The group gained access to the victim network by duping IT employees with high administrative-access privileges.

Source: Scharfsinn via Alamy Stock Photo

Researchers this week shared details of an attack campaign by the infamous FIN7 threat group that targeted a large US-based global automotive manufacturer.

FIN7, a Russian advanced persistent threat (APT) group, also known as Carbon Spider, ELBRUS, and Sangria Tempest, conducted a spear-phishing campaign in late 2023 that was spotted and ultimately halted by BlackBerry's threat and research team. The attackers identified IT employees with high admin-level rights and lured them in by impersonating an IP scanning tool with a malicious URL. Once the employees opened the link, the threat actor ran its Anunak backdoor, allowing them to "gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas)," BlackBerry researchers said in blog post detailing the attack.

BlackBerry said its threat and research team detected and disrupted the attack before FIN7 was able to launch the ransomware portion of the attack.

In the past, FIN7 has targeted US retail, hospitality, and restaurant sectors, though it is now branching out to defense, insurance, and transportation sectors. BlackBerry researchers believe that the threat group is now likely targeting larger entities, with the assumption that they will pay a higher ransom.

BlackBerry did not disclose the name of the targeted automotive manufacturer.

**About the Author(s)**

Russian APT Group Thwarted in Attack on US Automotive Manufacturer

The missing ingredient in NIST's newest cybersecurity framework? Recovery.

Alex Janas, Field Chief Technology Officer, Commvault

April 18, 2024

5 Min Read

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

As the digital landscape grows more treacherous, companies are finally beginning to treat cybersecurity as a top operational risk. And for enterprises revising their data security strategies, the updated guidance from the National Institute of Standards and Technology (NIST), the US government's key technical standards adviser, is a good starting point. NIST's cybersecurity framework, first released in 2014, has functioned as the leading educational and academic guide. The newest version includes important updates, like the addition of data governance as one of the core pillars. Unfortunately, it falls short in a significant way. It doesn't say nearly enough about the most crucial ingredient of any comprehensive and contemporary cybersecurity plan: the ability to recover from a cyberattack. 

It's important to keep in mind that recovering from an attack is not the same as disaster recovery or business continuity. It's not enough to simply tack the recovery function onto a broader incident response plan. Recovery must be ingrained into the security stack and into your response plans. And even outside a crisis scenario, there must be a continual feedback loop established, where all parts of the cybersecurity function — including recovery — are always sharing information and are a part of the same workflow. 

Given the persistent threat landscape and the growing number of mandatory regulations, such as the EU's Digital Operational Resilience Act (DORA), companies must urgently address the gaps in their cybersecurity preparedness plans.

**Shifting From a Frontline Mentality **

While NIST is a comprehensive framework, the cybersecurity industry (and, by proxy, most companies) put far more attention on the part that focuses on preventing cyberattacks. That's important, but prevention can never be assured and should not be done at the expense of a comprehensive security plan. 

A company that only uses the NIST Cybersecurity Framework will put that company in a position where they are underinvested in responding to current and future cyberattack scenarios. That's a risk no organization can afford to take. You will be breached. In fact, you are breached, you just don't know it yet. This means the restoration platform must be integrated with the security stack to help protect itself and the business environment to ensure the company can get back to business — which is one of the main goals of this work.

Vendors and customers alike must put resources toward returning to a post-attack state: How to get there, and how to test and verify that capability. The secret to a robust recovery is planning. To truly be safe, businesses must take steps now to integrate the technology and people responsible for recovery into the rest of their cybersecurity function. 

Once that happens, although recovery teams can still operate independently, there's a continual feedback loop. So, all the different parts of the security teams can still easily send and receive information to and from the other functions. 

**Test, Test, Test**

While companies often have time frames in mind of how quickly systems must be back online, far fewer have fully considered what it takes to get to that safe state following an attack. 

Testing helps inform how long each step in the identification and remediation of a breach should take, so companies have a benchmark to use when an actual incident occurs. And without adequately testing backup environments, the recovery function becomes much more difficult — and potentially more dangerous. When restoring from an untested backup environment, the company might inadvertently restore implanted malicious code, provide attacker access, or return to a vulnerable state. 

Companies must actively run simulated or real-world drills that test all facets of their cyber resilience to uncover the weak points, including any issues that could impact a company's ability to get their IT systems operational again. 

**Linking the Steps  **

Integrating recovery tools into the larger incident response arsenal can yield valuable intelligence, both in preparing for and responding to an attack. 

These days, modern recovery systems can actively monitor backup repositories and regularly send feeds back to the security teams to detect any abnormal behavior far quicker than in the past — a vital capability as attackers increasingly aim their efforts at the last-mile data centers. And as a cyber-resilient restoration platform becomes integrated into the modern security stack, it must connect with the systems that transform the intelligence from the various systems and services to provide security teams with better context about the events that are happening in their environment as well as better auditing required under the various compliance and regulations around the globe. 

**Aligning the People to the Process **

While many organizations have experts attached to every other process in the NIST framework, few have teams or even individuals dedicated to managing recovery. 

Often, the function falls between the domain of the chief information security officer (CISO) and chief information officers (CIO), which leads to both assuming the other owns it. The overworked security team typically views recovery as tedious — and something that occurs only at the tail end of a chaotic process that should be handled by the IT team. 

Meanwhile, the IT team, unless steeped in security, may not even know what the NIST framework is. Facing a deluge of complaints, their focus is on simply getting the environment back online as quickly as possible, and they may not recognize how perilous an unplanned, hasty recovery can be. 

Taking this seriously involves dedicating resources to oversee recovery, making sure this step doesn't get overlooked in the ongoing planning and testing — let alone in the chaos that often accompanies a breach. 

When given strategic direction from the C-suite, and assigned the right ongoing responsibilities, the recovery individual or team can ensure that the response protocols are regularly tested, as well as serve as the bridge to connecting recovery with the rest of the cybersecurity function.  

**The Most Vital Step**

In this era when every business should assume they are breached, recovery must be recognized as just as important as the other steps in the NIST framework. Or maybe even more important.

Companies that only play cyber defense will eventually lose. They are playing a game where they think the score matters. Defenders can have 1,000 points but will lose to an attacker who scores once. There's simply no way to guarantee victory against an opponent who plays outside the rules and controls when and how the game is played.

Businesses must allocate resources to prepare for cyberattacks. Without a tested response plan to resume operations safely and securely, companies will have no choice but to capitulate to attackers' demands, pay the ransom, and thereby embolden an attacker.

**About the Author(s)**

Field Chief Technology Officer, Commvault

As the Field Chief Technology Officer for Commvault, Alex Janas is responsible for overseeing cybersecurity. He is a distinguished cybersecurity expert with over 20 years of diverse experience, spanning the private sector and the Department of Defense (DOD). 

In his work within the private sector, Alex has excelled in a wide range of security responsibilities; Cyber and Physical Security Penetration Assessments, Incident Response and Forensics, Virtual Chief Information Security Officer (vCISO), Cyber Executive Protection and Technical Surveillance Countermeasures (TSCM).

Alex’s government experience is highlighted by his tenure at the National Security Agency (NSA), where he served for 11 years in the Tailored Access Operations as an Analyst, Operator, and Division Technical Director. Alex is a proud recipient of the Master Operator designation, a prestigious honor bestowed upon a highly select cadre of Computer Network Operations personnel.

Rebalancing NIST: Why 'Recovery' Can't Stand Alone

Industry leaders aim to solve the threat to both the mental health of workers and security of organizations with solutions that recognize the enormous pressures facing cybersecurity professionals.

Source: Roman Samborskyi via Alamy Stock Photo

It's no secret that burnout is an epidemic among cybersecurity professionals that threatens not only the mental health of workers in the field, but also the security of organizations. But how to solve the growing crisis is still something with which the industry is grappling.

Peter Coroneos, founder of Cybermindz, and Kayla Williams, CISO of Devo, have different perspectives on cybersecurity burnout given their distinct roles and perspectives as industry leaders, but together they have a shared vision to find solutions to help break the current cycle of burnout that faces the cybersecurity profession.

Coroneos is founder of Cybermindz, a not-for-profit that offers resilience training for cyber teams, among others; and Williams is chief information security officer (CISO) of Devo, a cloud-native security analytics company.

The two — whose companies already are partners in fighting burnout — will come together at the upcoming RSA Conference to host a session called "Burnout in Cyber: The Intersection of Neuroscience, Gender, and Wellbeing." Their session will present some reasons why cybersecurity burnout has become a vicious cycle, as well as how a combination of empathetic leadership and neuroscience-based training can help break it.

**Security Staff Burnout: A Wake-Up Call**

The "wake-up call" for Coroneos on how serious the burnout problem came when a survey of 200 cybersecurity professionals conducted by Wakefield Research on behalf of Devo released its results last September. The study found that a hefty 83% of those surveyed admit that stress has led them and peers to make errors that have caused data breaches.   

The COVID-19 pandemic-related workplace changes as well as the increased cyberattacks taking advantage of organizations' hasty and often insecure shift to accommodate a remote workforce really threw cybersecurity burnout into high gear, he said.

"COVID brought together a number of factors that have been brewing in the background for a number of years," Coroneos says in a recent interview.

Working remotely, cybersecurity professionals felt even less of a separation between their work and home lives and felt as if they quite literally always took their work home with them. And with cyberattackers exploiting the vulnerable security situation with which many companies were faced at the time, there was even more work for them to do, and thus more pressure than ever, he says.

It was a "perfect storm" of conditions to foster burnout, Coroneos says. "We started to see many more reports of the degradation in the mental health status of cybersecurity teams," he says. "They feel this relentless pressure with no end in sight."

**The Blame Game**

Some of that pressure comes with the often-unfair burden of blame that CISOs and chief security officers (CSOs) in particular shoulder when a data breach or attack goes horribly wrong for a company, says Williams, who in her position as CISO knows all too well.

A key source of stress these executives experience is that they often don't control their budgets and the overall security roadmap at their respective organizations, and thus don't typically get the sufficient funding to execute their vision for a company's security. However, they still will be held accountable if something goes wrong, Williams says.

She cited notable high-profile lawsuits brought against top security executives from Uber and SolarWinds in which they took the brunt of the blame for security incidents at their respective companies as scenarios that are scaring top professionals out of the industry.

"From what I'm seeing and hearing, turnover is incredibly high," Williams says. "Speaking to my peers, they don't want to be CSOs anymore."

Indeed, the Devo survey found that 85% of professionals surveys will leave their role in the next year, while 25% will leave the industry entirely.

The current situation that many security professionals find themselves in is a burnout cycle that keeps those who stay in the profession feeling stressed out and hopeless about their jobs, while creating unprecedented numbers of turnover in a position that already faces job shortages. This circular cycle creates even more burnout for those who stay in cybersecurity roles, Coroneos and Williams say.

**Breaking the Security Fatigue Cycle**

To break this cycle, the two professionals pose a combination of empathetic leadership strategies and a neuroscience-based solution to help retrain people's minds to deal with high levels of stress.

As a CISO herself, Williams says she knows how important it is to communicate effectively with people in various cybersecurity roles within the organization to ensure that their individual needs both professionally and emotionally are being met. This is especially true as a new generation of cyber professionals with different emotional needs is entering the workforce, she says.

"As a people leader, it is my responsibility to ensure that I am communicating to my teams in a way that resonates with them," Williams says. It's important for leaders to take time to understand the needs of individuals on a team and to check in with them as they would with family or friends to ensure they are not feeling overwhelmed by stress or the demands of their responsibilities, she says.

Meanwhile, Cybermindz is taking a page out of the playbook of international armed forces with a training solution called Integrative Restoration (iRest) that has been implemented by the US and Australian military since 2006 and 2016, respectively.

iRest — the result of more than 40 years of observation, research and development by clinical psychologist Richard Miller and his team at an institute of the same name California — is an attention-training technique to help the brain's limbic system return to a restful state after an intense period of high stress.

The problem for cybersecurity pros is that they often get stuck in a constant state of psychological fight-or-flight response pattern due to the constant stress cycle of their jobs, Coroneos explains. iRest is a training that helps them switch out of this cycle to bring them to a deeper state of relaxation to reset that fight-or-flight response. This will help the brain switch off, so it is not constantly creating stress not only in the workplace but throughout their everyday lives, thus creating burnout, he says.

"We need to get them into a position where they can come into a proper relationship into their subconscious," Coroneos says, adding that so far cybersecurity professionals who have experienced the training — which Cybermindz is currently piloting— report they are sleeping better and making clearer decisions after only a few sessions of the program.

Indeed, while burnout remains a serious problem, the message Coroneos and Williams ultimately want to convey is one of hope that there are solutions to solve the burnout problem currently facing cybersecurity professionals, and that the enormous pressures these dedicated professionals face is not being overlooked.

"We want to show them that their mental health need not be the price of their career," Coroneos says.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Break Security Burnout: Combining Leadership With Neuroscience

Two new code-execution techniques, Poison Fiber and Phantom Thread, take advantage of a little-known Windows OS workhorse to sneak shellcode and other malware onto victim machines.

Source: Robert K. Chin via Alamy Stock Photo

BLACK HAT ASIA – Singapore – Windows fibers, little-known components of Windows OS, represent a largely undocumented code-execution pathway that exists exclusively in user mode — and is therefore largely overlooked by endpoint detection and response (EDR) platforms. As such, it's possible for attackers to exploit them to stealthily land on PCs and deploy malicious payloads.

That's according to Daniel Jary, an independent security researcher, who laid out two new proof-of-concept (PoC) attacks using fibers in a session at Black Hat Asia on Thursday.

Fibers are an alternative to the standard "threads" that Windows uses to execute code from the OS or an application, he explains.

"Threads are like workers, essentially, within a Windows process or an application, and traditionally, they've always been the way that you'd execute code and get things done," he tells Dark Reading. "But there's a more niche way of doing it, through fibers."

**Fibers: A Forgotten & Overlooked Windows OS Pathway**

Fibers, when used, exist within threads — they're essentially smaller, more lightweight versions of the bigger thread concept. Fibers were initially developed at a time when CPUs had fewer cores available to them and could accommodate only so many threads. At a high level, the smaller were a way to expand capacity, by allowing developers to split up workloads within a single thread and make processes more efficient.

"But as computers became more powerful, with more memory to play with, fibers became somewhat redundant in the vast majority of scenarios," Jary explains. "That's why a lot of people really haven't heard about them and they're a bit obscure, but they do serve a few purposes for some old legacy applications and a way to port programs from other operating systems over to Windows. And some Windows processes themselves actually still use fibers."

Thus, fibers enjoy the dubious honor of being both a core Windows function and an overlooked one by security teams. To boot, Jary notes that traditional detection mechanisms in EDR platforms and antivirus engines tend to ignore them — making them a perfect stealth avenue to execute malicious code.

"Threads are heavily monitored by EDR agents, which look at syscalls and kernel mode callbacks to capture telemetry and send it to a rules engine to generate detection," Jary says. "But fibers exist purely in user mode and don't show up in kernel collection, so their telemetry is not actually getting recorded by EDRs."

Some open source techniques already exist to take advantage of fibers' under-the-radar status. A PoC from 2022, for instance, details a method for hiding malicious shellcode inside a fiber, thus evading the majority of AV engines.  

Others have created methods for callstack masking, which enables attackers to hide a malicious execution pathway within a thread — in this case, a fiber — behind a different, dormant fiber that's benign, also evading detection. The technique takes advantage of the fact that if fibers are in use, there's always an active fiber, then a dormant fiber that it switches off with. This masking capability that was added into Cobalt Strike's Artefact Kit in 2022.

**New Frontiers in Malicious Fiber Execution**

Jary set off to explore whether it's possible to improve on existing malicious fiber techniques, and came up with two new PoCs, dubbed Phantom Thread and Poison Fiber.

Existing adversarial fiber methods have certain disadvantages for attackers: Some indicators could still be used for EDR detection, and the maliciousness isn't hidden from inline event-based callstack collection. Any collection of dormant fibers, for which several techniques exist, would remove callstack masking.

Phantom Thread is a next-gen callstack masking approach that removes the ability of memory scans to target fibers by having those fibers masquerade as threads. This involves creating a fiber, then patching it so that it self-identifies as a thread. Then it becomes possible to remove any fiber callstack indicators and essentially hide the fibers from any scanning altogether.

The second PoC, Poison Fiber, enumerates any running Windows processes, looking at threads in use and then whether any of those threads are using fibers. Then "it presents you with an opportunity to inject your payload or your shellcode into a dormant fiber," Jary explains.

"You can only one run one fiber per thread at any one time, which means you always have another dormant fiber parked somewhere else on the stack," he says. "When we execute our code using Poison Fiber, this injects our code into a dormant fiber, so we don't have to suspend the thread in order to inject the shellcode, which is a huge indicator for malicious activity. And because we've injected the payload into a dormant fiber, then the application triggers the execution for us, and we don't initiate the execution ourselves." The technique has an added benefit of allowing remote code execution (RCE) as well.

**Wake Up to Fiber's Adversarial Potential**

While they remain somewhat obscure, fibers should be on security teams' list of attack vectors, warns Jary, who has not yet released his evolved PoCs or granular details on the methods publicly. He reasons that it's only a matter of time before others find ways of overcoming drawbacks in existing open source fiber execution methods.  

"Fiber's alternate execution method is valuable to attackers because it helps us sidestep traditional telemetry sources that we get with threads, in particular kernel callbacks," he says. "Fibers aren't a privilege escalation tactic, and they aren't a user access control (UAC) bypass. But it does allow a payload delivery that gets a lot less spotlight and attention from the security community. Fibers are really simple to implement, but they're harder to detect. So that makes them perfect for any script kiddie to use to attack businesses."

Jary advises implementing mature EDR products that can be continually tested against emerging techniques like these.

"Talk to your red teamers about open source fiber methods that are being used in the wild," he says. "Do some research to see what attackers are having joy with, what's popular in the wild, then feed that back into your research team and your EDR product developers. That's going to help build better defenses and probably make your threat hunters' lives a little bit easier as well."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Sneaky Shellcode: Windows Fibers Offer EDR-Proof Code Execution

A survey of cybercrime experts assessing the top cybercrime-producing nations results in some expected leaders — Russia, Ukraine, and China — but also some surprises.

Source: Wavebreakmedia Ltd IFE-221116 via Alamy Stock Photo

An academic research project to gain insight into which nations produce the most cybercrime has ranked the usual suspects of Russia, Ukraine, China, and the United States at the very top but also found some relative surprises with Nigeria at No. 5, Romania at No. 6, and Brazil at No. 9.

Nations with high technology levels typically scored fairly high on the World Cybercrime Index (WCI), especially if those countries also have state-sponsored threat actors that overlap with cybercriminal groups. Yet other nations dominated in one of the five areas, such as Nigeria taking the top score for scams and Romania scoring highly in data and identity theft, according to the university research effort by academic institutions in the United Kingdom, Australia, and France.

While cybersecurity experts have long associated different countries with different types of cybercrime — Russia with banking and ransomware and China with intellectual-property theft and financial crimes, for example — this is the first time that researchers have been able to compare various countries based on specific attributes and cybercriminal approaches, says Miranda Bruce, a postdoctoral fellow in sociology at the University of Oxford.

"If you look closely at these five indices, you'll get more insight into the character of each country as a cybercrime hotspot," she says. "Nigeria is No. 1 in the Scams index, but comes between 5th and 10th in the other four cybercrime types. Clearly they're a significant producer of all types of cybercrime, but it's also clear that, as a country, they specialize."

The researchers collected survey data from 92 cybercrime experts, asking them to pick the top five cybercrime-producing nations in five different categories of crime: technical products and services; attacks and extortion; data and identity theft; scams; and cashing out or money laundering. For each nation, participants were asked to rate the nation on the impact of the crimes, the actors' professionalism, and their technical skill.

The top 15 nations as ranked by their overall World Cybercrime Index. Source: PLOS One

In all, the cybercrime experts nominated 97 different countries, according to a paper the group published in the journal PLOS One.

The WCI scores may not, however, discern between true cybercriminals residing in a nation and those mercenary groups that also conduct operations on behalf of their state sponsors, says Sean McNee, vice president of research and data at DomainTools, a domain security services firm.

"When evaluating cybercrime groups in locales such as Russia, China, Iran, or North Korea, it is always challenging to determine if groups are operating purely on their own accord or operating on behalf of a nation-state sponsor," McNee says. "This makes cybercrime actors in other countries more interesting to look into, such as Nigeria, India, and Brazil."

**Low Technical Score, High Threat**

Nigeria's top marks in the scams category — in which the researchers lumped together advance-fee fraud, business email compromise, and online auction fraud — underscore that a highly developed cybercrime ecosystem does not necessarily require significant depth of technical skills and infrastructure. While Nigeria has prioritized its cybersecurity capabilities, the country remains a bastion for email fraud, as demonstrated by the case of a Nigerian-based group conducting romance scams with a US-based national, who was sentenced earlier this year.

Romania, which ranked No. 6 on the list, has a long history of hosting a cybercriminal ecosystem, so its ranking is a bit of a surprise, says Chester Wisniewski, director and field CTO at cybersecurity firm Sophos.

"Romania has always had elevated cybercrime activity ... likely due to its well-educated population and proximity and relationships with neighboring cybercrime states like Ukraine, Russia, and Moldova," he says. "Romania has been cooperative with cybercrime takedowns, but I am not sure they are very proactive in nature."

The researchers plan to investigate how the World Cybercrime Index correlates with other characteristics of each nation — such as gross domestic product (GDP), income inequality, Internet penetration, and corruption — and how cybercrime policies can impact their scores, the University of Oxford's Bruce says.

"There's still much to learn about how and why countries like Russia, China, and the USA have become major cybercrime hotspots, but the countries that appear lower in the Index will tell us more about the nuances of cyber criminality," she says. "That is, the specific combination of factors that enable a region to become a thriving economic hub of cybercriminal activity. It's important that we pay attention to these countries and regions in the coming years."

**Room for Improvement**

Unfortunately, the data gives little actionable information to defenders, although it could be useful to policymakers and diplomats interested in influencing countries and gaining cooperation, says Sophos' Wisniewski.

"If these stats are accurate, only the countries listed are in a position to address the problem of them being a source country for cybercrime," he says. "Many of those listed might not only be uninterested in reducing their rank, but they may also be proud of it."

The researchers conducted the survey in 2021, so unfortunately, that means that the rankings have aged, and do not include major changes to the cyberthreat landscape, such as Russia's invasion of Ukraine, the most recent rise in romance scams, and an increase in cryptocurrency scams from North Korea, says DomainTools' McNee.

"This suggests that encouraging policies to promote technology sectors in these countries — turn cybercriminals to entrepreneurs — could have a net positive impact on the economy," he says. "It may be more beneficial to track these trends in countries further down the WCI to help encourage such policies before a notable cybercrime industry takes hold."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria &amp; Romania Ranked Among Top Cybercrime Havens

Permiso Security announced Cloud Console Cartographer during Black Hat Asia to help defenders look inside Amazon Web Services events logs for signs of cyberattacks.

Source: Pop Tika via Shutterstock

When investigating a potential attack on cloud services, Daniel Bohannon frequently has to contend with the verbose logging of Amazon Web Services (AWS), a problem that can allow an attacker to hide in an avalanche of data.

While AWS typically produces only a single event for every programmatic API call, accessing the management console through the Web leads to an exponential increase in events, says Bohannon, a principal threat researcher with cloud identity service provider Permiso Security. In one session, for example, 81 clicks on users, workloads, and roles resulted in 5,370 events recorded in the AWS log file.

The sheer volume of events results in so much noise that it becomes hard to determine what a user is actually doing in the AWS console, the threat researcher says. For that reason, Bohannon and fellow threat researcher Andi Ahmeti plan to release an open source tool at the Black Hat Asia conference in Singapore to help security managers and incident responder consolidate cloud log events into a record of user actions.

"The idea is that you input your raw logs — and we \[show\] 100% of those raw logs — but then we enrich the data on top of that, which ... contains all the information about the events that led to those events," he says. "We all have that full signal information, which ... contains the summary, the labels, all that kind of stuff."

Historically, the volume of data in log files have made it difficult to determine the events that led up to a compromise. Sometimes the problem is that the cloud service does not log enough events to determine what happens, such as last year's criticism that Google Cloud Platform (GCP) fails to log adequate data when a user accesses a storage instance.

In other cases, the specific ways that cloud services communicate information to their customers can result in a lack of visibility, especially with the differences that companies face with multicloud use. More than half of companies have open ports undermining their security and take some two months to close the vulnerabilities. 

**AWS Produces Avalanche of Events**

For businesses using AWS, the number of events produced in a log while using the Web console can be significant. Just clicking on a list of users produces 18 events for only three identities, and that's a mild case of AWS's verbosity, says Bohannon. A user who clicks in the AWS console to view the users in the identity and access management (IAM) console will see more than 300 events produced in the logs for CloudTrail, Amazon's auditing capability.

"That number can actually get as high as 100, 300, or even 700 events, depending on the settings you have in your Web browser — all just for one click," he says. "So at a core level, every single action you take produces at least one event, but often it's dozens or sometimes even hundreds of additional events associated with it."

The researchers' open source tool, Cloud Console Cartographer, aims to turn the list of events captured by CloudTrail into a succinct timeline of actions taken by the user. The program adds comments to the cloud log that categorizes a series of captured events into signals — actual user actions.

"We want to show all of our mapping to remove as much noise as we can but still keep all the raw events," Bohannon says. "So anything that's unmapped is great, it's still evidence, and defenders can make the most sense of it."

**No Plans for Other Clouds**

Cloud Console Cartographer, which will be available on GitHub, produces an enriched log of events and has a Web interface that lists the signals in a table. Currently, 240-plus rules for classifying collections of events into user actions — that is, signals — have been created that will be used to enrich log files.

The two threat researchers intend to keep working on expanding the number of classifiers and hope that others will do the same.

Bohannon and Ahmeti may move on to developing the tool for other cloud platforms, but because different cloud providers have different ways of logging, what works for AWS will not work for Microsoft Azure or Google Cloud Platform, they say. AWS is verbose, but Azure is the opposite — its logs are so terse as to be unhelpful, Bohannon says.

"I feel like every platform, every cloud platform has unique challenges that will have to be addressed in different ways," he says. "So we might find in the future that we can integrate other cloud platforms into this, but \[for now\] we at least have plans for additional GUIs related to AWS that we are going to be working on after the initial release."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Tool Looks for Signals in Noisy AWS Cloud Logs

Caller ID spoofing and AI voice deepfakes are supercharging phone scams. Fortunately, we have tools that help organizations and people protect themselves against the devious combination.

Source: Ian Allenden via Alamy Stock Photo

COMMENTARY  
Three seconds of audio is all it takes to clone a voice. Vishing, or voice fraud, has rapidly become a problem many of us know only too well, impacting 15% of the population. Over three-quarters of victims end up losing money, making this the most lucrative type of imposter scam on a per-person basis, according to the US Federal Trade Commission (FTC).

When caller ID spoofing is combined with AI-based deepfake technology, fraudsters can, at very little cost and huge scale, disguise their real numbers and locations and highly convincingly impersonate trusted organizations, such as a bank or local council, or even friends and family.

While artificial intelligence (AI) is presenting all manner of new threats, the ability to falsify caller IDs is still the primary point of entry for sophisticated fraud. This has also posed serious challenges for authenticating genuine calls. Let's delve into the criminal world of caller ID spoofing.

**What's Behind the Rise in Voice Fraud?**

The democratization of spoofing technology, such as spoofing apps, has made it easier for malicious actors to impersonate legitimate caller IDs, leading to an increase in fraudulent activities conducted via voice calls. One journalist, who said she's known for her rational and meticulous nature, fell victim to a sophisticated scam that exploited her fear and concern for her family's safety. Initially contacted through a spoof call that appeared to be from Amazon, she was transferred to someone posing as an FTC investigator, who convincingly presented her with a fabricated story involving identity theft, money laundering, and threats to her safety.

These stories are becoming increasingly common. Individuals are primed to be skeptical of a withheld, international, or unknown number, but if they see the name of a legitimate company flash up on their phones, they are more likely to answer the call in an accommodating manner.

In addition to spoofing, we are also seeing a rise in AI-generated audio deepfakes. Last year in Canada, criminals scammed senior citizens out of more than $200,000 by using AI to mimic the voices of loved ones in trouble. A mother in the US state of Arizona also received a desperate call from her 15-year-old daughter claiming she'd been kidnapped; the call turned out to be AI-generated. When combined with caller ID spoofing, these deepfakes would be almost impossible for the average person to catch.

As generative AI and AI-based tools become more accessible, this kind of fraud is becoming more common. Cybercriminals don't necessarily need to make direct contact to replicate a voice because over half of people willingly share their voice in some form at least once a week on social media, according to McAfee. Nor do they need exceptional digital skills, since apps do the hard work of cloning the voice based on a short audio clip, as highlighted recently by high-profile deepfakes of US President Joe Biden and singer Taylor Swift.

Entire organizations can fall prey to voice fraud, not just individuals. All it takes is one threat actor to convince one employee to share some seemingly insignificant detail about their business over the phone, which is then used to join the dots and enable a cybercriminal to gain access to sensitive data. It's a particularly worrisome trend in industries where voice communication is a key component of customer interaction, such as banking, healthcare, and government services. Many businesses rely on voice calls for verifying identities and authorizing transactions. As such, they are particularly vulnerable to AI-generated voice fraud.

**What We Can Do About It**

Regulators, industry bodies, and businesses increasingly recognize the need for collective action against voice fraud. This could include intelligence to better understand scam patterns across regions and industries, the development of industrywide standards to improve voice call security, and tighter regulations governing reporting for network operators.

Regulators around the world are now tightening the rules around AI-based voice fraud. For instance, the US Federal Communications Commission (FCC) has made it illegal for robocalls to use either AI-generated or prerecorded voices. In Finland, the government has imposed new obligations on telecommunications operators to guard against caller ID spoofing and the transfer of scam calls to recipients. The EU is investigating similar measures, primarily driven by banks and other financial institutions that want to keep their customers safe. In all instances, efforts are underway to close the door on caller ID spoofing and smishing (fake text messages), which often serve as the entry point for more sophisticated, AI-based tactics.

Many promising detection tools in development could, in theory, drastically reduce voice fraud. They include voice biometrics, deepfake detectors, AI anomaly detection analysis, blockchain, signaling firewalls, and so on. However, cybercriminals are adept at outpacing and outwitting technological leaps, so only time will tell what will work best.

For businesses of all sizes and sectors, cybersecurity capabilities will become increasingly important for telecom services. Aside from the communications network level, businesses should establish clear policies and processes, such as multifactor authentication that uses a variety of verification methods.

Companies should also raise awareness of the most common fraud tactics. Regular training for employees should focus on recognizing and responding to scams, while customers should be encouraged to report suspicious calls.

On a consumer level, the UK's communications regulator, Ofcom, revealed that more than 41 million people were targeted by suspicious calls or texts over a three-month period in 2022. In other words, although brands and governments have been reiterating the message that legitimate businesses will never ask for money or sensitive information over the phone, continued vigilance is necessary.

The easy availability of cloning tools and spiraling crime levels have experts like the Electronic Frontier Foundation suggesting that people should agree on a family password to combat AI-based fraud attempts. It's a surprisingly low-fi solution to a high-tech challenge.

**About the Author(s)**

Senior Industry Analyst, Enea

Laura Wilber is a Senior Industry Analyst at Enea. She supports cross-functional and cross-portfolio teams with technology and market analysis, product marketing, product strategy, and corporate development. She is also an ESG Advisor & Committee Member. Her expertise includes cybersecurity and networking in enterprise, telecom, and industrial markets, and she loves helping customers meet today's challenges while musing about what the next ten years will bring.

Countering Voice Fraud in the Age of AI

Modern networks teem with machine accounts tasked with simple automated tasks yet given too many privileges and left unmonitored. Resolve that situation and you close an attack vector.

Source: Westend61 GmbH via Alamy Stock Photo

COMMENTARY  
Over my 32 years in cybersecurity, one painful constant has been managing the risks associated with network service accounts.

Service accounts are supposed to be machine-to-machine accounts that perform repetitive and automated scheduled tasks without human interaction. Common examples of service accounts include running applications on operating systems, databases, automated backups, and network maintenance. They should have extremely limited access rights, disallow human interaction, and only perform their intended function.

Rare is the management model that addresses service account concerns adequately from a security perspective. Best practices reduce the ability of threat actors to use such accounts to move laterally within the enterprise, undetected by our monitoring systems.

**Trouble Points of Service Accounts**

Every organization has service accounts. Every organization would also like to have fewer accounts and better monitoring and control for the accounts they must have. Threat actors understand the security risks of service accounts and take advantage of:

*   Lack of visibility. Service accounts can have complex dependencies in processes, applications, database structures, and programmatic systems. These accounts can be exceedingly difficult, if not impossible, to monitor and properly secure.
    
*   Difficulty in monitoring. Since service accounts are not typically associated with a specific person, monitoring the logs can cause confusion and complicate incident investigations. This can result in networks being exposed to threat actor actions and lateral movements, while the malicious actors remain completely undetected as they move around in the network.
    
*   Complicated nature of evictions. If threat actors breach your network and you need to evict them, every single password must be changed over a brief period, some more than once. This is when service accounts can really become burdensome and complicated. To commit to an eviction, you must change every single service account password. If you do not have a good inventory and understand the functionality of all service accounts, you should not attempt an eviction. In such a case, the few service accounts you could not change will probably be used by the threat actors.
    

**Common Gaps in Knowledge**

Many times during an incident response engagement, I have seen the following tendencies among organizations with regard to service accounts:

*   No one knows how many service accounts exists or how they are used.
    
*   The passwords have not been changed in years, and no one knows how to change the password — or what will break if they do.
    
*   No one knows why a service account exists or who owns the account.
    
*   The organization doesn't have a process for monitoring and securing the service accounts.
    

This is why it makes sense that threat actors gravitate toward service accounts. Often, these accounts have unnecessary rights and access.

**Developing a Comprehensive Strategy**

Understanding the problem is just the first part of developing a comprehensive strategy. Let us now identify the steps to solving security issues concerning service accounts.

*   Inventory all the service accounts. This can be done programmatically, using PowerShell or Active Directory tools.
    
*   Once you have a good inventory, assign an owner to each service account. This brings human insight and accountability. You may find that some service accounts are no longer needed.
    
*   Determine the purpose of all service accounts. How is the account used, and what does it do?
    
*   Document this information very carefully.
    

Finally, now you can formalize your service account program in a way that brings more security and oversight. You could choose to add your service accounts into a privileged access management (PAM) system, which would be ideal. However, remember this can be a long and tedious endeavor. While it is worth the effort, do not think it is not going to require lots of time and effort.

Next, whether or not you used PAM, develop a formalized audit reconciliation program around the use of each service account. This will heavily depend on the service account owners. An organization should require every owner to attest to the continued need for the service account periodically — I did this every six months — and accept the risk associated with the account's continued use. When the account owner accepts the risks associated with the service account, they change the password for the account.

Ideally, you can automate this process by using software platforms designed to manage risks and assist organizations in governance, risk, and compliance (GRC) issues. In such a system, if the automated workflow does not get processed correctly, the service account will be automatically disabled. If the service then remains disabled for a set period, it will automatically be deleted. This brings accountability to the management of service accounts.

This comprehensive strategy will reduce risks around the usage of service accounts. The most important thing is that the strategy ensures all service accounts are documented and holds a specific person accountable for their continued usage. This accountability, along with routine password changes, will dramatically reduce risks and help reconcile this important and often overlooked security weakness.

**About the Author(s)**

Principal Consultant, Secureworks Incident Response Team

Patrick B Barnett is Principal Consultant within the Secureworks Incident Response Team. With more than 26 years of experience in IT and information security, Pat architects and implements custom cybersecurity solutions for networks across the globe and has managed over 1,000 cyber incident responses over the last 25 years. Pat is passionate about seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to any size event. Pat has a Master of Science degree in Computer Engineering and Business Administration and several post-graduate cybersecurity certificates from MIT and Stanford University. Pat holds the following certifications: CISSP, HISSP, PCI QSA, PCPIP, CISM, CEH, and CISA. Professional affiliations include ISSA, EC-Council, ISC2, and PCI DSS.

For Service Accounts, Accountability Is Key to Security

PRESS RELEASE

CAMBRIDGE, April 17, 2024 - Redgate, the end-to-end Database DevOps provider, has launched an enterprise version of its popular database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.

Redgate Monitor Enterprise offers the most comprehensive and advanced capabilities for monitoring large, complex estates, optimizing performance, and ensuring security, compliance and high availability with a single, all-in-one tool.

“In delivering extended monitoring capabilities, Redgate Monitor Enterprise addresses the needs of large organizations, delivering on multiple challenges for those managing multi-platform database estates and allowing people to do far more, far faster,” said David Gummer, Chief Product Officer at Redgate. “Managing security and compliance can be an extremely manual task, often requiring additional tooling and absorbing significant time and resources. With the easy-to-use web-based dashboard built into Redgate Monitor Enterprise, IT leaders benefit from instant visibility into access rights and can significantly improve the efficiency of compliance auditing.”

Redgate Monitor launched as SQL Monitor in 2008 and has grown to become a favored database monitoring tool, offering instant problem diagnosis, customizable alerting, seamless scaling, and a single at-a-glance view of hybrid estates, whether on-premises or in the cloud. Redgate Monitor Enterprise builds yet further on that heritage and is tailored for larger organizations that require advanced features beyond typical monitoring.

Enhancing the proficiencies of DBAs and IT management

Redgate Monitor Enterprise gives those in IT management deliverable and demonstrable business advantages. It minimizes risk by enabling the shifting regulatory landscape to be navigated with ease and helps to avoid the cost of non-compliance. It builds and maintains trust with customers by preventing unauthorized access to sensitive information. It turns compliance into a strategic advantage by removing the administrative burden and freeing up resources for strategic projects. By doing so, it fosters positive relationships with regulatory bodies through transparent and effective communication and an always-on compliance posture.

David Gummer adds, “By helping zcontribute to security, making it everyone’s responsibility.”

“Redgate Monitor Enterprise's capability to gather permissions from all our servers and databases is going to save us so much time! Before, we had to use scripts - hundreds of lines of code. Now, we can just click a button to export this info and give it to our security team. They can check it against our rules, and we can get back to our main jobs. It's a big win for us,” added Redgate customer Patrick Meyer, DBA at Atruvia. 

Advanced enterprise capabilities:

Streamlined user permissions

Accessing a clear overview of user permissions and providing role-based access control is an ongoing headache for database management teams who want to give developers access to database environments yet remain compliant with both internal frameworks and external standards and regulations. The user permissions feature in Redgate Monitor Enterprise provides a streamlined approach to maintaining security and compliance across all environments by addressing the challenge of unauthorized changes and preventing unexpected issues during audits.

Its intuitive interface comprehensively tracks the past and present access rights of users, specifying the server, database, and level of permissions granted, along with identifying all users with access to a particular server. This data provides immediate actionable insights into access rights, speeding up the reporting process. It can also be exported, filtered and searched to meet specific administrative needs, easing the laborious, time-consuming process of access management, and providing full transparency for compliance reporting.

Simplified SQL Server configuration compliance

Many enterprises, particularly in highly regulated sectors, are expected to meet global standards when configuring their SQL Servers, wherever those servers are and on a constant, rolling basis. Redgate Monitor Enterprise centralizes database and server configuration checks from a single dashboard where all configurations can be reviewed and managed against recognized security benchmarks. This enables DBAs to ensure their SQL Servers meet every compliance requirement without having to manually sift through configurations. They can easily monitor configurations and generate reports, especially for large estates with numerous servers, significantly simplifying compliance efforts.

High Availability architecture support

Five 9s availability is a typical SLA for enterprises, with the expectation that applications and websites are operational 99.999% of the time. Redgate Monitor Enterprise fully supports High Availability architectures, enabling it to be installed within a resilient setup, ensuring continuous monitoring by having backup servers ready to take over in case of component failure. This is crucial for enterprises, for whom monitoring is production-critical, allowing them to maintain database visibility without interruption.

Comprehensive and seamless data API

The Data API in Redgate Monitor Enterprise allows direct queries to its data repository by adding a REST API layer for user access. It enables custom reports to be created and monitoring data to be integrated into broader IT infrastructures. This is particularly useful for large corporations with specific reporting needs or those wishing to seamlessly incorporate monitoring data into tools like Power BI dashboards.

Redgate Launches Enterprise Edition of Redgate Monitor

"Kapeka" and "Fuxnet" are the latest examples of malware to emerge from the long-standing conflict between the two countries.

Source: Andrew Angelov via Shutterstock

Two dangerous malware tools targeted at industrial control systems (ICS) and operating technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.

One of the tools, dubbed "Kapeka," appears linked to Sandworm, a prolific Russian state-backed threat actor that Google's Mandiant security group this week described as the country's primary cyberattack unit in Ukraine. Security researchers from Finland-based WithSecure spotted the backdoor featured in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and perceive it as an active and ongoing threat.

**Destructive Malware**

The other malware — somewhat colorfully dubbed Fuxnet — is a tool that Ukraine government-backed threat group Blackjack likely used in a recent, destructive attack against Moskollector, a company that maintains a large network of sensors for monitoring Moscow's sewage system. The attackers used Fuxnet to successfully brick what they claimed was a total of 1,700 sensor-gateways on Moskollector's network and in the process disabled some 87,000 sensors connected to these gateways.

"The main functionality of the Fuxnet ICS malware was corrupting and blocking access to sensor gateways, and trying to corrupt the physical sensors as well," says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack's attack. As a result of the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. "To restore \[Moskollector's\] ability of monitoring and operating the sewage system all around Moscow, they will need to procure and reset the entire system."

Kapeka and Fuxnet are examples of the broader cyber fallout from the conflict between Russia and Ukraine. Since the war between the two countries started in February 2022 — and even well before that — hacker groups from both sides developed and used a range of malware tools against each other. Many of the tools, including wipers and ransomware, have been destructive or disruptive in nature and mainly targeted critical infrastructure, ICS, and OT environments in both countries.

But on several occasions, attacks involving tools spawned from the long-standing conflict between the two countries have affected a broader swath of victims. The most notable example remains NotPetya, a malware tool that the Sandworm group originally developed for use in Ukraine, but which ended up impacting tens of thousands of systems worldwide in 2017. In 2023, the UK's National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) warned of a Sandworm malware toolset dubbed "Infamous Chisel" posing a threat to Android users everywhere.

**Kapeka: A Sandworm Replacement for GreyEnergy?**

According to WithSecure, Kapeka is a novel backdoor that attackers can use as an early stage toolkit and for enabling long-term persistence on a victim system. The malware includes a dropper component for dropping the backdoor on a target machine and then removing itself. "Kapeka supports all basic functionalities that allow it to operate as a flexible backdoor in the victim's estate," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure.

Its capabilities include reading and writing files from and to disk, executing shell commands, and launching malicious payloads and processes including living-off-the-land binaries. "After gaining initial access, Kapeka's operator can utilize the backdoor to perform a wide variety of tasks on the victim's machine, such as discovery, deploying additional malware, and staging next stages of their attack," Nejad says.

According to Nejad, WithSecure was able to find evidence suggesting a connection to Sandworm and the group's GreyEnergy malware used in attacks on Ukraine's power grid in 2018. "We believe Kapeka may be a replacement for GreyEnergy in Sandworm's arsenal," Nejad notes. Though the two malware samples do not originate from the same source code, there are some conceptual overlaps between Kapeka and GreyEnergy, just as there were some overlaps between GreyEnergy and its predecessor, BlackEnergy. "This indicates that Sandworm may have upgraded their arsenal with new tooling over time to adapt with the changing threat landscape," Nejad says.

**Fuxnet: A Tool to Disrupt and Destroy**

Meanwhile, Claroty's Brizinov identifies Fuxnet as ICS malware intended to cause damage to specific Russian-made sensor equipment. The malware is meant for deploying on gateways that monitor and collect data from physical sensors for fire alarms, gas monitoring, lighting, and similar use cases.

"Once the malware is deployed, it will brick the gateways by overwriting its NAND chip and disabling external remote access capabilities, preventing operators from remotely controlling the devices," Brizinov says.  

A separate module then attempts to flood the physical sensors themselves with useless M-Bus traffic. M-Bus is a European communications protocol for remotely reading gas, water, electric, and other meters. "One of the main purposes of Blackjack’s Fuxnet ICS malware \[is\] to attack and destroy the physical sensors themselves after gaining access to the sensor gateway," Brizinov says. To do so, Blackjack chose to fuzz the sensors by sending them an unlimited number of M-Bus packets. "In essence, BlackJack hoped that by endlessly sending the sensor random M-Bus packets, the packets would overwhelm them and potentially trigger a vulnerability that would corrupt the sensors and place them in an inoperable state," he says.

The key takeaway for organizations from such attacks is to pay attention to the security basics. Blackjack, for instance, appears to have gained root access to target sensor-gateways by abusing weak credentials on the devices. The attack highlights why it "is important to uphold a good password policy, making sure devices do not share the same credentials or use default ones," he says. "It is also important to deploy good network sanitization and segmentation, making sure attackers would not be able to move laterally inside the network, and deploy their malware to all edge devices."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading