Secure email gateways and end users alike are being fooled by a cyberattack campaign that's enjoying skyrocketing volumes against businesses in every industry, globally.

A high-volume credential-harvesting campaign is using a legitimate email newsletter program named SuperMailer to blast out a significant number of phishing emails designed to evade secure email gateway (SEG) protections.

According to a report from Cofense on May 23, the campaign has snowballed so much that SuperMailer-created emails account for a significant 5% of all credential phishes within the firm's telemetry in the month of May so far. The threat seems to be exponentially growing: The monthly volume of the activity overall has more than doubled in three out of the past four months — notable even in a landscape where credential phishing is growing overall.

"Combining SuperMailer's customization features and sending capabilities with evasion tactics, the threat actors behind the campaign have delivered tailored, legitimate-looking emails to inboxes spanning every industry," explained Brad Haas, cyber threat intelligence analyst at Cofense and author of the research.

And indeed, Cofense reports that the threat actors behind the activity are casting a wide net, hoping to haul in victims in a varied sea of industries, including construction, consumer goods, energy, financial services, food service, government, healthcare, information and analytics, insurance, manufacturing, media, mining, professional services, retail, technology, transportation, and utilities.

**Supersized Phishing With SuperMailer**

What makes the numbers even more interesting is the fact that SuperMailer is a somewhat obscure German-based newsletter product that has nowhere near the scale of more well-known email generators such as ExpertSender or SendGrid, Hass tells Dark Reading — yet it's still behind wide swathes of malicious emails.

"SuperMailer is desktop software that can be downloaded for free or for a nominal fee from a number of sites that may be completely unassociated with the developer," he says. "A free version of SuperMailer was released on CNET in 2019, and since that point has had approximately 1,700 downloads. This number is low in comparison to many popular software downloads, but we do not have any other information on the number of legitimate organizational users."

SuperMailer did not immediately respond to Dark Reading's request for comment. But since the clients are propagated via third-party websites and have no server or cloud component, Haas notes that SuperMailer's metaphorical hands are tied when it comes to rooting out the activity.

"In the past, we've seen large, cloud-based services abused to send phishing emails or create unique URL redirects pointing to phishing pages, but those services often catch and combat the activity after a period of time," he says. "We do not know the extent to which the SuperMailer developer is capable of fighting this abuse."

That in of itself makes SuperMailer attractive to cybercriminals. But the other reason is that it offers an attractive disguise for getting past SEGs and ultimately end users, thanks to some unique features.

**Evading Email Security With Ease**

"This is another example of threat actors abusing tools that were designed for legitimate purposes," Haas notes, adding that features that legitimate users find helpful will also appeal to crooks. "This already happens in the penetration testing arena, where open source penetration testing tools are regularly abused by threat actors to conduct actual threat activity," he says.

In this case, SuperMailer offers compatibility with several email systems, which allows threat actors to spread their sending operation across multiple services — this decreases the risk that a SEG or upstream email server will classify emails as unwanted due to reputation.

"The threat actors likely have access to a variety of compromised accounts, and they use SuperMailer's sending features to rotate through them," Haas wrote in his report on the threat.

The SuperMailer-generated campaigns also take advantage of template customization features, like the ability to automatically populate a recipient's name, email, organization name, email reply chains, and more — all of which boosts the legitimacy of the email for targets.

The software also doesn't flag open redirects — legitimate Web pages that automatically redirect to any URL included as a parameter. That allows bad actors to use completely legitimate URLs as first-stage phishing links.

"If a SEG does not follow the redirect, it will only check the content or reputation of the legitimate website," Haas said in the report. "Although open redirects are generally considered to be a weakness, they can often be found even on high-profile sites. For example, the campaigns we analyzed used an open redirect on YouTube."

**Defending Against the SuperMailer Threat**

Cofense has been able to track the SuperMailer activity thanks to a coding mistake that the attackers made while crafting the email templates: The emails have all included a unique string showing that they were produced by SuperMailer. However, parsing messages for that string or more broadly blocking entire legitimate mailing services isn't the answer.

"We haven't yet uncovered any default characteristics that would allow us to broadly block emails generated by SuperMailer," Haas says. "In this case, the identifiable characteristics were discoverable only due to a mistake by the threat actor. Without the mistake, it wouldn't be feasible, as those characteristics are not visible in every SuperMailer email."

However, he notes that there are other characteristics that would identify the emails as potential security threats, even without knowing their origin — including their content. An example would be non-target-specific email reply chains appended to the messages.

This is especially important given that Cofense has discovered that the SuperMailer phishes are part of a larger set of activity that has accounted for a full 14% of phishing emails landing in inboxes in May in the Cofense telemetry. Haas explained that all of the emails — SuperMailer-sent and the others — share certain indicators that tie them all together, such as the use of URL randomization.

"Human intuition is often much better at recognizing these differences," Haas says "so training employees to be vigilant against phishing threats is a critical element of good cyber defense."

SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft

Widespread cyber incidents will happen, but unlike natural disasters, specific security controls can help prevent a catastrophe.

Risk aggregation is not a new phenomenon. The insurance industry, for example, has long examined how shared assets and similarities between organizations in their books bundle potential risk. Risk aggregation is the grouping of compounded risks together to understand the overall risk to an organization, a region, an industry, and more. For example, if a hurricane hit a specific region, the potential property damage could result in a cluster of insurance claims; this is considered an aggregate risk.

Insurance providers have to consider both the implications of aggregate risk and those risks compounding to create a singular, catastrophic event that affects a large number of policyholders. Think of this like an insurer choosing to sell home insurance to everyone in a city, then a hurricane destroys every house in that city — it would lead to massive volumes of claims.

We haven't seen such an event in cyber _yet_, but the worry is that one massive cyber incident could result in an unmanageable chain of technological events that becomes catastrophic for businesses, even economies, around the world. And as cybercriminals get bolder, the possibility of compounding cyber-risk factors becomes a more significant concern.

However, aggregate risk plays out a little differently in cyber. During a hurricane, you cannot move the houses in the path of a hurricane to a different location to avoid damage. But organizations _can_ implement specific security controls to help prevent a catastrophe during a cyber incident. Whether that's implementing defensive measures against distributed denial-of-service attacks, patching the latest severe vulnerability, or deploying applications to multicloud or regional clouds, there are many ways to reduce aggregate risk — and even avoid a catastrophe — in cyber.

When considering aggregate cyber-risk, security professionals shouldn't get caught up in clickbait headlines. They need to understand two things in order to proactively secure their organizations: One, cyber-risk is constantly changing, and two, when informed by data-driven insights, aggregate cyber-risk does not need to become catastrophic.

**Cyber-Risk Is Volatile and Dynamic, But So Is Technology**

Cyber-risk is ever-changing because new vulnerabilities crop up daily, making it especially hard to predict how risk will evolve. Case in point: Coalition estimates that the number of Common Vulnerabilities and Exposures (CVEs) will increase by 13% from 2022 to 2023. This number will likely continue to grow year-over-year as more researchers enter the field and more technology is introduced.

However, the rising number of CVEs should not scare security professionals into thinking all hope is lost. There is still a ceiling for the number of organizations that attackers can target and the volume of vulnerabilities they can exploit. The dynamics of the growing risk landscape parallel mitigation: Detection speeds are also increasing, and software updates and patches are getting released more quickly to resolve newly detected issues. Basically, we're getting smarter along with our attackers.

Instead, it would serve the industry to think about risk aggregation at a more personal, granular level: Address the most significant risk areas specific to your organization or industry first because that's often where the most pain can be inflicted.

Security professionals may also need to change how they typically discuss risk to make it a broader C-suite conversation. For example, communicating about risk in terms of dollar signs — not vulnerability severity scores — can help a CFO decide how much insurance coverage they should purchase.

**A Data-Driven Approach to Modeling Cyber-Risk**

The truth is that cybersecurity is manageable and can be properly underwritten, given the right data and technical expertise. Ironically, more data exists about cyber-risk than any other risk in the world. Using this massive amount of data to our advantage can help dramatically impact aggregate cyber-risk’s impact on organizations.

In a Coalition simulation modeled against a sampling of 5,000 top-growth US companies, we discovered that a cyber event with a one-in-250-year likelihood could cost more than $370 million in losses. When extrapolated across the entire US economy, a catastrophic cyber event could cost $30 billion in total losses.

But our model also uncovered that a catastrophic event is far more likely to be localized. Looking at aggregation technologies and vendors — the shared technology infrastructure on which aggregate cyber-risk is built — we can see that cyber-risks aren't as interconnected as you'd think. Assets aren't all located in the same homogeneous physical locations or virtual environments.

For example, if a cloud services provider were to go out, it's highly improbable that this would happen globally; it would more likely impact only a specific segment. While cloud computing providers operate hundreds of thousands of physical servers and millions of virtual machines around the globe, their infrastructure and operations are highly segmented, which would prevent the failure of any one element from spilling over to another.

**It's Not About Eliminating Risk, but Managing It**

We can't prevent a catastrophic cyber event or know the extent to which risk aggregation could be catastrophic, especially because there are no historical examples to guide the way. Cyber is a dynamic and complex type of risk, and insurance providers can't treat it with the same typical aggregation techniques used in the past.

Understanding cyber-risk starts with being comfortable with change and using the right skills and mindset to chip away at the unknowns. Cyber-risk is knowable and quantifiable, even if it will likely be unpredictable.

What Security Professionals Need to Know About Aggregate Cyber-Risk

Victims of the cybercrime schemes are coerced to participate through violence and having their belongings taken away.

The FBI is warning US citizens that are traveling to or living abroad in Southeast Asia of false advertisements leading to labor trafficking, where individuals are intimidated and forced to involve themselves in international cryptocurrency investment fraud schemes.

Criminal actors, primarily belonging to Chinese crime groups, post fake job advertisements on employment sites and social media, offering jobs such as call center customer service representatives and beauty salon technicians. These fake advertisements reach potential victims on a global scale, including those from countries like Bangladesh, Brazil, China, Ethiopia, Hong Kong, India, Japan, Russia, Vietnam, Zimbabwe, as well as the US.

By reeling in their victims' interest with promises of competitive salaries and a wide range of supposed benefits, criminal actors manage to convince these individuals to travel to the "job location" where they are ultimately coerced to commit criminal cryptocurrency acts, by confiscating their personal items and threatening them with violence.

"This activity continues to expand at an alarming rate, with thousands of new victims trafficked every month, while industrial sized scam and money laundering operations expand far beyond the pace of any response," Jason Tower, Myanmar country director at the United States Institute of Peace and cyber trafficking expert, said in a column.

The FBI is encouraging people to do their research on any company and job opportunity before accepting a position, to be careful when the benefits and salary do not align with a job offer, and to share their contact information and employment details with those close to them.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FBI: Human Trafficking Rings Force Job Seekers Into Cryptojacking Schemes

Changes in the way risk is viewed are leading to changes in the way training is conducted.

Cybersecurity awareness training has always, at one level, been about risk. Whether you subscribe to the notion that employees are your first line of defense (they're not) or that employees are your last line of defense (there you go), it really can't be argued that employee behavior plays no role in the risk facing an organization. This statement is true whether we're talking about cybersecurity or construction site safety, but the last year has seen a dramatic change in the ways that companies talk about, think about, and act on the connection between risk and employee training.

One of the strongest drivers of this change has been the role of cyber-insurance providers in the cybersecurity industry. Cyber insurance is now seen as a product as necessary as property and casualty insurance for most companies. And since cyber-insurance companies charge for their product — a product based on risk — the cost of that product, and therefore the cost of risk, has bubbled to the top of the business conversation topic list.

**A New Goal**

Today, the goal of cybersecurity awareness training is less about creating an educated workforce and more about reducing the risk of an uneducated workforce. Those might seem to be two sides of the same coin, but there is a critical difference: how success is demonstrated. If the goal is to produce an educated workforce, then assessing training success can come through tests that ask questions about the lesson just taught. The key is finding out whether the student gained information from the lesson.

If, on the other hand, the goal is to reduce the risk of an uneducated workforce, then assessing training success must come through a demonstration of changed behavior. The issue is not whether the student acquired information but whether the student puts that information to use to behave in a way that is less risky for the organization. Put simply, it's not what the employees _know_ but what they _do_ that matters.

**The New/Old Training**

Cybersecurity awareness training has always been a two-part educational service. The first part is knowledge transfer, while the second part is changed behavior. The new goals and new conversations don't change that fundamental makeup, but they do change the emphasis of the process and how it is thought of throughout the organization.

With the emphasis shifting to reduced risk, the spotlight is on changed employee behavior. Customers, then, will force training providers to discuss how they change behavior (and measure that change) rather than how they engage employees or keep employees' interest over the length of a training course. Many companies will frankly not care how a training product works as long as it produces the desired, measurable change in risk.

Some training providers are beginning to recognize the shift and more change is on the way. During the training evolution, it is likely that the industry will see muddied messages, new ways of describing the product and new ways of measuring training success. Customers who make the most of the changing reality will be those who remember that the two primary pieces of cybersecurity awareness training haven't changed — the training providers who have produced the best results in the past are likely to have a solid starting advantage as we move into the future.

A New Look for Risk in Awareness Training

Threat actors are circumventing geo-location-based security detections, using a combination of cybercrime-as-a-service platforms and the purchasing of local IP addresses.

Attackers have found a new way to avoid detection in business email compromise (BEC) and account takeover attacks by buying locally generated IP addresses to mask the origin of their login attempts, thus circumventing the common "impossible travel" security detection, Microsoft is warning.

An impossible travel flag occurs when a task is performed at two locations in a shorter amount of time than would be required to travel from one location to the other — for instance, if Employee A always logs on from Boston at 9 a.m., then a login attempt an hour later from Singapore would raise a red flag. However, masking the actual origin IP address from which a malicious task is coming provides "the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts" from anywhere, Microsoft researchers wrote in a blog post.

Threat actors are using a combination of platforms such as BulletProftLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to help them evade the flag, Microsoft Security researchers revealed. 

BulletProftLink sells an end-to-end service, including templates, hosting, and automated services for committing BEC — essentially providing cybercrime-as-a-service (CaaS). The abuse of residential IP addresses meanwhile allows for higher volumes of BEC attacks, the researchers warned. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.

"Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent 'impossible travel' flags, and open a gateway to conduct further attacks," according to Microsoft, which added that threat actors in Asia and Eastern Europe are the ones most frequently deploying this tactic.

**A Growing Tide of Business Email Compromise**

The warning comes against a backdrop of escalating numbers of BEC campaigns. Indeed, the FBI reported that in 2022, it logged more than 21,000 BEC complaints, amounting to adjusted losses of more than $2.7 billion. Microsoft said that nearly all forms of BEC attacks are on the rise, with the top lures among the socially engineered campaigns including payroll topics, invoices, gift cards, and business information.

"Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers," the researchers wrote in the post.

Top targets for BEC cybercriminals are executives and other senior leaders, finance managers, and human resources staff with access to employee records like Social Security numbers, tax statements, or other personally identifiable information, the company said.

Attackers also like to target new employees who may be less likely to verify unknown sender email addresses, the researchers said. Indeed, attackers successfully breached security vendor Dragos by targeting a new employee with a socially engineered attack, allowing them to log into the company's employee-onboarding process.

**Protection & Mitigation Against Local IP Tactics**

While "masquerading behind different IPs/proxies" has been in use by threat actors for more than a decade, its increased use in BEC attacks should serve as a reminder to organizations that they need to practice more vigilance in flagging suspicious network activity, notes one security expert.

In particular, organizations need to use more than geo-location to evaluate the authenticity of an attempt to access a network, says Roy Akerman, co-founder and CEO of cloud and SaaS security firm Rezonate. Instead, full behavioral analysis is the way to go.

"Additional behavioral information on the browser details, actions taken, pattern of usage, and others should be taken into account to limit the usage and stealing of identities," he says in an email to Dark Reading.

There are also other steps that enterprises can take to stop BEC campaigns that attempt to circumvent the impossible travel flag, Microsoft said. The company suggested that enterprises configure mail systems to flag messages sent from external parties, as well as enable DMARC and notifications for when email senders are not verified.

Organizations also should block senders with identities that they cannot independently confirm and report their mails as phishing or spam in email apps, the researchers said.

Setting up strong authentication policies, such as multifactor authentication (MFA), can also help thwart BEC campaigns, making accounts **"**more resistant to the risk of compromised credentials and brute-force login attempts, regardless of address space attackers use," the researchers also noted.

Employee training in how to spot fraudulent and malicious emails should be commonplace among organizations at this point given the frequency with which attackers use BEC and phishing to compromise accounts, as well as their continued success rate and the cost associated with these attacks, the researchers said.

Microsoft: BEC Attackers Evade 'Impossible Travel' Flags With Residential IP Addresses

A February 2022 attack knocked the giant tire maker's North American operations offline for several days.

As a CISO that helped his company navigate through the aftermath of a crippling ransomware attack last year, Bridgestone Americas' Tom Corridon says his biggest advice for other organizations is to designate key decision-makers for handling such crises before they happen.

Not having a clear-cut line of action at the executive level in advance can exacerbate the consequences of a cyberattack and allow the attacker an opportunity to create more damage, Corridon said in an interview at Accenture's third annual virtual OT cybersecurity summit last week..

"When you want to pull a lever, when you want to make a decision about disconnecting networks, or paying a ransom, who makes those decisions?" Corridon said. "To know that going in is really, really important because then you are not caught flatfooted. You are not caught looking around the room going, 'is that you, or is that me?'"

The February 2022 ransomware attack on Bridgestone led to the tire giant to shut down its networks at manufacturing and retreading facilities in North America and Latin America for several days. The well-known ransomware group LockBit 2.0 later claimed credit for the attack and announced plans to publicly leak data accessed from Bridgestone's systems if the company did not comply with the group's ransomware demand.

Bridgestone later disclosed that the cyberattackers had accessed business records as well as files containing Social Security numbers, bank information, and other sensitive data on some of its customers. But the company has released no other details of the attack since then, including whether it paid the LockBit gang a ransom or not. 

The attack was one of several last year that affected operating technology (OT) networks at industrial and manufacturing companies in the US and elsewhere. A second-quarter 2022 analysis of ransomware attacks from Dragos showed most attacks (68%) on industrial organizations targeted the manufacturing sector.

**Tabletop Exercises for Executives**

Corridon's interview at the Accenture virtual event steered clear of the details of the attack, the damage it had caused, and the recovery effort. However, it focused on several lessons the company was able to take away from the attack. The biggest, according to Corridon, is knowing who makes crucial decisions during an unfolding crisis, and how.

Corridon advocates that organizations that do tabletop exercises for their technical team need to have a parallel scenario-based exercise that involves key executives and decision-makers. Just like incident management processes have two threads — one technical and one for executives — so, too, should tabletop exercises.

Another key consideration is that the executives in charge of making critical decisions during a ransomware attack need to be comfortable making them without a lot of data. 

"They need to be comfortable making decisions in the moment that are going to feel like gut decisions or rash decisions," Corridon noted. "But we need to be prepared for that because the longer you sit on a decision and you analyze it and think it through and wait for that perfect decision to land in your lap, the more time the threat actor has to go further into your environment and do more damage."

**Never Let a Good Crisis Go to Waste**

According to Corridon, who was interim CISO at Bridgestone when the attack happened, one silver lining with major security events is the heightened awareness and willingness to change that it can foster. In the year since the attack, Bridgestone has implemented security changes that would otherwise have taken years to convince executives of, push through, and enable, he said.

He advised that security teams take a never-let-a-good-crisis-go-to waste approach to push through change, if they are unfortunate enough to experience a major security breach. 

"In an incident, your executives have a front-row seat to the action," Corridon said. "So, they are walking away with a better understanding of terms they never wanted to understand or wanted to know." 

That heightened awareness and understanding often means they are more prepared to give security teams the money and resources they need to implement a stronger security posture moving forward. "They are prepared for change \[because\] they have a taste in their mouth of a bad experience," he says.

Similar change can be harder to achieve in the lower echelons, where concerns over everyday jobs and goals can quickly relegate security concerns to the backburner once an immediate crisis has passed, Corridon acknowledged. Therefore, it's important to always keep cybersecurity a relevant and top of mind topic for employees. In much the same way that OT environments emphasize physical safety precautions, organizations need to make cybersecurity a part of the daily routine for employees.

One way to begin getting stakeholders to think differently about cyber resilience is to stop describing breaches and attacks as security incidents. "An incident is when you trip and fall or somebody unplugs something by accident," he said. A ransomware attack, on the other hand, is a criminal act against the company. 

"Having that reframing of thought can go a long way," Corridon said. "The words you use as you are going through the event and actually recognizing it as a crime against the organization is a first step."

Bridgestone CISO: Lessons From Ransomware Attack Include Acting, Not Thinking

Shorter certificate lifespans are beneficial, but they require a rethink of how to properly manage them.

On March 3, Google (via The Chromium Projects, which it controls) proposed a plan to drastically shorten the lifespan of Transport Layer Security (TLS) digital certificates, from 398 days to 90 days. This will spur significant changes in how organizations manage their certificates, particularly regarding automated processes.

The proposal by the open source body behind the Google Chrome browser and Chrome OS, included in a road map called "Moving Forward, Together," is a positive step toward ensuring more reliable, robust Web operations. But it will require companies and other organizations to significantly transform their certificate processes.

The lifespan of digital certificates has fallen steadily over the past decade, from five years in 2012 to a little more than two years in 2018 to 13 months, or 398 days, in July 2020. The shorter lifespans help ensure the accuracy of digital identities, especially in a cloud-based computing environment where websites and services are constantly being spun up or down to accommodate changing demands and priorities.

Google said the proposed changes would allow for faster adoption of improvements, such as best practices and new security capabilities, and encourage organizations to move away from time-consuming and error-prone manual processes. The resulting move toward automation would also better prepare organizations for the advent of post-quantum cryptography.

**A Wake-up Call for Certificate Monitoring**

If adopted, the Chromium Projects' proposal to the CA/Browser Forum — a consortium of certification authorities (CA), browser makers, and others — would most likely take effect by the end of 2024. And although the changes are not set in stone, the prospects of a considerably shorter lifespan should serve as a wake-up call for organizations. They need to get greater control and visibility over their public keys and certificates, because the proposal is a sure sign that the game has changed.

The five-year life of certificates from a decade ago reflected a different time, when teams could get a certificate for, say, a Web server and then pretty much forget about it. They never developed a routine for checking to see if certificates were about to expire or for renewing them, which could lead to certificate-related outages. The eventual shortening of certificate life to 398 days helped put teams on a schedule they could get comfortable with, checking regularly for expirations.

As organizations expand in the cloud, visibility of TLS (also known as Secure Sockets Layer, or SSL) certificates is critical. And the layered, increasingly complex environments in the cloud are beyond the ability of teams to keep track of manually. Now, with the proposed new validity period, it's about automating the process.

Currently, organizations dedicate their resources to the people and processes necessary for installing certificates. In the near future, they'll need people and resources for automating the process, which will involve programming and maintaining new software. The focus will shift somewhat from knowledge of public key infrastructure (PKI) — which is at the core of TLS — to internal infrastructure knowledge.

**Centralized Monitoring Is Critical**

To manage the certificate workload, organizations will need to centralize certificate monitoring in order to easily identify certificates that are about to expire. Without a centralized view, it's still possible to spin up a server, get a certificate for it, and then forget about it, which can lead to disaster. A 2022 Ponemon Institute study found that half of respondents had suffered at least one certificate-related attack in the previous two years, and that 58% of them described the financial consequences as "severe."

Centralized monitoring also involves more than checking expiration dates on certificates. Organizations also will need to monitor how certificates are being used on their servers. It's not uncommon for certificates to be deployed to the wrong servers, leaving some servers without the certificates they need for their workloads. In a small company with a handful of employees, everyone may know what's running where. But in a 5,000-person enterprise, it can be impossible to keep track of it all without a centralized view.

The interconnected nature of business operations may also require that TLS visibility extend to supply chains, because a compromise of even a small system within a connected environment can have a huge impact on operations. Organizations may want to consider the advantage of outside monitoring services, rather than keeping everything in-house.

**Looking Ahead**

The full impact of the Chromium Projects' proposal has yet to be determined. There seems to be a couple of gray areas, such as whether it might apply to Internet of Things devices such as, for example, security cameras that also use certificates, or if it's limited to just Web servers.

But no matter what happens with the proposal, it reflects the reality of today's environment. Shorter certificate lifespans are beneficial, but organizations will certainly need to rethink how they can properly manage them.

Enterprises Must Prepare Now for Shorter TLS Certificate Lifespans

Security vendors, businesses, and US government agencies need to work together to fight ransomware and protect critical infrastructure.

Cyber threats have a long reach. What seems like a low-level cyber incident can have a larger ripple effect, impacting millions of innocent people. A password breach that occurs in a private company, such as Colonial Pipeline, can end up taking down sections of the critical infrastructure, for example. The line between attacks on the public sector and private interests are blurring, and now, with new directives and initiatives from the Biden administration — along with new departments within federal agencies — the government seems committed to collaborating with companies to address emerging cyber threats.

Both government agencies and private vendors already see the value in building partnerships.

"Partnering with the private sector is critical for advancing our mission of accelerating commercial adoption of technology across many sectors, especially in cybersecurity," says Pat Gould, director of the Defense Innovation Unit (DIU) Cyber Portfolio.

The private-sector view is similar — the need to collaborate is critical, and it is about time that efforts are being made to facilitate such a partnership. Initiatives like the National Cybersecurity Strategy, for example, are bringing in private-sector security vendors to share threat information or provide solutions and tools that are beyond government scope.

Mick Baccio, global security advisor with Splunk, admits the ability to work together has been hindered by the private sector's inherent distrust of government, especially as administrations and congressional leadership change.

"Building credibility is tough to do in this atmosphere," says Baccio, "but thanks to a push by the current administration, the continuity that cybersecurity and the private-public partnership needed is finally in place."

Executive orders with guidelines to facilitate improved security across the supply chain, for example, can be canceled the moment a new president takes office. The Cybersecurity and Infrastructure Security Agency (CISA) is one of the government agency's attempts to bake public-private cybersecurity efforts into its mission.

**Government's Role in Collaboration**

A few agencies are uniquely set up to focus on collaboration with the private sector. Beyond its high-profile work in keeping voting systems safe, CISA is responsible for securing critical infrastructure in cooperation with companies.

The FBI has worked closely with both public and private entities for years, but as cybercrime — particularly ransomware — ramps up, so too has the outreach from the FBI to the private sector.

Many other agencies also have similar security-related outreach built in, like the Department of Energy. Because many areas of the energy critical infrastructure are owned and operated by corporations, the department needs to build partnerships not only to keep the infrastructure safe but also to prevent disinformation and misinformation that could cause a national panic. (The Colonial Pipeline cyber incident is a prime example, when poor communication led to gas shortages on the East Coast two years ago.)

The Cybersecurity Collaboration Center (CCC), part of the National Security Agency, was established three years ago, and it signifies a shift in how the government works with private-sector vendors to share information and expertise to scale mitigations, according to the center's chief, Morgan Adamski.

"We're looking at the quality of our relationships over the quantity," Adamski said during a 2023 RSA Conference panel on public-private partnerships. She said CCC will share threat analytics with cybersecurity companies that have the broadest outreach, which could provide protection for billions of customers.

However, some argue that this trickle-down information sharing hampers security efforts.

"The argument is that working with fewer but larger vendors will minimize the chance of leaks while protecting the most people because they'll have more threat intel to share," wrote Mike Wiacek, founder and CEO of Stairwell, in a Dark Reading article. "But I would argue that making the research collaborations more inclusive would not only level the playing field among vendors but also increase the diversity of threat intel sources and apply more human expert intelligence to the problems."

**What Private Vendors Bring**

Innovation comes from small companies, which file more than 14 times more patents in the US than larger businesses and universities do. Government and large enterprises rely on strategic partnerships with smaller security vendors to build out their cybersecurity programs.

Government is more than federal agencies, says Merlin Cyber CEO David Phelps. States, counties, and especially municipalities don't have large budgets or staffing to manage cybersecurity needs.

"They need the outreach to the private sector to help address cybersecurity concerns," Phelps says.

Vendors may have a better — or at least different — view into the threat landscape and can work quickly to come up with the right tools or solution for a government entity at a more affordable rate than is charged to the private sector. Not only can community governments take advantage of the lower cost, but because they are using an approved government vendor, they now have federal oversight.

Having similar tools, knowledge base, threat landscape, and product behavior as businesses gives CISA a broader view of what's happening across a larger swath of the critical infrastructure.

"By actually having government entities of all sizes using the same platforms, threats will be a lot more visible as an ecosystem," says Phelps.

The value of having partnerships like this is having a private sector that has the flexibility and funding to investigate threats in ways that the government can't. Larger businesses within the private sector can invest in startups that are developing cutting-edge technologies. This agility and scalability are among the most important contributions the private sector provides.

**United Against Ransomware**

The fight against ransomware is a good example of a public-private collaboration. The FBI actively works with private vendors to not only identify ransomware, but also to defend against ransomware crime rings and nation-state actors. Partnering on this type of attack works well because ransomware attacks tend to have a lot of similarities.

"Because all of the actors use the same tools and services, all of our options increase," explained Cynthia Kaiser, deputy assistant director with the FBI, during the RSA panel.

For example, in 2019 government agencies learned that a global Russian-distributed botnet was using a US company to implant malware in millions of devices. The FBI worked closely with that company and different government agencies to find a solution to counter this malicious activity and cut off the command-and-control infrastructure of the global botnet before it could do any more damage.

When an incident occurs, the most vital pieces of information come from the victimized organization. The victims become partners with government agencies, sharing details about what happened and what they continue to see happening in their networks. The government agencies gather that information and help the companies put the threats into context.

"A key part of collaboration is that it is bidirectional, and it's critical that people come early and often to that trusted relationship to have the \[cybersecurity\] conversation," CCC's Adamski said.

Improving Cybersecurity Requires Building Better Public-Private Cooperation

The climate of concern around open source security and supply chain attacks may have caused a small story to become a big one.

Following a temporary suspension of all new users and package uploads, the Python Package Index (PyPI) repository is back up and running. Many noted that the culprit was the flooding of the site with a glut of malicious packages -- but a PyPI administrator noted that there was no unusual glut, simply fewer people than usual to address the usual glut.

PyPI is the official software repository for Python, serving over 700,000 users and over 450,000 projects, according to the site's homepage. Its popularity has attracted not just developers but hackers who like to upload malicious packages as a first step in supply chain breaches.

Beginning Saturday afternoon (UTC), PyPI temporarily suspended new user and project registrations. "The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the site's admins wrote in an incident report.

The statement raised eyebrows across the security community, with many news sites reporting the site as falling victim to either an anomalous wave of malicious activity or even an outright cyberattack. And, the research firm Checkmarx in a blog characterized the situation as part of an uptick in “actors publishing overwhelming amounts of malicious packages in several open-source registries.”

But Ee Durbin, director of infrastructure for the Python Software Foundation, tells Dark Reading that the actual circumstances of the shutdown were much less dramatic than they were made out to be.

"This weekend was just a matter of human capacity," Durbin says. "Effectively, there was just one PyPI admin available to handle reports out of the usual three, and they (I) needed a weekend."

As of the evening of May 21 (UTC), PyPI was once again operating as usual, with its administrative team available in force.

**Why We Worry About Open Source Software Repos**

At least some portion of the hubbub around PyPI's 30-hour shutdown can be explained by growing fears around the state of open source security.

"We've seen the number of attacks skyrocket over the past two years," says Peter Morgan, co-founder and CSO of Phylum. In the first quarter of 2023, Phylum analyzed 2.8 million packages published to popular repos like PyPI, npm, and Nuget, 18,016 of which executed suspicious code upon installation, 6,099 referenced known malicious URLs, and 2,189 targeted specific organizations.

Malicious packages run so rampant today that some hackers hardly feel the need to hide them anymore.

"More and more attackers are realizing how easy this is to do. It doesn't require any skill. You can download scripts off of the Internet and use them to pollute the open source supply chain," Morgan explains. "Also, it's costless. You don't need to spend any money. You can do it for free with anonymous accounts."

With software today, Morgan continues, "there are so many dependencies. All an attacker has to do is get one foot in the dependency chain to get a hold in your computer. So the defender \[has a\] massive disadvantage here. The attacker only has to win once."

By contrast, organizations that utilize open source software — read: _all_ organizations — have a far more difficult time defending against even such low-level attackers, prompting calls for better package inspection, the development of new tools to track dependencies, and software bills of materials (SBOMs).

Those in charge of maintaining the repos acknowledge these issues as much as anybody. "Regular caution should always be exercised when installing from a public index, whether in your projects or on the command line with 'pip install,'" Durbin says.

**Repos Make Changes to Battle Malicious Packages**

Historically, repositories have struggled to keep up with their far more numerous adversaries. To assuage concerns, though, Durbin tells of how "we have exciting developments that will allow for much more sustainable and potentially automated handling of malware reports coming soon."

The Python Software Foundation also recently added a security developer-in-residence role, meant to improve Python security at large. And just a couple of weeks ago, Durbin announced that PyPI will bring on a safety and security engineer, whose job will be to focus on PyPI's security in particular.

Supply chain security in years to come will turn on our ability to keep public repos clean and protect ourselves when they're not. "Everyone is very, very focused on finding things that have vulnerabilities," Durbin concludes, "but software vulnerabilities are not what attackers are using to break into computers today. They're creating malicious packages."

PyPI Shuts Down Over the Weekend, Says Incident Was Overblown

The technology conglomerate has until later this year to end its transfer of European user's data across the Atlantic.

Meta, owner of Facebook and Instagram, has been fined $1.3 billion (€1.2 billion) for violating the European Union's General Data Protection Regulation (GDPR) by the Irish Data Protection Commission, for the transfer of EU users' personal data to US servers.

This penalty is the biggest that's been dealt out after the European Union's strict data privacy policies went into effect in 2016; this fine far surpasses even Amazon's previously record-breaking $808 million (€746 million) tab in 2021 due to data protection violations.

Because the European Court of Justice nullified the Privacy Shield, the EU and the US continue to search for alternatives on a new data flow. Privacy Shield originally served as a data transfer mechanism under the GDPR, enabling participating companies to meet the EU requirements for transferring personal data to third countries. Though a replacement is expected later in the year, there are multiple multinational companies, including Meta, that illegally rely on the former agreement — specifically with the use of standard contractual clauses.

"The fine regarding a GDPR violation serves as a stark reminder of the importance of data protection in today's dominant digital landscape and the consequences organizations may face if they fail to meet these obligations," Eduardo Azanza, CEO of Veridas, said in a statement in response to the announcement. "The GDPR is designed to safeguard the rights and privacy of individuals. Thus, it's fundamental for organizations to respect these laws and regulations to not only maintain customer trust and confidentiality but to also avoid such public scrutiny and reputational damage."

Meta has a deadline of Oct. 12, 2023, to cease its reliance on standard contractual clauses for data transfers of users' private data.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading