Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.

Source: Nick Lylak via Alamy Stock Photo

While legal legwork is already in progress to hold software vendors liable for delivering insecure products, actual laws and penalties are at least a decade away, says one policy expert who'll be speaking at next week's RSA Conference.

Greater accountability for insecure software vendors has the support of the Biden White House. However, licensing and contract protections have shielded companies whose vulnerable products have cost customers millions, according to James Dempsey, senior policy adviser/technology and governance lecturer, Stanford Program on Geopolitics/UC Berkeley Law School.

Dempsey will moderate a detailed discussion of proposed legal frameworks for software liability at this year's RSA, giving vendors a glimpse at the liability landscape. He'll be joined by Nick Leiserson, assistant national cyber director, cyber policy and programs, Office of the National Cyber Director; Bruce Schneier, security technologist, researcher, and lecturer, Harvard Kennedy School; and Chinmayi Sharma, associate professor, Fordham Law School.

"Right now, almost all software developers have language in their licenses or other contracts or terms of service in which they disavow any liability for any flaws in their products," Dempsey explains.

He uses the example of the Microsoft license on his own laptop to illustrate.

"For example, the Microsoft license for the operating system on my laptop says: 'You may not under this limited warranty, under any other part of this agreement, or under any theory, recover any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages,'" Dempsey tells Dark Reading. "The damage exclusions and remedy limitations in this agreement apply even if Microsoft knew or should have known about the possibility of the damages."

That's how vendors have been evading legal liability for their customer's damages, and in some cases, collecting cyber insurance payouts instead.

Progress Software, whose vulnerable MOVEit file transfer software led to the breach of more than 600 organizations and the compromise of the personal information of more than 40 million people, has so far evaded liability for its customer losses. Instead, Progress filed an 8-K form with the Securities and Exchange Commission that outlined the company's intent to collect on its full $15 million cyber-insurance policy coverage.

While there is a class-action consumer rights litigation against Progress Software for negligence and breach of contract, there are no legal protections for its customers, which in other industries could be enforced under an agreed upon legal "standard of care," according to a recent paper, "Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor," published by Dempsey in Lawfare. The paper outlines Dempsey's theory for the right path toward holding vendors legally liable for the cybersecurity of their products.

Okta is another software vendor that has exposed its customers to cyberattacks — and losses. September cyberattacks against Caesars Entertainment and MGM Resorts used Okta as an initial attack vector. Losses related to the cyberattacks at the hospitality giants racked up hundreds of millions in costs; both in lost earnings, as well as ransomware payouts.

By the end of 2023 Okta confirmed that an unauthorized user was able to gain access to data on 100% of its customers.

**Why Strong Software Developer Liability Protections Also Matter**

Holding developers liable for knowingly producing insecure tools requires carefully considered guidelines for what is a reasonable level of cybersecurity to expect from a software vendor in order to determine egregious outliers, Dempsey explained.

"Because there is general agreement that the manufacturers of software should not be made insurers of their products but rather should be liable only when a product is unreasonably secure, getting software liability right turns a lot on defining a standard of care," Dempsey's Lawfare article read.

This standard would include defects analysis already widely used in products liability law, the article added.

Dempsey also advocates a software developer "safe harbor" for hard-to-detect flaws. "For that, I would turn to a set of robust coding practices," Dempsey wrote.

Dempsey tells Dark Reading the Biden Administration realizes legislation will be necessary to achieve its goal of holding insecure software developers liable, which he adds they also understand is a long shot: "They see this as a 10-year issue."

Dempsey will moderate a detailed discussion of proposed legal framework for software liability on Monday, May 6, during RSA in San Francisco at 8:30 a.m. PT, giving vendors a glimpse at the liability landscape to come.

Software Security: Too Little Vendor Accountability, Experts Say

Two years after a warrant went out for his arrest, Aleksanteri Kivimäki finally has been found guilty of thousands of counts of aggravated attempted blackmail, among other charges.

Source: Taina Sohlman via Alamy Stock Photo

Aleksanteri Kivimäki, a Finnish national, has been sentenced to six years and three months in prison, after stealing thousands of patient records from a psychotherapy clinic and using them to blackmail their owners.

A judge in the district court of Länsi-Uusimaa, Finland, sentenced Kivimäki, 26, on April 30 after finding him guilty of 9,231 counts of aggravated dissemination of information infringing on individuals' private lives, and 20,745 counts of aggravated attempted blackmail. He also was found guilty on 20 counts of aggravated blackmail.

Kivimäki, known online as "Zeekill," breached Psychotherapy Center Vastaamo Oy's IT system in November of 2018. It was after this that sensitive information of the clinic's patients started to be posted online. Kivimäki would demand a ransom of €200 ($213) in order not to leak targets' data, upping the payment to €500 ($534) if the ransom wasn't paid in 24 hours. 

Kivimäki ultimately caused such a ruckus that Finland's crime figures reportedly rose drastically, to more than double the average rate.

A warrant for Kivimäki went out in October of 2022, and he was arrested last year in France. 

In his trial, the court found he was the partial owner of a data center that housed the server used to commit the crimes he was charged with. The encryption key and IP address he used were also discovered.

The district court stated: "Kivimäki's guilt was also supported by the fact that he had published messages related to the data breach and extortion on the forum Ylilauda under his pseudonym in a purposeful and fixed temporal connection with the extortion actions."

**About the Author(s)**

Hacker Sentenced After Years of Extorting Psychotherapy Patients

Threat actor dropped in to Dropbox Sign production environment and accessed emails, passwords, and other PII, along with APIs, OAuth, and MFA info.

Source: Lina Images via Shutterstock

Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services.

The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.

Specifically, the actor gained access to a Dropbox Sign automated system configuration tool, compromising a service account used to execute apps and run automated services as part of Sign's back end.

"As such, this account had privileges to take a variety of actions within Sign's production environment," the Dropbox Sign team wrote in the blog post. "The threat actor then used this access to the production environment to access our customer database."

**Customer Credentials Exposed**

Data exposed in the breach includes Dropbox Sign customer information such as emails, usernames, phone numbers, and hashed passwords. Moreover, anyone who received or signed a document through Dropbox Sign but never created an account had their email addresses and names exposed in the breach.

The threat actor also accessed data from the service itself, such as Dropbox Sign's API keys, OAuth tokens, and multifactor authentication (MFA) details, according to the post. This is all data used by third-party partners to connect to the service and offer seamless integration from their respective online services, with OAuth in particular being weaponized by threat actors for cross-platform compromise. Thus, users of other services could indirectly be affected by the breach.

Dropbox found no evidence that threat actors accessed any of the contents of customer accounts, such as documents or agreements signed through the service, nor any customer payment information. Moreover, as Dropbox Sign's infrastructure is largely separate from other Dropbox services, the company found that none of its other entities were affected by the breach.

As soon as Dropbox discovered the breach, the company brought on forensic investigators to get to the bottom of it; that investigation is ongoing. Dropbox also is in the process of reaching out to all users impacted by the incident and will provide step-by-step instructions on how to further protect their data.

**Mitigation Steps**

As an initial mitigation of the effects of the breach, Dropbox's security team reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens for the service. From a user perspective, all Dropbox Sign users will be asked to reset their passwords the next time they log into the service, the company said.

API customers will need to rotate their API keys by generating a new one; instructions for doing this are online. That key will then have to be configured with their individual application, along with deleting the current API key to protect their accounts, according to Dropbox.

"As an additional precaution, we'll be restricting certain functionality of API keys while we coordinate rotation," according to the post. As a result, only signature requests and signing capabilities will continue to be operational until the API key is rotated; only then will the restrictions be removed and the product continue to function as normal.

For customers who use an authenticator app along with Dropbox Sign for MFA, they should reset it by first deleting their existing entry and only then proceed with the reset, the company said. Those who use SMS for MFA don't need to take action.

Further, if someone reused their Dropbox Sign password on any other services, Dropbox recommends that password be changed and MFA be used whenever available.

Dropbox will continue an "extensive review" of the incident to understand exactly what happened, and to protect its customers against similar threats in the future, the company said, adding its willingness to help any customer who was impacted by the breach.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Dropbox Breach Exposes Customer Credentials, Authentication Data

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Ever feel like you need a little distance from the Internet? Come up with a clever cybersecurity-related caption to describe the scene, above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to, well, voice your ideas before the May 29, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Aaron Foechterle, a data security analyst at The Exchange, is our latest recipient of a $25 Amazon gift card. His winning caption for last month's "Defying Gravity" contest is below. And a big thank you to everyone who submitted their ideas.

**About the Author(s)**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Puppet Master

Establishing a robust BYOD security strategy is imperative for organizations aiming to leverage the benefits of a mobile-first workforce while mitigating associated risks.

Nitin Uttreja, Global Director, Cybersecurity Architecture and Engineering, Estee Lauder Companies

May 2, 2024

4 Min Read

Source: Maria Mikhaylichenko via Alamy Stock Photo

COMMENTARY

The landscape of corporate IT is evolving, primarily due to the widespread adoption of software-as-a-service (SaaS), which is blurring the boundaries of traditional network perimeters. This change is promoting the widespread implementation of bring-your-own-device (BYOD) practices, which aligns with the workforce's need for flexible and mobile work options. As a result, personal mobile devices are becoming essential in business operations, allowing employees to integrate their own devices into their daily work activities.

However, the integration of personal devices into corporate systems has introduced significant security issues. IT departments are now faced with the challenge of managing devices they do not control, resulting in limited visibility regarding whether these BYOD devices possess essential security measures such as antivirus software and disk encryption. Without these protections, BYOD devices are open to numerous threats, including malware, which could compromise the devices and the sensitive corporate data they access.

The challenge for cybersecurity lies in reducing risk and nurturing a secure and efficient BYOD ecosystem. The primary solutions to this challenge are mobile device management (MDM) and secure remote access strategies. Let's delve into how these technologies work.

**Primary Solutions to Cybersecurity Challenges  ****1\. Mobile device management**

Mobile device management are software solutions instrumental in securing, managing, and monitoring mobile devices within an organization, offering administrators the ability to dictate security policies, deploy software updates, and maintain compliance across various endpoints. Two strategic approaches under the MDM umbrella include:

**a) Corporate workspace approach**

Through the corporate workspace approach, companies can establish a secure and separate area on an employee's personal device, essentially creating two zones: one for personal use and the other for business purposes, each secured by strict security protocols. Such business zone environments ensure that corporate emails, calendars, and designated apps are accessed within a protected and encrypted space. Security measures, including rigorous password policies and the capability to remotely wipe data, are critical, providing a safeguard in cases of device loss or when an employee leaves the company.

**b) Application containerization**

Application containerization is a strategy that secures corporate apps and data by enclosing them in isolated containers on a user's device, protecting work-related applications from the wider device environment. This approach involves deploying containerized corporate applications that are protected with data encryption and robust authentication protocols, thus securing corporate information, even in the event that the device is compromised.

**2\. Secure remote access solutions**

Secure remote access solutions involve methods that allow employees to connect to and interact with corporate resources through terminal servers, virtual desktops, or streamed applications. This approach keeps sensitive data within the safety of the corporate network. Strengthening these connections with policies that restrict data transfer between the BYOD device and the corporate network, along with implementing multifactor authentication (MFA), can enhance the security of remote access.

**Enhancing BYOD Security**

To further enhance BYOD security, organizations can implement additional controls on personal devices, introducing extra layers of defense. Here are some examples of these controls:

**1. Mandating antivirus protection on BYOD devices**

When utilizing VPNs for secure remote access, organizations can require that BYOD devices have antivirus software installed. The VPN client on the device could be configured to verify the presence of antivirus and that the system is fully patched before allowing a connection to the network.

**2. Network access control**

Network access control (NAC) solutions can be employed by organizations to conduct security checks on BYOD devices as they connect to the corporate network, whether through wired or wireless methods. Comparable to VPN controls, NAC can check for installed antivirus software and up-to-date system patches before permitting network access.

**3. Multifactor authentication**

Multifactor authentication is an essential aspect of a robust BYOD policy. By adding extra verification steps to access corporate resources, such as biometric authentication (like fingerprints or facial recognition) alongside traditional tokens, MFA can enhance security significantly. This method can strengthen defenses against unauthorized access, contributing to a more secure environment for the organization.

**4. Network segmentation**

Companies can implement network segmentation to isolate BYOD devices from critical internal resources, thereby minimizing the potential impact of security breaches.

**Conclusion**

Establishing a robust BYOD security strategy is imperative for organizations aiming to leverage the benefits of a mobile-first workforce while mitigating associated risks. By implementing solutions such as mobile device management and secure remote access, coupled with additional controls like antivirus protection, network access control, multifactor authentication, and network segmentation, companies can create a secure and efficient BYOD ecosystem. These measures can safeguard sensitive corporate data and ensure the integrity of the organization's network infrastructure.

**About the Author(s)**

Global Director, Cybersecurity Architecture and Engineering, Estee Lauder Companies

Nitin Uttreja is an accomplished cybersecurity expert, with more than 15 years of specialized experience in the field.

Currently serving as the Director, Global Cybersecurity, at Estée Lauder, Nitin spearheads the Security Architecture and Engineering team. His responsibilities encompass the critical tasks of evaluating, designing, and deploying cybersecurity solutions. Before this role, Nitin held various pivotal leadership positions, including managing Cybersecurity Incident Response at LA County and overseeing Information Security at Zocdoc.

Safeguarding Your Mobile Workforce

DMARC adoption is more important than ever following Google's and Yahoo's latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.

Source: Tapati Runchumrus via Shutterstock

For cybersecurity professionals in email security and anti-phishing, the beginning of 2024 marked the start of an evolution. 

In January, adoption of the email standard for protecting domains from spoofing by fraudsters — Domain-based Messaging Authentication, Reporting and Conformance, or DMARC — became a necessity as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization. 

Yet three months later, DMARC adoption is already starting to taper off, and many companies have completed only the most minimal configuration of their domains, such as setting DMARC to flag issues rather than quarantine or even reject messages. 

Unfortunately, many organizations remain concerned that DMARC is just another security control that, if done wrong, could break critical email services, says Rahul Powar, CEO of Red Sift, a threat intelligence provider.

"Many organizations are rightly concerned that if they go and they do a DMARC policy and it's not correct, that they could block something that's really material to the business, such as a massive marketing campaign, or that the CEO's email won't land in the right inbox," he says. "There's a concern about getting it wrong."

As of the end of April, about 7.9 million domains have some sort of DMARC record (yellow), but only 32% are BIMI ready (green). Source: BIMIRadar.com

However, DMARC — and the underlying technologies of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — are not difficult to set up for small or midsize businesses that have simple email infrastructure through a third-party service, such as Google Workspace or Microsoft 365. However, if there are older systems or some segmentation using subdomains, the configuration can get complex — fast, says Gerasim Hovhannisyan, co-founder and CEO at service provider EasyDMARC.

"The problem comes when you have legacy systems and multiple sending sources and infrastructure," he says. "Not only enterprises, but the midmarket can have huge problems during email authentication deployment. It's straightforward or easy to do at first glance, but if you do something wrong, totally valid emails will be rejected."

Here is what to keep in mind when setting up DMARC for your organization.

**1\. SPF Alerts Recipients to Emails From Nonapproved Sources**

The first DNS record that an organization needs to set up is SPF, a string that lists the IP addresses and domain names of the mail servers authorized to send email on behalf of the domain. This record is typically set up through your domain provider or email hosting provider. 

A typical SPF record is a DNS TXT record and looks like:

v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:example.com -all

The "v=spf1" designates the string as an SPF record and is required for all SPF records. The "ip4" fields list the IP addresses that are allowed to send email on behalf of the domain and can include network addresses using the slash notation. The "include" tag lists the third-party domains that are authorized to send email for the domain, while the "-all" flag specifies that every other domain is not allowed. Other variants, such as "~all," are possible and specify that mail from other domains are allowed but marked insecure, while "+all" allows any server to send email on behalf of the domain.

While the SPF record is a good first step, spammers could exploit the fact that other organizations using a common third-party server, such as Google's, would be authorized to send email on behalf of every other organization using that server.

**2\. DKIM Uses PKI to Verify Email Messages**

DKIM solves the problem of multiple tenants on the same email server and adds email verification as well. The DKIM selector and key is generated by your email provider and then registered as a TXT record in your DNS service provider. 

A typical DKIM record is a DNS TXT record with a selector — a name — such as "\[third party\].\_domainkey" and a value of:

v=DKIM1; k=rsa; p={public key string}

The "v=DKIM1" designates the TXT string as a DKIM record and is required for all DKIM records. The "k=rsa" designates the type of encryption used for the public-key data, with RSA as the default and other values, such as Edwards-curve Digital Signature Algorithm (EdDSA), allowed as well. The "p=" tag contains the public-key data generated by the email service provider. 

As with any public-key encryption infrastructure, organizations should make sure to regularly rotate the keys for their domain infrastructure, says EasyDMARC's Hovannisyan. 

"We have password management systems or rotating passwords for other \[types of\] keys, but we don't do that with DKIM keys," he says. "This is something that should be in place and each time something can be broken, you need to have alerting."

**3\. DMARC Establishes Policies for Email Recipients**

DMARC uses the already-established controls of SPF and DKIM and specifies an organization's email policy — not for emails coming into the organization, but for emails claiming to be sent on behalf of the organization. Organizations that specify a DMARC record gain two benefits: They can tell a receiving server what to do with an email that fails authentication — such as allow delivery, quarantine the message, or reject it — and they direct the receiving server to generate reports about any messages sent to the domain. 

The result is that an organization using DMARC gains visibility into how its domain name and brand is being used by unauthorized parties. 

A typical DMARC record is a DNS TXT record with a "\_DMARC" and a value that is a string with a number of fields, such as:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:\[email protected\]

In this example, the "v=DMARC1" is the required identifier, the authentication policies for both SPF and DKIM at set to strict — as designated by the "aspf=s" and "adkim=s" tags — and the DMARC reports are sent to an organization-specific email at a third-party provider. In this case, the policy is set to reject, but companies can start with a policy of "none" to gain access to the reporting and move to a policy of "quarantine."

**4\. Check Your DMARC Reports Regularly and Maintain Records**

Establishing a DMARC policy is fairly simple, but using the added information as part of an email-security and brand-protection program requires an alerting mechanism and regular oversight. Often companies will just insert a valid DMARC record in their DNS with a policy of "none" and then forget about the added threat intelligence, Hovannisyan says.

"One of the biggest mistakes with DMARCs is \[a company saying\] that once it's done, I don't need to do anything more," he says. 

Instead, companies should advance through the different policies, starting with "none" but quickly moving to "quarantine" and then finally "strict."

While DMARC can be easy to manage for small companies, large enterprises will likely want to adopt a service to manage the configuration of its email infrastructure and make use of the added capabilities.

"For a small deployment, where you basically just have a Google or an Office 365 on your domain, it's pretty straightforward," says Red Sift's Powar. "I mean, the spec is quite simple, but as soon as you add a little bit of complexity — once you start including a marketing department, an HR department, or maybe a procurement department — you're going to find a lot of senders suddenly start to appear out of your infrastructure."

**5\. Consider BIMI to Increase Trust**

Finally, companies have a fourth standard that can help add more trust to their email messages. The Brand Indicators for Message Identification, or BIMI, standard allows companies to register their logos for use in email clients, but only after they have adopted the maximum level of strictness for their DMARC policies. 

While almost three-quarters of large organizations (73%) have adopted the most basic version of DMARC, the share of those organizations that would pass the most stringent standards vary significantly by nation: In the US, 77% of companies have a strict policy, while only 40% in Germany and 15% in Japan do, according to data from Red Sift. Of all domains, only 3% are considered ready for BIMI, but 32% of the 7.9 million DMARC-enabled domains have strict enough policies to adopt BIMI, according to the BIMIRadar tracking site.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Haven't You Set Up DMARC Yet?

Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.

Source: Robert K Chin Storefronts via Alamy Stock Photo

Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it's more economical and effective to simply use Microsoft's own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers' malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.

Recently, for example, Symantec threat hunters discovered a novel malware they call "BirdyClient," used against an organization in Ukraine. BirdyClient's purpose is to connect to the Graph API in order to upload and download files using OneDrive.

Dark Reading is awaiting comment on this story from Microsoft.

**Hackers Abuse Microsoft Graph**

Long before BirdyClient, there was Bluelight, a second-stage tool for command-and-control via several different Microsoft cloud services. It was first discovered in 2021, having been developed by North Korea's APT37 (aka ScarCruft, Reaper, Group123).

"We see it frequently with cybercrime groups and espionage groups: Somebody hits on a new technique, and everybody copies it," says Dick O'Brien, principal intelligence analyst at Symantec. "This is the case here. They've realized how they can leverage this, and now all of these major players are jumping on board."

After Bluelight came Backdoor.Graphon, used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Then, there was Graphite, spread via spear-phishing attacks against governments in Europe and Asia, and SiestaGraph, which made an appearance in a December 2022 breach of a southeast Asian foreign affairs office.

Last June brought Backdoor.Graphican, used by APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) against foreign affairs ministries in the Americas. A month later, researchers spotted Russia's Cozy Bear (aka APT29, Cloaked Ursa, UAC-0004, Midnight Blizzard/Nobelium) using the same trick in attacks against global diplomatic missions, and Symantec identified a further case from November involving a target in Asia it has yet to disclose.

Despite their myriad differences, all the malware in these cases share the use of Graph API to make C2s out of 365 services, primarily OneDrive.

"From an organization's perspective, you need to start being a lot more aware of people using unsanctioned cloud accounts," O'Brien says. And this doesn't just apply to malicious attacks. For example, "It's quite common to hear people say that they access their personal OneDrive account from a work network. The danger in allowing wholesale access to these cloud platforms is that malware may be less likely to raise red flags," he says.

"Look at ensuring that any connections are to your own tenants — accounts that belong to your enterprise — and lock down everything else."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

A recent campaign targeting Middle Eastern government organizations plays standard detection tools like a fiddle. With cyberattackers getting more creative, defenders must start keeping pace.

Source: incamerastock via Alamy Stock Photo

If a recent wily cyber-espionage campaign against Middle Eastern government entities is any indication, cyber defenders will need to upgrade their malware detection capabilities soon.

Cybersecurity, the trope goes, is a cat-and-mouse game. Companies move to Linux and macOS, so attackers follow them there. Attackers deliver malware in phishing attachments, so Microsoft blocks Internet macros, so attackers adjust. As cybersecurity tooling grows stronger, attackers' methods for circumventing them grow more creative and effective.

So it was that in February, Kaspersky researchers discovered a threat actor spying on a Middle Eastern government organization. By the time Kaspersky reached the attack, at least 30 infections had already been recorded against other organizations, primarily around the Middle East. Despite that, the campaign — dubbed "DuneQuixote" — had managed to remain obscured for at least a year, thanks in large part to a combination of classic and novel stealth techniques.

As experts are quick to point out, cyberattackers across the board have been upgrading their stealth. Perhaps they're once again gaining the edge?

"It's absolutely trivial to create new malware that evades anti-malware detection," says David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure. "Even 'advanced' behavioral analysis is pretty easy to fool with a few tricks. That means there is a huge volume of malware that would need manual analysis to really figure out what is happening. And of course, with all the custom tricks, that makes it really hard to do."

**DuneQuixote and Spanish Poetry**

The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.

One dropper mimics the Total Commander software installer, packaging the legitimate software with its malicious contribution. Once inside a targeted machine, it runs through a series of anti-analysis checks, including, for example, whether any known security software is present on the device. Should any of its checks fail, the malware will return a value of "1," which has a coded meaning. When it comes time to decrypt the attackers' command-and-control (C2) server address, the 1 value will remove the "h" from "https," so that the C2 URL will begin with only "ttps," and no connection will be made at all.

The second DuneQuixote dropper is even more clever. When executed, its first act is to make a series of application programming interface (API) calls which at first appear to serve no actual purpose. Instead they contain strings with snippets from Spanish poems, which have a secret effect. Each instance of the dropper contains different lines of poetry, which earns each instance its own, unique signature. This makes things difficult for simple detection solutions, which rely on common signatures to identify new instances of known malware.

Like the first dropper, this second one also has a method for concealing its infrastructure from analysts. It takes the malicious file name plus a line from a Spanish poem, combines them, and runs them through the MD5 algorithm. The resulting hash acts as a key that decrypts the C2 address.

As for payloads: The two in this campaign are straightforward-enough backdoors that facilitate uploading and downloading files, executing commands, and modifying files. To avoid leaving a footprint, each is written directly into memory.

"Among emerging techniques, fileless malware \[is worrying\]," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "This form of malware significantly reduces the digital footprint and evades traditional antivirus solutions that scan for file-based signatures, complicating post-breach analysis and forensics. It is particularly concerning due to its stealth and effectiveness, making it a likely candidate to become increasingly prevalent."

**How to Thwart Advanced Stealth Tactics**

Besides malware in-memory, "The most notable \[stealth tactics\] I've seen were tricks used in supply chain attacks, where malicious code blended with the legitimate code of comprehensive applications. Tough to identify," says Sergey Lozhkin, principal security researcher with Kaspersky's Global Research and Analysis Team.

As much as any individual tricks, threat actors have mastered how to adapt to their targeted environments — staggering at which points they drop their various tools, under what conditions, and to what ends. "At the highest level, you can't analyze what you don't have. Malware authors use this idea and incrementally download new components, perhaps only when given a specific command by the author. Until those components are downloaded, we don't know what they do," Brumley says.

"Beyond that," he adds, "the problem isn't one single anti-analysis technique; it's the sheer number and ability to mix and match them. They may embed 'weird machines,' where the malware has a custom language interpreter and the malware logic runs on top of it. This is hard to analyze because when you try to analyze it, you see the weird machine, not the malware logic itself. Malware authors may encrypt and pack components of the malware, and only incrementally decrypt them. And some parts of the malware may be encrypted with a key that isn't in the malware itself, but is part of the C2 command. Or they could mix all of the above."

To combat all of the stealth tactics and techniques at attackers' disposal, Guenther and Lozhkin recommend layered security: endpoint detection and response (EDR), behavioral analytics and anomaly detection technologies, and a broader zero-trust approach to system access.

For his part, Brumley is less optimistic. "Throughout the ages people have proposed whitelist-only. This means locking down machines hard, and then making sure they only install approved apps (or apps from approved vendors that are signed). Apple is the most famous for taking this approach, at least on mobile, with their walled garden approach," he says.

"Beyond that, this is a place where the attacker just has an asymmetric advantage," Brumley adds. "That's why most effort isn't put on malware analysis, but good hygiene to try and limit what gets installed."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'DuneQuixote' Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?

The quest to keep data private while still being able to search may soon be within reach, with different companies charting their own paths.

Source: Mick House via Alamy Stock Photo

A truly private Internet search — where databases can be queried while keeping search terms and results private — remains a work-in-progress as companies try to balance speed and security.

Companies developing private search technologies focus on making static data more usable through encryption or secure enclaves, where no data is revealed or leaked in the process of querying, retrieval, and transit. Such a technology would function like traditional search where the search engine cannot read the query or use the search results to serve up ads.

"Private Internet search is a sort of holy grail, in a sense," says Vinod Vaikuntanathan, a professor of computer science at MIT and the chief cryptographer at Duality Technologies, which is building its own secure search technology.

**MongoDB & Queryable Encryption**

Customers want to control their data, and are looking at more secure ways to incorporate tools such as search, which is especially important in regulatory environments, says Kenn White, security principal at MongoDB.

"A lot of European customers are concerned about GDPR. We have got a lot of banks and investment banks that care about compliance, ISO, and PCI, but they really care about risk ... they are really focused on breaches," White says.

The latest version of MongoDB, version 7.0, which was released last year, introduces a secure search technology called queryable encryption, which White says "is enhanced so you can do an exact match."

The previous version of MongoDB, 6.0, had a technology called field encryption, in which critical information such as credit card or Social Security numbers were encrypted. An encrypted search query is sent to the encrypted database, and a secure response is sent back. No logs were maintained or plaintext data exposed, and hackers would not have access to encrypted data.

The newer MongoDB 7.0 has made the secure search capabilities more flexible, which is important for searches for more targeted information, such as anonymized financial data or electronic health records.

"We're now enhancing that so that you can do things like encrypted range searches," White says. "You will be able to do prefix and suffix or any text field that contains a certain word but again, where the database is still completely encrypted. It has no idea what you are asking for."

**Fortanix & Generative AI**

In another approach, Fortanix is introducing secure search offerings for searches via generative AI. Fortanix is protecting the AI query prompts, the context, and the augmented retrieval process where companies may use private and public data built into a large language model, says Richard Searle, vice president of confidential computing at Fortanix.

Private AI search is different from conventional search; it retrieves data from constantly learning systems known as vector databases, which is built on relationships between data. There are many considerations in encrypting and securing data compared to traditional search, which extracts data from static databases.

Fortanix's technology is based on confidential computing, which is a hardware-based secure enclave where data is transported for processing. The technology is based on a zero-trust architecture rooted in the hardware, which only grants permission to access the information to validated applications.

For example, Fortanix is working with providers to validate AI models within a secure enclave. The partners will determine whether that model is safe to deploy before executing or exchanging data with it.

"That's particularly relevant where you are taking an open-source model, maybe from a GitHub repository, and there's the potential that it has embedded malware," Searle says.

Fortanix also has plans for a product featuring confidential data collaborations, in which customers can anonymize data to be deployed in secure enclaves. Third parties can use applications within the secure enclave without accessing underlying information. The data is decrypted in the secure enclave, processed, encrypted, and transported out, which makes exfiltration difficult. The customers control cryptographic keys.

"That can be used by an application that is consuming that data either to train a model, or just a standard SQL search, or maybe some analytics," Searle says. "We provide the orchestration for that workload, using an intuitive templated workflow."

**Duality & Lattice-Based Encryption**

Duality is building its own security layer based on a lattice-based encryption scheme. As Vaikuntanathan explains, the technology involves putting encrypted data in a box, which is then sent to the database owner. The database owner breaks it down into smaller boxes of 1s (which implies a match) and 0s (which means not a match), then uses complex mathematics to repackage the response into an encrypted box, which can then be decrypted by a user.

"If you think about the database as being a bunch of numbers, what I'm doing is actually selecting the right row in the database. Of course, I do not know what I am doing in this whole process — I only had the encrypted query. And when I finish this process, I have a box which contains the result, encrypt it, send it back to you," says Vaikuntanathan.

Duality's box is transported via TLS, but the lattice approach suits search better because it allows for computation on encrypted data. The technology has a performance advantage over the widely used AES, which requires data to be decrypted before running search queries.

**Many Paths, One Destination**

Private search is not just about encryption or data privacy algorithms, though; it is more about how the data is processed and where it is exposed during the computation for search queries, says Alex Matrosov, CEO of Binarly.

The challenge will be to prove that the search is truly private. This proof can be difficult with the complexity of the modern computing stack, which includes CPUs, GPUs, and memory, Matrosov says.

"The question of the private Internet search is complicated because even if you try to guarantee that in theory and prove on the paper, the real implementations will be where all the failures will happen," Matrosov says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Private Internet Search Is Still Finding Its Way

The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.

Source: STANCA SANDA via Alamy Stock Photo

UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined — even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.

UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.

**Poor Security: Stolen Credentials, No MFA**

For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log into Change's Citrix platform, possibly obtained via an initial access broker — and that account wasn't protected with multifactor authentication (MFA).

Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's prepared testimony, released ahead of the hearing. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (it's evident that the company doesn't have processes in place to track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.

"This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack," said Piyush Pandey, CEO at Pathlock, in an emailed statement. "In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches."

**Impact on Data Security for PII, PHI Unclear**

Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question "could cover a substantial proportion of people in America," he said. He did not address whether the data is still at risk.

To put that comment into perspective, "Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors," Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.

The senator added, "Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data."

Wyden also warned that the breach could end up being a clear national security threat.

"I don't think it's a stretch \[that\] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a 'treasure trove' of counterintelligence information for foreign intelligence services," he said.

**UnitedHealth's Next Steps Unknown**

UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape. But it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only "slap on the wrist" enforcement actions. The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board).

Meanwhile, in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards). It is almost certain that there will be additional developments in the saga going forward.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Source

DARKReading