Recent trends in breaches and attack methods offer a valuable road map to cybersecurity professionals tasked with detecting and preventing the next big thing.

Source: YAY Media AS via Alamy Stock Photo

Cybersecurity is constantly evolving and, as such, requires regular vigilance.

Microsoft analyzes more than 78 trillion security signals every day to better understand the latest attack vectors and techniques. Since last year, we noticed a shift in how threat actors are scaling and leveraging nation-state support. It's clear that organizations continue to experience more attacks than ever before, and attack chains are growing more complex. Dwell times have shortened and tactics, techniques, and procedures (TTPs) have evolved to become nimbler and more evasive in nature. 

Informed by these insights, here are five attack trends end-user organizations should be monitoring regularly.

**Achieving Stealth By Avoiding Custom Tools and Malware**

Some threat actor groups are prioritizing stealth by leveraging tools and processes that already exist on their victims' devices. This allows adversaries to slip under the radar and go undetected by obscuring their actions alongside other threat actors that are using similar methods to launch attacks. 

An example of this trend can be seen with Volt Typhoon, a Chinese state-sponsored actor that made headlines for targeting US critical infrastructure with living-off-the-land techniques.

**Combining Cyber and Influence Operations for Greater Impact**

Nation-state actors have also created a new category of tactics that combines cyber operations and influence operations (IO) methods. Known as "cyber-enabled influence operations," this hybrid combines cyber methods — such as data theft, defacement, distributed denial-of-service, and ransomware — with influence methods — like data leaks, sockpuppets, victim impersonation, misleading social media posts, and malicious SMS/email communication — to boost, exaggerate, or compensate for shortcomings in adversaries' network access or cyberattack capabilities. 

For example, Microsoft has observed multiple Iranian actors attempting to use bulk SMS messaging to enhance the amplification and psychological effects of their cyber-influence operations. We're also seeing more cyber-enabled influence operations attempt to impersonate purported victim organizations or leading figures in those organizations to add credibility to the effects of the cyberattack or compromise.

**Creating Covert Networks By Targeting SOHO Network Edge Devices**

Particularly relevant for distributed or remote employees is the rising abuse of small-office/home-office (SOHO) network edge devices. More and more, we're seeing threat actors use target SOHO devices — such as the router in a local coffee shop — to assemble covert networks. Some adversaries will even use programs to locate vulnerable endpoints around the world and identify jumping-off points for their next attack. This technique complicates attribution, making attacks appear from virtually anywhere.

**Rapidly Adopting Publicly Disclosed POCs for Initial Access and Persistence **

Microsoft has increasingly observed certain nation-state subgroups adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in Internet-facing applications.

This trend can be seen in threat groups like Mint Sandstorm, an Iranian nation-state actor that rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to quickly and successfully access environments of interest.

**Prioritizing Specialization Within the Ransomware Economy**

We've been observing a continued move toward ransomware specialization. Rather than carry out an end-to-end ransomware operation, threat actors are choosing to focus on a small range of capabilities and services. 

This specialization has a splintering effect, spreading components of a ransomware attack across multiple providers in a complex underground economy. No longer can companies think of ransomware attacks as just coming from an individual threat actor or group. Instead, they may be combating the entire ransomware-as-a-service economy. In response, Microsoft Threat Intelligence now tracks ransomware providers individually, noting which groups traffic in initial access and which offer other services.

As cyber defenders look for more effective ways to harden their security posture, it's important to reference and learn from significant trends and breaches in years past. By analyzing these incidents and understanding different adversaries' motives and favored TTPs, we can better prevent similar breaches from happening in the future.

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

5 Attack Trends Organizations of All Sizes Should Be Monitoring

Hackers can influence voters with media and breach campaigns, or try tampering with votes. Or they can combine these tactics to even greater effect.

Source: Lennart Worthmann via Alamy Stock Photo

If history has anything to tell us, the most significant cyber threat to this year's elections won't be a leak, a distributed denial-of-service (DDoS) attack, or a fake news video. Instead, it will be some combination of these or more.

In cyberspace's salad days, hackers caused all kinds of fuss using simple, direct methods: hiding viruses in advertisements, hacking websites with easily guessed passwords, and so on. While that still happens, attackers often have to get more creative by chaining multiple tactics together in order to achieve their goals, thanks to greater cybersecurity awareness and protections.

So too with elections. In 2006, aides to Joe Lieberman's presidential campaign had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.

"In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others," the firm wrote in a new report.

**Combination Election Attacks**

One case study Mandiant pointed to occurred in 2014 when Ukraine's presidential elections were interrupted by a Russian cyber onslaught, following the ouster of its pro-Russian president Viktor Yanukovich, and Russia's invasion of Crimea.

A week before election day, Russian actors hiding behind the hacktivist moniker "Cyber Berkut" struck websites relating to NATO and Ukrainian media outlets with DDoS attacks. That set the stage for when, with four days to go, the same fake hacktivist group broke into the country's central election computers and deleted files and rendered the vote tallying system inoperable.

A day later, they added to the chaos by breaking more election infrastructure, then leaking the emails and documents stored there to the wider Internet. Lastly, just 40 minutes before election results were to be broadcast to the public, the country's Central Election Commission reportedly removed some kind of virus that was designed to present fake results in favor of the far-right, ultra-nationalist candidate.

This extreme brand of combination cyber warfare might have only happened in a country experiencing such upheaval, but other chained cyberattacks have struck more-stable democracies since.

In 2020, two 20-something Iranian nationals carried out a campaign against multiple US states' voting-related websites. They managed to obtain confidential voter information from at least one of them, which they used to send intimidating and misleading emails, including by spreading a video with disinformation about election infrastructure vulnerabilities. They also breached one media company, which, as the Department of Justice noted, could have provided them another channel through which to disseminate their false claims.

"Leaks are particularly powerful. Potentially more powerful when boosted through the compromise of legitimate media," says John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud.

The breach/fake news ploy is a potent concoction. "These disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran," warns Madison Horn, herself a 2024 candidate running for a congressional seat in Oklahoma's 5th district. "Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 US election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity."

**The Threat From Cybercrime**

It's not only state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists, and cybercriminals all muddy the waters in their own ways.

In most cases, "The avenues for these campaigns are popular social media platforms — X, Telegram, Facebook — and YouTube, making the digital battlefield as accessible as it is dangerous," Horn warns.

From January 2023 to March 2024, the cybersecurity firm BrandShield tracked suspicious new social media accounts and web domains relating to Joe Biden's and Donald Trump's presidential campaigns. It found hundreds of imposter accounts across social media sites, as well as 2,335 suspect websites claiming some sort of affiliation with the president and 9,639 for the former president (helped by a 197% boost following his arrest in August).

Fake Trump site. Source: BrandShield

Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended to go to candidates, or they can be used in concert with other tactics to achieve greater ends.

"They can be used to get people's information, and maybe try to influence their views by distributing fake news," says BrandShield CEO Yoav Keren, formerly an adviser in the Israeli Knesset. "I would even think that they can use these platforms to interact with real people from the campaigns, to infiltrate their systems. These impersonations can be used in a lot of different ways."

"I don't want to give too many good ideas to the bad guys," he says, "but they usually come up with them before I do."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

The Biggest 2024 Elections Threat: Kitchen-Sink Attack Chains

Mobile malware-as-a-service operators are upping their game by automatically churning out hundreds of unique samples on a whim.

Source: Wodthikorn Phutthasatchathum via Alamy Stock Photo

North of 1,000 samples of the Godfather mobile banking Trojan are circulating in dozens of countries worldwide, targeting hundreds of banking apps.

First discovered in 2022, Godfather — which can record screens and keystrokes, intercepts two-factor authentication (2FA) calls and texts, initiates bank transfers, and more — has quickly become one of the most widespread malware-as-a-service offerings in cybercrime, especially mobile cybercrime. According to Zimperium's 2023 "Mobile Banking Heists Report," as of late last year, Godfather was targeting 237 banking apps spread across 57 countries. Its affiliates exfiltrated stolen financial information to at least nine countries, primarily in Europe and including the US.

All that success drew attention, so, to prevent security software from spoiling the party, Godfather's developers have been automatically generating new samples for their customers at a near industrial scale.

Other mobile malware developers across the spectrum have started doing the same thing. "What we're seeing is that malware campaigns are starting to get bigger and bigger," warns Nico Chiaraviglio, chief scientist at Zimperium, who will host a session on this and other mobile malware trends at RSAC in May.

Besides Godfather and other known families, Chiaraviglio is tracking an even bigger, still-under-wraps mobile malware family with more than 100,000 unique samples in the wild. "So that's crazy," he says. "We haven't seen that number of samples in a single malware before, ever. This is definitely a trend."

**Banking Trojans Spawn Hundreds of Samples**

Mobile security is already lagging far behind security for desktops. "In the '90s, no one was really using antivirus on desktop computers, and that's kind of where we are now. Today, only one of four users are really using some sort of mobile protection. Twenty-five percent of devices are completely unprotected, compared with desktop, at 85%," Chiaraviglio laments.

Mobile threats, meanwhile, are leveling up fast. One way they're doing so is by generating so many different iterations that antivirus programs — which profile malware by their unique signatures — have trouble correlating one infection with the next.

Consider that at the time of its initial discovery in 2022, according to Chiaraviglio, there were fewer than 10 samples of Godfather in the wild. By the end of last year, that number had risen a hundredfold.

Its developers have clearly been autogenerating unique samples for customers to help them avoid detection. "They could just be scripting everything — that would be a way to automate it. Another way would be to use large language models, as code assistance can really speed up the development process," Chiaraviglio says.

Other banking Trojan developers have followed the same approach, if at a lesser scale. In December, Zimperium tallied 498 samples of Godfather's close competitor, Nexus, 300 samples of Saderat, and 123 of PixPirate.

**Can Security Software Keep Up?**

Security solutions that tag malware by signature will find difficulty keeping track of hundreds and thousands of samples per family.

"Maybe there is a lot of code reuse between different samples," Chiaraviglio says, something he suggests adaptive solutions can use to correlate related malware with different signatures. Alternatively, instead of the code itself, defenders can use artificial intelligence (AI) to focus on the behaviors of the malware. With a model that can do that, Chiaraviglio says, "it doesn't really matter how much you change the code or the way the application looks, we will still be able to detect it."

But, he admits, "at the same time, this is always a race. We do something \[to adjust\], then the attacker does something to evolve to our predictions. \[For example\], they can ask \[a large language model\] to mutate their code as much as it can. This would be the realm of polymorphic malware, which is not something that happens a lot on mobile, but we might start seeing way more of that."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Godfather Banking Trojan Spawns 1.2K Samples Across 57 Countries

Caliptra 1.0 offers a blueprint for integrating security features directly into microprocessors.

Source: Alexmillos via Alamy Stock Vector

A consortium of top chip makers have finalized the first version of Caliptra, a specification to add zero-trust security features directly inside silicon.

The Caliptra 1.0 specification has hardware and software blocks providing multiple protection layers for encrypted data on chips.

"We believe Caliptra is a foundational aspect to the future of confidential computing and couldn't be more excited to reach our 1.0 milestone," says Andrés Lagar-Cavilla, a distinguished engineer at Google. Caliptra is currently being integrated by companies across the ecosystem into chips that will start to appear in the market in 2026.

Security-focused hardware exists, but usually as separate components on the hardware. At the moment, chips typically access security features that are available as separate hardware components on the motherboard. The Caliptra specification provides a blueprint to embed the security features into the chip instead of accessing those hardware cores.

For example, the Trusted Platform Module (TPM), which is required on all machines running Windows 11, is a secure processor carrying out cryptographic functions, such as Windows Hello authentication and BitLocker drive encryption. Caliptra could make possible an on-silicon version of TPM.

The specification was built around the concept of confidential computing, an emerging technology focused on building walls to protect data and programs during storage, transport, and execution. Users and code are verified before being allowed to enter the secure area, after which they can run programs.

**Caliptra-Spec Chips on the Way?**

The Caliptra specification aims to fend off cyberattacks and protect from vulnerabilities, such as Meltdown and Spectre, which exposed confidential user data to hackers.

Caliptra's protection layers on silicon include a root-of-trust block, in which code, users, and firmware are isolated, verified, and authenticated. The spec extends to protecting firmware and ROMs. The root-of-trust layer also detects and recovers data that may be corrupted.

The specification is now available for tape-in, which means it is also ready for testing for chips that may be going into production. Google's Lagar-Cavilla says the company is actively integrating Caliptra in first-party silicon designs and collaborating with suppliers to ensure their system-on-chips — across CPUs, GPUs, DPUs, BMCs, SSDs, and more — include Caliptra.

Caliptra is an open source technology, so chip makers can adopt and modify it for free.

A company called Antmicro is developing a Caliptra-based security core for an emerging chip architecture called RISC-V. The technology is an alternative to the dominant x86 and ARM instruction set architectures. RISC-V has a modular design that makes it easier to include technologies like Caliptra in production-level silicon.

Google is a lead developer of Caliptra, working alongside Advanced Micro Devices, Microsoft, Marvell, and NVIDIA. The Linux Foundation's CHIPS Alliance is managing the development of the specification.

Intel is one of the big names in chips missing from the group of companies developing Caliptra. Intel is pushing its own on-chip security technology to protect user data and chips from hackers.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Chip Giants Finalize Specs Baking Security Into Silicon

Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous.

Chahak Mittal, Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

April 25, 2024

5 Min Read

Source: Rawf8 via Alamy Stock Photo

COMMENTARY

Imagine you're standing in a bustling city, surrounded by the symphony of commerce. The exchange of goods and the flow of transportation are all around you. This is the heartbeat of our global economy. But what would happen if this heartbeat were to be disrupted? If the very lifeblood of our interconnected world were to falter — or worse, come to a grinding halt?

The consequences would be catastrophic. Imagine empty shelves in grocery stores, gas stations running out of fuel, and hospitals unable to get the supplies they need. Imagine widespread panic and social unrest.

This is not just a hypothetical scenario. It's a real threat we need to take seriously. Cyberattacks on logistics are becoming increasingly common, and the potential impact is enormous. Logistics is the backbone of our global economy. It's the process that keeps the world's shelves stocked and the wheels of commerce turning.

**Cyberattacks on Logistics May Have Severe Ramifications**

Let's first discuss why cyberattacks on logistics are so concerning.

Remember back to the haunting early days of the pandemic. Lockdown measures paralyzed entire nations, factories fell silent, and transportation came to a grinding halt. The repercussions were profound, as essential goods faced severe delays, and shortages left many in dire straits. The fabric of our interconnected world was put to the test, and the challenges were immense.

Four years later, we see news headlines about cyberattacks on Ukraine's logistics and its global impact. Think for a moment about the unimaginable consequences if a cyberattack were to disrupt logistics on a larger scale than COVID-19 or even exceed its impact.

It is unsettling that a nation could be brought to its knees not by an army or weapons but by code on a computer. This prospect cannot be ignored, especially given that the transport and logistics industry is undergoing a digital transformation.

Companies are increasingly using digitalization tools to streamline all processes, from warehouse inventory management to vehicle tracking. This is a good thing, of course. Digitalization can help to improve efficiency, reduce costs, and improve customer service. But there is a dark side to digitalization. The more digitized a company is, the more vulnerable it is to cyberattacks.

**An Expanded Battlefield**

Let's now delve into the second part of our journey: understanding how cyberattacks on logistics can be weaponized. Throughout history, proper logistics have always been the secret weapon behind any victorious endeavor, whether in war or other ventures. From the days of the Civil War, where horses, mules, and wagons provided armies the food, equipment, and ammunition they needed, to the modern era with colossal military operations with intricate supply chains, logistics have always been the beating heart of success.

Now the battlefield has expanded into the digital realm. The logistics that have propelled economies and nations forward are now vulnerable to a new kind of adversary –— one that wields not swords and shields, but lines of code and malicious intent.

But let's go even deeper. What if these cyberattacks on logistics were not just the work of lone hackers seeking chaos? What if they were orchestrated by state actors with strategic intent? The Russia-Ukraine conflict has demonstrated the potential of such scenarios. The cyber offensive aimed at Ukraine reached far beyond its borders, affecting global supply chains and sending shockwaves through economies. 

In this ever-evolving digital landscape, a new kind of arsenal is being amassed in the shadows: stockpiled zero-day vulnerabilities. Just as nations once accumulated weapons to safeguard their sovereignty, they now amass vulnerabilities as digital ammunition. These zero-day vulnerabilities, arcane exploits unknown even to software creators, have become potent tools of cyber warfare.

Imagine the power of a nation armed with a stockpile of these vulnerabilities. It can strike silently, crippling logistical infrastructures without firing a single shot. This reality becomes more tangible as each day passes. The Russia-Ukraine conflict showcases this new arsenal's alarming potential, serving as a reminder that our reliance on interconnected logistics is both a strength and a vulnerability.

**Fortifying Our Defenses**

So, where do we go from here? How can we fortify our logistical arteries against these emerging threats? Just as the strength of a nation's military once depended on its ability to ensure a steady flow of supplies to the frontlines, today's battles are won by safeguarding the flow of data, goods, and services.

The lessons of history remain relevant — a robust logistics network is not only essential for prosperity, but it is also a fundamental pillar of security. We must invest in cyber-defense strategies that mirror the importance we place on physical defense. Collaboration between governments, industries, and international partners is paramount. The private sector, too, holds a pivotal role.

As we embrace digitalization, we must do so with cybersecurity at the forefront. Companies must not only prioritize efficiency but also fortify their digital infrastructure against potential attacks. 

Strong alliances, collaborative diplomacy, and international cooperation are essential to our defense strategy. Just as alliances between nations bolster our military might, alliances between industries and governments can fortify cybersecurity. By harnessing the power of cyber and soft power in harmony, we can navigate the intricate dance of modern warfare.

The time to act is now. We stand at a crossroads where the path of progress intersects with the shadows of uncertainty. The interconnectedness that has fueled our global economy is also its Achilles' heel. Cyberattacks on logistics are not a distant possibility; they are a sobering reality.

The disruption of our supply chains, the paralysis of our economies — these are the stakes we face. But history has shown us that challenges can become catalysts for innovation. We can forge a new paradigm, one where technology and diplomacy converge to safeguard our way of life.

It is a future where alliances are not just forged on battlefields, but in virtual boardrooms and digital summits, and where the strength of a nation's cybersecurity is as integral to its defense strategy as its military might.

**About the Author(s)**

Cybersecurity GRC Manager, Universal Logistics Holdings, Inc.

Chahak Mittal is a Certified Information Systems Security Professional (CISSP) and Cybersecurity Governance, Risk, and Compliance Manager at Universal Logistics. She is a cybersecurity leader deeply committed to knowledge sharing and community engagement. Through her roles as a Judge at Globee Awards, Major League Hacking (MLH) Hackathons, and as a dedicated cybersecurity instructor volunteer in the Microsoft TEALS Program, she has actively contributed to the cybersecurity ecosystem. Chahak's active involvement in organizations such as the Information Systems Security Association and SecureWorld's Detroit Advisory Council has been instrumental in her pursuit of staying at the forefront of industry trends and challenges. Furthermore, she has channeled her insights into thought-provoking cybersecurity articles, published on SecureWorld.io, ISC2, and CyberDefense Magazine, making a meaningful contribution to the field's intellectual discourse.

Digital Blitzkrieg: Unveiling Cyber-Logistics Warfare

Attacks by a previously unknown threat actor leveraged two bugs in firewall devices to install custom backdoors on several government networks globally.

Source: Znakki via Shutterstock

A state-sponsored threat actor has exploited two Cisco zero-day vulnerabilities in firewall devices to target the perimeter of government networks with two custom-built backdoors, in a global cyber-espionage campaign.

Dubbed "ArcaneDoor," the campaign by the previously unknown actor — which researchers from Cisco Talos track as UAT4356 — has targeted Cisco Adaptive Security Appliance (ASA) firewall devices of several Cisco customers since at least December 2023, Cisco Talos researchers revealed in a blog post.

While the actor's initial access vector remains unknown, once it occurs, UAT4356 used a "sophisticated attack chain" involving exploit of the two vulnerabilities — a denial-of-service flaw tracked as CVE-2024-20353 and a persistent local execution flaw tracked as CVE-2024-20359 that have since been patched — to implant malware and execute commands across a small set of Cisco customers. Cisco Talos also flagged a third flaw in ASA, CVE-2024-20358, that was not used in the ArcaneDoor campaign.

The researchers also found evidence that the actor has interest in and potentially will attack devices from Microsoft and other vendors, making it crucial that organizations ensure that all perimeter devices "are properly patched, logging to a central, secure location, and configured to have strong multifactor authentication (MFA)," Cisco Talos wrote in the post.

**Custom Backdoor Malware for Global Governments**

The first sign of suspicious activity in the campaign came in early 2024 when a customer reached out to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos about security concerns with its ASA firewall devices.

A subsequent several-months-long investigation conducted by Cisco and intelligence partners uncovered threat actor-controlled infrastructure dating back to early November 2023. Most of the attacks — all of which targeted government networks globally —occurred between December and early January. There is also evidence that the actor — which Microsoft also is now tracking as STORM-1849 — was testing and developing its capability as early as last July.

The primary payloads of the campaign are two custom backdoors— "Line Dancer" and "Line Runner" — which were used together by UAT4356 to conduct malicious activities on the network, such as configuration and modification; reconnaissance; network traffic capture/exfiltration; and potentially lateral movement.  

Line Dancer is a memory-resident shellcode interpreter that enables adversaries to upload and execute arbitrary shellcode payloads. In the campaign, Cisco Talos observed the malware being used to execute various commands on an ASA device, including: disabling the syslog; running and exfiltrating the command show configuration; creating and exfiltrating packet captures; and executing commands present in the shellcode, among other activities.

Line Runner meanwhile is a persistence mechanism deployed on the ASA device using functionality related to a legacy capability that allowed for the pre-loading of VPN clients and plugins on the device during booting that can be exploited as CVE-2024-20359, according to Cisco Talos. In at least one case, the threat actor also abused CVE-2024-20353 to facilitate this process.

"The attackers were able to leverage this vulnerability to cause the target ASA device to reboot, triggering the unzipping and installing" of Line Runner, according to the researchers.

**Protect the Perimeter From Cyberattackers**

Perimeter devices, which sit at the edge between an organization's internal network and the Internet, "are the perfect intrusion point for espionage-focused campaigns," providing threat actors a way to gain a foothold to "directly pivot into an organization, reroute or modify traffic, and monitor network communications into the secure network, according to Cisco Talos.

Zero-days on these devices are an especially attractive attack surface on these devices, notes Andrew Costis, chapter lead of the Adversary Research Team at MITRE ATT&CK testing firm AttackIQ.

"We've seen time and time again critical zero and n-day vulnerabilities being exploited with all of the mainstream security appliances and software," he says, noting previous attacks on bugs in devices from Ivanti, Palo Alto Networks, and others.

The threat to these devices highlights the need for organizations to "routinely and promptly" patch them using up-to-date hardware and software versions and configurations, as well as maintain close security monitoring of them, according to Cisco Talos.

Organizations also should focus on post-compromise TTPs of threat actors and test known adversary behaviors as part of "a layered approach" to defensive network operations, Costis says.

**Detecting ArcaneDoor Cyberattack Activity**

Indicators of compromise (IoCs) that customers can look for if they suspect they may have been targeted by ArcaneDoor include any flows to/from ASA devices to any of the IP addresses present in the IOC list included in the blog.

Organizations also can issue the command "show memory region | include lina" to identify another IOC. "If the output indicates more than one executable memory region … especially if one of these memory sections is exactly 0x1000 bytes, then this is a sign of potential tampering," Cisco Talos wrote.  

And, Cisco provided two sets of steps that network administrators can take to identify and remove the ArcaneDoor persistence backdoor Line Runner on an ASA device once the patch is applied. The first is to conduct a review of the contents of disk0; if a new file (e.g., "client\_bundle\_install.zip" or any other unusual .zip file) appears on the disk, it means that Line Runner had been present but is no longer active due to the update.

Administrators also can follow a series of commands provided that will create an innocuous file with a .zip extension that will be read by the ASA at reboot. If it appears on disk0, it means that Line Runner likely was present on the device in question. Administrators can then delete the "client\_bundle\_install.zip" file to remove the backdoor.

If administrators find a newly created .zip file on their ASA devices, they should copy that file off the device and email \[email protected\] using a reference to CVE-2024-20359 and including the outputs of the "dir disk0:" and "show version" commands from the device, as well as the .zip file that they extracted.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign

How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.

Source: Timon Schneider via Alamy Stock Photo

As a longtime information security professional at Johnson & Johnson, Mike Wagner helped shape the Fortune 100 company's security approach and security stack. Wagner recently became the first CISO of Kenvue, J&J's year-old spin-off, which was previously J&J's consumer healthcare division. In his new role, Wagner aims to combine the best of J&J with an efficient and modern approach that fits the new standalone company.

"We wanted to create a streamlined and cost-effective architecture with maximum security," Wagner explains.

The first step was defining key roles required to build an effective security program. That included architects and engineers to implement tools, identity and access management (IAM) experts to enable secure authentication, risk management leaders to align security with business priorities, security operations staff for incident response, and dedicated staff for each cyber function.

To ensure maximum effectiveness and future scalability for the cyber architecture, the newly created cyber team knew it wanted to embed machine learning and artificial intelligence (AI). That included automating IAM, streamlining supplier assessments through automated questionnaires, implementing AI for behavioral analysis, and using machine learning to improve threat detection.

**Deciding Which Cyber Tools to Keep or Replace**

With the basics ironed out, the next step was choosing which tools and processes should be retained from J&J and which should be replaced. While J&J's cybersecurity architecture was solid, it was a patchwork of systems created by decades of acquisitions.

To make their determinations, Wagner's team first inventoried J&J's tools, mapping them to Kenvue's operating model and choosing the ones with capabilities Kenvue would need. In many cases, the team found that J&J's security tools were more full-featured than the smaller spin-off needed. In other cases, J&J's technology was duplicative. In still others, existing J&J technology wasn't affordable or didn't provide the maximum security footprint for Kenvue's mission.

And, sometimes, it simply came down to how well-integrated J&J's security architecture was.

"Take something like endpoint detection and response," Wagner says. "Where J&J may have had two to three pieces of software on the endpoint to accomplish that mission due to different acquisitions over time, we consolidated it into one more modern solution."

The ultimate decision for each type of security function also depended on the number and types of dependencies. For example, applications tend to be dependent on IAM, which meant that for the time being, Kenvue is going to stick with J&J's IAM systems. Over time, though, Wagner plans to migrate to a more modern IAM system.

In the end, Kenvue chose to adopt about half of its tech stack from J&J.

Choosing what to retain and what to replace can be tricky, notes Scott Crawford, research director for the 451 Research Information Security channel with S&P Global Market Intelligence. Typically, though, it comes down to weighing the tool's functionality and how well it will fit into the new company's architecture against other options that might be a better fit. In some cases, new investments may be required, while in others, subscription or licensing terms will have to be determined as part of spin-off costs, he says.

**The Right People, Working Together**

Another challenge Wagner faced was assembling the right combination of expertise for his cyber team. After evaluating the capabilities of existing J&J employees along with external candidates, he chose a combination of former J&J employees with deep business knowledge and new hires with modern technical and cyber skills. They included architects and engineers to implement defense controls, IAM experts, risk management leaders, and SecOps staff.

Wagner also chose to add one other type of personnel to his team: business information security officers (BISO), who act as intermediaries between the cyber organization and different business units. Wagner says that the BISO role is critical to his team's success.

"They focus on scouting what's new, the direction it's going, and how we can make sure the business is going about it securely," he explains.

With the tools and team in place, the final challenge was maintaining security for both J&J and Kenvue during the transition. It required constant communication among different functions, with daily meetings that included J&J leaders, Kenvue leaders, and suppliers to ensure that everything went smoothly.

With the foundation in place, Kenvue's security team is operating steadily, but Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.

Continuing to improve cybersecurity programs is critical to helping ensure scalability and adaptability over the long term, Crawford says. That means making greater use of automation to handle overwhelming volumes of data at speed and scale.

"Automation will have to become even more trusted to handle problems at the scale and level of detail," he said. "Forward-thinking CISOs are, without doubt, looking at these opportunities seriously."

**About the Author(s)**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

J&amp;J Spin-Off CISO on Maximizing Cybersecurity

Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC's four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.

Tom Tovar, CEO & Co-Creator, Appdome

April 25, 2024

4 Min Read

Source: Vladimir Zuev via Alamy Stock Photo

COMMENTARY

In an earlier article, I covered what the Securities and Exchange Commission's (SEC) SolarWinds' indictments and four-day rule mean for DevSecOps. Today, let's ask a different question: Where do cyber disclosures go from here?

Before I joined the cybersecurity industry, I was a securities lawyer. I spent a lot of time navigating the SEC rules and worked with the SEC on a regular basis. This article isn't legal advice. It's practical advice from someone with real, albeit distant, familiarity with the SEC.

**The SEC Indictment in a Nutshell**

On Oct. 30, 2023, the SEC filed a complaint against SolarWinds and its chief information security officer, charging "fraud and internal control failures" and "misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened —  and increasing — cybersecurity risks," including the impact of an actual attack on its systems and customers. 

**Putting the "Should" Question Aside **

I want to put aside whether the SEC should have taken action. There are a lot of voices on this topic already. Some argue that SolarWinds’ public cybersecurity statements were aspirational, not factual. Others take the position that the CISO shouldn’t be targeted because his department could not deliver the required defenses. He relied on others to do so. Finally, the amicus briefs filed in support of SolarWinds and its CISO argued that the case will have a chilling effect on hiring and retention of CISO roles, internal communication, efforts at improving cybersecurity, and more. 

**The Cyber-Disclosure Problem **

The SEC began its complaint by pointing out that the company filed its IPO registration statement in October 2018. That document had a boilerplate and hypothetical cybersecurity risk-factor disclosure. The same month, the SEC's complaint reads, "Brown wrote in an internal presentation that SolarWinds' 'current state of security leaves us in a very vulnerable state for our critical assets.'"

This discrepancy is a big one, and the SEC said it only got worse. Even though SolarWinds employees and executives knew about the increasing risks, vulnerabilities, and attacks against SolarWinds' products over time, "SolarWinds' cybersecurity risk disclosures did not disclose them in any way." To illustrate its point, the SEC listed all the public SEC filings following the IPO that included the same, unchanged, hypothetical, boilerplate cybersecurity risk disclosure. 

To paraphrase the SEC's complaint: "Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own … collectively they created such an increased risk …" that SolarWinds' disclosures became "materially misleading." Worse still, according to the SEC, SolarWinds repeated the generic boilerplate disclosures even as an accumulating number of red flags piled up. 

One of the first things you learn as a securities lawyer is that disclosures, risk factors, and changes to risk factors in a company's SEC filings are vastly important. They're used by investors and securities analysts in evaluating and recommending stock purchases and sales. I was surprised to read in one of the amicus briefs that "CISOs are not typically responsible for drafting or approving" public disclosures. Maybe they should be. 

**Proposing a Remediation Safe Harbor **

I want to propose something different: a remediation safe harbor for cybersecurity risks and incidents. The SEC wasn't blind to the question of remediation. In this regard, it said:

"SolarWinds also failed to remediate the issues described above ahead of its IPO in October 2018, and for many of them, for months or years afterwards. Thus, threat actors were able to later exploit the still unremediated VPN vulnerability to access SolarWinds' internal systems in January 2019, avoid detection for nearly two years, and ultimately insert malicious code resulting in the SUNBURST cyberattack."

In my proposal, if any company remediates the deficiencies or attack within the four-day time frame, it should be able to (a) avoid a fraud claim (i.e., nothing to talk about) or (b) use the standard 10Q and 10K process, including the Management Discussion and Analysis section, to disclose the incident. This may not have helped SolarWinds. When it disclosed the situation, its 8K said that the company's software "contained malicious code that had been inserted by threat actors" without any reference to remediation. Still, for countless other public companies facing the never-ending battle between attacker and defender, a remediation safe harbor would allow them the full four-day time frame to evaluate and respond to the incident. Then, if remediated, take the time to disclose the incident properly. The other benefit of this "remediate first" approach is that there will be more emphasis on cyber response and less impact to a company’s public stock. 8Ks could still be used for unresolved cybersecurity incidents. 

**Conclusion**

No matter where you come out on the question of whether the SEC should have acted or not, the question of how, when, and where we disclose cybersecurity incidents is going to be a big one for all cyber professionals. For my part, I think the CISO should control or, at the very least, approve the company's disclosures when cybersecurity incidents arise. More than that, the CISO should look for platforms that provide a single pane of glass to "see it and solve it" fast, with the least dependencies as possible. If we can encourage the SEC to embrace a remediate-first mindset, we just might open the door to better cybersecurity disclosure for everyone. 

**About the Author(s)**

CEO & Co-Creator, Appdome

Tom Tovar is the co-creator and CEO of Appdome, a one-stop shop for mobile app defense. He's a self-taught product creator, mobile app coder, hacker. He's serves as product advisor on several venture funded cyber companies, and previously as executive chairman of Badgeville, an enterprise digital motivation platform acquired by CallidusCloud, in several executive positions, including CEO, of Nominum, an intelligent-DNS security and services provider that was acquired by Akamai, and chief compliance officer, and operational executive in charge of business and corporate development, legal and channel at Netscreen Technologies acquired by Juniper Networks for $5B. He began his career as a corporate and securities attorney with Cooley Godward LLP. Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.

SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

PRESS RELEASE

Tampa Bay, FL (April 24, 2024) – KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced it has entered into a definitive agreement to acquire Egress, a leader in adaptive and integrated cloud email security. Egress’ Intelligent Email Security suite provides a set of scaled, AI-enabled security tools with adaptive learning capabilities to help prevent, protect and defend organizations against sophisticated email cybersecurity threats. Further terms of the transaction were not disclosed.

Organizations globally struggle to contain behavioral-based data breaches, with 74 percent of incidents involving the human element according to Verizon’s Data Breach Investigations Report. By acquiring Egress, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk. 

“The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture,” said Stu Sjouwerman, CEO, KnowBe4. “As integration partners for over a year with strong philosophical and cultural alignment, this acquisition is a natural progression for both companies to take human risk management and cloud email security to the next level.”

“KnowBe4 and Egress have a shared vision of delivering tailored and relevant security to each employee,” said Tony Pepper, CEO, Egress. “One of the biggest challenges organizations face is accurately identifying who the next source of compromise is – and why. By combining intelligence and analytics from integrated applications, companies can gain valuable insights across their entire cyber ecosystem, allowing them to focus on the risks that matter most.”

The announcement comes on the heels of significant achievements for both companies thus far in 2024. KnowBe4 recently announced its AI-native platform, Artificial Intelligence Defense Agents (AIDA), which incorporates advanced AI agents to power efficacy and speed. Recent notable awards include being recognized as a Top Software Winner by G2 and a winner of Energage’s Top Workplaces USA for 2024. Meanwhile, Egress launched its AI-powered Automated Abuse Mailbox in early April and received several award recognitions, including Security Innovation of the Year (Computing Security Excellence Awards), Best Email Security Solution, Best Data Leak Prevention Solution (SC Awards Europe) and Best Place to Work in the UK (Great Places to Work 2024).

The transaction is expected to close in the coming months subject to customary closing conditions and regulatory approvals.

Egress is backed by FTV Capital and AlbionVC. Citi served as exclusive financial advisor to Egress and Orrick, Herrington & Sutcliffe LLP served as legal counsel to Egress.

For more information on KnowBe4, visit www.knowbe4.com. For more information on Egress, visit www.egress.com. 

About KnowBe4   
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 65,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. The late Kevin Mitnick, who was an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Organizations rely on KnowBe4 to mobilize their end users as their last line of defense and trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email. 

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

KnowBe4 to Acquire Egress

PRESS RELEASE

Houston, Texas – Black Girls Do Engineer recently signed an Education Partnership Agreement (EPA) with the National Security Agency in an effort to continue playing a key role in developing science and technology talent for possible national security challenges.

The National Security Agency (NSA) partners with select universities and nonprofit organizations as part of the Agency’s Minority Serving Institution (MSI) Hacking 4 Intelligence (H4I) program. It is a program where the U.S. Government and industry partners, collaborate to solve national security problems. The program engages HBCU students and college bound students studying STEM disciplines.

Black Girls Do Engineer, a 501c3 nonprofit organization that provides access, education and resources to Black students K-12 in STEM was selected to participate because of its stellar reputation in hosting cohorts of students through various STEM subjects including co-ed HBCU and High School programs, utilizing Microsoft technology to do so.

The NSA’s collaborative H4I program is for students to have the opportunity to cultivate essential skills by deconstructing and analyzing NSA and Microsoft problem sets, all while collaborating and networking with government and industry partners. Students will form interdisciplinary teams and work to solve real-world NSA and Microsoft problem sets. At the end of a 12-week cohort, students exit the program with a minimum viable product ready for deployment.

“This partnership with NSA will allow our program to provide our cybersecurity resources and curriculum to Higher Education institutions through our developed BGDE digital infrastructure enhanced by Microsoft tools,” states Kara Branch the Founder and CEO of Black Girls Do Engineer.

Black Girls Do Engineer’s licensed STEM curriculum is committed to excellence in cyber defense education and research. Some of its programs include cybersecurity, artificial intelligence, data science and a host of technical training. Higher education programs include their design Badge A Thon event offered for college students.

“This collaboration will allow our national impact to reach new heights with higher education students,” concludes Kara Branch, Founder and CEO of Black Girls Do Engineer.

About Black Girls Do Engineer

As the fastest growing nationwide program for Black girls in STEM., BGDE has been dubbed “The Ivy League of Nonprofits.” The program is application-based and offers full-time membership-based STEM camps and workshops to Black girls in grades K through 12, with mentorship and individual workshops offered to college students up through age 21. The program currently has a 100% college acceptance rate and 100% job placement rate among its members. Since its launch in 2019, BGDE has served 4,000 girls though its program. The nonprofit has also helped secure its members $44,000 in STEM-related college scholarships.

BGDE futuristic programs of study include: A.I., Energy, Audio/Visual, Aerospace, Engineering, Medical, Robotics and Coding. Mentoring includes: College Prep, Financial Literacy, Upskilling, and Mentorship from professionals working in these fields offering real life experience.

Source

DARKReading