Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets.

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. \[1\] Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.

CVE-2023-24104: Proxy: Domain Fronting, Sub-technique T1090.004 - Enterprise

With Russia regularly knocking out Ukraine’s power grid, the country has turned to high-capacity batteries to keep it connected to the world—and itself.

In January 2022, Valeria Shashenok uploaded a TikTok video of herself playing tourist in Paris: red beret, fresh croissants, posing in front of the Eiffel Tower. A month later, her videos took on a much different character: Touring the bombed-out buildings of her town, Chernihiv, Ukraine; racing for cover as the air raid sirens sounded; reviewing the military rations served in her local bomb shelter.

Through the next year, Shashenok’s social media documented her life in the early days of the war, before seeking refuge in Western Europe—and then returning to Ukraine. In October, Shashenok uploaded a video promising to show her followers “how people live without electricity in Ukraine.” More than 3 million people watched the tour of her darkened city, all set to George Michael’s “Careless Whisper.”

Since Russia invaded Ukraine a year ago tomorrow, it has worked feverishly to stop Ukrainians like Shashenok from broadcasting to the world. Yet, even with the power out, Shashenok continued streaming to the world. The enormous work that has gone on behind the scenes to make that possible is a story of resiliency, planning, and batteries.

In the early days of the war, Russian airstrikes hit cell towers, hackers targeted Ukrainian internet service providers, and soldiers cut fiber optic cables. In the areas that Russian forces managed to occupy, internet traffic was rerouted through Russia’s heavily censored and aggressively monitored version of the internet. As the war raged on—and Moscow’s territorial ambitions were rebuffed by fierce Ukrainian resistance—Moscow resorted to even more desperate tactics, like shelling energy infrastructure, plunging Ukrainians like Shashenok into the dark.

“One thing that was demonstrated by the war is how important communication is for us,” Yurii Shchyhol, the head of Ukraine’s State Service for Special Communications and Information Protection, said in a media briefing last month. “When it’s up and running, everyone thinks that everything is normal—and this is how things should be. But when the communication disappears, we realize that we cannot get in touch with our loved ones, with our relatives.”

From the first month of Russia’s full-scale invasion, SpaceX’s Starlink service helped keep Ukraine online, even as the country’s communication infrastructure was being knocked offline. “We cannot ignore the fact that Starlink has been the signal of life for Ukraine,” Olha Stefanishyna, a deputy prime minister of Ukraine, told journalists late last year. “Our government has been able to be operational because I had Starlink over my head.”

While Starlink has been a critical stopgap, Kyiv has turned its attention to getting its regular infrastructure back up and running—thanks in no small part to SpaceX CEO Elon Musk’s hot-and-cold routine with Ukraine. Just this month, SpaceX president and chief operating officer Gwynne Shotwell said the company cut off Ukraine from using Starlink to connect its fleet of drones.

“Given this huge range of instability in the position of the SpaceX CEO—from the willingness and then unwillingness to continue financial support—we’re doing contingency planning for ourselves,” Stefanishyna said.

That’s where Shchyhol’s ministry comes in. Working with private industry, his agency has laid or repaired 3,200 kilometers of fiber optic cable and built or rebuilt 1,500 mobile base stations—another name for cell towers—since the war began. That work has returned Ukraine’s mobile communications to about 77 percent of its pre-war capacity. The biggest problems are in the areas along the front lines, such as Zaporizhzhya and Odessa, and towns occupied by the Russians in Luhansk and Donetsk regions. 

Kherson, which was liberated in November, has had a particularly hard time getting back online. “When the occupiers leave the occupied areas of Ukraine, they destroy the base stations, they destroy the fiber optic cables. So in the south of the country, we rebuilt the internet from scratch,” Shchyhol said during the press conference, adding that they have managed to repair about 20 percent of Kherson’s infrastructure. That’s only one part of the challenge, Shchyhol said. There’s still “the issue of electric power supply.”

Mobile base stations are normally hooked up to the power grid, using that electricity to amplify the cell signal to the broader area. During a power outage, an on-site battery kicks in to keep the tower running. If the outage persists, a crew could arrive with a diesel generator to keep powering the tower. That means Shashenok can keep uploading TikToks by candlelight in her neighborhood restaurant.

But Ukraine hasn’t just experienced a few short outages. Since October, it has faced an onslaught of attacks against its power grid, causing long periods of darkness. Ukraine responded by outfitting around 5,000 base stations with better generators. But those generators, and the diesel they rely on, are increasingly scarce, expensive, and in high demand everywhere in Ukraine. But they’ve been necessary, as the old lead batteries attached to its base stations only run for two or three hours, if that.

So Kyiv has turned to a simple solution: better batteries.

High-capacity lithium-ion batteries mean the base stations, Shchyhol said, “should have reserve power sources for at least three days.” And they can recharge themselves when the power comes back online.

Two of the biggest telecommunications firms in Ukraine have, between them, already sourced and installed 22,000 new high-capacity batteries. Shchyhol said his ministry has identified another 8,000 base stations that need to become “energy independent.” With demand for those batteries only increasing as Russia mounts a more serious offensive to break a stalemate in eastern Ukraine, there is a scramble to source more. And not every cell company is about to source tens of thousands of those batteries on their own.

“The main reason why we can still talk and have access to the internet, first of all, is because we have a very diverse market of internet providers,” says Vitaliy Moroz, a Kyiv-based outreach and support consultant for cybersecurity firm eQualitie. “This is quite a good situation for the customers because they can switch from one ISP to another.”

The Montreal-based firm has stood up an array of tools to help Ukrainians defend themselves against Russian cyberattacks and connect Ukrainians living under occupation to uncensored news and information, creating peer-to-peer connections that aren’t reliant on local internet access.

Late last year, eQualitie began crowdfunding to source batteries for some smaller ISPs in Ukraine. The money they raised helped them buy 172 batteries from Poland—the shipment weighed about 6.5 tons. Some of those batteries went to a small ISP in Chernihiv, which services hundreds of large residential buildings in the north-central Ukrainian city. ”With just five batteries, which they received within this donation, it means that tens of thousands of residents of Chernihiv remain connected,” Moroz says—residents like Valeria Shashenok.

“The issue of connectivity is not very clear for everyone,” Moroz says the morning after another wave of airstrikes on the country’s energy grid. “Ukrainians have, for example, apps or websites where they can follow all the air alarms, which may happen almost every day.”

Internet and mobile service in Ukraine is surprisingly good, even by American standards. Moroz points out that for about $8 per month, Ukrainians can get download speeds of around 100 megabytes per second. “People now need immediate information. They want to know, right now, what's happening,” he says. “So access to internet … means security for people, it means being connected with their families and friends.”

Staying connected also means staying hopeful.

When the Ukrainian Army liberated Izium, which is near the border of Dontesk, they also liberated the residents from Russian propaganda—the only source of news for many in the city. “They believed Kharkiv was also surrounded by Russians. And it was under Russian control, which is not true,” Moroz says. 

“So all this, the combined efforts to keep Ukraine connected, is because everyone understands that the ultimate goal of Russia is to demoralize civilians—because if civilians are demoralized, the government will lose support,” Moroz says. “Instead, it’s the opposite: Civilians realize they might have some hardship in their lives, but still they manage to build their lives around all these difficulties.”

eQualitie is still raising money to purchase a new shipment of batteries to Ukraine. Shchyhol, meanwhile, is bullish that he could get Ukraine’s mobile networks back to 100 percent.

But, like many aspects of this war, Ukraine continues preparing for the worst. Late last year, after waves of brutal assaults on Ukraine’s cities and critical infrastructure, president Volodmyr Zelensky announced the creation of thousands of Points of Invincibility across the country—in government buildings, pharmacies, gas stations, and banks.

“All basic services will be there, including electricity, mobile communications and the Internet, heat, water, and a first-aid kit,” Zelensky posted on Telegram. “Absolutely free and 24/7.” The sites will be powered by generators and connected to the world via Starlink.

“This is what the Russian flag means—complete desolation,” Zelensky said in another address in November. “There is no electricity, no communication, no internet, no television. The occupiers destroyed everything themselves—on purpose.”

Batteries Are Ukraine’s Secret Weapon Against Russia

Lawmakers are increasingly hellbent on punishing the popular social network while efforts to pass a broader privacy law have dwindled.

“We hope that Congress will explore solutions to their concerns about TikTok that won’t have the effect of censoring the voices of millions of Americans,” says TikTok spokesperson Brooke Oberwetter. “The swiftest and most thorough way to address national security concerns is for CFIUS to adopt the proposed agreement that we worked with them on for nearly two years. That plan includes layers of government and independent oversight to ensure that there are no backdoors into TikTok that could be used to access data or manipulate the platform. These measures go beyond what any peer company is doing today on security.”  

Over in the House, Rubio’s tough-on-tech allies just got new job titles and powers. Representatives Mike Gallagher of Wisconsin, a Republican, and Raja Krishnamoorthi of Illinois, a Democrat, are now the chair and ranking member, respectively, of the new House Select Committee on China established by Speaker Kevin McCarthy. While their new roles go beyond tech and TikTok, the two are eager to use their new perch to punish TikTok, in part, for stonewalling Congress.

“Part of the reason there’s not good data is \[that\] TikTok hasn’t responded to basic questions,” says Gallagher, who’s advocating for TikTok to be fully divested from ByteDance. “We’ve asked for transparency around their algorithms in general. There’s this question about how they intended to use their location tracking service that they would never really answer.”

Bipartisanship has been key to anti-TikTok efforts, but conservatives—and the GOP’s powerful messaging machine—have rallied around what, to them, is a glaring new national security threat. While US tech firms are now the punching bag for America’s right who accuse them of “censoring” them, most Republicans say this TikTok debate supersedes domestic political and corporate squabbles. They say there’s no comparing Silicon Valley to ByteDance.

“Can we just admit that the Chinese Communist Party is an adversary and Silicon Valley is not an actual adversary?” says senator Kevin Cramer of North Dakota, a Republican. “There are similar issues, but they’re not the exact same issues. The Chinese Communist Party is an adversary. Silicon Valley is an unruly child.”

Whether the fears are warranted or ungrounded, Congress isn’t even having the right debate, according to Senate Finance Committee chair Ron Wyden, a Democrat from Oregon. “Banning TikTok would be a godsend for sleazy rip-off data brokers,” the Oregon Democrat says. “TikTok is one piece of the puzzle, but don’t miss the overall challenge—because until you reign in these data brokers … you’re going to have all kinds of people’s personal data in America still on its way to China and hostile powers.”

Nevertheless, bipartisan anti-TikTok energy remains palpable in DC, especially because the app is so popular, with around 113 million users in the US, according to web analytics firm Statista. And with Beijing’s proven willingness to use technology to control its own citizens, US policymakers fear the CCP will soon distort the world for millions of unsuspecting Americans. 

“If you can dial these algorithms to say what kind of content \[people see\], it’s hugely problematic in terms of a propaganda tool,” Warner, the Senate Intelligence Committee chair, says.  

Warner supports reining TikTok in, but he remains skeptical of these new efforts to outright ban the app. He’s been left holding his tongue while awaiting more detailed information and a potential policy solution from the Justice Department. It’s not an either-or, though, according to privacy advocates in Congress. While they argue TikTok is the immediate concern, they also want to regulate Silicon Valley.

“I think there’s a need for both. We still need to get a big privacy bill,” Democratic senator Maria Cantwell of Washington says.

Cantwell chairs the Senate Commerce Committee, which is where many of these bipartisan efforts have died, in part because she’s demanded a higher federal privacy standard—or at least one that doesn’t supersede stout state laws, like California’s—than Republicans have been willing to accept. She says the reason the TikTok ban sailed through in December is that the government funding bill was “held hostage over it” by the GOP.

“With Big Data, there can be abuses, and we need to rein it in. Period,” Cantwell says. “There’s just a lot more work to be done, and my colleagues have to have the same bipartisan zeal to address those issues.”

Why the US Congress Wants to Ban TikTok

A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal.
The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine.

Cyber Threat / Data Security

A new backdoor associated with a malware downloader named **Wslink** has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal.

The payload, dubbed **WinorDLL64** by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine.

Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories.

Wslink was first documented by the Slovak cybersecurity firm in October 2021, describing it as a "simple yet remarkable" malware loader that's capable of executing received modules in memory.

"The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hrčka said. "The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads."

Intrusions leveraging the malware are said to be highly targeted owing to the fact that only a handful of detections have been observed to date in Central Europe, North America, and the Middle East.

In March 2022, ESET elaborated on the malware's use of an "advanced multi-layered virtual machine" obfuscator to evade detection and resist reverse engineering.

The links to Lazarus Group stem from overlaps in behavior and code to that of previous campaigns – Operation GhostSecret and Bankshot – which have been attributed to the advanced persistent threat.

This includes similarities with the GhostSecret samples detailed by McAfee in 2018, which come with a "data-gathering and implant-installation component" that runs as a service, mirroring the same behavior of Wslink.

ESET said the payload was uploaded to the VirusTotal malware database from South Korea, where some of the victims are located, adding credence to the Lazarus involvement.

The findings are once again demonstrative of the vast arsenal of hacking tools employed by the Lazarus Group to infiltrate its targets.

"Wslink's payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that possibly can be leveraged later for lateral movement," ESET said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)

CVE-2023-26462: ThingsBoard Release Notes

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

**CVE-2022-45600**

CVE URL:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45600

Reported by:

TanYeeTat

Product:

Aztech WMB250AC Wireless Mesh Routers

Affected Firmware:

2020 Release (topaz-linux.lzma.img)

Firmware download:

closed source

> Product Manual: https://kylaconnect.com/download-center/

> Vulnerability was reported to Aztech's security team via security@aztech.com on **7th June 2022**, with no response as of 21st February 2023
> 
> *   Kylaconnect Vulnerability Disclosure

**Vulnerability Details**

A Command Injection vulnerability (that leads to Privilege Escalation) exists in multiple webpages (list below), that allows a web-authenticated user to execute arbitrary shell commands on the device as the root user. The root user account could not be accessed in any other conventional methods (e.g., Telnet), and has been locked down by the firmware's configuration. This vulnerability bypasses that configuration and escalates an attacker's privileges to root.

List of affected webpages

*   Line 283 in status_wireless.php
*   Line 54 in config_wps.php
*   Line 81 in assoc_table.php
*   Line 55 in config_macfilter.php
*   Line 54 in config_wps.php

There is a lack of input validation and sanitization in the above list of web pages affecting the processing of a GET parameter,id, which is fed into a shell command that is executed as the root user. Command injection is performed by terminating the preceeding legitimate shell command with a semicolon ;, followed by an arbitrary shell command to inject.

> Snippet of retrieving the GET parameter id
> 
> *   the value of id is stored into interface_id variable

> Further down the PHP codes, the interface_id is fed into multiple exec() calls without validation or sanitization

**Proof of Concept**

The following steps will list how to reproduce this vulnerability

1.  Start the product physically or emulated
2.  Modify the PoC bash script's credentials to authenticate to the web service
3.  Execute the PoC bash script to obtain a root shell on the device

CVE-2022-45600: GitHub - ethancunt/CVE-2022-45600

By Waqas
If you use EmEditor, this user-friendly tutorial will explain how to remove duplicate lines in the popular EmEditor text editor software.
This is a post from HackRead.com Read the original post: How to Remove Duplicate Lines in EmEditor (2023)

EmEditor is a smart text editor software for Windows that supports a wide range of file formats, including plain text files, programming languages, Unicode, and large files.

EmEditor is developed by Emurasoft, Inc. The brain behind creating EmEditor is Emurasoft’s president Yutaka Emura who is based in the United States. Emura is also known for developing the EmTerm communication program.

EmEditor offers various features, including syntax highlighting, code folding, regular expressions, macros, multiple document support, and more.

EmEditor also supports plugins that extend its functionality and can be used for advanced tasks such as code debugging, web development, and text manipulation. It is available in both free and paid versions, with the paid version providing additional features and capabilities for power users.

**How to Remove Duplicate Lines in EmEditor?**

Although EmEditor is user-friendly software, with loads of options and features, it is not easy to find a quick solution at once. Therefore, we have decided to break down for our readers how they can remove duplicate lines in EmEditor.

To remove duplicate lines in EmEditor, you can follow these steps:

*   Open the document in EmEditor.
*   Select the lines that you want to remove duplicates from.
*   Click on the “Sort” button on the toolbar or go to the “Sort” menu and choose “Sort Ascending” or “Sort Descending“. This will arrange the selected lines in alphabetical or reverse alphabetical order.
*   After sorting the lines, go to the “Edit” menu and select “Remove Duplicate Lines“. This will remove all the duplicate lines from the selected lines.

Alternatively, you can also use EmEditor’s built-in macro to remove duplicate lines. Here are the steps:

*   Open the document in EmEditor.
*   Press “Ctrl + Shift +R” to open the “Record Micro” dialog box.
*   Enter a name for the macro and click “OK“.
*   Go to the “Edit” menu and select “Remove Duplicate Lines“.
*   Press “Ctrl + Shift +R” again to stop recording the macro.
*   Go to the “Macro” menu and select “Save” to save the macro.
*   To run the macro, go to the “Macro” menu and select the macro you just created.

If this How-To was helpful, don’t forget to share it, and let us know which other How-To you’d like to see us work on.

1.  Crucial Tips for Secure Form Submissions
2.  How to Craft Rich Data-Driven Infographics
3.  How to Dual Boot Android and Windows Easily
4.  How to Create ISO Files from Discs – 3 Best Ways
5.  How to Optimize Your Database Storage in MySQL
6.  How to configure cPanel and WHM Panel on your VPS
7.  MySQL Performance Tuning: Tips for Blazing Fast Queries

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

How to Remove Duplicate Lines in EmEditor (2023)

The platform uses no-code policy workflows to automate the provisioning and revoking of permissions.

To keep businesses running smoothly in a multicloud environment, people and applications both need a web of permissions to access all the tools required to complete their tasks. Getting the balance right, however, is a perennial challenge at which most companies fail. A startup named Entitle aims to change that.

The company is debuting a permissioning system that the company says spreads decision-making responsibility beyond the IT department, to the business unit leaders who actually know who the users are and what they need in the way of permissions.

The fundamental problem has been around for years. In 2021, CloudKnox revealed that nearly all of the identities on the major cloud platforms (90% to 95%, depending on platform) used no more than 5% of the permissions granted. And a 2022 year-end wrap-up from Permiso showed that the average user and role still only uses 5.3% of their permissions. 

The more lax the permission situation, the more likely it is that a bad actor will leverage their way into the network via an insecure account that has more access than it needs.

Entitle works to remedy that risk by issuing just-in-time permissions that can be revoked after a certain period or when a task has been completed. It also makes it easy to grant, change, and revoke permissions in bulk for people — employees or third parties — who are joining, leaving, or changing jobs, with what the startup calls "one-click on/offboarding." An access review panel collects the details of all permissions each human or machine identity has for overview, auditing, and compliance purposes.

    

Entitle's Workflows function. Source: Entitle

Perhaps the most unusual aspect of the Entitle platform is its Workflows function, shown above, which is where a company can set rules to automatically approve permissions requests or send them to the proper role (for instance, direct manager or app admin) for approval. That should cut down on manual work and improve the ability of programs and people to get emergency access in order to reduce bottlenecks — a serious consideration when balancing productivity and security.

Of course, Entitle is not the first or only company to embrace the principle of least privilege. Authomize, for example, launched in 2020 with its own version of automated permissioning, and Delinea created a way for users to execute a privileged action without having to expand their role. But considering the security and business risks posed by access creep, ensuring that every user gets only the access they need is an important function.

Entitle Brings Fine-Grained Cloud Permissions Management Out of Stealth

Despite increased threats, an uncertain economy, and increasing automation, your organization can still thrive.

When the vulnerability in Log4j happened, security teams sought the answer to a seemingly simple question: Am I vulnerable?

Answering that question led to a maelstrom of activity. Security groups requested information from vendors about their level of vulnerability and, in turn, had to respond to their customers about whether they were vulnerable. In many ways, the entire exercise seemed more about legal obligations than making people more secure.

The deluge of information — some of it useful, some of it useless — highlighted the need to rethink how we are doing security in the future.

We're living in a chaotic time. With a possible recession, technology companies trimming their ranks, and businesses pushing further into the cloud and adopting more automation and AI, security teams need to re-evaluate. Do they just follow the traditional playbook without thinking why? Or do they improve what they are doing to make security better?

Here are some focus areas to reduce chaos and increase overall security effectiveness.

**Simplify for Greater Visibility**

Gaining visibility into your applications and infrastructure is essential. Companies expanding their use of the cloud and converting applications to cloud-native infrastructure often see initial growing complexity because of a period of redundancy and hybrid infrastructure.

Pushing beyond that stage provides both cost and security benefits. Limiting the use of third-party tools to capture and analyze data for security teams is important. There's really no reason to, say, pull NetFlow data off the cloud infrastructure, when that same data — and more — is natively available.

Explore your cloud service provider's tools. Major cloud providers will often provide you detailed data, and you can reduce the complexity of the infrastructure needed to analyze that data.

**Pay Attention to Even the "Small" Breaches**

When NASA astronauts start getting emails in French, it's time to investigate.

That's what happened to Gavin early in his security career. Turns out two students in France were using Telnet to get into the NASA server and using it to send email. The incident ended up driving a greater project around making sure NASA had a robust data classification system and better data isolation.

Weird anomalies can be signs of an attack, but they can also drive a security team to better understand their organization's infrastructure. Investigations are time consuming but also often worthwhile, so even the small stuff should be investigated.

**Threat Intelligence Can Help**

Usually, a security team's most precious commodity is time. The old method of analyzing every IT project (even as they are changing) and looking for security issues is untenable.

Threat intelligence can help cut through the noise. By using threat intelligence, your security team can take a priority-based approach to architecture based on real-world attack intelligence. At the same time, they can deprioritize other areas. Threat intelligence can also help refine your playbooks and increase the maturity of your security team.

**Thriving With Automation, Planning for Layoffs**

Security teams are facing other sorts of stress, with most economists expecting a recession. Security teams still need to be able to perform, despite stressors and even in the face of losing some of their headcount.

To focus on the most important aspects of security, even with fewer people, companies need to adopt more automation, machine learning, and artificial intelligence. Every team should be asking how to speed up manual tasks with automation. Automation, correctly applied, can free up staff to be working on the areas.

In the past, security teams have been considered a roadblock — a bump on the way to a company's core business of making money. Most teams have moved past the reflexive need to say no. We're here to make sure that the business is taking educated risks, but at the end of the day, just saying no to everything doesn't help anyone.

As every security manager surveys the horizon, they need to look at how they have traditionally approached problems. And they should consider whether now is time to say yes to something new.

Headwinds Don't Have to Be a Drag on Your Security Effectiveness

It's a banner year for attacks coming through traditional email as well as newer collaboration technologies, such as Slack and Microsoft Teams. What's next?

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

That's according to the "State of Email Security" (SOES) report, based on a survey of 1,700 IT professionals published by Mimecast this week. The report also found that the most significant email-borne threats continue to be phishing, ransomware, and spoofing. 

Two-thirds of respondents acknowledged a successful ransomware attack, with companies in certain industries more likely to be a victim, including consumer services (87%), energy (83%), healthcare (80%) and the media and entertainment (86%) sectors. On the spoofing side, 91% of those surveyed had seen attempts to steal or use their email domain in an attack, according to the survey.

The increased concern about cyberattacks via email and collaboration platforms comes as companies have shifted to hybrid work environments, making tools like Slack and Microsoft Teams popular ways of exploitation by opportunistic cybercriminals. Nearly three-quarters of companies surveyed feel it is likely or extremely likely that their company will suffer an attack delivered through their collaboration tools, according to the study, which was conducted by market research firm Vanson Bourne.

"While email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate," the report stated. "And this, in turn, creates even more risk for CISOs and their teams to manage."

Though certainly not a new area, attacks on messaging and collaboration software are a growing source of compromise for companies. In its quarterly "Phishing Activity Trends Report," the Anti-Phishing Working Group (APWG) detected 1.3 million attacks in third quarter of 2022, up from 1.1 million phishing attacks in the second quarter of 2022. Attackers are also getting better at fooling defenses and sneaking into users' inboxes, with 19% of phishing attacks bypassing platform defenses, according to a report released in October.

With the ramped-up activity comes more awareness, at least. "More \[company\] leaders are increasingly aware of the dangerous ramifications cyberattacks pose against their business," says Thom Bailey, senior director of strategy at Mimecast. "However, organizations are still behind the curve in terms of security posture."

**Collaboration Tools Expand Quickly**

Collaboration tools represent an expanding attack surface area, according to the SOES survey. While the vast majority of professionals (90%) maintain that collaboration tools are essential to their company's workflow, keeping up with the installed base of tools is "overwhelming," according to those polled. Two-thirds of professionals (67%) are overwhelmed by the number of tools, and more than half (55%) have to attempt to detect and manage tools downloaded by workers without approval.

That said, whether the attacker uses email as their vector, or Slack or Teams, the end goal is the same, Bailey says.

"It’s important to remember that even though the attack vector is slightly different, the human end user is still the key target," he says. "The majority of attacks targeting collaboration channels leverage the human element, where an adversary makes a compelling appeal for a recipient to engage with the attacker."

On the email side, more companies are adopting email security specifications, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) to prevent spoofing. To protect their domains, 88% of survey respondents would like to use the DMARC standard to make their email more resilient to spoofing attacks. Unfortunately, only a bit more than a quarter (27%) have actually deployed the features, according to the SOES survey.

**Can ChatGPT Help With Phishing as Well?**

While anti-spam engines are among the earliest applications of machine learning to cybersecurity, most professionals aim to go further, with 92% either using or planning to use artificial intelligence (AI) features and machine learning (ML) to bolster their current defenses. Doing so can help cybersecurity teams keep up with attackers, Bailey says.

"When combined with natural language processing tools such as auto-encoders or large language models, \[AI\] can help detect anomalies in the writing style and communication patterns of inbound emails, blocking messages and alerting employees accordingly," he says. "It also helps reduce human error ... further enabling strained IT teams ... to offset critical workforce challenges by automating repetitive tasks and streamlining workflows to drive higher levels of efficiency."

The SOES survey included professionals from companies of various sizes, including 15% with fewer than 500 employees, 76% with between 500 and 10,000 employees, and 9% with more than 10,000 employees. The top industry sectors represented by the survey professionals included financial services (14%), technology and telecommunications (13%), retail (13%), and healthcare (11%).

Tag

#mac