The local phone and business communications company said that attackers accessed unspecified PII, after infiltrating its internal networks.

A blue whale breaching out of the oceanSource: Kerry Hargrove via Alamy Stock Photo

Texas-based Frontier Communications, which provides local residential and business telecom services in 25 states, has shut down its operations in the wake of a cyberattack that resulted in the theft of personally identifiable information (PII).

The breach occurred four days ago on April 14, when it detected a breach by an unauthorized third party who had gained access to "portions of its information technology environment," according to an incident filing with the US Securities & Exchange Commission (SEC).

As part of its containment efforts, Frontier took "certain of the company's systems \[offline, which\] resulted in an operational disruption that could be considered material." It reported that while its core IT environment is up and running, normal business operations have yet to resume; and as of this writing, the telco's website was still offline.

Frontier didn't disclose what PII the cyberattacker accessed or who's affected, nor the suspected nature of the adversary. Telecom companies are a popular target for both financially motivated attackers as well as advanced persistent threats (APT), given the rich data repositories they hold. For instance, the Sandman APT was behind a prolific string of attacks last fall bent on stealing call-data records, mobile subscriber identity data, and metadata from carrier networks.

"The company continues to investigate the incident, has engaged cybersecurity experts, and has notified law enforcement authorities," according to the SEC filing. "The company does not believe the incident is reasonably likely to materially impact the company's financial condition or results of operations."

**About the Author(s)**

Cyberattack Takes Frontier Communications Offline

It turns out that a powerful security solution can double as even more powerful malware, capable of granting comprehensive access over a targeted machine.

Source: Maurice Norbert via Alamy Stock Photo

A creative exploit of Palo Alto Networks' extended detection and response (XDR) software could have allowed attackers to puppet it like a malicious multitool.

In a briefing at Black Hat Asia this week, Shmuel Cohen, security researcher at SafeBreach, described how he not only reverse-engineered and cracked into the company's signature Cortex product but also weaponized it to deploy a reverse shell and ransomware.

All but one of the weaknesses associated with his exploit have since been mended by Palo Alto. Whether other, similar XDR solutions are vulnerable to a similar attack is as yet unclear.

**A Devil's Bargain in Cybersecurity**

There is an inescapable devil's bargain when it comes to using certain kinds of far-reaching security tools. In order for these platforms to do their jobs, they must be granted highly privileged carte blanche access over every nook and cranny in a system.

For instance, to perform real-time monitoring and threat detection across IT ecosystems, XDR demands the highest possible permissions, and access to very sensitive information. And, to boot, it can't be easily removed. It was this immense power wielded by these programs that inspired in Cohen a twisted idea.

"I thought to myself: Would it be possible to turn an EDR solution itself into malware?" Cohen tells Dark Reading. "I'd take all these things that the XDR has and use them against the user."

After picking a laboratory subject — Cortex — he began reverse-engineering its various components, trying to figure out how it defined what is and isn't malicious.

A lightbulb switched on when he discovered a series of plaintext files the program relied on more than most.

**How to Turn XDR Evil**

"But those rules are inside my computer," Cohen thought. "What would happen if I manually removed them?"

It turned out that Palo Alto had thought of this already. An anti-tampering mechanism prevented any user from touching those precious Lua files — except the mechanism had an Achilles' heel. It worked by protecting not each individual Lua file by name, but the folder that encapsulated them all. To reach the files he wanted, then, he wouldn't have to undo the anti-tampering mechanism, if he could just reorient the path used to reach them and bypass the mechanism altogether.

A simple shortcut probably wouldn't have sufficed, so he used a hard link: the computer's way of connecting a filename with the actual data stored on a hard drive. This allowed him to point his own new file to the same location on the drive as the Lua files.

"The program was not aware that this file was pointing to the same location in the hard disk as the original Lua file, and this allowed me to edit the original content file," he explains. "So I created a hard link to the files, edited and removed some rules. And I saw that as I removed them — and did another little thing that caused the app to load new rules—I could load a vulnerable driver. And from there, the whole computer was mine."

After taking complete control in his proof of concept attack, Cohen recalls, "What I did first was change the protection password on the XDR so it cannot be removed. I also blocked any communication to its servers."

Meanwhile, "Everything seems like it's working. I can hide the malicious activities from the user. Even for an action which would've been prevented, the XDR won't provide a notification. The endpoint user will see the green marks that indicate everything is OK, while underneath I'm running my malware."

The malware he decided to run was, first, a reverse shell, enabling full control over the targeted machine. Then he successfully deployed ransomware, right under the program's nose.

**The Fix Palo Alto Didn't Make**

Palo Alto Networks was receptive to Cohen's research, working closely with him to understand the exploit and develop fixes.

There was one vulnerability in his attack chain, however, that they chose to leave as is: the fact that Cortex's Lua files are stored entirely in plaintext, with no encryption whatsoever, despite their highly sensitive nature.

That seems alarming, but the reality is that encryption wouldn't be much of a deterrent for attackers, so after discussing the matter, he and the security company agreed that they didn't need to change that. As he notes, "The XDR eventually needs to understand what to do. So even if it's encrypted, at some point in its operation it will need to decrypt those files in order to read them. So attackers could just catch the content of the files then. It would be one more step for me in order to read those files, but I can still read them."

He also says that other XDR platforms are likely susceptible to the same kind of attack.

"Other XDRs will implement this differently, maybe," he says. "Maybe the files will be encrypted. But no matter what they will do, I can always bypass it."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Evil XDR: Researcher Turns Palo Alto Software Into Perfect Malware

The tech giant tosses together a word salad of today's business drivers — AI, cloud-native, digital twins — and describes a comprehensive security strategy for the future, but can the company build the promised platform?

Source: Peach Shutterstock via Shutterstock

The cybersecurity industry has no shortage of problems: Attackers are using automation to shorten their time to exploit, patching software is burdensome, establishing defenses such as segmentation remains difficult, and a shortage of cybersecurity-skilled workers holds back efforts in all of these areas.

No wonder, then, that Cisco has decided to launch an AI-powered, distributed security platform for protecting cloud workloads and artificial intelligence (AI) systems from cybersecurity threats. Dubbed Hypershield, the platform will push security out to the edge, using AI-augmented agents to maintain security controls around every workload in the data center and even distributed, connected devices. Cisco says the platform will be able to patch environments automatically, test software updates within the environment using simulated systems known as digital twins, and block attacks by detecting anomalous behavior.

Hyperbole was not in short supply, and "reimagined" seemed to be the word of the day.

Jeetu Patel, executive vice president and general manager of Cisco's security and collaboration division, called it "one of the largest platform shifts that we've experienced during our lifetimes."

"For the past gazillion years, when we've looked at security, the advantage has always been on the side of the adversary," Patel said during a press conference announcing Hypershield. "We are now approaching an era ... where ... because \[of this platform\], you might have a world where you might have an advantage as a defender, and wouldn't that be a wonderful world to live in."

Cybersecurity is certainly a field that could benefit from using AI for augmentation or as an assistant, and pushing security to the distributed edge — closer to the devices to be secured — can help simplify some aspects of vast networks that need to be secured.

The company's choice of technologies makes sense, says David Holmes, a principal analyst with Forrester Research. By using eBPF, a technology that allows sandboxed programs to run in a privileged context, pieces of the workload can be instrumented, and data processing units (DPUs) allow efficient processing of data using high-bandwidth network interfaces.

"They are describing a more modern approach to building a private cloud data center architecture, and that’s good," Holmes says. "eBPF for automation \[and\] security, container-like workloads — their DPUs — overall, this is good for the industry if they pull it off."

**Digital Twins Allow Automated Patching**

Craig Connors, chief technology officer of Cisco's security business group, demonstrated how a workload or application could be automatically patched and run in parallel using digital-twin technology to test the stability and correctness of the updated software. Digital twins are simulations — originally used in product development and manufacturing — that allow software engineers to test and observe a version of a device or application.

If patched code passes all tests and satisfies policies, then it can be promoted to production, Connors said during the demonstration.

"What we've done is we've essentially introduced the digital twin into every enforcement point that we deploy," Connors stated. "So we're actually bringing CI/CD \[continuous integration and continuous delivery\] to the embedded world by running the end-of-the-promotion pipeline as a digital twin on every single enforcement point for every single customer in the world in a transparent way. That allows us to test every possible combination that could happen in your real environment everywhere."

While the company will start with Linux environments, Cisco hinted at future plans to support other operating systems.

The same digital-twin approach can be applied to developing segmentation policies for networks of devices and workloads, according to Connors. The AI assistant built into the Hypershield platform could recommend microsegmentation policies and give a confidence score that each policy would behave well inside a given environment.

"Imagine if AI wasn't just recommending microsegmentation policies, but it was modeling them in a digital twin of your environment, and telling you exactly how it tested those policies to make sure they were correct before it recommended them to you," Connors said. "So we're really trying to bring that trust aspect in and not just 'AI bomb' you with recommendations."

**Distributed Exploit Protection**

Cisco says the platform will also protect against exploits in real time by using threat intelligence to inform anomaly detection and response. Because companies never know which vulnerabilities will be picked up by an attacker, the system allows all high-impact vulnerabilities to be treated the same.

This approach benefits companies with legacy hardware and software that has reached end of life and is no longer receiving updates, according to Connors.

"There are cases where we can never patch. ... Let's say the software's end of life, but my business still relies on it and a critical vulnerability exists," Connors said. "So while these are intended to be short-lived patches to bridge that gap between that availability and patch deployment and then we'll automatically pull back these distributed shields, it is potentially feasible that you may want to run this for the life of the application to continue protecting you against \[exploitation\]."

Having the vision and individual technologies is a good first step, but like the platform managing driver-assist features in cars, the trick is how it all comes together, says Jon Oltsik, analyst emeritus at Enterprise Strategy Group. Coordinating the pieces across multiple systems, rather than looking at each one in isolation — as well as figuring out "normal" activity — and then responding will be tricky.

"It's a good goal, but a lot of things need to come together to make it happen, including user buy-in," he says. "AI-based security must go through rigorous testing and be proven in the field before security professionals will trust it."

Cisco has promised the platform will be generally available by August.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cisco's Complex Road to Deliver on Its Hypershield Promise

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

Source: Wright Studio via Shutterstock

Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.

In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.

The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.

**Attack Volumes Might Increase**

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.

Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.

Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.

The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.

**VPN Vulnerabilities Explode in Number**

A study by Securin showed the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. They noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers weaponized 204 of the total disclosed vulnerabilities so far. Of this, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.

Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary basically attempts to gain brute-force access to multiple accounts by trying default and common passwords across all of them.

**Reconnaissance Effort?**

"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.

The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.

"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

PRESS RELEASE

Auburn, Ala. – Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security was awarded a $10 million Department of Energy grant in partnership with Oak Ridge National Laboratory (ORNL) to create a pilot regional cybersecurity research and operations center to protect the electric power grid against cyberattacks. 

The total value of the project is $12.5 million, with the additional $2.5 million coming from Auburn University and other strategic partners.

The center, officially named the Southeast Region Cybersecurity Collaboration Center (SERC3), will bring together experts from the private sector, academia and government to share information and generate innovative real-world solutions to protect the nation’s power grid and other key sectors. It will include a mock utility command center to train participants in real-time cyber defense.  

“Auburn University is proud to be at the forefront of this important field as we work against one of the greatest threats the country and the business sector will face in the future,” said Steve Taylor, Auburn University’s senior vice president for research and economic development. “The center will conduct critical research and provide real operational solutions to protect all of us as we address these challenges. We are thankful to Oak Ridge National Laboratory for partnering with us and Rep. Mike Rogers for his support in securing funding for this critical program.”  

The center will run experiments with industry partners in a research lab environment to support integration of new and existing security software and hardware into operational environments. Research labs will be established at Auburn University, housed at the Samuel Ginn College of Engineering, and at the Oak Ridge National Laboratory in Oak Ridge, Tennessee.

“We are excited to work with Auburn on this important national mission,” said Oak Ridge National Laboratory Director Stephen Streiffer. “We’re combining our capabilities to partner with industry, develop new security technologies and transfer those technologies to industry, all while developing the workforce that will operate these enhanced systems.”

Workforce and skills development will be a core role of Auburn’s in this partnership.

“This project provides an exciting opportunity for our college and our students,” said Mario Eden, dean of the Samuel Ginn College of Engineering. “Our students will get hands-on experience in a real-world environment. We have a proven track record of innovation and this project perfectly aligns with our mission to provide the best student-centered engineering experience in America and expand our engineering knowledge through research.”

With an emphasis on critical infrastructure, the research will help utilities across the nation become more resilient to the increasing threat of cyberattacks. 

“We know that adversaries want the ability to disrupt our energy infrastructure, which could be devastating for our communities,” said Moe Khaleel, associate laboratory director for National Security Sciences at ORNL. “SERC3 will focus on establishing regional partnerships and developing science-based solutions to mitigate these threats – and keep everyone’s lights on.”

Puesh M. Kumar, director of the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), praised the collaboration between organizations.

“I applaud Auburn University and Oak Ridge National Laboratory’s collaborative effort to advance grid cybersecurity,” Kumar said. “Everyone must come together – industry, the national laboratories, academia, as well as State and Federal governments – if we are to succeed against the growing cyber threats facing the U.S. energy sector from malicious actors and nation-states like the People’s Republic of China. This partnership is a critical example of that.”

Frank Cilluffo, director of the McCrary Institute, said the project is at the core of what the institute does. 

“A secure and resilient grid is a national and regional imperative,” Cilluffo said. “Spearheaded by James Goosby at McCrary and Tricia Schulz at Oak Ridge, we will create new research to rapidly identify, share and mitigate cybersecurity risks while we train the future workforce we need to keep us safe.”

Web source: https://www.eng.auburn.edu/news/2024/04/mccrary-serc3.html

Auburn University is a nationally ranked land grant institution recognized for its commitment to world-class scholarship, interdisciplinary research with an elite, top-tier Carnegie R1 classification, life-changing outreach with Carnegie’s Community Engagement designation and an undergraduate education experience second to none. Auburn is home to more than 30,000 students, and its faculty and research partners collaborate to develop and deliver meaningful scholarship, science and technology-based advancements that meet pressing regional, national and global needs. Auburn’s commitment to active student engagement, professional success and public/private partnership drives a growing reputation for outreach and extension that delivers broad economic, health and societal impact.

Auburn's McCrary Institute and Oak Ridge National Laboratory to Partner on Regional Cybersecurity Center

CISA advisory warns of critical ICS device flaws, but a lack of available fixes leaves network administrators on defense to prevent exploits.

Source: rapsian sawangphon via Alamy Stock Photo

A security advisory issued this week by the Cybersecurity and Infrastructure Security Agency (CISA) alerts administrators of vulnerabilities in two industrial control systems devices — Unitronics Vision Series PLCs and Mitsubishi Electric MELSEC iQ-R Series.

CISA warned that the Unitronics Vision Series PLC controller is open to remote exploit due to its storage of passwords in a recoverable format. This vulnerability (CVE-2024-1480) was assigned a CVSS score of 8.7.

Unitronics has not responded to, or worked with, the agency to mitigate the issue, leaving networks with these devices open to cyberattack, according to CISA. The advisory recommends ensuring the controllers are not connected to the Internet, isolating them from business networks, protecting the devices behind firewalls, and using secure methods, like virtual private networks (VPNs), for remote access.

The remaining ICS vulnerabilities impact the Mitsubishi Electric Corporation MELSEC iQ-R CPU Module. A design flaw in the CPU, tracked under CVE-2021-20599, has been assigned a CVSS score of 9.1. The unit transmits passwords in cleartext, which are easily intercepted by adversaries.

The Mitsubishi MELSEC CPUs also harbor a trio of reported flaws that could allow a threat actor to compromise usernames, access the device, and deny access to legitimate users. These include: exposure of sensitive information (CVE-2021-20594, CVSS 5.9); insufficiently protected credentials (CVE-2021-20597, CVSS 7.4); and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).

Mitsubishi is working to provide mitigations and workarounds for the issues. However, systems with these devices are unable to be updated with a fix, according to CISA. The agency advises administrators with these devices in their networks to shore up defenses with firewalls, remote access limitations, and IP address restrictions.

"Mitsubishi Electric has released the fixed version ... but updating the product to the fixed version is not available," the advisory said. "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability."

**About the Author(s)**

ICS Network Controllers Open to Remote Exploit, No Patches Available

Existing AI technology can allow hackers to automate exploits for public vulnerabilities in minutes flat. Very soon, diligent patching will no longer be optional.

Source: Rokas Tenys via Shutterstock

AI agents equipped with GPT-4 can exploit most public vulnerabilities affecting real-world systems today, simply by reading about them online.

New findings out of the University of Illinois Urbana-Champaign (UIUC) threaten to radically enliven what's been a somewhat slow 18 months in artificial intelligence (AI)-enabled cyber threats. Threat actors have thus far used large language models (LLMs) to produce phishing emails, along with some basic malware, and to aid in the more ancillary aspects of their campaigns. Now, though, with only GPT-4 and an open source framework to package it, they can automate the exploitation of vulnerabilities as soon as they hit the presses.

"I'm not sure if our case studies will help inform how to stop threats," admits Daniel Kang, one of the researchers. "I do think that cyber threats will only increase, so organizations should strongly consider applying security best practices."

**GPT-4 vs. CVEs**

To gauge whether LLMs could exploit real-world systems, the team of four UIUC researchers first needed a test subject.

Their LLM agent consisted of four components: a prompt, a base LLM, a framework — in this case ReAct, as implemented in LangChain — and tools such as a terminal and code interpreter.

The agent was tested on 15 known vulnerabilities in open source software (OSS). Among them: bugs affecting websites, containers, and Python packages. Eight were given "high" or "critical" CVE severity scores. There were 11 that were disclosed past the date at which GPT-4 was trained, meaning this would be the first time the model was exposed to them.

With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture.

Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability.

GPT-4, however, successfully exploited 13, or 87% of the total.

It only failed twice for utterly mundane reasons. CVE-2024-25640, a 4.6 CVSS-rated issue in the Iris incident response platform, survived unscathed because of a quirk in the process of navigating Iris' app, which the model couldn't handle. Meanwhile, the researchers speculated that GPT-4 missed with CVE-2023-51653 — a 9.8 "critical" bug in the Hertzbeat monitoring tool because its description is written in Chinese.

As Kang explains, "GPT-4 outperforms a wide range of other models on many tasks. This includes standard benchmarks (MMLU, etc.). It also seems that GPT-4 is much better at planning. Unfortunately, since OpenAI hasn't released the training details, we aren't sure why."

**GPT-4 Good**

As threatening as malicious LLMs might be, Kang says, "At the moment, this doesn't unlock new capabilities an expert human couldn't do. As such, I think it's important for organizations to apply security best practices to avoid getting hacked, as these AI agents start to be used in more malicious ways."

If hackers start utilizing LLM agents to automatically exploit public vulnerabilities, companies will no longer be able to sit back and wait to patch new bugs (if ever they were). And they might have to start using the same LLM technologies as well as their adversaries will.

But even GPT-4 still has some ways to go before it's a perfect security assistant, warns Henrik Plate, security researcher for Endor Labs. In recent experiments, Plate tasked ChatGPT and Google's Vertex AI with identifying samples of OSS as malicious or benign, and assigning them risk scores. GPT-4 outperformed all other models when it came to explaining source code and providing assessments for legible code, but all models yielded a number of false positives and false negatives.

Obfuscation, for example, was a big sticking point. "It looked to the LLM very often as if \[the code\] was deliberately obfuscated to make a manual review hard. But often it was just reduced in size for legitimate purposes," Plate explains.

"Even though LLM-based assessment should not be used instead of manual reviews," Plate wrote in one of his reports, "they can certainly be used as one additional signal and input for manual reviews. In particular, they can be useful to automatically review larger numbers of malware signals produced by noisy detectors (which otherwise risk being ignored entirely in case of limited review capabilities)."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

The group gained access to the victim network by duping IT employees with high administrative-access privileges.

Source: Scharfsinn via Alamy Stock Photo

Researchers this week shared details of an attack campaign by the infamous FIN7 threat group that targeted a large US-based global automotive manufacturer.

FIN7, a Russian advanced persistent threat (APT) group, also known as Carbon Spider, ELBRUS, and Sangria Tempest, conducted a spear-phishing campaign in late 2023 that was spotted and ultimately halted by BlackBerry's threat and research team. The attackers identified IT employees with high admin-level rights and lured them in by impersonating an IP scanning tool with a malicious URL. Once the employees opened the link, the threat actor ran its Anunak backdoor, allowing them to "gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas)," BlackBerry researchers said in blog post detailing the attack.

BlackBerry said its threat and research team detected and disrupted the attack before FIN7 was able to launch the ransomware portion of the attack.

In the past, FIN7 has targeted US retail, hospitality, and restaurant sectors, though it is now branching out to defense, insurance, and transportation sectors. BlackBerry researchers believe that the threat group is now likely targeting larger entities, with the assumption that they will pay a higher ransom.

BlackBerry did not disclose the name of the targeted automotive manufacturer.

**About the Author(s)**

Russian APT Group Thwarted in Attack on US Automotive Manufacturer

The missing ingredient in NIST's newest cybersecurity framework? Recovery.

Alex Janas, Field Chief Technology Officer, Commvault

April 18, 2024

5 Min Read

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY

As the digital landscape grows more treacherous, companies are finally beginning to treat cybersecurity as a top operational risk. And for enterprises revising their data security strategies, the updated guidance from the National Institute of Standards and Technology (NIST), the US government's key technical standards adviser, is a good starting point. NIST's cybersecurity framework, first released in 2014, has functioned as the leading educational and academic guide. The newest version includes important updates, like the addition of data governance as one of the core pillars. Unfortunately, it falls short in a significant way. It doesn't say nearly enough about the most crucial ingredient of any comprehensive and contemporary cybersecurity plan: the ability to recover from a cyberattack. 

It's important to keep in mind that recovering from an attack is not the same as disaster recovery or business continuity. It's not enough to simply tack the recovery function onto a broader incident response plan. Recovery must be ingrained into the security stack and into your response plans. And even outside a crisis scenario, there must be a continual feedback loop established, where all parts of the cybersecurity function — including recovery — are always sharing information and are a part of the same workflow. 

Given the persistent threat landscape and the growing number of mandatory regulations, such as the EU's Digital Operational Resilience Act (DORA), companies must urgently address the gaps in their cybersecurity preparedness plans.

**Shifting From a Frontline Mentality **

While NIST is a comprehensive framework, the cybersecurity industry (and, by proxy, most companies) put far more attention on the part that focuses on preventing cyberattacks. That's important, but prevention can never be assured and should not be done at the expense of a comprehensive security plan. 

A company that only uses the NIST Cybersecurity Framework will put that company in a position where they are underinvested in responding to current and future cyberattack scenarios. That's a risk no organization can afford to take. You will be breached. In fact, you are breached, you just don't know it yet. This means the restoration platform must be integrated with the security stack to help protect itself and the business environment to ensure the company can get back to business — which is one of the main goals of this work.

Vendors and customers alike must put resources toward returning to a post-attack state: How to get there, and how to test and verify that capability. The secret to a robust recovery is planning. To truly be safe, businesses must take steps now to integrate the technology and people responsible for recovery into the rest of their cybersecurity function. 

Once that happens, although recovery teams can still operate independently, there's a continual feedback loop. So, all the different parts of the security teams can still easily send and receive information to and from the other functions. 

**Test, Test, Test**

While companies often have time frames in mind of how quickly systems must be back online, far fewer have fully considered what it takes to get to that safe state following an attack. 

Testing helps inform how long each step in the identification and remediation of a breach should take, so companies have a benchmark to use when an actual incident occurs. And without adequately testing backup environments, the recovery function becomes much more difficult — and potentially more dangerous. When restoring from an untested backup environment, the company might inadvertently restore implanted malicious code, provide attacker access, or return to a vulnerable state. 

Companies must actively run simulated or real-world drills that test all facets of their cyber resilience to uncover the weak points, including any issues that could impact a company's ability to get their IT systems operational again. 

**Linking the Steps  **

Integrating recovery tools into the larger incident response arsenal can yield valuable intelligence, both in preparing for and responding to an attack. 

These days, modern recovery systems can actively monitor backup repositories and regularly send feeds back to the security teams to detect any abnormal behavior far quicker than in the past — a vital capability as attackers increasingly aim their efforts at the last-mile data centers. And as a cyber-resilient restoration platform becomes integrated into the modern security stack, it must connect with the systems that transform the intelligence from the various systems and services to provide security teams with better context about the events that are happening in their environment as well as better auditing required under the various compliance and regulations around the globe. 

**Aligning the People to the Process **

While many organizations have experts attached to every other process in the NIST framework, few have teams or even individuals dedicated to managing recovery. 

Often, the function falls between the domain of the chief information security officer (CISO) and chief information officers (CIO), which leads to both assuming the other owns it. The overworked security team typically views recovery as tedious — and something that occurs only at the tail end of a chaotic process that should be handled by the IT team. 

Meanwhile, the IT team, unless steeped in security, may not even know what the NIST framework is. Facing a deluge of complaints, their focus is on simply getting the environment back online as quickly as possible, and they may not recognize how perilous an unplanned, hasty recovery can be. 

Taking this seriously involves dedicating resources to oversee recovery, making sure this step doesn't get overlooked in the ongoing planning and testing — let alone in the chaos that often accompanies a breach. 

When given strategic direction from the C-suite, and assigned the right ongoing responsibilities, the recovery individual or team can ensure that the response protocols are regularly tested, as well as serve as the bridge to connecting recovery with the rest of the cybersecurity function.  

**The Most Vital Step**

In this era when every business should assume they are breached, recovery must be recognized as just as important as the other steps in the NIST framework. Or maybe even more important.

Companies that only play cyber defense will eventually lose. They are playing a game where they think the score matters. Defenders can have 1,000 points but will lose to an attacker who scores once. There's simply no way to guarantee victory against an opponent who plays outside the rules and controls when and how the game is played.

Businesses must allocate resources to prepare for cyberattacks. Without a tested response plan to resume operations safely and securely, companies will have no choice but to capitulate to attackers' demands, pay the ransom, and thereby embolden an attacker.

**About the Author(s)**

Field Chief Technology Officer, Commvault

As the Field Chief Technology Officer for Commvault, Alex Janas is responsible for overseeing cybersecurity. He is a distinguished cybersecurity expert with over 20 years of diverse experience, spanning the private sector and the Department of Defense (DOD). 

In his work within the private sector, Alex has excelled in a wide range of security responsibilities; Cyber and Physical Security Penetration Assessments, Incident Response and Forensics, Virtual Chief Information Security Officer (vCISO), Cyber Executive Protection and Technical Surveillance Countermeasures (TSCM).

Alex’s government experience is highlighted by his tenure at the National Security Agency (NSA), where he served for 11 years in the Tailored Access Operations as an Analyst, Operator, and Division Technical Director. Alex is a proud recipient of the Master Operator designation, a prestigious honor bestowed upon a highly select cadre of Computer Network Operations personnel.

Rebalancing NIST: Why 'Recovery' Can't Stand Alone

Industry leaders aim to solve the threat to both the mental health of workers and security of organizations with solutions that recognize the enormous pressures facing cybersecurity professionals.

Source: Roman Samborskyi via Alamy Stock Photo

It's no secret that burnout is an epidemic among cybersecurity professionals that threatens not only the mental health of workers in the field, but also the security of organizations. But how to solve the growing crisis is still something with which the industry is grappling.

Peter Coroneos, founder of Cybermindz, and Kayla Williams, CISO of Devo, have different perspectives on cybersecurity burnout given their distinct roles and perspectives as industry leaders, but together they have a shared vision to find solutions to help break the current cycle of burnout that faces the cybersecurity profession.

Coroneos is founder of Cybermindz, a not-for-profit that offers resilience training for cyber teams, among others; and Williams is chief information security officer (CISO) of Devo, a cloud-native security analytics company.

The two — whose companies already are partners in fighting burnout — will come together at the upcoming RSA Conference to host a session called "Burnout in Cyber: The Intersection of Neuroscience, Gender, and Wellbeing." Their session will present some reasons why cybersecurity burnout has become a vicious cycle, as well as how a combination of empathetic leadership and neuroscience-based training can help break it.

**Security Staff Burnout: A Wake-Up Call**

The "wake-up call" for Coroneos on how serious the burnout problem came when a survey of 200 cybersecurity professionals conducted by Wakefield Research on behalf of Devo released its results last September. The study found that a hefty 83% of those surveyed admit that stress has led them and peers to make errors that have caused data breaches.   

The COVID-19 pandemic-related workplace changes as well as the increased cyberattacks taking advantage of organizations' hasty and often insecure shift to accommodate a remote workforce really threw cybersecurity burnout into high gear, he said.

"COVID brought together a number of factors that have been brewing in the background for a number of years," Coroneos says in a recent interview.

Working remotely, cybersecurity professionals felt even less of a separation between their work and home lives and felt as if they quite literally always took their work home with them. And with cyberattackers exploiting the vulnerable security situation with which many companies were faced at the time, there was even more work for them to do, and thus more pressure than ever, he says.

It was a "perfect storm" of conditions to foster burnout, Coroneos says. "We started to see many more reports of the degradation in the mental health status of cybersecurity teams," he says. "They feel this relentless pressure with no end in sight."

**The Blame Game**

Some of that pressure comes with the often-unfair burden of blame that CISOs and chief security officers (CSOs) in particular shoulder when a data breach or attack goes horribly wrong for a company, says Williams, who in her position as CISO knows all too well.

A key source of stress these executives experience is that they often don't control their budgets and the overall security roadmap at their respective organizations, and thus don't typically get the sufficient funding to execute their vision for a company's security. However, they still will be held accountable if something goes wrong, Williams says.

She cited notable high-profile lawsuits brought against top security executives from Uber and SolarWinds in which they took the brunt of the blame for security incidents at their respective companies as scenarios that are scaring top professionals out of the industry.

"From what I'm seeing and hearing, turnover is incredibly high," Williams says. "Speaking to my peers, they don't want to be CSOs anymore."

Indeed, the Devo survey found that 85% of professionals surveys will leave their role in the next year, while 25% will leave the industry entirely.

The current situation that many security professionals find themselves in is a burnout cycle that keeps those who stay in the profession feeling stressed out and hopeless about their jobs, while creating unprecedented numbers of turnover in a position that already faces job shortages. This circular cycle creates even more burnout for those who stay in cybersecurity roles, Coroneos and Williams say.

**Breaking the Security Fatigue Cycle**

To break this cycle, the two professionals pose a combination of empathetic leadership strategies and a neuroscience-based solution to help retrain people's minds to deal with high levels of stress.

As a CISO herself, Williams says she knows how important it is to communicate effectively with people in various cybersecurity roles within the organization to ensure that their individual needs both professionally and emotionally are being met. This is especially true as a new generation of cyber professionals with different emotional needs is entering the workforce, she says.

"As a people leader, it is my responsibility to ensure that I am communicating to my teams in a way that resonates with them," Williams says. It's important for leaders to take time to understand the needs of individuals on a team and to check in with them as they would with family or friends to ensure they are not feeling overwhelmed by stress or the demands of their responsibilities, she says.

Meanwhile, Cybermindz is taking a page out of the playbook of international armed forces with a training solution called Integrative Restoration (iRest) that has been implemented by the US and Australian military since 2006 and 2016, respectively.

iRest — the result of more than 40 years of observation, research and development by clinical psychologist Richard Miller and his team at an institute of the same name California — is an attention-training technique to help the brain's limbic system return to a restful state after an intense period of high stress.

The problem for cybersecurity pros is that they often get stuck in a constant state of psychological fight-or-flight response pattern due to the constant stress cycle of their jobs, Coroneos explains. iRest is a training that helps them switch out of this cycle to bring them to a deeper state of relaxation to reset that fight-or-flight response. This will help the brain switch off, so it is not constantly creating stress not only in the workplace but throughout their everyday lives, thus creating burnout, he says.

"We need to get them into a position where they can come into a proper relationship into their subconscious," Coroneos says, adding that so far cybersecurity professionals who have experienced the training — which Cybermindz is currently piloting— report they are sleeping better and making clearer decisions after only a few sessions of the program.

Indeed, while burnout remains a serious problem, the message Coroneos and Williams ultimately want to convey is one of hope that there are solutions to solve the burnout problem currently facing cybersecurity professionals, and that the enormous pressures these dedicated professionals face is not being overlooked.

"We want to show them that their mental health need not be the price of their career," Coroneos says.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading