How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.

Source: Timon Schneider via Alamy Stock Photo

As a longtime information security professional at Johnson & Johnson, Mike Wagner helped shape the Fortune 100 company's security approach and security stack. Wagner recently became the first CISO of Kenvue, J&J's year-old spin-off, which was previously J&J's consumer healthcare division. In his new role, Wagner aims to combine the best of J&J with an efficient and modern approach that fits the new standalone company.

"We wanted to create a streamlined and cost-effective architecture with maximum security," Wagner explains.

The first step was defining key roles required to build an effective security program. That included architects and engineers to implement tools, identity and access management (IAM) experts to enable secure authentication, risk management leaders to align security with business priorities, security operations staff for incident response, and dedicated staff for each cyber function.

To ensure maximum effectiveness and future scalability for the cyber architecture, the newly created cyber team knew it wanted to embed machine learning and artificial intelligence (AI). That included automating IAM, streamlining supplier assessments through automated questionnaires, implementing AI for behavioral analysis, and using machine learning to improve threat detection.

**Deciding Which Cyber Tools to Keep or Replace**

With the basics ironed out, the next step was choosing which tools and processes should be retained from J&J and which should be replaced. While J&J's cybersecurity architecture was solid, it was a patchwork of systems created by decades of acquisitions.

To make their determinations, Wagner's team first inventoried J&J's tools, mapping them to Kenvue's operating model and choosing the ones with capabilities Kenvue would need. In many cases, the team found that J&J's security tools were more full-featured than the smaller spin-off needed. In other cases, J&J's technology was duplicative. In still others, existing J&J technology wasn't affordable or didn't provide the maximum security footprint for Kenvue's mission.

And, sometimes, it simply came down to how well-integrated J&J's security architecture was.

"Take something like endpoint detection and response," Wagner says. "Where J&J may have had two to three pieces of software on the endpoint to accomplish that mission due to different acquisitions over time, we consolidated it into one more modern solution."

The ultimate decision for each type of security function also depended on the number and types of dependencies. For example, applications tend to be dependent on IAM, which meant that for the time being, Kenvue is going to stick with J&J's IAM systems. Over time, though, Wagner plans to migrate to a more modern IAM system.

In the end, Kenvue chose to adopt about half of its tech stack from J&J.

Choosing what to retain and what to replace can be tricky, notes Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence. Typically, though, it comes down to weighing the tool's functionality and how well it will fit into the new company's architecture against other options that might be a better fit. In some cases, new investments may be required, while in others, subscription or licensing terms will have to be determined as part of spin-off costs, he says.

**The Right People, Working Together**

Another challenge Wagner faced was assembling the right combination of expertise for his cyber team. After evaluating the capabilities of existing J&J employees along with external candidates, he chose a combination of former J&J employees with deep business knowledge and new hires with modern technical and cyber skills. They included architects and engineers to implement defense controls, IAM experts, risk management leaders, and SecOps staff.

Wagner also chose to add one other type of personnel to his team: business information security officers (BISO), who act as intermediaries between the cyber organization and different business units. Wagner says that the BISO role is critical to his team's success.

"They focus on scouting what's new, the direction it's going, and how we can make sure the business is going about it securely," he explains.

With the tools and team in place, the final challenge was maintaining security for both J&J and Kenvue during the transition. It required constant communication among different functions, with daily meetings that included J&J leaders, Kenvue leaders, and suppliers to ensure that everything went smoothly.

With the foundation in place, Kenvue's security team is operating steadily, but Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.

Continuing to improve cybersecurity programs is critical to helping ensure scalability and adaptability over the long term, Crawford says. That means making greater use of automation to handle overwhelming volumes of data at speed and scale.

"Automation will have to become even more trusted to handle problems at the scale and level of detail," he said. "Forward-thinking CISOs are, without doubt, looking at these opportunities seriously."

**About the Author(s)**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

J&amp;J Spin-Off CISO on Maximizing Cybersecurity

Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC's four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.

Tom Tovar, CEO & Co-Creator, Appdome

April 25, 2024

4 Min Read

Source: Vladimir Zuev via Alamy Stock Photo

COMMENTARY

In an earlier article, I covered what the Securities and Exchange Commission's (SEC) SolarWinds' indictments and four-day rule mean for DevSecOps. Today, let's ask a different question: Where do cyber disclosures go from here?

Before I joined the cybersecurity industry, I was a securities lawyer. I spent a lot of time navigating the SEC rules and worked with the SEC on a regular basis. This article isn't legal advice. It's practical advice from someone with real, albeit distant, familiarity with the SEC.

**The SEC Indictment in a Nutshell**

On Oct. 30, 2023, the SEC filed a complaint against SolarWinds and its chief information security officer, charging "fraud and internal control failures" and "misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened —  and increasing — cybersecurity risks," including the impact of an actual attack on its systems and customers. 

**Putting the "Should" Question Aside **

I want to put aside whether the SEC should have taken action. There are a lot of voices on this topic already. Some argue that SolarWinds’ public cybersecurity statements were aspirational, not factual. Others take the position that the CISO shouldn’t be targeted because his department could not deliver the required defenses. He relied on others to do so. Finally, the amicus briefs filed in support of SolarWinds and its CISO argued that the case will have a chilling effect on hiring and retention of CISO roles, internal communication, efforts at improving cybersecurity, and more. 

**The Cyber-Disclosure Problem **

The SEC began its complaint by pointing out that the company filed its IPO registration statement in October 2018. That document had a boilerplate and hypothetical cybersecurity risk-factor disclosure. The same month, the SEC's complaint reads, "Brown wrote in an internal presentation that SolarWinds' 'current state of security leaves us in a very vulnerable state for our critical assets.'"

This discrepancy is a big one, and the SEC said it only got worse. Even though SolarWinds employees and executives knew about the increasing risks, vulnerabilities, and attacks against SolarWinds' products over time, "SolarWinds' cybersecurity risk disclosures did not disclose them in any way." To illustrate its point, the SEC listed all the public SEC filings following the IPO that included the same, unchanged, hypothetical, boilerplate cybersecurity risk disclosure. 

To paraphrase the SEC's complaint: "Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own … collectively they created such an increased risk …" that SolarWinds' disclosures became "materially misleading." Worse still, according to the SEC, SolarWinds repeated the generic boilerplate disclosures even as an accumulating number of red flags piled up. 

One of the first things you learn as a securities lawyer is that disclosures, risk factors, and changes to risk factors in a company's SEC filings are vastly important. They're used by investors and securities analysts in evaluating and recommending stock purchases and sales. I was surprised to read in one of the amicus briefs that "CISOs are not typically responsible for drafting or approving" public disclosures. Maybe they should be. 

**Proposing a Remediation Safe Harbor **

I want to propose something different: a remediation safe harbor for cybersecurity risks and incidents. The SEC wasn't blind to the question of remediation. In this regard, it said:

"SolarWinds also failed to remediate the issues described above ahead of its IPO in October 2018, and for many of them, for months or years afterwards. Thus, threat actors were able to later exploit the still unremediated VPN vulnerability to access SolarWinds' internal systems in January 2019, avoid detection for nearly two years, and ultimately insert malicious code resulting in the SUNBURST cyberattack."

In my proposal, if any company remediates the deficiencies or attack within the four-day time frame, it should be able to (a) avoid a fraud claim (i.e., nothing to talk about) or (b) use the standard 10Q and 10K process, including the Management Discussion and Analysis section, to disclose the incident. This may not have helped SolarWinds. When it disclosed the situation, its 8K said that the company's software "contained malicious code that had been inserted by threat actors" without any reference to remediation. Still, for countless other public companies facing the never-ending battle between attacker and defender, a remediation safe harbor would allow them the full four-day time frame to evaluate and respond to the incident. Then, if remediated, take the time to disclose the incident properly. The other benefit of this "remediate first" approach is that there will be more emphasis on cyber response and less impact to a company’s public stock. 8Ks could still be used for unresolved cybersecurity incidents. 

**Conclusion**

No matter where you come out on the question of whether the SEC should have acted or not, the question of how, when, and where we disclose cybersecurity incidents is going to be a big one for all cyber professionals. For my part, I think the CISO should control or, at the very least, approve the company's disclosures when cybersecurity incidents arise. More than that, the CISO should look for platforms that provide a single pane of glass to "see it and solve it" fast, with the least dependencies as possible. If we can encourage the SEC to embrace a remediate-first mindset, we just might open the door to better cybersecurity disclosure for everyone. 

**About the Author(s)**

CEO & Co-Creator, Appdome

Tom Tovar is the co-creator and CEO of Appdome, a one-stop shop for mobile app defense. He's a self-taught product creator, mobile app coder, hacker. He's serves as product advisor on several venture funded cyber companies, and previously as executive chairman of Badgeville, an enterprise digital motivation platform acquired by CallidusCloud, in several executive positions, including CEO, of Nominum, an intelligent-DNS security and services provider that was acquired by Akamai, and chief compliance officer, and operational executive in charge of business and corporate development, legal and channel at Netscreen Technologies acquired by Juniper Networks for $5B. He began his career as a corporate and securities attorney with Cooley Godward LLP. Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.

SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

By Uzair Amir
The role of Network Detection and Response (NDR) in cybersecurity. Learn how NDR tools empower organizations to tackle evolving threats effectively.
This is a post from HackRead.com Read the original post: NDR in the Modern Cybersecurity Landscape

In today’s information age, businesses are increasingly reliant on interconnected networks and cloud infrastructures, and **protecting digital assets against cyber threats** has become a paramount concern.

Network Detection and Response (NDR) is a critical component in the arsenal of cybersecurity tools, offering advanced capabilities to monitor, analyze, and respond to threats traversing network environments.

As organizations confront the complexities of modern cyber threats, understanding the role and significance of NDR is essential for bolstering their cybersecurity posture.

****Understanding NDR in Cybersecurity****

Modern cybersecurity uses the concept of Network Detection and Response (NDR) as an active approach to fortifying network defences against threats. But what exactly is NDR in cybersecurity, and how does it function within the broader security landscape?

**What is NDR in cyber security?** NDR, also known as network detection and response, covers a set of cybersecurity techniques designed to monitor and analyze network traffic for potential security threats.

Unlike traditional security measures that focus primarily on endpoint protection or perimeter defence, NDR operates within the network infrastructure, using advanced detection techniques such as artificial intelligence and machine learning to identify anomalous behaviour and potential indicators of compromise (IOCs).

NDR serves as an active defence mechanism, providing organizations with real-time visibility into their network traffic and enabling rapid response to threats. By continuously monitoring network activity and analyzing patterns, NDR solutions empower security teams to detect and neutralize potential threats before they can cause huge harm or compromise sensitive data.

****The Purpose of NDR****

The primary objective of NDR is to enhance network visibility and security by providing organizations with the means to detect and respond to security incidents in a timely and effective manner. But what specific purposes does NDR serve within cybersecurity, and how does it contribute to threat mitigation?

****Early Threat Detection****

By optimizing network visibility, NDR enables organizations to identify malicious activity and **indicators of compromise (IOCs)** at an early stage. Through the analysis of network traffic data, security teams can detect unauthorized activity, unusual communication patterns, and anomalous behaviours, allowing them to take proactive measures to neutralize threats before they escalate.

****Rapid Incident Response****

Enhanced network visibility facilitated by NDR enables real-time monitoring and analysis of network traffic, empowering organizations to respond swiftly to security incidents as they occur. By tracking the source, extent, and impact of an event, security teams can implement prompt remediation measures to mitigate its effects and minimize potential damage.

****Comprehensive Threat Analysis****

Increased network visibility provided by NDR facilitates in-depth examination of network data, enabling organizations to gain insights into potential threat proliferation. By analyzing network communication patterns, traffic flows, and data transfers, security teams can identify malicious behaviour, detect malware infections, and uncover hidden threats, thereby enhancing their understanding of attacker tactics, techniques, and procedures (TTPs).

For organizations seeking to strengthen their defences against emerging threats, selecting the right NDR solution is important. While several vendors offer NDR capabilities, a few stand out for their innovative features and comprehensive security offerings.

****Arctic Wolf****

As a managed NDR provider, Arctic Wolf offers a suite of security solutions aimed at identifying, tracking, and mitigating cyber threats. With its Security Operations Center-as-a-Service (SOC-as-a-Service), Arctic Wolf helps organizations detect security flaws, proactively mitigate risks, and prioritize remediation efforts.

****Attivo Networks****

Leveraging deception methods, Attivo Networks’ threat defence platform detects and neutralizes post-compromise threats, including in-network threat activity and lateral movement by attackers. Through its ThreatDirect and BOTsink components, Attivo Networks extends network deception tactics to cloud, remote distributed, and micro-segmented systems, providing organizations with enhanced threat detection capabilities.

****Stellar Cyber** **

Stellar Cyber is an NDR solution that enables organizations to safeguard their data and maximize the effectiveness of their security investments. By aggregating and analyzing log data, it helps organizations prioritize security alerts for investigation, providing knowledge to enhance their security posture.

****Darktrace****

Built on self-learning cyber-AI, Darktrace’s Enterprise Immune System employs advanced AI and machine-learning techniques to detect attacks and insider threats. Without relying on rules or signatures, Darktrace identifies subtle indicators of sophisticated attacks, providing organizations with comprehensive threat detection capabilities.

****Emerging Trends in NDR****

Several new trends are shaping the future of network detection and response. These trends reflect the nature of cyber threats and the need for innovative approaches to combating them effectively.

****AI-Powered Threat Detection****

As cyber threats become more sophisticated and difficult to detect, NDR solutions are increasingly using artificial intelligence (AI) and machine learning (ML) algorithms to enhance threat detection capabilities. By analyzing vast amounts of network data and identifying patterns indicative of malicious activity, AI-powered NDR solutions can detect and respond to threats in real-time, even as attackers evolve their tactics.

****Behavioral Analytics****

Traditional signature-based detection methods are often ineffective against zero-day attacks. To address this challenge, NDR solutions are incorporating behavioural analytics techniques to identify anomalous behaviour and deviations from normal network patterns. By establishing baselines of “normal” network behaviour, NDR solutions can detect and alert suspicious activities that may indicate a security threat.

****Cloud-Native NDR****

With the widespread adoption of cloud computing and hybrid infrastructures, NDR solutions are evolving to provide native support for cloud environments. Cloud-native NDR solutions offer easy integration with cloud platforms, enabling organizations to monitor and protect their cloud-based assets effectively. By extending visibility and threat detection capabilities to the cloud, these solutions help organizations maintain a consistent security posture across their entire infrastructure.

****Threat Intelligence Integration****

Integrating threat intelligence feeds into NDR solutions enhances their ability to identify and respond to threats. By using up-to-date threat intelligence data from reputable sources, NDR solutions can prioritize alerts and provide insights to security teams. This approach enables organizations to stay ahead of new threats and mitigate potential risks before they escalate.

****Automation and Orchestration****

The growing cyber threats and limited security resources, as well as automation and orchestration, are becoming essential components of NDR solutions. By automating repetitive tasks and orchestrating incident response processes, NDR solutions enable security teams to streamline operations and respond to threats more effectively. This allows organizations to maximize the efficiency of their security operations and focus their resources on high-priority tasks.

****Market Dynamics and Future Trends****

The network detection and response market continues to change rapidly, driven by new technologies and new threats. Reports from Quadrant Knowledge Solutions offer insights into market dynamics and future trends, enabling organizations to scale through the NDR security landscape and select the most suitable platform for their needs.

By harnessing the insights and capabilities offered by NDR solutions, organizations can strengthen their cybersecurity posture and ensure protection for their digital assets. Integrating NDR into their security stack empowers organizations to detect, analyze, and respond to threats effectively, mitigating potential risks and safeguarding against cyber attacks.

****Conclusion****

Network Detection and Response (NDR) plays a vital role in the modern cybersecurity space, offering organizations the ability to actively identify, analyze, and mitigate security threats in real-time. By providing enhanced network visibility and threat detection capabilities, NDR solutions empower security teams to detect and respond to the latest threats swiftly and effectively.

As organizations continue to confront the complexities of modern cyber threats, understanding the need for NDR and selecting the right solution is **essential for boosting their cybersecurity defences**. By using the insights and capabilities offered by NDR solutions, organizations can enhance their resilience against cyber attacks and safeguard their digital assets.

NDR in the Modern Cybersecurity Landscape

By Deeba Ahmed
Popular File Transfer Software Hit by Zero-Day Exploit: Millions Potentially Exposed - Install Patches Right Now!
This is a post from HackRead.com Read the original post: Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit

A critical zero-day vulnerability in CrushFTP, a popular file transfer software, allows attackers to download sensitive system files. This puts millions of users at risk! Learn how to protect yourself from this exploit and secure your file transfers.

Attention file transfer users! A recently discovered zero-day exploit in CrushFTP, a popular enterprise file transfer software solution, has sent security researchers scrambling. This critical vulnerability could allow attackers to download sensitive system files, potentially compromising the security of millions of users worldwide.

****What is CrushFTP and Why Should You Care?****

CrushFTP is a widely used software program that enables secure file transfers between computers and servers, offering functionalities like FTP, SFTP, FTPS, WebDAV, and more. However, the recent discovery of a zero-day exploit raises concerns about the potential for unauthorized access and data breaches, making businesses/organizations using it for data exchanges vulnerable.

****How Does the Exploit Work?****

The vulnerability (CVE-2024-4040), identified by Simon Garrelou of Airbus CERT, allows attackers to bypass the software’s virtual file system (VFS) restrictions and download system files that are typically off-limits. This unauthorized access could lead to the theft of sensitive data, the installation of malicious software, and disruption of file transfer operations or server inoperability.

****Who is Affected?****

The exact number of affected users is unknown, but CrushFTP boasts a significant user base across various industries. Organizations of all sizes, from small businesses to large enterprises, could be at risk if they haven’t applied the latest security patch, details of which can be found in CrushFTP’s advisory.

“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0,” the advisory read.

It must be noted that customers operating CrushFTP instances within a demilitarized zone (DMZ) are safe from the attacks. The flaw is yet to receive a CVE identifier.

Cybersecurity firm CrowdStrike reported an exploit for the CrushFTP Zero-Day flaw targeting U.S. entities in what it believes is a politically motivated intelligence-gathering activity.

However, CrushFTP’s founder, Ben Spink, claims the company hasn’t received any user complaints as yet whereas the vulnerability was patched within hours of identification.

To update CrushFTP to the latest version v11.1.0, log in to the dashboard, click the About tab, and click Update> Update Now. Wait 5 minutes for files to download, unzip, and copy, then auto-restart CrushFTP.

1.  WinRAR users update software as 0-day vulnerability is found
2.  WeTransfer phishing attack spoofs file-sharing to steal credential
3.  APT Winter Vivern Exploits Roundcube 0-Day against European Entities

Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit

PRESS RELEASE

Tampa Bay, FL (April 24, 2024) – KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced it has entered into a definitive agreement to acquire Egress, a leader in adaptive and integrated cloud email security. Egress’ Intelligent Email Security suite provides a set of scaled, AI-enabled security tools with adaptive learning capabilities to help prevent, protect and defend organizations against sophisticated email cybersecurity threats. Further terms of the transaction were not disclosed.

Organizations globally struggle to contain behavioral-based data breaches, with 74 percent of incidents involving the human element according to Verizon’s Data Breach Investigations Report. By acquiring Egress, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk. 

“The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture,” said Stu Sjouwerman, CEO, KnowBe4. “As integration partners for over a year with strong philosophical and cultural alignment, this acquisition is a natural progression for both companies to take human risk management and cloud email security to the next level.”

“KnowBe4 and Egress have a shared vision of delivering tailored and relevant security to each employee,” said Tony Pepper, CEO, Egress. “One of the biggest challenges organizations face is accurately identifying who the next source of compromise is – and why. By combining intelligence and analytics from integrated applications, companies can gain valuable insights across their entire cyber ecosystem, allowing them to focus on the risks that matter most.”

The announcement comes on the heels of significant achievements for both companies thus far in 2024. KnowBe4 recently announced its AI-native platform, Artificial Intelligence Defense Agents (AIDA), which incorporates advanced AI agents to power efficacy and speed. Recent notable awards include being recognized as a Top Software Winner by G2 and a winner of Energage’s Top Workplaces USA for 2024. Meanwhile, Egress launched its AI-powered Automated Abuse Mailbox in early April and received several award recognitions, including Security Innovation of the Year (Computing Security Excellence Awards), Best Email Security Solution, Best Data Leak Prevention Solution (SC Awards Europe) and Best Place to Work in the UK (Great Places to Work 2024).

The transaction is expected to close in the coming months subject to customary closing conditions and regulatory approvals.

Egress is backed by FTV Capital and AlbionVC. Citi served as exclusive financial advisor to Egress and Orrick, Herrington & Sutcliffe LLP served as legal counsel to Egress.

For more information on KnowBe4, visit www.knowbe4.com. For more information on Egress, visit www.egress.com. 

About KnowBe4   
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 65,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. The late Kevin Mitnick, who was an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Organizations rely on KnowBe4 to mobilize their end users as their last line of defense and trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email. 

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

KnowBe4 to Acquire Egress

PRESS RELEASE

Houston, Texas – Black Girls Do Engineer recently signed an Education Partnership Agreement (EPA) with the National Security Agency in an effort to continue playing a key role in developing science and technology talent for possible national security challenges.

The National Security Agency (NSA) partners with select universities and nonprofit organizations as part of the Agency’s Minority Serving Institution (MSI) Hacking 4 Intelligence (H4I) program. It is a program where the U.S. Government and industry partners, collaborate to solve national security problems. The program engages HBCU students and college bound students studying STEM disciplines.

Black Girls Do Engineer, a 501c3 nonprofit organization that provides access, education and resources to Black students K-12 in STEM was selected to participate because of its stellar reputation in hosting cohorts of students through various STEM subjects including co-ed HBCU and High School programs, utilizing Microsoft technology to do so.

The NSA’s collaborative H4I program is for students to have the opportunity to cultivate essential skills by deconstructing and analyzing NSA and Microsoft problem sets, all while collaborating and networking with government and industry partners. Students will form interdisciplinary teams and work to solve real-world NSA and Microsoft problem sets. At the end of a 12-week cohort, students exit the program with a minimum viable product ready for deployment.

“This partnership with NSA will allow our program to provide our cybersecurity resources and curriculum to Higher Education institutions through our developed BGDE digital infrastructure enhanced by Microsoft tools,” states Kara Branch the Founder and CEO of Black Girls Do Engineer.

Black Girls Do Engineer’s licensed STEM curriculum is committed to excellence in cyber defense education and research. Some of its programs include cybersecurity, artificial intelligence, data science and a host of technical training. Higher education programs include their design Badge A Thon event offered for college students.

“This collaboration will allow our national impact to reach new heights with higher education students,” concludes Kara Branch, Founder and CEO of Black Girls Do Engineer.

About Black Girls Do Engineer

As the fastest growing nationwide program for Black girls in STEM., BGDE has been dubbed “The Ivy League of Nonprofits.” The program is application-based and offers full-time membership-based STEM camps and workshops to Black girls in grades K through 12, with mentorship and individual workshops offered to college students up through age 21. The program currently has a 100% college acceptance rate and 100% job placement rate among its members. Since its launch in 2019, BGDE has served 4,000 girls though its program. The nonprofit has also helped secure its members $44,000 in STEM-related college scholarships.

BGDE futuristic programs of study include: A.I., Energy, Audio/Visual, Aerospace, Engineering, Medical, Robotics and Coding. Mentoring includes: College Prep, Financial Literacy, Upskilling, and Mentorship from professionals working in these fields offering real life experience.

Black Girls Do Engineer Signs Education Partnership Agreement With NSA

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

Source: Nico El Nino via Shutterstock

COMMENTARY

Picture this: It's a Saturday morning, and you made breakfast for your family. The pancakes were golden brown and seemingly tasted OK, but everyone, including you, got sick shortly after eating them. Unbeknown to you, the milk that you used to make the batter expired several weeks ago. The quality of the ingredients impacted the meal, but everything looked fine on the outside.

The same philosophy can be applied to artificial intelligence (AI). Regardless of its purpose, AI's output is directly related to the quality of its input. As the popularity of AI continues to rise, security concerns around the data being fed into AI are coming into question.

A majority of today's organizations are integrating AI into business operations at some capacity — and threat actors are taking note. Over the past few years, a tactic known as AI poisoning has become increasingly prevalent. This new malicious practice involves injecting deceptive or harmful data into AI training sets. The tricky part about AI poisoning is that, despite the input being compromised, the output can initially continue as normal. It isn't until a threat actor gets a firm grip on the data and begins a full-fledged attack that deviations from the norm become obvious. The consequences range from slightly inconvenient to damaging a brand's reputation.

It's a risk affecting organizations of all sizes, even today's most prominent tech vendors. For example, over the past few years, adversaries launched several large-scale attacks to poison Google's Gmail spam filters and even turned Microsoft's Twitter chatbot hostile.

**Defending Against AI Data Poisoning**

Fortunately, organizations can take the following steps to shield AI technologies from potential poisoning.

*   Build a comprehensive data catalog. First, organizations should create a live data catalog that serves as a centralized repository of information that is being fed to its AI systems. Any time new data is added to AI systems, it should be tracked in this index. In addition, the catalog should be able to categorize the data flowing into AI systems by the who, what, when, where, why, and how to ensure transparency and accountability.
    
*   Develop a normal baseline for users and devices interacting with AI data. Once the security and IT teams have a solid understanding of all of the data in AI systems and who has access to it, it's important to develop a baseline of normal user and device behavior.
    

Compromised credentials are one of the easiest ways for cybercriminals to break into networks. All a threat actor has to do is either play a guessing game or buy one of the 24 billion username and password combinations available on the cybercriminal marketplace. Once they have access, a threat actor can easily maneuver their way into accessing AI training datasets.

By establishing user and device baseline behavior, security teams can easily detect abnormalities that might be indicative of an attack. Often, this helps stop a threat actor before an incident escalates into a full-blown data breach. For example, say you have an IT executive who typically works from the New York office and who oversees the AI data training sets. One day, it shows that he is active in another country and is adding large amounts of data to the AI. If your security team already has a baseline of user behavior, they can quickly tell that this is abnormal. Then security could either talk to the executive and verify that he was performing the action or, if he wasn't, temporarily disable his account until the alert is thoroughly investigated to prevent any further damage.

**Taking Responsibility of AI Training Sets**

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data. AI intelligence is intricately linked to the quality of data it processes. Implementing guidelines, policies, monitoring systems, and improved algorithms plays a pivotal role in ensuring the safety and effectiveness of AI. These measures safeguard against potential threats and empower organizations to harness the transformative potential of AI. It is a delicate balance where organizations must learn to leverage AI's capabilities, while remaining vigilant in the face of the ever-evolving threat landscape.

**About the Author(s)**

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. He graduated from the United States Naval Academy in 2012, and received his Bachelor of Science in Aerospace Engineering. Tyler continued his education at Robert H. Smith School of Business, where he earned a Master of Business Administration in Accounting and Finance.

Tag

#intel