It's time to include messaging tool security in your cloud security program. Good first steps include tightening filter parameters on Slack and Teams.

Today, an increasing number of large enterprises, from financial institutions to healthcare, are using messaging and collaboration tools. According to a report by industry analyst firm International Data Corporation (IDC), worldwide revenue in the collaboration applications market grew 28.4% year over year in 2021 to $29.1 billion. "This growth was driven by a series of factors including companies expanding collaboration to more people, the purchase and integration of multiple solutions to better meet corporate needs, and price increases and/or feature upgrades." Yet these apps can instill a false sense of security, putting millions of users at risk for cyberattacks.

**Redefine What Makes a Trusted Environment**

When it comes to messaging security, organizations tend to have a myopic view that it's only about "email, email, email." True — email is far from dead. In fact, business email is increasing and remains the main incursion vector. Yet more sophisticated attacks are happening over Teams and Slack. People just don't realize it because they view these apps as internal tools and aren't taking the necessary steps to secure these platforms.

Let me explain. Access tokens, the keys to the Slack platform, tie together the scopes and permissions your app has obtained that allow it to read, write, and interact. I've seen attacks that target, exfiltrate, and abuse specific tokens. Let's say I steal your Slack token and send a message, as you, to all your colleagues and make them click on a link or download and execute something. Your device will never know about it. Slack will know that I'm coming from a different IP address, but it's a script that I executed. It's nothing that anybody else would see.

With Slack, you can impersonate another user or create a new app. With that I can use it as the a user or the app and write messages to everyone in the organization, messages like, "Click on this link," "Hey, here's the executable for you to update a Windows computer with the second half of this year's security updates," OR, "Hey, please reset my password" or whatever. Your colleagues — or whoever received this message — believe they're in a trusted environment, so they're more inclined to follow the instruction or click on that link or download that executable.

**Build Messaging Security into Overall Cloud Program**

Today, attackers are more likely to succeed when abusing messaging tools versus email because emails have a lot of safeguards in place, from spam and malware filters to sender authentication standards. In addition, email users are frequently warned by the FBI, security awareness training programs, their preferred retailers, banks, and other organizations to follow basic common sense security protocols such as, "Don't trust emails when they ask for urgent things." For messaging tools, however, there is little security guidance.

The wake-up call to the risks that these apps present will be when an organization goes through its logs and realizes the Slack token was compromised — something they don't have visibility into today. Instead, they'll only be able to realize that something weird was happening in their organization. Efforts by collaboration software providers to incorporate security features into their products are still in their infancy. Companies need more than basic malware scanning as zero-day malware or social engineering is still being missed.

Organizations need to include these messaging tools as part of their overall comprehensive cloud security strategy. In the meantime, below are a few immediate countermeasures you can take:

● **Don't federate with everybody.** If Company B wants to interact with Company A on Slack or another messaging app, you need to establish a relationship, also known as a federation. If you put a security flag in place, there's a handshake that happens that confirms: "Yes, both of us want to participate." It's not a one-way relationship that can be established.

Federate with the partners that you want to partner with, but don't be open to everybody. Build a workflow so that you can initiate a federation with interested parties, but not everybody can federate with your tenants.

● **It's the intention.** Just because you feel secure in Slack or in Teams doesn't mean you're secure. Just as we have learned with business email compromise, you should question the intention of the sender of the message to ensure their request is legitimate.

● **Watch that executable.** People still exchange executables on Slack and Teams, including malicious executables. Leverage  the filter capabilities built into Slack and Teams to only allow document exchange, no code exchange.

The intimate nature of these messaging tools may foster a false sense of security. In addition to the steps mentioned above, be sure to also continue to build a culture of security at your organization that educates your users on the potential risks these tools may pose. Your business depends on it. 

● **Enhance behavioral analytics and monitoring.** Leverage tools like CASB to inspect what users or apps are posting. This not only helps fend off common risks like malicious files or sensitive requests, but it also provides visibility into behaviors that are out of norm to then allow remediation.

How Popular Messaging Tools Instill a False Sense of Security

By paying attention to emerging threat intelligence, security leaders can be better prepared to defend against similar attack vectors in the future.

As the war in Ukraine extends into its second year, Russian threat actors have expanded the scope of their war-related espionage. This is part of a larger trend in which Russia is leveraging hybrid warfare tactics, such as cyber weapons, influence operations, and military force, in an attempt to overrun Ukrainian defenses. 

While most Russia-backed propaganda campaigns aimed at Ukraine have had little impact, Russian state-affiliated cyber and influence actors have not been deterred. These groups continue to seek alternative strategies inside and outside Ukraine. In the first six weeks of this year alone, Microsoft Threat Intelligence analysts found indications of Russian threat activity against organizations in at least 17 European nations. Many of these intrusions targeted the government sector.

By examining the lessons learned from Russian state operations and Ukraine's resilience, security leaders can create a broader playbook for defending against authoritarian aggression in the digital space. 

Moscow has relied heavily on cyber weapons and influence operations to access and conduct attacks on desired targets throughout the duration of its hybrid war. Its methods span a broad range of attack vectors, but three notable trends have emerged over the course of the conflict.

**Using Diverse Means To Gain Initial Access**

Russian threat actors have leveraged everything from exploiting Internet-facing applications to backdoored pirated software and ubiquitous spear-phishing to gain initial access to targets within and outside of Ukraine.

Seashell Blizzard (formerly Iridium), for example, has backdoored pirated versions of Microsoft Office to gain access to targeted organizations in Ukraine. The actor is also responsible for uploading a weaponized version of Windows 10 to Ukrainian forums, exploiting demand for low-cost versions of the software to gain access to government and other sensitive organizations in Ukraine.

Russian threat actors are also actively abusing technical trust relationships, targeting IT providers to reach more sensitive targets downstream without immediately triggering alerts. Hacker groups Forest Blizzard (formerly Strontium) and Secret Blizzard (formerly Krypton) both attempted to access an IT provider in Poland that counts sensitive sectors among its client base. Midnight Blizzard (formerly known as Nobelium), the same actor behind the SolarWinds intrusion, regularly attempts to compromise diplomatic organizations worldwide and foreign policy think tanks by first compromising cloud solutions and managed services providers that serve those organizations.

**Weaponizing 'Fact-Checking' To Spread Kremlin-Aligned Narratives**

Russian influence actors will often attempt to gain credibility by using the language and techniques associated with fact-checking to spread false claims. Social media accounts purporting to be fact-checking entities, like the Telegram channel War on Fakes, spread claims of "Ukrainian fakes" and allegedly "debunked" reports of Russian attacks on civilian and critical infrastructure. In reality, these operations attempt to turn the truth on its head and spread Russian propaganda.

**Spreading Leaked Information To Target Political Opponents**

Pro-Russian actors consistently spread purportedly leaked information online to target political figures and governments supportive of Kyiv. While this is not a new tactic for Russia, hack-and-leak operations have become increasingly prevalent during the war. These operations can be more effective than other types of influence operations because leaks are often difficult to authenticate or debunk, making them an effective tool to amplify existing divisions and tensions by allegedly exposing sensitive information.

Throughout the course of the war, Russia's destructive cyberattacks and influence operations have been used to sporadically amplify military operations in Ukraine. While Kremlin-backed digital operations have not yet successfully deterred Ukrainian resistance or degraded foreign support to Ukraine, there are many indicators we might look for to detect Russian escalation in the digital space. By paying attention to emerging threat intelligence, security leaders can be better prepared to defend against similar attack vectors moving forward.

Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine

The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.

Microsoft’s Patch Tuesday security update for June 2023 contains patches for 69 vulnerabilities across its suite of products and software. Some of the fixed flaws were originally submitted to the Zero Day Institute during the Pwn2Own competition earlier this year in Vancouver.

Microsoft identified a total six of the bugs it fixed this month as being of critical severity and 62 as important. Just one is rated moderate in severity. For the first time in months, Microsoft did not disclose any zero-days, vulnerabilities that are already under active attack.

**Prioritizing Patches for Critical Bugs**

The security updates address issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.

The critical elevation of privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357) was one of the bugs chained together in a successful exploit during the Pwn2Own competition, Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), wrote in a blog post. Attackers have a chance at gaining administrator privileges on the SharePoint Server if they have spoofed JSON Web Token (JWT) authentication tokens — all without requiring any user interaction. Both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

Microsoft recommended that on-premises customers enable the AMSI feature. Childs said ZDI's team had not yet tested the workaround but said that the "best bet is to test and deploy the update as soon as possible."

The three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015) all have the same base severity score of 9.8 — and this is the third month that Microsoft is addressing critical severity flaws in PGM. A remote, unauthenticated attacker could send a specially crafted file over the network and execute malicious code in a Windows PGM server environment where the Windows message queuing service is running. Even though PGM is not enabled by default, many organizations have PGM in their environment since it is a protocol used for reliable multicast data delivery in Windows. PGM is commonly used in applications like video streaming and online gaming.

The fact that the attacker does not need to be authenticated makes this a particularly dangerous issue. As a temporary workaround, administrators can check if Message Queuing service is running on TCP port 1801 and disable it if not needed. Mitigations should not be considered substitutes for patching, as attackers can figure out ways to bypass the workaround and still exploit the vulnerability.

The other two critical vulnerabilities to prioritize are the remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and the denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).

**Prioritize the "More Likely" to Be Exploited Ones, Too**

There are several vulnerabilities researchers recommend prioritizing as Microsoft considers them "more likely" to be exploited. The remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) would allow an authenticated attacker on the same intranet as the Exchange Server to launch to a PowerShell remote session to arbitrarily execute code.

Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. This vulnerability is a bypass of two previously fixed vulnerabilities (CVE-2022-41082 was a zero-day flaw disclosed last September and patched in November, and CVE-2023-21529 patched in Feburary). While successfully exploiting this flaw can gain SYSTEM privileges, this is not a critical-severity flaw because the attacker needs to already have an account on the Exchange server. CVE-2022-41082 is one of two so-called "ProxyNotShell" flaws in Exchange Server and has been used in ransomware attacks in the past.

Organizations need to prioritize fixing both Exchange vulnerabilities because attackers can chain these flaws as part of a larger campaign where they steal credentials or gain elevated privileges on the network.

Two other elevation of privilege vulnerabilities — one in the Windows graphics device interface (GDI) and the other in the Windows Win32k kernel driver — lets attackers gain SYSTEM privileges.

Microsoft Fixes 69 Bugs, but None Are Zero-Days

**SAN FRANCISCO, June 12, 2023** – Cycode, the leading application security platform, today announced the launch of Cimon, a seamless solution that enhances the security of CI/CD pipelines to prevent software supply chain attacks such as those that targeted SolarWinds and Codecov.  

CI/CD pipelines currently lack visibility, making them the most sensitive link in the SDLC, and many organizations have thousands of unmonitored pipelines prone to supply chain attacks. Cimon stops these attacks by utilizing the innovative solution of eBPF (extended Berkeley Packet Filter), a technology that provides visibility into the build system, including thwarting malicious behavior, with minimal disruption.

With this visibility, Cimon can inspect - network connections, running processes and file modifications within the CI pipeline — to learn standard behaviors. This knowledge enables Cimon to detect and prevent abnormalities, including real-time threats and zero-day attacks.  

"We offer free and easy integration with many CI/CD tools for organizations to secure their pipelines without delay time or errors," said Ronen Slavin, co-founder and CTO of Cycode. "As Cimon saves time in vulnerability and threat response procedures, teams can implement and adopt security measures without worry of error or exhaustion."

With Cimon, organizations can expect: 

● **Prevention of CI Attacks:** With low effort and seamless integration, users remain protected against all possible attacks on the CI pipeline, including zero-day attacks 

● **Instant Threat Detection:** Cimon prevents attacks such as malicious package installation, typosquatting, repojacking, dependency confusion, dependency hijacking and other dependency attacks 

● **Easy Integration:** Cimon is developer friendly and is easily integrated with popular CI/CD tools, comprehensive documentation requiring minimal configuration and integration with the development environment, such as GitHub 

Cimon is the new superhero for organizations' CI/CD pipelines and is free to use. More information about Cycode and Cimon is available online. 

**About Cycode**

Cycode's modern approach to application security enables organizations to effectively secure their cloud-native applications with cost-efficient use of tooling and staff across the SDLC. The Cycode platform makes AppSec tools better through its Knowledge Graph, which provides complete context of the SDLC to improve accuracy and reduce mean-time-to-remediation (MTTR). Cycode merges the top eight AppSec tools into the industry’s most advanced and comprehensive AppSec platform. By correlating data across these tools Cycode offers new capabilities, like Pipeline Composition Analysis which identifies vulnerable dependencies and security issues missed by legacy tools like SCA and SAST — across the entire SDLC; pinpoints vulnerable dependency locations; and prioritizes threats by exploitability.

Cycode Launches CI/CD Pipeline Monitoring Solution (Cimon) to Prevent Supply Chain Attacks

Threat actors have grown increasingly sophisticated in applying social engineering tactics against their victims, which is key to this oft-underrated cybercriminal scam's success.

Business email compromise (BEC) continues to evolve on the back of sophisticated targeting and social engineering, costing business worldwide more than $50 billion in the last 10 years — a figure that reflected a growth in business losses to BEC of 17% year-over-year in 2022, according to the FBI.

The agency's Internet Crime Complaint Center (IC3) 2022 report on BEC found that US business have lost more than $17 billion to these types of scams between October 2013 and December 2022, with global businesses counting losses of nearly $51 billion for the same period, according reports that the IC3 receives from organizations.

The number of organizations that have reported falling victim to BEC in the US alone over these years is 137, 601 across all 50 states — a number that's likely higher as it represents only the incidents that have been reported to the FBI, security professionals say. This means the total losses attributed to BEC for companies not just in the US but also globally is probably a lot higher than reported numbers as well, they say.

Despite organizations' overall increased awareness of and defense against BEC — which has been an attack vector for more than a decade — it continues to represent a thriving cybercriminal activity.

Security professionals attribute BEC's continued dominance in the cyber threat landscape to a number of reasons. A key one is that attackers have become increasingly savvy in how to socially-engineer messages so that they appear authentic to users, which is the key to being successful at this scam, Oren Falkowitz, field chief security officer for Cloudflare, tells Dark Reading.

"Successful BEC is not about being clever, it is about authenticity and achieving legitimacy in the eyes of the victim," Falkowitz says in an email. "Part of seeming legitimate is following physical events and trends in the news closely — which end up being leveraged and having resonance in cyberspace."

One example of this is the IC3's call-out of an uptick in attacks on the real estate sector, which reported a loss of $446.1 million to BEC in 2022. While this represented only a slight increase over a reported loss of $430.5 million from that sector in 2021, that figure showed nearly a doubling of BEC losses in real estate from 2020, during which real-estate organizations reported a loss of $258.4 million, according to the IC3.

This surge in BEC attacks on real estate appears to be continuing due to struggles in that sector, of which threat actors have noted and are taking advantage, Falkowitz says. "BEC having a nexus to the real estate sector in this year's report could be traced back to the commercial real estate crunch and the repurposing of cities," he says.

**Silent, But Deadly**

BEC is a type of attack in which threat actors use deception and impersonation to compromise legitimate business or personal email accounts to conduct an unauthorized transfer of funds or otherwise defraud a victim by obtaining access to personally identifiable information (PII) related to financial accounts.

Due to its inherent nature, BEC is well known for causing major financial loss not only for companies but also individuals. However, the rise in notoriety of ransomware over the past couple of years has allowed BEC attackers to fly somewhat under the radar while significantly boosting their impact, another contributing factor to its rise, notes one security expert.

"While ransomware has been grabbing the headlines over the past two years, BEC has quietly said 'hold my beer,' while surpassing itself as the most prolific and costliest form of cybercrime," Mika Aalto, co-founder and CEO at enterprise security awareness firm Hoxhunt**,** says.

He cited the Verizon DBIR reported released last week, which found that the cost and incidence of BEC doubled over 2022. In fact, the security industry's focus on ransomware may have actually contributed to BEC's rise during this time, as law enforcement have pursued ransomware gangs, imposing sanctions and leading to tightened cyber-insurance policies, while "BEC remains low-risk and highly profitable," Aalto says.

The rise of social engineering in general as a successful tactic by cybercriminals also is adding to the insidious and robust nature of BEC, security professionals say. In fact, another notable finding of Verizon DBIR report is that phishing and "pretexting," — i.e., impersonation of the sort commonly used in BEC attacks — dominated social-engineering scene last year. In 2022, pretexting gambits — which add to the perceived legitimacy of BEC attacks — nearly doubled since the year before and now represent 50% of all social engineering attacks, the report found.

"Social engineering is all about trust, and by gaining access to someone's account — usually someone in a position of authority — and masquerading as that person, the attacker lowers the barrier of trust immensely as they manipulate victims into ill-advised activities," Aalto notes.

**How the Enterprise Can Respond**

The continued success of BEC means these attacks are here to stay, which means organizations will be forced to respond with even stronger security measures, security experts say.

"The problem isn't going away," concurs Avkash Kathiriya, senior vice president of research and innovation at threat intelligence management firm Cyware. "While enterprises have made significant progress, they are still vulnerable to social engineering, while smaller businesses and individuals are being targeted by increasingly sophisticated scams."

Due to the key success factor of these scams — exploitation of the human element and weak points in an organization's security infrastructure — it is "particularly challenging to defend against using traditional security measures alone," observes Igor Volovich, vice president of compliance strategy at compliance firm Qmulos.

For this reason, he advises that organizations move towards continuous monitoring and assessment of their internal security controls in real time, which will allow them to "promptly detect control anomalies or failures that can lead to successful BEC incidents," he says.

"This approach provides organizations with the agility to respond swiftly to emerging threats, reducing the window of opportunity for scammers to exploit vulnerabilities, converging the timelines between security, compliance, and risk management to deliver a unified, real-time picture of enterprise risk posture," Volovich says.

Generative AI — which BEC attackers are increasingly using in the form of ChatGPT and other technologies to help them craft socially engineered messages — could also be leveraged by organizations to defend against attacks, says Patrick Harr, CEO at anti-phishing firm SlashNext.

"IT security pros need to implement AI capabilities which combine natural language processing, computer vision, and machine learning with relationship graphs and deep contextualization to thwart sophisticated multi-channel messaging attacks," he says.

Organizations should also strengthen workforce education efforts to help employees identify malicious campaigns and messages — which typically employ fake social media profiles, blogs, email accounts, and the like to establish trust and rapport — leveraged by BEC attackers, Harr adds.

Indeed, as BEC attacks commonly originate from phishing campaigns or social engineering methods, "it's paramount that organizations foster a robust cyber awareness training culture," concurs Jay Gohil, risk manager at Cowbell, a provider of AI-powered cyber insurance.

Analysis: Social Engineering Drives BEC Losses to $50B Globally

Mandiant's ongoing investigation of UNC3886 has uncovered new details of threat actors' TTPs.

A Chinese cyber-espionage group that researchers previously have spotted targeting VMware ESXi hosts has quietly been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs).

Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been following for some time and whom they reported on last year. They disclosed the vulnerability to VMware, which released a patch addressing the flaw on Tuesday.

**Authentication Bypass Zero-Day**

The zero-day vulnerability (CVE-2023-208670) is present in VMware Tools, a set of services and modules for enhanced management of guest operating systems.

The bug gives attackers a way to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest virtual machines without the need for guest credentials — and without any default logging of the activity happening. VMware assessed the flaw as being of medium severity because to exploit it an attacker already needs to have root access over an ESXi host.

Mandiant found UNC3886 using CVE-2023-208670 as part of a larger and sophisticated attack chain that its researchers have been unraveling over the past several months.

In September 2022, Mandiant reported uncovering UNC3886 using poisoned vSphere Installation Bundles, or VIBs, to install multiple backdoors — collectively dubbed VirtualPITA and VirtualPIE — on ESXi hypervisors. The backdoors enabled the attackers to maintain persistent administrative access to the hypervisor, to route commands through the hypervisor for execution on guest VMs, and for transferring files between the hypervisor and guest machines. The malware bundle also allowed UNC3886 actor to tamper with the hypervisor's logging service and to execute arbitrary commend between guest VMs on the same hypervisor.

Mandiant's analysis at the time showed the threat actor required admin-level privileges on the ESXi hypervisor to deploy the backdoors. But it found no evidence of UNC3886 actors leveraging any zero-day vulnerability to break into the ESXi environment or to deploy the weaponized VIBs.

**New Details on Threat Actor's Tactics and Methods**

The security vendor's continuing investigation of UNC3886's campaign — summarized in a technical report this week — uncovered new details on the threat actor's tactics and methods. They found, for instance, the threat actor harvesting credentials for connected ESXi service accounts from vCenter Server appliance and exploiting CVE-2023-20867 to execute privileged commands across guest virtual machines. Mandiant's research also showed UNC3886 actors deploying backdoors — including VirtualPITA and another called VirtualGATE — using the Virtual Machine Communication Interface (VMCI) socket for lateral movement and additional persistence. "This … enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place," Mandiant said.

Mandiant's report this week goes into the technical details on the entire attack chain beginning with the threat actor gaining privileged access to an organization's vCenter server and retrieving service account credentials for all connected ESXi hosts. The report goes on to describe how UNC3886 actors used the credentials to connect to ESXi hosts, deploy VirtualPITA and VirtualPIE backdoors on them using VIBs and then exploiting CVE-2023-208670 to execute commands for transferring files to and from guess VMs.

The threat actor targeted ESXi hosts belonging to defense, technology and telecommunications companies, Mandiant said.

"To enable connections to many ESXi hosts at once, UNC3886 targeted vCenter servers, each \[of which\] administrate multiple ESXi hosts," says Alex Marvi, a consultant at Google Cloud's Mandiant. "Each ESXi host creates a service account called the 'vpxuser' when it is initially connected to a vCenter server. UNC3886 was seen harvesting this vpxuser account on vCenter servers so they could connect with administrative rights to all connected ESXi hosts." Once connected to the ESXi hosts, the threat actor leveraged CVE-2023-20867 to run commands and transfer files on running guest machines without the need for the guest’s credentials, he says.

**Previously Unseen Techniques**

The harvesting of connected ESXi service account credentials on vCenter servers and the capabilities of the VMCI socket backdoor are two new techniques that Mandiant has not seen utilized by other attackers in the past, Marvi says. "This should help organizations detect and respond to this attack path, regardless of the exact malware being deployed or commands being used."

Mandiant has assessed UNC3886 as a threat actor that is particularly adept at targeting and exploiting zero-day bugs in firewall and virtualization technologies that do not support endpoint detection and response technologies. Its primary targets have been in the US and on organizations in the Asia-Pacific region and Japan. According to Marvi, UNC3886 has demonstrated the ability to switch up attacker paths and tactics when needed. He points to a novel set of malware tools the threat actor deployed on Fortinet devices as evidence of its abilities and access to resources needed to carry out highly sophisticated attacks.

"UNC3886 has shown itself to be a flexible, yet highly capable threat actor, which will modify open source projects to complete their mission," he says. "I would argue that this group’s TTPs are more dynamic than unique, built around the exact needs to either regain access or persist in an environment with whatever they are given access to."

Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs

Threat actors have created over 3,000 domains, some as old as two years, to lure in customers to false, name brand websites for personal financial gain.

Threat actors have been impersonating more than 100 apparel, clothing, and footwear brands such as Nike, New Balance, and Vans to lure customers as part of a malicious phishing scam since June 2022.

The threat research team from Bolster.ai identified more than 3,000 registered domains and around 6,000 sites carried out by threat actors with the intent to target the customers of these popular brands to steal account credentials and financial information. Other brands that have been affected include Doc Martens, Miu Miu, Converse, and Etsy, an American e-commerce company that hosts countless small businesses on its site.

As the height of its campaign activity between November 2022 and February 2023, the malicious actors were adding around 300 new fraudulent sites on a monthly basis, the researchers said. The attackers followed a simple naming convention for these domains: combining the brand name with a city or country, followed by a generic top-level domain such as .com.

Many of the domains were old, some even two years old, which helped boost the success of this scam. The older a domain name, the less likely they are to be flagged by security tools as being malicious. Old domains also help boost global malvertising campaigns because those sites have time to be indexed by Google, tend to rank higher in search terms, and can lure in users who assume that a page ranking high in search must be credible. 

**Notable for Fraud Risk**

These domains were traced back to Autonomous System number AS48950, (which refers to IP prefixes run by network operators) — and the domains' IP addresses are hosted by Packet Exchange Limited and Global Colocation Limited. Both Internet service providers are known for fraud risk, according to Bolster.ai. 

Companies can mitigate these risks by training employees to be aware and take note of the signs for impersonation attempts and phishing scams, using cybersecurity software to block attempts to begin with, and even using artificial intelligence (AI) to automate these processes.

Popular Apparel, Clothing Brands Being Used in Massive Phishing Scam

The average cost of a data breach is $4.35 million. Understand the power of public key infrastructure (PKI) and its role in encrypting data and battling breaches.

Identity is the key to unlocking zero-trust environments, but it is also the key to a lucrative payday for cybercriminals selling prized company data and personal information.

In recent years, data breaches (and their impact on companies and affected individuals) have made headlines. Data breaches have affected a variety of industries including financial services organizations Equifax and CapitalOne, energy company Colonial Pipeline, and fast-food chain Chick-Fil-A. While these companies were well-known before their data breaches, if the world did not know their names prior to making headlines for breaches, they do now.

**Understanding the Power of PKI**

The best way to protect anything is by keeping it under lock and key, but for information stored in the cloud or exchanged electronically, a physical lock and key is futile. Public key infrastructure (PKI) serves as a cybersecurity lock-and-key system that protects data and resources, as well as authenticates access, secures communications, and provides data integrity and non-repudiation. PKI is widely used in secure email communication, digital signatures, secure Web browsing (HTTPS), virtual private networks (VPNs), and secure online transactions, and other applications.

At PKI's core is asymmetric cryptography, which uses key pairs: a public key and a private key. The public key is widely distributed and used to encrypt information while the corresponding private key is kept secret and used for decryption. Once these keys are inserted into individual devices and applications, they work to encrypt data and authenticate connected devices and applications.

Imagine your organization has a mailroom that houses feedback boxes for all the departments in the company. Each department's feedback box and the mailroom have a public key that allows anyone in the company to unlock any department's box and drop a message into it. However, the head of each department has a private key that only they possess. This private key is mathematically related to the public key and is the only key in the entire company that can unlock a department's feedback box to access messages or decrypt anything in the box that is encrypted.

**How PKI Encrypts Data**

Since PKI uses mathematically related keys to encrypt and decrypt data, only the private key can decrypt data that is encrypted with the public key. Therefore, data in transit cannot be intercepted, and when at rest on a device or database, encrypted data cannot be read even if stolen because thieves will not have the private key to unlock it.

If you deploy and use PKI across a corporate network, you can establish a zero-trust environment by authenticating and encrypting everything that is written to or retrieved from a server or device. For example, if your website uses a TLS/SSL certificate to encrypt communications between a customer's browsers and your website's server, you are using PKI encryption. As the backbone of enterprise network security, deploying PKI is extremely complex.

**Benefits of Cloud-Based PKI**

Deploying and maintaining PKI requires a lot of resources and talent, but it's critical for protecting company data. Many organizations find deploying PKI in the cloud and as a service (PKIaaS) to be a better option than doing it all in-house. Cloud PKIaaS offers several benefits for enterprises of all sizes, such as:

**Rapid deployment:** PKI has come a long way since its inception. While it used to be a system that required on-premises deployment, it can now be deployed entirely through the cloud. Cloud PKI can be integrated into existing security systems and operational within a matter of days.

**Agility:** PKI has been around for decades and is already deployed in most infrastructures with Microsoft Certificate Authority (CA). PKIaaS provides a straightforward way to migrate from Microsoft CA without changing your enterprise infrastructure.

**Scalability:** Cloud PKIaaS enables organizations to scale as they grow and expand use cases without incurring additional hardware or infrastructure costs.

**Security:** Not only is encrypted data useless without the decryption key but so are your keys to the kingdom: private keys. PKIaaS protects private keys in Federal Information Process Standards (FIPS)-compliant hardware security modules (HSMs) stored in geographically dispersed data centers capable of withstanding nuclear attacks.

**Cost savings:** By leveraging the existing capabilities of your organization's devices, software, and hardware, cloud PKI maximizes your IT investment by eliminating costs of acquiring new devices or tools.

With the average cost of a data breach at $4.35 million in 2022, deploying PKI and encrypting data are more cost-effective than becoming the victim of a breach. For more information on PKI encryption, we recommend reading our Encrypt Everything e-book for strategies to help develop a data breach battle plan.

**About the Author**

    

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).

Harness the Power of PKI to Battle Data Breaches

Vendors and buyers both have the power to make the industry a better place. What's needed is more collaboration, mutual support, and respect.

Security leaders are tired of aggressive sales tactics, and cybersecurity companies must change the way they go about acquiring customers. Thankfully, more and more people are becoming vocal about this problem, so I am optimistic it will get better over time. I have been reading a lot of great advice about how cybersecurity startups should engage with security leaders. Some of the best ones, in my opinion, are CISO Manifesto: Rules for Vendors (I would call this one by Gary Hayslip a required read for any security vendor) and 63 CISO Buyer Insights Carefully Curated for Cybersecurity Marketers.

The topic that doesn't get any attention, however, is how security leaders can make the lives of cybersecurity vendors easier. You see, a market is a two-way street, and only when both parties do their best to treat one another well can we make security a better place to be in. I previously discussed how security leaders can accelerate innovation in cybersecurity. In this piece, I will examine how chief information security officers (CISOs) should approach cybersecurity startups.

**Start From a Place of Curiosity**

Although some startup founders are in it exclusively for the money, most of the ones I meet are genuinely passionate about solving hard problems. Cybersecurity companies are started by security practitioners and CISOs, and they don't typically quit their jobs so they can make the industry a terrible place to be in (at least, not intentionally). While you may not agree with a founder's view of the world, recognizing that it has the right to exist and being curious about it is a great start. Without innovative founders willing to take risks, our industry would not have been able to evolve.

**Articulate the Problem You're Trying to Solve and Provide Context**

When asked, "What does your product do?" the only right answer is often this: "It depends." Without understanding the context and the problem you are looking to solve, vendors have no choice but to offload the list of features instead of explaining how (and if) their offerings can address your needs. This doesn't make it easier for the buyer to understand how all of these features can be useful for their particular need. Conversations that start by clearly articulating a problem instead of listing abbreviations a customer is looking to buy, tend to be the most productive for everyone involved.

**Remember That People Who Work for Vendors Are Also Trying to Feed Their Families**

Sales development representative is one of the lowest-paid and hardest occupations, and it's not uncommon for companies to hire fresh graduates and entry-level workers for these roles. Companies that use aggressive sales tactics should be held accountable. To do that, it's a good idea to leave a review online, call out the vendor on social media, tell your peers, and don't buy from the company. However, there is no need to tell the poor person trying to put bread on their table what you think of them, their family, and their life. Remember: They probably hate their job anyway and do it to survive; cold-calling is a soul-crushing grind.

**Proactively Offer Transparent Feedback**

As someone who works in product, I know firsthand how hard it can be to get users to provide feedback and ideas, or even report gaps. Most people, even those working for companies you don't agree with, are genuinely trying to do work they can be proud of. Hearing new ideas and perspectives helps startups innovate and prioritize solving the right problems — the bug that has been annoying your team could probably have been fixed a year ago, if it had been reported.

**Recommend Companies You Trust to Your Peers**

Early-stage startups are struggling to get the word out about their work. To discourage companies from using unethical, aggressive sales methods, it is important to not only bring attention to the bad in the industry, but also to evangelize the good. If there is a company you believe in, tell your peers about it, make an introduction to someone who may benefit from their work, publish a good review on social media, or even give them a testimonial they can put on their website. Best of all — you can do all or some of this even if you aren't able to adopt the product at your organization.

**Say It How It Is**

It is painful to witness security leaders and their teams ghost vendors after spending time going through demos, and even doing a few weeks-long proof of concepts. Managing expectations should be simple: If you see that you won't be able to implement the solution within the timelines you've initially communicated — just say so and provide a new target. This will help the vendor to update its forecasting and plan capacity of support teams. If you decide to not go ahead with the solution — send the people you spoke with a brief email — "Here is what we decided and here is why." If you want to be extra helpful, you can also share some feedback about the experience, what went well, and what the vendor can do better.

Both parties — vendors and buyers — have the power to help make the industry a better place. What we need is more collaboration, mutual support, and respect. At the end of the day, we are all fighting on the same side.

How Security Leaders Should Approach Cybersecurity Startups

While protecting critical infrastructure seems daunting, here are some critical steps the industry can take now to become more cyber resilient and mitigate risks.

There continues to be a lot of pressure on security leaders to do more with less, but today's sophisticated and frequent cyberattacks only exacerbate the situation. And the bad news is these cyber incidents, particularly ransomware attacks, are not going away any time soon. In fact, they are becoming more prevalent in areas like critical infrastructure, supply chain, and financial institutions. For example, the Cybersecurity and Infrastructure Security Agency (CISA) observed ransomware incidents against 14 of the 16 US critical infrastructure sectors in 2021.

As one of the fastest growing types of cybercrime, the financial implications of ransomware have become more pronounced in recent years. These attacks cause more widespread damage than other single-target attacks, so it makes sense that we are seeing an increased response from government and technology vendors to fight off ransomware events. Is it enough?

**RVWP: An Important First Step**

In March 2022, CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) program aimed at helping critical infrastructure organizations protect their systems against ransomware attacks by fixing vulnerabilities. While a good first step, to fully protect against ransomware and other cyberattacks, organizations need a security plan with multiple layers that includes technology measures, employee training, and well-defined and enforced security policies. However, it's clear that not all critical infrastructure providers employ best security practices, which is why the RVWP was initiated. But it doesn't go far enough.

While ransomware operators will absolutely take advantage of newly discovered vulnerabilities to infect targets, these are attacks of opportunity. Widespread network exploitation events impacting critical infrastructure are relatively infrequent these days, although smaller-scale attacks against well-known vulnerabilities persist and still have some level of success.

It's important to note that in the downtime between major vulnerability discoveries, ransomware operators most often use watering-hole attacks, spear phishing, malicious advertising, and other social-engineering tactics that exploit humans to gain a foothold in network environments. No amount of network scanning and reporting will mitigate these risks, so critical infrastructure will continue to be impacted by ransomware.

**GootLoader: An Example of Malware's Spread**

To better understand the potential impact, take a look at GootLoader, a popular malware that gives threat actors initial access to the victim's IT environment. GootLoader is a prime example of a ransomware tactic that can infiltrate an organization's network, and no amount of preventative scanning can stop it. At a high level, GootLoader uses search engine optimization (SEO) poisoning to lure and infect victims and compromise legitimate WordPress websites. If a user clicks on one of these websites and deploys the malware, it gives the threat actors a foothold on the network.

GootLoader does not seem to specifically target critical infrastructure entities, but they should still be concerned. In monitoring GootLoader, we have tracked over 700,000 URLs injected with the malware, and those contain around 3.5 million phrases that someone might use in a keyword search. I did a quick search, and here is a partial list of terms seen in the GootLoader landing pages that someone working in critical infrastructure might search for:

*   Advance Payment in Government Contracts
*   Agreement on Government Procurement
*   Aviation Service Agreement
*   Bermuda Agreement Aviation
*   Civil Aviation Agreement
*   Electricity Meter Operator Agreement
*   General Terms Agreement Aviation
*   Georgia Utility Laws
*   Joint Operating Agreement Oil And Gas
*   Nuclear Power Construction Labor Agreement
*   Oil And Gas Commercial Agreements
*   Oil And Gas Confidentiality Agreement
*   Oil and Gas Asset Purchase Agreement
*   Service Agreement Oil And Gas
*   Signature Aviation Cooperation Agreement
*   Sustainable Aviation Fuel Agreement
*   Texas Utility Laws
*   Transportation Lease Agreement
*   Types of Oil and Gas Joint Venture Agreements
*   Utility Company Agreement
*   Utility Easement Laws in Florida
*   Utility Services Agreement
*   What Is a Master Service Agreement Oil and Gas

**Next Steps to Mitigate Risks**

While protecting critical infrastructure may seem daunting, there are some critical first steps the industry can take now to become more cyber resilient and mitigate risks:

1.  **Training:** In an ideal world, CISA would expand on the RVWP to provide free end-user training and phishing simulations to critical infrastructure providers through third-party security providers.
2.  **Improving search engines:** The industry needs to encourage search engine companies to proactively search for and remove malicious ads and search results from their platforms. CISA could also implement a program to scan for and report malicious ads and search results directly to the responsible teams at the major search engines for rapid mitigation.
3.  **Understanding malware:** Security teams need better insight into ransomware operations' kill chain. For example, remapping dangerous file extensions to open in Notepad instead of executing an application can break the chain so that many types of malware cannot gain a foothold on the network.

Adding these measures could have a far greater impact on stopping the proliferation of ransomware than the current program alone.

Source

DARKReading