Attackers primarily target on-premises IT infrastructures.

**FRISCO, Texas****,** **May 23, 2023** **/PRNewswire/ --** Netwrix, a cybersecurity vendor that makes data security easy, today announced additional findings for the enterprise sector (organizations with more than 1,000 employees) from its annual global 2023 Hybrid Security Trends Report.

According to the survey, 65% of organizations in the enterprise sector suffered a cyberattack within the last 12 months, which is similar to the results among companies of all sizes (68%). The most common security incidents are also the same: phishing, ransomware and user account compromise.

However, larger organizations are a more frequent target for ransomware or other malware attacks: 48% of enterprises experienced this type of security incident on premises, compared to 37% among organizations of all sizes. Malware attacks are less common in the cloud: just 21% of respondents in the enterprise sector experienced one within the last 12 months.

"It is no surprise that the enterprise sector suffers malware attacks at a higher rate than smaller organizations. After all, ransomware operators want to maximize their profits, so they consider which organizations are most able to pay a ransom to reduce business downtime — and the larger an organization is, the costlier an operational disruption will be," says Dmitry Sotnikov, VP of Product Management at Netwrix. "On the other hand, larger organizations have more tools to spot the attack that might stay unnoticed for SMBs. In addition, enterprises have bigger infrastructure with more endpoints that statistically increases the chance of the security incident."

The enterprise sector also reports larger expenses as a result of cyberattacks than their smaller counterparts. Indeed, 28% of enterprises estimated their financial damage from cyberthreats to be $50,000 and higher, compared to just 16% among organizations overall.

"Smaller companies often underestimate their risk of attack, reasoning that cybercriminals tend to target enterprises because they store more intellectual property (IP) and other sensitive data. But our survey shows that organizations suffer cyberattacks with a similar frequency regardless of their size," says Dirk Schrader, VP of Security Research at Netwrix. "Every organization has valuable data, such as customer and employee information, and is therefore a target for attackers. What's more, SMBs are not only a target on their own but as a way into the larger enterprises that consume their services."

To learn more about how enterprises can overcome the ransomware challenge, visit the Netwrix ransomware protection page.

**About Netwrix**  

Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect, respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity and infrastructure.  

For more information, visit www.netwrix.com.

Netwrix Report: Enterprises Suffer More Ransomware and Other Malware Attacks Than Smaller Organizations

The company's ESG appliances were breached, but their other services remain unaffected by the compromise.

Email and network security solutions company Barracuda Networks is warning customers that threat actors have targeted its email security gateway (ESG) appliances for compromise, by way of an email attachment scanning module.

The issue, discovered on May 19, has since been addressed through two security patches applied worldwide on May 20 and 21, though Barracuda still warned its customers on May 23 that some of the ESG appliances remain compromised. In its investigation, the company found that the vulnerability "resulted in unauthorized access to a subset of email gateway appliances," though its other products, such as the software-as-a-service (SaaS) email security services, were not affected.

Because the investigation was limited specifically to the ESG, the company encourages those that have been affected to assess their network environments to ensure that their other devices on the network have not also been compromised.

Barracuda continues to monitor the situation and users who have been impacted have been notified through ESG appliances of what their next steps should be.

"If a customer has not received notice from us via the ESG user interface," the company said, "we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Threat Actors Compromise Barracuda Email Security Appliances

Security professionals warn that Google's new top-level domains, .zip and .mov, pose social engineering risks while providing little reason for their existence.

Two new top-level domain names — .zip and .mov — have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss.

Google announced the domains in early May, kicking off a slow buildup of criticism from the security community as people became aware of the issues. In a widely circulated post on Medium, security researcher Bobby Rauch pointed to two seemingly identical URLs that appear to go to the same place — downloading a zip file from a GitHub repository — but by using unicode slashes, an "@" sign, and the .zip domain, a potentially malicious URL could instead redirect users to an attacker's website.

While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension, says Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence.

"There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware," he says. "Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks."

In the three weeks since Google announced the new domains — along with .dad, .phd, and .foo — security researchers have pointed out the dangers of TLDs that match file extensions. On Tuesday, for example, Trend Micro became the latest security firm to warn users to fine-tune their ability to spot malicious links. In the advisory, the company pointed out that the Vidar info-stealer uses fake URLs to download a "Zoom.zip" file to the victim's computer — and that the .zip domain will make the attack much more effective.

Google did not answer questions about the tradeoffs between risk and utility for the new TLDs but did send a statement to Dark Reading, pointing to other confusing domains, such as 3M's command.com domain as a way of arguing that the issue is not novel.

"The risk of confusion between domain names and file names is not a new one," the company stated. "Applications have mitigations for this — such as Google Safe Browsing — and these mitigations will hold true for TLDs such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip."

Whether the new domains will make phishing better is still a question for some, but the risk of making more effective links seems to outweigh any benefit of the domains, says Erich Kron, security awareness advocate at phishing and security education firm KnowBe4.

"It's the 'why are we doing this?' that kind of gets me, and frankly, it's just a bad idea, right?" he says. "Bad actors have been using .zip files and compressed files to get people to download malware for eons, and then to make a top-level domain that the general public is going to associate with \[legitimate files\] ... we are really opening the doors to some some very easy trickery here."

**No Active Phishing Attacks so Far**

The domain names have already led to some mistakes, and not just on the part of humans. Some tools, such as Google's own malware identification service VirusTotal, are confusing filenames with the .zip extension with URLs with the .zip TLD, according to Johannes Ullrich, dean of research for education organization SANS Technology Institute. Ullrich is in the process of surveying existing .zip domains to see which are malicious.

He has found that evidence of in-the-wild campaigns is scant so far. "This opens up new avenues for more convincing phishing attacks," Ullrich said, with a caveat: "However, there are already many ways to create convincing phishing attacks, so the risk is more incremental."

The good news is that attackers have not yet picked up the technique en masse for real-world attacks, Trend Micro stated in its advisory.

"As of today, Trend Micro has not yet received URLs related to these new TLDs from internal and customer cases," the company stated. "However, we will continue to monitor any related URLs we come across and block them as needed in preparation for potential phishing campaigns."

At this point, the biggest "attack" so far involves "rickrolling" and parked domains, Ullrich says: At least 48 domains have been registered by people who then posted a video of singer Rick Astley and his song, "Never Gonna Give You Up."

**Awareness, Best Security Practices Remain Top Advice**

The creation of file-extension-lookalike domain names will likely lead Google and other browser makers to adopt warnings in their software, alerting users when a domain uses special unicode characters — such as two characters that appear to be slashes (/) — and which could be confused for legitimate URLs.

However, much will still rely on users, who should be careful about checking links, and companies, which can restrict new domain names until cybersecurity providers can assign them a reputation, DomainTools' Helming says.

"There are ways for very savvy users to spot these file paths visually," he adds, "but the most effective defenses are going to be a combination of efforts that include security control detections for things like those characters, risk scoring for newly created domains — in any TLD — and updated user awareness training."

_With reporting by Jaikumar Vijayan_

Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool

A cybersecurity vulnerability found in an implementation of the social login functionality opens the door to account takeovers and more.

A vulnerability in the implementation of the Open Authorization (OAuth) standard that websites and applications use to connect to Facebook, Google, Apple, Twitter, and more could allow attackers to take over user accounts, access and/or leak sensitive information, and even commit financial fraud.

OAuth comes into play when a user logs in to a website and clicks on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google" — a feature that many sites use to allow cross-platform authentication. A team from API security firm Salt Security's Salt Labs discovered the flaw, tracked as CVE-2023-28131, in the OAuth implementation in Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase.

Specifically, the flaw potentially could affect any users that use various and social media accounts to log into an online service that uses the framework, the researchers revealed in a blog post published May 24.

The vulnerability is the second — and more impactful — one that Salt researchers have found in an online platform's implementation of OAuth, which is proving to be a tricky standard to implement securely. In March, Salt discovered a flaw in Booking.com's implementation of OAuth that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

**Third-Party Risk With OAuth Implementation**

The flaw in Expo could have had a much wider impact than the Booking.com flaw, because of Expo's wide install base, Aviad Carmel, Salt security researcher, tells Dark Reading.

"Because this second OAuth vulnerability was discovered in a third-party framework used by hundreds of companies, the potential exposure was far greater," he says. "It could have impacted the OAuth implementations of hundreds of websites and apps."

Moreover, OAuth is becoming a de facto authentication standard in modern service-based architectures, as well as in emerging artificial intelligence (AI)-based platforms. This inherently means any vulnerabilities in OAuth implementations have a broad reach. In fact, in other research unveiled May 24, software-as-a-service (SaaS) security firm DoControl revealed that 24 percent of third-party AI apps require risky OAuth permissions.

Expo patched CVE-2023-28131 within hours after Salt researchers flagged the issue, and developers maintaining the platform recommended in a blog post detailing the flaw that customers update their Expo deployments to fully mitigate the risk.

However, the mounting list of OAuth vulnerabilities and the overall complexity of correctly configuring the standard that they highlight suggest that more websites and apps could have undiscovered flaws lurking beneath their surface.

The findings also demonstrate how enterprises are adversely and broadly affected when third-party frameworks introduce API vulnerabilities into their environment, often without them knowing. This puts customers at risk for credential leaks or account takeover, and gives threat actors a platform from which to launch further attacks, the researchers said.

**Exploiting the Expo Flaw**

When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. If it's the user's first time visiting Site A, the social media page will ask for permission to share details with Site A. If the user has gone through the process before, the social media site will automatically authenticate the user to Site A.

Salt Labs researchers discovered CVE-2023-28131 in Codeacademy.com, an online platform that offers free coding classes across a dozen programming languages. Companies including Google, LinkedIn, Amazon, Spotify, and others use the site to help train employees, and the site has around 100 million users. The researchers ultimately exploited the flaw to gain complete control of Codeacademy.com accounts, they said.

The vulnerability in the OAuth implementation within Expo relates to the social sign-in process, Carmel tells Dark Reading. "When users sign in using their Facebook or Google credentials, Expo acts as an intermediary and transfers the user's credentials to the target website," he says.

Attackers could have exploited CVE-2023-28131 by intercepting this flow and manipulating Expo to send the user credentials to a malicious domain instead of the intended destination, Carmel explains.

This exploitation could have led to leaks of personal data or even financial fraud if attackers used credentials to log into users' financial accounts. Threat actors also could potentially have performed actions on behalf of users on their social media accounts, Carmel says.

**Why OAuth Is Tricky**

OAuth's popularity stems from how it can provide a much more seamless user experience for people when interacting with frequently used websites. However, it has a complex, technical back-end that can lead to implementation mistakes, creating security gaps that are ripe for exploitation, the researchers said.

To secure an OAuth implementation, then, an organization must understand how OAuth functions and which endpoints can receive user inputs, Carmel says.

"Attackers may attempt to manipulate these inputs, so validating each one is essential," he advises. "This can be achieved by maintaining a whitelist of predetermined values or implementing other strict validation methods."

Because of how complex OAuth implementations are proving to be, Salt Security plans to release a best-practice guide in the future to help enterprises security their OAuth implementations effectively, Carmel adds.

OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

It's time to invest in initiatives that engage young women in cybersecurity early and often.

The United States faces a tremendous shortage of cybersecurity professionals, with more than 750,000 open cybersecurity roles nationwide. According to an (ISC)2 report, women made up only about 24% of the global cybersecurity workforce in 2018.

If the cybersecurity sector doesn't start attracting more female professionals, it will never have the strength or numbers to counter the growing threats facing America. Cyberattacks are more prevalent and dangerous than ever before, posing threats like identity theft, financial fraud, corporate espionage, and state-sponsored cyberattacks, which will continue to increase in severity in the absence of a skilled cybersecurity workforce. While the Biden administration's National Cybersecurity Strategy provides a road map for addressing the gender gap and workforce shortage in science, technology, engineering, and math (STEM), as well as cybersecurity, there is more to be done. That's where universities come in.

Educational institutions have a crucial role to play in building the next generation of female cybersecurity talent and bolstering the workforce. There are several strategies universities can deploy to support women interested in entering one of the world's most important professions.

**Empower Girls to Pursue Cybersecurity as Early as Middle School**

For starters, universities can start appealing to female students earlier in their academic lives — as early as middle school — to pursue degrees and careers in cybersecurity. Historically, as girls enter middle school, their interest in STEM begins to decline, and most girls have already decided by the time they reach high school if a career in STEM is right for them. There also needs to be a shift in emphasis from "Do you like math and science?" to "Do you like technology, are you curious, and do you want a high-paying job?" in helping students explore new interests.

Framing those conversations in a more friendly way can help students who may not have considered a career in cybersecurity — or even know what it is — to see themselves in the industry.

**Foster Peer Mentorship Programs**

Universities can create mentorship programs, pairing the next generation of cyber leaders pursuing higher education and careers in the field with local middle and high school students. The peer mentorship model has been incredibly successful in inspiring and motivating young women and girls, increasing their confidence in their ability to pursue careers in the industry.

For example, IF/ THEN, a nonprofit focused on advancing women in STEM, has tapped high-profile STEM professionals across fields to serve as peer mentors to young women, initiating a cultural change in the industry.

Near-peer mentoring is a very effective strategy for supporting young women and other underrepresented groups in cybersecurity. Students can build meaningful relationships with individuals who are only a few years older and are achieving success in the field. If she can see it, she can be it.

**Leverage Experiential Learning**

Cybersecurity educators across the country also need to change their approach to promoting the field if they want students to develop an interest at younger ages. Experiential learning is critical to helping girls and other underrepresented groups understand the field and, more importantly, that they can contribute to it as a professional. A class on the merits of dual-factor authentication might put middle schoolers to sleep, but a class on cracking passwords would show them why it matters and how it applies to the real world.

Palo Alto Networks, a leading cybersecurity company, recently partnered with the Girl Scouts of the USA (GSUSA) to launch the first-ever national security badge program, which provides elementary, middle school, and high school girls with STEM activities to increase their cybersecurity skills and encourage them to pursue careers in the field.

Another national initiative that has been successful in increasing cybersecurity interest among K–12 students is GenCyber, which provides free summer cybersecurity camps for students and professional development opportunities for teachers nationwide. Funded by the National Security Agency (NSA) and National Science Foundation (NSF), these camps offer activities and competitions in everything from cryptography to network security to help all ages improve their cybersecurity fundamentals.

By prioritizing diversity and inclusion and supporting outreach programs, universities can build a pipeline of talent that will provide the professionals needed for an adaptive and responsive cybersecurity workforce. If Americans want to get serious about protecting ourselves, businesses, organizations, and our government, it's time to invest in initiatives that engage our young women in cybersecurity early and often.

How Universities Can Bridge Cybersecurity's Gender Gap

Researchers say the Iranian nation-state actor known as Tortoiseshell could be behind the attacks.

At least eight Israeli websites have been targeted in a watering hole campaign that researchers say could be the work of an Iranian nation-state threat group.

The attack campaign, discovered by ClearSky Cyber Security, focuses on shipping and logistics companies. Once a site is infected, a malicious script collects preliminary user information.

ClearSky said it has "a low confidence specific attribution" to the Tortoiseshell group out of Iran. The targeting of shipping and logistics companies aligns with Iran's history of cyberattacks against that sector over the past three years.

"Previous Tortoiseshell attacks have been observed using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appeared to be supply chain attacks with the end goal of compromising the IT providers' customers," the company claims. "The threat actor has been active since at least July 2018."

ClearSky tied the C&C server used in the attacks to Tortoiseshell.

Watering hole attacks have been part of the initial access vector used most overall by Iranian threat actors since at least 2017. ClearSky researchers observed four domains impersonating jQuery, and domain names impersonating jQuery were deployed in a previous Iranian campaign from 2017 using a watering hole attack.

Iranian threat actors traditionally have targeted Israeli websites in an attempt to collect data on logistics companies associated with shipping and healthcare. This latest website attack spotted by ClearSky is similar to an effort observed last year where an Iranian threat actor named UNC3890 was targeting shipping companies in Israel via a similar of type of attack.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Israeli Shipping, Logistics Companies Targeted in Watering Hole Attacks

Incident response playbooks and frameworks are leaving defenders ill-equipped to recover from the increasing number of successful cyberattacks. Developments in AI offer a new way for stretched teams to manage security incidents and heal swiftly.

The number of successful cyberattacks impacting organizations continues to increase, with recent high-profile breaches such as UK outsourcing firm and government contractor Capita incurring recovery costs of up to £20 million.

Generative AI is allowing attackers to innovate and escalate their approach. Darktrace researchers observed a 135% increase in "novel social engineering attacks" across thousands of active customers from January to February 2023 (based on the average change in email attacks detected across Darktrace customers' email deployments). With that in mind, organizations should focus more than ever on their cyber resilience — namely, their ability to withstand, adapt, and recover from cyberattacks that have achieved initial access. Yet the gap between the growing numbers of successful attacks and effective approaches to recovery continues to widen.

Within this context, security teams need help to prepare, recover, and adapt confidently to cyber incidents, and new developments in AI are offering promising signs that they can do so.

**Evaluating the Current Picture**

With a growing skills shortage in the industry, it has become more and more difficult for humans to keep up with incident management techniques and frameworks. Additionally, the costs associated with tabletop exercises, red/purple team activities, maintaining playbooks, and testing recovery stacks have become increasingly untenable.

Incident response playbooks outline the steps an organization should take to respond to and recover from a particular type of attack and are widely accepted as best practice. These are typically based on predefined, static views of an organization that quickly become outdated and are challenging to maintain and execute in a real-world incident.

Published frameworks are another standard part of the cyber resilience toolkit. These templates and flowcharts tend to lay out discrete linear processes — often lengthy steps designed to occur one after the other, with no concept of the frequent need to shift and adapt as new information arises. Dealing with the complexity gap between the necessarily concise framework and the variety and complexity of real incidents is left to human responders.

Similarly, tabletop exercises, in which stakeholders come together to test incident response plans, can be a useful way of developing experience in decision making. But they are time-intensive and will not test many of the technical tools and processes used in a real-world response.

**Moving From a Reactive to an Adaptive Approach**

Introducing self-learning artificial intelligence (AI) into incident management can allow teams to engage an incident in more detail and at an earlier stage than they currently can, minimizing disruption to the business.

One of the more challenging security tasks is dedicating time to continuously evaluate readiness to handle an incident, which could occur at any time. AI can add value here by combining a deep understanding of every internal asset and continuous evaluation of coverage and functionality of the recovery stack to assess: _How prepared are you for defeating a cyberattack?_

During an incident, especially if on a larger scale, AI-powered systems offer full visibility into the scope and details of the compromise, creating a more informed basis on which to manage it. By holding this complex understanding within the software, it can go further by automating much of recovery management. It can automatically adapt planned recovery steps to precise incident details. It can also prioritize assets for remediation based on its deep understanding of that asset's function and role within the incident and the business.

But AI assistance doesn't have to mean relinquishing human control. Rather, AI should augment human teams by presenting simple choices and recommendations based on real-time developments and simplify and automate technical steps where possible. Working together, AI can shorten the time-consuming recovery processes while providing human teams with relevant and timely context to support faster decision making when it counts.

Time savings from AI can extend to record keeping during and after the incident. By collecting forensic evidence automatically and keeping a record of all defensive actions taken, AI can create incident reports at any time. These reports enable teams to communicate clearly to stakeholders what has happened, what they've done about it, and what further actions they are planning to take.

Critically, incident management needs to interact with detection, immediate response, and preventative measures across the rest of the cybersecurity ecosystem. In a landscape where vendor consolidation is top of mind for CISOs and CFOs, incident recovery products that can integrate with these other capabilities provide a compelling case for a single dashboard approach to cyber resilience.

The reality is that cyber incidents are a question of _when_ and not _if_, so organizations that look to move beyond static incident playbooks and standard frameworks will remain ahead of the game. Leveraging AI and automation to deliver bespoke recovery plans that adapt in real time will allow these companies to achieve new levels of cyber resilience in a fast-moving threat landscape.

**About the Author**

    

Matt Bovbjerg joined Darktrace in 2015, specializing in strategic customer deployment architecture and operationalizing Darktrace within large security stacks, before becoming the Vice President of Integrations Architecture. Matt works closely with Darktrace R&D, Technology Alliance Partners, and customers to develop use case-driven third-party integrations, ensuring organizations get the most out of their security investments. Matt holds a Bachelor’s degree in Industrial and Operations Engineering from the University of Michigan.

How AI Can Help Organizations Adapt and Recover From Cyberattacks

Any new cybersecurity technology should be not just a neutral addition to a security stack but a benefit to the other technologies or people managing them.

The cybersecurity technology field is, shall we politely say, crowded. I recently returned from attending RSA, one of the biggest conferences in the industry. Trying to describe just how many new technologies and solutions I saw there feels a lot like trying to describe how big space is: Our brains can't actually process that kind of scale. 

I imagined being a chief information security officer (CISO) at this event, trying to make decisions on what products or technologies would solve their particular organization's security weaknesses. It was, in trying to maintain my earlier commitment to being polite, overwhelming. There _must_ be a better way to quickly figure out if a security technology is worth evaluating. 

This ecosystem we have found ourselves in, of slapping new technologies into our security stacks, isn't working. Security staffs everywhere are pulled too thin trying to manage every new technology, and threat actors are continuously breaking through our protection technologies. 

So, how do we break this cycle? When looking for security technologies, we start assessing how much value the technology provides — not just whether it can do what it promises to do, but also if it provides a net positive for the entire security stack and management teams. 

We are moving into a new era of cybersecurity, and every investment must be prudent. In order to make these decisions, companies must start asking some fundamental questions about these technologies in order to understand the true value — or cost — of a security solution. These questions of proactivity, intelligence, autonomy, scalability, and benefit to the stack as a whole can help you find the most value in every security technology.

Importantly, these questions can also help you evaluate your existing technologies, as you now know in real life how they are (or are not) serving your network and your teams. The answers might surprise you. 

**Question 1: Is the technology proactive or reactive? **

While almost any cybersecurity technology will be quick to use the word "proactive," we first should define what the term really means. A truly proactive technology is one sitting "left of boom," or, more simply, before a successful breach. Recently, almost all cybersecurity technology sits "right of boom," responding to and mitigating the effects of breaches that have already happened. 

In modern security frameworks and stacks such as MITRE/NIST/zero trust, often the only left-of-boom technology in place is the firewall/next-generation firewall (NGFW). These decades-old technologies have been tasked with more and more, and yet they remain standard. We have to help the rest of the security stack by investing in more proactive technologies. 

**Question 2: How much cyber intelligence can the technology leverage? **

It has become increasingly clear that the word of our time is "intelligence" — be it artificial, human, or, more in my world, cyber. The value of intelligence and data has never been higher, and this has proven especially true in the war against cybercriminals. 

The future is intelligence driven, and the more intelligence a cybersecurity technology can act on, the better. Any cybersecurity technology must be informed by as much cyber/threat intelligence as possible. Without the data to make informed decisions about enforcement, threat actors automatically have an upper hand. 

**Question 3: Is the technology (truly) autonomous? **

I cannot think of a cybersecurity technology that doesn't claim it is "autonomous." This has become so common in our industry that the word itself has almost lost meaning. However, with a cybersecurity staffing shortage that does not look to be going away any time soon, it's critical we evaluate what we mean by "autonomous" when thinking about a technology.

How many hours of an employee's day (on average) does this technology require? Does this technology require another full-time employee to manage the alerts or logs? Does this technology automatically update? (And what are the down times like for them?) The answers to these questions should be: zero, no, and yes. Anything else is not an autonomous technology. 

**Question 4: How does the technology scale? **

Threat actors have shown themselves to be nimble, inventive, and persistent in their attacks. The technologies we implement must be able to grow and adapt to these realities. Can they adapt to higher volumes, deeper obfuscations, and yet-unknown attack vectors? Knowing your technologies can grow with your network _and_ adapt to an ever-changing threat landscape is vital in any security technology investment. 

**Question 5: Can the technology work easily with existing technologies? **

One of the biggest drivers of cybersecurity professionals is what's known as "alert fatigue." This is caused by too many technologies that are extremely sensitive in finding threats or breaches, yet are unable to communicate with each other easily, throwing multiple alerts for the same malicious traffic. The cybersecurity teams are then forced to sift through multiple erroneous/duplicate alerts, and are more prone to errors due to the large volume of traffic networks are receiving day and night. Sadly, this is just one example of how multiple technologies that aren't sharing information can impact a network's cybersecurity posture. 

Any new cybersecurity technology you consider should be not just a neutral addition to the security stack, but rather a benefit to the other technologies or people managing them. Some questions to ask in this arena might be: Can it feed intelligence easily to other implemented technologies? Does it ease a pain point of another technology? Can it ingest information from other implemented technologies? 

Rarely will a technology be able to adequately answer for more than one of these questions. For instance, a technology might be able to use lots of intelligence but isn't proactive and needs constant monitoring by employees. These are the challenges security teams face every time they make a decision about a new or existing security technology, but figuring out how much value each technology adds — or doesn't — is the best start.

5 Questions to Ask When Evaluating a New Cybersecurity Technology

Companies are starting to address the misuse of artificial intelligence (AI). At Google I/O, for example, executives promised its AI has safety measures.

GOOGLE I/O 2023, MOUNTAIN VIEW, CALIF. — Sandwiched between major announcements at Google I/O, company executives discussed guardrails to its new artificial intelligence (AI) products to ensure they are used responsibly and not misused. They included Google CEO Sundar Pichai, who noted some of the security concerns associated with advanced AI technologies coming out of the labs.

The spread of misinformation, deepfakes, and abusive text or imagery generated by AI would be hugely detrimental if Google were responsible for the model that created this content, said James Sanders, principal analyst at CCS Insight.

"Safety, in the context of AI, concerns the impact of artificial intelligence on society," he said. "Google's interests in responsible AI are motivated, at least in part, by reputation protection and discouraging intervention by regulators."

For example, Universal Translator is a video AI offshoot of Google Translate that can take footage of a person speaking and translate the speech into another language. The app could potentially expand the video's audience to include those who don't speak the original language.

But the technology could also erode trust in the source material, since the AI modifies the lip movement to make it seem as if the person were speaking in the translated language, said James Manyika, Google's senior vice president charged with responsible development of AI, who demonstrated the application on stage.

"There's an inherent tension here," Manyika said. "You can see how this can be incredibly beneficial, but some of the same underlying technology can be misused by bad actors to create deepfakes. We built the service around guardrails to help prevent misuse and to make it accessible only to authorized partners."

**Setting up Custom Guardrails**

Different companies have different approaches to AI guardrails. Google is focused on controlling the output generated by artificial intelligence tools and limiting who can actually use the technologies. Universal Translators are available to fewer than 10 partners, for example. ChatGPT has been programmed to say it can't answer certain types of questions if the question or answer could cause harm.

Nvidia has NeMo Guardrails, an open source tool to ensure responses fit within specific parameters. The technology also prevents the AI from hallucinating, the term for giving a confident response that is not justified by its training data. If the Nvidia program detects that the answer isn't relevant within specific parameters, it can decline to answer the question or send the information to another system to find more relevant answers.

Google shared its research on safeguards in its new PaLM-2 large-language model, which was also announced at Google I/O. That Palm-2 technical paper explains that there are some questions in certain categories the AI engine will not touch.

"Google relies on automated adversarial testing to identify and reduce these outputs. Google's Perspective API, created for this purpose, is used by academic researchers to test models from OpenAI and Anthropic, among others," CCS Insight's Sanders said.

**Kicking the Tires at DEF CON**

Manyika's comments fit into the narrative of responsible use of AI, which took on more urgency following concerns about bad actors misusing technologies like ChatGPT to craft phishing approaches or generate malicious code to break into systems.

AI was already being used for deepfake videos and voices. AI company Graphika, which counts the Department of Defense as a client, recently identified instances of AI-generated footage in use to influence public opinion.

"We believe the use of commercially available AI products will allow IO actors to create increasingly high-quality deceptive content at greater scale and speed," the Graphika team wrote in its deepfakes report.

The White House has chimed in with a call for guardrails to mitigate misuse of AI technology. Earlier this month, the Biden administration secured the commitment of companies including Google, Microsoft, Nvidia, OpenAI, and Stability AI to allow participants to publicly evaluate their AI systems during DEF CON 31, which will be held in August in Las Vegas. The models will be red-teamed using an evaluation platform developed by Scale AI.

"This independent exercise will provide critical information to researchers and the public about the impacts of these models, and will enable AI companies and developers to take steps to fix issues found in those models," the White House statement said.

Google Adds Guardrails to Keep AI in Check

Secure email gateways and end users alike are being fooled by a cyberattack campaign that's enjoying skyrocketing volumes against businesses in every industry, globally.

A high-volume credential-harvesting campaign is using a legitimate email newsletter program named SuperMailer to blast out a significant number of phishing emails designed to evade secure email gateway (SEG) protections.

According to a report from Cofense on May 23, the campaign has snowballed so much that SuperMailer-created emails account for a significant 5% of all credential phishes within the firm's telemetry in the month of May so far. The threat seems to be exponentially growing: The monthly volume of the activity overall has more than doubled in three out of the past four months — notable even in a landscape where credential phishing is growing overall.

"Combining SuperMailer's customization features and sending capabilities with evasion tactics, the threat actors behind the campaign have delivered tailored, legitimate-looking emails to inboxes spanning every industry," explained Brad Haas, cyber threat intelligence analyst at Cofense and author of the research.

And indeed, Cofense reports that the threat actors behind the activity are casting a wide net, hoping to haul in victims in a varied sea of industries, including construction, consumer goods, energy, financial services, food service, government, healthcare, information and analytics, insurance, manufacturing, media, mining, professional services, retail, technology, transportation, and utilities.

**Supersized Phishing With SuperMailer**

What makes the numbers even more interesting is the fact that SuperMailer is a somewhat obscure German-based newsletter product that has nowhere near the scale of more well-known email generators such as ExpertSender or SendGrid, Hass tells Dark Reading — yet it's still behind wide swathes of malicious emails.

"SuperMailer is desktop software that can be downloaded for free or for a nominal fee from a number of sites that may be completely unassociated with the developer," he says. "A free version of SuperMailer was released on CNET in 2019, and since that point has had approximately 1,700 downloads. This number is low in comparison to many popular software downloads, but we do not have any other information on the number of legitimate organizational users."

SuperMailer did not immediately respond to Dark Reading's request for comment. But since the clients are propagated via third-party websites and have no server or cloud component, Haas notes that SuperMailer's metaphorical hands are tied when it comes to rooting out the activity.

"In the past, we've seen large, cloud-based services abused to send phishing emails or create unique URL redirects pointing to phishing pages, but those services often catch and combat the activity after a period of time," he says. "We do not know the extent to which the SuperMailer developer is capable of fighting this abuse."

That in of itself makes SuperMailer attractive to cybercriminals. But the other reason is that it offers an attractive disguise for getting past SEGs and ultimately end users, thanks to some unique features.

**Evading Email Security With Ease**

"This is another example of threat actors abusing tools that were designed for legitimate purposes," Haas notes, adding that features that legitimate users find helpful will also appeal to crooks. "This already happens in the penetration testing arena, where open source penetration testing tools are regularly abused by threat actors to conduct actual threat activity," he says.

In this case, SuperMailer offers compatibility with several email systems, which allows threat actors to spread their sending operation across multiple services — this decreases the risk that a SEG or upstream email server will classify emails as unwanted due to reputation.

"The threat actors likely have access to a variety of compromised accounts, and they use SuperMailer's sending features to rotate through them," Haas wrote in his report on the threat.

The SuperMailer-generated campaigns also take advantage of template customization features, like the ability to automatically populate a recipient's name, email, organization name, email reply chains, and more — all of which boosts the legitimacy of the email for targets.

The software also doesn't flag open redirects — legitimate Web pages that automatically redirect to any URL included as a parameter. That allows bad actors to use completely legitimate URLs as first-stage phishing links.

"If a SEG does not follow the redirect, it will only check the content or reputation of the legitimate website," Haas said in the report. "Although open redirects are generally considered to be a weakness, they can often be found even on high-profile sites. For example, the campaigns we analyzed used an open redirect on YouTube."

**Defending Against the SuperMailer Threat**

Cofense has been able to track the SuperMailer activity thanks to a coding mistake that the attackers made while crafting the email templates: The emails have all included a unique string showing that they were produced by SuperMailer. However, parsing messages for that string or more broadly blocking entire legitimate mailing services isn't the answer.

"We haven't yet uncovered any default characteristics that would allow us to broadly block emails generated by SuperMailer," Haas says. "In this case, the identifiable characteristics were discoverable only due to a mistake by the threat actor. Without the mistake, it wouldn't be feasible, as those characteristics are not visible in every SuperMailer email."

However, he notes that there are other characteristics that would identify the emails as potential security threats, even without knowing their origin — including their content. An example would be non-target-specific email reply chains appended to the messages.

This is especially important given that Cofense has discovered that the SuperMailer phishes are part of a larger set of activity that has accounted for a full 14% of phishing emails landing in inboxes in May in the Cofense telemetry. Haas explained that all of the emails — SuperMailer-sent and the others — share certain indicators that tie them all together, such as the use of URL randomization.

"Human intuition is often much better at recognizing these differences," Haas says "so training employees to be vigilant against phishing threats is a critical element of good cyber defense."

Source

DARKReading