Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

Source: Ianni Dimitrov Pictures via Alamy Stock Photo

COMMENTARY

In October 2023, the British Library underwent a crippling cyberattack that took down its website, a majority of its online services, including card transitions, reader registrations, and ticket sales, along with access to its digital library catalog. The attack cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year. 

Analyzing the British Library's initial response reveals that it effectively executed a carefully planned response strategy. With its vast store of 170 million items, the national library of Great Britain acknowledged a critical oversight in not having a security team on retainer and readily available, resulting in overreliance on an external team unfamiliar with the environment and scrambling in the eleventh hour. 

Welcoming transparency, the institution issued its report outlining details of the attack and sharing valuable lessons of benefit to other organizations in their cyber preparedness and mitigation efforts. 

**How Did Attackers Breach the British Library?**

While the exact method of entry is unknown due to the extensive damage caused by the attackers, investigators were able to trace unauthorized access at the Terminal Services server, which was installed in 2020 — COVID era — to facilitate remote access for external partners and internal IT administrators. 

Many of these outside parties had privileged access to specific servers and software. It is believed that the root cause behind the attack could have been the compromise of privileged account credentials, possibly via phishing, spear-phishing, or brute-forcing credentials. The library admitted to having an unusually diverse and complex technology estate comprising a stack of legacy tools and infrastructure that led to the severity of the incident. Although the Terminal Services server was protected by a firewall and antivirus software, it lacked standard multifactor authentication (MFA) protection — a gross oversight.

**What Did Hackers Steal?**

Like most ransomware attacks, these adversaries stole sensitive data that could be either monetized on underground marketplaces or used to demand a ransom payment. Threat actors are said to have copied 600GB of files. Attackers used three methods to identify sensitive data: 

*   Network drives were copied from finance, technology, and HR departments. 
    
*   Keyword attacks were launched to scan the network for sensitive words such as "passport" and "confidential." Files were also copied from the personal drives of staff members. 
    
*   Native utilities used to administer networks were hijacked, then used to create backup copies of 22 databases, including contact details of external users and customers.
    

**What Else Is Known About the Attackers?**

The infamous ransomware-as-a-service provider Rhysida claimed responsibility for the attack. This criminal group is also known for its attacks on the Chilean army, as well as attacks on schools, power plants, universities, and government institutions across Europe. Rhysida and its affiliates have an attack methodology that typically involves defense evasion, exfiltration of data for ransom, and destruction of servers to inhibit system recovery. It uses a host of anti-forensics tactics, covering its tracks by deleting log files, making it difficult to trace its activities. Rhysida demanded some 20 bitcoins from the British Library. UK government policy forbids the payment of ransom, so when the library refused to cooperate with the extortionists, the gang released images of employee passports and leaked most of the material to the Dark Web. 

**Takeaway Lessons Learned From the Library Attack**

*   Assess your technical debt: When a decision is made to use hardware and software beyond their supportable or useful life, it can leave gaping holes in the security posture. It is important that organizations know and evaluate this technical debt from a cyber perspective. Remember that recovery times and costs are far greater than building something new from scratch.
    
*   Maintain a holistic view of cyber-risk: Ensure that essential business stakeholders tasked with deciding on whether to accept, mitigate, or transfer cyber-risks have a thorough understanding of these risks. Such comprehension is crucial for effectively allocating resources, prioritizing necessary actions, and determining the order in which they should be conducted.
    
*   Practice good information governance: Contemporary threat actors often target specific assets for seizure. Lacking a solid grasp of your information governance can result in uncertainty regarding the location and significance of your most critical assets, leading to a protracted, arduous, and costly recovery process. That's why it's advisable to run simulation exercises frequently, just to understand where weaknesses reside. By urgently mobilizing needed resources within the first hour, organizations can significantly limit the blast radius.
    
*   Adopt a defense-in-depth approach: A defense-in-depth security approach is a type of layered security that can help curtail the blast radius and limit the damage even when an adversary infiltrates your environment. For example, had the British Library activated MFA on its servers, or had it segregated its network into multiple segments, it would have been in a superior position to detect the attacker’s presence early, limiting their progression to make lateral movements, and preventing data exfiltration.
    

The British Library attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow the above best practices to help protect themselves from sophisticated and destructive cyberattacks.

**About the Author(s)**

CEO, Information Security Forum

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best-practice methodologies, processes, and solutions that meet the business needs of its members. He is a frequent speaker on the board's role in cybersecurity and technology.

Key Takeaways From the British Library Cyberattack

For a while, the botnet spread but did essentially nothing. All the malicious payloads came well after.

Source: Phil Degginger via Alamy Stock Photo

A previously harmless Linux botnet has been updated to include a suite of malicious and exploitative components.

The unimaginatively named "P2PInfect" is a worm that leverages the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like manner, creating a botnet along the way. By the time it was first discovered about a year ago, it had yet to cause anyone any real damage — a fact which it used to stealthy effect, by creating very little ruckus in newly infected networks.

This is not the case anymore. According to Cado Security, an update has been propagated across P2PInfect infections globally which includes a brand new rootkit, cryptominer, and even ransomware.

"Last year we were sitting there, scratching our heads, going: 'Why?,'" Al Carchrie, R&D lead solutions engineer at Cado Security, recalls about seeing the innocuous botnet for the first time. "It wasn't until the last couple of weeks that we saw there had been changes — it seems to have grown arms and legs."

**How PRPInfect Started**

On first impression, researchers observed a few things about P2PInfect that they could explain, and a few they couldn't.

First, the known: P2PInfect targeted misconfigured Redis-integrated servers accessible from the Internet. With such an inroad into a network, the malware took advantage of Redis' leader-follower topology, in which a designated "leader" node handles the primary copy of some data, and spreads exact copies to a network of follower nodes. The program used this mechanism to spread itself between Redis nodes across networks.

This seemed to be a good way to establish command-and-control (C2) and potentially spread second-stage malware. At the time, though, this quasi botnet wasn't being used for much at all.

Researchers did note, though, that the word "miner" popped up in P2PInfect's code — a potential indication of what was to come, perhaps, but nothing more.

"Our best estimate was that they were trying to do an initial spread as a botnet, probably to get a significant mass, so that when their plan came into action, it would then be more effective because they'll have a significant number of hosts," Carchrie says.

That prediction has now come to fruition.

**How P2PInfect Is Going**

P2PInfect has been updated with a usermode rootkit, and its "miner" binary has been activated. In the time since, the malware has leveraged its victims to mine around 71 Monero coins, equivalent to around £10,000.

Interesting, too, is a new ransomware component targeting a variety of file types including .xls, .py, .sql, and more. Though scary in theory, this aspect of P2PInfect seems to have been thought through the least.

For one thing, the ransomware looks for specific file extensions, but Linux does not necessarily require that files have extensions to begin with.

More to the point: Redis doesn't save any data to disk by default—its whole value proposition surrounds storage in-memory. It can be configured to save data to files, but the extension for these files—.rdb—is not among those sought by the ransomware. "With that in mind," Cado wrote, "it's unclear what the ransomware is actually designed to ransom."

**What to Do**

From Carchrie's vantage point, P2PInfect infections appear to be most concentrated in East Asia.

Redis is commonly used in businesses across the globe, though. Its open source version has more than four billion Docker pulls, and nearly 10,000 organizations use its Enterprise product, including British Airways and MGM Resorts.

So, he warns, organizations have to watch that their servers are properly protected from outside threats — only exposed to trusted users, behind firewalls, properly configured, etc.

And while it's not so easy to spot totally dormant malware, now that P2PInfect is revved up, it should be leaving behind plenty of easily detectable artifacts. "The cryptomining is going to drain as much CPU as possible, and the ransomware will go after files on disks, so disk utilization then starts to spike as well. You'll be looking for indications of those," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'P2PInfect' Worm Grows Teeth With Miner, Ransomware &amp; Rootkit

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.

Source: kmls via Shutterstock

At least three cyber-espionage groups have compromised telecommunications operators in multiple countries in the Asia-Pacific region, placing backdoors inside the communications providers' networks, stealing credentials, and using custom malware to gain control and compromise other systems, according to analyses published by two cybersecurity firms in the past week.

Tools from a trio of China-linked groups — Fireant, Neeedleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.

Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime, says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team.

"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," O'Brien says. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."

In April, senior US officials warned that China-linked attackers had begun compromising critical infrastructure as a way to pre-position their offensive cyber operations for future conflicts. Japan and the Philippines created a trilateral alliance for sharing information on cyber threats, especially those from China. The alliance is similar to another trilateral information-sharing agreement between Japan and South Korea.

The attacks come as other Asian nations continue to struggle with increasing cyberattacks. On June 24, Indonesia's government acknowledged that cybercriminals had compromised its National Data Center and demanded an $8 million ransom. Rather than pay, the government is trying to recover, but the attack has disrupted services for more than 200 agencies.

Taiwan is currently dealing with a spate of attacks by a Chinese state-sponsored group, dubbed RedJuliett, which has attacked 24 different government agencies, educational institutions, and technology firms, threat-intelligence firm Recorded Future stated in an analysis published on June 24.

**Cyberattackers Reach Out and Call**

The focus on telecommunications companies is unsurprising: The infrastructure operators are the hub for most traffic on the Internet, making compromising their infrastructure extremely valuable, says Sergey Shykevich, threat intelligence group manager at cybersecurity firm Check Point Software.

"The ultimate jackpot for an attacker with access to telecom networks is the CRM database of telco clients, allowing real-time access to SMS messages, locations, and other sensitive information," he says. "Disruption of telecommunications companies can definitely be devastating for countries and users, as it happened just several month ago in Ukraine. However, in most instances, I believe the primary objective of targeting telecommunication companies is espionage and the valuable data they possess."

In October 2023, Check Point Research released details of an Iran-linked espionage campaign that had primarily targeted government agencies and telecommunications providers.

Another example: Pakistan has become a focus of communications-based attacks, as the quickly digitalization of the country and its geopolitical environment has made it the leading target of reflection-based distributed denial-of-service (DDoS) attacks by a significant margin last year, says Donny Chong, director at Nexusguard, a Singapore-based firm focused on defenses against denial-of-service attacks.

"The risk surrounding telecoms is that if you disrupt telecoms infrastructure, you also disrupt a lot of other critical infrastructure," he says. "There are other sectors, too, which we frequently see targeted by application and multivector attacks — the tech, finance, banking, and insurance sectors in particular have had a hard time with these attacks."

**Multiple Threat Groups**

The attack on the unnamed Asian telecommunications firm included three custom attack tools, executing code in memory to avoid detection, and using legitimate software to load in malicious code — a technique known as sideloading. (Symantec would not name the targeted firms nor the two countries where they were investigating attacks.)

The threat group, or groups, are relatively sophisticated, says Symantec's O'Brien.

"The fact that most of the payloads run in memory means that they can be difficult to detect," he says. "The technique of sideloading using legitimate executables is favored by APT actors, presumably because the legitimate files they leverage are less likely to raise red flags."

The analysis suggested that, while the threat groups could be collaborating with one another — say, different arms of the Chinese government working together — other connections are possible, such as different groups using the same tools or a single group using all three tools.

The connections between actors are often complicated. In 2021, a campaign of espionage attacks — dubbed "Stayin' Alive" — targeted the telecommunications industry and governments of Vietnam, Uzbekistan, and Kazakhstan, using a simple downloader known as CurKeep. The attackers used the same infrastructure as a group known as ToddyCat by cybersecurity firm Kaspersky, which considers the threat actor fairly sophisticated.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China-Linked Cyber-Espionage Teams Target Asian Telecoms

Daily operations at some 15,000 automotive dealers remain impacted as CDK works to restore its dealer management system, following what appears to be a ransomware attack last week.

Source: Jonathan Weiss via Shutterstock

The nationwide impact of a cyberattack on CDK Global last week has focused attention on the need for organizations to have robust contingency plans when they rely heavily on SaaS providers for critical business functions.

The attack disrupted operations at some 15,000 automotive dealers around the country, forcing many to go back to using paper forms and manual processes for their daily operations. In forms filed with the Securities and Exchange Commission (SEC), some companies affected by the attack said CDK had informed them about requiring several days — but likely not weeks — to restore its systems. Companies that notified the SEC about being impacted by the CDK breach included Penske, Group I Automotive, and Lithia Motors.

**Ransomware Attack?**

CDK, which provides a suite of cloud software and services for the automotive retail industry, has not yet publicly disclosed the nature of the attack that crippled its systems. But some media outlets have attributed the attack to an East European ransomware group called BlackSuit. They have described the threat actor as demanding millions of dollars in ransom from CDK to unlock the company's systems.

CDK did not respond immediately to a Dark Reading request seeking an update on the status of the company's systems restoration efforts and whether it had been able to attribute the attack to the BlackSuit ransomware group.

Attacks like these underscore the critical need for organizations to extend their cybersecurity protections to their entire network of vendors and partners, says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance. "For organizations in sectors heavily reliant on a limited number of software vendors or SaaS providers, mitigating exposure and containing disruptions via the software supply chain requires a multifaceted approach," he says. "Firstly, diversifying vendor relationships where possible can distribute risk and reduce dependency on single providers."

**Contingency Planning for SaaS Apps**

Organizations that use SaaS services should implement formal risk management frameworks that include stringent security assessments and contractual obligations for cybersecurity standards, Steinhauer says. Collaborative initiatives within industry sectors to share threat intelligence and best practices can also help strengthen collective defenses against evolving cyber threats, he notes.

Mark Ostrowski, head of engineering at Check Point Software, says the broader takeaway from attacks like this is for organizations to assume their infrastructure is a target wherever the resources — applications, servers, and users — might reside.

It's a good idea to determine the service providers and vendors that are most crucial to your business and identify what their measures are for protecting against an attack, and for mitigating and responding to one, if needed.

Ostrowski advises that organizations keep on top of what's going on in the immediate aftermath of a disruptive cyberattack. For instance, following the attack on CDK, threat actors have been calling customers, apparently with information related to the breach, in what would seem to be phishing attempts.

**The Rush to Repair**

There are lessons in CDK's apparent recovery struggles as well. Soon after the company began recovery efforts last week, it experienced a second attack, right in the midst of its recovery efforts. CDK has not disclosed much about the second attack beyond saying it forced the company to shut down most systems and take them offline.

Pieter Arntz, malware analyst at Malwarebytes, perceives that as an indication of CDK attempting to restore its systems too quickly.

"Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time," Arntz said in an emailed comment. "Restoring systems from, say, a week ago is often not far enough."

The CDK attack also highlights the continued — and growing — exposure that organizations in all sectors face via the software supply chain. According to a study by Data Theorem, 91% of organizations have experienced some kind of security incident tied to their software suppliers and service providers over the past 12 months.

Attacks targeting major players like CDK reveal significant vulnerabilities in critical infrastructure sectors and key industries that rely heavily on software supply chains, Steinhauer says.

"These incidents expose the potential for widespread disruption and economic impact when essential services and operations are compromised," he notes. "They highlight the need for stringent regulatory oversight, enhanced cybersecurity standards, and proactive defense measures to safeguard against targeted attacks on software supply chain leaders."

Strengthening cybersecurity resilience through continuous assessment, response readiness, and collaborative risk management efforts are also critical to mitigating the growing threat landscape posed by sophisticated cyber adversaries, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CDK Attack: Why Contingency Planning Is Critical for SaaS Customers

AppSec is hard for traditional software development, let alone citizen developers. So how did two people resolve 70,000 vulnerabilities in three months?

Source: David Grossman / Alamy Stock Photo

Application security (AppSec) programs are difficult to use and filled with vulnerabilities. Overloaded staff face an inadequate budget. Communication with developers is challenging. These sayings are so true, so ubiquitous, that they've become tropes. This is why meeting a team of two who managed to resolve 70,000 security vulnerabilities in three months made me gasp.

**70,000 Vulnerabilities? Really?**

Actually, they found 80,000, 70,000 of which they were able to fix within 90 days. These numbers do not indicate particularly vulnerable applications. They indicate taking a real look in the mirror, beyond the usual lines drawn in the sand between professional development and citizen development, which we sometimes call shadow IT.

Citizen developers are now embedded in every part of large enterprises. Yes, that includes yours. Last year, Microsoft announced that Power Platform, its popular low-code/no-code platform built into M365, had surpassed 33 million users, growing 50% year over year. These users work for the enterprise — your enterprise. They build critical applications, from finance to risk and customer care. It's a real boost to digital transformation, for the business and by the business (user).

**Citizen Development Security Challenges**

A few aspects of citizen development make building an AppSec program around it particularly challenging:

*   The scale of citizen development is between 10x and 100x that of professional development, whether you measure it in terms of numbers of developers, number of applications, or any other metric.
    
*   The variance of business units can be so big that it is easier to think of some business units as separate entities. Indeed, in a large enough corporation, some business units fall under different laws and regulation and have a different risk appetite.
    
*   Citizen developers, as business users, are not security-savvy. If you try to explain injection attacks to a business user, it would probably not be a fruitful conversation or a good use of anyone's time. Citizen developers should do what they do best: move the business forward.
    
*   Finally, the lack of process can be tricky — citizen development is all about moving fast. You edit right in production, adapt quickly, and move forward.
    

Fortunately, some standards have emerged that document and categorize the security vulnerabilities in low-code/no-code apps built by citizen developers.

**AppSec for Citizen Development**

The good news is that the unique challenges of citizen development force us to think outside of the box. Any manual review or process goes out the window. Blocking business users from developing software is never a real option, even when we pretend it is.

Building a successful AppSec program for citizen developers requires heavy reliance on automation and self-service. We need to design a process, think about the edge cases, and automate it completely. For example, when a developer says they have fixed an issue, can you retest to confirm? Is there a clear route for escalation and asking for exemptions? What happens when service-level agreements (SLAs) aren't met? We have answers to all of these questions for traditional AppSec, relying on the software development life cycle and years of working with developers. Though none of the established processes work as is with citizen development, we can use our learnings from pro developers to design a solution that does.

To build your program, start with the basics:

1.  Inventory. Know what you have, but don't stop there. Ask: Who is the owner for each app?
    
2.  Policy. Clarify your risk appetite. Which applications are outside of your accepted use cases? Which should never have been built?
    
3.  Security assessment and retesting. Know your risk, and have a way to automatically test whether this risk has been mitigated.
    
4.  Self-service. Provide clear documentation. Create a self-service portal where citizen developers can learn about issues and how to fix them, where they can ask for clarification or exemptions.
    
5.  Enforce SLAs. What happens if a vulnerability isn't fixed under an SLA? Take preventive action where possible.
    
6.  Track and report. Ensure you get and maintain executive tailwinds by keeping everything informed on progress.
    

The team I mentioned at the beginning of this article followed all of these points and more. They invested time in designing the process, down to its nooks and crannies. This gave them the confidence to hit "play" on the campaign and drastically reduce the security risk in their environment.

It's an incredible success — two employees, three months, 70,000 vulnerabilities, no business disruption. Those results may be exceptional, but you can achieve incredible results at your business as well.

**About the Author(s)**

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

What Building Application Security Into Shadow IT Looks Like

In an incident with direct parallels to the recent Ticketmaster compromise, an Aussie live events giant says it was breached via a third-party cloud provider, as ShinyHunters takes credit.

Source: Jon Arnold Images Ltd via Alamy Stock Photo

The ShinyHunters cybercrime gang has claimed another victim, this time in Australia. The group recently posted information on a Dark Web forum that it says is for about 30 million users of Ticketek, Down Under's top live events ticketing organization.

Ticketek Entertainment Group (TEG) had already disclosed the breach in late May. According to a statement on its website, it noted that information had been heisted via an unnamed third-party cloud provider, with hackers making off with customer names, dates of birth, and email addresses. No user accounts were compromised, and payment information wasn't caught up in the incident, TEG stressed.

The circumstances are eerily similar to the Ticketmaster breach, which came to light at the beginning of June after ShinyHunters posted information impacting 560 million customers on the BreachForums underground market. That breach was also due to the compromise of a third-party cloud account, which was quickly revealed by researchers to be Snowflake.

Researchers subsequently determined that the Ticketmaster incident was part of a much broader cyber campaign against poorly secured Snowflake accounts that hit as many as 165 organizations, including Advanced Auto Parts and (most likely) Santander Bank. The attackers targeted low-hanging fruit: cloud accounts that lacked multifactor authentication (MFA), using credentials from previous breaches. Some of the passwords hadn't been rotated for three years, according to a recent analysis from Mandiant.

Despite researcher speculation, TEG has not confirmed a Snowflake connection nor ShinyHunters as the culprit for the cyberincident, though a 2022 case study (PDF) names the cloud provider as a technology partner for the ticketing giant. Neither company immediately returned a request for comment from Dark Reading.

**About the Author(s)**

30M Potentially Affected in Tickettek Australia Cloud Breach

The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks as well as the importance of regulatory oversight.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

June 24, 2024

3 Min Read

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

The recent settlement between the US Securities and Exchange Commission (SEC) and Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE), highlights significant issues within the realm of cybersecurity and corporate accountability. Below, we'll dissect the incident, scrutinize the involved parties' actions and responsibilities, and suggest practical measures to prevent future occurrences.

In 2018, a severe cyberattack on a subsidiary of ICE exposed highly sensitive information. The SEC's subsequent investigation revealed that ICE failed to implement adequate cybersecurity measures, compromising its systems. As a result, ICE was required to pay a $10 million settlement. This incident is a stark reminder of the critical need for robust cybersecurity practices, particularly for entities handling such vital financial data.

The primary accountability lies with ICE, which neglected to enforce stringent cybersecurity protocols. The SEC's findings indicate that ICE's subsidiary had multiple vulnerabilities that must be addressed adequately. This lack of preparedness is a significant breach of fiduciary duty to protect sensitive financial information.

The SEC's role in this scenario is crucial but paramount. It is responsible for regulatory oversight and enforcement, ensuring the market's integrity. The commission's proactive investigation and subsequent action against ICE demonstrate its unwavering commitment. However, the $10 million fine, while significant, raises questions about whether it is enough to deter future negligence by major financial institutions.

The primary gap lies in ICE's cybersecurity framework. Despite the known threats to financial institutions, ICE's subsidiary needed to prepare for a cyberattack. This highlights a broader issue within the industry, where cybersecurity is often deprioritized in favor of operational and financial concerns.

**An Inadequate Response**

The response to the cyberattack was inadequate. A well-prepared organization should have an incident response plan with immediate containment, investigation, and remediation steps. ICE's delayed and insufficient response allowed the attackers to exploit vulnerabilities extensively.

While the SEC's enforcement action is justifiable, it also reveals the pressing need for regulatory enhancements. The SEC should consider implementing more stringent guidelines and conducting regular audits to ensure financial institutions adhere to robust cybersecurity practices. This will help prevent similar incidents in the future.

Implementing a comprehensive cybersecurity strategy is necessary and practical for ICE and similar institutions. This includes regular vulnerability assessments, penetration testing, and advanced threat-detection systems. Adopting a zero-trust architecture, a security model that requires strict identity verification for every user and device attempting to access resources on a network, can significantly reduce the risk of unauthorized access, providing a practical and effective solution.

Human error is a critical factor in cybersecurity breaches. Regular employee training and awareness programs can reduce the risk of phishing and other social engineering attacks. Employees should be educated about the latest threats and the importance of following security protocols.

**Have a Clear Response Plan**

Organizations must develop and regularly update their incident response plans. These plans should outline clear steps for detecting, responding to, and recovering from cyberattacks. Regular drills and simulations can ensure that all stakeholders are prepared to act swiftly during a breach.

The SEC should consider implementing more rigorous cybersecurity requirements for financial institutions. Regular audits and compliance checks can ensure that these entities maintain high-security standards. Additionally, increasing penalties for non-compliance can serve as a stronger deterrent.

Financial institutions must unite and share information about threats and vulnerabilities. Establishing industry-wide forums or joining existing ones can help organizations stay informed about the latest cyber threats and best practices for mitigating them. This collaborative approach is not just beneficial but essential in the fight against cyber threats.

The $10 million settlement between the SEC and ICE is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks. While the SEC's actions highlight the importance of regulatory oversight, there is a clear need for enhanced cybersecurity measures, better incident response strategies, and more stringent regulatory requirements. By addressing these gaps, financial institutions can better protect sensitive information and maintain the integrity of the financial markets. 

Ensuring robust cybersecurity is a regulatory requirement and a fundamental aspect of modern business operations that demands continuous attention and improvement. Financial institutions must not establish only strong cybersecurity measures, but also regularly update and enhance them to keep pace with evolving threats.

**About the Author(s)**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

The NYSE's $10M Wake-up Call

After Sept. 29, 2024, organizations and individuals that continue using the vendor's products will no longer receive any updates or support.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

US businesses and consumers using Kaspersky's antivirus software products and services have until Sept. 29 to stop using them, following a Biden Administration ban earlier this week on sales of the company's technologies in the country over national security concerns.

Companies and individuals that continue to use Kaspersky products past that date will be doing so at their own — considerable — risk, because Kaspersky will no longer be able to offer any support or updates for its products after the deadline.

"It's a good time for CISOs along with other C-suite executives and board members to revisit their organizational use of the software and, frankly, to begin preparing for this to be a long-term aspect of government commercial cybersecurity regulation," says Andrew Borene, executive director at threat intelligence firm Flashpoint. "That means immediately evaluating the scope of any Kaspersky deployment, capturing current requirements, and identifying alternatives for delivering on those requirements once the ban takes full effect at the end of September."

**US Concerns About Kaspersky's Moscow Ties**

In a first-of-its-kind move, the US Department of Commerce, on June 20 formally banned Kaspersky from selling its products and services in the US, citing continued use of the company's software as presenting an "undue or unacceptable national security risk."

The Commerce Department's concerns have to do with Kaspersky being a Russian company and therefore apparently being obligated to turn over customer data to the government there, whenever asked for it.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive US information," the Commerce department said.

The ban marks the first time the Commerce Department has used its authority under a Trump Administration 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain (ICT).

As part of its action, the department also "designated" Kaspersky entities in Russia and the UK, meaning that US organizations and individuals are restricted from transacting business with them. In a related announcement, the US Department of Treasury placed similar restrictions on 12 key executives at Kaspersky, but notably not on the company's founder Eugene Kaspersky.

A Kaspersky spokesman described the Department of Commerce decision as likely motivated by the "current geopolitical climate and theoretical concerns rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services." Kaspersky will pursue all available legal options to fight the decision, the spokesman said in an emailed statement. He added, "Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interests and allies."

The US government decision does not impact Kaspersky's ability to continue selling its threat intelligence services or its cybersecurity training programs in the US, the statement noted.

**Death Knell for Kaspersky in the US?**

Even so, the US government's moves this week could effectively mean the end for Kaspersky in the country. In September 2017 the US Department of Homeland Security banned Kaspersky from selling to US federal civilian executive branch agencies over similar national security concerns. Though the company appealed that decision, the Federal Acquisition Regulation Council made it an official and permanent ban in September 2019. With this week's actions, the US government has formally blocked it from selling to US private sector companies and individuals as well.

"The US government has had its eye on Kaspersky for quite a while, so the ban is not particularly surprising," says Eric Parizo, an analyst with Omdia. The 2019 Executive Order bans the use of IT products and services that are owned or directed by a foreign adversary and pose an unacceptable risk to US national security, he says.

This week's US government action does not explicitly prohibit US individuals and organizations from using Kaspersky products after Sept. 29, 2024. But since the vendor cannot provide software updates for existing customers after that date, continued use of the product would represent a clear security risk, Parizo says. "In light of these events, it would be prudent for Kaspersky customers in the US to immediately seek alternatives." What heightens the urgency is the fact that Kaspersky's software products — like all anti-virus tools — have a lot of access to sensitive data on systems on which they are installed, he says.

**Countdown to Kaspersky Sunset**

Adam Maruyama, field CTO at Garrison Technology, recommends that companies which need to replace Kaspersky software make sure to catalog and identify unmanaged corporate devices that may be running the company's software. This includes looking at systems belonging to contractors on the corporate network as well as employees using personal devices at work.

"In the longer term, companies need to be conscious that a 'rip and replace' of antivirus software may not fully remove root-level access points from their systems, as antivirus programs often require root level access that is not easily removed by uninstallers," Maruyama cautions.

Given the concerns that the Commerce Department has raised about data theft and the potential weaponization of Kaspersky software, organizations should closely monitor network security suites and technical behavior of systems where Kaspersky was previously installed, he says.

The focus should be on anomalous behavior such as continued callbacks to Kaspersky or other unidentified servers. "For users with the highest levels of access to high-risk data and administrative privileges, organizations with a critical infrastructure mission may even want to consider replacing devices that previously used Kaspersky antivirus products to guard against residual risk," he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Kaspersky's US Customers Face Tight Deadline Following Govt. Ban

PRESS RELEASE

SAN FRANCISCO, June 20, 2024 /PRNewswire/ -- Abstract Security, crafted by category creators who have consistently redefined the cybersecurity landscape, today announced general availability (GA) of its revolutionary platform designed for the future of security operations. Already in use by customers, Abstract's platform helps security analysts and operations teams navigate the complexities of data pipelines, increase security effectiveness and lower costs.

"Since the inception of Abstract, we've been working tirelessly to combat the challenges of security operations today, offering a tool that focuses on the data that matters and ties security back to business value," said Ryan Clough, co-founder and CPO of Abstract Security. "With the explosion of data over the last few years, customers need a more customizable approach that moves beyond saved searches and dashboards. We're excited to reach this GA milestone as we bring the future security operations platform to more customers."

A key feature of Abstract's platform is the Abstract Security Engineer (ASE), which leverages a combination of AI, expert systems, machine learning, and subject matter expertise and connects to data sources across an organization, delivering instant data and detection capabilities. The security data fabric approach enables:

*   Advanced analytics and correlation: Abstract's platform enables customers to surface threats across their enterprise and cloud infrastructure in real-time. It's powered by out-of-the-box detection content provided by the Abstract research team, which is purpose-built for cloud and SaaS threats.
    
*   Security pipelines: With data routing, transformation and enrichment that is geared for security telemetry, customers can reduce the volume and cost of log data sent to their SIEM. A single point of collection enables drag-and-drop routing of data to any number of sources, including cloud storage, SIEMs, and data platforms.
    
*   Optimized storage: 95% of collected log data is not usable for detection. Abstract's platform intelligently divides hot, warm, and cold storage tiers to automatically optimize storage and compute costs and make the data relevant to security analytics accessible via instant queries.
    

Since emerging from stealth and announcing its Seed funding earlier this year, Abstract Security has expanded its global footprint, hired an experienced technology leader as CTO, and appointed a long-time industry expert to its Board of Directors. To aid in the continued development of the Abstract Security platform, the team has added visionary and innovator Jon Oltsik to its Advisory Board. With over 35 years of technology industry experience, Jon founded the cybersecurity practice at the Enterprise Strategy Group (ESG) in 2003 and has spent the subsequent 20 years studying cyber threats, cyber-risk management, technical defenses, and CISO strategies. Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective. Jon is a founding member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners, and he was named one of the top 100 cybersecurity influencers by Onalytica.

"Defending against cyber-attacks is more difficult today than it's ever been. With the complexity of infrastructure and sheer volume of data that organizations must manage, today's security analytics teams are tired of the status quo," said Jon Oltsik, Advisory Board member of Abstract Security. "Working as an analyst and advisor has given me a unique perspective into the pain points of industry leaders, and that's why I'm so excited about the unique approach that Abstract Security is taking to solve the problems in the SIEM marketplace, and have the opportunity to support and guide the team as they grow."

In the past several months, Abstract has also been recognized by notable industry awards including a Global Infosec Award for "Pioneering Cybersecurity Startup" at RSA Conference 2024, and most recently, a 2024 Cybersecurity Excellence Award in both "Best Cybersecurity Startup" and "SIEM" categories. The team's commitment to crafting an excellent platform for customers, keeping their sights on innovation, and thoughtful leadership won Abstract the award in both categories, beating out more than 600 applicants.

To learn more about Abstract Security's growing team and accomplishments, visit https://www.abstract.security/our-team or watch this Q&A with Jon Oltsik and CEO Colby DeRodeff. To book a demo, please contact \[email protected\].

About Abstract Security  
Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

Co-founders Colby DeRodeff, Ryan Clough, Aaron Shelmire, and Chris Camacho bring a unique set of experiences and backgrounds in product development and company-building expertise, formerly at companies like ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and others. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

Abstract Security Announces General Availability of its AI-Powered Data Streaming Platform for Security

Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.

Source: Mint Images Limited via Alamy Stock Photo

A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called "SneakyChef" has been cooking up new campaigns across more countries.

Based on its lure documents, likely targets for the campaign have included:

*   Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
    
*   The ministries of agriculture and forestry, and fisheries and marine resources in Angola
    
*   The Saudi Arabian embassy in Abu Dhabi
    

Talos has not attributed SneakyChef to any particular government itself. They did note, however, the Chinese language preferences present in its code, its use of SugarGh0st RAT — particularly, though not exclusively popular among Chinese threat actors — and the similar profile of its targets.

**Sneaky Chef's Latest Servings**

Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.

"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos' head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."

Among the goodies SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.

The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)

When it comes to government cyberespionage, "What we commonly see is that this would be the 'first wave.' This actor is not typically highly sophisticated, they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. Then, when they need access to a specific, extra-secured government body. "That's when you start seeing the more sophisticated elements of these attacks play out."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading