With more than 700,000 cybersecurity jobs available, now is a good time to consider a career change.

We've been battling the cybersecurity talent shortage for more than a decade, yet the problem seems to be getting worse, rather than better. According to CyberSeek, right now, there are almost 755,800 cybersecurity job openings in the US alone.

Over the past year, there's been a lot written about how companies are trying to close this gap by considering candidates with nontraditional backgrounds — including people looking to make a career change. While it's encouraging that someone may want to jump into cybersecurity, actually understanding how to make such a move can be difficult.

Let's face it: Making a career change is scary. It's completely unfamiliar territory. How do you even begin a career in cybersecurity? What steps are required? Do you need certifications before applying to a position? Do you need a degree? These are all real and relevant questions, and there hasn't been much guidance on how aspiring cybersecurity professionals can go about making a switch.

**Practical Steps**

With both a bachelor's and a master's degree in elementary education and teaching, I recently went through this process and had to find my own way, with very little outside help. So, it has become a passion of mine to help others in a similar position — no one should have to go this road alone.

Here are five practical steps for pursuing a new career in cybersecurity.

1.  **Reflect on the reasons you want to get into cybersecurity:** Don't make the career change because the grass seems greener or the pay seems higher. Really take the time to understand why this change resonates with your personal core value system. The old adage "If you love what you do, you will never work a day in your life" is applicable here. Make sure you're getting into cybersecurity for the right reasons.
2.  **Research different cybersecurity career paths to determine which you're most passionate about:** The job possibilities in cybersecurity are endless. If you want a technical role, applicable positions include designer/architect, defender, hacker, responder, auditor, and manager. If a less technical position is more up your alley, consider getting into education and training, conducting risk assessments, getting into marketing or HR, or becoming a salesperson. Whichever direction you choose to take, make sure your core cyber pathway aligns with your persona.
3.  **Look at your own job board:** Once you know which cybersecurity path you want to explore, look at your current company's job board to see which positions are open and if any of your skills are transferable. Don't worry if you don't have all the job qualifications listed — certain expertise and experience you do have could outweigh what you don't. For example, common "soft skills" required for many jobs across industries — such as being a life-long learner, a problem solver, or an effective communicator — now are essential to cyber roles and as equally valued as technical skills.
4.  **Network:** If you need to look outside your company for a cybersecurity role, think about who you know who could make a connection on your behalf. Joining industry and local cybersecurity groups is a great way to network. Women in CyberSecurity (WiCyS), which has a mission to "recruit, retain and advance women in cybersecurity," is an example of one such organization committed to networking and support.
5.  **Leverage the resources available to you to gain cybersecurity experience:** For example, (ISC)2 offers a free Certified in Cybersecurity Certification to help individuals kick-start their career. (I took this exam myself and found it very helpful and relevant.) Don't worry too much about overloading on certifications upfront, though. These can come down the road, if you decide to specialize in a certain area.

**A Note to Hiring Managers**

Entry-level cybersecurity job descriptions are deterring career changers (and recent graduates) from applying to open positions — and this in and of itself is contributing to the talent shortage.

Often, the requirements within entry-level job posts are unrealistic. For example, many require a Certified Information Systems Security Professional (CISSP), which can be attained only after five years of experience. How can an entry-level candidate already have five years under their belt? They can't. Cybersecurity professionals do not need a college degree to be successful. Post-secondary vocational schools, online training courses, and even self-learning can give candidates the skills they need to succeed.

We need to reset expectations, and the best way to do this is by having cybersecurity teams in need of new employees work directly with hiring managers to fix the disconnect between job descriptions and the actual qualifications needed to be successful in an entry-level cybersecurity role.

**It's All About Support**

Just as cybercriminals band together to go after victims, we in the cybersecurity industry need to collaborate too — not only to defend against bad actors but to help each other succeed. When security teams are fully staffed, companies' defenses against cybercriminals will be stronger. And we can help fill these open positions by supporting people who want to jump into cybersecurity, providing the resources they need to be successful, and helping to correct hiring managers' misperceptions of entry-level job qualifications. When we come together as an industry, we can truly make great strides to overcome the cybersecurity talent shortage.

How to Jump-Start Your Cybersecurity Career

A top Iranian, state-sponsored threat is a spear-phishing campaign that uses a fake Twitter persona to target women interested in Iranian political affairs and human rights.

A well-known Iranian threat group, Cobalt Illusion, has been linked to a spear-phishing campaign that is using the protests surrounding the death of Mahsa Amini in Iran as a lure.

Amini was a 22-year-old Iranian woman who was allegedly beaten to death by Iranian police for not wearing her hijab in accordance with government regulations. Her death set off a series of protests, particularly by women, who used them to publicly defy the same rules for which Amini was arrested.

Researchers from Secureworks identified the campaign, which targets such female protestors, political activists, and human rights researchers using a fake Twitter account. Someone using the name Sara Shokouhi, with a Twitter handle @SaShokouhi, reaches out to victims purportedly on behalf of US think tank Atlantic Council. In reality, Sara is a creation of the Cobalt Illusion advanced persistent threat (APT), aka Charming Kitten, APT42, Phosphorous, TA453, and Yellow Garuda.

"The threat actors create a fake person and use it to build rapport with targets before attempting to phish credentials or deploy malware to the target's device," said Secureworks CTU Rafe Pilling, principal researcher and Iran thematic lead, in a press statement. "Having a convincing persona is an important part of this tactic."

A cluster of activity reported on Twitter Feb. 24 spurred investigation into possible malicious cyber activity, with a number of women actively involved in Middle East political affairs and human rights reporting contact from the individual, researchers revealed in a blog post published today. What they discovered is that the @SaShokouhi Twitter account, in operation since October, has been tweeting or engaging in posts supportive of the Mahsa Amini protest in Iran to appear "sympathetic to protesters' interests and demands and create an illusion of shared interests," the Secureworks Counter Threat Unit (CTU) research team wrote in the post.

**Finding Common Ground**

Cobalt Illusion appears to have used the protests as a way to find common ground with targets, the researchers said. Included in some of the posts made by @SaShokouhi were "cynical use of distressing content such as images of dead children, physical abuse suffered by protesters, anti-Iranian government commentary, and anti-Iranian symbolism," the researchers wrote.

The researchers ultimately found that attackers created the Sara Shokouhi persona using stolen images from an Instagram account belonging to a psychologist and tarot card reader based in Russia, Pilling said. The APT also set up a fake Instagram account using the photos, @sarashokouhii.

The tactics used in the campaign are typical of the Cobalt Illusion APT, which is associated with Iran's Revolutionary Guard Corps (IRC) and has been active since about 2014.

"Phishing and bulk data collection are core tactics of Cobalt Illusion," Pilling said. "We've seen this happen in several guises in recent years."

Indeed, the group is known for using social media platforms to target academics, journalists, human rights defenders, political activists, intergovernmental organizations (IGOs), and nongovernmental organizations (NGOs) that focus on Iran. Their modus operandi is to set up trusted relationships through these platforms and then use phishing campaigns to steal credentials for systems they wish to access for cyber-espionage purposes, the researchers said.

Cobalt Illusion uses the information stolen through this activity in various ways, including to inform Iranian military and security operations of activity by persons of interest, which not only could lead to their surveillance, but even their arrest, detention, or targeted killing, Pilling said.

**Impersonating a Think Tank**

In the recent campaign observed by Secureworks, the SaShokouhi persona courted victims by claiming to work with Holly Dagres, a senior fellow at the Atlantic Council. In a tweet — a screenshot of which researchers included in their post — Dagres herself denied working with Shokouhi, indicating that the persona is not legitimate.

The link to Atlantic Council also is a giveaway that Cobalt Illusion is involved, the researchers said. That's because in previous activity confirmed by the Computer Emergency Response Team in Farsi (CERTFA) in September, the APT impersonated an Atlantic Council employee, they said. CERTFA is comprised of cybersecurity experts in Iran's digital security space.

"In that campaign, the group attempted to engage targets in video calls and delivered phishing links via the chat function at an appropriate point in the conversation," CTU researchers wrote.

CERTFA Lab has published a set of phishing indicators related to the campaign, which align with past Cobalt Illusion activity. Researchers recommended that organizations that could be targeted use available controls to review the IP addresses associated with the campaign and restrict access to them, being wary of the likelihood of their containing malicious content before opening them in a browser.

As always, when it comes to phishing, organizations should use industry-proven and reliable email-scanning technology to delete malicious messages before they reach employees, as well as train employees how to spot hallmarks of phishing activity to avoid engaging and thus risking compromise of sensitive data and systems, the researchers said.

Iranian APT Targets Female Activists With Mahsa Amini Protest Lures

Users should patch an unauthenticated remote code execution bug impacting FortiOS and FortiProxy administrative interfaces ASAP, Fortinet says.

Fortinet is warning users to patch a critical remote code execution (RCE) vulnerability in the FortiOS operating system, and in the FortiProxy secure Web gateway. 

An alert this week from FortiGuard Labs said a heap buffer underflow bug in the administrative interface could allow an unauthenticated, remote cyberattacker to execute code on a device running the platforms. The vulnerability could also allow a threat actor to perform a denial-of-service (DoS) attack on the GUI of devices running the vulnerable code, Fortinet added.

Fortinet has issued a security update for FortiOS and FortiProxy interfaces, and noted that no exploitation has been detected yet. 

"Fortinet is not aware of any instance where this vulnerability was exploited in the wild," the alert explained. "We continuously review and test the security of our products, and this vulnerability was internally discovered within that frame."

This is the latest bug to come to light in the popular security appliance vendor's gear. Just late last month, Fortinet urged FortiNAC users to update their systems against a flaw that allowed unauthenticated attackers to write arbitrary system files.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical RCE Bug Opens Fortinet's Secure Web Gateway to Takeover

These agile controls and processes can help critical infrastructure organizations build an ICS security program tailored to their own risk profile.

It's no secret that the industrial control system (ICS) attack surface is rapidly expanding (PDF). From advancements in business digitalization, IT-OT convergence, and Internet of Things (IoT) adoption to the ripple effects of escalating geopolitical tensions, organizations in critical infrastructure sectors must be positioned to combat accelerating ICS attacks that, in addition to forcing prolonged operational downtime, can potentially put people and communities at severe risk.

After all, there's a clear differentiator regarding the nature of ICS/OT threats. Unlike traditional attacks against enterprise IT networks that are primarily rooted in monetary gain or data theft, state-sponsored adversaries often target critical infrastructure systems with the malicious intent to disrupt operations, inflict physical damage, or even facilitate catastrophic incidents that lead to loss of life.

This isn't fable or fiction — it's reality. In early February, leaders of two US House subcommittees called on the US Energy Department to provide information regarding three nuclear research laboratories targeted by the Russian hacking group Cold River last summer. Or take the Russian state-sponsored Crashoverride incident (PDF) of 2016, which manipulated ICS equipment through the abuse of legitimate ICS protocols to disrupt the flow of electricity across Ukraine's power grid at the transmission substation level. As a result, part of Ukraine's capital, Kyiv, experienced a one-hour outage overnight.

The incident served as a microcosm to an evolving era of cyber-risk, signifying the importance of trained defenders with engineering backgrounds who can effectively monitor ICS networks and actively respond to attacks before impact. After all, a weak ICS/OT security posture can pose risk to public health, environmental safety, and national security.

That said, critical infrastructure organizations have a responsibility to deploy a robust ICS/OT security framework that protects their operational assets from sophisticated attacks. This isn't a matter of meeting mandatory compliance minimums to avoid fines or regulatory penalties. It's about leaving no stone unturned to protect people from the real-world impact of cybercrime — not only their own personnel, but those living and working in the surrounding communities from which they operate.

**The Five Components of Effective ICS/OT Security**

Balanced priorities are essential to effective ICS/OT security, as made clear by a recent SANS Institute whitepaper, "The Five ICS Cybersecurity Critical Controls." Prevention bias is a common theme across the cybersecurity community. Between 60% and 95%of the best-known and utilized security frameworks are preventative in nature but fall behind in detection and response. As a result, many organizations invest as little as 5% of their resources toward detecting, responding, operating through an attack, and recovering from compromises. Because the volume and velocity of ICS-related attacks are rapidly increasing, even the most stringent prevention measures are bound to be bypassed. Organizations must be prepared for when that happens — and integrating AI-enabled detection and response approaches that drive agile mitigation and recovery action.

Adopting an ICS/OT security framework that encompasses the following five critical controls is key to achieving that balance.

1.  **ICS incident response:** An operations-informed incident response plan is designed with focused system integrity and recovery capabilities to reduce the complexity of responding to attacks in operational settings. These exercises reinforce risk scenarios and use cases tailored to their security environment — prioritizing actions based on the potential for operational impact and how to position the system to operate through an attack. They also enhance operational resilience by facilitating root cause analysis of potential failure events. 
2.  **Defensible architecture:** An effective ICS-defensible architecture supports visibility, log collection, asset identification, segmentation, industrial demilitarized zones, and process-communication enforcement. It helps bridge the gap between technologies and humans, reducing risk through system design and implementation while driving efficient security team processes. 
3.  **ICS network visibility monitoring:** Due to the "systems of systems" nature of ICS attacks, it's vital to implement continuous network security monitoring of the ICS environment with protocol-aware tool sets and systems of systems interaction analysis. These capabilities can be leveraged to inform operations teams of potential vulnerabilities to alleviate, aiding in general resilience and recovery. 
4.  **Remote access security:** Following the societal adoption of cloud-based hybrid work structures, adversaries are increasingly exploiting remote access to infiltrate OT networks. In the past, the primary attack path to an OT network was through that organization's IT network, but now threat actors can also capitalize on the IT network vulnerabilities of their entire supply chain. In turn, maintaining secure remote access controls is nonnegotiable for modern industrial operations. 
5.  **Risk-based vulnerability management:** A risk-based vulnerability management program empowers organizations to define and prioritize the ICS vulnerabilities that generate the highest level of risk. Often, they are vulnerabilities that allow adversaries to gain access to the ICS or introduce new functionality that can be leveraged to cause operational issues such as the loss of view, control, or safety within an industrial environment. Adopting risk-based vulnerability management requires having controls and device operating conditions in place that drive risk-based decisioning during prevention, response, mitigation, and recovery action.

**Fostering a Safer Future**

For facilities struggling to get a handle on their own ICS/OT security program, I recommend using the five critical controls as a starting point. These five pillars can serve as a road map for critical infrastructure organizations to build an ICS security program tailored to their own risk profile. And while the controls are invaluable to ICS/OT security, their potency still relies on an organizational culture of alignment where the severity of cyber-risk is understood and prioritized at every level — ranging from the board and executive leadership down to their security teams.

ICS/OT security must follow a team sport approach, combining the strength of agile controls and well-defined processes to keep pace with the accelerating nature of ICS attacks. With the right framework in place, critical infrastructure organizations can take proactive steps to drive their own defenses against malicious adversaries.

5 Critical Components of Effective ICS/OT Security

It's getting hard to buy cyber insurance, but not having it is not always an option. Low-coverage plans could bridge the gap.

"Everybody says it, so it must be true" is an example of the bandwagon logical fallacy. In the context of cyber insurance, the argument goes that everyone is a potential victim of an attack, thus everybody must have cyber insurance. In reality, not every organization can afford to buy cyber insurance, and there are organizations that don't qualify for a policy even if they want one.

Having cyber insurance used to be as simple as purchasing a prepackaged cyber insurance policy, similar to the process of buying a home or car insurance policy. With the explosion of ransomware attacks, the industry has been in disorder as insurance carriers and brokers process claims for damages caused by ransomware. In response to soaring claims, carriers are reducing the amount of coverage offered per policy, charging higher prices for less coverage, imposing much tighter rules on who can qualify for coverage, and cancelling policies for companies that don't meet the minimum requirements.

Policy coverages are significantly lower than they used to be, in some cases dropping from $10 million to $5 million and often lower, and many companies cannot get enough, says J. Andrew Moss, a partner at Reed Smith LLP's Insurance Recovery Group. "You have to fill in the gaps, and that's very tough because capacity has just been low or companies are priced out from buying as much insurance as they would ideally like to buy," he adds.

**Coverage Required, But Out of Reach**

For victims of a ransomware attack or a hacking attack where private information was disclosed, it can be difficult to obtain new policies. "What we usually recommend is that they undergo what we call a holistic review of their current insurance coverage," says Moss. The review includes general liability coverage, kidnap and ransom, property, first-party property insurance, and errors and omission, if they're in a professional services organization.

Some contracts and compliance regulations require that a company have a cyber insurance policy — posing a quandary for those companies that lose coverage. Without coverage, the company will find itself out of compliance or be vulnerable to a partner lawsuit for violating the terms of an existing contract. Getting some kind of cyber insurance policy often is mandatory, even if the company has other policies that could cover many of the losses a company might experience.

"It's not a comfortable time to be in business with respect to cyber risks," says Daniel J. Struck, a partner at the law firm Culhane Meadows PLLC. Characterizing today's cyber insurance market as being similar to the Wild West, Struck said he would not be surprised to see "relatively low-cost cyber insurance that doesn't cover much, but at least it provides the certificate for a contractor." He likens such "skinny" cyber insurance offerings to the low-cost, low-coverage auto insurance policies that allow drivers to meet US state auto insurance mandates.

**Bare Minimum Provides a Fig Leaf**

One benefit of a basic policy is that it could permit more organizations to obtain affordable coverage, eliminating the possibility of losing insurance and going out of compliance or violating contractual obligations.

Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security (CIS), notes that most corporate cyber insurance policies are negotiated by the corporate general counsel or outside counsel, and virtually all business policies are different. Underwriting these policies can take up to three months, he adds, due to their complexity and nonstandard clauses.

CIS offers a free self-assessment tool that helps users understand the financial impact of various aspects of a breach, including costs related to productivity, response, replacement, legal, competitive advantages, and reputation. The tool helps companies assess, report, and propose changes in cybersecurity controls based on a return-on-investment analysis, the organization says.

As all states have their own insurance commissioner and rules, Dukes suggests that companies lobby the National Association of Insurance Commissioners directly to develop national, standardized policies that would be easier for organizations to understand and manage, as well as set minimum requirements for a basic policy. A copy of the NAIC's 2022 Report on the Cyber Insurance Market can be found here, with its discussions on cyber insurance, committee actions, and resources located here.

'Skinny' Cyber Insurance Policies Create Compliance Path

Confidential computing will revolutionize cloud security in the decade to come and has become a top C-level priority for industry leaders such as Google, Intel and Microsoft. Edgeless Systems is leading these advancements to ensure all data is always encrypted.

**BOCHUM,** **Germany****,** **March 7, 2023** **/PRNewswire/ --** Edgeless Systems, a pioneering confidential computing company that is turning the public cloud into the safest place for sensitive data, today announced it has raised $5 million in its seed round led by Berlin\-based SquareOne with angel investors that include Evan Weaver (founder of Fauna), Mirko Novakovic (exit of Instana to IBM), Paolo Negri (founder of Contentful), Mathias Biilman and Chris Back (founders of Netifly).

The company is also hosting the annual Open Confidential Computing Conference (OC3) on March 15, 2023 where CTOs from Intel, Microsoft, AMD, Nvidia and others will discuss the state of confidential computing.

"Too many companies remain locked out of the cloud due to security concerns, but confidential computing technologies are poised to dramatically address this challenge in the coming months and years," said Georg Stockinger, Partner, SquareOne. "Edgeless Systems is already light years ahead of anyone else building the tools to make confidential computing easily accessible for developers in the enterprise. Its Constellation platform for Kubernetes is proof of its deep technical knowledge and first-mover position."

Edgeless Systems' flagship open source platform, Constellation and its associated tools, are already being used by hundreds of developers and DevOps engineers at companies such as Bosch, IBM and Intel, among others. Constellation is a confidential orchestration platform for Kubernetes. It leverages confidential computing to isolate and runtime-encrypt entire Kubernetes deployments, finally allowing enterprises to use the public cloud like their private cloud.

"We are turning the public cloud into everyone's private cloud," said Felix Schuster, CEO of Edgeless Systems. "By encrypting data all the time, even at runtime, and providing the best possible protection against infrastructure-based threats like malicious admins or co-tenants, Edgeless Systems can transform the way developers build and secure their public cloud workloads."

Moving workloads to the public cloud has many proven benefits but raises major compliance and data security concerns. Unfortunately, data leaks and compliance violations are realities associated with cloud transformation. Confidential computing is a hardware-based technology that shields computer workloads from their environments and keeps data encrypted even during processing. The required hardware (largely big hyperscalers) to realize the promise of confidential computing has only recently become available. Edgeless Systems has been an active driver of this emerging technology and today brings to bear both the technologies and financial backing to take it to the next level.

Edgeless Systems will use the seed funding to sustain its product lead, expand into the United States and add exciting features to its Constellation platform. It aims to be the defacto standard for 100 percent secure Kubernetes in the coming years. It will also build out its marketing and sales teams to help educate the industry on confidential computing and support advancements in this area.

For more information about Edgeless Systems, visit GitHub or get in touch for a live demo.

**About Edgeless Systems**

Edgeless Systems develops leading open source software for confidential computing to make the cloud the safest place for sensitive data. Edgeless Systems' Constellation is the first Kubernetes platform to ensure that hackers, cloud admins and foreign governments cannot access any data. The company was founded in 2020 by industry experts in Bochum, Germany, and has renowned investors and customers such as the Swiss stock exchange SIX and Bosch. For more information, please visit: https://www.edgeless.systems/

Edgeless Systems Raises $5M to Advance Confidential Computing

More than two years after a major takedown by law enforcement, the threat group is once again proving just how impervious it is against disruption attempts.

Like the proverbial bad penny that constantly keeps turning up, the Emotet malware operation has resurfaced yet again — this time after a lull of about three months.

Security researchers this week noted that the group is once again posing a threat to organizations everywhere, with malicious email activity associated with Emotet resuming early on March 7. The emails have been arriving in victim inboxes as innocuous-looking replies to existing email conversations and threads, so recipients are more likely to trust their content. Some of the Emotet emails have been landing as new messages as well.

**Very Large File & Payload**

The emails contain a .zip attachment, which, when opened, delivers a Word document that prompts the user to enable a malicious macro. If enabled, the macro, in turn, downloads a new version of Emotet from an external site and executes it locally on the machine.

Researchers from Cofense and Hornet Security who observed the fresh malicious activity described the Word documents and the malicious payload as inflated in size and coming in at more than 500MB each. Overall, the volume of the activity has remained unchanged since early March 7, and all of the emails have been attachment-based spam, the researchers said.

"The malicious Office documents and the Emotet DLLs we're seeing are very large files," says Jason Muerer, senior research engineer at Cofense. "We have not yet observed any links with the emails."

Hornet Security ascribed the large file and payload sizes as a likely attempt by the group to try and sneak the malware past endpoint detection and response (EDR) tools. "The latest iteration of Emotet uses very large files to bypass security scans that only scan the first bytes of large files or skip large files completely," according to a post by Hornet researchers. "This new instance is currently running at a slow pace, but our Security Lab expects it to pick up."

**A Malware That Refuses to Die**

Emotet is a malware threat that first surfaced as a banking Trojan in 2014. Over the years, its authors — variously tracked as Mealbug, Mummy Spider, and TA542 — have turned the erstwhile banking Trojan into a sophisticated and lucrative malware delivery vehicle that other threats actors can use to deliver different malicious payloads. These payloads have in recent years included highly prolific ransomware strains, such as Ryuk, Conti, and Trickbot.

The threat actors' preferred mode for delivering Emotet has been via spam emails and phishing, crafted to get users to open attached files or to click on embedded links to malware delivery sites. Once the threat actor compromises a system, Emotet is used to download other malware on it for stealing data, installing ransomware, or for other malicious activities such as stealing financial data. Emotet's command-and-control infrastructure (C2) presently runs on two separate botnets that security vendors have designated as epoch 4 (E4) and epoch 5 (E5)

In early 2021, law enforcement officials from multiple countries disrupted Emotet's infrastructure in a major collaborative effort that has done little to stop the threat actor from continuing its malware-as-a-service. At the time, the US Department of Justice assessed that Emotet's operators had comprised over 1.6 million computers worldwide between April 2020 and January 2021. Victims included organizations in healthcare, government, banking, and academia.

**New Activity, Same Tactics**

An October 2022 analysis of the Emotet threat group by security researchers at VMware identified multiple reasons for the group's continued ability to operate after the massive law enforcement takedown. These included more complex and subtle execution chains, constantly evolving methods to obfuscate its configuration, and using a hardened environment for its C2 infrastructure.

"Emotet has been used to deliver a range of secondary payloads," Muerer says. "While it was predominantly delivering other malware families in the past, there is evidence that the current endgame for these actors will likely be focused on ransomware."

There's nothing about the new Emotet activity that suggests that the threat group has deployed any new tactic or technique, Muerer says. The email-thread hijacking tactic and the macro-enabled Word documents are both tactics that the operators have been using for some time. And, as always, the primary infection vector remains spam and phishing emails.

"Nothing major has shifted that we are aware of," Muerer says. "Emotet remains a threat to everyone, with a disproportionately high impact on small businesses and individuals."

Emotet Resurfaces Yet Again After 3-Month Hiatus

Will stricter cybersecurity requirements make flying safer? The TSA says yes, and sees it as a time-sensitive imperative.

The Transportation Security Administration (TSA) announced a new set of cybersecurity requirements this week for airport and aircraft operators. The initiative constitutes "an emergency action," the TSA explained in a press release, urgent "because of persistent cybersecurity threats against US critical infrastructure, including the aviation sector."

This announcement comes hot on the heels of the White House's National Cybersecurity Strategy, published March 2. It's all part of a broader government effort to increase cyber resilience across critical industries.

Back in July, for example, the TSA issued near word-for-word similar requirements for the rail industry. As Robert Carter Langston, press secretary for the TSA, tells Dark Reading: "This amendment to the aviation security programs extends similar cybersecurity performance-based requirements that currently apply to other transportation system critical infrastructure."

"It's good that the TSA is codifying these requirements," says Mike Parkin, senior technical engineer at Vulcan Cyber, "though it remains to be seen how it will affect airline passengers."

**New Cyber Guidelines for Airports and Airlines**

This isn't TSA's first set of cyber rules of the road for airport and airline operators. In years prior, the TSA instituted requirements for operators to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA), establish cybersecurity points of contact, develop incident response plans, and complete vulnerability assessments.

The new set of rules states that TSA-regulated organizations must develop and assess "an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure," the agency wrote. TSA described four primary measures:

1.  Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
2.  Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3.  Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
4.  Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, noted that the guidelines are timely, and that TSA's "emergency" designation could be well warranted.

"I think it is wise of the TSA to require airport and aircraft operators to improve their cybersecurity resilience as attacks and geopolitical tension have continued to escalate over the years," he said in an emailed statement. "Airports and aircraft operators have also been caught in the cross hairs of Russian and Iranian cyber crews. This is why the aviation industry needs to protect all digital controls because they can and will be hacked. I truly believe that the cyber 9/11 is coming, which is why operators must invest in proactive cybersecurity measures."

**Will TSA's New Rules Make a Difference?**

Whether these new guidelines will make any real, material difference in airline security remains to be seen, but researchers welcomed them nonetheless.

On one hand, the details of exactly what will be considered sufficient security, from airports and airlines, and how compliance will be enforced, are still hazy. According to Langston, the details of how each organization will implement these measures "will be coordinated directly with TSA's stakeholders."

Even if airlines and airports do take heed, though, will the effects be significant? TSA's initiative "does fall in line with, and reinforces, the new National Cybersecurity Strategy document, and makes sense from multiple angles," Parkin says, but neither network segmentation nor access control, monitoring, or patching are particularly groundbreaking ideas.

As Parkin points out, "None of these requirements aren't already considered industry best practice\[s\] and things the airport authorities and airline operators shouldn't be doing already."

Kellerman, however, noted that some advanced tools fall under the broad umbrella of TSA's broader language in the requirements. Those include "micro-segmentation of networks, managed detection and response services (MDR), runtime application self-protection (RASP), and multifactor authentication (MFA) to protect against future intrusions," he noted. "They should also consider moving to secure cloud environments that deploy serverless application security. If we have learned anything from ongoing attacks, it is that cybersecurity is a functionality of conducting business, not an expense, and that TSA cannot protect operators from growing ephemeral threats."

TSA Issues Urgent Directive to Make Aviation More Cyber Resilient

Led by growth in Russia, more than 40% of global ICS systems faced malicious activity in the second half of 2022.

More than 40% of the total number of global industrial control systems (ICS) computers saw some kind of malicious attack during the course of 2022.

This volume of cyberattacks against industrial systems was led by growth in Russia, which, as a region, saw a full 9 percentage-point increase in malicious activity in 2022, according to research into telemetry statistics this week from Kaspersky. Blocked malicious scripts were a particularly common threat within the firm's data for the period, which, along with phishing pages targeting ICS, saw an 11% rise over 2021, the analysis added.

However, Russia, which saw 39.2% of the ICS machines in Kaspersky's telemetry attacked, was not the top target overall. Rather, Ethiopia took the crown with 59% of its ICS footprint seeing malicious activity.

"In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions," the Kaspersky report said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

40% of Global ICS Systems Attacked With Malware in 2022

A state-backed threat actor impersonates political figures, tricking a prime minister, a former US president, and several European mayors and MPs into video calls later used in an anti-Ukraine influence campaign.

A Russian duo notorious for pranking numerous high-profile individuals, including Canadian Prime Minister Trudeau, is at it again — this time seeking to embarrass public figures that have expressed support for Ukraine in its war with Russia.

Over the past year, the two individuals — known publicly as Vovan and Lexus — have targeted high-ranking government officials and CEOs at large companies in North America and Europe, according to Proofpoint researchers, in a campaign to lure them into saying potentially volatile things on video and phone calls. The effort seems to be in retaliation for the targets' support for Ukraine in the war with Russia. 

**An Elaborate Impersonation Con**

In a blog post this week, Proofpoint said it had observed a sharp increase in activity from the pair following Russia's invasion of Ukraine last February. Since then, Vovan and Lexus have contacted numerous prominent business leaders and politicians that have either made public statements against the war or have donated to Ukrainian humanitarian programs.

In emails to the targeted individuals, the pair have variously presented themselves as Ukrainian Prime Minister Denys Shmyhal, Ukrainian Member of Parliament Oleksandr Merezhko, and Russian opposition leader Alexei Navalny's Chief of Staff Leonid Volkov. Other emails have purported to be from the "Embassy of Ukraine to the US" and the "Embassy of Ukraine in the US," and were sent from plausible-looking, embassy-themed email addresses.

The emails have attempted to convince recipients into participating in recorded video chats and phone calls, where they are encouraged to speak on various matters associated with the war in Ukraine. In some of the video conversations, the two individuals have worn heavy makeup and likely used deepfake technology to take on the appearance of figures they were impersonating. Edited versions of the recordings have later appeared on YouTube, Telegram, Twitter, and Russian-video platform Rutube.

"Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts," Proofpoint's report said. "The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences."

**A Who's Who of Victims**

Proofpoint's report did not name any specific individuals that might have fallen for Lexus and Vovan's tricks. But researchers from the company pointed Dark Reading to publicly known examples of their work.

In one instance, the pair posed as Ukrainian Prime Minister Shmyhal and tricked former UK Home Secretary Priti Patel into a 15-minute conversation with them on the war and the related refugee crisis. The hoaxers later posted a video of them duping Patel on YouTube and other social media channels. In another campaign last June, Vovan and Lexus tricked the mayors of Warsaw, Berlin, Vienna, and Budapest into making video calls with an individual they believed was Vitaliy Klychko, the mayor of Kyiv.

Vovan and Lexus, whose real names are Vladimir Kuznetsova and Aleksei Stolyarov, have also, as mentioned, tricked Canadian Prime Minister Trudeau (into thinking he was speaking with climate change activist Greta Thunberg). Last year, they posted a video on YouTube that purported to show former US President George Bush speaking with an individual he assumed was Ukrainian President Volodymyr Zelenskyy. In May 2021, the pair tricked multiple European members of Parliament into video meetings using deepfake technology to impersonate Russian opposition leaders, including Navalny.

**A Russian State-Backed Threat?**

Researchers at Proofpoint have been tracking the two individuals since 2021 under the threat actor designation "TA499." This week, they cautioned against dismissing them merely as pranksters, as some have previously. "While Vovan and Lexus brand themselves as 'pranksters and comedians,' multiple governments and officials deem the pair to be Russian, state-funded bad actors," Alexis Dorais-Joncas, senior manager for threat research at Proofpoint, tells Dark Reading.

Proofpoint has not been able to confirm the level of government involvement with the pair, but the company has determined from open source intelligence that the two actors are likely state encouraged and patriotically motivated. "It's fair to consider Vovan and Lexus as 'influencers' or 'propagandists,' as they deem to influence the political nature of Russia as a whole and reach an English audience through various methods," Dorais-Joncas says.

"TA499's elevation to state-aligned activity is due to the targeted nature of its campaigns, utilization of actor-controlled domain infrastructure, \[and\] multiple VoIP fake phone numbers for separate recipients," he notes. 

The two individuals perform reconnaissance to target both directly and via the close contacts of selected targets, and presents a risk to organizations, the researcher says. "These things combined with their specific focus on Russia-aligned propaganda, make them a state-aligned threat."

Proofpoint assessed with high confidence that TA499 will continue with its influence campaign, and likely reuse old or additional infrastructure to do so. The primary target continues to be C-level executives or those at the highest-profile positions at their respective organizations. 

The security vendor posted a list of email addresses that the duo has used so far in their campaigns and advised anyone who has reason to believe they could be targeted to verify the identities of people inviting them to discuss political topics.

Source

DARKReading