Private sector organizations are "hesitant" to seek guidance from the Coast Guard, which isn't sufficiently equipped to help them yet.

Source: Rick Pisio/RWP Photography via Alamy Stock Photo

The Coast Guard is struggling to secure the US maritime supply chain thanks to inadequate staffing, training, authority, and cyber expertise.

A new report from the Department of Homeland Security's Office of Inspector General paints a picture of an industry reluctant to seek cybersecurity support, and a military unable to adequately provide it.

Coast Guard "Cyber Protection Teams" (CPTs) have offered free cybersecurity help to organizations in the Maritime Transportation System (MTS) since 2021, yet only 36% of qualifying organizations have taken them up on it. The private sector is "hesitant," the report says, despite the many security vulnerabilities CPT assessments typically uncover.

Part of the blame lies with the Coast Guard itself. The DHS Inspector General's Office's found that CPT inspections of marine facilities and vessels don't always account for "the full scope of potential cybersecurity threats. This occurred because Coast Guard does not have the authority or training to enforce private industry compliance with standard cybersecurity practices."

Plus, the service branch lacks staff with cyber expertise, according to the DHS IG.

**Coast Guard Role in Private Sector Cybersecurity**

Earlier this year, the Biden administration issued an executive order that, among other things, empowered the Coast Guard to take an even greater role in private sector security.

The military branch now has the authority to quarterback response efforts after any facilities, harbors, ports, or individual vessels are impacted by cyber incidents, including by inspecting or even controlling the movement of vessels which might otherwise threaten US infrastructure. It was also assigned the task of creating a set of minimum cybersecurity requirements for the industry.

"You don't see the Air Force directly taking on transportation \[security\], but it makes sense here in this case due to their \[the Coast Guard's\] sector expertise," says Itay Glick, operational technology expert and vice president of products at Opswat. "They already have relationships with the different groups — ships, ports, etc. — because of their day- to-day work, and adding that layer of cybersecurity actually makes sense."

In some ways, the Coast Guard has been quite productive so far. Cyber incidents reported to, and reviewed by, the Coast Guard have risen 111% in the past few years. Its vulnerability assessments have uncovered hundreds of incidents involving dozens of vulnerabilities, more than half of "critical" or "high" severity, meaning they could cause complete network, application, or system compromise.

In other ways, though, the service branch has not seemed up to the task. The DHS observed some CPT inspectors ignoring cybersecurity entirely, and found that they "expressed a limited understanding of how to address cybersecurity" thanks to little to no cybersecurity training. And even when vulnerabilities were found, the branch had insufficient means to force companies to comply with its recommendations for remediation.

**Threats to Maritime**

If it wasn't obvious enough in years prior, the world learned just how valuable and sensitive the MTS is from COVID and the Ever Given incident in the Suez Canal. Hackers learned it, too, and now cyber threats to the system are far greater than they ever were before.

A report from the Coast Guard Cyber Command last year found an 80% rise in reported ransomware incidents, with ransom demands tripling on average. Cyber disruptions to marine industries can come in many other forms as well, and cyber espionage — particularly from capable nation-state adversaries — is a persistent risk.

A failure to account for the kinds of vulnerabilities uncovered by plenty of CPT assessments already could, in the worst-case scenarios, lead to physical danger for crew members or marine life, and major disruptions to the global supply chain.

"Years ago, you saw \[how\] you couldn't bring new supplies into countries across the world. This is something that can happen again," Glick Warns, "and this is what we need to fear. If you don't have produce coming in, that might terribly impact the commercial industry here in the US."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DHS Inspector General: Coast Guard Shortcomings Hinder US Maritime Security

As threat actors get smarter about how they target employees, the onus is on organizations to create a strong line of defense — and the human element is a critical component.

Masha Sedova, VP, Human Risk Strategy, Mimecast

July 19, 2024

4 Min Read

Source: Yuliya Volkovska via Alamy Stock Vector

COMMENTARY

As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building.

Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity — it is projected to play a central role in 68% to 90% of breaches in 2024 — and the standard practice of mandated security awareness trainings isn't driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, chief information security officers (CISOs) must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training — one that requires human-by-design cybersecurity.

**Quantifying Risk**

Security awareness training helps, but it doesn't complete the job, as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with great regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organization's distribution of risk.

The first step is pinning down those at the company who are most at risk. Studies have found that just 8% of employees cause 80% of incidents, and many in this subset typically are repeat offenders. Certain individuals are also targeted more frequently, due to their prominence: Managers receive 2.5 times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.

These figures can vary widely between organizations, so it's key for businesses to perform their own analysis. This can be done by analyzing data that's often overlooked — like the logs generated by security endpoints when they prevent employees from executing malware — and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users' individual security risk.

**Managing Risk**

Much like financial institutions with credit scores or insurance companies with premiums, organizations can then begin leveraging these risk scores to create a personalized, adaptive approach to security, beginning with tailored training.

Rather than making all employees complete the same generic security awareness modules (which, let's be honest, most people will just blow through with little attention paid), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.

With detailed insights into behavior patterns, organizations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges — personalized messages sent out at the right time, or context to prevent users from falling victim to attacks — or strategies like tighter email security filtering, stricter browsing permissions, or reducing the time that multifactor authentication tokens are valid on at-risk users' machines.

It's important that these practices are carried out with transparency so employees know how the security team plans on using this collected data. When security teams take a constructive stance — for example, by sending out report cards that affirm positive behavior and suggest areas to improve — employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how the additional training and adaptive measures are designed to help them get better.

**Tracking Improvement**

Collecting and analyzing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviors occurring on the network over time and dial in the best methods of "bubble wrapping" subsets of the user base to reduce future occurrences.

This measurability stands in stark contrast to conventional human risk mitigation practices (i.e., simple awareness training), which can often take the form of a black hole in terms of understanding impact and, in turn, return on investment (ROI). With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.

As threat actors get smarter about how they target employees, the onus is on organizations and their cybersecurity partners to create a strong line of defense — and the human element is a critical component. Companies that take a more intelligent, personalized approach to curbing risky behavior will stand the best chance of safeguarding their organizations against cyberattacks, all while making more efficient use of their security budgets.

**About the Author(s)**

VP, Human Risk Strategy, Mimecast

Masha Sedova, co-founder of Elevate Security, has made her mark in cybersecurity through her practical and human-centered approach to the field. Under her leadership, Elevate Security's innovative platform significantly reduced user-related risks for enterprises. This led to its acquisition by Mimecast in 2024 where she now serves as VP of human risk strategy.

In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training

According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.

Source: Travel mania via Shutterstock

One of China's more prolific threat groups, APT41, is carrying out a sustained cyber espionage campaign targeting organizations in multiple sectors, including global shipping and logistics, media and entertainment, technology, and the automotive industry.

The advanced persistent threat (APT) actor appears to have launched the new campaign sometime in early 2023. Since then, the group has successfully infiltrated multiple victim networks and maintained prolonged access on them, Google's Mandiant security group said this week in a joint analysis with Google's Threat Analysis Group (TAG). Most of the affected organizations are located in the United Kingdom, Italy, Spain, Taiwan, Thailand, and Turkey.

APT41 is sort of an umbrella descriptor for a collective of China-based threat actors engaged in cyber espionage, supply chain attacks, and financially motivated cybercrime around the globe since at least 2012. Over the years security researchers have identified multiple subgroups as being part of the APT41 collective, including Wicked Panda, Winnti, Suckfly, and Barium. These groups have stolen trade secrets, intellectual property, healthcare related data and other sensitive information from US organizations and entities around the word on behalf of the Chinese government. In 2020, the US government indicted five members of APT41 for participating in or contributing to attacks on more than 100 companies worldwide. Those charges have done little to deter the group's activities so far, however.

**APT41's Widespread Geographic Impact**

Nearly all but one of the targeted organizations in the shipping and logistics sector were based in the Middle East and Europe, while all organizations that APT41 targeted in the media and entertainment sector were located in Asia. Many victims within the shipping and logistics sectors have operations across multiple continents, either as subsidiaries or affiliates of large multinational companies in the same sector, Mandiant researchers said.

"An analysis of victim organizations within specific sectors reveals a notable geographic distribution," Mandiant researchers said in its blog post.

Further, "Mandiant has detected reconnaissance activity directed towards similar organizations operating within other countries such as Singapore," the security vendor wrote. "At the time of the publication, neither Mandiant nor Google TAG have any indicators of these organizations being compromised by APT41, but it could potentially indicate an expanded scope of targeting."

**Custom Cyber Espionage Tools**

Mandiant researchers also said it had observed APT41 actors using a range of custom tools in its ongoing campaign, including those for dropping malware on target systems, establishing backdoors, moving laterally in compromised networks, and exfiltrating data from them. The tools include two Web shells for persistence, called AntsWord and BlueBeam, which the threat actor has been using to download a dropper called DustPan, which in turn attempts to load the Beacon post-compromise tool on victim systems.

In addition to this, Mandiant said it observed APT41 use a hitherto unseen multi-stage plugin framework called DustTrap for decrypting malicious payloads and executing them in memory so as to enable communication between the compromised system and APT-41 controlled systems and infrastructure. "DustPan has been used by APT41 as far back as 2021, but DustTrap was first seen in this activity," says Ben Read, head of cyber espionage analysis at Mandiant.

Other tools that APT41 actors have effectively deployed in the current campaign include malware dubbed SQLULDR2 for copying data from Oracle Databases and PineGrove for exfiltrating large volumes of data from a compromised network to a OneDrive account for subsequent analysts.

"APT41 has always had a global mandate, so while their targeting in this campaign likely reflects current PRC priorities, the widespread nature is consistent with what we have seen previously from them," Read says.

So far, Mandiant has found no evidence to suggest that APT41 are seeking to monetize their attacks in the current campaign in any way. "However, we do not have full insight into the post compromise activity, so can't say for sure."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's APT41 Targets Global Logistics, Utilities Companies

Attackers are more likely to target critical infrastructure industries and, when they do, they cause more disruption and ask higher ransoms, with the median payment topping $2.5 million.

Source: Have a nice day Photo via Shutterstock

When ransomware targeted the city of Dallas, Texas last year, it took down city services, the municipal water utility's ability to bill and read meters, and emergency services. The city required more than a month to bring all its systems back online.

Dallas is not alone. In 2023, two-thirds of critical infrastructure operators (67%) in the oil, energy, and utility sectors suffered a ransomware attack, compared to 59% of all industries, according to a survey by Sophos. In addition, attacks on those critical-infrastructure sectors affected an average of 62% of systems, far higher than the 49% of systems across all industries impacted during a ransomware attack.

In fact, the groups collectively tie healthcare as the second-most impacted sectors, with only federal government agencies impacted more often, says Chester Wisniewski, global field CTO at Sophos.

"This sector needs to recognize this as a serious risk and position themselves to not be so vulnerable to ransom demands," he says. "This isn't impossible work. Ultimately it's about getting the basics right, just like in previous years."

Critical infrastructure sectors have been perennial favorites of ransomware gangs, dating back to the Colonial Pipeline incident and even earlier. Ransomware cases in the industrial sector almost doubled between 2022 and 2023 to 1,484 attacks, from 804 incidents, according to data from the NCC Group, a cybersecurity consultancy.

The industrial sector — under which critical-infrastructure companies fall — manages essential services, and disruptions can have severe consequences, prompting quick ransomware payments, says Ian Usher, associate director of threat intelligence operations and service innovation for the NCC Group.

"Organizations that provide a public service or support critical infrastructures are more attractive for ransomware attacks because they face external pressure to restore operations," he says.

**What Makes a Successful Industrial Ransomware Attack?**

Most ransomware attacks against companies in the critical-infrastructure sectors of oil, energy and utilities succeeded through exploiting software vulnerabilities, which accounted for 49% of successful attacks versus 35% the previous year, according to Sophos's report. Compromised credentials (27%) and malicious emails (14%) rounded out the top-3 vectors.

A critical measure is how often an attack led to data being encrypted. In 2023, eight in 10 attacks resulted in encrypted data, the same as the previous year, but significantly higher than the previous two years, says Sophos' Wisniewski.

"This is worrying," he says. "These numbers should be improving as the adoption of extended detection and response (XDR) and managed detection and response (MDR) is becoming increasingly common."

The impact of ransomware attacks are often brutal for businesses. The average respondent in Sophos's survey required more than a month to recover. For the first time, more companies paid the ransom (61%) than used backups for recovery, even while the median payment jumped to $2.54 million. The average cost of recovery from an incident topped $3 million in 2023, matching the previous year. (Note, while Sophos's report is labeled 2024, the data is from 2023, so Dark Reading uses the latter year.)

**Don't Be The Low-Hanging Cyber Fruit**

Organizations that fail to adopt simple technologies, such as multi-factor authentication (MFA), and fail to keep up with software updates, will likely find themselves targeted not just once, but multiple times, says Sophos' Wisniewski.

While the high rate of ransom payments really stood out this year, organizations should no longer consider paying cybercriminals as a solution, he says.

"There isn't a way to buy your way out of situations like a ransomware attack," Wisniewski says. "In rare cases, the payment can expedite recovery, but it is the exception, not the rule ... You are almost guaranteed not to get all of your files back, and you will still need to rebuild ... your systems."

The government needs to help set cybersecurity standards for the critical infrastructure sectors, says NCC Group's Usher. Currently, under the Cyber Incident Reporting for Critical Infrastructure Act passed in 2022, critical-infrastructure operators are required to report significant cyber events within 72 hours and disclose ransom payments within 24 hours, he says.

"The government can...ensure consistent cybersecurity standards across critical infrastructure," he says. "A continued lack of alignment will only serve to create an ever more complex Web of rules. This will likely be counterproductive to delivering better cyber resilience, and contribute to the problem of cybersecurity compliance becoming a 'tick box' exercise."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Has Outsized Impact on Gas, Energy &amp; Utility Firms

The latest version of the Cloud Security Alliance's certification provides a comprehensive catalog of essential skills that cybersecurity professionals need to master.

Source: Ronald Candonga via Pixabay

The Cloud Security Alliance (CSA) has released the Certificate of Cloud Security Knowledge (CCSK) v5, the latest version of its vendor-neutral, cloud security training and certificate.

Designed for security analysts, compliance managers, security engineers, architects, and administrators, the CCSK provides training on topics including cloud incident response, application security, and data encryption. Certification is widely regarded as a benchmark for demonstrating cloud security knowledge and skills.

The "program provides a survey of the most important topics cybersecurity professionals will face day in and day out and is complementary to virtually any other education available," the CSA said.

The CCSK v5 is a "substantial update to CCSK v4," according to CSA. It includes in-depth information, recommendations, and best practices to secure cloud architecture, cloud native security, workloads, virtual networking, data protection, DevSecOps, zero trust, and generative artificial intelligence (GenAI). The CCSK also covers serverless/function-as-a-service, application security, continuous integration and continuous delivery (CI/CD), automation, identity and access management, and incident response.

In addition, CSA has published corresponding security guidance material for the CCSK v5. Students also have access to a variety of training modules, the CCSK v5 Prep Kit, an online self-paced option (which can be completed in 10 hours) and instructor-led classes. Security pros have 120 minutes long to take the exam — a half hour more than the older program's 90 minutes. It is expected to cost $445, though the fee is waived for veterans, according to the CSA.

The CCSK v5 includes "vital information" about managing risks, achieving compliance, optimizing organizational cloud security strategies, and understanding the shared responsibility model between the cloud provider and customer. The GenAI tool CCSK Orb is included in CCSK v5, as well.

CSA Updates Cloud Security Certificate, Training

The manual provides guidance on how to improve the resiliency of critical infrastructure.

Source: Jochen Tack via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has published a supplemental manual to its infrastructure resilience planning framework, providing guidance on improving critical infrastructure security and resiliency. The "IRPF Playbook" provides state, local, tribal, territorial (SLTT) government planners and private-sector stakeholders with processes to help reduce the risk of disruption to critical services during a cyberattack on critical infrastructure, as well as to keep recovery and restoration costs low.

The manual also provides "fictional scenarios like a recipe" to help understand how to implement the guidance, CISA said. It outlines key actions for resilience planning, such as establishing incident-response groups, identifying critical infrastructure and dependencies, creating mitigation strategies, and integrating solutions into existing protocols. The narrative hypotheticals illustrate how a community might conduct resilience planning or incorporate resilience into existing planning efforts.

"Reading through the Playbook process, not only are the IRPF steps articulated with clear inputs and outputs, but the additional guidance on resilience concepts will help communities increase their readiness and bounce back quickly after a disaster," said David Mussington, CISA's executive assistant director for infrastructure security, in a statement.

The new playbook is a voluntary planning resource; it does not carry "any regulations, define mandatory practices, provide a checklist for compliance, or carry statutory authority," according to CISA.

**About the Author(s)**

CISA Publishes Resiliency Playbook for Critical Infrastructure

Judge dismisses claims against SolarWinds for actions taken after its systems had been breached, but allows the case to proceed for alleged misstatements prior to the incident.

Source: Tetra Images via Alamy Stock Photo

A judge has dismissed a major portion of the Securities and Exchange Commission (SEC) litigation against SolarWinds and its chief information security officer (CISO), Tim Brown, ruling that they cannot be held liable for statements and filings made after the breach of the company's flagship Orion product.

However, the SEC can proceed with its charge against SolarWinds and Brown for misrepresentations made about the company's cybersecurity posture leading up to the cyberattack, according to the ruling from US District Court Judge Paul A. Engelmayer released on July 18. Court filings refer to the cyber incident as "Sunburst."

The ruling is in response to SolarWinds' motion to dismiss the SEC lawsuit filed in January of this year.

**SolarWinds Information-Sharing "Vindicated"**

Legal and cybersecurity experts say the ruling is a positive move toward providing guidance to other publicly traded companies on how to deal with cybersecurity incident disclosure regulations.

"For public companies rushing both to investigate an incident and make a materiality disclosure, the court's opinion allows the totality of the disclosure to prevail over the nitty-gritty details," says cyber attorney Beth Burgin Waller of Woods, Rogers, Vandeventer, Black PLC. "This decision vindicates SolarWinds' information sharing with the cybersecurity community post-incident."

While the ruling removes many of the charges against SolarWinds and Brown, the SEC will be allowed to pursue action for statements and other claims made about the cybersecurity posture of the company prior to its compromise. Disclosures and statements made about the company's security posture prior to the breach are "viably pled as materially false and misleading in numerous aspects," the judge wrote.

After joining SolarWinds in 2017, Brown internally highlighted deficits in the company's defenses while delivering more rosy assessments to customers, the ruling explained. Notably, the SolarWinds "Security Statement" falsely claimed compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

A SolarWinds spokesperson said the company was "pleased" with the ruling in a statement.

"We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate," the statement said. "We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."

**CISO Hot Takes**

Jessica Sica, CISO with Weave, was especially encouraged by the court's decision to toss out internal communications evidence among SolarWinds employees.

"Internally, you need to be able to discuss the state of security — for better or for worse — and not have that get out as if you weren’t doing your job," Sica says. "The SEC keeping that portion in could have led to more companies having a sort of 'don’t ask, don’t tell' policy on security, and that would make things much worse."

The court ruling also loosens some constraints on CISOs, according to Fred Kwong, Ph.D., vice president, and CISO of DeVry University.

"Holding CISOs personally liable, especially those CISOs that do not hold a position on the executive committee, is deeply flawed and would have set a precedent that would be counterproductive and weaken the security posture of organizations," Kwong says. "While not out of the woods, I'm happy to see that the court has dismissed most of the charges, especially those post-Sunburst."

Regardless of the ultimate outcome of the SEC's action against SolarWinds and Brown, Sica urges fellow CISOs to continue to be transparent.

"I think this doesn’t change the fact that you need to be honest about your security posture, and that’s a good thing," Sica says. "If you are promising publicly that you are doing it."

Sizable Chunk of SEC Charges Against SolarWinds Tossed Out of Court

Though the number of victims has risen, the actual number of breaches has gone down, as fewer, bigger breaches affect more individuals.

Source: B Christopher via Alamy Stock Photo

At the end of the second quarter of 2024, the number of US data breach victims has increased by more than 1,000% over the entire previous year, according to new analysis of publicly reported data breaches in the country.

The analysis, conducted by Identity Theft Resource Center (ITRC), determined that the increase in the number of victims in the second quarter of the year was due to the impact of a small number of very large breaches. So, though the number of victims has increased exponentially, there has been a 12% decrease in the actual number of incidents that occurred during that time frame. 

These large breaches include Prudential Financial and the Infosys McCamish System leaks, which affected Fidelity and Bank of America, among others. Together, these sent the victim count into the millions.

The data breach victim count for the first six months of 2024 was more than 1 billion (1,078,989,742), which is a 490% increase compared to the first half of 2023, which had a victim count of 182.6 million. This tally, however, does not include the Change Healthcare breach, which affected a huge swath of US victims.

"The takeaway from this report is simple," said Eva Velasquez, ITRC president and CEO. "Every person, business, institution and government agency must view data and identity protection with a greater sense of urgency."

**About the Author(s)**

US Data Breach Victim Numbers Increase by 1,000%, Literally

The vulnerability was given the highest CVSS score possible, though few details have been released due to its severity.

Source: designer491 via Alamy Stock Photo

Cisco has released a patch for a maximum-severity vulnerability, tracked as CVE-2024-20419, that allows threat actors to change any user or admin password.

The vulnerability carries a CVSS rating of 10, however, the company has not released many details about the bug, likely due to how high risk it is.

The attack complexity was deemed low, as no privileges or user interaction is necessary to complete the action, but the impact on the product's integrity, availability, and confidentiality are all deemed high.

"An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device," Cisco said in a statement. "A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

This vulnerability affects SSM On-Prem and SSM Satellite. There are no workarounds for the vulnerability, so it's recommended that users apply patches for the bug as soon as possible. 

Cisco has not released any additional information regarding this vulnerability in the wild or how many users have been potentially impacted. SSM On-Prem is primarily used by "financial institutions, utilities, service providers, and government organizations," according to the vendor, so organizations in these sectors should be especially wary. 

**About the Author(s)**

High-Severity Cisco Bug Grants Attackers Password Access

Three newly discovered SMTP smuggling attack techniques can exploit misconfigurations and design decisions made by at least 50 email-hosting providers.

Source: Maksim Kabakou via Adobe Stock Photo

Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations.

The flaws — discovered by several security researchers at PayPal — allow attackers to use simple mail transfer protocol (SMTP) smuggling to bypass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) security protocols to deliver malicious emails from domains owned by reputable Fortune 500 companies and government agencies.

The findings include vulnerabilities in email verification processes used by numerous large email service providers, specifically domain-authentication issues, request for comments (RFC) violations, and the abuse of valid DKIM signatures and SPF records.

**Email-Hosting, Vulnerable by Default**

The researchers — Hao Wang, offensive security senior manager; Caleb Sargent, offensive security engineer; and Harrison Pomeroy, lead threat detection engineer — plan to disclose how chaining these vulnerabilities together creates the new attack patterns in a session at the forthcoming Black Hat USA conference during first week in August, entitled "Into the Inbox: Novel Email Spoofing Attack Patterns."

They also will reveal the affected vendors, which could number more than 50. The lag is due to the responsible disclosure timeline, as the researchers allow time for the issues to be addressed, Wang says.

"The issue we want to emphasize is that email gateway vendors remain vulnerable to SMTP smuggling in their default configuration," Wang tells Dark Reading in an interview. "This vulnerability can have a significant impact, especially if the outbound SMTP server of large email or hosting providers is permitted to send emails on behalf of multiple domains."

While some email gateway vendors include a setting to reject spoofed emails and thus mitigate the issue, enabling this feature may inadvertently block legitimate emails. "Consequently, many large customers continue to use the default, vulnerable setting," he says, creating a wide avenue for attacker abuse.

**Novel Attack Techniques**

The team's research was informed by two previous works from other researchers: a "SpamChannel" talk presented by Marcello Salvati at DefCon 2023, and an innovative SMTP smuggling attack unveiled by Timo Longin in December, Wang says.

The first attack technique involves SPF abuse and is due to the fact that several large email and hosting service providers fail to verify domains properly when sending emails, which violates RFC requirements.

"Their domains often have overly permissive SPF records, enabling attackers to bypass SPF/DMARC security controls and deliver fraudulent emails," Wang explains, adding that the attack has a "high success rate" due to the large number of affected domains and the broad reach of email spoofing.

The second attack pattern abuses DKIM due to improper domain verification when utilizing feedback loop (FBL) features from major mailbox providers, allowing large-scale email spoofing campaigns.

The third attack pattern is one that expands upon Longin's SMTP smuggling attack discovery, and will be revealed in more detail during the Black Hat USA session. Longin discovered that attackers can exploit SMTP on vulnerable servers to send scores of malicious emails with fake sender addresses based on the exploit of existing flaws on messaging servers from Microsoft, GMX, and Cisco.

"Most of the attacks do not directly circumvent SPF, DKIM, and DMARC controls in place, but instead leverage misconfigurations and design decisions made by the affected vendors," Wang says. "The result of these attacks are emails with valid SPF and DKIM records that will pass the DMARC check."

**SMTP Smuggling Detection and Mitigation **

As part of their session, the researchers plan to reveal a method for detecting SMTP smuggling attacks that involves the Message-ID identifier that email servers add when they send someone's email. The method correlates the difference between the Message-IDs added by the outbound and inbound SMTP servers when an attacker attempts to send multiple emails within a short period through a single SMTP connection.

"This difference would serve as a strong indicator of an SMTP smuggling attack, enabling the development of custom detection rules," Wang says. "At the very least, organizations can incorporate this technique as part of their compensating controls for mitigating this type of attack."

Indeed, while the attack patterns discovered can allow email spoofing by bypassing DMARC, DKIM, and SPF security controls, the researchers still highly recommended that organizations enforce these measures for their domains as a foundational security baseline.

"Implementing these controls significantly enhances email security by providing mechanisms for verifying the authenticity of email messages, reducing the risk of phishing and email spoofing attacks," Wang says.

Organizations also should use email-filtering solutions that leverage heuristic and content-based analysis in addition to validating messages through DMARC, DKIM, and SPF security controls for a multilayered approach that helps identify and block potential spoofing and phishing emails more effectively, he says.

Wang adds that enforcing RFC standards for authentication and authorization across all email service providers also "is critical for maintaining the security and reliability of email communications," and preventing various forms of email-based attacks."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading