Any multifactor authentication adds protection, but a physical token is the best bet when it really counts.

In August,  the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn't burrow deeper into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers. 

Cloudflare wasn't the only company high on the security protection of hardware tokens, though. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser announced hardware key support for Android.

The protection isn't new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.

“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.” 

Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can't simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it's usually not the end of the world, because someone who finds it won't know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.

You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.

Meanwhile, after years of work, the tech industry finally took major steps in 2022 toward a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don't use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren't going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.

“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”

While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you'll get plenty of mileage from just using them on a couple of, ahem, _key_ accounts.

The Password Isn’t Dead Yet. You Need a Hardware Key

The toasts, triumphs, and biggest security wins of the year

The toasts, triumphs, and biggest security wins of the year

  

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Yesterday we showcased the year’s biggest fails – the security disasters, industry calamities, and the emergence of vulnerabilities so stupid they’ll make your eyes roll.

Today, we’re celebrating the times that organizations, governments, and the infosec community have shown laudable skill, judgement, and commitment to better securing the cyber sphere in 2022.

**CCFA changes**

This year saw major progress made in protecting ethical hacking from unfair legal consequences. Current laws worldwide often enable prosecution of security researchers motivated to protect rather than harm users, creating risks for ethical hackers in the course of doing their job.

In the US, the Department of Justice (DoJ) announced it will no longer prosecute security researchers who act in “good faith” under a landmark revision to its policy regarding computer crime laws.

The amendment, announced back in May, laid out changes to prosecution criteria under the Computer Fraud and Abuse Act (CFAA).

Good faith in this case refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.

RELATED Stupid security 2022 – this year’s infosec fails

**Decriminalizing UK ethical hackers**

Across the pond, UK legislators proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill back in June that would give cybersecurity professionals a legal defence for their activities under the Computer Misuse Act (CMA).

Critics argue that the law, which came into effect in 1990, is outdated and unduly prosecutes security researchers, ethical hackers, and pen testers who responsibly hunt for or report vulnerabilities.

Campaigners continue to call for legal clarification of legitimate hacking activities, which they argue include responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

The UK government continues to hold talks on the proposed law changes. A call for information was closed in September.

**Making disclosure smoother**

Progress was also made in helping security researchers to make the vulnerability disclosure process smoother.

HackerOne encouraged customers to adopt its new standard policy, released in November, that goes further to protect hackers from legal problems.

The Gold Standard Safe Harbour agreement “is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”, said HackerOne.

“This standardization also reduces the burden on hackers for parsing numerous different program statements.”

Catch up on the latest bug bounty news

Meanwhile, the maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference in November.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

**In defence of Ukraine**

The Russian invasion of Ukraine dominated headlines this year, and as individuals across the world stepped up to help, so did the hacking community.

In March, Hackers Without Borders (HWB) a Geneva-based non-governmental organization (NGO), was launched to offer emergency infosec assistance to other NGOs and providers of critical services affected by conflicts around the world.

Staffed by volunteer hackers and infosec experts, the organization helps individuals or organizations handle the fallout of cyber-attacks, protect them from further assaults, and bolster their cyber-resilience – free of charge.

In an interview with The Daily Swig, co-founder Florent Curtet said: “We are here to be like firefighters for people, companies, institutions that don’t have the money, skills, or information to protect themselves from today’s digital threats.”

Also speaking in defence of Ukraine, WithSecure’s Mikko Hyppönen told the cybersecurity company’s first ever conference attendees this year that “Russia is trying, but it is largely failing”, in its efforts to ignite cyberwarfare.

Speaking at Sphere 2022 in neighbouring Finland, Hyppönen said: “Taking a stand here is really simple, it’s really obvious. I think we all choose to stand with Ukraine. We choose to stand with democracy, and we choose to stand against evil.”

**Back to Hacker Summer Camp**

This year saw the return of in-person conferences, in particular Black Hat, which was held online in previous years due to the coronavirus pandemic.

In May, Black Hat Asia attendees in Singapore heard keynote speaker Samir Aran warn that “if democracy is to survive, technology will have to be tamed”.

At Black Hat USA, held in Las Vegas in August, former CISA director Chris Krebs also spoke out about geopolitical tensions, urging organizations worldwide to bolster their online infrastructure amid Taiwan tensions.

And at Black Hat Europe, held in London in November, renowned security researcher Daniel Cuthbert told attendees that a defendable internet is possible – “but only with industry makeover”.

The conferences also saw the release of various hacking tools built by the community for the community.

**Securing the open source ecosystem**

Finally, efforts to secure the open source supply chain were ramped up for 2022, with a number of new initiatives launched.

The Secure Open Source Rewards (SOS.dev) scheme was set up to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

The Open Source Security Foundation (OpenSSF) also launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.

And a summit held at the White House resulted in a plan to better secure the government’s software supply chain, in the wake of the Log4j incident back in 2021.

DON’T MISS Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

Security done right – infosec wins of 2022

Concerns about recessionary trends impacting the cybersecurity sector in 2022 remained largely unfounded in Q4, as investment activity surged after a Q3 slowdown.

Mergers and acquisition (M&A) activity and investments in cybersecurity picked up once again in the fourth quarter after dropping off somewhat sharply in Q3. The activity put the sector on track to close out the year in better shape than many had expected, with overall funding topping 2020's pace (even though it dipped compared to 2021).

"M&A and financing deal count and volume in 2022 are still above 2020 levels despite current economic uncertainty," says Eric McAlpine, managing partner at Momentum Cyber. "Cybersecurity is still a very active market relative to historical levels over the past decade."

McAlpine says Momentum tracked a total of 37 M&A deals in Q4 through November. That compares to 50 total acquisitions in Q4 2021.

"M&A activity in the cybersecurity services market continues to be higher than any other sector in the industry," he says. In fact, M&A volumes in 2021 and 2022 year-to-date in cybersecurity services top total volumes for the previous five years combined, he adds.

To boot, McAlpine predicts that M&A activity in cybersecurity will continue its momentum in 2023 as startups run into challenges with raising more capital, or run out of money, or adjust their valuation expectations downward. He predicts a "sea change in thinking by investors away from growth at all costs to funding profitable growth."

**M&A Activity Regained Momentum After 3Q Slowdown**

Two major cybersecurity acquisitions in October had an outsize impact on overall deal volumes in the last quarter of the year. One was Vista Equity Partners' $4.6 billion acquisition of KnowBe4 on Oct. 12. Like many other private equity (PE) firms, Vista plans to make the publicly traded KnowBe4 a private firm once the acquisition is complete.

The other major fourth-quarter deal was PE giant Thoma Bravo's all-cash purchase of ForgeRock for $2.3 billion on Oct. 11.

But that's not to say there weren't other significant deals during the quarter. As examples, McAlpine points to Palo Alto Networks' $195 million acquisition of Cider Security in November; Proofpoint's purchase of Illusive for an undisclosed sum in December; and 1Password's acquisition of Passage in November, for an unknown sum.

According to numbers that S&P Global Market Intelligence tracked, the first three weeks of October alone saw more M&A money move through the cybersecurity sector than the entire third quarter.

"Between Oct. 1 and Oct. 24, cybersecurity acquirers disclosed an aggregate $6.90 billion in deal values from nine announced transactions," the analyst firm said in a recent market report. In comparison, the aggregate deal values for all M&A transactions with disclosed values during the third quarter was just $3.06 billion — down more than 75% from the $13.77 billion during the same period in 2022, S&P Global Market Intelligence said.

**A Flurry of Funding Activity**

Meanwhile, the last quarter of 2022 also had its fair share of funding activity in the cybersecurity sector. Notable examples include Arctic Wolf's closing of a $401 million convertible notes offering in October; Drata's $200 million Series C funding round in December that valued the firm at $2 billion; and a BlackRock-led $120 million pre-IPO financing round in Versa Networks.

"Keeping in mind that the year is not over yet, there have been 396 funding rounds totaling $16.6 billion in new investments" in 2022, says Richard Stiennon, chief research analyst at IT-Harvest. "While this does not match last year's $24 billion, it exceeds the record funding of 2020 by 60%."

The numbers are not too shabby for a year for which disaster was predicted, Stiennon notes: "And the year is not over. I would not be surprised if we hit $17 billion."

By IT-Harvest's count, there were nearly two dozen cybersecurity funding rounds disclosed in the last three months of 2022. These included a $196.5 million series G funding round at Snyk that valued the firm at a $7.4 billion; NetSPI landing $410 million in growth funding; and Akeyless raising $65 million for its secrets management technology.

Data that Momentum tracked showed that through the end of November, the most active sectors for M&A deals were managed security service providers; risk and compliance; and security consulting and services segments. The most active segments for financing deals during the same period were risk and compliance; identity and access management; application security; and network and infrastructure security.

**The Impact of Industry Activity on Enterprise Security Teams**

Marc van Zadelhoff, CEO at Devo, expects that the cybersecurity market will weather any recession that might materialize, better than other sectors.

"In the second half of 2022, security was the last industry to observe a slowdown in spending, let alone IT spending," he says. "Before midway through 2023, I firmly believe that security will be the first industry to emerge out of the recession, given the explosion of data and threats and the need for a solid security posture."

However, security teams must show their capabilities and provide immediate ROI, van Zadelhoff says. "Now is the time to lay the groundwork for cybersecurity investment and for security decision-makers to learn the language of the CFO and practice their cyber pitch."

At the same time, some say a prolonged recession — or fears of one — could put a damper on security spending and trigger other changes in the industry over the next year and in the short term. They advocate that enterprise security team be aware of the potential implications of these changes and be prepared for them.

Security teams, for instance, need to be prepared to show measurable return on investments and do more with less in situations where their organizations might be looking to cut security spending, says Richard Caralli, senior cybersecurity advisor at Axio.

This is in anticipation of a slowdown in core spending in 2023 on technology acquisition, which could lead to some contraction in certain cybersecurity sectors and more potential consolidation and acquisition activity.

"At that point, you can expect to have to reevaluate any technologies that are caught up in these activities," Caralli says.

The fact that CISOs and people in charge of purchasing decisions are increasingly looking for more integrated platforms could be another driver for funding activity in the cybersecurity sector in 2023.

"The cybersecurity market is approaching bloated status," says Hank Thomas, CEO at Strategic Cyber Ventures. "There are far too many vendors chasing the same dollars with comparable technology. PE firms and other later-stage investors are looking to bring in larger players to serve as anchors for rollups and bolt-on acquisitions. This will create new more comprehensive, cost efficient, and effective security platforms."

New Year's Surprise: Cybersecurity M&A, Funding Activity Snowballs in Q4

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

**Published Firmwares in 2022**

**V2.01 : 11.11.2022**

2304

Bug fix

Moxa Real TTY driver update

2397

Security

OpenSSL: fix CVE-2020-1971

2406

Security

PAM: fix 'Empty Password improper authentication' (CWE-287)

2424

Bug fix

DA-820 and DA-820C: fix 'empty slot' command

2438

Bug fix

DA-820C: fix network error messages at bootup

2442

Security

sudo: fix CVE-2021-3156

2455

Security

OpenLDAP: fix multiple CVE

2464

Bug fix

Cellular modems: fix USB disconnect/connect problem

2470

Security

OpenSSL: fix multiple CVE (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

2482

Bug fix

Postgres: fix the running state view

2491

Bug fix

Firmware update: improved the management of the postgresql service

2556

Add-on

Virtual: VirtIO NIC driver added for some KVM based hypervisors

2560

Add-on

DA-820C: support for I350-T4 and CP102U cards added

2561

Bug fix

DA-820C: fix comment update on slot 2

2590

Bug fix

Mono: moved "ApplicationData" and "CommonApplicationData" folders to /opt partition

2620

Bug fix

DA-820C: improvement of the firmware update (TPM related)

2743

Add-on

APU2: support for additional serial ports from P3

2812

Bug fix

IG2: fix EtherCAT driver for ARM64.

2857

Security

DA-820C: SysRq commands disabled

2858

Bug fix

Boot process, automatically fix potential mount errors

2873

Bug fix

NTP Server, fix the 'jump backwards in time

2878

Security

rsyslog: fix CVE-2022-24903

2897

Security

Force password change during the first login (CVE-2022-4780)

2940

Security

Virtual, open-vm-tools: fix CVE-2022-31676

2951

Bug fix

OpenLDAP: files integrated into the backup

2970

Bug fix

RADIUS: files integrated into the backup

 

Add-on

IG2: support for digital inputs/outputs

 

Security

RADIUS Integration

 

Security

Firmware Integrity Check integration

 

Security

Manage rate limiting (avoid DoS)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup 6.05.00 (StreamConfig: version 35 of the parameters)

**V2.00d - 22.04.2022 (only for CX9020)**

2825

Add-on

Staging: images for 2GB and 4GB SD cards.

 

Bug fix

StreamX Setup v6.04.25 of 07.04.2022 (StreamConfig: version 34 of the parameters)

**V2.00c - 24.02.2022 (only for CX9020)**

 

Add-on

earlyoom: memory watchdog to protect EtherLAB from an 'out of memory'.

 

Bug fix

StreamX Setup v6.04.17 of 18.02.2022 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2021**

**V2.00 : 24.02.2021**

1279

Bug fix

Fix StreamView HTML serialization errors

1715

Bug fix

Fix StreamDaemon is no more responding on ARM architectures

1867

Bug fix

Fix general Mono memory leaks

1980

Bug fix

Mono: major upgrade to version 6.10.0.104

2135

Security

Sudo: fix potential vulnerability (CVE-2019-18684)

2157

Security

Fix CVE-2019-14899 : Inferring and hijacking VPN-tunneled TCP connections

2175

Bug fix

EtherCAT: etherlab stack update

2189

Bug fix

CX9020: fix speed of second LAN which was sometimes fixed at 10 Mbit/s

2283

Bug fix

Virtual: open-vm-Tools produces no more messages continuously.

2297

Add-on

Support of stunnel for all hardwares

2298

Add-on

CX9020: support of the LEDs TC, FB1, FB2

2327

Add-on

Backup of Postgresql configuration files

2332

Add-on

Postgresql: log file rotate mechanism

2340

Bug fix

Network: fix manual lan won't goes up at boot

2343

Bug fix

APC910: fix lan1 detection on TS17.04

2362

Security

OpenLDAP: fix CVE-2020-25709 and CVE-2020-25710

2382

Add-on

APC910: support for USB1 to USB4 ports added for model TS17

2429

Bug fix

Cellular modems: fix the enable/disable NMEA feature

 

Add-on

First integration of the hardware Elvexys IG2

 

Add-on

CX9020: bootloader version 5 for kernel compatibility

 

Security

CX9020: StreamBridge is no more executed with root account (least privilege)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup v6.02.90 of 10.02.2021 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2020**

**V1.99 : 17.06.2020**

1827

Add-on

Cellular: PPP as default gateway is now listed into the network section in StreamConsole

1880

Add-on

Virtual hardware: OVF file compatibility for ESX 5.5

1893

Security

PostgreSQL: fixed multiple vulnerabilities

1897

Add-on

Virtual hardware: changed from generic to Intel network adapter

1906

Security

StrongSwan: upgrades to fix CVE-2018-16151 / CVE-2018-16152

1908

Security

Kernel: upgrades to fix CVE-2018-14634

1931

Bug fix

Cellular: fix for the configuration migration

1939

Bug fix

Cellular: fix USAN management when receiveing a SMS

1940

Bug fix

Fix to no more generate duplicate paths after a firmware migration

1954

Security

OpenSSL: fix multiple vulnerabilities

1984

Bug fix

LEDs: swapped the management of Storage and SNMP Agent

1985

Bug fix

Firmwares files with special chars are now possibles

2002

Bug fix

LEDs: no more turned off after a long period of time

2023

Bug fix

Bonds on B&R APC910 are now working as expected

2060

Add-on

CX9020: compatibility with HW rev. 3

2088

Security

Kernel: upgrades to fix CVE-2019-11477 (SACK Panic)

2095

Add-on

Virtual hardware: drivers for VMXNET3 added

2106

Bug fix

Cellular: fix infinite loop in ppp restart Under certain conditions

2112

Security

SysRq commands over serial ports is now disable for all hardware

2127

Security

Sudo: fix CVE-2019-14287 Potential bypass of Runas user restrictions

2138

Security

Unable to use SCP anymore

2142

Bug fix

APC910: fix the use of lan2 without the additional 4 lans board

2150

Add-on

Firmware update: error codes 24 and 25 added

2151

Bug fix

Default Gateway no more lost after changing the IP on the interface binded to the default gateway

2165

Security

OpenSSL : fix CVE-2019-1551

2167

Bug fix

SSL Certificates for StreamX applications are now backuped

2180

Add-on

Beckhoff CX9020: support of the new HW revision of TOSIBOX 4G modem (based on Quectel EC25 chip)

2199

Add-on

Firewall: extend ports range for StreamX services.

2218

Add-on

Fsck package added (File System Consistency Check)

2269

Bug fix

Moxa DA-820, fix the receive mechanism on serial ports P1 and P2 when used in RS485 2 wires mode.

 

Bug fix

PFC100/PFC200: use Wago BSP v. 2.8.35

 

Add-on

First integration of the hardware B&R APC910

 

Add-on

First integration of the hardware APU4

 

Add-on

First integration of the hardware Moxa DA-820C

 

Add-on

APU2 and APU4: support for the LEDs and the dual power boards

 

Add-on

APU2: support for two dual LAN mPCIe boards

 

Add-on

APU4: support for one dual mPCIe board

 

Add-on

UC-8112: first LEDs management

 

Add-on

Support of PRP for Moxa DA-820 and Moxa DA-820C from StreamConsole

 

Add-on

Support of stunnel for Virtual hardware

 

Add-on

Firewall: added UDP port 123 for NTP server

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup of 08.05.2020 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2018**

**V1.98 : 05.07.2018**

1738

Security

Kernel: upgrades to fix Meltdown and Spectre vulnerabilities

1826

Security

Moxa DA-820, fix the process to disable physical USB ports

 

Add-on

PostgreSQL, migration process updated for future major upgrades

 

Add-on

First integration of virtual hardware (VMWare) with the configinit tool

 

Bug fix

Moxa DA-681A, fix the RS485

 

Bug fix

Moxa DA-720, fix the RS485 2 wires mode on P2

 

Add-on

Moxa UC-8100, new bootloader for Linux kernel 4.1

 

Bug fix

All libraries: update to the latest stable version

 

Security

Improving hardening like using ASLR and Stack Smaching Protection

 

Bug fix

Cellular: fix the use of CTS and DTS signals

 

Bug fix

StreamX Setup of 22.06.2018 (StreamConfig: version 32 of the parameters)

**V1.97 : 05.03.2018 (only for DA-681A, DA-720, UC-81xx and APU2)**

1743

Security

Moxa Nport: the owner of the remote serial ports is now the group streamx\_apps instead of root

1729

Bug fix

WD Cellular: prevent rebooting the system if a firmware upgrade is in progress

1782

Bug fix

WD Cellular: don't block anymore in case of huge system time changes

 

Add-on

WD Cellular: the RSSI and the cellular antenna ID are now published in memory files for other programs

1748

Add-on

DHCP Client: new default settings for interoperability with slow DHCP servers

 

Add-on

First integration of the hardware Moxa DA-720

 

Bug fix

StreamX Setup of 27.02.2018 (StreamConfig: version 32 of the parameters)

CVE-2022-4780: ISOS release notes - Elvexys SA

This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.

Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:

1.  **Protection:** When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
2.  **Detection:** Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
3.  **Response:** The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
4.  **Automation:** Next they'll focus on making everyone's life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.

You may have seen or experienced this kind of four stage evolution yourself. But there's a much rarer _fifth stage_ that is reached much later in a CISO's career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to _their_ territory ... they become restless. They get tired of waiting for their enemies to strike.

The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.

**Leaving the Comfort Zone**

The demarcation point is traditionally where everything becomes "somebody else's problem." If anything breaks or gets hacked, it isn't on the company's dime.

At least, that's how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company's bank, or on utility providers might as well be an attack on your turf.

Most importantly, social engineering and fraud ignore internal demarcations entirely! They don't respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees' social media to gain leverage, they won't hesitate.

But what can be done? Your tools, your monitoring ... absolutely everything you've built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?

Part of the proactivity that comes with stage five of a CISO's career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.

Now you're in what Tom Petty once called "The Great Wide Open." The bad news is that your activities are more exposed out here. The good news? You aren't alone.

**Resources for Fraud Prevention Beyond the Demarcation**

In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.

But there are some newer kids on the block that can help you on your hunt. PortSwigger's BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.

But those are all solutions on the technical side, and fraud isn't always technical. To hit fraudsters where it hurts, you need to embrace the human element.

**A Global Defense Effort**

One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human's entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.

Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there's a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.

**What Do You Do When You Catch Something?**

All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?

When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you've done everything above board and with their permission, this isn't a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.

Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.

When CISOs Are Ready to Hunt

It's time companies build a multilayered approach to cybersecurity.

As global cyberattacks continue to become more sophisticated, so should corporations' risk mitigation strategies. Of these high-stakes attacks, financial motivation is the most common reason for cybercriminals to target businesses, with the IBM "Cost of a Data Breach" report finding that the average breach in 2022 cost organizations up to $4.35 million in damages. With consequences this detrimental to business, it's critical that companies build a multilayered approach to cybersecurity with a number of experts involved to ensure effective prevention, detection, and response to cyber threats.

To create the most effective cyber-risk prevention and recovery team, companies must leverage financial and technology talent to collaborate on prevention strategies. While cybersecurity professionals focus on the who, what, where, and how of a potential breach, accountants can monitor the potential impacts to a corporation's funds and controls to determine priority functions and vulnerable financial business data that need safeguarding. This is typically done most effectively by forensic accountants who are trained in auditing and investigating risk factors within the finances of individuals or businesses. When these two roles find synergy, they can combat even the most complex of corporate cybercrimes.

Here are some of the ways these professionals can effectively work together to prevent and recover from highly intelligent attacks on financial data.

**Prevention**

Proper prevention of financial cybercrimes takes a diversified skill set, tapping into financial and IT specialties to create the strongest possible defenses against breaches. For cyber professionals, this includes identifying and closing gaps in internal controls and technologies, and implementing the proper safeguards — from two-factor authentication programs to file encryptions and more. Meanwhile, forensic accountants are well-versed on corporate finances and have the ability to detect the misappropriation of funds before losses are incurred.

Cyber professionals are also invaluable assets to financial teams in alerting them to new threats as the digital landscape changes so that proper preventative measures can be implemented. For example, there is a new trend of hackers using Meta business accounts as an entry point to breach financial information. This typically involves the stealing of customer credit card and bank information when they make transactions through the social media platform.

Obviously, suffering from an attack of this kind can lead to a damaged reputation, monetary consequences, and a loss of consumer trust. Establishing open lines of communication between cyber professionals and those in charge of monitoring business transactions can mean that forensic accountants know what threats they need to be wary of and can make business decisions that are in the best interest of their clients and customers. Also, it can ensure quicker detection of odd transactional activity for early intervention.

Instituting safeguards to proactively defend financial information — and consistently reviewing and updating them — can help to keep corporate funds safe in an era where sophisticated cybercriminals can steal financial information at the click of a key.

**Recovery**

Even the best laid plans can fail, especially when the enemy continues to get smarter and stealthier as technology evolves. That's the case when it comes to cybercrime, so planning to fail is just as important as working to avoid failure.

Collaboration between cybersecurity professionals and forensic accountants can ensure that swift, immediate defenses are deployed when an attack is executed and that the damage to a business's financial bottom line is as minimal as possible.

In the event of a breach, these professionals must work together to block the attacker and protect as much data and capital as they can. For example, a seasoned forensic accountant brings experience and knowledge of the many forms of corporate fraud, as well as the necessary steps to employ investigative techniques to spot trends and outliers in large data sets as they develop. Immediately upon noticing suspicious activity, they can alert their company's cyber team to quickly employ a variety of techniques to close the digital path to systems while they investigate.

While losses are not ideal, they are difficult to avoid once a cybercrime is effectively executed, even if it was caught and stopped quickly. Post-incident, it is the task of forensic accountants to calculate potential losses, assess and disclose accounting requirements, and assist the cyber team with evidence collection for insurance claim purposes.

Generally, forensic accountants and cybersecurity professionals have the same goal: to safeguard important information. When they use their unique skill sets to collaborate effectively, a corporation has the best chance of evading the consequences of a devastating cyberattack.

Why Cyber Pros and Forensic Accountants Should Work Together to Mitigate Security Risk

Will the bottom falling out of the cryptocurrency market have a profound impact on cybercriminal tactics and business models? Experts weigh in on what to expect.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cybersecurity world is, how will this rapid decline of cryptocurrency valuations change the cybercrime economy?

Throughout the most recent crypto boom, and even before then, cybercriminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cybercriminal enterprises.

Even so, according to cybersecurity experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

**Shifting Crypto Trends & Tactics in 2022**

Regardless of crypto values, cybercriminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetize their attacks, says Helen Short, cyber-threat intelligence analyst for Accenture, who points to the use by some ransomware groups taking advantage of yield farming within decentralized finance (DeFi), as an example.

"The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid," she explains. "The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it."

Her analysis has shown that threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. She says that in many ways, the downturn in crypto values has increased the risk appetite of cybercriminals and is spurring them into more investment fraud and cryptocurrency scams.

"Threat actors are also playing on people’s desperation to recoup their losses," she says.

While some consumers who have lost their wallet value may be desperate, others have simply lost their interest and aren't watching their accounts as closely, which is driving another trend, says Brittany Allen, trust and safety architect and fraud researcher at Sift.

"Plummeting crypto prices have led to consumers paying less attention to their crypto wallets than they were early this year and in 2021, and fraudsters noticed," Allen says. "This has led to a 79% rise in crypto account takeover attacks."

By point of example, she explains that her team discovered a new type of crypto cash-out scam this year on Telegram and Dark Web forums, where account takeover fraudsters teamed up to target the crypto market during the crash.

"In this scheme, cybercriminals use stolen wallets, bank accounts, or crypto exchange accounts to move or launder illicitly obtained funds. Fraudster A will advertise their access to stolen funds on Telegram, then find another fraudster who specializes in crypto account takeover and KYC (know your customer identity verification) bypass methods," she says. "Once Fraudster B offers access to stolen wallets or crypto exchanges, Fraudster A sends the stolen funds to Fraudster B’s accounts, where they funnel the money out and split the profits. Each party takes a risk trusting the other, but if successful, they stand to make tens of thousands of dollars each."

This is in line with another shift in cybercriminal tactics in 2022 that Short says she's witnessed. It's not necessarily a response to cryptocurrency devaluation, but it is a business model shift to maximize revenue.

"We're seeing threat actors partnering together to facilitate an attack, rather than paying each other for their specialist services. This reduces the overall cost of the attack as the agreement is a set cut of the proceeds," she says.

**Ransomware Is Here to Stay**

One point that cybersecurity pundits are almost unanimous on is that even with a ton of cryptocurrency volatility, ransomware isn't going anywhere. There was a slight downturn in ransomware activity in 2022, but according to Aamil Karimi, threat intelligence analyst at Optiv, that's more attributable to other variables like the war in Ukraine. 

There was some significant regrouping of ransomware cartels that were more likely to result in the decline of activity than anything else, and he says cryptocurrency will still be a favored extortion demand for a long time.

"It’s likely cryptocurrency will still be the payment of choice demanded in extortionary incidents. As of right now, it’s the safest medium for cybercriminals to conduct transactions," Karimi says. "I don’t estimate any slowdown in cybercriminal or extortionary activity."

Bob Rudis, vice president of data science for GreyNoise Intelligence, agrees. There are simply too many soft ransomware targets ripe for attack for criminals to ignore, Rudis says. And it's not as if they lose any money with lower values of the currency since they are the ones setting the ransom, and they're likely going to convert it into tangible funds before further volatility impacts the total.

"Attackers care not if they receive one or a hundred units of a given cryptocurrency when asking for, say, $100,000 USD," Rudis says. "They have the means, markets, and processes to convert any ill-gotten crypto gains into something more tangible, and will likely always be one step ahead of law enforcement and market regulators." 

In spite of headline stories about authorities using crypto mechanisms to hurt adversaries financially, Rudis says there are "still real law enforcement hurdles to curb that flow," which is why he believes cryptocurrency will still be heavily used for cybercriminal money laundering for some time to come.

Not everyone sees it the same way, though. Short of Accenture points out that law enforcement this year has increasingly taken a real bite out of the crooks' bottom line through claw-back transactions, seizures, and more.

"Law enforcement took aggressive measures in 2022, including fund seizures, sanctions, and high-profile arrests," she says. "It is becoming harder to launder and cash out illicit funds, resulting in the trend of threat actors exchanging ‘dirty cash’ for other services as they cannot get the illicit funds out."

Ryan Kovar, distinguished strategist and leader of Splunk's SURGe research team, also points out that perhaps the cybercrime impact of the crypto crash of 2022 will have less to do with a potential future divestment of cryptocurrency in cybercriminal enterprises than it will with changes in the crypto market's perceived anonymity.

“Ransomware gangs are going to move away from cryptocurrency not because of financial instability, though that’s a factor, but more due to the traceability," Kovar says. "Ultimately, crypto is not really anonymous."

He adds, "If you’re a criminal who lives in a country that supports, sponsors, or doesn’t care about cybercrime, then you’re probably not getting prosecuted easily unless you really tick people off.” 

**Evolution to Expect in 2023**

Experts also believe that increased law enforcement friction will likely influence an evolution in cybercriminal operations around other types of attacks beyond ransomware. Especially proven ones that already don't depend on cryptocurrency, like business email compromise (BEC).

"The FBI's annual IC3 report \[PDF\] shows business email compromise (BEC) to be top of the list when it comes to attackers banking fiat coin. Advanced technology that mimics writing, speech, and even live video of humans is now almost trivial to use and will evolve rapidly in quality," GreyNoise's Rudis says. "Ransomware groups are, first and foremost, businesses, and it would seem logical to assume they'd apply their technical skills to conduct more advanced BEC schemes as well. 

In the meantime, attackers will also be likely to keep advancing technology to stay a step ahead of the authorities with regard to traceability and laundering.

"Attackers will become more sophisticated, breaking the sequence of blockchain transactions to try and obfuscate their illicit funds," Short says. "We will likely see a professionalization in cryptocurrency mixers, such as Tornado cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

She believes that in 2023, this could drive up the value of personally identifiable information (PII), as it will further push the demand for account takeovers to create mule accounts for cashing out on the back end of various scams.

"It is likely that cybercriminals will continue to convert to stable assets to secure value," she says, "and we will see an increase in threat actors using more privacy focused cryptocurrencies that are harder for law enforcement to trace."

Will the Crypto Crash Impact Cybersecurity in 2023? Maybe.

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.
This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.
"BlueNoroff

Cyber Attack / Windows Security

**BlueNoroff**, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows **Mark of the Web** (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.

Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor's financial motivations as opposed to espionage has made it an unusual nation-state actor in the threat landscape, allowing for a "wider geographic spread" and enabling it to infiltrate organizations across North and South America, Europe, Africa, and Asia.

It has since been associated with high-profile cyber assaults aimed at the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.

Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto orchestrated by the adversarial collective to drain digital funds from victims' cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are set up to lure unwitting victims into installing benign-looking applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity company introduces slight modifications to convey its final payload, swapping Microsoft Word document attachments for ISO files in spear-phishing emails to trigger the infection.

These optical image files, in turn, contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that's executed when the target clicks a link in the PowerPoint file.

In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that's used to fetch and execute a remote payload.

Also uncovered by Kaspersky is a .VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing remove user-mode hooks.

While the exact backdoor delivered is not clear, it's assessed to be similar to a persistence backdoor utilized in the SnatchCrypto attacks.

The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also emerged as a major source of income for the cash-strapped country.

Indeed, according to South Korea's National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and other digital assets from targets around the world over the last five years.

"This group has a strong financial motivation and actually succeeds in making profits from their cyberattacks," Park said. "This also suggests that attacks by this group are unlikely to decrease in the near future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel