flexible frameworks alongside attention to fundamentals and proactive communications schemas, we can all move toward a more secure posture. Let's make it harder for the bad actors out there. 

**About the Author**

Senior Security Operations Engineer, DomainTools

Ian Campbell is a senior security operations engineer with DomainTools, with previous experience in the US House of Representatives and Silicon Valley. Before working in technology, he spent a decade in emergency services, a period that continues to inform his evolving perspective on security.

The Power of Process in Creating a Successful Security Posture

The company comes out of stealth with a tool that integrates directly into the developer's IDE to find flaws, offer remediation advice, and training materials to write secure code.

Source: Kirbyphoto via iStock Photo

The concept of shift left, or integrating security earlier in the software development life cycle, is important for application security, but it can be difficult to achieve. Developers need to take on some security responsibilities, but that means they need to be properly equipped with integrated security tools that fit their workflows.

This is the issue that Symbiotic Security, which launched this week, is tackling with its software-as-a-service platform, which integrates vulnerability detection and remediation capabilities directly into the application developer's integrated development environment (IDE). The platform also provides just-in-time training to developers so that they have the information on how to write secure code.

"Using Symbiotic is like having a personal security coach right next to you as you code," says Jerome Robert, co-founder and CEO of Symbiotic Security. "It provides real-time feedback on the security mistakes you're making, and it's training you so you don't repeat these mistakes."

The plug-in in the developer's IDE continuously scans code — as the developer types as well as the code that has already been written — and identifies potential security threats. The developer gets contextual remediation advice right in the IDE.

"Our security nudges are perceived as coaching," Robert says. "It's a tool that'll make them save time by not having to come back to fix old code."

Developers can also access the training materials — in the form of capture-the-flag (CTF) content — to learn what the problem is and why it is a problem. They see examples of secure and vulnerable code and are presented with a snippet of insecure code to find and fix as part of a game to help improve secure coding skills.

The difference between Symbiotic Security's plug-in and other code security tools is where the issues are identified, Robert says. Many of the others catch mistakes after the code has been written, often during code commits or when integrated with the rest of the build.

"Nobody feels bad making a few mistakes here and there in a draft, and that's the mental state we want developers to be when we advise them on security," Robert says. "If we were at commit \[or, more commonly, in the CI\], we'd be basically flagging issues after a developer said, 'This is my final release, this code is good to go.'"

As part of the launch, Symbiotic Security also raised $3 million in seed funding from investors including Lerer Hippeau, Axeleo Capital, and Factorial Capital. Symbiotic Security said its product is currently deployed at eight companies.

**About the Author**

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Symbiotic Security Launches Scanning Tool to Help Fix Flaws in Code

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Source: Charles Walker Collection via Alamy Stock Photo

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.

Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.

The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.

**CopyR(ight)hadamantys**

No two emails in the campaign that researchers have dubbed "CopyR(ight)hadamantys" come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.

Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.

The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text \[by accident\]?' Even if you didn't."

Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.

**What to Know About Rhadamanthys**

Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web. It's more expensive than other infostealers: Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000. It's much more modular, more obfuscated, and more complicated in how it's built: The way it loads itself, hides itself, all this makes detection much more complicated."

Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.

In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's Void Manticore, and the pro-Palestine group "Handala."

**One Strange Stealth Feature**

Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.

After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, which masquerades as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an "overlay" — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.

Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."

Organizations might want to sniff out at any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some \[effective\] rules for what you can download."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fake Copyright Infringement Emails Spread Rhadamanthys

Campaigns like Silver Fox and Void Arachne are deploying the framework, using social media and messaging platforms to lure in victims.

Source: RaymondAsiaPhotography via Alamy Stock Photo

Researchers are warning of an advanced malicious framework called Winos4.0 that's getting distributed in the installation tools, speed boosters, and optimization utilities for gaming applications.

The framework is rebuilt from Gh0strat with several modular components, each of them handling different functions; the framework has been deployed in several attack campaigns such as Silver Fox and Void Arachne.

"Winos4.0 is an advanced malicious framework that oﬀers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions," Fortinet FortiGuard Labs researchers stated.

The campaigns using this framework have been previously documented by Trend Micro and the KnownSec 404 Team and have been observed targeting Chinese-speaking users, leveraging SEO tactics, social media, and messaging platforms like Telegram to distribute the malware.

Once the victim runs the application, it retrieves a fake BMP file from the server ad59t82g\[.\]com. The file then extracts the DLL, which is responsible for setting up the execution environment, according to the researchers.

The attack chain involves multiple encrypted data and C2 communication to complete the injection of the malware.

"Threat campaigns leverage game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system," the Fortinet researchers added. Users should be wary of any new applications' source and only download software from reputable sources.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Chinese Gamers Targeted in Winos4.0 Framework Scam

Google Cloud will take a phased approach to make multifactor authentication mandatory for all users.

Source: Genius Studio via Adobe Stock Photo

In a bid to improve account security, Google will enforce mandatory multifactor authentication (MFA) for all Google Cloud users by the end of 2025. Currently, 70% of Google users have MFA enabled.

This requirement will apply to all Google Cloud users who currently use passwords for authentication and all new users; it will not apply to general consumer Google accounts. The company will begin the first phase of a year-long implementation this month.

*   In Phase 1, Google Cloud administrators will receive information on how to prepare for the transition. Phase 1 will raise awareness and provide materials to help plan a rollout and conduct testing.
    
*   Phase 2, to begin in early 2025, will require all new users and existing Google Cloud users who use passwords for authentication to enable MFA on their accounts. The notifications and guidance will be displayed in Google Cloud Console, Firebase Console, gCloud, and other platforms.
    
*   Phase 3, at the end of 2025, will require users who federate authentication into Google Cloud to turn on MFA. Users can enable MFA with their primary identity providers before accessing Google Cloud — or add an extra layer of MFA through the Google account.
    

"Beginning this month, you'll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users," the company said.

MFA adoption is one of the key recommendations in the Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design initiative. The shift to mandatory MFA is happening throughout the industry. In June, Amazon started requiring mandatory MFA for Amazon Web Services. Customers signing into the AWS Management Console with the root user of an AWS Organizations management account also had to start using MFA, which has since been extended to stand-alone accounts outside of AWS Organizations.

Mandatory MFA has also be adopted by Snowflake, which in July introduced an option to allow administrators to enforce mandatory MFA for all users. The following monty, Microsoft announced its rollout for Microsoft Azure. Microsoft's plan, similar to Google Cloud's, takes a phased approach. Phase 1 for Microsoft started last month, with MFA required to sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. Phase 2, also beginning early next year, will gradually enforce MFA for Azure CLI (command-line interface), Azure PowerShell, Azure mobile app, and infrastructure-as-code tools.

While CISA has said that MFA means users are 99% less likely to be hacked, it is important to remember that MFA is not foolproof.

"Mandatory MFA is necessary but not sufficient for enterprise security," says Jasson Casey, CEO of Beyond Identity. "This is because MFA is not created equal and doesn't offer the same level of security assurances."

MFA and two-factor authentication has been in use in some shape or form for more than 20 years, and attackers have had time to innovate against it, said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement. Threat actors are increasingly launching phishing operations that can bypass legacy MFA, which is why the National Institute of Standards and Technology and CISA have urged adopting phishing-resistant MFA.

Google Cloud to Enforce MFA on Accounts in 2025

The draft amendment also includes prison time for those who access systems to maliciously spy or intercept data.

Source: Simon Tilley via Alamy Stock Photo

Germany's Federal Ministry of Justice has drafted legislation that would protect security researchers who discover and report security flaws to vendors.

The draft eliminates criminal liability for people who choose to warn businesses, and ultimately the public, of cyber vulnerabilities. The proposed law amends an existing law that protects IT security researchers, companies, and hackers from punishment.

Certain criteria must be met for the act to be considered security research. The action must aim to identify a vulnerability or security risk in an IT system, and the researcher who discovers the flaw must have the intent of reporting the vulnerability to those responsible for addressing the issue. They should also only be accessing a system to identify a vulnerability.

The draft proposes a penalty of three to five months in prison for severe cases of malicious data spying and data interception that include criminal acts, acts motivated by profit, or those that result in substantial financial damage.

"Those who want to close IT security gaps deserve recognition — not a letter from the prosecutor," stated Marco Buschmann, the Federal Minister of Justice.

**About the Author**

German Law Could Protect Researchers Reporting Vulns

SANS's "2024 State of ICS.OT Cybersecurity report" highlights the most common types of attack vectors used against ICT/OT networks.

Attacks against industrial-control systems (ICS) and operational technology (OT) systems are increasing, as adversaries find weaknesses in IT networks that allow them to move into OT networks, according to a recent report from the SANS Institute.

The "State of ICS/OT Cybersecurity 2024" report is based on responses from cybersecurity professionals in various critical-infrastructure sectors. More non-ransomware incidents (74.4%) were reported than ransomware (11.7%) over the past year, according to the report.

Other initial attack vectors involved in OT/ICS incidents include compromising these systems by use of external remote services (23.7%) or Internet-accessible devices (23.7%), compromising employee workstations (20.3%) and removable media (20.3%), and a supply chain compromise (20.3%). It's worth noting that 18.6% of respondents said attackers attempted spear-phishing with an email attachment for the initial compromise.

Nearly one out of five (19%) of respondents reported one or more security incidents over the past year.

While only 12% of respondents reported being the targets of ransomware attacks in the past 12 months, the impact on the OT/ICS environment remains "potentially catastrophic," SANS said in the report. Of the organizations that reported a ransomware incident, 38% said only their IT network systems were impacted, while 28.6% said their OT/ICS networks were affected. Just 21% said both networks were impacted, and 38.1% said reliability and safety were compromised during those attacks.

"Although the overall trend \[of ransomware\] seems to have decreased, the impacts are still potentially catastrophic and should be considered for all ICS/OT-specific incident response programs," SANS said.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems

Interpol disrupts 22,000 malicious IP addresses, 59 servers, 43 electronic devices, and arrests 41 suspected cybercriminals.

Source: Timon Schneider via Alamy Stock Photo

Operation Synergia II, an international law enforcement effort supported by the private cybersecurity sector, successfully dismantled a widespread cybercrime operation stretching from Hong Kong to Estonia, Interpol said this week.

Operation Synergia II was launched in April, with law enforcement collaborating with cybersecurity experts from Group-IB, Trend Micro, Kaspersky, and Team Cymru to track down thousands of servers used to commit cybercrimes involving phishing, infostealers, and ransomware attacks. Interpol discovered 30,000 malicious IP addresses and has already taken down 22,000, along with 59 servers.

Law enforcement across several countries contributed on-the-ground resources to perform house searches and seize electronics believed to support the cybercriminal operation — leading to the arrest of 41 people, with 65 others still under investigation, according to Interpol.

As part of the coordinated response, police in Hong Kong took down 1,037 servers, while in Mongolia police conducted 21 house searches and were able to identify 93 individuals believed to be linked to cybercrimes. Macau cops took 291 servers offline, and in Madagascar police tracked down 11 people linked to the servers and seized multiple devices. And in Estonia, authorities confisacted more than 80GB of server data, which is still being analyzed at Interpol.

"The global nature of cybercrime requires a global response which is evident by the support member countries provided to Operation Synergia II," Neal Jetton, Interpol's director of the Cybercrime Directorate, said in a statement. "Together, we've not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime."

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

International Police Effort Obliterates Cybercrime Network

Omdia Principal Analyst Hollie Hennessy says that until a promising new set of regulations around the world comes online, connected device security entails a shared responsibility among consumers, enterprises, and manufacturers.

Hollie Hennessy, Principal Analyst, IoT Cybersecurity, Omdia

November 6, 2024

4 Min Read

COMMENTARY

A broad array of Internet-connected devices have become a part of our lives, whether the mobile devices that we use daily, the Internet of Things (IoT) devices often spread throughout our "smart" homes, or even the medical devices that help provide us care when we need it.

These devices are now a fixture of our lives, professionally and personally. Unfortunately, they bring with them a countless number of cybersecurity challenges.

**Consumers Must Watch for Insecure Devices, Scams**

Historically, home IoT devices in particular have been neglected when it comes to cybersecurity. Security was rarely a concern for consumer device makers.

However, we've seen positive movement by governments globally, offering up new guidelines and regulations to facilitate better security of these products for consumers. In October alone, the Cyber Resilience Act (EU) was adopted by the council, and Australia announced its Cybersecurity Bill 2024, which proposes new security guidelines for smart devices.

That said, consumers should be aware that manufacturers might not yet be doing the best they can regarding cybersecurity. Cheap devices sold on online marketplaces often are riddled with vulnerabilities, despite looking like a good deal. Fortunately, once a number of promising new and proposed regulations take effect in many regions, this will no longer be the case — but for now, consumers must still largely look out for themselves.

Related:Any IoT Device Can Be Hacked, Even Grills

Scams are one of the most common cybersecurity issues for consumers, and IoT and mobile devices can make these scams easier to perpetrate. Mobile devices have put everything in the palm of our hand, even our financial transactions; a seemingly legitimate mobile application or a well-timed smishing message can do great harm. Consumers should be wary of anyone telling them to download an application or take any other unusual action, especially if they are asking for payment without receiving any services.

For example, in Singapore, millions of dollars are lost to scams — whether through social engineering, or malware-enabled. Scams have proliferated social media too, including Facebook, Instagram, and LinkedIn. While the government, banks, and device makers are working to address issues like this, consumers must practice vigilance throughout daily life.

**IT-OT Combination Is Emerging Issue**

For enterprises, even though information technology and operational technology (IT and OT) security are generally handled separately, Omdia believes a holistic strategy incorporating both will be increasingly important.

Organizations are also increasingly relying on IoT and other cyber-physical devices — many of which fall into critical national infrastructure sectors such as energy, transport, wastewater, and healthcare. Often, IT security tends to get a lot of focus, but it's the entire landscape, including IoT and OT, and the gaps in between that need to be adequately secured.

Enterprises will increasingly be affected by regulation as well. October also saw the deadline for European Union member states to implement the NIS 2 Directive — which is intended to enhance the security and resiliency of networking and information systems in the EU — into national law. Requirements are broadly focused on reporting, accountability, risk management, and business continuity, with minimum requirements spanning these categories, such as incident response planning, cybersecurity training, and tooling such as multifactor authentication and employee and asset access.

Despite regulatory burdens, Omdia's research suggests that cybersecurity maturity — at least for cyber-physical assets — isn't quite where it needs to be. Omdia's 2024 Cybersecurity Decision Maker Survey revealed that only 37% of organizations are confident that their business could continue to operate efficiently in the event of a cyber-physical system compromise, yet around a third do not have an adequate strategy for securing IoT devices.

**Device Manufacturers Facing Major Strategic, Operational Adjustments**

For device manufacturers, it's time to start thinking about how to adapt to an evolving regulatory environment. Even small manufacturers hoping to sell into regulated regions will need to adhere to cybersecurity requirements — setting up the product security teams, processes, and supporting technology will take a significant period of time. Collaborating effectively between product security and cybersecurity teams is no mean feat.

Considering the software and firmware element of product security also will be key. This will require new and enhanced communication between engineering and cybersecurity teams, alongside DevSecOps processes. Omdia's research suggests that consumers see security as a purchase driver for IoT devices, so it's best to start to ensure devices are secure sooner rather than later.

**About the Author**

Principal Analyst, IoT Cybersecurity, Omdia

Hollie works as a Principal Analyst within the Omdia team, providing insight into the fascinating and fast-moving domain of IoT Cybersecurity.

Hollie has a range of experience in research. She began her career in the legal sector, writing and researching for expert witness reports on the labour market. She then moved into product testing, with a consumer protection focus. In this role she was responsible for managing comparative tests of various tech products, as well as regular testing and investigative work into the security of these products.

She has published various articles for Which?, the UK's largest consumer organisation and one of the largest subscription magazines, and Computing magazine.

Despite Emerging Regulations, Mobile Device, IoT Security Requires More Industry Attention

The mobile device maker continues to investigate IntelBroker's claims of another high-profile data breach, with the cybercriminal group posting on BreachForums internal data allegedly stolen from Nokia through a third-party contractor.

Source: Nico El Nino via Alamy Stock Photo

Nokia is investigating an alleged cyberattack in which threat actors claim to have stolen sensitive internal data. However, the company says that so far there is no evidence that either its data or systems were affected by a breach.

Known threat actor IntelBroker on Tuesday posted what it claimed is Nokia's online internal data — including SSH keys, source code, and internal credentials — putting it up for sale on the BreachForums cybercrime site for $20,000, according to a published report on HackRead.

The group claimed to have obtained the data through a breach of a third-party contractor linked to Nokia’s internal tool development, though no customer data seems to have been affected by the breach, according to the report.

"Nokia is aware of reports that an unauthorized actor has alleged to have gained access to certain third-party contractor data and possibly data of Nokia," a Nokia spokesperson tells Dark Reading. "Nokia takes this allegation seriously and we are investigating."

However, at this time, the company's investigation "has found no evidence that any of our systems or data being impacted," though Nokia continues "to closely monitor the situation," the spokesperson says.

**Group Known for High-Profile Data Heists**

Given that IntelBroker is a notorious threat actor that already has pulled off a series of high-profile data heists, the chance that Nokia eventually will find that its data has been stolen seems likely. The Serbian-based entity began operations in 2022 and is linked to data breaches that affected Apple, the US House of Representatives, Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

If IntelBroker's claim turns out to be true, data stolen in the heist and then sold to a malicious actor or actors potentially could be used to engage in other cybercriminal activity against Nokia. For example, stolen using credentials to gain unauthorized access to Nokia systems and breach other sensitive data or propagate malware. Depending on the nature of the data, other organizations also could be at risk.

The incident also demonstrates yet another example of how organizations are exposed to security risks through third-parties that contract with the company, observes Jim Routh, chief trust officer at cybersecurity firm Saviynt. However, that the breach itself occurred through a third party is not a huge surprise, he tells Dark Reading via email.

**Mitigating Third-Party Risk**

In fact, numerous high-profile cyberattacks at global multinational organizations have been the result of breaches through third parties, including incidents that occurred at credit card company American Express, Spanish banking institution Santander, and US-based financial organization Bank of America.

However, Routh says that the alleged Nokia breach "represents a bit of a head-scratcher" because it involves the compromise of "third-party credentials for access to the software supply chain."

"The head-scratching comes from why a third party has access to Nokia source code," he notes. However, it's possible that attackers gained access through a software engineer contributing to an internal project, Routh adds, speculating that hackers exploited "credential management for access to the software build process."

One potential way that organizations can protect themselves from a similar incident, he says, is to improve identity management for cloud accounts with access to the software supply chain to avoid inadvertently exposing sensitive data to threat actors.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading