Workforce IAM and consumer IAM are not interchangeable — they serve different purposes and constituencies.

The world is increasingly becoming more interconnected, and digital identity is evolving to address the unique needs of organizations and consumers. While the two types of identity and access management — workforce IAM and consumer IAM — share some commonalities, they are designed for distinct use cases and fit different requirements.

"The obvious difference between the two use cases is the user constituencies," says Henrique Teixeira, senior research director at Gartner.

Vendors and buyers often separate the use cases into internal identities (workforce) and external identities (consumer) because there may be requirements that apply to one group but not the other. For example, consent and preference management to protect the privacy of customer data is an important part of consumer IAM, but not so much in workforce IAM, Teixeira says.

Many organizations believe that they can use workforce IAM solutions to solve identity issues around securing consumer identities, says David Mahdi, CIO of Transmit Security.

"As organizations deploy more customer-facing digital services \[via mobile and/or Web\], they now need to invest in CIAM solutions to help establish and maintain trust and privacy," he says.

**Securing the Digital Workforce**

Workforce IAM, also known as employee IAM or corporate IAM, is designed to manage and secure the digital identities of an organization's employees, contractors, and partners. The primary goal of workforce IAM is to protect sensitive corporate data and resources by ensuring that the right people have access to the right information, at the right time, and in compliance with regulatory requirements.

Workforce IAM solutions provide strong, multifactor authentication (MFA) to ensure that users are who they claim to be. This often involves a combination of passwords, one-time passcodes, and biometric factors, such as fingerprint or facial recognition. MFA helps organizations prevent unauthorized access to their systems, thereby reducing the risk of data breaches and cyberattacks.

Role-based access control (RBAC) and attribute-based access control (ABAC) are employed to grant users access to specific resources based on their job function, seniority, department, or other attributes. This fine-grained access control helps organizations maintain the principle of least privilege, which minimizes the potential for insider threats and data leakage. These features allow users to access multiple applications within the organization using a single set of credentials, simplifying the login process and improving user experience. Federation extends single sign-on (SSO) across organizational boundaries, enabling seamless collaboration between partners, suppliers, and customers.

Workforce IAM systems manage user accounts from onboarding to offboarding, including provisioning and deprovisioning access, password resets, and profile updates. Automating these processes not only saves time and effort but also reduces the risk of human error and ensures that access rights remain up to date.

Workforce IAM solutions track and monitor user activities, generating audit trails and reports that help organizations maintain compliance with industry regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act (SOX). These tools also facilitate the identification of suspicious behavior or potential security incidents, allowing for prompt investigation and remediation.

"Employees that make up the workforce sign employee agreements, which essentially means that they must adhere to any and all access policies. This absolutely shapes the UX and security requirements of workforce IAM solutions," Transmit Security's Mahdi says. "That is simply not the case when dealing with consumer security and identities. If they suffer a poor UX, they can and will go elsewhere, especially when it's an online digital service — where competitors are a simple click away."

**Enhancing the Consumer Experience**

Consumer IAM, or customer IAM, focuses on managing the identities of an organization's customers or end users. The main objectives of consumer IAM are to create seamless and secure user experiences across digital touch points, while safeguarding customer data and maintaining compliance with privacy regulations.

Consumer IAM solutions often allow users to register and log in using their social media accounts or other trusted identity providers, streamlining the authentication process and reducing the need for multiple sets of credentials. This convenience helps organizations attract and retain customers, especially in industries with high levels of competition.

Customers can manage their profiles, preferences, and consent settings through self-service portals, giving them more control over their data and interactions with the organization. This empowers customers to update their information, adjust privacy settings, and manage their communication preferences without relying on customer support, thereby reducing operational costs for the organization.

Consumer IAM systems are designed to handle millions of users and to scale rapidly to accommodate growth in user base or increased traffic during peak times. High-performance IAM solutions ensure that customer-facing applications remain responsive and reliable, even under heavy loads, which is crucial for maintaining customer satisfaction and minimizing churn.

Such solutions collect and analyze customer data, enabling organizations to deliver personalized content, offers, and recommendations based on individual preferences, browsing history, and purchase patterns. This level of personalization can enhance customer loyalty, drive repeat business, and increase conversion rates. Additionally, customer analytics can provide valuable insights into user behavior, helping organizations identify trends, opportunities, and areas for improvement.

Consumer IAM plays a critical role in complying with data protection and privacy regulations, such as GDPR and the California Consumer Privacy Act (CCPA). These solutions help organizations manage customer consent for data processing, store and transmit customer data securely, and respond to data subject access requests. By ensuring compliance, consumer IAM can help organizations avoid costly fines and reputational damage.

These systems use advanced techniques, such as machine learning and behavioral analytics, to identify potentially fraudulent activities and assess the risk level of each login attempt. Based on the risk score, the IAM solution may require additional authentication factors or block access altogether. This helps protect customers' accounts from unauthorized access and reduces the organization's exposure to fraud-related losses.

**Picking the Right IAM**

Workforce IAM emphasizes the protection of corporate resources and data, ensuring that employees and partners have appropriate access to systems and information. In contrast, consumer IAM prioritizes the customer experience, personalization, and privacy, aiming to foster trust and loyalty among end users.

As organizations continue to adapt to the ever-changing digital landscape, understanding these distinctions is crucial for selecting the right IAM solution to meet their specific needs. By implementing the appropriate workforce or consumer IAM system, organizations not only improve security and compliance, but they also enhance user experience, drive customer satisfaction, and, ultimately, achieve business success.

Decoding Identity and Access Management for Organizations and Consumers

To properly secure DNS infrastructure, organizations need strong security hygiene and records management, as well as DNS traffic monitoring and filtering.

As a core backbone of the infrastructure, Domain Name Service (DNS) acts as the phone book of the Internet. It helps route users hunting for a specific domain name and connects them to the resources of the IP address connected to that domain. When it runs the way it is supposed to, it is nearly invisible to the typical user — and even to many technical administrators. This lends an air of obscure simplicity that leads many organizations to assume that DNS is a background service that doesn't require more than basic protection and is covered by other Web and email defenses.

That couldn't be further from the truth. A new report from Dark Reading outlines the threats against DNS and what organizations should do to secure DNS infrastructure.

Some of the most common DNS attacks include:

*   Denial of service, which overwhelms DNS services with traffic to disrupt or disable DNS service at an organization.
*   DNS cache poisoning, which manipulates the DNS cache to redirect users trying to go to a legitimate domain to a malicious IP address.
*   DNS hijacking, which changes the DNS records of a domain to redirect users to a malicious IP.
*   DNS tunneling, which leverages outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' C2 infrastructure.
*   Dangling DNS, which takes over an unused subdomain on cloud and other infrastructure to impersonate a brand or use as a foothold for other attacks.

To ensure the proper security of DNS infrastructure, organizations need a solid combination of strong security hygiene around DNS infrastructure and records management, close monitoring of DNS traffic, effective filtering, and deployment of more advanced protocols, like DNSSEC. The cost of not employing these measures can be high. The average cost of a successful DNS attack is upward of $1 million.

When attacks happen, sometimes the best that many organizations can do is to literally pull the plug on their DNS or network infrastructure.

The Dark Reading report, "Everything You Need to Know About DNS Attacks," explores the nuances of the DNS security awareness gap, including why organizations are struggling to implement a full slate of DNS security measures and what it will take to combat these common DNS attacks. The report examines how to harden DNS infrastructure from attacks, the importance of creating more visibility around DNS, and how DNS protection measures can actually be used to improve other areas of cybersecurity awareness.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Getting Over the DNS Security Awareness Gap

This first-ever event, hosted by the Security Industry Association and ASIS International and designed to advance, connect, and empower women in security, gathered hundreds of industry leaders in Nashville June 12-13, 2023.

**ALEXANDRIA, Va. & SILVER SPRING, Md. –** ASIS International and the Security Industry Association (SIA) closed out the inaugural Security LeadHER conference this week, celebrating a successful and groundbreaking first event held June 12-13 in Nashville, Tennessee. The event was dedicated to advancing, connecting and empowering women in the security profession.

Approximately 300 current and future "LeadHERs" and attendees of all backgrounds and genders gathered for Security LeadHER 2023. This year's Security LeadHER program kicked off on June 12 with a variety of fun and engaging activities, including a behind-the-scenes security tour of Nashville's famed Ryman Auditorium, a tour of the National Museum of African American Music and a women's self-defense class, and wrapped up with a lively networking reception at Johnny Cash’s Bar & BBQ.

On June 13, the Security LeadHER conference programming began with a motivating keynote from author, renowned speaker and sought-after consultant Eliza VanCort on how to "Claim Your Success – Stand Tall, Raise Your Voice and Be Heard." In this dynamic presentation, VanCort shared her personal journey from childhood kidnappings to a near-fatal head injury to becoming a No. 1 bestselling author, addressed some of today's most important women’s leadership issues and offer participants valuable communication and presentation guidance and concrete skills to achieve their goals professionally and in every aspect of their lives.

Additional programming focused on two tracks – Leadership and Security & Innovation – featuring presentations from industry-leading subject matter experts. Track sessions gave actionable guidance on topics such as confidently saying no and setting boundaries, addressing virtual threats and harassment, mitigating our unconscious biases against women in security, anonymizing your digital footprint, protecting data in the cloud, leading by influence and the science of sex and its impact on the industry.

The conference closed with a moving keynote from diversity, equity and inclusion practitioner, spoken word artist, emcee and poetry specialist Charity Blackwell. Attendees enjoyed the immersive spoken word performance and keynote address exploring the meaning of owning your legacy through your work.

"The inaugural Security LeadHER event is a wrap, and what a success it was! My mind is full of new ideas, my LinkedIn account is full of new connections and my heart is full of gratitude for all the hard work done by the SIA and ASIS communities to make this event something to remember," said Elaine Palome, director of human resources, Americas, at Axis Communications and event co-chair for Security LeadHER. "It was so inspiring to see more than 300 women and their allies gathered together to share stories, ideas and knowledge. We are already thinking about next year’s event and hope you will join us."

"Our inaugural Security LeadHER event was a smashing success. The energy in the room was palpable," said Antoinette King, founder of Credo Cyber Consulting LLC and event co-chair for Security LeadHER. "Our opening keynote was delivered by Eliza VanCort. Eliza's insights on communication were incredibly helpful, and I walked away with many new communication tools. The education sessions were super insightful. Our closing keynote, Charity Blackwell, was simply masterful. I left the conference with so much excitement for the future of our industry!"

Security LeadHER 2023 was made possible in part thanks to the generous support of Featured Sponsor Apple; Premier Sponsors dormakaba, Intel and Wesco; Executive Sponsors Axis Communications and Securitas; and Partner Sponsors Allegion, Altronix, Boon Edam, Brivo, GSA Schedules, Inc., IDEMIA, Prosegur and SAGE Integration.

**About ASIS International**

Founded in 1955, ASIS International is the world’s largest membership organization for security management professionals. With 34,000 members hundreds of chapters across the globe, ASIS is recognized as the premier source for learning, networking, standards, and research. Through its board certifications, award-winning Security Management magazine, and Global Security Exchange (GSX) – the most influential event in the profession – ASIS ensures its members and the security community have access to the intelligence and resources necessary to protect their people, property, and information assets.

**About the Security Industry Association**

SIA is the leading trade association for global security solution providers, with over 1,400 innovative member companies representing thousands of security leaders and experts who shape the future of the security industry. SIA protects and advances its members' interests by advocating pro-industry policies and legislation at the federal and state levels, creating open industry standards that enable integration, advancing industry professionalism through education and training, opening global market opportunities, and collaborating with other like-minded organizations. As the premier sponsor of ISC Events expos and conferences, SIA ensures its members have access to top-level buyers and influencers, as well as unparalleled learning and network opportunities. SIA also enhances the position of its members in the security marketplace through SIA GovSummit, which brings together private industry with government decision makers, and Securing New Ground, the security industry's top executive conference for peer-to-peer networking.

Security LeadHER Wraps Groundbreaking Inaugural Conference for Women in Security

This new role of safeguarding cloud deployments requires an exceedingly rare set of technical and soft skills.

A team at a recent cloud-native industry event laughed out loud when they told us, "We just got out of a talk, and apparently we are now infrastructure security engineers." With the rampant layoffs in the tech industry, underlying the amusement of job titles is real uncertainty around expectations for thriving in that new role and associated ecosystem.

In the age of Kubernetes and cloud native application deployment, the infrastructure security engineer is a prize hire. But across dozens of job descriptions and practitioner interviews, we found that this role reflects an exceedingly difficult challenge: to be the best at both indirect influence and hard technical skills.

So what is infrastructure security engineering, anyway? The infrastructure or cloud security team sits at (no surprise) the infrastructure layer, versus the application layer. They are primarily concerned with deployment and the running cloud environment.

The first thing to understand about this role is how much the cloud security shared responsibility model requires of them. In the case of managed Kubernetes platforms, we can assume a general platform-as-a-service (PaaS) model. This implies a shared responsibility model that puts nearly the entire configuration of the cloud in the infrastructure security role's hands. In Google's own words, "For \[Google Kubernetes Engine\], you're responsible for protecting your worker nodes, including deploying patches to the OS, runtime and Kubernetes components, and of course securing your own workload."

But the shared responsibility model is just the start. No role exists in a vacuum, and the third most common requirement in this role, apart from vulnerability management and staying up to date on trends in the space, is imbuing best practices across other teams in the org. As one hiring manager put it, "Your primary responsibility will be to ensure that our engineering teams integrate security best practices into their workflows and deliver secure products and services."

There is an inherent friction in asking a development team to do anything that might slow down the flow of new features into production, even if it has been shown that teams baking security into their DevOps processes actually do deliver more quickly.

**What Infrastructure Security Engineers Need to Succeed**

What do hiring managers think will make candidates successful in the kind of role just described? Not surprisingly, the third most common requirement for this role — behind hands-on experience with cloud platforms and networking — is proficiency in scripting languages, combined with hands-on experience around any combination of infrastructure-as-code (IaC), HashiCorp's Terraform, and the continuous integration/continuous delivery (CI/CD) pipeline. Why? Because if you have never automated deployments with code, it will be impossible to share security best practices with the developers doing it on a daily basis.

The last common requirement in an infrastructure security role is an in-depth understanding of the end-to-end development pipeline. If a security engineer expects to keep up to speed on the latest in the cloud, influence development, and manage cloud vulnerabilities on a day-to-day basis, they need an understanding of efficiency, how it all works together, and how to prioritize.

Here are some more tips from our interviewees:

*   "If you are just looking at the cloud, don't forget Kubernetes. While it is deployed through managed cloud services more often than not these days, it cannot be addressed in the same way one would address vulnerabilities for cloud environments." — Director of cloud security
*   "Triage is critical. When my teams have failed in the past, it was usually because we kept chasing shiny things. By being disciplined and methodical about prioritization, we maintain confidence that we're working on the right problems at \[almost\] any given time." — Manager, infrastructure and IT security
*   "Don't underestimate engineering teams' interest in solving security problems. Empower them with data and context, and see how hungry they are to use it." — Manager, infrastructure and IT security

**Why This Could Be the Hardest Job**

Interestingly, in our research only one job description had a line item for "security reviews," where the role allowed the security team to say yes or no to development changes. This is telling in the context of other observations on the role of direct versus indirect influence over engineering and development; for example, the IaC knowledge is needed not for using it directly, but for being able to tell others how to use it.

Also, communication and mentoring were not listed among the most common job prerequisites, but half of the roles still had high expectations for this soft skill. This was especially true for the more senior positions.

Between the requirement to influence the development teams, the required knowledge of IaC tooling and automation, the need for communication and mentoring, and the near complete absence of formal security reviews, a view of the most successful infrastructure security professional begins to emerge. This person will have broad hands-on experience in the cloud ecosystem, as well as skills to influence and build credibility across skilled teams who are managing highly new, cutting-edge GitOps tools on a daily basis. That is a high bar, indeed!

The Infrastructure Security Engineer Is a Unicorn Among Thoroughbreds

The DDoS collective claims to be teaming up with ReVIL and Anonymous Sudan for destructive financial attacks in retaliation for US aid in Ukraine, but the partnerships (and danger) are far from verified.

The pro-Russian hacktivist collective known as Killnet claims to be working in concert with a resurgent form of the notorious ReVIL ransomware gang. The goal? To mount an attack on the Western financial system.

The group is warning that attacks are imminent, as in the next day or so; but it's unclear whether the threats amount to anything more than bluster and saber-rattling, particularly given Killnet's past track record of, at most, carrying out mildly disruptive distributed denial of service (DDoS) attacks.

Even so, in a video posted on a Russian Telegram channel on June 16, Killnet made ominous threats against the SWIFT banking system (famously targeted by Lazarus in 2018); the Wise international wire transfer system; the SEPA intra-Europe payments service; central banks in Europe and the US (i.e., the Federal Reserve); and other institutions.

"The post claims that threat actors from Killnet, REvil, and Anonymous Sudan will unite for the campaign," according to ZeroFox researchers, writing in a flash alert on the threat. "Killnet indicates that the attack is motivated by the US providing weapons to aid Ukraine, stating: 'repel the maniacs according to the formula, no money — no weapons — no Kiev regime.'"

**Killnet's New Besties: Real or Imaginary?**

When it comes to the claimed partnerships, Anonymous Sudan is an emergent DDoS player that targeted entities in France, Germany, the Netherlands, and Sweden earlier this year, ostensibly in retaliation for perceived anti-Islamic activity in each of these countries. However, despite this religious persona, Trustwave researchers in the past have tied Anonymous Sudan to Killnet, noting it could simply be a masked subsidiary.

As for ReVIL, which imploded in 2022 after a Russian takedown, evidence of a re-emergence is one day old: On June 15, a Telegram channel called, fittingly, "REvil," was created. It was used to circulate a shout-out ("Hello Killnet") that went on to be heavily re-posted in a Killnet-affiliated Telegram channel, according to ZeroFox.

"This is the only post in channel to date and no additional evidence substantiating the partnership has been observed," the researchers noted.

A previous whiff of ReVIL's resurrection came more than a year ago, when rumors surfaced that some members were regrouping — but nothing more came of it.

Killnet could be fabricating the ReVIL partnership to lend some heft and gravitas to its threats against some tough targets. While Killnet has successfully gone after big game before, such as the White House and SpaceX satellite comms in Ukraine, these had "limited impact, causing short service outages and disrupting access to information," ZeroFox researchers said. A ReVIL partnership that's more than a flight of fancy "would allow them greater access to vulnerability exploitation, network intrusion, and data exfiltration."

Absent that, "the \[threatened attacks\], if legitimate, are unlikely to result in mass or prolonged outages to Western banking infrastructure, despite the newly claimed relationships with REvil and Anonymous Sudan," they added.

Even so, the publicity push around a supposedly imminent financial catastrophe could be simply an effort to harry Western governments and financial institutions, ZeroFox concluded — or, given Killnet's penchant for shenanigans, just an attempt to garner attention and notoriety.

Killnet Threatens Imminent SWIFT, World Banking Attacks

MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.

Yet another MOVEit Transfer vulnerability, CVE-2023-35708, was discovered this week by Progress Software, the third that the company has disclosed, alongside CVE-2023-34362 and CVE-2023-35036.

The issue itself, detailed in an advisory released June 15 by the company, is another SQL injection vulnerability that could potentially allow unauthenticated attackers to gain access into MOVEit's database. Should attackers present a payload into the MOVEit Transfer application endpoint, they could ultimately modify the database content. Progress Software is encouraging MOVEit Transfer customers to take immediate action to help harden their MOVEit Transfer environments, noting that it is "extremely important" that users act as quickly as possible. 

"As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor," according to a press statement.  

**Government Agencies Under Cl0P Attack**

The release of the advisory detailing the latest vulnerability comes on the heels of CISA disclosing that federal agencies were impacted by the transfer tool at the hands of the Cl0p ransomware gang — part of the ongoing glut of attacks using what was once a zero-day bug in the platform (the first issue patched). In a statement to CNN, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said that CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.”

Two Department of Energy victims have been named: 1) Oak Ridge Associated Universities, a not-for-profit research center, and 2) Waste Isolation Pilot Plant - a contractor which disposes atomic energy waste.

Cyberattacks involving the use of the MOVEit Transfer program have now affected several US government agencies, alongside many other companies and organizations, who are now dealing with the loss of stolen information, disrupted systems, and sometimes even the demands of ransom payments. The victim count could reach into the hundreds. 

Though there haven't been any indications that threat actors have yet exploited the new vulnerability, MOVEit has asserted that it is communicating with customers to protect and create safer environments. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Third MOVEit Transfer Vulnerability Disclosed by Progress Software

Mobile users in the Middle East and Africa often download moneylending apps that ask for excessive permissions — an all too common issue in an area where mobile-only is the norm and cyber awareness is low.

Research emerged this week showing that mobile users in the Middle East and Africa are the third most-likely to install suspicious financial mobile apps — mainly in the form of apps purporting to offer microlending services, a popular practice in a region where many residents lack access to mainstream credit markets.

These "seemingly legitimate" financial mobile apps were found to request access to text messages, contacts and photos/videos before a loan can be provided. They then go on to collect personal data from users' smartphones as collateral in the case that the user delays a debt payment.

Unlike more legitimate microfinance options, these apps' operators ask permission to use the data collected from the smartphone in order to force the user to return the debt in various unscrupulous ways, according to Kaspersky's research. For instance, information can be dispatched to all the user's contacts informing them of the user's debt, accompanied by photos from the gallery.

"While users should certainly report any suspicious apps to Google, they also need to stay alert for apps that may ask for a little too much access to the device's resources. For example, why would a loan app need access to your camera, your photos, or other documents on your device? Always think carefully before giving permission to any app you've downloaded," says Chris Hauk, consumer privacy champion at Pixel Privacy.

**Cyber Maturity in Transition**

According to research by Kaspersky, throughout 2022 and the first quarter of 2023, 14% of installs of potentially unwanted mobile financial apps on Android phones were made by users in the Middle East, Turkey, Africa (META) region. Therefore, this region ranks third behind APAC and LATAM in terms of the number of installs of such apps.

There are several reasons that apps like these are making headway in the region. Paul Bischoff, consumer privacy advocate at Comparitech, points out that it's an emerging technology market, where mobile infrastructure an important and necessary tool that enables basic needs, and many users "are not prepared for the barrage of scams and malware on the Internet." For many, their mobile phone is their only computing device, their only banking outlet, their only communications link, and even their only TV.

In the case of the shady microlending apps, the fact that they're being used by people with few traditional financial options could translate to users more concerned with life goals than giving 100% attention to the apps' legitimacy and permissions. 

Another contributing factor is the lack of technology protections typically found elsewhere. For instance, even though Android holds a dominant market share of 78% in the Middle East and 80% in Africa, according to Kaspersky, Bischoff suspects some phones sold in the region may not come with access to standard Google services like the Play Store, leaving users to the vagaries of less-reputable app stores that are more likely to contain malware and other unwanted apps.

Meanwhile, Hauk says while Google does vet the apps it allows into the Google Play Store, the system is not specifically designed to check for apps like these over-permissioned lending apps, anyway.

**A Multifaceted Mobile Problem**

Tom Davison, senior director of engineering international at Lookout, notes that the challenge with mobile apps in the META region is multi-faceted, beyond just fully functioning apps being overzealous with the permissions they request, exposing user data. 

All the other mobile issues are present as well: Outdated versions of apps may contain known software vulnerabilities that can be exploited; and outright malicious versions of apps exist which may impersonate well-known brands, again putting users at risk. But the usual best practices, like only using trusted app stores, scrutinizing permissions requested by apps, and always applying software updates, are for now aspirational goals for many META users.

Davison notes, "The reality is, for most users, without some additional help, it can be very challenging to spot what is legitimate and what is not," especially if apps such as microlending offerings are potentially downloaded in a state of desperation, he adds.

To boot, awareness of bugs can be scattered, at best, especially given that in the Android ecosystem, it's up to every OEM to deploy its own patches, and the schedules can vary wildly between device-makers — it's a lot for a mobile-only, non-cyber-savvy person to keep up with. 

All of this underscores the need for a more institutional, private-sector, and security-company emphasis on boosting cyber fluency and maturity, awareness training, and vendor safety efforts in the region.

Dodgy Microlending Apps Stalk MEA Users, Highlighting Cyber Maturity Gaps

Threat groups created a fake security company, "High Sierra," with faux exploits and fake profiles for security researchers on GitHub and elsewhere, aiming to get targets to install their malware.

During the month of May, an unknown threat group created a malicious GitHub repository that claimed to contain a zero-day exploit for a vulnerability in the Signal messaging app. The attackers supported the credibility of the exploit by creating a fake security company — High Sierra Cyber Security — linked to a number of made-up profiles of security researchers.

That's according to research conducted by threat intelligence firm VulnCheck, which found that the level of effort that the attacker put into create a social presence around the fake security company and the fake exploits is on a whole other level compared to what researchers have seen in the past.

"They put in a decent amount of effort into building personas, if you will, for each of these characters — these actors that who would advertise the GitHub repositories with the actual malware," VulnCheck security researcher William Vu tells Dark Reading. "So they put a lot of time and effort into building, really, a fake security company, and that, to me, is kind of new."

Targeting security researchers is rare, but has a long history. In 2021, for example, Google's Threat Analysis Group (TAG) warned that North Korea-backed hackers had created a faux research blog and multiple fake Twitter profiles. Researchers would then be asked to collaborate on vulnerability research, and those who agreed would be sent a Visual Studio project file that would run custom malware to infect the target's system, according to Google TAG's analysis. Three months later, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the campaign.

A similar attack — also by North Korea — targeted security researchers by using LinkedIn accounts and acting as recruiters, according to research released in March by Mandiant.

The latest attack also uses social engineering to target the supply chain, says Mike Parkin, a senior technical engineer at Vulcan Cyber, a provider of enterprise cyber-risk remediation services.

"One of the core defenses against malicious packages is for developers to actually vet the package before they download and use it, and part of that vetting process is determining if the package was created by a trustworthy source, whether commercial or otherwise," he says. "If threat actors can do a good job of faking that, they have a better chance of getting a victim to download their package and then not give it as close of an inspection as they should."

**GitHub, WhatsApp, What's Next?**

VulnCheck contacted GitHub about the project hosting the fake exploit, and the page was taken down. A day later, however, the same group created a similar page advertising a WhatsApp zero-day exploit, VulnCheck's researchers stated in the advisory. That pattern continued, and each time the company notified GitHub of a new page, it was removed but a new project page would appear. Pages offering a purported Microsoft Exchange remote code execution (RCE) bug, a Discord zero-day RCE, and others continued the cat-and-mouse game, the company stated.

In each case, instead of an exploit, a Python file in the repository would — if run by the target — download an operating-system-specific binary. While most antivirus programs detected the Windows malware that the Python script loaded, only three of the 62 Linux host-based scanners detected that binary, VulnCheck stated.

The threat actor used a variety of social media profiles to push out links to the pages. While the technique has been used as a way to convince software developers to download vulnerable or malicious components as a way of infecting the supply chain, this attack seems more likely to gain access to security professionals' own research, Vu says.

"Security researchers and testers usually have their own research, and if I were going after security researchers this way, I would be looking to obtain their cache of real zero-day exploits, and any kind of corporate IP that they might have access to," he says.

**Not the Sharpest Tool in the Toolbox**

While companies should always educate their developers about the risks that come with online code and how to best vet projects and unknown developers to determine if they are legitimate, researchers need to learn to be wary too, says Erich Kron, security awareness advocate at KnowBe4.

"Running code that others have written, especially when available in free and open websites such as GitHub, always carries some risk," he said. "In this case, researchers looking at the code may even assume that the malicious parts are simply a piece of these zero days being disclosed, when in fact it's designed to infect their own systems."

For most security researchers, a little due diligence will go a long way. A little research would likely discover that the company behind the "security research" has no track record, and that the researchers have no history in the industry, says Vulcan Cyber's Parkin.

"If a package just appeared out of nowhere, and the developers all seem to be new on the scene? Red flags," he says. "The sad thing is that this will have some negative impact on newly active researchers who may not have any history yet, but it's also easy to tell the difference between someone who doesn't have a history because they're just getting started and someone who has no history because they don't exist."

Attackers Create Synthetic Security Researchers to Steal IP

Organizations need to prepare for security threats as summer holidays approach.

Summer is just around the corner, and every cybersecurity professional I know is braced for cybercriminals to take action. The Cybersecurity ad Infrastructure Security Agency (CISA), part of the Department of Homeland Security, warns that holidays are a period of heightened threat. That can be extrapolated to any time cybercriminals think IT security teams might be lean or preoccupied, such as the summer season, when workers typically take more time off and stay out of the office for longer.

Here are four top considerations to help IT security staff manage risks — even when they're short staffed with holidays and vacation schedules.

**1\. Beware of Taking Work and Hardware on Vacation**

From the malicious intentions of a thief to a well-intentioned passerby going through a device to reach its owner and seeing sensitive information, lost hardware can evolve from an inconvenience to a corporate reputation and compliance nightmare.

To avoid the risk of lost hardware, it's best practice for employees to leave company devices at home unless they need to work while traveling — especially when it comes to international travel. As a precaution in the event devices are lost or stolen, employees should keep any devices with company information locked. IT departments should mandate phishing-resistant multifactor authentication, require employees to change passwords at least every six months, implement stringent password requirements, or explore passwordless validation options.

**2\. Avoid Open Wi-fi and Public USB Ports**

While many employees are aware of the risks associated with using public Wi-Fi and charging ports, the convenience of sending a quick email from the airport or using public power outlets may be difficult to resist. It's essential to remain vigilant, because of the dangers of sneaky threat actors tapping into shared networks and infiltrating personal devices or corporate systems.

According to one survey, 40% of respondents had their information compromised while using public Wi-Fi. The Federal Communications Commission warns about "juice jacking," in which bad actors target travelers running low on battery power and load malware onto public USB charging stations to hack into electronic devices.

Work travel and quick check-ins while in transit make it difficult to completely avoid working in public. To avoid the security, compliance, and reputation risk of a hack, instruct employees on secure mobile working practices. Employees should use known, secure hotspots instead of connecting to public Wi-Fi. If Wi-Fi can't be avoided, they should use a virtual private network (VPN). Employees looking for a charge while on the go should only plug their chargers into AC power outlets, rather than public USB ports. This goes for company devices and personal devices that have access to company email or messaging applications, even if their primary use isn't for work.

**3\. Focus Security Training and Messaging About Holiday Cyber-Risks**

Many cyberattacks like ransomware happen on Friday afternoons, and if it's a holiday weekend, the risk is high. Threat actors rightly calculate that a distracted employee trying to wrap up their work week might inadvertently click a phishing link or a security team might be running with a skeleton crew because of vacation schedules. Due to this, organizations must especially fortify their defense posture and check crisis management/business continuity plans as we approach holiday weekends.

Companies should closely monitor networks and systems for suspicious activity by combining employee and AI-led strategies in order to maximize time and cost efficiency, allowing AI monitoring and data protection to fill in the gaps when IT teams are spread thin.

Security departments should also schedule security refresh trainings ahead of summer vacation season. Schedule thoughtfully to ensure employees have dedicated time to review security practices and absorb the information.

**4\. Now Is the Time for IT Security Teams to Mobilize**

It's necessary to develop plans to accomplish the preceding three steps and also ensure business can continue when an attack inevitably does occur. A business continuity plan will help you react appropriately and expeditiously in the event of an attack, thereby limiting the effects and scope of the crisis. Plans should include:

*   An outline of who needs to be involved and their responsibilities, with contingencies in place that account for staff vacation plans
*   Detection and initial analysis of the attack
*   Defining the scope of the attack
*   Determining the origination of the attack (who/what/where/when)
*   Determining if the attack has concluded or is ongoing
*   Determining how the attack occurred
*   Containing the impact and propagation of the attack
*   Eradicating the malware and vulnerabilities that may have permitted its ingress and propagation
*   Recovering data from hardened backups
*   Responding to regulatory and/or contractual obligations as a result of the breach

**Bad Actors Come Prepared, but So Can Companies**

Good security people prepare well. Relationships, training, awareness, technologies and incident response playbooks all help to manage and reduce risk. While long weekends and other time off are rarely true holidays for security professionals, there are steps we can take to prepare and protect our organizations, so employees can remain vigilant while also enjoying well-deserved time off.

Cybercrime Doesn't Take a Vacation

The new privileged access management and secrets management capabilities tackles access issues and secret sprawl across the cloud environment.

Hashi Corp expanded its identity-based security portfolio with new products for privileged access management and secrets management.

With organizations shifting more of their workloads to the cloud, they need to change how they handle privileged access management. Instead of relying on SSH keys and IP address-based security, HashiCorp Boundary enables secure user access across the cloud, the company said. A self-managed commercial offering of HashiCorp Boundary for secure remote user access, HashiCorp Boundary Enterprise relies on just-in-time credentials to provide lead-privileged access to users with single sign-on access to cloud infrastructure. The session recording capability provides an auditable record of all user and application actions so that security teams know what is happening within the environment.

Organizations are struggling with secret sprawl across different systems, tools, and environments. HashiCorp Cloud Platform (HCP) Vault Secrets provides simplified secrets management as a software-as-a-service offering. The new SaaS offering is designed for organizations that want to manage secrets with minimal overhead and cost, the company said. HCP Vault Secrets and secret syncing allow organizations to centrally manage secrets while allowing developers to use their existing cloud-native development workflows.

HCP Vault Secrets is currently in beta. There is a separate capability – Vault Secrets Operator for Kubernets – to synchronize Vault secrets to Kubernetes secrets and automatically rotate secrets without disrupting service. Vault Secrets Operator for Kubernetes is generally available for HCP Vault and Vault Enterprise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading