DMARC adoption is more important than ever following Google's and Yahoo's latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.

Source: Tapati Runchumrus via Shutterstock

For cybersecurity professionals in email security and anti-phishing, the beginning of 2024 marked the start of an evolution. 

In January, adoption of the email standard for protecting domains from spoofing by fraudsters — Domain-based Messaging Authentication, Reporting and Conformance, or DMARC — became a necessity as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization. 

Yet three months later, DMARC adoption is already starting to taper off, and many companies have completed only the most minimal configuration of their domains, such as setting DMARC to flag issues rather than quarantine or even reject messages. 

Unfortunately, many organizations remain concerned that DMARC is just another security control that, if done wrong, could break critical email services, says Rahul Powar, CEO of Red Sift, a threat intelligence provider.

"Many organizations are rightly concerned that if they go and they do a DMARC policy and it's not correct, that they could block something that's really material to the business, such as a massive marketing campaign, or that the CEO's email won't land in the right inbox," he says. "There's a concern about getting it wrong."

As of the end of April, about 7.9 million domains have some sort of DMARC record (yellow), but only 32% are BIMI ready (green). Source: BIMIRadar.com

However, DMARC — and the underlying technologies of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — are not difficult to set up for small or midsize businesses that have simple email infrastructure through a third-party service, such as Google Workspace or Microsoft 365. However, if there are older systems or some segmentation using subdomains, the configuration can get complex — fast, says Gerasim Hovhannisyan, co-founder and CEO at service provider EasyDMARC.

"The problem comes when you have legacy systems and multiple sending sources and infrastructure," he says. "Not only enterprises, but the midmarket can have huge problems during email authentication deployment. It's straightforward or easy to do at first glance, but if you do something wrong, totally valid emails will be rejected."

Here is what to keep in mind when setting up DMARC for your organization.

**1\. SPF Alerts Recipients to Emails From Nonapproved Sources**

The first DNS record that an organization needs to set up is SPF, a string that lists the IP addresses and domain names of the mail servers authorized to send email on behalf of the domain. This record is typically set up through your domain provider or email hosting provider. 

A typical SPF record is a DNS TXT record and looks like:

v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:example.com -all

The "v=spf1" designates the string as an SPF record and is required for all SPF records. The "ip4" fields list the IP addresses that are allowed to send email on behalf of the domain and can include network addresses using the slash notation. The "include" tag lists the third-party domains that are authorized to send email for the domain, while the "-all" flag specifies that every other domain is not allowed. Other variants, such as "~all," are possible and specify that mail from other domains are allowed but marked insecure, while "+all" allows any server to send email on behalf of the domain.

While the SPF record is a good first step, spammers could exploit the fact that other organizations using a common third-party server, such as Google's, would be authorized to send email on behalf of every other organization using that server.

**2\. DKIM Uses PKI to Verify Email Messages**

DKIM solves the problem of multiple tenants on the same email server and adds email verification as well. The DKIM selector and key is generated by your email provider and then registered as a TXT record in your DNS service provider. 

A typical DKIM record is a DNS TXT record with a selector — a name — such as "\[third party\].\_domainkey" and a value of:

v=DKIM1; k=rsa; p={public key string}

The "v=DKIM1" designates the TXT string as a DKIM record and is required for all DKIM records. The "k=rsa" designates the type of encryption used for the public-key data, with RSA as the default and other values, such as Edwards-curve Digital Signature Algorithm (EdDSA), allowed as well. The "p=" tag contains the public-key data generated by the email service provider. 

As with any public-key encryption infrastructure, organizations should make sure to regularly rotate the keys for their domain infrastructure, says EasyDMARC's Hovannisyan. 

"We have password management systems or rotating passwords for other \[types of\] keys, but we don't do that with DKIM keys," he says. "This is something that should be in place and each time something can be broken, you need to have alerting."

**3\. DMARC Establishes Policies for Email Recipients**

DMARC uses the already-established controls of SPF and DKIM and specifies an organization's email policy — not for emails coming into the organization, but for emails claiming to be sent on behalf of the organization. Organizations that specify a DMARC record gain two benefits: They can tell a receiving server what to do with an email that fails authentication — such as allow delivery, quarantine the message, or reject it — and they direct the receiving server to generate reports about any messages sent to the domain. 

The result is that an organization using DMARC gains visibility into how its domain name and brand is being used by unauthorized parties. 

A typical DMARC record is a DNS TXT record with a "\_DMARC" and a value that is a string with a number of fields, such as:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:\[email protected\]

In this example, the "v=DMARC1" is the required identifier, the authentication policies for both SPF and DKIM at set to strict — as designated by the "aspf=s" and "adkim=s" tags — and the DMARC reports are sent to an organization-specific email at a third-party provider. In this case, the policy is set to reject, but companies can start with a policy of "none" to gain access to the reporting and move to a policy of "quarantine."

**4\. Check Your DMARC Reports Regularly and Maintain Records**

Establishing a DMARC policy is fairly simple, but using the added information as part of an email-security and brand-protection program requires an alerting mechanism and regular oversight. Often companies will just insert a valid DMARC record in their DNS with a policy of "none" and then forget about the added threat intelligence, Hovannisyan says.

"One of the biggest mistakes with DMARCs is \[a company saying\] that once it's done, I don't need to do anything more," he says. 

Instead, companies should advance through the different policies, starting with "none" but quickly moving to "quarantine" and then finally "strict."

While DMARC can be easy to manage for small companies, large enterprises will likely want to adopt a service to manage the configuration of its email infrastructure and make use of the added capabilities.

"For a small deployment, where you basically just have a Google or an Office 365 on your domain, it's pretty straightforward," says Red Sift's Powar. "I mean, the spec is quite simple, but as soon as you add a little bit of complexity — once you start including a marketing department, an HR department, or maybe a procurement department — you're going to find a lot of senders suddenly start to appear out of your infrastructure."

**5\. Consider BIMI to Increase Trust**

Finally, companies have a fourth standard that can help add more trust to their email messages. The Brand Indicators for Message Identification, or BIMI, standard allows companies to register their logos for use in email clients, but only after they have adopted the maximum level of strictness for their DMARC policies. 

While almost three-quarters of large organizations (73%) have adopted the most basic version of DMARC, the share of those organizations that would pass the most stringent standards vary significantly by nation: In the US, 77% of companies have a strict policy, while only 40% in Germany and 15% in Japan do, according to data from Red Sift. Of all domains, only 3% are considered ready for BIMI, but 32% of the 7.9 million DMARC-enabled domains have strict enough policies to adopt BIMI, according to the BIMIRadar tracking site.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Haven't You Set Up DMARC Yet?

Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.

Source: Robert K Chin Storefronts via Alamy Stock Photo

Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it's more economical and effective to simply use Microsoft's own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers' malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.

Recently, for example, Symantec threat hunters discovered a novel malware they call "BirdyClient," used against an organization in Ukraine. BirdyClient's purpose is to connect to the Graph API in order to upload and download files using OneDrive.

Dark Reading is awaiting comment on this story from Microsoft.

**Hackers Abuse Microsoft Graph**

Long before BirdyClient, there was Bluelight, a second-stage tool for command-and-control via several different Microsoft cloud services. It was first discovered in 2021, having been developed by North Korea's APT37 (aka ScarCruft, Reaper, Group123).

"We see it frequently with cybercrime groups and espionage groups: Somebody hits on a new technique, and everybody copies it," says Dick O'Brien, principal intelligence analyst at Symantec. "This is the case here. They've realized how they can leverage this, and now all of these major players are jumping on board."

After Bluelight came Backdoor.Graphon, used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Then, there was Graphite, spread via spear-phishing attacks against governments in Europe and Asia, and SiestaGraph, which made an appearance in a December 2022 breach of a southeast Asian foreign affairs office.

Last June brought Backdoor.Graphican, used by APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) against foreign affairs ministries in the Americas. A month later, researchers spotted Russia's Cozy Bear (aka APT29, Cloaked Ursa, UAC-0004, Midnight Blizzard/Nobelium) using the same trick in attacks against global diplomatic missions, and Symantec identified a further case from November involving a target in Asia it has yet to disclose.

Despite their myriad differences, all the malware in these cases share the use of Graph API to make C2s out of 365 services, primarily OneDrive.

"From an organization's perspective, you need to start being a lot more aware of people using unsanctioned cloud accounts," O'Brien says. And this doesn't just apply to malicious attacks. For example, "It's quite common to hear people say that they access their personal OneDrive account from a work network. The danger in allowing wholesale access to these cloud platforms is that malware may be less likely to raise red flags," he says.

"Look at ensuring that any connections are to your own tenants — accounts that belong to your enterprise — and lock down everything else."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

A recent campaign targeting Middle Eastern government organizations plays standard detection tools like a fiddle. With cyberattackers getting more creative, defenders must start keeping pace.

Source: incamerastock via Alamy Stock Photo

If a recent wily cyber-espionage campaign against Middle Eastern government entities is any indication, cyber defenders will need to upgrade their malware detection capabilities soon.

Cybersecurity, the trope goes, is a cat-and-mouse game. Companies move to Linux and macOS, so attackers follow them there. Attackers deliver malware in phishing attachments, so Microsoft blocks Internet macros, so attackers adjust. As cybersecurity tooling grows stronger, attackers' methods for circumventing them grow more creative and effective.

So it was that in February, Kaspersky researchers discovered a threat actor spying on a Middle Eastern government organization. By the time Kaspersky reached the attack, at least 30 infections had already been recorded against other organizations, primarily around the Middle East. Despite that, the campaign — dubbed "DuneQuixote" — had managed to remain obscured for at least a year, thanks in large part to a combination of classic and novel stealth techniques.

As experts are quick to point out, cyberattackers across the board have been upgrading their stealth. Perhaps they're once again gaining the edge?

"It's absolutely trivial to create new malware that evades anti-malware detection," says David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure. "Even 'advanced' behavioral analysis is pretty easy to fool with a few tricks. That means there is a huge volume of malware that would need manual analysis to really figure out what is happening. And of course, with all the custom tricks, that makes it really hard to do."

**DuneQuixote and Spanish Poetry**

The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.

One dropper mimics the Total Commander software installer, packaging the legitimate software with its malicious contribution. Once inside a targeted machine, it runs through a series of anti-analysis checks, including, for example, whether any known security software is present on the device. Should any of its checks fail, the malware will return a value of "1," which has a coded meaning. When it comes time to decrypt the attackers' command-and-control (C2) server address, the 1 value will remove the "h" from "https," so that the C2 URL will begin with only "ttps," and no connection will be made at all.

The second DuneQuixote dropper is even more clever. When executed, its first act is to make a series of application programming interface (API) calls which at first appear to serve no actual purpose. Instead they contain strings with snippets from Spanish poems, which have a secret effect. Each instance of the dropper contains different lines of poetry, which earns each instance its own, unique signature. This makes things difficult for simple detection solutions, which rely on common signatures to identify new instances of known malware.

Like the first dropper, this second one also has a method for concealing its infrastructure from analysts. It takes the malicious file name plus a line from a Spanish poem, combines them, and runs them through the MD5 algorithm. The resulting hash acts as a key that decrypts the C2 address.

As for payloads: The two in this campaign are straightforward-enough backdoors that facilitate uploading and downloading files, executing commands, and modifying files. To avoid leaving a footprint, each is written directly into memory.

"Among emerging techniques, fileless malware \[is worrying\]," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "This form of malware significantly reduces the digital footprint and evades traditional antivirus solutions that scan for file-based signatures, complicating post-breach analysis and forensics. It is particularly concerning due to its stealth and effectiveness, making it a likely candidate to become increasingly prevalent."

**How to Thwart Advanced Stealth Tactics**

Besides malware in-memory, "The most notable \[stealth tactics\] I've seen were tricks used in supply chain attacks, where malicious code blended with the legitimate code of comprehensive applications. Tough to identify," says Sergey Lozhkin, principal security researcher with Kaspersky's Global Research and Analysis Team.

As much as any individual tricks, threat actors have mastered how to adapt to their targeted environments — staggering at which points they drop their various tools, under what conditions, and to what ends. "At the highest level, you can't analyze what you don't have. Malware authors use this idea and incrementally download new components, perhaps only when given a specific command by the author. Until those components are downloaded, we don't know what they do," Brumley says.

"Beyond that," he adds, "the problem isn't one single anti-analysis technique; it's the sheer number and ability to mix and match them. They may embed 'weird machines,' where the malware has a custom language interpreter and the malware logic runs on top of it. This is hard to analyze because when you try to analyze it, you see the weird machine, not the malware logic itself. Malware authors may encrypt and pack components of the malware, and only incrementally decrypt them. And some parts of the malware may be encrypted with a key that isn't in the malware itself, but is part of the C2 command. Or they could mix all of the above."

To combat all of the stealth tactics and techniques at attackers' disposal, Guenther and Lozhkin recommend layered security: endpoint detection and response (EDR), behavioral analytics and anomaly detection technologies, and a broader zero-trust approach to system access.

For his part, Brumley is less optimistic. "Throughout the ages people have proposed whitelist-only. This means locking down machines hard, and then making sure they only install approved apps (or apps from approved vendors that are signed). Apple is the most famous for taking this approach, at least on mobile, with their walled garden approach," he says.

"Beyond that, this is a place where the attacker just has an asymmetric advantage," Brumley adds. "That's why most effort isn't put on malware analysis, but good hygiene to try and limit what gets installed."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'DuneQuixote' Shows Stealth Cyberattack Methods Are Evolving. Can Defenders Keep Up?

The quest to keep data private while still being able to search may soon be within reach, with different companies charting their own paths.

Source: Mick House via Alamy Stock Photo

A truly private Internet search — where databases can be queried while keeping search terms and results private — remains a work-in-progress as companies try to balance speed and security.

Companies developing private search technologies focus on making static data more usable through encryption or secure enclaves, where no data is revealed or leaked in the process of querying, retrieval, and transit. Such a technology would function like traditional search where the search engine cannot read the query or use the search results to serve up ads.

"Private Internet search is a sort of holy grail, in a sense," says Vinod Vaikuntanathan, a professor of computer science at MIT and the chief cryptographer at Duality Technologies, which is building its own secure search technology.

**MongoDB & Queryable Encryption**

Customers want to control their data, and are looking at more secure ways to incorporate tools such as search, which is especially important in regulatory environments, says Kenn White, security principal at MongoDB.

"A lot of European customers are concerned about GDPR. We have got a lot of banks and investment banks that care about compliance, ISO, and PCI, but they really care about risk ... they are really focused on breaches," White says.

The latest version of MongoDB, version 7.0, which was released last year, introduces a secure search technology called queryable encryption, which White says "is enhanced so you can do an exact match."

The previous version of MongoDB, 6.0, had a technology called field encryption, in which critical information such as credit card or Social Security numbers were encrypted. An encrypted search query is sent to the encrypted database, and a secure response is sent back. No logs were maintained or plaintext data exposed, and hackers would not have access to encrypted data.

The newer MongoDB 7.0 has made the secure search capabilities more flexible, which is important for searches for more targeted information, such as anonymized financial data or electronic health records.

"We're now enhancing that so that you can do things like encrypted range searches," White says. "You will be able to do prefix and suffix or any text field that contains a certain word but again, where the database is still completely encrypted. It has no idea what you are asking for."

**Fortanix & Generative AI**

In another approach, Fortanix is introducing secure search offerings for searches via generative AI. Fortanix is protecting the AI query prompts, the context, and the augmented retrieval process where companies may use private and public data built into a large language model, says Richard Searle, vice president of confidential computing at Fortanix.

Private AI search is different from conventional search; it retrieves data from constantly learning systems known as vector databases, which is built on relationships between data. There are many considerations in encrypting and securing data compared to traditional search, which extracts data from static databases.

Fortanix's technology is based on confidential computing, which is a hardware-based secure enclave where data is transported for processing. The technology is based on a zero-trust architecture rooted in the hardware, which only grants permission to access the information to validated applications.

For example, Fortanix is working with providers to validate AI models within a secure enclave. The partners will determine whether that model is safe to deploy before executing or exchanging data with it.

"That's particularly relevant where you are taking an open-source model, maybe from a GitHub repository, and there's the potential that it has embedded malware," Searle says.

Fortanix also has plans for a product featuring confidential data collaborations, in which customers can anonymize data to be deployed in secure enclaves. Third parties can use applications within the secure enclave without accessing underlying information. The data is decrypted in the secure enclave, processed, encrypted, and transported out, which makes exfiltration difficult. The customers control cryptographic keys.

"That can be used by an application that is consuming that data either to train a model, or just a standard SQL search, or maybe some analytics," Searle says. "We provide the orchestration for that workload, using an intuitive templated workflow."

**Duality & Lattice-Based Encryption**

Duality is building its own security layer based on a lattice-based encryption scheme. As Vaikuntanathan explains, the technology involves putting encrypted data in a box, which is then sent to the database owner. The database owner breaks it down into smaller boxes of 1s (which implies a match) and 0s (which means not a match), then uses complex mathematics to repackage the response into an encrypted box, which can then be decrypted by a user.

"If you think about the database as being a bunch of numbers, what I'm doing is actually selecting the right row in the database. Of course, I do not know what I am doing in this whole process — I only had the encrypted query. And when I finish this process, I have a box which contains the result, encrypt it, send it back to you," says Vaikuntanathan.

Duality's box is transported via TLS, but the lattice approach suits search better because it allows for computation on encrypted data. The technology has a performance advantage over the widely used AES, which requires data to be decrypted before running search queries.

**Many Paths, One Destination**

Private search is not just about encryption or data privacy algorithms, though; it is more about how the data is processed and where it is exposed during the computation for search queries, says Alex Matrosov, CEO of Binarly.

The challenge will be to prove that the search is truly private. This proof can be difficult with the complexity of the modern computing stack, which includes CPUs, GPUs, and memory, Matrosov says.

"The question of the private Internet search is complicated because even if you try to guarantee that in theory and prove on the paper, the real implementations will be where all the failures will happen," Matrosov says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Private Internet Search Is Still Finding Its Way

The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.

Source: STANCA SANDA via Alamy Stock Photo

UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined — even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.

UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.

**Poor Security: Stolen Credentials, No MFA**

For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log into Change's Citrix platform, possibly obtained via an initial access broker — and that account wasn't protected with multifactor authentication (MFA).

Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's prepared testimony, released ahead of the hearing. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (it's evident that the company doesn't have processes in place to track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.

"This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack," said Piyush Pandey, CEO at Pathlock, in an emailed statement. "In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches."

**Impact on Data Security for PII, PHI Unclear**

Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question "could cover a substantial proportion of people in America," he said. He did not address whether the data is still at risk.

To put that comment into perspective, "Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors," Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.

The senator added, "Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data."

Wyden also warned that the breach could end up being a clear national security threat.

"I don't think it's a stretch \[that\] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a 'treasure trove' of counterintelligence information for foreign intelligence services," he said.

**UnitedHealth's Next Steps Unknown**

UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape. But it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only "slap on the wrist" enforcement actions. The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board).

Meanwhile, in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards). It is almost certain that there will be additional developments in the saga going forward.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

UnitedHealth Congressional Testimony Reveals Rampant Security Fails

PRESS RELEASE

Intel 471, a global provider of cyber threat intelligence (CTI) solutions, today announced that the company acquired Cyborg Security, founded in 2019, to provide organizations with advanced threat hunting capabilities and expertise. With this acquisition, Intel 471 is setting the standard for intelligence-led threat hunting by cementing CTI as a key requirement to enable accurate hunts and proper measurements for operational success, ensuring return on investment for customers’ threat hunt programs. 

“We are excited to add Cyborg Security’s innovative platform and approach to threat hunting to our solution portfolio," said Jason Passwaters, CEO and Co-Founder of Intel 471. “Our customers have grown to rely upon Intel 471’s expertise to unlock the power of cyber threat intelligence and support all aspects of their business. This acquisition is a natural extension of our leadership by including advanced behavioral threat hunting packages that are fully customized to the client’s environment. Customers will benefit from the HUNTER Platform fueled by our premier cyber threat intelligence to streamline the hunt process, improve their team’s efficiency, and stay ahead of emerging threats.”

The convergence of CTI and threat hunting practices across the cybersecurity industry is evidenced by the rapid adoption of complementary use cases, defined methodologies, and a growing trend to integrate the two within the same organizational construct and budget. Economic buyers and practitioners alike increasingly recognize the need for intelligence-led threat hunting as a core component of their overall cybersecurity program. Intel 471 is well-positioned to meet these emerging security requirements with the merging of Cyborg Security and its innovative Hunter Platform into its solution portfolio.

“Intel 471 is a company that embraces the same values as Cyborg Security. Our organizations were built by practitioners – threat hunters, threat intelligence analysts, and security researchers who appreciate the importance of defending the threat landscape,” said David Amsler, CEO and Founder of Cyborg Security. “Threat hunting requires continuous monitoring of the threat landscape, which includes ever-evolving cyber adversary behaviors, TTPs and targeted technologies, as observed across various phases of the attack lifecycle. Intel 471’s CTI prowess and data contextualization deliver those relevant and timely insights. Together, our capabilities provide enterprises the tools and systems to deliver best-in-class threat hunting.”

For more information, please visit: https://intel471.com/

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses. The company's TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/.

You May Also Like

Intel 471 Acquires Cyborg Security

PRESS RELEASE

SAN FRANCISCO, April 30, 2024 /PRNewswire-PRWeb/ -- Cobalt, the pioneers of Pentest as a Service (PtaaS) and leading provider of offensive security solutions, today announced its sixth annual State of Pentesting Report. In addition to a deep dive into pentesting trends, this year's report uncovers an industry deeply grappling with how to both use and protect from AI amidst significant resource and staffing constraints.

Pentesting plays a key role in addressing this challenge, equipping organizations with the ability to more frequently security test critical assets, expanded environments, and proliferating cloud applications. As part of the report, Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year (from Cobalt State of Pentesting Report 2022), aligning with increases in Common Vulnerabilities and Exposures (CVE) records. Additionally, findings indicated that the median time to fix vulnerabilities also increased in comparison to previous years.

In addition to its pentesting analysis, the report also includes a survey of more than 900 cybersecurity professionals across the U.S. and U.K. The study digs into how cyber professionals are balancing internal staffing and working with external partners, the push-pull of AI as both a tool and a threat, and the challenges the C-suite faces to lead change. Some of the most critical findings include:

*   Challenges In the Eye of the AI Storm: The study highlights the push-pull relationships cyber security teams have with AI. A huge majority (86%) cite their teams have adopted AI-powered tools on their teams, while on the flip side, seven in ten respondents also cite an increase in threats coming from AI. This aligns with the growth Cobalt experienced in its business. Throughout 2023, Cobalt performed an increasing number of pentests on AI systems, primarily on software products incorporating AI-enabled chatbots to improve user experience. The most common vulnerabilities uncovered included prompt injection (including jailbreak), model denial of service, and prompt leaking (sensitive information disclosure). Despite the increased investment, many teams (59%) worry they are still trailing behind the AI threat.
    
*   Short Staffing Shifts From Concerning to Significant Risk: The report captures the reality of significant industry layoffs and uncertainty that plagued 2023 and the hangover effect layoffs continue to have on threat levels. Thirty-one percent of respondents said their organization conducted layoffs during the past six months, and ⅓ of those agree their organization faces greater cyber risk due to those departures. Most concerning is that there are no signs of a strong staffing recovery. Nearly one-third of respondents report being on a hiring freeze, and 29% expect to do more layoffs still this year. Looking at the data, Cobalt sees an increase in the overall volume of high and critical severity findings of 39% year over year. This is leading many companies to look at how they will utilize partnerships and vendors to improve security measures, with 59% agreeing they will increase pentesting in 2024.
    
*   C-Suite Pressures: As attacks rise, C-suite executives are increasingly finding themselves at the top of the accountability and liability food chains. It's clear that respondents are feeling this pressure; C-suite is 31% more likely than non-C-suite to say the industry environment is impacting their mental health, and 51% more likely to say it's impacting their physical health. Like their staff, they cite challenges balancing talent shortages and budget constraints against both increasing and emerging threats. Among all groups surveyed, they are the most concerned about AI adoption (33% more than non-C-suite respondents). Despite these challenges, C-suite leadership is proven to be critical to cyber security, with 23% noting that C-suite leadership is more critical than budget to preventing attacks.
    

"With cybersecurity teams strained by staffing shortages and concerns rising about AI's potential to enhance cyberattacks, the importance of pentesting as a proactive measure is key," said Caroline Wong, Chief Strategy Officer at Cobalt. "Our data reinforces the actions we as an industry need to take: prioritizing talent acquisition, exercising caution in AI integration to safeguard against evolving threats, and leveraging pentesting."

"Enterprises today not only face digital threats but the personal toll that these challenges take on their executives," said Chris Manton-Jones, CEO at Cobalt." As leaders, it is crucial to understand that cybersecurity is not just about securing our digital assets but also about ensuring the safety of our entire organization, including ourselves. This is where Cobalt can help make a difference. We close the gaps with security expertise and provide scalable offensive security testing across the entire attack surface. It adds a community of trusted security experts to your team and takes your security program to the next level."

Cobalt will be discussing the report at its booth #4324 in Moscone North Expo during RSA. Visit https://www.cobalt.io/ to learn how Cobalt can help your organization and to download the full 2024 State of Pentesting Report.

About Cobalt   
Cobalt combines talent and technology with speed, scalability and resilience. Our award-winning Pentest as a Service (PtaaS) model empowers organizations to keep pace with their evolving attack surface and agile software development lifecycles. Thousands of customers and hundreds of partners rely on Cobalt's modern SaaS platform and exclusive community of more than 400 trusted security experts to secure applications, networks, and devices. We deliver security testing that supports business drivers, maximizes internal resources, and creates stronger security programs so that organizations can operate fearlessly and innovate securely.

You May Also Like

Cobalt's 2024 State of Pentesting Report Reveals Cybersecurity Industry Needs

Unmanaged and unknown Web services endpoints are just some of the challenges organizations must address to improve API security.

Source: Wright Studio via Shutterstock

Organizations shoring up their API security need to pay particular attention to unmanaged or shadow application programming interfaces.

Shadow APIs are Web services endpoints that are no longer in use, outdated, or undocumented, and therefore not actively managed. Application and security teams need to find such APIs and ensure each one is either documented or decommissioned to mitigate the significant risk they present, says Rupesh Chokshi, senior vice president, application security at Akamai.

**The Risk From Unmanaged APIs**

Chokshi is scheduled to present a talk on the topic at the upcoming RSA Conference 2024 in San Francisco next week. In a presentation titled "The Secret Life of APIs: Latest Attack Data Shows What Your APIs are Doing," Chokshi identifies shadow APIs as one of several postural — or implementation-related — issues that organizations must prioritize when tackling API security.

One of the biggest surprises for enterprises that increase their visibility into API activity is the sheer number of shadow endpoints in their environment that they were previously unaware of, Chokshi says. The first step to enabling better API security is to discover these shadow endpoint and either eliminate them or incorporate them into the API security program, he notes.

API security has become an increasingly pressing challenge for IT and security leaders. In recent years, many organizations have deployed APIs extensively to integrate disparate systems, applications, and services in a bid to streamline business processes and boost operational efficiencies. APIs have also played a central role in enabling digital transformation initiatives by giving companies a way to modernize legacy applications, adopt cloud services, and engage more efficiently with customers, partners, and other third parties.

**The API Proliferation Challenge**

The resulting proliferation of APIs has significantly expanded the attack surface at many organizations and exposed them to greater risks, Chokshi says. He points to research from Akamai earlier this year that found that 29% of all Web attacks in 2023 targeted APIs. Common attack vectors included SQL injection, cross-site scripting, session hijacking/session manipulation, and data harvesting attacks. Attackers targeted organizations in certain sectors more frequently than others. More than 44% of all Web attacks in the e-commerce sector, for instance, targeted APIs. Similarly, nearly 32% and 19% of the Web application attacks that business services organizations and healthcare organizations, respectively, encountered last year targeted application programming interfaces.

Chokshi says the API security challenges that most organizations encounter fall under two broad categories: postural and runtime related. Postural issues result from implementation weaknesses, such as those related to shadow APIs. An October 2022 research report from Cequence Security identified more than 31% of all malicious requests — or some 5 billion of 16.7 billion — targeted unknown and unmanaged APIs.

Other common postural problems include unauthenticated resource access, sensitive data in the URL, overly permissive cross-origin resource sharing, and excessive client errors, which can include issues like improper authentication.

The most common runtime problems — or active threats — that organizations typically encounter include unauthenticated attempts to access sensitive API resources; API activity with unusual JSON payloads, like unexpected data types; unexpected or malformed data as part of API requests; and data scraping attempts.

Given the rapidly evolving nature of the API threat landscape, organizations need to ensure they have proper visibility over their API environment, Chokshi notes. In addition to detecting and decommissioning shadow APIs, organizations need to maintain an inventory of their APIs. They also need to harden their API posture by, for instance, correcting flaws in API code and addressing misconfiguration issues; bolstering threat detection and response capabilities; and establishing an API threat hunting capability.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Shadow APIs: An Overlooked Cyber-Risk for Orgs

Some customers found that they had the ability to cancel a stranger's flight to another country after opening the app, which was showing other individuals' flight details.

Source: Stonemeadow Photography via Alamy Stock Photo

Qantas, the flagship Australian airline, is investigating a privacy breach after its customers were able to see other individuals' boarding passes, flight details, and frequent flyer information.

Josh Withers, a Qantas customer, said he was able to see another passenger's name and flight details when he opened the Qantas app. Each time he re-opened the flight portal, the app would pull up a different customer's flight information. Other passengers reportedly had the ability to cancel passengers' flights to Europe via the app.

The airline reports that there was "no indication of a cyber security incident," though it also said its investigation is pointing to a technology issue that could potentially have caused system changes leading to this privacy breach.

Qantas was able to resolve the issue roughly three hours after it was discovered but is urging the customers that were affected to remain vigilant of social engineering scams using the exposed information.

**About the Author(s)**

Qantas Customers' Boarding Passes Exposed in Flight App Mishap

The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.

Source: David Fleetham via Alamy Stock Photo

A never-before-seen malware strain is targeting enterprise-grade and SOHO routers to steal authentication details and other data from behind the network edge. It also performs DNS and HTTP hijacking attacks on connections to private IP addresses.

The packet-sniffing malware — dubbed "Cuttlefish" by the Black Lotus Labs team at Lumen Technologies who discovered it —features a zero-click approach to capturing data from users and devices, according to a blog post published May 1.

"Any data sent across network equipment infiltrated by this malware is potentially exposed," according to Black Lotus Labs. Attackers designed the modular malware to be triggered by a specific rule set, in particular to acquire authentication data, with an emphasis on public cloud-based services, the researchers said.

"To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources," according to the post. "By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials."

Cuttlefish also has a secondary function that gives it the capacity to perform both DNS and HTTP hijacking for connections to private IP space that's associated with communications on an internal network. It can also interact with other devices on the LAN and move material or introduce new agents.

**Cuttlefish's Unique Malware Behavior**

Cuttlefish's capability to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking "has seldom been observed;" however, campaigns such as ZuoRat, VPNFilter, Attor, and Plead exhibited similar behavior, according to Black Lotus Labs.

Unique to Cuttlefish, however, is its capability to zero in on private IP address connections for potential hijack, which is the first time the researchers have observed this capability and is likely for the purposes of anti-detection and persistence, they noted.

"We suspect that targeting these cloud services allows the attackers to gain access to many of the same materials hosted internally, without having to contend with security controls like EDR \[extended detection and response\] or network segmentation," according to the blog post.

The malware's combination of targeting networking equipment that's frequently unmonitored, as well as gaining access to cloud environments that often lack logging is intended to grant long-term persistent access to targeted ecosystems, the researchers noted.

**Turkish Telcos & Links to HiatusRAT**

Cuttlefish has been active since at least last July, with its latest campaign running from October through last month. The bulk of the infections occurred within Turkey via two telecommunications providers (a segment that's frequently targeted by cyberespionage malware), accounting for about 93% of infections, or 600 unique IP addresses.

There also have been "a handful" of non-Turkish victims, including IP addresses of clients likely associated with global satellite phone providers, and potentially a US-based data center, according to Black Lotus Labs.   

Researchers found links — specifically, code similarities and embedded build paths — to HiatusRat, thus they believe Cuttlefish also is aligned with the interests of China-based threat actors. However, so far Black Lotus Labs has not found shared victimology, surmising that the two malware clusters are operating concurrently.

**Infection Process and Execution**

While the researchers have not determined the initial infection vector, they did track the path of Cuttlefish once the targeted device was exploited, they said. The threat actor first deploys a bash script that gathers certain host-based data to send to the command-and-control server (C2). It also downloads and executes Cuttlefish in the form of a malicious binary compiled for all major architectures used by SOHO operating systems.

"This agent implements a multi-step process that begins with installing a packet filter for the inspection of all outbound connections and use of specific ports, protocols, and destination IP addresses," according to the post. "Cuttlefish constantly monitors all traffic through the device and only engages when it sees a particular set of activities."

The C2 sends updated and specified rules of engagement through a configuration file after it receives the host-based enumeration from the initial entry. The rule set directs the malware to hijack traffic destined to a private IP address; if heading to a public IP, it will initiate a sniffer function to steal credentials if certain parameters are met.

**Defending Against Router Attacks**

Aside from including a list of indicators of compromise (IoCs) in its post, the researchers also had separate advice for both corporate network defenders and those with SOHO routers to avoid and detect compromise by Cuttlefish.

Enterprise organizations should look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN-based blocking. They also should encrypt network traffic with TLS/SSL to prevent sniffing when retrieving or sending data located remotely, such as when using cloud-based services or performing any type of authentication, the researchers advised.

Organizations that manage these types of routers should ensure that devices do not rely upon common default passwords, as well as that the management interfaces are properly secured and not accessible via the Internet. Inspection of SOHO devices for abnormal files such as binaries located in the /tmp directory or rogue iptables entries, as well as routinely power-cycling these devices to help remove malware samples in-memory can also help organizations avoid compromise. Enterprises also should implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.

Consumers with SOHO routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as retiring and replacing routers that reach their end of life and thus support from their respective vendors.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading