A previously unidentified threat group uses open source malware and phishing to conduct cyber-espionage on shipping and medical labs associated with COVID-19 treatments and vaccines.

A previously unknown threat actor that exclusively uses a slew of publicly available and living-off-the-land tools has been targeting Asia-based shipping companies and medical laboratories in an intelligence-gathering operation since October, researchers have found.

Dubbed Hydrochasma by researchers at Symantec, which is owned by Broadcom Software, the group as yet does not appear to have stolen any data, but seems to target industries that are involved in COVID-19-related treatments or vaccines for cyberespionage, Symantec's Threat Hunter Team wrote in a blog post published this week.

"While Symantec researchers didn't observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data," researchers wrote.

Judging by its tools and tactics, the group's chief motive appears to be achieving persistent access to victim machines without being detected, "as well as an effort to escalate privileges and spread laterally across victim networks," they noted.

Indeed, the lack of custom malware lends itself to this motive, Brigid O Gorman, senior intelligence analyst with Symantec Threat Hunter team, tells Dark Reading.

"The group's reliance on living-off-the-land and publicly available tools is notable," she says. "This may tell us a number of things about the group, including a desire to stay under the radar and make attribution of their activity more difficult."

**How Hydrochasma Attacks**

Researchers first were alerted to concerning activity on the victim's network when they noticed the presence of SoftEther VPN, a free, open source, and cross-platform VPN software often used by attackers.

Like many other threat groups, Hydrochasma appeared to use phishing as its means of initial access to a targeted network. Indeed, phishing remains one of the most successful ways for attackers to compromise networks, and it continues to grow and evolve at a fast clip.

In this case, the first sign of suspicious activity that researchers found on victim machines was a lure document with a file name in the organization's native language that appeared to be an email attachment for a freight company "product specification," they said. Researchers also found a lure that mimicked a resume for a "development engineer."

Once Hydrochasma gains access to a machine, attackers drop a Fast Reverse Proxy, a tool that can expose a local server protected by a network address translation (NAT) or firewall to the Internet. That in turn drops a legitimate Microsoft Edge update file. That's followed up by another file that's actually a publicly available tool called Meterpreter — which is part of the Metasploit framework — that can be used for remote access, researchers said.

**Everything But the Kitchen Sink**

In fact, in the campaign that researchers observed, the group bombarded the victim organization with what seemed like everything but the kitchen sink in a flurry of publicly available tools aimed to guarantee its presence and persistence on the network.

"It is relatively unusual to see an attack group using only open source malware in an attack chain, so this did make Hydrochasma's activity stand out to us," O Gorman notes.

Other tools being wielded by Hydrochasma in the attack included: Gogo scanning tool, an automated scanning engine; Process Dumper, which allows attackers to dump domain passwords; AlliN scanning tool, which can be used for lateral penetration of the intranet; and Fscan, a publicly available hacktool that can scan for open ports and more.

Researchers also observed Hydrochasma using Cobalt Strike Beacon, a legitimate pen-testing tool that attackers also have widely adopted for executing commands; injecting, elevating, and impersonating processes; and uploading and downloading files on victim networks. The group also deployed a shellcode loader and a corrupted portable executable in the attack.

Their assault on the victim network didn't stop there, however; additional tools that researchers observed being used in the attack included: Procdump, for monitoring an application for CPU spikes and generating crash dumps; BrowserGhost, which can grab passwords from a browser; the tunneling tool Gost proxy; Ntlmrelay for intercepting validated authentication requests to access network services; and HackBrowserData, an open source tool that can decrypt browser data.

**Avoiding Compromise**

Symantec included both file and network indicators of compromise in its blog post to help organizations identify if they're being targeted by Hydrochasma.

The extensive use of dual-use and living-off-the-land tools by the group highlights the need for organizations to have a comprehensive security solution to detect suspicious behavior on network machines, as well as stop malware, O Gorman says: "Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain," she tells Dark Reading. "Organizations should also be aware of and monitor the use of dual-use tools inside their network."

In general, Symantec also advises implementing proper audit and control of administrative account usage, as well as the creation of profiles of usage for admin tools, "as many of these tools are used by attackers to move laterally undetected through a network," O Gorman adds.

Hydrochasma Threat Group Bombards Targets With Slew of Commodity Malware, Tools

A novel threat group, utilizing new malware, is out in the wild. But the who, what, where, and why are yet to be determined, and there's evidence of a false-flag operation.

On Feb. 22, Symantec revealed evidence of a previously undocumented threat actor it's calling "Clasiopa." Clasiopa has been observed deploying a unique malware backdoor called "Atharvan" in its campaign against a materials manufacturer based in Asia.

"From what we can see, the main motivation of the attack was spying or information theft," Dick O'Brien, principal intelligence analyst at the Symantec Threat Hunter Team, tells Dark Reading. Symantec declined to elaborate on the nature of the victim, the files, or whether the attackers were successful.

**Clasiopa's Stealth Tactics**

Clasiopa's initial intrusion vector is not certain, "although," the researchers noted, "there is some evidence to suggest that the attackers gain access through brute-force attacks on public-facing servers."

The report highlights a few hallmarks of the attack, including checking the IP address of target computers, using "multiple backdoors to build lists of file names and exfiltrate them," clearing multiple event logs on the target system, and running a vaguely named task — "network service" — to list file names.

Two commercial programs also made their way into the maelstrom: the Agile File Distribution Management system, from developers Jiangsu Agile Technology in China, and Domino, from HCL software (though the latter may have been included coincidentally).

Altogether, these methods — the backdoors, the erased logs, the commercial software — begin to tell a story. "They're certainly an attempt at stealthy tactics," O'Brien says. "These kinds of tactics are by no means unique and a lot of similar threat actors will do something similar, with varying levels of success depending on their skills and resources."

"In this case," he adds, "they still left enough evidence behind to piece together much of what they'd done."

That said, some of the evidence the group left behind may have been intentional, meant to point researchers in a specific attribution direction.

**Who Is Clasiopa?**

The clues to learning about Clasiopa may lie in its unique malware, Atharvan — "a classic backdoor," as O'Brien says. "It allows the attackers to maintain an open communication channel with the infected computer, install additional tools, and send back information to the attackers."

Function aside, its name may be its most notable feature. The name derives from "SAPTARISHI ATHARVAN-101," a mutual exclusion object ("mutex") the malware creates after infecting a target machine, to ensure multiple copies of itself aren't running at once. "Saptarishi," in ancient Indian astronomy, is the word for the arrangement of stars in the Big Dipper. Atharvan is the name of a mythic Hindu sage.

And there was another breadcrumb indicating Indian origin. One of the passwords Clasiopa used for a zip archive was iloveindea1998^\_^.

However, these clues are actually _so_ obvious that they invite suspicion. "While these details could suggest that the group is based in India," the researchers hypothesized, "it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue."

Many other details about the group remain undisclosed or unknown. This may be in part due to the stealth tactics utilized in the campaign, some subtle and some overt. For now, threat analysts should stay tuned: To learn anything more about Clasiopa, we may need to wait until it strikes again.

Unanswered Questions Cloud the Recent Targeting of an Asian Research Org

Cybercriminals and hacktivists have joined state-backed actors in using sabotage-bent malware in destructive attacks, new report shows.

The increased use of disk wipers in cyberattacks that began with Russia's invasion of Ukraine early last year has continued unabated, and the malware has transformed into a potent threat for organizations in the region and elsewhere.

Researchers at Fortinet recently analyzed attack data from the second half of 2022 and observed a startling 53% increase in threat actor use of disk wipers between the third and fourth quarters of the year. The trajectory suggests there will be no slowing down any time soon, the security vendor said.

Russia-based advanced persistent threat (APT) groups — working in support of the country's military objectives in Ukraine — accounted for a lot of the initial surge in wiper use and continued activity last year. However, Fortinet's data shows that others, including financially motivated cybercriminals, hacktivist groups, and other individuals fueled the increase as well, especially toward the end of 2022.

Leading up to last year, wiper activity tended to be almost nonexistent, according to Geri Revay, security researcher with Fortinet's FortiGuard Labs. But since the conflict between Russia and Ukraine started, threat actor use of the malware has exploded, he says. 

"In 2022 alone we saw 16 different families targeted at 25 countries around the world," Revay says. "In the second half of the year, we also started seeing a new breed of wipers, with some even open source and on GitHub, making it much more readily available for advanced persistent cybercrime campaigns," he says.

**A Wiper Malware Medley**

Fortinet's report highlights several wiper families that it perceives as presenting a major threat to organizations based on threat actor use over the past year. Among the biggest of them is HermeticWiper, a wiper that erases and overwrites a compromised system's master boot record. The wiper first surfaced in attacks against Ukrainian organizations in 2021. Fortinet said it observed a significant spike in activity last year involving HermeticWiper in November that become even more pronounced in December.

Other wipers that the security vendor observed threat actors using widely in attacks last year include WhisperGate, a malware strain that looks like ransomware on the surface but has no data recovery mechanism; NotPetya; DoubleZero; and IsaacWiper. Analysts have previously identified Russia's military intelligence group as likely being behind WhisperGate. Interestingly, Shamoon, a wiper that was used in an attack that bricked thousands of PCs at Saudi Aramco more than a decade ago, also remained popular among actors last year. Fortinet's data showed Shamoon to be one of the most widely used wipers in destructive attacks last year.

Currently, the main motivation for the use of wiper malware appears to be focused around cyberwar and hacktivism, Revay says. But that doesn't mean threat actors won't use it in other ways, like using wipers to sabotage systems or to destroy evidence of a cybercrime.

"Sabotage is the most obvious reason to deploy a wiper," Revay notes. "Just as Stuxnet was used to destroy centrifuges to slow down Iran's efforts to develop nuclear weapons, wiper malware could be used to destroy data, sabotage development, cause financial loss, or just cause chaos." And using wipers to destroy evidence, while noisy, also gets the job done for attackers and is much simpler than removing all log files and malware, he says.

**New Breed of Wipers**

Fortinet's report is among several that have highlighted a sharp increase both in disk wiper use and disk wiper variety over the past year. While Fortinet's research showed that threat actors used 16 wiper families in attacks last year, another report from Max Kersten, a malware analyst at Trellix, identified more than 20 wiper families that threat actors used in destructive attacks last year.

Ukrainian organizations remain primary targets, as one recent attack against the country's main news agency involving the use of five separate wiper variants demonstrated. But organizations in other countries are under growing risk of attack, too. Fortinet, for instance, found WhisperGate and HermeticWiper were both most prevalent outside Europe. More organizations in Africa and Asia experienced attacks involving the two wiper families than organizations in Europe. And North America, overall, continues to experience the least wiper activity, the security vendor said.

"Most of the wiper attacks were targeting Ukrainian organizations in 2022, but that could easily have a spillover effect on other countries," Revay says. As an example, he points to one incident where an attack that targeted a Ukrainian satellite communication provider ended up taking 5,800 German wind turbines offline.

In terms of how to prepare and how to respond to a wiper attack, "it is very similar to a ransomware incident," Revay tells Dark Reading. "If the ransom is not paid, which is the recommended approach, a ransomware can be also considered a wiper, because without the decryption key the encrypted data is as good as lost."

Wiper Malware Surges Ahead, Spiking 53% in 3 Months

Ubuntu Security Notice 5883-1 - Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that an out-of-bounds write vulnerability existed in the Video for Linux 2 implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5883-1  
February 22, 2023

linux-hwe vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

Kyle Zeng discovered that the sysctl implementation in the Linux kernel  
contained a stack-based buffer overflow. A local attacker could use this to  
cause a denial of service (system crash) or execute arbitrary code.  
(CVE-2022-4378)

It was discovered that an out-of-bounds write vulnerability existed in the  
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-20369)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan  
and Ariel Sabba discovered that some Intel processors with Enhanced  
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET  
instructions after a VM exits. A local attacker could potentially use this  
to expose sensitive information. (CVE-2022-26373)

David Leadbeater discovered that the netfilter IRC protocol tracking  
implementation in the Linux Kernel incorrectly handled certain message  
payloads in some situations. A remote attacker could possibly use this to  
cause a denial of service or bypass firewall filtering. (CVE-2022-2663)

Johannes Wikner and Kaveh Razavi discovered that for some AMD x86-64  
processors, the branch predictor could by mis-trained for return  
instructions in certain circumstances. A local attacker could possibly use  
this to expose sensitive information. (CVE-2022-29900)

Johannes Wikner and Kaveh Razavi discovered that for some Intel x86-64  
processors, the Linux kernel's protections against speculative branch  
target injection attacks were insufficient in some circumstances. A local  
attacker could possibly use this to expose sensitive information.  
(CVE-2022-29901)

It was discovered that a race condition existed in the Kernel Connection  
Multiplexor (KCM) socket implementation in the Linux kernel when releasing  
sockets in certain situations. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2022-3521)

It was discovered that the Netronome Ethernet driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3545)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux  
kernel did not properly perform bounds checking in some situations. A  
physically proximate attacker could use this to craft a malicious USB  
device that when inserted, could cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2022-3628)

It was discovered that a use-after-free vulnerability existed in the  
Bluetooth stack in the Linux kernel. A local attacker could use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3640)

It was discovered that the NILFS2 file system implementation in the Linux  
kernel did not properly deallocate memory in certain error conditions. An  
attacker could use this to cause a denial of service (memory exhaustion).  
(CVE-2022-3646)

Khalid Masum discovered that the NILFS2 file system implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service or possibly execute arbitrary code. (CVE-2022-3649)

Hyunwoo Kim discovered that an integer overflow vulnerability existed in  
the PXA3xx graphics driver in the Linux kernel. A local attacker could  
possibly use this to cause a denial of service (system crash).  
(CVE-2022-39842)

It was discovered that a race condition existed in the SMSC UFX USB driver  
implementation in the Linux kernel, leading to a use-after-free  
vulnerability. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41849)

It was discovered that a race condition existed in the Roccat HID driver in  
the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2022-41850)

It was discovered that a race condition existed in the Xen network backend  
driver in the Linux kernel when handling dropped packets in certain  
circumstances. An attacker could use this to cause a denial of service  
(kernel deadlock). (CVE-2022-42328)

Tamás Koczka discovered that the Bluetooth L2CAP implementation in the  
Linux kernel did not properly initialize memory in some situations. A  
physically proximate attacker could possibly use this to expose sensitive  
information (kernel memory). (CVE-2022-42895)

It was discovered that the USB monitoring (usbmon) component in the Linux  
kernel did not properly set permissions on memory mapped in to user space  
processes. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-43750)

It was discovered that the Upper Level Protocol (ULP) subsystem in the  
Linux kernel did not properly handle sockets entering the LISTEN state in  
certain protocols, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-0461)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  linux-image-4.15.0-206-generic  4.15.0-206.217~16.04.1+1  
  linux-image-4.15.0-206-lowlatency  4.15.0-206.217~16.04.1+1  
  linux-image-generic-hwe-16.04   4.15.0.206.191  
  linux-image-lowlatency-hwe-16.04  4.15.0.206.191  
  linux-image-oem                 4.15.0.206.191  
  linux-image-virtual-hwe-16.04   4.15.0.206.191

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5883-1  
  CVE-2022-20369, CVE-2022-26373, CVE-2022-2663, CVE-2022-29900,  
  CVE-2022-29901, CVE-2022-3521, CVE-2022-3545, CVE-2022-3628,  
  CVE-2022-3640, CVE-2022-3646, CVE-2022-3649, CVE-2022-39842,  
  CVE-2022-41849, CVE-2022-41850, CVE-2022-42328, CVE-2022-42895,  
  CVE-2022-43750, CVE-2022-4378, CVE-2023-0461

Ubuntu Security Notice USN-5883-1

Sharing attestations on software supply chain data that are formed into a policy will give us a framework to interpret risk and develop compliance directives.

Companies are facing two major truths this year: More cybersecurity regulation and fewer resources.

For the former, it's about time. Cybersecurity needs baseline requirements and government regulations can be a useful forcing function. It's encouraging to see a renewed focus on areas that need real attention, especially software supply chain security. Considering the latter, it means companies are facing a steep climb ahead to implement these new regulations in a year of economic uncertainty. Nonetheless, regulations are here, more regulations are coming, and companies need to adapt.

In a recent article, I discussed a few issues with the software bill of materials (SBOM) format as a standard, which includes:

*   Requirements vs. optional fields

*   Complete lack of provenance consideration

But this year, the biggest hurdle will be adoption.

**The Software Vendor Adoption Problem**

ACMECorp is an example of a company that produces software products. We'll refer to one of its products as "Anvil" and its customers as "Clients."

Clients want ACMECorp to release its SBOMs for Anvil so Clients can understand if they're affected by software supply chain issues, vulnerabilities, or license risks. Clients also want to be able to understand quickly if they're affected as new issues arise.

Regulatory bodies want to require ACMECorp to release SBOMs so Clients can be better informed. ACMECorp may very well _want_ to provide this information to Clients as well, but this is a massive undertaking.

For all software products, ACMECorp will now need to:

1.  Identify all software components used as dependencies. This is at minimum dozens and at most tens of thousands of individual software components.
2.  Identify all the _potential_ security issues. This includes a security audit of a product and all of its dependencies.
3.  Investigate each potential security issue and determine ACMECorp's response, which will range somewhere between "we have to fix this now" and "not applicable." The resulting analysis from the software security team charged with performing this work will inevitably meander through teams of lawyers to determine exposure and risk. This is crucial, because ACMECorp will need this information to:
4.  Stand up a new department to handle the barrage of inevitable questions and challenges from Clients to the responses developed.
5.  Release SBOMs to Clients with as little detail as possible to protect intellectual property and limit exposure.
6.  Do the entire process again for every version that is released, in perpetuity, and keep historical records.

It's a heavy lift, but ACMECorp will need to have a version of the above (or at least a start to it) that it expects Clients to accept.

**The Client Adoption Problem**

Clients that wish to consume Anvil's SBOM (and hundreds or thousands of other SBOMs) now have a huge additional workload to adopt any technology.

Companies already have a vulnerability management problem, and this will multiply the burden. As SBOM is a self-reporting mechanism, Clients will not be inclined to simply rely on an SBOM as an authoritative source of truth. Instead, they will require their already overburdened application, product security, and legal teams to find ways to validate ACMECorp's SBOMs after each release.

**Let's Aim for the Better**

I'm bullish on the goals of SBOMs. We must have a complete, up-to-date inventory of components used in a software product. We must understand the implications of security events and issues and how they affect companies, governments, and users. My hope is that we can work together to build a far better process than we have with the current iteration of SBOM.

First, we must release ourselves from the idea that simply sharing data from vendor to customer will solve the challenges SBOM hopes to address. As I outlined above, it is guaranteed only to make additional work. Instead, we should think about how we can share _attestations_ on software supply chain data.

Vendors want to show customers their products' security posture is well-defended. Customers want to have assurance that the security posture of third-party products and services aligns with their threat model and risk tolerance. These goals are achieved by interpreting the software supply chain data and answering questions relevant to the goals. The context around the data is key to these outcomes.

A huge amount of the security goals vendors and customers hope to answer can be codified, then constructed into policies that can be agreed upon by vendor-to-consumer relationships. The tests or attestations for these policies can be open source, with collaboration from both the security and development industries. This will allow open understanding of the value of the attestations, and their weaknesses that can be improved upon. It can give us a shared framework to interpret software supply chain risk.

Groups of attestations in the form of a policy can be quickly tested as vendors develop software to plan for the end-state requirements. Customers can use this to rapidly understand the software supply chain risk of a vendor's product. That might mean opting for an on-premises version hosted in a controlled environment, or contract requirements to better meet the needs of the customer, but it gives vendors and customers a common taxonomy to better align with each other.

Attestations and policies allow us to effectively build compliance directives in a way that vendors can manage through the product and software development life cycle. Changes to attestations can be scheduled and road-mapped without piles of meetings to coordinate individual issues. These compliance directives can be rapidly evaluated to understand regulatory impact, which we know to be on the horizon anyway. These attestations can extend to show transparency and provenance of the vendor data provided as input. Overall, this gives us the required common ground to build trust.

Finally, an enormous part of this process can be automated. We can much more effectively focus the time of our security and development teams where it's needed, instead of preparing and consuming a never-ending stream of SBOM data dumps.

Cheers to the year of the SBOM. We're all in this together.

This Will Be the Year of the SBOM, for Better or for Worse

Lawmakers are increasingly hellbent on punishing the popular social network while efforts to pass a broader privacy law have dwindled.

“We hope that Congress will explore solutions to their concerns about TikTok that won’t have the effect of censoring the voices of millions of Americans,” says TikTok spokesperson Brooke Oberwetter. “The swiftest and most thorough way to address national security concerns is for CFIUS to adopt the proposed agreement that we worked with them on for nearly two years. That plan includes layers of government and independent oversight to ensure that there are no backdoors into TikTok that could be used to access data or manipulate the platform. These measures go beyond what any peer company is doing today on security.”  

Over in the House, Rubio’s tough-on-tech allies just got new job titles and powers. Representatives Mike Gallagher of Wisconsin, a Republican, and Raja Krishnamoorthi of Illinois, a Democrat, are now the chair and ranking member, respectively, of the new House Select Committee on China established by Speaker Kevin McCarthy. While their new roles go beyond tech and TikTok, the two are eager to use their new perch to punish TikTok, in part, for stonewalling Congress.

“Part of the reason there’s not good data is \[that\] TikTok hasn’t responded to basic questions,” says Gallagher, who’s advocating for TikTok to be fully divested from ByteDance. “We’ve asked for transparency around their algorithms in general. There’s this question about how they intended to use their location tracking service that they would never really answer.”

Bipartisanship has been key to anti-TikTok efforts, but conservatives—and the GOP’s powerful messaging machine—have rallied around what, to them, is a glaring new national security threat. While US tech firms are now the punching bag for America’s right who accuse them of “censoring” them, most Republicans say this TikTok debate supersedes domestic political and corporate squabbles. They say there’s no comparing Silicon Valley to ByteDance.

“Can we just admit that the Chinese Communist Party is an adversary and Silicon Valley is not an actual adversary?” says senator Kevin Cramer of North Dakota, a Republican. “There are similar issues, but they’re not the exact same issues. The Chinese Communist Party is an adversary. Silicon Valley is an unruly child.”

Whether the fears are warranted or ungrounded, Congress isn’t even having the right debate, according to Senate Finance Committee chair Ron Wyden, a Democrat from Oregon. “Banning TikTok would be a godsend for sleazy rip-off data brokers,” the Oregon Democrat says. “TikTok is one piece of the puzzle, but don’t miss the overall challenge—because until you reign in these data brokers … you’re going to have all kinds of people’s personal data in America still on its way to China and hostile powers.”

Nevertheless, bipartisan anti-TikTok energy remains palpable in DC, especially because the app is so popular, with around 113 million users in the US, according to web analytics firm Statista. And with Beijing’s proven willingness to use technology to control its own citizens, US policymakers fear the CCP will soon distort the world for millions of unsuspecting Americans. 

“If you can dial these algorithms to say what kind of content \[people see\], it’s hugely problematic in terms of a propaganda tool,” Warner, the Senate Intelligence Committee chair, says.  

Warner supports reining TikTok in, but he remains skeptical of these new efforts to outright ban the app. He’s been left holding his tongue while awaiting more detailed information and a potential policy solution from the Justice Department. It’s not an either-or, though, according to privacy advocates in Congress. While they argue TikTok is the immediate concern, they also want to regulate Silicon Valley.

“I think there’s a need for both. We still need to get a big privacy bill,” Democratic senator Maria Cantwell of Washington says.

Cantwell chairs the Senate Commerce Committee, which is where many of these bipartisan efforts have died, in part because she’s demanded a higher federal privacy standard—or at least one that doesn’t supersede stout state laws, like California’s—than Republicans have been willing to accept. She says the reason the TikTok ban sailed through in December is that the government funding bill was “held hostage over it” by the GOP.

“With Big Data, there can be abuses, and we need to rein it in. Period,” Cantwell says. “There’s just a lot more work to be done, and my colleagues have to have the same bipartisan zeal to address those issues.”

Why the US Congress Wants to Ban TikTok

Despite increased threats, an uncertain economy, and increasing automation, your organization can still thrive.

When the vulnerability in Log4j happened, security teams sought the answer to a seemingly simple question: Am I vulnerable?

Answering that question led to a maelstrom of activity. Security groups requested information from vendors about their level of vulnerability and, in turn, had to respond to their customers about whether they were vulnerable. In many ways, the entire exercise seemed more about legal obligations than making people more secure.

The deluge of information — some of it useful, some of it useless — highlighted the need to rethink how we are doing security in the future.

We're living in a chaotic time. With a possible recession, technology companies trimming their ranks, and businesses pushing further into the cloud and adopting more automation and AI, security teams need to re-evaluate. Do they just follow the traditional playbook without thinking why? Or do they improve what they are doing to make security better?

Here are some focus areas to reduce chaos and increase overall security effectiveness.

**Simplify for Greater Visibility**

Gaining visibility into your applications and infrastructure is essential. Companies expanding their use of the cloud and converting applications to cloud-native infrastructure often see initial growing complexity because of a period of redundancy and hybrid infrastructure.

Pushing beyond that stage provides both cost and security benefits. Limiting the use of third-party tools to capture and analyze data for security teams is important. There's really no reason to, say, pull NetFlow data off the cloud infrastructure, when that same data — and more — is natively available.

Explore your cloud service provider's tools. Major cloud providers will often provide you detailed data, and you can reduce the complexity of the infrastructure needed to analyze that data.

**Pay Attention to Even the "Small" Breaches**

When NASA astronauts start getting emails in French, it's time to investigate.

That's what happened to Gavin early in his security career. Turns out two students in France were using Telnet to get into the NASA server and using it to send email. The incident ended up driving a greater project around making sure NASA had a robust data classification system and better data isolation.

Weird anomalies can be signs of an attack, but they can also drive a security team to better understand their organization's infrastructure. Investigations are time consuming but also often worthwhile, so even the small stuff should be investigated.

**Threat Intelligence Can Help**

Usually, a security team's most precious commodity is time. The old method of analyzing every IT project (even as they are changing) and looking for security issues is untenable.

Threat intelligence can help cut through the noise. By using threat intelligence, your security team can take a priority-based approach to architecture based on real-world attack intelligence. At the same time, they can deprioritize other areas. Threat intelligence can also help refine your playbooks and increase the maturity of your security team.

**Thriving With Automation, Planning for Layoffs**

Security teams are facing other sorts of stress, with most economists expecting a recession. Security teams still need to be able to perform, despite stressors and even in the face of losing some of their headcount.

To focus on the most important aspects of security, even with fewer people, companies need to adopt more automation, machine learning, and artificial intelligence. Every team should be asking how to speed up manual tasks with automation. Automation, correctly applied, can free up staff to be working on the areas.

In the past, security teams have been considered a roadblock — a bump on the way to a company's core business of making money. Most teams have moved past the reflexive need to say no. We're here to make sure that the business is taking educated risks, but at the end of the day, just saying no to everything doesn't help anyone.

As every security manager surveys the horizon, they need to look at how they have traditionally approached problems. And they should consider whether now is time to say yes to something new.

Headwinds Don't Have to Be a Drag on Your Security Effectiveness

It's a banner year for attacks coming through traditional email as well as newer collaboration technologies, such as Slack and Microsoft Teams. What's next?

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

That's according to the "State of Email Security" (SOES) report, based on a survey of 1,700 IT professionals published by Mimecast this week. The report also found that the most significant email-borne threats continue to be phishing, ransomware, and spoofing. 

Two-thirds of respondents acknowledged a successful ransomware attack, with companies in certain industries more likely to be a victim, including consumer services (87%), energy (83%), healthcare (80%) and the media and entertainment (86%) sectors. On the spoofing side, 91% of those surveyed had seen attempts to steal or use their email domain in an attack, according to the survey.

The increased concern about cyberattacks via email and collaboration platforms comes as companies have shifted to hybrid work environments, making tools like Slack and Microsoft Teams popular ways of exploitation by opportunistic cybercriminals. Nearly three-quarters of companies surveyed feel it is likely or extremely likely that their company will suffer an attack delivered through their collaboration tools, according to the study, which was conducted by market research firm Vanson Bourne.

"While email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate," the report stated. "And this, in turn, creates even more risk for CISOs and their teams to manage."

Though certainly not a new area, attacks on messaging and collaboration software are a growing source of compromise for companies. In its quarterly "Phishing Activity Trends Report," the Anti-Phishing Working Group (APWG) detected 1.3 million attacks in third quarter of 2022, up from 1.1 million phishing attacks in the second quarter of 2022. Attackers are also getting better at fooling defenses and sneaking into users' inboxes, with 19% of phishing attacks bypassing platform defenses, according to a report released in October.

With the ramped-up activity comes more awareness, at least. "More \[company\] leaders are increasingly aware of the dangerous ramifications cyberattacks pose against their business," says Thom Bailey, senior director of strategy at Mimecast. "However, organizations are still behind the curve in terms of security posture."

**Collaboration Tools Expand Quickly**

Collaboration tools represent an expanding attack surface area, according to the SOES survey. While the vast majority of professionals (90%) maintain that collaboration tools are essential to their company's workflow, keeping up with the installed base of tools is "overwhelming," according to those polled. Two-thirds of professionals (67%) are overwhelmed by the number of tools, and more than half (55%) have to attempt to detect and manage tools downloaded by workers without approval.

That said, whether the attacker uses email as their vector, or Slack or Teams, the end goal is the same, Bailey says.

"It’s important to remember that even though the attack vector is slightly different, the human end user is still the key target," he says. "The majority of attacks targeting collaboration channels leverage the human element, where an adversary makes a compelling appeal for a recipient to engage with the attacker."

On the email side, more companies are adopting email security specifications, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) to prevent spoofing. To protect their domains, 88% of survey respondents would like to use the DMARC standard to make their email more resilient to spoofing attacks. Unfortunately, only a bit more than a quarter (27%) have actually deployed the features, according to the SOES survey.

**Can ChatGPT Help With Phishing as Well?**

While anti-spam engines are among the earliest applications of machine learning to cybersecurity, most professionals aim to go further, with 92% either using or planning to use artificial intelligence (AI) features and machine learning (ML) to bolster their current defenses. Doing so can help cybersecurity teams keep up with attackers, Bailey says.

"When combined with natural language processing tools such as auto-encoders or large language models, \[AI\] can help detect anomalies in the writing style and communication patterns of inbound emails, blocking messages and alerting employees accordingly," he says. "It also helps reduce human error ... further enabling strained IT teams ... to offset critical workforce challenges by automating repetitive tasks and streamlining workflows to drive higher levels of efficiency."

The SOES survey included professionals from companies of various sizes, including 15% with fewer than 500 employees, 76% with between 500 and 10,000 employees, and 9% with more than 10,000 employees. The top industry sectors represented by the survey professionals included financial services (14%), technology and telecommunications (13%), retail (13%), and healthcare (11%).

Phishing Fears Ramp Up on Email, Collaboration Platforms

Technology tuck-in enhances industry's broadest XDR security platform.

**DALLAS****,** **Feb. 22, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has announced the signing of a definitive agreement to acquire Anlyz, a leading provider of security operations center (SOC) technology. The acquisition will extend Trend's orchestration, automation and integration capabilities and will enable enterprises and Managed Security Service Providers (MSSPs) to improve operational efficiencies, cost effectiveness and security outcomes.

The deal encompasses intellectual property, industry expertise and more than 40 technical employees all focused on bolstering Trend's security platform strategy. With this acquisition, the company will expand its engineering team of over 3000, adding a new research & development center in Bangalore, India.

Managed Security Service Providers (MSSPs) will be empowered to grow their strategic SOC services while minimizing the complexity of the underlying security stack by reducing the number of technology vendors needed. Trend's enterprise customers will benefit from a comprehensive extended detection and response (XDR) and incident response orchestration platform that can maximize analyst productivity and help relieve resource constraints.

Gartner research stated, "As buyers, both end customers and service providers, continue to consolidate vendors/providers, buyers will seek best-of-suite and integrated solutions over best-of- breed point solutions. Preferred technology vendors will be those that ease integration with other IT and security technology and tools within the environment, supporting efforts toward use-case-based outcomes."\[1\]

"We are happy to welcome the Anlyz team into the Trend family – together we are increasing SOC effectiveness and reducing both the technology and resources burdens," said Kevin Simzer, Chief Operating Officer at Trend Micro. "Due to market pressure, we see organizations moving past security point-solution experiments in preference for platform breadth that allows for vendor consolidation, maximized return on investments and efficiencies."

Trend Micro and Anlyz have been technology alliance partners since 2021 and share more than 30 joint customers that are positioned to move forward quickly to capitalize on the opportunities ahead.

\[1\] Gartner®, Emerging Trends: Future of Security Services, Shawn Eftink, John Collins, November 2021 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Eventus TechSol is one of the many MSSPs powering joint customers delivering measurable "XDR Powered SOC" improvements for clients. "We have reduced the mean-time-to-detect and mean-time-to-respond ratio, down from weeks to hours for incidents," said Jay Thakker, Practice Head at the company. "We use playbooks for log enrichment and automated response as well as threat intelligence and threat hunting capabilities provided by the platform to proactively hunt for known and behavioral attacks."

Anlyz has primarily focused on security orchestration and case management delivering powerful SOAR capabilities for MSSPs to manage the incident response process across multiple clients. It also offers intelligent log aggregation enabling data ingestion and enrichment across a range of data sources and security solutions, using a high performance, scalable architecture. Trend will leverage Anlyz's SOAR solution and rich set of product connectors to broaden its platform and enable additional integration and automation options across customers' IT ecosystems.

Trend's MSSP channel customers will benefit from:

*   An anchor technology platform to manage the SOC function for their clients
*   A reduced requirement to architect individual custom solutions for their customers, thanks to an integrated core stack and multi-tenant view out of the box
*   Visibility, analysis, and automation across Trend, third-party products, and customer instances, making it easier to manage XDR across multiple customers
*   A scalable, flexible, and feature-rich platform to appeal to all types of customers no matter the size and complexity of their IT environment

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These forward-looking statements include, but are not limited to, statements concerning the future plans or prospects for the acquisition. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

The Gartner Report(s) described herein, (the "Gartner Report(s)") represent(s) data, research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Each Gartner Report speaks as of its original publication date (and not as of the date of this Prospectus) and the opinions expressed in the Gartner Report(s) are subject to change without notice.

SOURCE Trend Micro Incorporated

Trend Micro Acquires SOC Technology Expert Anlyz

Attackers are now using multiple types of distributed denial-of-service (DDoS) attacks to take down sites. Here are some ways to defend and protect.

Distributed denial-of-service (DDoS) attacks occur when an individual device, known as a bot, or a network of devices, known as a botnet, is infected with malware. These bots or botnets flood websites with increased traffic volumes over a period of hours or even days in an attempt to take services offline. Recently, hacktivist groups have begun leveraging DDoS attacks to extort site owners for financial, competitive advantage, or political reasons. This can represent a serious threat for enterprise businesses.

Planning and preparation are key to developing an effective DDoS defense. But first you need to understand how these attacks work.

**DDoS Attack Types**

New DDoS attack vectors emerge every day thanks to innovative artificial intelligence (AI) technology and a growing cybercrime ecosystem. But in general, there are three main types of DDoS attacks, each of which encompasses a variety of cyberattacks. The first is known as a volumetric attack, which primarily focuses on bandwidth and is designed to overwhelm the network layer with traffic. For example, domain name server (DNS) amplification attacks leverage open DNS servers to flood a target with DNS response traffic.

Another type of DDoS is a protocol attack, which exploits weaknesses in Layers 3 and 4 of the protocol stack, targeting critical resources. For example, synchronization packet floods (SYN) will consume all available server resources as a way to make servers unavailable.

Finally, a resource layer attack disrupts data transmission between hosts by targeting web application packets. For example, SQL injection attacks will insert malicious code into strings. These strings are subsequently passed to a SQL server to be parsed and executed.

And while these categories can cover a broad range of DDoS attacks, security teams also need to be aware that cybercriminals can compromise their networks by using multiple attack types from different categories.

**Protecting Against, Responding to DDoS Attacks**

When websites or servers go down, companies risk losing sales and customers, incurring high recovery costs and damaging their reputations. In some regions and industry sectors, they may even be subject to penalties and fines. Here are four ways to respond to DDoS attacks.

**1\. Evaluate Your Risks and Make Sure You're Protected**

The first step is to identify the publicly exposed applications within your organization. Make sure you note typical application behavior patterns so you can identify anomalies and respond accordingly. Because DDoS attacks typically spike during peak business seasons, such as the holidays, organizations should look for scalable DDoS protection services with advanced mitigation capabilities. Specific service features include traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.

**2\. Get Prepared With a DDoS Response Strategy**

One proactive measure that all companies should take is to develop a rapid response strategy. Start by forming a DDoS rapid response team that knows how to identify, mitigate, and monitor attacks. This team should also be able to work with internal stakeholders and customers.

**3\. Identify Potential Weaknesses**

Use attack simulations to understand how your services will respond in the event of an attack. These simulations should confirm that your services or applications will be able to function normally without disrupting users' experiences, and they should happen during off-business hours or within a staging environment to minimize business impact. When conducting an attack simulation, make sure you identify potential technology and process gaps to inform your DDoS response strategy.

**4\. Respond, Learn, Adapt In the Face of Attacks**

In the event of an actual DDoS attack, contact an established DDoS response team or other technical professionals to conduct your attack investigation and post-attack analysis. This retrospective analysis is especially critical as it can help to clarify whether service or user disruptions were due to a lack of scalable architecture. Focus your evaluation on which applications or services experienced the greatest disruptions, as well as the effectiveness of your DDoS response strategy.

Of course, DDoS attacks are just one type of emerging cyberthreat. For more information on ongoing cybersecurity developments and best practices, check out Microsoft Security Insider.

Tag

#intel