Hardware debug modes and processor INIT setting that allow override of locks for some Intel(R) Processors in Intel(R) Boot Guard and Intel(R) TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.1 IPU - Intel® Boot Guard and Intel® TXT Advisory**

**Summary: **

A potential security vulnerability in Intel® Boot Guard and Intel® Trusted Execution Technology (TXT) for some Intel® processors may allow escalation of privilege.  Intel is releasing firmware updates and prescriptive guidance to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-0004

Description: Hardware debug modes and processor INIT setting that allow override of locks for some Intel(R) Processors in Intel(R) Boot Guard and Intel(R) TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (Physical, unauthenticated)

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N (Adjacent network, authenticated)

**Affected Products:**

10th Gen Intel® Core™ processor

11th Gen Intel® Core™ processor

12th Gen Intel® Core™ processor

8th Gen Intel® Core™ processor

Celeron® processor 4000 series

Celeron® processor 6000 series

Celeron® processor J3000/N3000 series

Celeron® processor J4000/N4000 series

Celeron® processor N series

Intel Atom® processor P5000 series

Intel Atom® processor X E3900 series

Intel Atom® x6000E series

Intel Pentium® and Celeron® N and J Series processors

Intel® 100 series chipset

Intel® 200 series chipset

Intel® 300 series chipset

Intel® 400 series chipset

Intel® 500 series chipset

Intel® C230 series chipset

Intel® C240 series chipset

Intel® C250 Series chipset

Intel® C420 chipset

Intel® C620 series chipset

Intel® C620A series chipset

Intel® Core™ i5 L16G7 and Intel® Core™ i3 L13G4

Intel® Pentium® processor J4000/N4000 series

Intel® Pentium® processor J5000/N5000 series

Intel® X299 chipset

Intel® Xeon® D processor 2000 series

Intel® Xeon® W processor 1300 series

Pentium® Gold processor series

Pentium® Gold processor series (G54XXU)

Pentium® Silver processor series

**Recommendations:**

Intel recommends updating Intel® CSME to the latest version (see provided table).

Intel also recommends following the previously published guidance on disabling the CPU Debug feature when Intel® Boot Guard is enabled. Please consult this Intel Debug paper for more details.

Intel also recommends disabling the BSP (Bootstrap Processor) INIT (DBI) bit to enable protections against an INIT bypassing the startup Authenticated Code Module (ACM). This setting change is available in the latest version of Intel® CSME.

Intel recommends that users of Intel® CSME update to the latest version provided by the system manufacturer that addresses these issues.

**Chipset/System on Chip/Multi Chip Package**

**Mitigated version or higher**

**Client Desktop and Mobile Platforms**

12th Gen Intel® Core™ processor

16.0.15

Intel® 500 series chipset

11th Gen Intel® Core™ processor

Intel® Xeon® W processor 1300 series

15.0.40

Pentium® Gold processor series

Celeron® processor 6000 series

15.0.40

Intel® 400 series chipset

14.1.65

Pentium® Silver processor series

Celeron® processor N series

13.50.20

10th Gen Intel® Core™ processor

13.0.60

Intel® Core™ i5 L16G7 and Intel® Core™ i3 L13G4

13.30.30

Intel® 300 series chipset

12.0.90

Pentium® Gold processor series (G54XXU)

Celeron® processor 4000 series

12.0.90

8th Gen Intel® Core™ processor

11.8.92

Intel® 200 series chipset

11.8.92

Intel® 100 series chipset

11.8.92

**Expert Workstation and Scalable Server Platforms**

Intel® C620A series chipset

Consult prescriptive guidance

Intel® C620 series chipset

11.22.92

**Entry Workstation Platforms**

Intel® C250 Series chipset

15.0.40

Intel® C240 series chipset

12.0.90

Intel® C230 series chipset

11.8.92

**Mainstream Workstation and High-End Desktop Platforms**

Intel® C420 chipset

Intel® X299 chipset

11.12.92

**Microserver Platforms**

Intel Atom® processor P5000 series

Consult prescriptive guidance

Intel® Xeon® D processor 2000 series

Consult prescriptive guidance

**Entry Desktop and Mobile Platforms**

Intel Atom® processor X E3900 series

Intel® Pentium® processor J4000/N4000 series

Celeron® processor J3000/N3000 series

3.1.92

Intel® Pentium® processor J5000/N5000 series

Celeron® processor J4000/N4000 series

4.0.45

**Embedded Platforms**

Intel Atom® x6000E series

Intel Pentium® and Celeron® N and J Series processors

15.40.20

Prescriptive guidance: Intel is not releasing updated Intel® SPS firmware to disable the CPU debug feature on server products.  

Intel recommends users follow existing security best practices and alternate security controls, including:

·         Ensure physical security of server systems, and secure BMC access if BMC has adjacent-network JTAG access.

**Acknowledgements:**

The following issue was found internally by Intel employees.  Intel would like to thank Ki W Yoon.

Subsequently, this issue was reported by Mickey Shkatov. Intel would like to thank Mickey Shkatov from Eclypsium for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-0004: INTEL-SA-00613

One year after it was issued, has President Biden's Cyber Executive Order had an impact?

When it was signed a year ago today, Executive Order 14028, Improving the Nation's Cybersecurity, was a measured response to an urgent problem. Just days prior, the Colonial Pipeline was shut down by a ransomware attack, thrusting the issue of cyber-risk to critical US infrastructure into the spotlight. One year later, what progress has been made? Here's a scorecard to help you keep track.

**Section 1: Policy  
**Last October, the president signed the K-12 Cybersecurity Act into law, providing resources for school districts to combat cyberattacks. In March, he signed the Strengthening American Cybersecurity Act of 2022. Still, huge swaths of US critical infrastructure are in private hands, and questions remain about how to improve private sector cybersecurity and resilience.

**Grade:** B

**What would earn an "A"?** To really put a dent in cyberattacks against the US, the federal government, new laws, and regulations need to set a high bar and impose high costs on firms for failing to clear that bar.

**Section 2: Removing Barriers to Sharing Threat Information  
**Under the direction of Director Jen Easterly, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted many successful efforts to promote sharing of threat intelligence. These include coordinated responses to threats, like the Shields Up initiative, in response to Log4j. The Strengthening American Cybersecurity Act also contains substantive new requirements for federal agencies for information sharing.

**Grade:** B+

**What would earn an "A"?** Information sharing within critical industry sectors is still a patchwork effort and often limited to the largest and wealthiest organizations. CISA needs to improve threat intelligence sharing in sectors where it's not the norm and draw in smaller organizations that are often left out of the loop due to operational immaturities.

**Section 3: Modernizing Federal Government Cybersecurity  
**Section 3 of the Executive Order lays out requirements for the federal government to address cyber-risk by promoting movement to cloud-based services and adoption of zero-trust architectures. A year after the EO was signed, we see some progress on that. CISA published a Cloud Security Technical Reference and guidance for building zero-trust architectures. Government and defense organizations are adopting cloud-native security solutions and building cloud-first approaches.

**Grade:** B

**What would earn an "A"?** Incremental approaches to modernization aren't enough. An April 2021 report by Government Accountability Office found that the US government spends substantial portions of its $100 billion IT budget to operate and maintain legacy systems. Breaking that cycle and grasping the holy grail of zero trust requires a "whole of government" approach.

**Section 4: Enhanced Software Supply Chain  
**Not much has been done here. As we noted in February, NIST published Version 1.1 of the Secure Software Development Framework (SSDF) but punted on guidance for software bills of materials (SBOMs). Also, the guidance exempted software development organizations working within the federal government.

**Grade:** C

**What would earn an "A"?** Development organizations within the federal government should be bound by the same rules and standards as third parties who sell to Uncle Sam. Guidance on the use of SBOMs also needs to be clarified and enforced.

**Section 5: Establishing the Cyber Safety Review Board  
**This is one of the more concrete elements of the EO and, so far, the federal government has complied with the EO's requirement. The Department of Homeland Security launched the Cyber Safety Review Board in February 2022. As part of the launch, CSRB said its first review will focus on the Log4j vulnerabilities, but a report on that is not due out until the summer.

**Grade:** A

**Section 6: Standardize Federal Playbooks for Incident Response (IR) and Vulnerability Management  
**This is another concrete deliverable in the Executive Order. CISA published the playbooks in November 2021. The question is whether they are being put to use, and that is hard to know without a mechanism that can anonymize and share an aggregate MRT (mean time to response) per industry.

**Grade:** B+

**What would earn an "A"?** With playbooks in hand, the question is how to operationalize them across the federal government (and its contractors and partners). Keeping close tabs on agencies' use of the playbooks and progress on IR and vulnerability management is a good start.

**Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks  
**Section 7 of the EO exhorts federal agencies to improve their vulnerability and threat detection capabilities. The goal is to empower federal agencies to engage in cyber hunt, detection, and response. News of successful attacks on federal IT infrastructure suggest that there is still much work to be done, however.

**Grade:** C

**What would earn an "A"?** The private sector has embraced automation and new tooling. At the federal level, there is scant evidence that such efforts are underway. The federal government should mount an effort to deploy more tools like Sigma, Suricata, and YARA rules to improve IR.

**Section 8: Improve Federal Government Investigative & Remediation Capabilities  
**This part of the EO directs federal agencies to improve logging and data retention to facilitate investigations, but the government's investigative and remediation capabilities are little improved from a year ago, with no modern frameworks deployed (to the best of my knowledge).

**Grade:** D

**What would earn an "A"?** The federal government needs to leverage automation and modern threat intelligence and IR frameworks, taking a "whole of government" approach to threat hunting.

**Section 9: National Security Systems  
**This section requires the secretary of defense and the director of national intelligence (DNI) to implement requirements for national security systems that are equivalent to or exceed the requirements in the EO. Much of this work is classified, but I see a strategic shift to adopt CTO leadership philosophies and build agile approaches to decentralizing risks.

**Grade:** B

**What would earn an "A"?** With Avril Haines recently sworn in as the DNI, we expect there to be progress for improved execution, although the breadth and focus of the Ukraine-Russia conflict might take precedence before real results are evident.

Needs Improvement: Scoring Biden's Cyber Executive Order

resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user.

**Finalità e modalità operative**

**CVE-2022-29539 – RESI S.p.A**

**CVE-2022-29538 – RESI S.p.A**

**CVE-2022-28862 – ARCHIBUS Web Central**

**CVE-2022-27880 – F5 Traffix Signal Delivery Controller**

**CVE-2022-27662 – F5 Traffix Signal Delivery Controller**

**CVE-2022-26484 – Veritas Operations Manager**

**CVE-2022-26483 – Veritas Operations Manager**

**CVE-2022-25344 – Olivetti d-COLOR MF3555**

**CVE-2022-25343 – Olivetti d-COLOR MF3555**

**CVE-2022-25342 – Olivetti d-COLOR MF3555**

**CVE-2021-41555 – ARCHIBUS Web Central**

**CVE-2021-41554 – ARCHIBUS Web Central**

**CVE-2021-41553 – ARCHIBUS Web Central**

**CVE-2021-38123 – Micro Focus Network Automation**

**CVE-2021-35492 – Wowza Streaming Engine**

**CVE-2021-35491 – Wowza Streaming Engine**

**CVE-2021-35490 – Thruk**

**CVE-2021-35489 – Thruk**

**CVE-2021-35488 – Thruk**

**CVE-2021-32571 – Ericsson OSS-RC**

**CVE-2021-32569 – Ericsson OSS-RC**

**CVE-2021-31540 - WOWZA Streaming Engine**

**CVE-2021-31539 - WOWZA Streaming Engine**

**CVE-2021-29661 – Softing AG OPC Toolbox**

**CVE-2021-29660 – Softing AG OPC Toolbox**

**CVE-2021-28979 - Thales SafeNet KeySecure Management Console**

**CVE-2021-28488 – Ericsson Network Manager**

**CVE-2021-28250 – CA eHealth Performance Manager**

**CVE-2021-28249 – CA eHealth Performance Manager**

**CVE-2021-28248 – CA eHealth Performance Manager**

**CVE-2021-28247 – CA eHealth Performance Manager**

**CVE-2021-28246 – CA eHealth Performance Manager**

**CVE-2021-26597 – NOKIA NetAct**

**CVE-2021-26596 – NOKIA NetAct**

**CVE-2021-3314 - Oracle GlassFish Server**

**CVE-2021-2005 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded**

**CVE-2020-35589 – WordPress Plugin Limit Login Attempts Reloaded**

**CVE-2020-28209 – Schneider Electric StruxureWare Building Operation Enterprise Server Installer – Enterprise Central Installer**

**CVE-2020-27583 – IBM InfoSphere Information Server**

**CVE-2020-17458 – MultiUX**

**CVE-2020-17457 – Fujitsu ServerView Suite iRMC**

**CVE-2020-15794 – Siemens Desigo Insight**

**CVE-2020-15793 – Siemens Desigo Insight**

**CVE-2020-15792 – Siemens Desigo Insight**

**CVE-2020-14843 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-14842 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-14690 – ORACLE Business Intelligence Enterprise Edition of Oracle Fusion Middleware**

**CVE-2020-12081 – FlexNet Publisher**

**CVE-2020-9050 – Johnson Controls Metasys MREWeb Service**

**CVE-2020-7573 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7572 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7571 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7570 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-7569 – Schneider Electric StruxureWare Building Operation WebReports**

**CVE-2020-2505 – QNAP QES**

**CVE-2020-2504 – QNAP QES**

**CVE-2020-2503 – QNAP QES**

**CVE-2019-19994 - Selesta Visual Access Manager**

**CVE-2019-19993 - Selesta Visual Access Manager**

**CVE-2019-19992 - Selesta Visual Access Manager**

**CVE-2019-19991 - Selesta Visual Access Manager**

**CVE-2019-19990 - Selesta Visual Access Manager**

**CVE-2019-19989 - Selesta Visual Access Manager**

**CVE-2019-19988 – Selesta Visual Access Manager**

**CVE-2019-19987 - Selesta Visual Access Manager**

**CVE-2019-19986 - Selesta Visual Access Manager**

**CVE-2019-19456 - WOWZA Streaming Engine**

**CVE-2019-19455 - WOWZA Streaming Engine**

**CVE-2019-19454 - WOWZA Streaming Engine**

**CVE-2019-19453 - WOWZA Streaming Engine**

**CVE-2019-17406 - NOKIA IMPACT**

**CVE-2019-17405 - NOKIA IMPACT**

**CVE-2019-17404 - NOKIA IMPACT**

**CVE-2019-17403 - NOKIA IMPACT**

CVE-2022-29539: Vulnerability Research & Advisor

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.
Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35,

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.

Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

"Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.

The second set of attacks are more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.

Initial access routes are facilitated by scanning internet-facing servers vulnerable to highly publicized flaws in Fortinet appliances and Microsoft Exchange Servers to drop web shells and using them as a conduit to move laterally and activate the ransomware.

However, the exact means by which the full volume encryption feature is triggered remains unknown, Secureworks said, detailing a January 2022 attack against an unnamed U.S. philanthropic organization.

Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target's VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.

"The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage," the researchers concluded.

"While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

A biotech threat intelligence group is gaining supporters as urgency mounts around an overlooked vulnerable sector.

A new partnership between the cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) and the Johns Hopkins University Applied Physics Laboratory (APL), which works on emerging research with US government agencies, is highlighting the need for more resources to better secure biomedical, bioindustrial, and biomanufacturing entities.

The Covid-19 pandemic sparked regular people around the world to think about the logistics of vaccine development and production in a tangible and immediate way. But the so-called bioeconomy is silently embedded everywhere, from breeding programs used in agriculture to the development of biofuels. And as industry after industry faces a reckoning about the state of their cybersecurity defenses, researchers are increasingly realizing that the bioeconomy is vulnerable. During the pandemic, for example, Russia, China, and other state actors raced to hack vaccine makers and distributors for intelligence gathering, in a scramble that US officials warned could have been disruptive.

“A lot of the bioeconomy is small companies; that’s the real lifeblood of American biotech,” says BIO-ISAC cofounder Charles Fracchia. “Imagine if Moderna got hacked four years ago, even with some totally non-sophisticated malware, or they faced a ransomware attack. Small companies can go bankrupt really easily, and then we lose the work they're doing for the future. I'm very grateful that APL understood the mission of the BIO-ISAC and joined as a founding member. They want to help.”

Information sharing and analysis centers exist for many industries, from financial services to health care. And Charles Frick, a principal staff member at APL, says that the lab has been supporting ISACs and collaborating with them for many years. During the George W. Bush and Barack Obama administrations, Frick says, APL collaborated with the Department of Homeland Security and the National Security Agency to study the most efficient methods for large-scale threat intelligence sharing and security automation. APL participated in a 2018 financial services pilot for automatically screening and processing machine-readable threat intelligence data in which a process that had one taken 14 hours got whittled down to eight minutes.

All of this matters, because digital attacks on critical services and trends in attacks creep up quickly. The more information an organization can not only gather but also share, the better chance others have of defending themselves against similar hacks. APL's funding for the BIO-ISAC will go toward regular operations, including research, information sharing, and public disclosures. And crucially, it will also support incident response services the BIO-ISAC is launching so biotech and biomanufacturing organizations have someone to call if they're dealing with a digital attack or otherwise suspect that something is wrong. The services will be pay what you can to make them accessible to as many organizations as possible. Depending on demand, though, the BIO-ISAC may not have the capacity immediately to respond to every request. But the group hopes to begin filling a crucial gap in the services that are currently available.

“As we start identifying threats, it's a natural fit for us to say, well, we have an existing set of capabilities and skills that can be applied to this area, and we've demonstrated our ability to work with ISACs in collaboration," says Brian Haberman, an APL program area manager. "So this accomplishes our mission of supporting national priorities in a much faster way when you’re not going it alone. It's the biggest bang for your buck."

A few years ago, the idea of designating US election systems as government “critical infrastructure” was controversial to some. The designation simply unlocks funding and expanded resources from US government agencies, including the Cybersecurity and Infrastructure Security Agency, for critical sectors that work in the public interest. But while health care, food, and agriculture industries obviously have critical infrastructure designations that cover parts of the bioeconomy, the sector as a whole doesn't specifically have its own designation. Instead the US government has classified the bioeconomy with a “critical emerging tech” label.  As a result, groups like the BIO-ISAC are working ad hoc in a largely open field.

“The bioeconomy is an emerging sector of our economy if we really want to make meaningful change and impact, now is the time to get involved—not after it’s already this big thing and we try to go in reverse," says Andrew Kilianski, senior director for emerging infectious diseases at the International AIDS Vaccine Initiative. "We’ve done some of these sectors where we try to build out IT infrastructure and cybersecurity defenses later and it doesn’t work well." Kiliansk worked closely with the US government's Covid Operation Warp Speed initiative and a new member of the BIO-ISAC's national security advisory board.

“There's that squishy, beautiful life sciences spirit that, hey, we share everything, we’re open," Kilianski adds. "But now these discoveries have huge commercial value, not just societal value, and that makes all of this even more sensitive.”

The Hidden Race to Protect the US Bioeconomy From Hacker Threats

Tony Lauro, director of security technology and strategy at Akamai, discusses reducing your company's attack surface and the "blast radius" of a potential attack.

Tony Lauro, director of security technology and strategy at Akamai, discusses reducing your company’s attack surface and the “blast radius” of a potential attack.

Lately, I’ve started wondering if the biggest risk concerning cyberattacks is that we’re becoming desensitized to them. After all, businesses experience a ransomware attack every 11 seconds—the majority of which the public never hears about. Faced with this reality, it may seem like your efforts to safeguard the enterprise are futile. But that’s all the more reason to strengthen your resolve—and switch up your cyber defense strategy. The core of this strategy is the concept of “reducing the blast radius” of an attack. Since you can’t completely eliminate cyberattacks, you need to take steps to contain the impact.

Let’s review some elements of this strategy, starting with some basic blocking and tackling that you should already be doing (and if you’re not, consider this your wake-up call!).

****Zero Trust Remote Access****

With the advent of ubiquitous remote access, every laptop, phone and tablet has become a potential threat vector for malware seeking to access the corporate network. A virtual private network (VPN) can’t address this if a “trusted” device seeking access is infected. You need a Zero Trust approach to remote access.

Zero Trust ensures that all access to your corporate systems is tightly controlled according to a “least privilege” principle, replacing implicit trust with verification. In the most robust Zero Trust implementations, access requests are sent to a reverse proxy that applies policy-based security controls before sending a virtualized version of the connection to the remote device. This effectively eliminates any physical connection to the corporate network—isolating it from a potential malware “blast.”

****Inspecting Traffic****

Data breaches are often discovered when third-party companies examine corporate network activity and find large amounts of data being transferred from a compromised device to a foreign server, undetected by the victimized organization. Panic ensues.

Minimizing this risk requires that you keep a close, continuous eye on passive signals, either leaving the corporate network or originating from the home network of a remote user. This involves intercepting and inspecting these signals—through a recursive DNS inspection or via a secure web gateway—to detect potential indicators of compromise and contain them in time to avert disaster.

****It’s Not Enough****

You need to be doing those things—but it’s not enough. Bad cyber actors are continually probing for weaknesses and cracks in the armor. Effective risk mitigation assumes that, sooner or later, a breach will occur. So how can you reduce the blast radius once malware is inside?

The answer is network segmentation. This divides devices and workloads into logical segments with policies providing access controls between them. Just as the watertight bulkheads in a ship prevent a breach in the hull from sinking the vessel, segmentation prevents the lateral movement of malware across your network, preventing it from accessing critical assets.

Segmentation is a well-established security concept. But, as with any technology solution, it all depends on how it’s implemented. Taking a hardware-based approach to segmentation has drawbacks. Today’s IT environments are constantly changing and evolving. But legacy hardware-based segmentation tools like firewall appliances and VLANs don’t change readily. Policies governing what devices can communicate with each other can become stale, restricting access in ways that hamper business agility. When this happens, human nature can take over, seeking ways to work around the controls—defeating the whole purpose of segmentation.

In addition, hardware-based tools are not easily scalable, making it difficult to keep pace with growth. This can create vulnerabilities that are easy to overlook. What’s needed is a more intelligent and dynamic approach to segmentation.

****Software-based Micro-Segmentation****

Micro-segmentation based on a software-defined model overcomes these shortcomings. Instead of using infrastructure for segmentation, software creates a segmentation overlay that works across data center and cloud environments to manage all segmentation policies. This offers greater flexibility, precision and scaling, while maintaining effective segmentation even as the hardware environment evolves.

Software-based micro-segmentation also provides a higher degree of visibility, enabling you to easily see what systems or devices are talking to each other. This goes beyond a static policy audit, which only shows permissions, rather than actual observed activity. By providing a clear view of activity across all on-premises and cloud environments, software-based micro-segmentation enables continuous monitoring. That view can be presented visually, making management extremely intuitive.

This makes it easy to map relationships, dependencies and traffic flows between entities. Then you can easily implement policies by selecting from a policy library. Policies can be very granular and context-based—down to the level of individual processes and users, if needed.

****Agility and Consistency****

Software-based micro-segmentation offers advantages that make it preferable for the real world, where the environment is dynamic and constantly evolving. Policies are defined at the network stack level of the device that is communicating. This creates assurance that the policy will be enforced even as things change in the infrastructure.

Being able to easily discover and visualize relationships between devices, with both real-time and historical views, also provides valuable insight to help inform decisions on how the network should be segmented to provide effective protection of critical assets.

A software-based approach also helps ensure a consistent security posture across the entire infrastructure, including on-premise, cloud and hybrid resources, according to corporate standards. With a “single pane of glass” for your entire segmented environment, you have the information needed to quickly assess and update policies as things change.

****Reducing Your Attack Surface****

Managing the onslaught of ransomware and other cyberattacks requires a multi-dimensional approach—one that assumes a breach will eventually occur despite your efforts to prevent it. In concert with other Zero Trust strategies, software-based micro-segmentation offers a solution for reducing your attack surface, together with the flexibility and precision to keep pace with continuous change. The result is a more resilient infrastructure with less management complexity.

Breaches are a fact of life in the digital enterprise. But by reducing the blast radius of an attack by containing the bad actors, you can save the day.

_**Tony Lauro is director of security technology and strategy at Akamai.**_

_**Enjoy additional insights from Threatpost’s Infosec Insiders community by**_ **_visiting our microsite_**_**.**_

You Can’t Eliminate Cyberattacks, So Focus on Reducing the Blast Radius

This year's Black Hat Asia is hybrid, with some sessions broadcast on the virtual platform and others live on stage in Singapore. News Desk is available on-demand with prerecorded interviews.

May 11, 2022 — Like many things since 2020, Dark Reading News Desk has had to adapt. Instead of broadcasting live interviews with security researchers presenting at Black Hat, News Desk shifted to prerecorded interviews with the speakers. 

For Black Hat Asia 2022, Dark Reading News Desk is staying virtual, even as the conference goes hybrid. Black Hat attendees have the option to tune in virtually or attend in person at the Marina Bay Sands in Singapore. Dark Reading News Desk is keeping its virtual format.

News Desk interviewed some speakers presenting at Black Hat Asia 2022 about their sessions. These interviews will be available on-demand at Black Hat Virtual (under the show's "Dark Reading News Desk" tab) and right here on Dark Reading:

**DAY 1: Thursday, May 12**

Speakers from Binarly, Immune GmbH, and Red Hat discuss the complexity of the firmware ecosystem and the challenges of identifying and fixing flaws in hardware devices in "The Firmware Supply-Chain Security Is Broken: Can We Fix It?"

Watch the speakers try to distill the challenges in less than 15 minutes in this News Desk segment:  

No Black Hat is complete without at least one dissection of a cyber espionage operation. SideWinder (also known as RattleSnake and T-APT-04) is an aggressive threat actor that has been active since at least 2012. Details on the techniques and methods used by this advanced cyber espionage team will be part of "SideWinder Uncoils to Strike." Dark Reading editor-in-chief Kelly Jackson Higgins offers a sneak peak in this preview. 

Check out the News Desk segment:  

****DAY 2: Friday, May 13****

Trend Micro researchers discuss their discovery of a botnet infrastructure masquerading as an SMS phone-verified account service in "SMS PVA Services Fueled by Compromised Supply-Chain Mobile Botnets."

Watch the News Desk segment on this mobile threat:  

With the Russian invasion of Ukraine in February, the world has had a front-row seat to information warfare. A security expert with experience in security intelligence, policy, and Ukraine dissects what is happening in "The Virtual Battlefield in 2022: Russia-Ukraine War & Its Policy Implications."

Watch this News Desk segment with Very Good Security’s Kenneth Geers:  

It's a fact that every operating system has vulnerabilities, but it still takes many by surprise when there are "macOS Vulnerabilities Hiding in Plain Sight."

Watch Offensive Security's Csaba Fitzl describe what he found:  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

On the Air With Dark Reading News Desk at Black Hat Asia 2022

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

The **U.S. Drug Enforcement Administration** (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of **esp.usdoj.gov**, which is the **Law Enforcement Inquiry and Alerts** (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the **Federal Bureau of Investigation** (FBI), and the **Department of Justice**, which houses both agencies. The DEA declined to comment on the validity of the claims, and issued only the briefest of statements about the matter in response to being notified.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page at the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.

EPIC and LEIA also have access to the DEA’s **National Seizure System** (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The **EPIC System Portal (ESP)** enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “**KT**,” the current administrator of the **Doxbin** — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

\[SIDE NOTE: Nearly two dozen domain names used by Doxbin were very recently included on the “**Domain Block List**” (DBL) maintained by Spamhaus, an anti-abuse group that many Internet service providers work with to block spam and malicious activity online. As a result, the Doxbin is currently unreachable on the open Internet\].

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of **LAPSUS$**, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said **Nicholas Weaver**, a researcher for the International Computer Science Institute at **University of California, Berkeley**.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.

“I don’t think these \[people\] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

**ANALYSIS**

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not only offender here. The DEA portal esp.usdoj.gov is listed on _Page 87_ of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

_There are 3,330 results_. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect _any_ federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.

DEA Investigating Breach of Law Enforcement Data Portal

A group of human rights lawyers and investigators has called on the Hague to bring the first-ever “cyber war crimes” charges against Russia’s most dangerous hackers.

For weeks, evidence has been piling up of the Russian military's apparent war crimes in the midst of its brutal invasion of Ukraine: mass graves, bombed hospitals, even makeshift torture chambers. But amidst those atrocities—and the push to hold the perpetrators accountable—one group is making the counterintuitive case that another arm of the Russian military should be included in any international war crimes charges: the Kremlin's most disruptive and dangerous hackers.

In late March, a group of human rights lawyers and investigators in the Human Rights Center at UC Berkeley's School of Law sent a formal request to the Office of the Prosecutor for the International Criminal Court (ICC) in the Hague. It urges the ICC to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine—even as the prosecutors gather evidence of more traditional, ongoing war crimes there. Specifically, the Human Rights Center's international criminal investigations team points in its detailed brief to Sandworm, a notorious group of hackers within Russia's GRU military intelligence agency, and to two of Sandworm's most egregious acts of cyberwarfare: blackouts that those hackers triggered by targeting electric utilities in Western Ukraine in December 2015 and in the capital, Kyiv, a year later, affecting hundreds of thousands of civilians.

The Berkeley group's document was sent under a provision of the Rome Statute treaty, which gives the ICC its authority, allowing recommendations from nongovernmental organizations. It asks the ICC's prosecutor, Karim Khan, “to expand the scope of his investigation to include the cyber domain in addition to traditional domains of warfare–land, air, maritime, and space–given the Russian Federation’s history of hostile cyber activities in Ukraine.” The brief acknowledges that charges against Sandworm would represent the first case of “cyber war crimes” ever brought by the ICC. But it argues that precedent would help not only to seek justice for those harmed by Sandworm's cyberattacks, but also to deter future, potentially worse cyberattacks affecting critical civilian infrastructure around the world.

“In fact, in the absence of consequences or any mechanisms for meaningful accountability, State-sponsored cyberattacks have escalated in the shadows,” reads the Human Rights Center's Article 15 document sent to the ICC and shared with WIRED. “An investigation into Russia’s hostile cyber operations would shine a light on tactics against which few civilians know how to protect themselves.”

Lindsay Freeman, the director of technology, law, and policy at the Human Rights Center, tells WIRED the ICC prosecutor's office responded privately to the group, saying it had received and is considering the group's recommendations. The ICC prosecutor's office didn't respond to WIRED's request for comment.

Freeman argues that the ICC prosecutor's office, which has been investigating ongoing war crimes in Russia's Ukraine invasion—along with the governments of Ukraine, Poland, and Lithuania and the European law enforcement agency—needs to demonstrate that its remit includes cyberattacks that violate the international laws of armed conflict. “We would like to make sure they're seeing the cyber domain as an actual domain of warfare, because in this case, it truly is,” says Freeman. She emphasizes that any cyber war crime charges should be in addition to, not instead of, charges for the ongoing massacres, reckless killing of civilians, and mass deportations in Ukraine. But she adds that “the only way you can properly investigate and understand this conflict is through seeing not just what's happening in the physical world, but also what's happening in the cyber and information spaces, and this is not something war crimes investigators have ever paid attention to.”

Since Russia's last major invasion of Ukraine began in 2014, Russia has targeted the country with a years-long bombardment of cyberattacks of a kind never before seen in history. The GRU's Sandworm hackers alone have attempted three blackouts in the country—at least two of which succeeded; destroyed the networks of media outlets, private companies, and government agencies in targeted attacks; and in 2017 released the destructive, self-spreading NotPetya malware that infected hundreds of organizations across Ukraine and eventually many more around the world, causing a record-breaking $10 billion in damage.

With the current, larger-scale invasion Russia launched on February 24, the Kremlin's state-sponsored hackers have unleashed a broad new campaign of destructive hacking against hundreds of Ukrainian targets, often carefully coordinated with physical military tactics. That new barrage included one cyberattack in which GRU hackers targeted Viasat satellite systems, knocking out broadband connections across Ukraine and Europe, including those of thousands of wind turbines in Germany.

Freeman says that the UC Berkeley Human Rights Center's recommendations for war crime charges, which was sent to the ICC before some of the most recent cyberattacks fully came to light, single out Sandworm's two blackout attacks in 2015 and 2016 for legal and practical reasons: They've already been thoroughly investigated and pinned on Sandworm's hackers through both private sector and government detective work. Six of the group's hackers were indicted by the US Department of Justice in October 2020 with a long rap sheet that includes those blackouts. The cyberattacks occurred in the early years of Russia's war in Ukraine, during active fighting in the eastern region of the country, which makes it easier to argue they occurred in the context of a military conflict and thus constitute a war crime. They have a clear civilian target, given that no military operations were occurring in Western Ukraine or Kyiv at the times of the blackouts there. And perhaps most importantly, they had a clear and direct physical result, which makes for a simpler case that they were equivalent to the sort of physical attacks that war crimes tribunals have charged in the past.

On top of all of that, Freeman points to the seriousness of Sandworm's attacks on civilian power grids. In the 2016 incident in Kyiv in particular, the hackers used a piece of malware known as Industroyer or Crash Override to automatically trigger that power outage. Although that blackout in Ukraine's capital lasted only about an hour, a 2019 analysis of the attack found that a component of the malware intended to disable safety systems was designed to cause physical destruction of electrical equipment, and only failed due to a misconfiguration in the malware. “A cyber weapon that is able to interact with an actual electrical system or an industrial control system and result in kinetic harm is extremely dangerous,” says Freeman. “The power grid attacks are the ones that really cross the line where it's clear we should just say, ‘No state should be attacking critical infrastructure for civilians.’”

If war crimes charges could serve as a punitive measure capable of deterring that sort of critical infrastructure cyberattack, it makes sense to bring them against a group like Sandworm now, says John Hultquist, who leads threat intelligence at cybersecurity firm Mandiant and has tracked Sandworm for the better part of a decade, even naming the group in 2014. The Biden administration has repeatedly warned that Western sanctions against Russia may lead the country to lash out with cyberattacks against targets in the United States or Europe. “We need to be doing everything we can right now to prepare for Sandworm or deter them,” says Hultquist. “If you're going to do this, now is the time.”

On the other hand, Hultquist, a combat veteran who served in Afghanistan and Iraq, also wonders whether cyber war crimes should be a priority given Russia's ongoing physical war crimes in Ukraine. “There's a stark difference between cyberattacks and attacks on the physical ground right now,” he says. “You simply cannot achieve the same effects with cyberattacks that you can when you're bombing things and tanks are rolling down streets.”

Berkeley's Freeman agrees that any ICC charges against Sandworm for cyber war crimes shouldn't detract or distract from its investigation of traditional war crimes in Ukraine. But those ongoing, on-the-ground war crime investigations are likely to take years to bear fruit, she says; the investigation and prosecution of war crimes in Yugoslavia's 1990s conflict, for instance, took decades. Freeman argues that prosecuting Sandworm for Russia's 2015 and 2016 cyberattacks, by contrast, would be “low-hanging fruit,” given the evidence already assembled by security researchers and Western governments of the group's culpability. That means it could offer immediate results while other Russian war crimes investigations continue. “A lot of what you need to try this case is there,” says Freeman. “You could bring this case to get _some_ justice, as a first step, while other investigations are ongoing.”

Sandworm's hackers already face criminal charges in the US. And last month, the State Department went so far as to issue a bounty of up to $10 million for information that could lead to the capture of the six hackers. But Freeman argues that the gravity of convicting the hackers as war criminals would have a larger deterrent effect, and might help actually lead to their arrest, as well. She points out that 123 countries are parties to the Rome Statute and obliged to help capture convicted war criminals—including some countries that don't have extradition treaties with the United States, such as Switzerland, Ecuador, and Cuba, which might otherwise serve as safe havens for the hackers.

If ICC prosecutors did bring war crimes charges against Sandworm for its blackout attacks, the case would have to clear certain legal hurdles, says Bobby Chesney, director of the Strauss Center for International Security and Law at the University of Texas Law School. They'd have to convince the court that the attacks occurred in the context of war, for instance, and that the power grid wasn't a military target, or that the attacks disproportionately affected civilians, he says.

But the more fundamental idea of extending the international laws of war to cover cyberattacks with physical effects—while unprecedented in ICC cases—is an easy argument to make, he says.

“All you have to do is ask, ‘What if the Russians had set up bombs at the relevant electrical substations to achieve the same effect? Is that a war crime?’ That's the exact same sort of question,” says Chesney. He compares the new “cyber domain” of warfare to other kinds of warfare like aerial and submarine warfare, which were once new modes of war but no less subject to international law. “For all these new operational domains, extending the existing law-of-war concepts of proportionality and distinctions to them is a no-brainer.”

But the cyber domain _is_ nonetheless different, says Freeman: It has no borders, and it allows attackers to instantly reach across the world, regardless of distance. And that makes holding Russia's most dangerous hackers accountable all the more urgent. “Sandworm is continually active, and continually executing serious attacks with impunity,” she says. “The risk it presents is incredibly serious, and it puts the entire world at the front lines of this conflict.”

The Case for War Crimes Charges Against Russia’s Sandworm Hackers

In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including:

T-Mobile (April 23, 2022)
Globant 
Okta
Ubisoft
Samsung
Nvidia
Microsoft
Vodafone

In addition to these attacks, LAPSUS$ was also able to successfully launch a ransomware attack against the Brazilian Ministry of Health.
While

In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including:

*   T-Mobile (April 23, 2022)
*   Globant
*   Okta
*   Ubisoft
*   Samsung
*   Nvidia
*   Microsoft
*   Vodafone

In addition to these attacks, LAPSUS$ was also able to successfully launch a ransomware attack against the Brazilian Ministry of Health.

While high-profile cyber-attacks are certainly nothing new, there are several things that make LAPSUS$ unique.

*   The alleged mastermind of these attacks and several other alleged accomplices were all teenagers.
*   Unlike more traditional ransomware gangs, LAPSUS$ has a very strong social media presence.
*   The gang is best known for data exfiltration. It has stolen source code and other proprietary information and has often leaked this information on the Internet.

**LAPSUS$ stolen credentials**

In the case of Nvidia, for example, the attackers gained access to hundreds of gigabytes of proprietary data, including information about chips that the company is developing. Perhaps more disturbing; however, LAPSUS$ claims to have stolen the credentials of thousands of Nvidia employees. The exact number of credentials stolen is somewhat unclear, with various tech news sites reporting differing numbers. However, Specops was able to obtain approximately 30,000 passwords that were compromised in the breach.

**The rise of cyber extortion**

There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid.

A technology company could conceivably suffer irreparable harm by having its source code, product roadmap, or research and development data leaked, especially if that data were to be made available to competitors.

Even though the LAPSUS$ attacks have thus far focused primarily on technology companies, any organization could conceivably become a victim of such an attack. As such, all companies must carefully consider what they can be doing to keep their most sensitive data out of the hands of cybercriminals.

**Weak passwords at play**

The other important takeaway from the LAPSUS$ attacks was that while there is no definitive information about how the attackers gained access to their victim's networks, the list of leaked Nvidia credentials that was acquired by Specops clearly reveals that many employees were using extremely weak passwords. Some of these passwords were common words (welcome, password, September, etc.), which are extremely susceptible to dictionary attacks. Many other passwords included the company name as a part of the password (nvidia3d, mynvidia3d, etc.). At least one employee even went so far as to use the word Nvidia as their password!

While it is entirely possible that the attackers used an initial penetration method that was not based on the use of harvested credentials, it is far more likely that these weak credentials played a pivotal role in the attack.

This, of course, raises the question of what other companies can do to prevent their employees from using similarly weak passwords, making the organization vulnerable to attack. Setting up a password policy that requires lengthy and complex passwords is a good start, but there is more that companies should be doing.

**Protecting your own organization from a similar attack**

One key measure that organizations can use to prevent the use of weak passwords is to create a custom dictionary of words or phrases that are not permitted to be used as a part of the password. Remember that in the Nvidia attack, employees often used the word Nvidia either as their password or as a component of their password. A custom dictionary could have been used to prevent any password from containing the word Nvidia.

Another, even more important way that an organization can prevent the use of weak passwords is to create a policy preventing users from using any password that is known to have been leaked. When a password is leaked, that password is hashed and the hash is usually added to a database of password hashes. If an attacker acquires a password hash they can simply compare the hash to the hash database, quickly revealing the password without having to perform a time-consuming brute force or dictionary-based crack.

Specops Password Policy gives admins the tools that they need in order to ensure that users avoid using weak passwords or passwords that are known to have been compromised. Specops makes it easy to create a password policy that complies with common password standards, such as those defined by NIST. In addition to setting length and complexity requirements, however, Specops allows admins to create dictionaries of words that are not to be used as a part of a password. Additionally, Specops maintains a database of billions of leaked passwords. User's passwords can be automatically checked against this database, thereby preventing users from using a password that is known to have been compromised.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel