An overlooked library contains a vulnerability that could enable full remote takeover simply by clicking a link.

Researchers have uncovered a vulnerability in a library within the GNOME desktop environment for Linux systems. If embedded in a malicious link, it could enable attackers to perform machine takeover in an instant.

GNOME — short for GNU Object Model Environment — is an open source desktop environment implemented by popular Linux distributions like Ubuntu and Fedora.

According to a new blog from the GitHub Security Lab, within one of GNOME's default applications is a dependency containing a "High" 8.8 out of 10-rated, out-of-bounds array access vulnerability. Because of how the application works, all an attacker would need is one click from a victim in order to execute arbitrary code on a GNOME OS.

It "underscores a critical business risk," says Igor Volovich, VP of compliance strategy at Qmulos. "For businesses, this is a stark reminder that a single vulnerability, even in seemingly benign software components, can be leveraged for wide-scale compromise, especially when these components are interconnected within larger systems or platforms."

**A Bug in a Dependency, App, Environment, or OS**

The new vulnerability — CVE-2023-43641 — isn't with Linux or GNOME, at least directly.

The issue, rather, lies in "libcue," an obscure library with just nine forks on GitHub. libcue is used to parse "cue sheets," a metadata format for describing the layout of tracks on a CD or DVD.

Among other projects, libcue is used by "tracker-miners," a default application in GNOME used for indexing files in the home directory. Of note in this case is that tracker-miners automatically updates when files are added or modified in certain subdirectories, for example the "~/Downloads" folder.

GitHub's researchers took advantage of this fact when designing an exploit for CVE-2023-43641. They wrote a malicious Web page which, when visited, triggers the download of a cue sheet (.cue) file. The file was saved to ~/Downloads, and tracker-miners automatically scanned it using libcue, enabling their code to run (in this case, simply opening a calculator app).

The researchers have successfully tested exploits for the most recent versions of Ubuntu and Fedora. They have also publicly released a harmless, six-line proof-of-concept.

**Implications for Linux Users**

The open source nature of Linux, its applications, libraries, and so on, are both a weakness and a strength where enterprise security is concerned.

"Its open-source nature invites vast community contributions, fostering innovation but also expanding its threat surface," Volovich points out. On one hand, "preparedness lies in the robustness of the Linux community, which is often quick to patch and remediate identified vulnerabilities. However, the sheer scale of Linux deployments and varied custom configurations means that vulnerabilities can persist unnoticed."

That one tiny syntax handling error in one minor component of one easily missed application can be shown to cause such significant consequences means that Linux users cannot be content with simply patching as needed, Volovich thinks. "While patching remains an essential reactive measure in the cybersecurity arsenal, a singular focus on it creates a game of perpetual catch-up. The continuously evolving threat landscape necessitates a shift in mindset."

"Rather than isolating specific vulnerabilities, it's more effective to approach security from a controls perspective. By doing so, organizations can identify and address potential weak spots before they're exploited," he says, pointing to frameworks and standards like NIST and ISO. "When enterprises embed these standards into their operations, they don't merely respond to threats; they anticipate them."

One-Click 'Gnome' Exploit Is a Supply Chain Risk for Linux OSes

Ongoing Rapid Reset DDoS flood attacks exposed organizations need to patch CVE-2023-44487 immediately to head off crippling outages and business disruption.

An Internet-wide security vulnerability is at the root of a zero-day attack dubbed "HTTP/2 Rapid Reset," which resulted in a distributed denial-of-service (DDoS) flood that was orders of magnitude larger than any previous attack ever recorded. It marks a new chapter in the evolution of DDoS threats, researchers noted.

Amazon Web Services, Cloudflare, and Google Cloud each independently observed the attack in question, which featured multiple waves of traffic that lasted for just minutes each. They targeted cloud and Internet infrastructure providers, and the attack took place over Aug. 28–29. Unknown perpetrators are behind the event, but it's clear that they exploited a bug in the HTTP/2 protocol, which is used in about 60% of all Web applications.

AWS, Cloudflare, and Google worked with other cloud, DDoS security, and infrastructure vendors in a coordinated effort to minimize any real-world impact of the Rapid Reset attacks, mainly with load balancing and other edge strategies. But that doesn't mean the Internet is protected; plenty of organizations are still susceptible to the attack vector and will need to proactively patch their HTTP/2 instances to be immune to the threat.

The pioneering attack vector represents an important evolution of the DDoS landscape, according to Alex Forster, Cloudflare's technical lead over DDoS engineering.

"The threat of DDoS attacks is evolving quickly, and are far from a low-level annoyance that they used to be thought of as," he says. "This attack – the largest in the history of the Internet – shows just how critical it is to increasingly pay mind to and consider DDoS as a key way for threat actors to disrupt businesses and wreak havoc."  

**How the Rapid Reset DDoS Attacks Work**

The susceptibility to the attack within HTTP/2 is tracked as CVE-2023-44487, and it carries a high-severity CVSS score of 7.5 out of 10.

According to Cloudflare, HTTP/2 is "a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to 'request' to view things like images and text quickly, and all at once no matter how complex the website."

The attack technique involves making hundreds of thousands of HTTP/2 requests at once, then immediately canceling them, according to the company's analysis.

"By automating this 'request, cancel, request, cancel' pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline," according to Cloudflare's advisory on the Rapid Reset attacks, posted on Oct. 10.

During the peak of the August campaign, Cloudflare saw more than 201 million requests per second (rps), it said in a media statement provided to Dark Reading, "with some organizations witnessing even larger numbers due to the timing of their mitigations." That's triple the size of the previous record holder, a DDoS attack last year that peaked at 71 million rps.

Google, meanwhile, observed a peak of 398 million rps, seven and a half times larger than any previous attack against its resources; AWS detected a peak of more than 155 million rps targeted at the Amazon CloudFront service.

"For a sense of scale, this \[peak\] two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September," Google researchers pointed out in a post on Oct. 10.

"We can't predict the future of DDoS attacks, but this recent series of attacks moves the trend in observed attacks closer to the anticipated exponential growth of doubling every 18 months or so," a Google spokesperson tells Dark Reading. "Defending services from attacks like these requires consistent capacity planning, as well as the ability to monitor for attacks and respond quickly."

The power of the method is such that the August tsunami was launched using a modestly sized botnet — fewer than 20,000 nodes. This makes Rapid Reset not only a powerful weapon but a highly efficient one as well.

"Cloudflare regularly detects botnets that are orders of magnitude larger than this — comprising hundreds of thousands and even millions of machines," according to the company's analysis. "For a relatively small botnet to output such a large volume of requests, with the potential to incapacitate nearly any server or application supporting HTTP/2, underscores how menacing this vulnerability is for unprotected networks."  

**Rapid Reset Mitigation**

While the Rapid Reset attacks haven't had the critical impact that the cyberattackers behind them may have hoped, the fact that threat actors were able to pioneer the technique in the first place should put companies on notice, especially given that DDoS attacks continue to be an important tool in cyberattackers' arsenals.

"Cybersecurity is a race," Forster explains. "While attackers carry out increasingly sophisticated and more impactful attacks, defenders develop cutting-edge methods and technology to combat them...After today, threat actors will be largely aware of the HTTP/2 vulnerability. It will inevitably become trivial to exploit and kick off the race between defenders and attacks — first to patch vs. first to exploit. Organizations of all sizes should assume that systems will be tested, and take proactive measures to ensure protection."

And indeed, attackers are launching DDoS attempts on an ongoing basis using the bug, despite extensive mitigations being put into place by cloud providers and DDoS security vendors in the wake of the initial zero-day offensive in August.

"Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood," the cloud giant said in a post today.  

According to Google researchers, "any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable."

They added, "Organizations that are managing or operating their own HTTP/2-capable server (open source or commercial) should apply vendor patches for CVE-2023-44487 when available."

While the HTTP/2 Rapid Reset vulnerability may have been record-breaking in size, the broader takeaways are not novel, Forster adds: "Turn incident management, patching, and evolving your security protections into ongoing processes. Patches for each variant of a vulnerability reduce risk, but they never fully eliminate it."

Forster provided Dark Reading a list of actionable recommendations for shoring up defenses against Rapid Reset and other DDoS threats:

*   Understand your external and partner network’s external connectivity to remediate any Internet facing systems with the mitigations provided by vendors;
*   Understand your existing security protection and capabilities you have to protect, detect, and respond to an attack, and immediately remediate any issues you have in your network;
*   Ensure your DDoS protection resides outside of your data center, because if the traffic gets to your data center, it will be difficult to mitigate a DDoS attack;
*   Ensure you have DDoS protection for applications (Layer 7), and ensure you have Web Application Firewalls. Additionally as a best practice, ensure you have complete DDoS protection for DNS, network traffic (Layer 3), and API firewalls;
*   Ensure Web server and operating system patches are deployed across all Internet-facing Web servers. Also, ensure all automation like Terraform builds and images are fully patched, so older versions of Web servers are not deployed into production over the secure images by accident;
*   As a last resort, consider turning off HTTP/2 and HTTP/3 (potentially also vulnerable) to mitigate the threat. This is a last resort only, because there will be a significant performance issues if you downgrade to HTTP/1.1;
*   And, consider a secondary, cloud-based DDoS Layer 7 provider at perimeter for resilience.

Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

DDoS for hire and live attacks hit both sides as cyber campaigns continue.

Hacktivists are trading cyberattacks on both sides of the Israel-Hamas conflict.

According to detections by ReliaQuest, several pro-Russian hacktivist groups have identified Israeli targets, and Anonymous Sudan's official Telegram channel is discussing how to undermine Israel's Iron Dome defense, a mobile air defense system that intercepts and destroys short-range rockets and artillery shells.

Anonymous Sudan also named the Israeli government in online discussions as a main target and said it had obtained unspecified "zero-day vulnerabilities from Romania" to use in anti-Israel attacks.

The AnonGhost hacktivist group said it had managed to breach the "Red Alert" app to send messages like "The Nuclear Bomb is coming" and "Death to Israel."

Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, says the discussion on Telegram channels should be taken seriously even though their users' intentions and activities are often not verified, or reflect the true nature of a group.

**DDoS for Hire**

The Krypton network has also offered to sell its distributed denial-of-service (DDoS) capabilities to hacktivists wishing to target Israeli organizations. Morgan says Krypton is a known DDoS-for-hire botnet that allegedly includes several features to bypass DDoS mitigation services.

"It is realistically possible that the group saw an opportunity amidst the rush to target Israel, viewing it as a chance to make additional sales," Morgan says.

However, the attacks are not all one way, as ThreatSec reportedly compromised the Palestinian Internet services provider AlfaNet, with "literally every server owned by Alfanet" shut down. The group claimed its original goal was just to get a hold of some infrastructure, but it gained full control of more than 5,000 servers in the Gaza region. Statistics show a decline in Internet connectivity in Gaza over the past few days.

Since the attacks by Hamas began, cybercrime groups have shifted their activities toward the Middle East. More than a dozen threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters. The Jerusalem Post was taken down by a cyberattack this week.

Morgan says Israel is regularly targeted by cyber threats — such as when the Russia-aligned Ragnar Locker group hit the Mayanei Hayeshua Medical Center in Bnei Brak this summer — often by Iranian APTs. Additionally, hacktivist groups frequently target Israel in response to the ongoing conflict with Hamas.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers for Hire Hit Both Sides in Israel-Hamas Conflict

Keyloggers have been used for espionage since the days of the typewriter, but today's threats are easier to get and use than ever.

Keyloggers, the often-unseen sentinels of the digital space, silently and meticulously document a user's every tap and keystroke with the objective of harvesting valuable information. While many consider them tools of the cyber elite, it's startling how readily available and easy to use they are today.

Let's explore their lineage, the different kinds that exist, their multiple (good and bad) purposes, and the pressing need for protective measures.

**Historical Keyloggers**

The concept of spying on communication isn't new. But the 1970s, characterized by the ideological tussle between the East and West, offered a unique twist. Soviet engineers developed the Selectric bug to spy on electric typewriters. This ingenious device both underscored the era's espionage intensity and foreshadowed future digital surveillance.

Fast forward to the 1990s, as the tech revolution was reshaping the world. Computers transitioned from huge rooms to desktops. With this, the keylogger evolved too, from tangible devices to sophisticated software programs. In a twist of irony and to acknowledge digital espionage threats, in 2013 the Russian embassies dusted off their old typewriters.

Today's world paints a complex canvas. While keyloggers have become tools to help agencies like the FBI capture criminals, they've also become the weapon of choice for digital pirates and hackers globally.

**Types of Keyloggers**

There are a host of hardware and software devices that can spy on computer keyboard input today.

*   **USB keyloggers:** It's a stark testimony that anyone can purchase a keylogger as easily as they can buy a book. Retailers such as Amazon list these devices camouflaged as innocuous USB drives. While they might seem harmless, they're digital Trojan horses. For example, in 2017 a university student was expelled for using such a hardware keylogger to change academic scores.
*   **Acoustic keyloggers:** Sound, an elemental form of communication, has been weaponized by acoustic keyloggers. Every key on a computer keyboard has a unique sound. By recording and analyzing these sounds, these keyloggers can recreate entire documents. Research labs at University of California, Berkeley, have demonstrated how over 96% of a document's content can be reconstructed from keystroke sounds.
*   **Electromagnetic keyloggers:** Advancing from sound to the electromagnetic spectrum, keyloggers can eavesdrop on keyboards' faint electromagnetic discharges. Finely calibrated receivers can intercept and decode these emissions, even through physical barriers.
*   **Smartphone-based keyloggers:** In this mobile-first era, the array of sensors on mobile phones offer a fertile ground for innovative keylogging methods. By manipulating sensors designed for motion detection, software can decipher typing habits. Reports have unveiled accuracy levels approaching 97% from using smartphone data alone.
*   **Software-based keyloggers:** The 1980s saw the rise of software-based keyloggers. Some were crafted with malicious objectives, while others, such as those embedded in Windows 10, aimed to amplify the user experience through enhanced predictive text abilities. However, the rise of artificial intelligence and voice-activated devices like Amazon's Alexa becoming household staples creates new concerns. Their "always listening" feature has become a contentious topic.

**Ethical Keyloggers**

While the term "keylogger" often conjures negative imagery, many are used for valid, ethical purposes. Examples include enhancing software user experiences, helping parents monitor their children's digital footprints, aiding IT professionals in diagnosing tech issues, and safeguarding communal tech platforms from inappropriate use.

YouTube's vast informational landscape caters to curious minds, offering guidance on myriad subjects, including creating software. These include keylogger tutorials touted for educational enrichment. While they empower and educate genuine learners, they simultaneously risk aiding malicious intent. This duality underscores the need for discerning content consumption and ethical application of knowledge.

**Counteracting the Keylogger Threat**

Knowledge and proactive defense are the watchwords for decreasing your risk of being a keylogger victim. Regularly updating software, using robust two-factor authentication, leveraging virtual keyboards, employing state-of-the-art anti-keylogger tools, and physical examinations can help ward off these digital spies.

From their humble beginnings as tools of geopolitical subterfuge to their current omnipresence in the digital era, keyloggers have charted a dramatic trajectory. As we hurtle into an increasingly digital future, the history of keyloggers serves as a stark reminder of the delicate balance between technology's boons and banes.

How Keyloggers Have Evolved From the Cold War to Today

An unprecedented collaboration by various APTs within the DPKR makes them harder to track, setting the stage for aggressive, complex cyberattacks that demand strategic response efforts, Mandiant warns.

North Korean advanced persistent threat (APT) groups have become aligned in an unprecedented way since the start of the COVID-19 pandemic, evolving in terms of adaptability and complexity, and allowing for individual threat groups to diversify and expand activities — all while making it more difficult for investigators to keep up.

Historically, threat researchers have tracked North Korea's threat activities as being carried out by individual groups — Lazarus Group and Kimsuky among them. However, the lines are beginning to blur between individual APTs, who increasingly are coordinating efforts, and sharing both tools and information. As a result, it's becoming harder to distinguish who's responsible for what threat activity, researchers from Mandiant revealed in a report published Oct. 10.

While threat researchers scramble to unravel various threads to define activity according to its perpetrator, North Korean actors are moving nimbly to diversify their attacks, sharing tooling and code as they continue to adapt and change to build tailored malware for different platforms — Linux and MacOs among them, the researchers have found.

The supply chain also may be at an increased risk from North Korean APTs, as the groups evolve toward aggressive and broader intrusions that encompass multiple intrusions to multiple networks by multiple APTs, using various supply chain vectors, the researchers noted.

"This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability," the researchers noted.

That said, individual groups continue to work on "separate, unrelated efforts such as ransomware, collecting information on conventional weapons, nuclear entity targeting, blockchain- and fintech- targeting efforts, among various others," Mandiant analysts wrote in the report. This includes efforts to steal cryptocurrency to fund the regime of North Korea's Supreme Leader Kim Jong Un, who each of them ultimately serve. While this effort is a broad goal across APTs, several sub-groups have emerged in recent years that are exclusively aimed at this activity.

**A More Organized State-Sponsored Structure**

COVID-19 marked a significant change in how North Korean threat groups operate, with an unprecedented level of coordination and information-sharing directly driven by the closure of borders during that time. This left typically secretive and taciturn operators located outside the country in a lurch, and forced them to communicate with other groups, spurring collaboration that continues to this day, Michael Barnhart, principal analyst at Mandiant, says.

"While it remains uncertain whether this collaboration was intentional or driven by necessity, there is no sign of a decrease in such activities," Barnhart says. "In fact, there is evidence of an increasing trend toward such collaborations."

Mandiant researchers compiled a comprehensive structure of the current North Korean APT landscape to help defenders understand what they're currently up against. In general, all threat groups lead back to Kim Jong Un, and all activity is either to provide funding or intelligence for the regime — or both.

Branching directly from the supreme leader are the General Staff Department of the Korean People's Army — which oversees the Reconnaissance General Bureau (RGB) — and the Minister of State Security, to which APT37, better known as ScarCruft or Reaper, directly reports.

Several threat groups also are aligned with North Korea's RGB, including Kimsuky, which Mandiant tracks as APT43; APT38 (better known as Lazarus, one of North Korea's most prolific threat groups); Temp.HERMIT, also tracked as part of Lazarus' activities and dedicated to cyber espionage; and Andariel, often linked to ransomware activities using bespoke ransomware dubbed Maui.

To complicate matters further, each of these groups has sub-groups operating under them to carry out particular tasks. For example, a group tracked as Apple.Jeus operates under the umbrella of Temp.HERMIT and is tasked exclusively with targeting cryptocurrency industry "with the goal of stealing digital assets to fund the regime's priorities," the researchers wrote.

Muddying the waters further are several groups operating under the direction of the Central Committee of the Workers' Party of Korea — the United Front Department and IT Workers — each of which work domestically and abroad to conduct cyber operations on behalf of the regime.

**DPRK's Threat Evolution Demands Collaborative Response**

Due to the evolving nature of these diverse and varied groups operating on behalf of North Korea, the ultimate takeaway of Mandiant's findings is that defenders would be better served by focusing on the specific nature of a particular activity rather than getting too deep in the weeds of trying to figure out which North Korea-backed group is perpetrating it, Barnhart says.

"These specific threat actors are extremely adaptable and agile, often leading defenders to spend significant time attempting to attribute actions to specific individuals behind the keyboard," he says.

Because this process is "far from straightforward," a more productive approach would be "to prioritize the mission after \[attributing the attacks\] to North Korea, rather than becoming overly preoccupied with specific units, until it becomes necessary to address those specific concerns," Barnhart says.

Future threat intelligence-gathering efforts will rely on defenders engaging in the same collaborative spirit demonstrated by the North Korean APTs themselves to mount "a more effective, collective response to counter this persistent threat actor," he says.

"Our recommendation is for both governments and the private sector to continue their collaborative efforts, presenting a unified front," Barnhart says. "This approach serves to maximize imposed cost on the threat actor."

North Korea's State-Sponsored APTs Organize & Align

Log management tools help IT and security teams monitor and improve a system's performance by identifying bugs, cybersecurity breaches, and other issues that can create outages or compliance problems.

Logs are like digital footprints or a letter that developers write to themselves for the future. They track every action or event that takes place within software, applications, and IT infrastructure. They provide important information, such as when an action happened, the host name, the type of action, and the application used.

Sometimes you must retrace your or a user's steps to determine where something went wrong … or where it could start going wrong. Unfortunately, technical teams may have to sift through several systems' worth of logs because systems and applications create logs for every action, error, file request, or file transfer that occurred within them. Log management makes the whole process less painful and time consuming.

**How Do You Manage Logs?**

There are five steps to log management:

1.  **Collect your logs:** Before you can manage logs, you have to gather them. A company's logs typically exist across servers, applications, infrastructures, network devices, and more. A log collector collects logs from all these locations. Loading data into your system as-is instead of parsing it first allows you to collect this data quickly because the data going into your system does not have to be organized or uniform until you use it.
2.  **Centralize and index your logs:** Once you've collected your logs, put them in one central location so that your team can easily find and sort through them. Index them to make them searchable.
3.  **Search and analyze information within the logs:** Your technical team has the option to analyze the data from these logs manually or by using machine learning to spot outliers in patterns.
4.  **Monitor the logs and receive alerts about anything unusual:** Monitor collected logs for errors or security breaches and use alerts to notify your team about any error that's spotted.
5.  **Create and share reports and dashboards:** Share data through reports and dashboards so that everyone who needs it has access to the same information. You can also reuse these reports and dashboards without having to recreate them. If you want to limit which reports or dashboards someone can access, you can put permissions on them so that only the necessary team members can view them.

**What Is a Log Management System?**

A log management system provides your team a single place to compile and store all your logs across servers, applications, and devices. From there, you can parse, analyze, and organize your logs as needed. Log management tools help DevOps teams monitor and improve a system's performance by identifying issues, bugs, and security breaches (or attempted ones) and alerting the appropriate people who can address them.

Cloud-based log management systems can be accessed anywhere at any time. They also compile all logs into one platform so that you don't have to sort through several systems and applications to find what you need. Thanks to the elastic nature of the cloud, they offer scalability to help manage the seasonality of data.

**Why Is Log Management Important?**

Log management allows your IT and your security teams to:

*   **Check the health of applications and infrastructures:** With a log management system, you have all your logs in one place and can more easily sort through them to figure out where errors may be. Without a log management system, your team may have to spend hours sifting through various applications or systems or contacting cloud providers to find the log information you need. Using log management best practices allows you to proactively monitor for potential problems before they arise.
*   **Ensure an exceptional customer digital experience:** By accessing the right data on the reliability and performance of your applications through insights about the user experience, you can identify anomalies and resolve issues before users are impacted.
*   **Gain insights when there is a security breach:** Similar to checking the health of your applications and tech stacks, log management makes it easier to monitor for security breaches because you have all your logs in one centralized location. More visibility means you can stop a security breach attempt quickly.
*   **Boost customer satisfaction:** Issues or security breaches may impact your users' experience. Slow loading speeds, delayed customer service response, and complete outages can lead to customer churn. Log management helps prevent these issues.
*   **Maintain compliance with policies or requirements:** Some companies and organizations must follow certain cybersecurity, privacy, financial recording, or reporting guidelines. Those who don't comply with their industry's regulations may face fines, loss of licensing, or even imprisonment. Log management helps organizations demonstrate compliance using the data in their logs.

To get the most out of your logs, lean on log management and log analytics tools with the capabilities to help you build and maintain secure and reliable applications.

**About the Author**

    

Manas Sharma is a Principal Product Manager at Sumo Logic responsible for logs and log analytics. Manas has more than 23 years of experience in the technology industry, with a wealth of knowledge and expertise in networking, embedded systems, network management, and observability. Manas has grown from an engineer executing cutting-edge projects to leading various product initiatives as a product manager while working at companies such as Network Programs, Broadcom, 4RF, Symbol, and HPE.

How to Use Log Management to Retrace Your Digital Footsteps

Security firms analyze attack paths and seek out weak identities to find compromise vectors and critical assets that need better controls.

As companies struggle with finding and closing off the paths that attackers could use to infiltrate and compromise their IT environments, security providers are rushing to offer security posture management — also known as exposure management — capabilities in their products.

Security posture management firm Cymulate announced in June its threat exposure management platform that takes data from a variety of sources — including an inventory of the company's assets, its vulnerabilities, potential attack paths, and adversaries tactics — to create a measure of risk. Last week, exposure management firm Tenable announced the release of identity-focused features in its Tenable One platform that can analyze Active Directory and Azure AD instances to find identity-based weaknesses, such as over-permissioned accounts, orphaned users, and anomalous identities.

Giving companies the ability to analyze combined vulnerability and identity data from the current corporate IT environment is a critical part of measuring exposure, says Nico Popp, chief product officer at Tenable.

"If you bring vulnerability management and identity exposure together, then you can actually do really interesting things," he says. "The two together let you really allow us to think as an attacker moving laterally across your environment to basically reach your most important assets."

Exposure management is a relatively young industry segment that has taken off, driven by predictions from analyst firms, such as Gartner, that companies will shift from vulnerability management, attack-surface management, and privileged-account management to the more holistic capability of managing their exposure to threats.

For organizations, exposure management promises better ways to secure their changing information technology environments as attacks evolve. Focusing on not just vulnerabilities and weak identities, but also validating the threats that certain weaknesses represent, can help firms tackle the most critical security issues before they are exploited.

Combining a variety of data — such as the severity of the vulnerabilities, the value of the affected assets, and an attacker's ability to utilize an exploited system — allows companies to better gauge risk, says Erik Nost, a senior analyst in the security and risk group at Forrester Research.

"Organizations are all looking to inventory what they have and provide some perspective as to what they need to worry about," he says. "With attack path analysis, organizations can understand how attacks could be chained, how a vulnerability in an asset might relate to a certain family of malware, and if there are identities that live on this box that, if compromised, could then allow attackers to move to other boxes."

**Exposure Focuses Increasingly on Identity**

While vulnerability management firms have a natural evolution to exposure management, identity management and privileged access management (PAM) providers are increasingly transitioning as well. Typically, exposure management has been about vulnerabilities and misconfigurations, but many companies still have weaknesses due to overentitled accounts or users with a lot of standing privileges.

These are vulnerabilities as well, says Grady Summers, executive vice president of product at SailPoint Technologies.

"For so long, identity management was viewed as this compliance thing," he says. "But now customers are saying, can you show me all the overentitled access or the orphaned access or uncorrelated access — they're just realizing they had this blind spot to it."

Attack surface management and attack-simulation companies are likely to shift their focus to exposure management as well. Cymulate, formerly a breach and attack simulation company, has shifted to continuous threat exposure management (CTEM), an acronym coined by Gartner, as a way of extending its focus on attack surface and validation of vulnerabilities, says Carolyn Crandall, chief security advocate for Cymulate.

"Now, security teams are getting hit by more threats ... \[exposure management\] helps them get ahead of the attackers by better prioritizing the vulnerabilities that need remediation," she says. "There's much more pressure now to do testing ... \[to see if\] we get the outcomes we expected, and if not, how do we quickly understand those and then change."

**Adding Attack Paths Validates Threats**

A key component of exposure management is validating that particular vulnerabilities are both reachable and exploitable by attackers. To determine whether a critical asset is at risk, companies have focusing on constructing the potential path an attacker could take through the environment, using vulnerabilities in different systems to reach an end goal. Such attack paths validate that the combination of vulnerability scanning, analyzing permissions and identities, and measuring the criticality of assets results in a measurable risk.

A common attack path might involve compromising a Web server using an exploit for Log4J, escalating privileges, and then accessing a database. Using simulations to determine if that attack is viable helps organizations prioritizing patching and the implementation of new controls, says Mike DeNapoli, a cybersecurity architect and director at Cymulate.

"We can recreate this attack in a production-safe way — actually run it and determine 'is this merely viable, but we have controls that will compensate for these gaps,' or 'is this validated and this is an attack path that a threat actor could use,'" he says.

Often, compromising identity is a shorter way to achieve the same end, which is why it is so important to exposure management, says Tenable's Popp.

"If there is a very important customer database managed by Nico, and Nico is a privileged user, but his identity has a lot of weaknesses — maybe his password is on the Dark Web, or maybe he doesn't have MFA (multifactor authentication) — then that's a risk," he says. "If Nico gets compromised, which is a pure identity attack, then my customer database will get compromised, because the attacker, who can now pose as Nico, can fully access my customer database."

Exposure Management Looks to Attack Paths, Identity to Better Measure Risk

Guardrails need to be set in place to ensure confidentiality of sensitive information, while still leveraging AI as a force multiplier for productivity.

At the end of June, cybersecurity firm Group-IB revealed a notable security breach that impacted ChatGPT accounts. The company identified a staggering 100,000 compromised devices, each with ChatGPT credentials that were subsequently traded on illicit Dark Web marketplaces over the course of the past year. This breach prompted calls for immediate attention to address the compromised security of ChatGPT accounts, since search queries containing sensitive information become exposed to hackers.

In another incident, within a span of less than a month, Samsung suffered three documented instances in which employees inadvertently leaked sensitive information through ChatGPT. Because ChatGPT retains user input data to improve its own performance, these valuable trade secrets belonging to Samsung are now in the possession of OpenAI, the company behind the AI service. This poses significant concerns regarding the confidentiality and security of Samsung's proprietary information.

Because of such worries about ChatGPT's compliance with the EU's General Data Protection Regulation (GDPR), which mandates strict guidelines for data collection and usage, Italy has imposed a nationwide ban on the use of ChatGPT.

Rapid advancements in AI and generative AI applications have opened up new opportunities for accelerating growth in business intelligence, products, and operations. But cybersecurity program owners need to ensure data privacy while waiting for laws to be developed.

**Public Engine Versus Private Engine**

To better comprehend the concepts, let's start by defining public AI and private AI. Public AI refers to publicly accessible AI software applications that have been trained on datasets, often sourced from users or customers. A prime example of public AI is ChatGPT, which leverages publicly available data from the Internet, including text articles, images, and videos.

Public AI can also encompass algorithms that utilize datasets not exclusive to a specific user or organization. Consequently, customers of public AI should be aware that their data might not remain entirely private.

Private AI, on the other hand, involves training algorithms on data that is unique to a particular user or organization. In this case, if you use machine learning systems to train a model using a specific dataset, such as invoices or tax forms, that model remains exclusive to your organization. Platform vendors do not utilize your data to train their own models, so private AI prevents any use of your data to aid your competitors.

**Integrate AI Into Training Programs and Policies**

In order to experiment, develop, and integrate AI applications into their products and services while adhering to best practices, cybersecurity staff should put the following policies into practice.

**User Awareness and Education:** Educate users about the risks associated with utilizing AI and encourage them to be cautious when transmitting sensitive information. Promote secure communication practices and advise users to verify the authenticity of the AI system.

*   **Data Minimization:** Only provide the AI engine with the minimum amount of data necessary to accomplish the task. Avoid sharing unnecessary or sensitive information that is not relevant to the AI processing.
*   **Anonymization and De-identification:** Whenever possible, anonymize or de-identify the data before inputting it into the AI engine. This involves removing personally identifiable information (PII) or any other sensitive attributes that are not required for the AI processing.

**Secure Data Handling Practices:** Establish strict policies and procedures for handling your sensitive data. Limit access to authorized personnel only and enforce strong authentication mechanisms to prevent unauthorized access. Train employees on data privacy best practices and implement logging and auditing mechanisms to track data access and usage.

**Retention and Disposal:** Define data retention policies and securely dispose of the data once it is no longer needed. Implement proper data disposal mechanisms, such as secure deletion or cryptographic erasure, to ensure that the data cannot be recovered after it is no longer required.

**Legal and Compliance Considerations:** Understand the legal ramifications of the data you are inputting into the AI engine. Ensure that the way users employ the AI complies with relevant regulations, such as data protection laws or industry-specific standards.

**Vendor Assessment:** If you are utilizing an AI engine provided by a third-party vendor, perform a thorough assessment of their security measures. Ensure that the vendor follows industry best practices for data security and privacy, and that they have appropriate safeguards in place to protect your data. ISO and SOC attestation, for example, provide valuable third-party validations of a vendor's adherence to recognized standards and their commitment to information security.

**Formalize an AI Acceptable Use Policy (AUP):** An AI acceptable use policy should outline the purpose and objectives of the policy, emphasizing the responsible and ethical use of AI technologies. It should define acceptable use cases, specifying the scope and boundaries for AI utilization. The AUP should encourage transparency, accountability, and responsible decision-making in AI usage, fostering a culture of ethical AI practices within the organization. Regular reviews and updates ensure the policy's relevance to evolving AI technologies and ethics.

**Conclusions**

By adhering to these guidelines, program owners can effectively leverage AI tools while safeguarding sensitive information and upholding ethical and professional standards. It is crucial to review AI-generated material for accuracy while simultaneously protecting the inputted data that goes into generating response prompts.

How to Safely Architect AI in Your Cybersecurity Programs

Hack The Box launches Capture The Flag competition, including offensive and defensive challenges, to unite teams as cyberattacks increase in 2023 to unprecedented levels.

**London, Monday 3rd July, 2023** **—** Hack The Box, a disruptive cybersecurity upskilling, certification and talent assessment platform, has announced its upcoming global Capture The Flag (CTF) competition, designed specifically for corporate teams. Running from July 14 to July 16 2023, the competition will include offensive and defensive cybersecurity challenges, offering a valuable resource for cybersecurity teams seeking to fortify their skills as the regularity and severity of cyber attacks increase.  

Cyberattacks have risen by 7% in the first quarter of 2023 compared to 2022, and the threat landscape is becoming more diverse and complex for cyber professionals to protect against. In response, Hack The Box has designed its latest online global competition to help cybersecurity professionals learn the latest techniques in defending their organization using real-world scenarios. As cyberattacks grow in number and sophistication, businesses need cybersecurity teams to stay ahead, relying on a range of skills in the offensive and defensive space. 

Themed "The Great Escape," competitors are thrust into a distant dystopian future in a race to colonise Mars. They will be competing to establish Mars as a democracy by hacking into the opponent’s infrastructure, as the opposing team only wishes to occupy the planet for the elites.  

In preparation for the event, participants will have access to interactive workshops before the CTF kicks off, which feature defensive security tactics. The competition itself consists of over 30 challenges covering various domains, including web, cloud, pwn, crypto, forensics, reversing, and machines, all based on real-world scenarios. The CTF offers gamified upskilling, encouraging interactive learning experiences that keep participants engaged and motivated. Corporate IT and security teams can sharpen their hacking skills, showcase their expertise, and compete for the top spot on the global leaderboard.  

**Haris Pylarinos, CEO at Hack The Box, says:** "This competition offers a unique opportunity for not only IT and infosec  teams to enhance their offensive and defensive cybersecurity skills while being part of an immersive storyline, but to include interns and new hires needing to upskill and learn from each other. A business' cybersecurity relies as much on offensive and pre-emptive strategies as it does on those teams that address cyberattacks once they have happened. This inclusive approach to cyber training ensures cyber professionals are as prepared as possible in an ever-changing threat landscape."

**Pablo Ruiz Encinas, Security Consultant at Mnemonic, participated in the 2022 Hack The Box Business CTF and said:** "We used the HTB Business CTF to get our interns into the hacking world at the same time as the new hires and the more experienced members sharpened their skills. It was fun as well as rewarding to spend that weekend working together and sharing knowledge. I will definitely join for similar events in the future." 

**Gabe Lawrence, VP of Information Security Cyber Protection at Toyota, commented:** "There's a stigma of cybersecurity being magic or as easy as it’s portrayed in shows, but it's not. Hack The Box has helped us learn to address that stigma and get prepared for anything by updating our skills and knowledge base. We use the Dedicated Labs instances for CTFs we host every Friday afternoon. It's a fun and casual way for the team to gather and work together to solve challenges — and our favorite way to end the work week!"

In 2022, participation included 657 different businesses competing across 84 countries and territories. This was a 75% YoY team participation increase from 2021 to 2022, demonstrating the demand for immersive team learning. For 2023, over 500 teams have already joined to compete.

To join HTB's Business CTF 2023: The Great Escape, corporate teams can register for free here.   

Hack The Box's CTF 2023: The Great Escape is sponsored by Snyk and ExpressVPN.  

**About Hack The Box:**

Hack The Box is a leading gamified cybersecurity upskilling, certification, and talent assessment platform enabling individuals, businesses, government institutions, and universities to sharpen their offensive and defensive security expertise. Launched in 2017, Hack The Box brings together the largest global cybersecurity community of more than 2m platform members and is on a mission to create and connect cyber-ready humans and organizations through highly engaging hacking experiences that cultivate out-of-the-box thinking. Offering a fully guided and exploratory skills development environment, Hack The Box is the ideal solution for cybersecurity professionals and organizations to continuously enhance their cyber-attack readiness by improving their red, blue, and purple team capabilities. Rapidly growing its international footprint and reach, Hack The Box is headquartered in the UK, with additional offices in Greece and the US.

Global Hacking Competition Addresses Critical Increase in Cybersecurity Threats for Businesses

GDPR is halting Meta's new Threads app from entering EU markets, portending a broader struggle over the right ways to collect user data on social apps.

Upcoming data privacy regulations are preventing Meta's new microblogging app "Threads" from launching in European Union (EU) markets. Experts say this is only the beginning of the privacy battle facing the Twitter clone.

Meta's attempted coup d'etat against the Twitter kingdom launched on Wednesday in over 100 countries, earning tens of millions of users in only its first day live. That, despite being unavailable to major markets within the EU.

The holdup has to do with "complexities with complying with some of the laws coming into effect next year," Instagram CEO Adam Mosseri hinted on July 5. Mosseri's statement may refer to the new antitrust-oriented Digital Markets Act, but experts also expect Threads to collide head-on with consumer privacy regulations, thanks to its wanton collection of just about every kind of personal data imaginable.

    

Source: Search Engine Journal

"It seems likely that they're worried about the risk of rolling out something new that very clearly violates General Data Protection Regulation (GDPR) guidelines," says Aaron Mendes, CEO and co-founder of PrivacyHawk. But Threads' slow rollout doesn't preclude it from flourishing in the future. "Facebook has a reputation of rolling things out over time — they like to get stuff out fast, and then get information in and iterate."

**Everything Threads Will Know About You**

Meta has a history of conflict with regulators, owing to its liberal approach to consumer privacy. The EU has already fined the media giant to the tune of nine figures or more on multiple occasions.

Judging by its entry in the Apple app store, it's no wonder that Threads is being shielded from EU scrutiny. Browsing history, geolocations, health and financial information, and much more are all up for grabs. There's even a dedicated category for "sensitive information" which, according to Apple's documentation, includes "racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data."

According to Mendes, there's no reason for users to suddenly freak out. For one thing, even the most egregious data collectors now provide settings for users to toggle what kinds of information they're willing to divulge. And at the end of the day, he points out, "Threads is effectively Instagram. You use Instagram to log into it. So it's all the same data collection, all the same protocols."

Threads does distinguish itself from its parent platform in its supplemental privacy policy. One rule of particular note: It'll only be possible to delete a Threads account by deleting the Instagram account associated with it.

Few of the tens of millions of people who've already signed up for Threads — or the hundreds of millions to come — are likely to know about this rule before it's too late. It just goes to show how "the customers are very, very disempowered," says Jim Killock, executive director of the Open Rights Group. "It's worth remembering that people have invested thousands and thousands of hours into building their networks on these platforms. We wouldn't tolerate this sort of behavior anywhere else."

**Can Meta Keep Up With GDPR?**

Even those who hold no quarter for Meta's approach to privacy may find certain GDPR regulations overly restrictive.

"EU laws make it very difficult to roll out a product, because of how they handle data sharing outside of EU borders," Mendes says. In May, for example, Meta got handed a colossal 1.3 billion Euro fine for transferring EU citizens' data to US servers, "which is kind of required to operate a service."

Initially, the Privacy Shield program provided a framework for data transfer between the US and EU, but the European Court of Justice struck it down on July 16, 2020. A new Trans-Atlantic Data Privacy Framework was agreed on in March, but hasn't been enacted yet.

Even if the EU has good reason to want to maintain legal control over its citizens' data, Mendes says, it's unduly difficult for global brands to keep all their data in one place, "unless you create a copy of your product that's completely siloed and works in the EU, separate from the one that you have, let's say, in the United States, which is an engineering nightmare, because now you have to maintain two versions of your product."

"There's never a simple balance," Killock admits. "It's about respecting the desires of customers on one hand, and on the other hand ensuring that companies can do business."

In some cases, he says, rules can help both regulators and users without being overly restrictive to companies. He points to the UK's right to data portability law as a way to foster competition, and naturally discourage Meta's more unsavory practices. "Whether we're talking about moderation standards or privacy standards, it allows people escape routes, and that creates actual commercial pressure on these companies to behave better."

"That," he thinks, "will empower not just users but also regulators to say: 'Look, people don't like this practice, you shouldn't be doing it."

Source

DARKReading