Tony Lauro, director of security technology and strategy at Akamai, discusses reducing your company's attack surface and the "blast radius" of a potential attack.

Tony Lauro, director of security technology and strategy at Akamai, discusses reducing your company’s attack surface and the “blast radius” of a potential attack.

Lately, I’ve started wondering if the biggest risk concerning cyberattacks is that we’re becoming desensitized to them. After all, businesses experience a ransomware attack every 11 seconds—the majority of which the public never hears about. Faced with this reality, it may seem like your efforts to safeguard the enterprise are futile. But that’s all the more reason to strengthen your resolve—and switch up your cyber defense strategy. The core of this strategy is the concept of “reducing the blast radius” of an attack. Since you can’t completely eliminate cyberattacks, you need to take steps to contain the impact.

Let’s review some elements of this strategy, starting with some basic blocking and tackling that you should already be doing (and if you’re not, consider this your wake-up call!).

****Zero Trust Remote Access****

With the advent of ubiquitous remote access, every laptop, phone and tablet has become a potential threat vector for malware seeking to access the corporate network. A virtual private network (VPN) can’t address this if a “trusted” device seeking access is infected. You need a Zero Trust approach to remote access.

Zero Trust ensures that all access to your corporate systems is tightly controlled according to a “least privilege” principle, replacing implicit trust with verification. In the most robust Zero Trust implementations, access requests are sent to a reverse proxy that applies policy-based security controls before sending a virtualized version of the connection to the remote device. This effectively eliminates any physical connection to the corporate network—isolating it from a potential malware “blast.”

****Inspecting Traffic****

Data breaches are often discovered when third-party companies examine corporate network activity and find large amounts of data being transferred from a compromised device to a foreign server, undetected by the victimized organization. Panic ensues.

Minimizing this risk requires that you keep a close, continuous eye on passive signals, either leaving the corporate network or originating from the home network of a remote user. This involves intercepting and inspecting these signals—through a recursive DNS inspection or via a secure web gateway—to detect potential indicators of compromise and contain them in time to avert disaster.

****It’s Not Enough****

You need to be doing those things—but it’s not enough. Bad cyber actors are continually probing for weaknesses and cracks in the armor. Effective risk mitigation assumes that, sooner or later, a breach will occur. So how can you reduce the blast radius once malware is inside?

The answer is network segmentation. This divides devices and workloads into logical segments with policies providing access controls between them. Just as the watertight bulkheads in a ship prevent a breach in the hull from sinking the vessel, segmentation prevents the lateral movement of malware across your network, preventing it from accessing critical assets.

Segmentation is a well-established security concept. But, as with any technology solution, it all depends on how it’s implemented. Taking a hardware-based approach to segmentation has drawbacks. Today’s IT environments are constantly changing and evolving. But legacy hardware-based segmentation tools like firewall appliances and VLANs don’t change readily. Policies governing what devices can communicate with each other can become stale, restricting access in ways that hamper business agility. When this happens, human nature can take over, seeking ways to work around the controls—defeating the whole purpose of segmentation.

In addition, hardware-based tools are not easily scalable, making it difficult to keep pace with growth. This can create vulnerabilities that are easy to overlook. What’s needed is a more intelligent and dynamic approach to segmentation.

****Software-based Micro-Segmentation****

Micro-segmentation based on a software-defined model overcomes these shortcomings. Instead of using infrastructure for segmentation, software creates a segmentation overlay that works across data center and cloud environments to manage all segmentation policies. This offers greater flexibility, precision and scaling, while maintaining effective segmentation even as the hardware environment evolves.

Software-based micro-segmentation also provides a higher degree of visibility, enabling you to easily see what systems or devices are talking to each other. This goes beyond a static policy audit, which only shows permissions, rather than actual observed activity. By providing a clear view of activity across all on-premises and cloud environments, software-based micro-segmentation enables continuous monitoring. That view can be presented visually, making management extremely intuitive.

This makes it easy to map relationships, dependencies and traffic flows between entities. Then you can easily implement policies by selecting from a policy library. Policies can be very granular and context-based—down to the level of individual processes and users, if needed.

****Agility and Consistency****

Software-based micro-segmentation offers advantages that make it preferable for the real world, where the environment is dynamic and constantly evolving. Policies are defined at the network stack level of the device that is communicating. This creates assurance that the policy will be enforced even as things change in the infrastructure.

Being able to easily discover and visualize relationships between devices, with both real-time and historical views, also provides valuable insight to help inform decisions on how the network should be segmented to provide effective protection of critical assets.

A software-based approach also helps ensure a consistent security posture across the entire infrastructure, including on-premise, cloud and hybrid resources, according to corporate standards. With a “single pane of glass” for your entire segmented environment, you have the information needed to quickly assess and update policies as things change.

****Reducing Your Attack Surface****

Managing the onslaught of ransomware and other cyberattacks requires a multi-dimensional approach—one that assumes a breach will eventually occur despite your efforts to prevent it. In concert with other Zero Trust strategies, software-based micro-segmentation offers a solution for reducing your attack surface, together with the flexibility and precision to keep pace with continuous change. The result is a more resilient infrastructure with less management complexity.

Breaches are a fact of life in the digital enterprise. But by reducing the blast radius of an attack by containing the bad actors, you can save the day.

_**Tony Lauro is director of security technology and strategy at Akamai.**_

_**Enjoy additional insights from Threatpost’s Infosec Insiders community by**_ **_visiting our microsite_**_**.**_

You Can’t Eliminate Cyberattacks, So Focus on Reducing the Blast Radius

This year's Black Hat Asia is hybrid, with some sessions broadcast on the virtual platform and others live on stage in Singapore. News Desk is available on-demand with prerecorded interviews.

May 11, 2022 — Like many things since 2020, Dark Reading News Desk has had to adapt. Instead of broadcasting live interviews with security researchers presenting at Black Hat, News Desk shifted to prerecorded interviews with the speakers. 

For Black Hat Asia 2022, Dark Reading News Desk is staying virtual, even as the conference goes hybrid. Black Hat attendees have the option to tune in virtually or attend in person at the Marina Bay Sands in Singapore. Dark Reading News Desk is keeping its virtual format.

News Desk interviewed some speakers presenting at Black Hat Asia 2022 about their sessions. These interviews will be available on-demand at Black Hat Virtual (under the show's "Dark Reading News Desk" tab) and right here on Dark Reading:

**DAY 1: Thursday, May 12**

Speakers from Binarly, Immune GmbH, and Red Hat discuss the complexity of the firmware ecosystem and the challenges of identifying and fixing flaws in hardware devices in "The Firmware Supply-Chain Security Is Broken: Can We Fix It?"

Watch the speakers try to distill the challenges in less than 15 minutes in this News Desk segment:  

No Black Hat is complete without at least one dissection of a cyber espionage operation. SideWinder (also known as RattleSnake and T-APT-04) is an aggressive threat actor that has been active since at least 2012. Details on the techniques and methods used by this advanced cyber espionage team will be part of "SideWinder Uncoils to Strike." Dark Reading editor-in-chief Kelly Jackson Higgins offers a sneak peak in this preview. 

Check out the News Desk segment:  

****DAY 2: Friday, May 13****

Trend Micro researchers discuss their discovery of a botnet infrastructure masquerading as an SMS phone-verified account service in "SMS PVA Services Fueled by Compromised Supply-Chain Mobile Botnets."

Watch the News Desk segment on this mobile threat:  

With the Russian invasion of Ukraine in February, the world has had a front-row seat to information warfare. A security expert with experience in security intelligence, policy, and Ukraine dissects what is happening in "The Virtual Battlefield in 2022: Russia-Ukraine War & Its Policy Implications."

Watch this News Desk segment with Very Good Security’s Kenneth Geers:  

It's a fact that every operating system has vulnerabilities, but it still takes many by surprise when there are "macOS Vulnerabilities Hiding in Plain Sight."

Watch Offensive Security's Csaba Fitzl describe what he found:  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

On the Air With Dark Reading News Desk at Black Hat Asia 2022

The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

The **U.S. Drug Enforcement Administration** (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of **esp.usdoj.gov**, which is the **Law Enforcement Inquiry and Alerts** (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the **Federal Bureau of Investigation** (FBI), and the **Department of Justice**, which houses both agencies. The DEA declined to comment on the validity of the claims, and issued only the briefest of statements about the matter in response to being notified.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page at the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community.

EPIC and LEIA also have access to the DEA’s **National Seizure System** (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The **EPIC System Portal (ESP)** enables vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “**KT**,” the current administrator of the **Doxbin** — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

\[SIDE NOTE: Nearly two dozen domain names used by Doxbin were very recently included on the “**Domain Block List**” (DBL) maintained by Spamhaus, an anti-abuse group that many Internet service providers work with to block spam and malicious activity online. As a result, the Doxbin is currently unreachable on the open Internet\].

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of **LAPSUS$**, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said **Nicholas Weaver**, a researcher for the International Computer Science Institute at **University of California, Berkeley**.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases.

“I don’t think these \[people\] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

**ANALYSIS**

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal is not only offender here. The DEA portal esp.usdoj.gov is listed on _Page 87_ of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

_There are 3,330 results_. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect _any_ federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complex than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local authorities, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.

DEA Investigating Breach of Law Enforcement Data Portal

A group of human rights lawyers and investigators has called on the Hague to bring the first-ever “cyber war crimes” charges against Russia’s most dangerous hackers.

For weeks, evidence has been piling up of the Russian military's apparent war crimes in the midst of its brutal invasion of Ukraine: mass graves, bombed hospitals, even makeshift torture chambers. But amidst those atrocities—and the push to hold the perpetrators accountable—one group is making the counterintuitive case that another arm of the Russian military should be included in any international war crimes charges: the Kremlin's most disruptive and dangerous hackers.

In late March, a group of human rights lawyers and investigators in the Human Rights Center at UC Berkeley's School of Law sent a formal request to the Office of the Prosecutor for the International Criminal Court (ICC) in the Hague. It urges the ICC to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine—even as the prosecutors gather evidence of more traditional, ongoing war crimes there. Specifically, the Human Rights Center's international criminal investigations team points in its detailed brief to Sandworm, a notorious group of hackers within Russia's GRU military intelligence agency, and to two of Sandworm's most egregious acts of cyberwarfare: blackouts that those hackers triggered by targeting electric utilities in Western Ukraine in December 2015 and in the capital, Kyiv, a year later, affecting hundreds of thousands of civilians.

The Berkeley group's document was sent under a provision of the Rome Statute treaty, which gives the ICC its authority, allowing recommendations from nongovernmental organizations. It asks the ICC's prosecutor, Karim Khan, “to expand the scope of his investigation to include the cyber domain in addition to traditional domains of warfare–land, air, maritime, and space–given the Russian Federation’s history of hostile cyber activities in Ukraine.” The brief acknowledges that charges against Sandworm would represent the first case of “cyber war crimes” ever brought by the ICC. But it argues that precedent would help not only to seek justice for those harmed by Sandworm's cyberattacks, but also to deter future, potentially worse cyberattacks affecting critical civilian infrastructure around the world.

“In fact, in the absence of consequences or any mechanisms for meaningful accountability, State-sponsored cyberattacks have escalated in the shadows,” reads the Human Rights Center's Article 15 document sent to the ICC and shared with WIRED. “An investigation into Russia’s hostile cyber operations would shine a light on tactics against which few civilians know how to protect themselves.”

Lindsay Freeman, the director of technology, law, and policy at the Human Rights Center, tells WIRED the ICC prosecutor's office responded privately to the group, saying it had received and is considering the group's recommendations. The ICC prosecutor's office didn't respond to WIRED's request for comment.

Freeman argues that the ICC prosecutor's office, which has been investigating ongoing war crimes in Russia's Ukraine invasion—along with the governments of Ukraine, Poland, and Lithuania and the European law enforcement agency—needs to demonstrate that its remit includes cyberattacks that violate the international laws of armed conflict. “We would like to make sure they're seeing the cyber domain as an actual domain of warfare, because in this case, it truly is,” says Freeman. She emphasizes that any cyber war crime charges should be in addition to, not instead of, charges for the ongoing massacres, reckless killing of civilians, and mass deportations in Ukraine. But she adds that “the only way you can properly investigate and understand this conflict is through seeing not just what's happening in the physical world, but also what's happening in the cyber and information spaces, and this is not something war crimes investigators have ever paid attention to.”

Since Russia's last major invasion of Ukraine began in 2014, Russia has targeted the country with a years-long bombardment of cyberattacks of a kind never before seen in history. The GRU's Sandworm hackers alone have attempted three blackouts in the country—at least two of which succeeded; destroyed the networks of media outlets, private companies, and government agencies in targeted attacks; and in 2017 released the destructive, self-spreading NotPetya malware that infected hundreds of organizations across Ukraine and eventually many more around the world, causing a record-breaking $10 billion in damage.

With the current, larger-scale invasion Russia launched on February 24, the Kremlin's state-sponsored hackers have unleashed a broad new campaign of destructive hacking against hundreds of Ukrainian targets, often carefully coordinated with physical military tactics. That new barrage included one cyberattack in which GRU hackers targeted Viasat satellite systems, knocking out broadband connections across Ukraine and Europe, including those of thousands of wind turbines in Germany.

Freeman says that the UC Berkeley Human Rights Center's recommendations for war crime charges, which was sent to the ICC before some of the most recent cyberattacks fully came to light, single out Sandworm's two blackout attacks in 2015 and 2016 for legal and practical reasons: They've already been thoroughly investigated and pinned on Sandworm's hackers through both private sector and government detective work. Six of the group's hackers were indicted by the US Department of Justice in October 2020 with a long rap sheet that includes those blackouts. The cyberattacks occurred in the early years of Russia's war in Ukraine, during active fighting in the eastern region of the country, which makes it easier to argue they occurred in the context of a military conflict and thus constitute a war crime. They have a clear civilian target, given that no military operations were occurring in Western Ukraine or Kyiv at the times of the blackouts there. And perhaps most importantly, they had a clear and direct physical result, which makes for a simpler case that they were equivalent to the sort of physical attacks that war crimes tribunals have charged in the past.

On top of all of that, Freeman points to the seriousness of Sandworm's attacks on civilian power grids. In the 2016 incident in Kyiv in particular, the hackers used a piece of malware known as Industroyer or Crash Override to automatically trigger that power outage. Although that blackout in Ukraine's capital lasted only about an hour, a 2019 analysis of the attack found that a component of the malware intended to disable safety systems was designed to cause physical destruction of electrical equipment, and only failed due to a misconfiguration in the malware. “A cyber weapon that is able to interact with an actual electrical system or an industrial control system and result in kinetic harm is extremely dangerous,” says Freeman. “The power grid attacks are the ones that really cross the line where it's clear we should just say, ‘No state should be attacking critical infrastructure for civilians.’”

If war crimes charges could serve as a punitive measure capable of deterring that sort of critical infrastructure cyberattack, it makes sense to bring them against a group like Sandworm now, says John Hultquist, who leads threat intelligence at cybersecurity firm Mandiant and has tracked Sandworm for the better part of a decade, even naming the group in 2014. The Biden administration has repeatedly warned that Western sanctions against Russia may lead the country to lash out with cyberattacks against targets in the United States or Europe. “We need to be doing everything we can right now to prepare for Sandworm or deter them,” says Hultquist. “If you're going to do this, now is the time.”

On the other hand, Hultquist, a combat veteran who served in Afghanistan and Iraq, also wonders whether cyber war crimes should be a priority given Russia's ongoing physical war crimes in Ukraine. “There's a stark difference between cyberattacks and attacks on the physical ground right now,” he says. “You simply cannot achieve the same effects with cyberattacks that you can when you're bombing things and tanks are rolling down streets.”

Berkeley's Freeman agrees that any ICC charges against Sandworm for cyber war crimes shouldn't detract or distract from its investigation of traditional war crimes in Ukraine. But those ongoing, on-the-ground war crime investigations are likely to take years to bear fruit, she says; the investigation and prosecution of war crimes in Yugoslavia's 1990s conflict, for instance, took decades. Freeman argues that prosecuting Sandworm for Russia's 2015 and 2016 cyberattacks, by contrast, would be “low-hanging fruit,” given the evidence already assembled by security researchers and Western governments of the group's culpability. That means it could offer immediate results while other Russian war crimes investigations continue. “A lot of what you need to try this case is there,” says Freeman. “You could bring this case to get _some_ justice, as a first step, while other investigations are ongoing.”

Sandworm's hackers already face criminal charges in the US. And last month, the State Department went so far as to issue a bounty of up to $10 million for information that could lead to the capture of the six hackers. But Freeman argues that the gravity of convicting the hackers as war criminals would have a larger deterrent effect, and might help actually lead to their arrest, as well. She points out that 123 countries are parties to the Rome Statute and obliged to help capture convicted war criminals—including some countries that don't have extradition treaties with the United States, such as Switzerland, Ecuador, and Cuba, which might otherwise serve as safe havens for the hackers.

If ICC prosecutors did bring war crimes charges against Sandworm for its blackout attacks, the case would have to clear certain legal hurdles, says Bobby Chesney, director of the Strauss Center for International Security and Law at the University of Texas Law School. They'd have to convince the court that the attacks occurred in the context of war, for instance, and that the power grid wasn't a military target, or that the attacks disproportionately affected civilians, he says.

But the more fundamental idea of extending the international laws of war to cover cyberattacks with physical effects—while unprecedented in ICC cases—is an easy argument to make, he says.

“All you have to do is ask, ‘What if the Russians had set up bombs at the relevant electrical substations to achieve the same effect? Is that a war crime?’ That's the exact same sort of question,” says Chesney. He compares the new “cyber domain” of warfare to other kinds of warfare like aerial and submarine warfare, which were once new modes of war but no less subject to international law. “For all these new operational domains, extending the existing law-of-war concepts of proportionality and distinctions to them is a no-brainer.”

But the cyber domain _is_ nonetheless different, says Freeman: It has no borders, and it allows attackers to instantly reach across the world, regardless of distance. And that makes holding Russia's most dangerous hackers accountable all the more urgent. “Sandworm is continually active, and continually executing serious attacks with impunity,” she says. “The risk it presents is incredibly serious, and it puts the entire world at the front lines of this conflict.”

The Case for War Crimes Charges Against Russia’s Sandworm Hackers

In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including:

T-Mobile (April 23, 2022)
Globant 
Okta
Ubisoft
Samsung
Nvidia
Microsoft
Vodafone

In addition to these attacks, LAPSUS$ was also able to successfully launch a ransomware attack against the Brazilian Ministry of Health.
While

In recent months, a cybercriminal gang known as LAPSUS$ has claimed responsibility for a number of high-profile attacks against technology companies, including:

*   T-Mobile (April 23, 2022)
*   Globant
*   Okta
*   Ubisoft
*   Samsung
*   Nvidia
*   Microsoft
*   Vodafone

In addition to these attacks, LAPSUS$ was also able to successfully launch a ransomware attack against the Brazilian Ministry of Health.

While high-profile cyber-attacks are certainly nothing new, there are several things that make LAPSUS$ unique.

*   The alleged mastermind of these attacks and several other alleged accomplices were all teenagers.
*   Unlike more traditional ransomware gangs, LAPSUS$ has a very strong social media presence.
*   The gang is best known for data exfiltration. It has stolen source code and other proprietary information and has often leaked this information on the Internet.

**LAPSUS$ stolen credentials**

In the case of Nvidia, for example, the attackers gained access to hundreds of gigabytes of proprietary data, including information about chips that the company is developing. Perhaps more disturbing; however, LAPSUS$ claims to have stolen the credentials of thousands of Nvidia employees. The exact number of credentials stolen is somewhat unclear, with various tech news sites reporting differing numbers. However, Specops was able to obtain approximately 30,000 passwords that were compromised in the breach.

**The rise of cyber extortion**

There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid.

A technology company could conceivably suffer irreparable harm by having its source code, product roadmap, or research and development data leaked, especially if that data were to be made available to competitors.

Even though the LAPSUS$ attacks have thus far focused primarily on technology companies, any organization could conceivably become a victim of such an attack. As such, all companies must carefully consider what they can be doing to keep their most sensitive data out of the hands of cybercriminals.

**Weak passwords at play**

The other important takeaway from the LAPSUS$ attacks was that while there is no definitive information about how the attackers gained access to their victim's networks, the list of leaked Nvidia credentials that was acquired by Specops clearly reveals that many employees were using extremely weak passwords. Some of these passwords were common words (welcome, password, September, etc.), which are extremely susceptible to dictionary attacks. Many other passwords included the company name as a part of the password (nvidia3d, mynvidia3d, etc.). At least one employee even went so far as to use the word Nvidia as their password!

While it is entirely possible that the attackers used an initial penetration method that was not based on the use of harvested credentials, it is far more likely that these weak credentials played a pivotal role in the attack.

This, of course, raises the question of what other companies can do to prevent their employees from using similarly weak passwords, making the organization vulnerable to attack. Setting up a password policy that requires lengthy and complex passwords is a good start, but there is more that companies should be doing.

**Protecting your own organization from a similar attack**

One key measure that organizations can use to prevent the use of weak passwords is to create a custom dictionary of words or phrases that are not permitted to be used as a part of the password. Remember that in the Nvidia attack, employees often used the word Nvidia either as their password or as a component of their password. A custom dictionary could have been used to prevent any password from containing the word Nvidia.

Another, even more important way that an organization can prevent the use of weak passwords is to create a policy preventing users from using any password that is known to have been leaked. When a password is leaked, that password is hashed and the hash is usually added to a database of password hashes. If an attacker acquires a password hash they can simply compare the hash to the hash database, quickly revealing the password without having to perform a time-consuming brute force or dictionary-based crack.

Specops Password Policy gives admins the tools that they need in order to ensure that users avoid using weak passwords or passwords that are known to have been compromised. Specops makes it easy to create a password policy that complies with common password standards, such as those defined by NIST. In addition to setting length and complexity requirements, however, Specops allows admins to create dictionaries of words that are not to be used as a part of a password. Additionally, Specops maintains a database of billions of leaked passwords. User's passwords can be automatically checked against this database, thereby preventing users from using a password that is known to have been compromised.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Everything We Learned From the LAPSUS$ Attacks

Researchers have detailed a previously undocumented .NET-based post-exploitation framework called IceApple that has been deployed on Microsoft Exchange server instances to facilitate reconnaissance and data exfiltration.
"Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as

Researchers have detailed a previously undocumented .NET-based post-exploitation framework called IceApple that has been deployed on Microsoft Exchange server instances to facilitate reconnaissance and data exfiltration.

"Suspected to be the work of a state-nexus adversary, IceApple remains under active development, with 18 modules observed in use across a number of enterprise environments, as of May 2022," CrowdStrike said in a Wednesday report.

The cybersecurity firm, which discovered the sophisticated malware in late 2021, noted its presence in multiple victim networks and in geographically distinct locations. Targeted victims span a wide range of sectors, including technology, academic, and government entities.

A post-exploitation toolset, as the name implies, is not used to provide initial access, but is rather employed to carry out follow-on attacks after having already compromised the hosts in question.

IceApple is notable for the fact that it's an in-memory framework, indicating an attempt on the part of the threat actor to maintain a low forensic footprint and evade detection, which, in turn, bears all hallmarks of a long-term intelligence-gathering mission.

While intrusions observed so far have involved the malware being loaded on Microsoft Exchange Servers, IceApple is capable of running under any Internet Information Services (IIS) web application, making it a potent threat.

The different modules that come with the framework equip the malware to list and delete files and directories, write data, steal credentials, query Active Directory, and export sensitive data. Build timestamps on these components date back to May 2021.

"At its core, IceApple is a post-exploitation framework focused on increasing an adversary's visibility of a target through acquisition of credentials and exfiltration of data," the researchers concluded.

"IceApple has been developed by an adversary with detailed knowledge of the inner workings of IIS. Ensuring all web applications are regularly and fully patched is critical to preventing IceApple from ending up in your environment."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Deploy IceApple Exploitation Framework on Hacked MS Exchange Servers

Foxit PDF Reader and PDF Editor before 11.2.2 have a Type Confusion issue that causes a crash because of Unsigned32 mishandling during JavaScript execution.

CVE-2022-30557: Security Bulletins | Foxit Software

The technique, called store-now, decrypt later (SNDL), means organizations need to prepare now for post-quantum cryptography.

Although quantum computing is years away from commercial availability, business leaders, CIOs, and CISOs need to act now to prepare for the technology's inevitable ability to crack RSA-encrypted data. Failure to start adopting a post-quantum cryptography (PQC) strategy will put all existing encrypted data assets at risk of exposure, according to a stark warning from key technical cryptography experts issued on Wednesday.

A peer-reviewed paper chronicling that threat with a technical road map for transitioning to PQC appeared Wednesday in _Nature_, a leading journal for the science and technology communities.

The cybersecurity experts who wrote the paper, titled "Transitioning organizations to post-quantum cryptography," underscored the fact that when large and fault-tolerant (LFT) quantum computers become available, attackers will be able to use them to crack most existing public key crypto systems, including RSA and elliptic curve cryptography (ECC).

**SNDL Threat**

The paper points to three critical issues that the authors contend organizations must address. First is the existence of an active and critical threat called store-now, decrypt later (SNDL), a practice wherein attackers steal sensitive data and hold onto it with the intent of decrypting it once quantum computing becomes available.

Second, the authors warn that quantum computers will be able to break the most commonly relied on RSA and ECC to forge signatures. That would put at risk all SSL-based websites, zero-trust architectures, and cryptocurrencies, among other things, according to the authors.

And third, they highlight how the National Institute of Standards and Technology (NIST) is poised to select a set of PQC candidates that it will recommend as standards. Although the paper was written months ago before Wednesday's publication, NIST is poised to reveal the candidates within a few weeks and potentially sooner.

Dustin Moody, a NIST mathematician, confirmed the imminent announcement of the PQC algorithm candidates. Among cybersecurity standards, it is one of NIST's largest undertakings since developing Advanced Encryption Standard (AES) and Secure Hash Algorithm-3 (SHA-3). The new PQC standard will likely include more than one algorithm, Moody told Dark Reading.

"Security-wise, we want to make sure we're not putting all our eggs in one basket," Moody says. NIST is considering public key digital signatures as well as encryption or equivalently key establishment, Moody adds: "There will be at least one for each of these."

NIST's pending announcement was presaged by two directives last week from the Biden administration aimed at recognizing and addressing PQC.

**Impact on Existing Data Assets**

While the paper provides a detailed technical breakdown of PQC issues, it also aims to bring awareness of the implications of quantum computing for existing information assets and emphasize the need to develop a plan.

"For those organizations that have not started integrating PQC in their systems or even planning for it, we highly recommend starting their efforts now," the paper warns. "Those organizations and enterprises with sensitive data with time value exceeding five years should consider PQC immediately."

One of the co-authors of the paper is Jack Hidary, founder and CEO of Sandbox AQ, a software-as-a-service (SaaS) provider focused on bringing together quantum computing and artificial intelligence technology to address complex processing issues. The primary processing issue it is dedicated to is helping organizations understand the risk of quantum computing by identifying critical data assets that are encrypted and developing a strategy to protect them with the forthcoming PQC algorithms.

The first thing companies must do is undergo a discovery process to determine the value of all their data, particularly information that is encrypted. For example, a large pharmaceutical company could have IP for patented drugs that are worth billions of dollars per year in revenues and royalties. If that data were to end up in the wrong hands, it could render that IP worthless, Hidary warns.

"We realized that a white paper was necessary to give context to CISOs and to engineering teams and other leaders in the C-suite as to how this migration would occur," Hidary told Dark Reading. "And that's the motivation for this paper."

Hidary emphasizes that with SNDL, state-sponsored and independent attackers have already begun exfiltrating RSA encrypted data. "It's happening right now — they're storing that information, then they will decrypt in the future in a few years when they have additional computing power," he said. "That's the concern."

**PQC Attracts Powerful Friends**

Sandbox AQ may not be a well-known company today, having just come out of stealth mode. But it is a well-capitalized startup incubated by Google parent Alphabet, which spun out Sandbox AQ in March as a standalone company.

The company has a prominent advisory board consisting of former Google chairman and CEO Eric Schmidt, former U.S. Secretary of Defense Ashton Carter, former principal deputy director of National Intelligence Susan Gordon, and retired Admiral Mike Rogers, former Commander of the U.S. Cyber Command and a onetime director of the National Security Agency.

Before meeting with Hidary in January, Ernst & Young Americas cybersecurity lead David Burg said he knew PQC was an issue that his company would eventually have to address with its clients. But Burg acknowledges he was taken off guard over the need for EY to work on it with companies immediately.

"We left that meeting realizing that this is actually a problem set that our clients in the United States and around the world will need to deal with sooner than we thought," Burg says. The two companies formed a partnership to address the issue together.

**Protecting Health Information at Mount Sinai**

One of the clients EY is working with is the Mount Sinai Health System, which has 43,000 employees throughout its eight hospital campuses in the New York City area. Kristin Myers, who is Mount Sinai's CIO and dean of technology for its medical school, says cybersecurity is her No. 1 priority.

"In regard to quantum computing, the reality is that because of this innovation, it's going to be possible to decrypt data that is currently encrypted in the future," Myers says. "And as you can imagine for healthcare, an unauthorized disclosure of sensitive PHI \[personal health information\] would really impact patients, whether it happened now, five years from now, or beyond."

Myers says she signed up Mount Sinai with Sandbox AQ and will start conducting a review and inventory of all the encryption methods now in use. Sandbox AQ will then provide recommendations on how to move forward.

"We'll do a feasibility study of some of the products that we'll need to implement with them," she says. "This is going to be a multiyear journey with them, but just to be able to get started is going to be important for us."

Threat Actors Are Stealing Data Now to Decrypt When Quantum Computing Comes

A Texas man was sentenced today to five years in prison followed by three years of supervised release for his conduct in connection with a scheme to buy 38,000 compromised PayPal account credentials from an illegal online marketplace, and then use those credentials to steal money from the rightful PayPal account owners. In addition to the term of imprisonment, the defendant was ordered to pay $1.4 million in restitution.

Marcos Ponce, 37, of Austin, pleaded guilty to conspiracy to commit wire fraud in October 2021. According to court documents, from at least as early as November 2015 and continuing through in or about November 2018, Ponce and his co-conspirators worked together to establish buyer accounts on a particular illegal online marketplace (Marketplace A). Marketplace A functioned as an illegal market for stolen payment account credentials and associated personally identifying information (PII). The co-conspirators purchased over 38,000 stolen PayPal account login credentials.

In addition, Ponce and his co-conspirators developed social engineering techniques in order to trick unwitting third parties into accepting money transfers from the compromised PayPal accounts, and then transferring the money into accounts controlled by members of the conspiracy.

“The Justice Department remains firmly committed to protecting the American people from fraudsters like this defendant,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “May today’s sentencing send a clear message to would-be thieves: there are real-world consequences for online crimes.”

“This prosecution and sentence send a powerful message that the cyberworld is not a haven for criminals, and law enforcement will work tirelessly to bring cybercriminals to justice,” said U.S. Attorney Ashley C. Hoff for the Western District of Texas.

“Today’s sentencing sends a message that the FBI will pursue cybercriminals across the globe. Hiding behind a computer does not mean you can stay anonymous or out of reach of law enforcement,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “With the assistance of FBI cyber task forces across the country, the FBI will diligently and aggressively work to identify and locate criminals, regardless of where they operate.”

The case was investigated by the FBI’s Washington Field Office, with significant assistance from the FBI San Antonio - Austin Cyber Task Force.

Senior Counsel Laura-Kate Bernstein of the Justice Department’s Computer Crime and Intellectual Property Section, and Assistant U.S. Attorney Matthew Devlin for the Western District of Texas prosecuted the case, with substantial assistance from Assistant U.S. Attorney Demian Ahn for the District of Columbia.

Man Sentenced for Stealing from PayPal Accounts in Wire Fraud Scheme

Round of $14.5M to support team of AI experts and cybersecurity leaders targeting overshared data with AI-based solutions for data access governance and loss prevention.

SAN JOSE, Calif., May 11, 2022 — Concentric Inc., a leading vendor of intelligent AI-based solutions for protecting business-critical data, announced today it has raised $14.5 million in Series A funding. Led by Ballistic Ventures, a new VC firm solely dedicated to advising and funding early-stage cybersecurity startups, this investment targets the $19B market for data security, access governance, and loss prevention. Citi Ventures also participated in the round as a strategic investment, as did current investors Core Ventures Group, Engineering Capital, and Clear Ventures.

As a result of the investment, Ballistic Ventures’ Barmak Meftah will join Concentric’s Board of Directors. Recognized globally as one of the most successful business leaders in enterprise software and cybersecurity, Mr. Meftah served as the President of AT&T Cybersecurity, a role assumed after the successful acquisition of AlienVault, where he led the company for six years as CEO. Under Mr. Meftah’s leadership, AT&T established itself as a cybersecurity leader and one of the world’s top-five largest managed security services providers (MSSPs).

“Data security and access governance – especially for information hidden in unstructured content – is an enormous unaddressed market,” said Mr. Meftah. “Concentric has the right technology and team to deliver tremendous customer value and take data security to the next level. With the help of Ballistic’s expertise and our extensive network of security contacts, their growth potential is virtually unlimited.”

Concentric serves organizations awash in business-critical data that they can’t protect. Using the company’s autonomous data security solution, security professionals can now discover, evaluate, and remediate security issues without resorting to armies of analysts or asking end-users for help. Automation is a highly effective cybersecurity strategy: According to the 2021 “Cost of a Data Breach” report from IBM, the cost of a data breach continues to climb up 10 percent YOY to $4.24M in 2021, with remote work contributing $1M more in average cost per data breach. However, adopting security AI/automation drove breach costs down by 84.4 percent (from an average per-breach cost of $6.71M to $2.90M). Out of the 26 cost factors evaluated in the report, automation drove the biggest savings.

Citi Ventures’ Vibhor Rastogi, Global Director, AI/ML Investments also sees automation’s potential: “Artificial intelligence and machine learning continue to transform how large global financial institutions can protect their most important asset, their data. Data security professionals face the twin threats of sophisticated cybercriminals and a cybersecurity staff shortage. Concentric has the team and solution needed to capitalize on the need for autonomous data security for better protection with lower costs, and we look forward to supporting them on this journey of continued growth.”

Concentric co-founders Karthik Krishnan (CEO), Madhu Shashanka (Chief Data Scientist), and Shankar Subramaniam (CTO and VP, Engineering) believe emerging deep learning technologies are the answer. Their pioneering Semantic Intelligence™ solution includes patented capabilities such as Risk Distance™ analysis for autonomous risk assessment and Concentric MIND for an AI-assisted deep learning model and policy management/curation. Customers use Semantic Intelligence to meet regulatory requirements, protect sensitive client information, control internal data flows, and more. Learn more about Concentric’s solutions here.

“Our mission is simple: We are remaking the multi-billion dollar data security market with an autonomous solution capable of discovering, evaluating, and protecting structured and unstructured content across the entire cloud and on-premises landscape,” said Krishnan. “The teams at Ballistic and Citi Ventures are packed with high-powered cybersecurity creators and industry luminaries who see our potential and share our vision. Together we’ll establish Concentric as one of the industry’s leading cybersecurity players.”

With these investments, the company will grow its existing roster of corporate customers through expanded sales and marketing efforts and extend its solution to protect an expanding menu of content, locations, and use cases.

**About Ballistic Ventures**

Ballistic Ventures is solely dedicated to early-stage cybersecurity and cyber-related companies. Our partners have spent their entire careers defending against every cyber threat conceivable. Members of the firm have founded, operated, or funded over 90 successful cybersecurity firms, led over ten thousand security professionals globally, and have 40+ years of experience in venture capital. Our experience provides entrepreneurs impactful support from people focused on the same mission. Our networks and relationships open doors for our founders.

Learn more at ballisticventures.com.

Ballistic features a slate of heavyweight co-founders and general partners, including Ted Schlein (Kleiner Perkins, Fortify), Barmak Meftah (AlienVault, AT&T Cybersecurity, Fortify), Jake Seid (Lightspeed Venture Partners), Derek Smith (Oakley Networks, Shape Security) and Roger Thornton, (AlienVault, AT&T Cybersecurity, Fortify).

**About Citi Ventures**

Citi Ventures harnesses the power of Citi to help people, businesses, and communities thrive in a world of technological change. Headquartered in San Francisco with offices in New York, London, Palo Alto, Tel Aviv, and Singapore, Citi Ventures accelerates discovery of new sources of value by exploring, incubating, and investing in new ideas, in partnership with Citi colleagues, clients, and the innovation ecosystem.

**About Concentric AI**

With Concentric, organizations can finally address their unmet data security needs by discovering and protecting business-critical content. Concentric protects intellectual property, financial documents, PII/PCI content, customer data, business confidential data and more, across on-premises and cloud-based data stores. The Concentric Semantic Intelligence™ Data Access Governance solution uses deep learning and Risk Distance™ analysis to accurately categorize data, assess risk, and remediate security issues – without relying on upfront rules or complex configuration. Concentric is venture-backed by leading Silicon Valley VCs and is headquartered in San Jose, Calif. For more information, see https://www.concentric.ai.

Tag

#intel