Though organizations are increasingly incorporating zero-trust strategies, for many, these strategies fail to address the entirety of an operation, according to Gartner.

Source: Artemis Diana via Alamy Stock Photo

According to the latest research by Gartner Inc., 63% of organizations globally have implemented a zero-trust strategy into their operations, whether that be partially or fully. 

More than half (56%) of that group said they were doing so because a zero-trust approach is considered to be "an industry best practice." However, a zero-trust strategy often addresses only half of an organization's environment, at most, in many cases, said John Watts, vice president analyst and KI leader at Gartner. 

"Enterprises are not sure what top practices are for zero-trust implementations," he noted in the firm's announcement on the survey, which was conducted in the fourth quarter of 2023.

Gartner has three recommendations for security leaders looking to implement a zero-trust strategy: recognize the scope of what it can reasonably cover (which usually is not the entirety of an organization); incorporate metrics to measure success and risk, and keep your audience in mind when communicating such information; and prepare for an increase in staffing and costs.

These practices potentially can make the transition to zero trust more successful and beneficial to organizations. While 35% of organizations reported failures that interrupted their implementation of zero-trust strategies, Watts added that "organizations should have a zero-trust strategic plan outlining operational metrics and measure the effectiveness of zero-trust policies in order to minimize delays."

**About the Author(s)**

Zero Trust Takes Over: 63% of Orgs Implementing Globally

The five intelligence sources that power social engineering scams.

Source: LightField Studios Inc. via Alamy Stock Photo

COMMENTARY

Social engineering is one of the most prevalent attack vectors used by cyber scammers to infiltrate organizations. These manipulative attacks typically are executed in four phases: 

1.  Information gathering (attacker gathers information about the target)
    
2.  Relationship development (attacker engages the target and earns their trust)
    
3.  Exploitation (attacker persuades the target to carry out an action)
    
4.  Execution (the information collected through exploitation is operationalized to execute the attack)
    

The first phase obviously is the most important — without the right information, it can be difficult to execute a targeted social engineering attack. 

**Five Sources of Intelligence**

So how do attackers gather data about their targets? There are five sources of intelligence cybercriminals can use to gather and analyze information about their targets. They are:

1\. OSINT (open source intelligence)

OSINT is a technique hackers use to collect and assess publicly available information about organizations and their people. Threat actors can use OSINT tools to learn about their target's IT and security infrastructure; exploitable assets such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers, and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers weaponize this information to launch social engineering attacks.

2\. SOCMINT (social media intelligence)

Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: their headshot, their interests and hobbies, their family, friends and connections, where they live and work, their current job position, and lots of other details. Using SOCINT tools such as Social Analyzer, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams. 

3\. ADINT (advertising intelligence)

Say you download a free chess app on your phone. There's a small area on the app that serves location-based ads from sponsors and event organizers, updating users on local players, events, and chess meetups. Whenever this ad gets displayed, the app shares certain details about the user with the advertising exchange service, which includes things like IP addresses, the type of operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information for serving up relevant ads based on user interest, activity, and location. Ad exchanges also sell this valuable data. What if a threat actor or a rogue government buys this information? That's exactly what intelligence agencies and adversaries have been doing to track activity and hack their targets. 

4\. DARKINT (Dark Web intelligence)

The Dark Web is a billion-dollar illicit marketplace transacting corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, et al. Billions of stolen records (personally identifiable information, healthcare records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the Dark Web. Threat actors can purchase off-the-shelf data and mobilize it for their social engineering schemes. They can also choose to outsource professionals who will socially engineer people on their behalf or discover hidden vulnerabilities in target organizations. In addition, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets. 

5\. AI-INT (AI intelligence)

Some analysts are calling AI the sixth intelligence discipline, on top of the five core disciplines. With recent advancements in generative AI technology like Google Gemini and ChatGPT, it's not hard to imagine cybercriminals deploying AI tools to mine, assimilate, process, and filter information about their targets. Threat researchers are already reporting the presence of malicious AI-based tools that are popping up in Dark Web forums such as FraudGPT and WormGPT. Such tools can significantly reduce the research time for social engineers and provide actionable information they can use to execute social engineering schemes. 

**What Can Businesses Do to Mitigate Social Engineering Attacks?**

The root cause of all social engineering attacks is information and the careless handling of it. If businesses and employees can reduce their information exposure, they will lower social engineering attacks by a significant degree. Here's how:

*   Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, their coworkers, or the organization.
    
*   Draft AI-use policies: Make it clear to employees what is acceptable and unacceptable online behavior. For example, prompting ChatGPT with a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
    
*   Leverage the same tools hackers use: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your people, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
    

Good cybersecurity hygiene begins with clamping down on root causes. The root cause behind 80% to 90% of all cyberattacks is attributed to social engineering and bad judgement. Organizations must focus on two things primarily: reducing information exposure and controlling human behavior via training exercises and education. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.

**About the Author(s)**

Founder & CEO, KnowBe4, Inc.

Stu Sjouwerman is founder and CEO of KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Where Hackers Find Your Weak Spots

SecOps highlights this week include the executive role in "cyber readiness;" Cisco's Hypershield promise; and Middle East cyber ops heat up.

Source: Panther Media GmbH via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In This Issue of CISO Corner:**

*   GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories
    
*   Break Security Burnout: Combining Leadership With Neuroscience
    
*   Global: Cyber Operations Intensify in Middle East, With Israel the Main Target
    
*   Cisco's Complex Road to Deliver on Its Hypershield Promise
    
*   Rebalancing NIST: Why 'Recovery' Can't Stand Alone
    
*   3 Steps Executives and Boards Should Take to Ensure Cyber Readiness
    
*   Rethinking How You Work With Detection and Response Metrics
    

**GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories**

By Nate Nelson, Contributing Writer, Dark Reading

A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that's about to change, according to a team of academics.

Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren't as effective.

Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis a promising use-case example.

Read more: GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

Related: First Step in Securing AI/ML Tools Is Locating Them

**Break Security Burnout: Combining Leadership With Neuroscience**

By Elizabeth Montalbano, Contributing Writer, Dark Reading

Widely reported burnout among cybersecurity professionals is only getting worse. It starts at the top with pressure on CISOs mounting from all sides — regulators, boards, shareholders, and customers — to assume all the responsibility for an entire organization's security, without much control of budgeting or priorities. Wider enterprise cybersecurity teams are wearing down too under the weight of putting in long, stressful hours to prevent seemingly inevitable cyberattacks.

Certainly awareness of the stress and strain driving talent away from the cybersecurity profession is widely acknowledged, but workable solutions have been elusive.

Now two professionals looking to break what they call the "security fatigue cycle" say leaning on neuroscience can help. Peter Coroneros, founder of Cybermindz and Kayla Williams, CISO of Devo, have come together to advocate for more empathetic leadership informed by a better understanding of mental health, and will be presenting their ideas in more detail at this year's RSA Conference.

For example, they found tools like iRest (Integrative Restoration) attention training techniques, which have been used for 40 years by US and Australian militaries help people under chronic stress get out of the "flight-or-flight" state and relax. iRest could also be a useful tool for frazzled cybersecurity teams, they said.

Read more: Break Security Burnout: Combining Leadership With Neuroscience

**Global: Cyber Operations Intensify in Middle East, With Israel the Main Target**

By Robert Lemos, Contributing Writer, Dark Reading

The unraveling crisis in the Middle East continues to produce historic volumes of cyberattacks to support military operations.

There are two categories of adversary groups at work, according to experts — nation-state threat actors working as an arm of a military operation and hacktivist groups attacking willy-nilly based on opportunity and a victim's perceived proximity to the group's enemies.

Israel's National Cyber Directive boss said Iranian- and Hezbollah-affiliated groups have been trying to take down the country's networks "around the clock."

Cybersecurity experts warns Israel should prepare for destructive cyberattacks to continue as the Iran-Israel cyber conflict escalates.

Read more: Cyber Operations Intensify in Middle East, With Israel the Main Target

Related: Iran-Backed Hackers Blast Out Threatening Texts to Israelis

**Cisco's Complex Road to Deliver on Its Hypershield Promise**

By Robert Lemos, Contributing Writer

Cisco's big reveal of its AI-powered cloud security platform Hypershield was big on buzzwords and left industry watchers with questions about how the tool is going to deliver on its pitch.

Automated patching, anomalous behavior detection and blocking, AI-agents maintaining real-time security controls around every workload, and a new "digital twin" approach are all touted as Hypershield features.

The modern approach would be a major step forward "If they pull it off," David Holmes, a principal analyst with Forrester Research said.

Jon Oltisk, analyst emeritus at Enterprise Strategy Group, compared Hypershield's ambitions to the development of driver-assist features in cars, "The trick is how it comes together."

Cisco Hypershield is scheduled for release in August.

Read more: Cisco's Complex Road to Deliver on Its Hypershield Promise

Related: First Wave of Vulnerability-Fixing AIs Available for Developers

**Rebalancing NIST: Why 'Recovery' Can't Stand Alone**

Commentary By Alex Janas, Field Chief Technology Officer, Commvault

Although NIST's new guidance on data security is an important basic overview, but falls short on offering best practices for how to recover from a cyberattack once it's already happened.

Today, organizations need to assume they have been, or will be, breached and plan accordingly. That advice is perhaps even more important than the other elements of the new NIST framework, this commentary argues.

Companies should immediately work to address any gaps in cybersecurity preparedness and response playbooks.

Read more: Rebalancing NIST: Why 'Recovery' Can't Stand Alone

Related: NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

**3 Steps Executives and Boards Should Take to Ensure Cyber Readiness**

Commentary By Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

Working to develop an effective and tested incident response plan is the best thing executives can do to prepare their organization for a cyber incident. Most major mistakes happen in the first "golden hour" of a cyber incident response, the commentary explains. That means ensuring every member of the team has a well-defined role and can get to work quickly on finding the best path forward, and crucially, not making remediation errors that can upend recovery timelines.

Read more: 3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Related: 7 Things Your Ransomware Response Playbook Is Likely Missing

**Rethinking How You Work With Detection and Response Metrics**

By Jeffrey Schwartz, Contributing Writer, Dark Reading

During the recent Black Hat Asia conference Allyn Stott, senior staff engineer with Airbnb challenged every security professional to rethink the role metrics play in their organization's threat detection and response.

Metrics drive better performance and help cybersecurity managers demonstrate how detection and response program investment translates into less business risk to leadership.

The single most important security operations center metric: alert volume, Stott explained. He added looking back over his past work, he regrets how much he leaned on the MITRE ATT&CK framework. He recommends incorporating others including SANS SABRE framework and Hunting Maturity Model.

Read more: Rethinking How You Work With Detection and Response Metrics

Related: SANS Institute Research Shows What Frameworks, Benchmarks, and Techniques Organizations Use on their Path to Security Maturity

CISO Corner: Breaking Staff Burnout, GPT-4 Exploits, Rebalancing NIST

PRESS RELEASE

TEL AVIV, Israel -- (BUSINESS WIRE)-- Miggo, a cybersecurity startup introducing the first Application Detection and Response (ADR) platform, announced today $7.5 million in seed funding led by global cybersecurity VC firm YL Ventures with the participation of CCL (Cyber Club London), cybersecurity leaders from Elastic and Everon and former CISOs of Google, Zscaler and Nike. Miggo's ADR platform addresses a critical gap in application security by enabling security teams to detect and respond to targeted application attacks in real-time.

2023 saw a rise in high-profile application attacks that went undetected by traditional tools. The MOVEit, Microsoft SharePoint, Ivanti Gateway and GoAnywhere breaches highlight critical AppSec blind spots of application behavior in runtime and how attackers are hedging their bets on this well-known, ongoing security gap. According to Justin Somaini, Partner at YL Ventures and former CISO of Unity, SAP and Yahoo!, “Applications in production constitute one of the few true blind spots of today’s security programs. Last year’s incidents alone underscore how critically we need to secure the application layer. This is a space that still needs a lot of innovation to address what traditional tools cannot.”

Today, applications are the primary target of nearly 80% of data attacks, according to Verizon’s 2023 Data Breach Investigations Report. More recent shifts to distributed application architecture, which requires multiple chains of trust between different services, have further broadened the domain’s threat landscape. Attackers can manipulate flows between services without detecting existing security sensors like EDR, WAF and CNAPP tools. The only way to identify such malicious activity is with direct views into applications while they're running.

Under the leadership of Daniel Shechter, CEO and co-founder, and Itai Goldman, CTO and co-founder, Miggo developed a platform that analyzes interactions and data flows within applications to detect and mitigate attacks before they can escalate into breaches. "We need to proactively tackle this massive and largely unseen attack surface. Not only do we need precise detection and response for unexpected behaviors directly in live application environments, but also insight and understanding into the inner workings of today’s distributed applications as they run," explained Shechter.

Miggo's technology precisely discovers and maps the architecture of distributed applications to establish behavioral baselines and monitor for deviations from intended design or code execution flows. Leveraging live in-application context, Miggo determines if a deviation indicates that the application is exploitable, under active exploitation or backdoored, and initiates targeted mitigations to contain breaches by pinpointing the offender and affected areas to recommend precise remediation strategies.

The combined ability to detect live threats to applications and respond within the applications themselves are key innovations, according to CISO Mike Melo. “Miggo is finally providing transparency for our most significant attack vector with the exact tools each stakeholder requires to protect and defend mission-critical assets. ADR is the unified solution we need to not only give us application-layer visibility and control but also dramatically lower our mean time to detect and respond to application attacks,” he said.

Discover how Miggo can safeguard your applications against the next generation of cyber threats. Visit miggo.io for more information and to schedule a demo.

About Miggo  
Miggo is the first Application Detection and Response platform, providing the visibility, response and understanding you need to prevent application breaches. Using in-application context to shed light on your biggest attack surface, Miggo’s ADR enables businesses to monitor how applications behave in runtime and stop attackers from manipulating chains of trust between distributed services. With Miggo, monitor application weak spots and identify and mitigate attacks in real-time. Visit miggo.io for more information.

About YL Ventures  
YL Ventures funds and supports visionary cybersecurity entrepreneurs from seed to scale to help them evolve transformative ideas into market-leading companies. The firm accelerates company growth with tailored support through its powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of multidisciplinary experts. Based in Silicon Valley, New York and Tel Aviv, YL Ventures manages five funds with $800M in total AUM. The firm has a track record of seeding cybersecurity unicorns such as Axonius and Orca Security and its portfolio companies have been successfully acquired by high-profile, global industry leaders including Palo Alto Networks, Microsoft, Okta and Proofpoint. In 2022, YL Ventures ranked 8th out of over 250 venture capital firms in PitchBook’s prestigious Global Manager Performance Score League Tables and was the only cybersecurity-focused VC to secure a top 10 spot.

Miggo Launches Application Detection and Response (ADR) Solution

Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.

Source: II.studio via Shutterstock

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

**A Brief History of CryptoChameleon**

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta\[.\]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' \[I told them\] 'You spent 23 minutes on the phone with these guys. You probably did.'"

**The Damage**

LastPass shut down the suspicious domain used in the attack — help-lastpass\[.\]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at \[email protected\]."

**Is There Any Defense?**

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following:

*   Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign. 
    
*   If you do see this activity and are concerned you may have been compromised, contact the company at \[email protected\].
    
*   And finally, LastPass will never ask you for your password.
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

Airbnb's Allyn Stott recommends adding the Human Maturity Model (HMM) and the SABRE framework to complement MITRE ATT&CK to improve security metrics analysis.

Source: Dzmitry Skazau via Alamy Stock Photo

Sorting the false positives from the true positives: Ask any security operations center professional, and they'll tell you it's one of the most challenging aspects of developing a detection and response program.

As the volume of threats continues to rise, having an effective approach to measuring and analyzing this kind of performance data has become more critical to an organization's detection and response program. On Friday at the Black Hat Asia conference in Singapore, Allyn Stott, senior staff engineer at Airbnb, encouraged security professionals to reconsider how they use such metrics in their detection and response programs — a topic he broached last year's Black Hat Europe.

"At the end of that talk, a lot of the feedback I received was, 'This is great, but we really want to know how we can get better at metrics,'" Stott tells Dark Reading. "That's an area where I've seen a lot of struggles."

**The Importance of Metrics**

Metrics are critical in assessing the effectiveness of a detection and response program because they drive improvement, reduce the impact of threats, and validate investment by demonstrating how the program lowers risk to the business, Stott says.

"Metrics help us communicate what we do and why people should care," Stott says. "That's especially important in detection and response because it's very difficult to understand from a business perspective.”

The most critical area for delivering effective metrics is alert volume: "Every security operations center I've ever worked in or ever walked foot in, it's their primary metric," Stott says.

Knowing how many alerts are coming in is important but, by itself, is still not enough, he adds.

"The question is always, 'How many alerts are we seeing?'" Stott says. "And that doesn't tell you anything. I mean, it tells you how many alerts the organization receives. But it doesn't actually tell you if your detection and response program is catching more things."

Effectively leveraging metrics can be complex and labor-intensive, adding to the challenge of effectively measuring threat data, Stott says. He acknowledges that he has made his share of mistakes when it comes to engineering metrics to assess the effectiveness of security operations.

As an engineer, Stott routinely evaluates the effectiveness of the searches he conducts and the tools he uses, seeking to get accurate true- and false-positive rates for detected threats. The challenge for him and most security professionals is connecting that information to the business.

**Implementing Frameworks Properly Is Critical **

One of his biggest mistakes was his approach in focusing too much on the MITRE ATT&CK framework. While Stott says he believes it provides critical details on threat actors' different threat techniques and activities and organizations should use it, that doesn't mean they should apply it to everything.

"Every technique can have 10, 15, 20, or 100 different variations," he says. "And so having 100% coverage is kind of a crazy endeavor."

Besides MITRE ATT&CK, Stott recommends using the SANS Institute's Hunting Maturity Model (HMM), which helps describe an organization's existing threat-hunting capability and provides a blueprint for improving it.

"It gives you the ability to, as a metric, say where you're at as far as your maturity today and how the investments you're planning to make or the projects you're planning to do will increase your maturity," Stott says.

He also recommends using the Security Institute's SABRE framework, which provides risk management and security performance metrics validated with third-party certifications.

"Rather than test across all of the MITRE ATT&CK framework, you're actually working on a prioritized list of techniques, which includes using MITRE ATT&CK as a tool," he says. "That way, you're not just looking at your threat intel but also at security incidents and threats that would be critical risks for the organization."

Use of these guidelines for metrics requires buy-in from CISOs, since it means gaining organizational adherence to these different maturity models. Nevertheless, it tends to be driven by a bottom-up approach, where threat intelligence engineers are the early drivers.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Rethinking How You Work With Detection and Response Metrics

Securing the presidential election requires vigilance and hardened cybersecurity defenses.

Shawn Henry, Chief Security Officer, CrowdStrike

April 19, 2024

3 Min Read

Source: thinkx2 via Alamy Stock Photo

COMMENTARY

Foreign adversaries have attempted to disrupt the US elections for years through various methods. This includes espionage and "hack and leak" campaigns that steal sensitive data and later amplify it in public forums. Today, generative AI (GenAI) is altering the battlefield for attacks, and in the modern information ecosystem where misinformation and disinformation can spread rapidly, it has the potential to transform geopolitics.

Throughout my 24-year career with the FBI, I witnessed sophisticated adversaries attempt to sow confusion and cripple networks, as cyber-threat actors developed tools and tactics to disrupt businesses, governments, and more. The malicious use and proliferation of GenAI in 2024 presents one of the toughest challenges we'll face in an election year. 

**Adversaries Continue on Their Path to Disrupt and Dismantle**

Nation-state adversaries affiliated with and tied to the motivations of foreign governments have the resources to scale operations, and pose a constant threat to democracy. As we've seen previously, it's likely that threat actors from China, Russia, and Iran (charged for sending fake, intimidating emails to US voters in 2020) will seek to interfere with the 2024 US election.

Adversaries may seek to target actual election infrastructure itself, including the hardware and software used to tally and transmit votes, as well as political campaign assets. While some actors have leveraged information operations, generative AI is poised to increase the attractiveness of this malicious activity. With GenAI, it is easier than ever for threat actors to create content and influence narratives that support their underlying goals and objectives. This, in turn, can undermine public confidence and perceptions of political issues, parties, and candidates.

In fact, we're already starting to see the impacts. Threat actors from China recently weaponized deepfakes ahead of Taiwan's election, aiming to increase the voting public's confidence in candidates more diplomatic to China. Fabricated information campaigns stemming from state-nexus entities will not be novel in 2024; however, generative AI will make deciphering what is real or not infinitely more difficult. 

The rise of GenAI has also lowered the barrier of entry for virtually anyone to interfere with elections. Less sophisticated hackers or hacktivists with a specific geopolitical goal may be able to create high-quality disinformation campaigns with relative ease. We've already seen a local magician make global headlines this year by using AI to create fake robocalls, and it's only April.

**Countering These Growing Threats**

So, what can be done? When it comes to protecting the disparate election systems, it is critical to apply a risk-informed approach. At the heart of this is hardening environments to protect systems and stop breaches, 24/7 continuous monitoring of systems, and deep visibility into critical areas of risk, including endpoints, cloud, and identity. Employing both threat hunting and threat intelligence is equally as important, as these tools help to proactively protect against adversaries who may attempt to penetrate networks.

State and local elections administration entities have improved their security over the past several election cycles. So too have political parties and campaign entities. But additional attention and investment is warranted.

With respect to information operations, we must continue to raise awareness. Defending against this threat starts with vigilance from everyone. Citizens must be on alert and validate the origin of information they are consuming, consider the source's political stance and objective, and attempt to validate information through trusted sources prior to amplifying it. All Americans have a crucial role to play in critically analyzing the information they are getting and, more importantly, sharing 

Social media companies and GenAI companies should work to detect and prevent threat actors' use of their tools and platform. At a minimum this means cooperating with each other where appropriate and collaborating with cybersecurity companies and IT providers that have experience tracking these groups.

In 2024, voters in all 50 states and across 55 countries will participate in elections, providing numerous opportunities for adversaries with various motivations to disrupt and dismantle confidence in democracy. With proper awareness, preparation, and cybersecurity best practices in place, we can take a big step forward in defending democracy in the digital age. Failure to do so could be catastrophic.

**About the Author(s)**

Chief Security Officer, CrowdStrike

Shawn Henry serves as chief security officer and is one of the company's longest tenured executive leaders, having joined in 2012 after retiring from the FBI senior executive service. In Henry’s role, he oversees all security aspects of CrowdStrike, including the company's information security, business continuity and resiliency, and risk reduction programs, as well as the physical security of CrowdStrike's global facilities, personnel, executive protection, and corporate events. Prior to joining CrowdStrike, Shawn oversaw half of the FBI's investigative operations as Executive Assistant Director, including all FBI criminal and cyber investigations worldwide, international operations, and the FBI's critical incident response to major investigations and disasters.

AI Lowers Barrier for Cyber-Adversary Manipulation in 2024 Election

Malformed DOS paths in file-naming nomenclature in Windows could be used to conceal malicious content, files, and processes.

Source: Robert Adrian Hillman via Alamy Stock Vector

BLACK HAT ASIA – Singapore – A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.

That's according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session here this week. He also detailed four different vulnerabilities related to the issue, which he dubbed "MagicDot" - including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.

**Dots & Spaces in DOS-to-NT Path Conversion**

The MagicDot group of problems exist thanks to the way that Windows changes DOS paths to NT paths.

When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that's a DOS path that follows the "C:\\Users\\User\\Documents\\example.txt" format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile asks for an NT path and not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.

The exploitable problem exists because, during the conversion process, Windows automatically removes any periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths like these:

*   C:\\example\\example<space>    
    

are all converted to "\\??\\C:\\example\\example" as an NT path.

Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice, which could then be used to either render files unusable or to conceal malicious content and activities.

**Simulating an Unprivileged Rootkit**

The MagicDot issues first and foremost create the opportunity for a number of post-exploitation techniques that help attackers on a machine maintain stealth.

For instance, it's possible to lock up malicious content and prevent users, even admins, from examining it. "By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them ... users would not be able to read, write, delete, or do anything else with them," Yair explained in the session.

Then, in a related attack, Yair found that the technique could be used to hide files or directories within archive files.

"I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it," Yair said. "As a result, I was able to place a malicious file inside an innocent zip — whoever used Explorer to view and extract the archive contents was unable to see that file existed inside."

A third attack method involves masking malicious content by impersonating legitimate file paths.

"If there was a harmless file called 'benign,' I was able to \[use DOS-to-NT path conversion\] to create a malicious file in the same directory \[also named\] benign," he explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. "As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead," leaving the victim none the wiser that they were actually opening malicious content.

Taken together, manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges, explained Yair, who published detailed technical notes on the attack methods in tandem with the session.

"I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more," he said — all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information.

"It's important that the cybersecurity community recognize this risk and consider developing unprivileged rootkit detection techniques and rules," he warned.

**A Series of "MagicDot" Vulnerabilities**

During his research into the MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.

One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows's new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that would write anywhere they choose on a remote computer once extracted, leading to code execution.

"Basically, let's say you upload an archive to your GitHub repository advertising it as a cool tool available for download," Yair tells Dark Reading. "And when the user downloads it, it's not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous."

A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the restoration process of a previous version from a shadow copy.

The third bug is Process Explorer unprivileged DOS for anti-analysis bug, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to "unexpected behavior" but hasn't yet issued a CVE or a fix for it.

"I create a folder inside the demo folder called …<space> and inside, I write a file named c.txt," Yair explained. "Then when an administrator attempts to delete the …<space> folder, the entire demo folder is deleted instead."

**Potentially Wider "MagicDot" Ramifications**

While Microsoft addressed Yair's specific vulnerabilities, the DOS-to-NT path conversion auto-stripping of periods and spaces persists, even though that's the root cause of the vulnerabilities.

"That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue," the researcher tells Dark Reading. "This issue is still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about."

He adds that the problem has ramifications beyond Microsoft.

"We believe the implications are relevant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software," he warned in his presentation.

Meanwhile, software developers can make their code safer against these types of vulnerabilities by utilizing NT paths rather than DOS paths, he noted.

"Most high-level API calls in Windows support NT paths," Yair said in his presentation. "Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on."

For businesses, security teams should create detections that look for rogue periods and spaces within file paths.

"There are pretty easy detections that you can develop for these, to look for files or directories, that have trailing dots or spaces in them, because if you find those, on your computer, it means that someone did it on purpose because it's not that easy to do," Yair tells Dark Reading. "Normal users can't just create a file with ends with a dot or space, Microsoft will prevent that. Attackers will need to use a lower API that is closer to the kernel, and will need some expertise to accomplish this."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Source

DARKReading