**NEW YORK****,** **Feb. 8, 2023** **/PRNewswire/ --** Nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations' accounting and financial data to increase in the year ahead, according to a new Deloitte Center for Controllership poll. Yet just 20.3% of those polled say their organizations' accounting and finance teams work closely and consistently with their peers in cybersecurity.

During the past 12 months, 34.5% of polled executives report that their organizations' accounting and financial data was targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.

"Accounting and financial data is the lifeblood of organizational operations — and often meant to be kept confidential outside of highly regulated public disclosures for publicly traded organizations," said Temano Shurland, a Deloitte Risk & Financial Advisory principal in finance transformation, Deloitte & Touche LLP. "While there may not have been much need for accounting, finance and cyber teams to work closely in the past, recent years have shown that's no longer the case. We strongly recommend that these teams try to 'learn each other's languages' and tighten their working relationships across silos."

Looking to the year ahead, 39.5% of respondents expect to increase the amount of collaboration between their finance and cyber teams. Currently, the majority (42.7%) of polled leaders say their organizations' finance and cyber teams only work together as needed with inconsistent closeness and consistency, while 11.1% do not work together at all.

"As cyber incidents increase in frequency, size and complexity, adversaries target nearly any data obtainable and by leveraging system vulnerabilities," said Daniel Soo, a Deloitte Risk & Financial Advisory principal in cyber and strategic risk, Deloitte & Touche LLP. "Implementing financial security operations — something you could call FinSecOps — means protecting financial data. Asking finance, accounting and security functions to team closely to manage FinSecOps is one preventative step we're seeing leading organizations take, so that they are agile enough to mitigate threats to financial data and help enable business growth."

**About Deloitte**

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world's most admired brands, including nearly 90% of the Fortune 500® and more than 7,000 private companies. Our people come together for the greater good and work across the industry sectors that drive and shape today's marketplace — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthier society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them. Building on more than 175 years of service, our network of member firms spans more than 150 countries and territories. Learn how Deloitte's approximately 415,000 people worldwide connect for impact at www.deloitte.com.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Almost Half of Executives Expect a Rise in Cyber Events Targeting Accounting and Financial Data in Year Ahead

Omdia has learned that Gigamon sold its ThreatInsight NDR business to Fortinet for approximately $31 million. The deal highlights what may be a pivot point for the NDR market.

Gigamon has exited the network detection and response (NDR) business, selling its NDR solution to a former competitor, Omdia has learned.

The Santa Clara, California-based network visibility and IT observability vendor quietly sold its ThreatInsight NDR business to Fortinet at the end of last year. Omdia research indicates the acquisition price was approximately $31 million.

The sale also encompassed the staff dedicated to ThreatInsight, including Gigamon’s former threat intelligence group. Omdia research indicates that approximately 30 to 50 Gigamon employees moved to Fortinet in the transaction.

**Gigamon Shifts to NDR Enabler**

Gigamon entered the NDR market in 2018 when it acquired NDR startup Icebrg. Seen at the time as a strong complement to its portfolio of network visibility solutions, which includes network traffic decryption, ThreatInsight never lived up to Gigamon's commercial expectations, in part because enterprise buying centers for visibility and observability tend to differ from those related to threat detection, investigation, and response (TDIR).

One of the difficulties of selling point products is that they tend to have very specific buying centers. This is highlighted by the position that Gigamon found itself in with NDR. While it continues to have success selling its broader portfolio by targeting CISOs and security architecture teams, NDR sales are typically evaluated and funded within incident response groups, which require a different sales motion.

While security remains an important use case for Gigamon’s visibility portfolio generally, Gigamon increasingly saw itself as better positioned as an ecosystem enabler of NDR solutions through partnership with leading NDR vendors.

By eliminating any competitive conflicts, the deal should immediately make Gigamon a more attractive partner with a variety of NDR vendors with which it formerly competed. Additionally, the company can re-emphasize its renewed focus on network and hybrid cloud observability, this following its recent pivot to relabel its core platform as a Deep Observability Pipeline solution.

**Fortinet Doubles Down on NDR**

Fortinet will rebrand the ThreatInsight technology as FortiNDR Cloud and sell it as a cloud-based addition to its existing on-premises FortiNDR product (formerly known as FortiAI).

Fortinet introduced FortiAI in 2020 as an AI/ML appliance for network detection and response. The company has seen strong demand for NDR as customers shift focus to what Fortinet calls advanced and early detection. The growing adoption of a zero-trust philosophy is also driving additional interest as organizations treat internal east-west traffic with increased scrutiny.

**NDR Market Evolution**

The move also highlights the NDR market’s continuing evolution. As enterprises increasingly seek to unify their TDIR product architectures, interest is growing in NDR solutions that can not only detect and respond to network-specific threats but can also provide insight to and integration with broader solution sets, such as XDR and other security operations platforms.

This evolution is playing out in several ways. For example, NDR vendors are continuing to expand their functional footprint to include additional network security capabilities, such as a broader set of detection capabilities. Of course, the flip side to that trend is network security appliance vendors potentially adding NDR as an additional feature.

Fortinet is a case in point. While FortiNDR Cloud will be available as a stand-alone product, and one that requires no Fortinet hardware, NDR functionality is sure to find its way into broader network security solutions such as next-generation firewalls (NGFWs). This trend will shift the competitive landscape in NDR, which is currently dominated by pure plays such as Darktrace, ExtraHop, and Vectra.

NDR solutions are also increasingly expected to integrate across emerging open XDR ecosystems. This, of course, requires significant investment as the number of integration requests can be large, even if initially just focusing on EDR vendors. Omdia believes success in NDR would have required a significant new investment from Gigamon.

Ironically, given the increased partnership opportunities, Omdia believes this divestiture might well grow Gigamon’s overall share of security dollars, as security teams are either stakeholders or outright buyers of the network observability capabilities that Gigamon offers. More broadly, the company is betting that customers will be shopping for a comprehensive observability platform across hybrid environments.

Omdia's most recent global NDR market outlook indicates the NDR market is worth $0.95 billion as of the end of 2021 and is expected to grow to $1.98 billion by the end of 2027. However, Omdia forecasts that growth in the stand-alone NDR market will slow in 2023 due to macroeconomic headwinds but will rebound and continue to show reasonable growth for the foreseeable future. That said, consolidation of detection and response functionality across digital domains is an important trend.

More broadly, and as importantly, security buyers are looking to consolidate security functionality from a smaller group of larger providers. While best-of-breed security point products will never disappear, suite vendors such as Palo Alto Networks, Fortinet, and Cisco, among others, are well positioned for current vendor consolidation.

Gigamon Exits NDR Market, Sells ThreatInsight Business to Fortinet

Don't let something that's a decade away distract you from today's cyber threats.

In the cat-and-mouse game of cybersecurity, it's essential to always be thinking ahead about the next big thing. What's next around the corner, and how can I ensure that I don't fall behind? One such emerging technology that's looming is quantum computing. While the positive potential for the technology is enormous, it also brings with it daunting challenges, particularly in the cybersecurity space.

On Dec. 21, 2022, President Biden signed into law the Quantum Computing Cybersecurity Preparedness Act, which encourages federal agencies to adopt technology that is protected from decryption by quantum computing. At a high level, this can make it appear as though the danger of cyberattacks buoyed by the power of quantum computing is imminent, making security professionals across the public and private sectors nervous. But it isn't time to panic just yet. Let's dive a little deeper into what the dangers are and then look at why most organizations, especially those in the private sector, shouldn't be concerned in the immediate future.

**Security Dangers of Quantum Computing**

The biggest fear with quantum computing is its use in decrypting data. The current paradigm of information security is based on five pillars: confidentiality, integrity, availability, authenticity, and nonrepudiation. These all rely (at least to some extent) on public key cryptography, which is built on the fact that it is difficult for classical computers to factor prime numbers. However, one of the things quantum computers are much better at than classical computers is factoring primes — which fundamentally undermines traditional cryptography. This puts not only newly stolen information at risk but also all information that has previously been intercepted and stored by hackers.

The ability to break public key cryptography puts most of our digital economy at risk and requires the adoption of a whole new approach — namely the migration to using quantum resistant algorithms. Although these algorithms already exist, we can't be sure of their real-world efficacy because there isn't yet a quantum computer large enough to validate them. Additionally, utilizing these algorithms will require a time-intensive and tedious process of end-to-end implementation across an entire environment.

**Why Most Organizations Don't Need to Worry — Yet**

The good news is that the best predictions on a quantum computer capable of factoring prime numbers with a low enough error rate to be useful is likely still a decade or more out. Additionally, Western governments and companies currently hold some of the most cutting-edge research in this area, so if things continue along this path, many businesses and most federal agencies will have some runway to prepare for when the threat truly materializes.

That said, this timeline is of little comfort for any organization that has already had critical data with a longer shelf life stolen. While we may have some runway to set up new security approaches to better protect ourselves from quantum-powered cyberattacks in the future, data that is already in the hands of a malicious actor is now on a timeline. While most enterprises don't have data that will still be critical 10 years from now, agencies or organizations dealing with homeland security or other mission-critical information most certainly do.

**What Actions Should We Take Now?**

Right now, it's all about preparation and planning. For some, that involves thinking through how to deal with the fallout of older sensitive data being decrypted, but the most important step is ensuring quantum cryptographic readiness. This involves a complete inventory of existing cryptographic assets and certificates and making sure they are all up to date. This is critical because it not only prepares an organization for a wholesale migration to using quantum resistant algorithms, but it also helps ensure safety in the meantime.

The risk at this moment is that organizations will expend too much energy worrying about how to deal with the threat of quantum computing rather than focusing on the more mundane issues of proper cyber hygiene. Assets that aren't protected with the most up-to-date cryptographic methods or employees that haven't had the necessary training on how to suss out phishing emails are currently a far greater threat to organizations than quantum computing. While it's important to consider the threats of tomorrow, the current risk landscape should be our primary focus.

A decade or so from now, quantum computing will very likely be a top concern as it breaks the foundations that information security is built upon. Information cannot be considered confidential, authentic, accessible (to the right parties), or verifiably created by a specific person if the underlying technology can be circumvented. But at the moment, we still have ample time to prepare. For now, organizations will benefit more from establishing strong cyber-hygiene policies for today's threat landscape. Ten years is a long time in security, so it's unlikely that quantum computing will be the lone emerging technology to challenge the status quo — only time will tell!

It Isn't Time to Worry About Quantum Computing Just Yet

The automaker closed a hole that allowed a security researcher to gain system administrator access to more than 14,000 corporate and partner accounts and troves of sensitive data.

An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker's global supply chain, gaining control of the global system merely by knowing the email address of one of its users.

Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.

From there he found a system administrator email and logged in to their account, thus gaining "full control over the entire global system," he explained in a blog post about the hack.

Once acting as an administrator, Zveare said he had "full access" to internal Toyota projects, documents, and user accounts, including some of those that belonged to Toyota external partners and suppliers such as Michelin, Continental, Stanley Black & Decker, and Harman.

All in all, the researcher gained read/write access to Toyota's global user directory of more than 14,000 users. Zveare also could access corporate user account details, confidential documents, projects, supplier rankings/comments, and other sensitive data related to those users, he said.

**Significant Supply Chain Threat**

The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company's supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.

Indeed, had a threat actor discovered the issue before him, "the consequences could have been severe," Zveare observed.

The issue could have allowed attackers to create their own user account with an elevated role to retain access should the issue ever be discovered and fixed, or download and leak all the data to which they had access, he said.

They also could have deleted or modified data in a way to be disruptive to global Toyota operations, or crafted a highly targeted phishing campaign to attempt to capture "real corporate login details, which could have exposed other Toyota systems to attacks," Zveare wrote.

The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed — a speedy response with which Zveare was "impressed," he said.

"Out of all the security issues I have reported so far to various vendors, Toyota’s response was the fastest and most effective," he said.

Zveare revealed his research nearly a year after Toyota suffered a major supplychain breach that subsequently forced it to halt production of all 28 lines of its 14 plants in Japan. On Feb. 22, the company reported a cyberattack causing a "system failure" at supplier Kojima Industries that created problems with its just-in-time production control system.

Fortunately for Toyota, the latest breach was an ethical one and, thanks to Zveare's responsible disclosure, the company could fix it before there was any impact on the company or its partners' business, notes one security professional.

"Not all 'breachers' are as responsible as in this case!" observes Henning Horst, CTO of data security specialists at Comforte AG.

**How It Was Done**

Zveare's journey to finding the backdoor wasn't completely straightforward, he acknowledged in his post. Initially he wasn't even sure if the portal — which he said is an Angular single-page application created by SHI International Corp-USA on behalf of Toyota — was a very important entity for the company.

To access the system, first he had to patch JavaScript code of an initial login screen that asks a user to click on a button to identify with which Toyota business they are affiliated. In a previous incident in which he hacked into the Jacuzzi SmartTub app, this action was all that was needed to achieve full access to the network due to an improperly secured API.

However, the GSPIMS API appeared to be secure, which inspired Zveare to further dig into the application code to see what else might be cooking. What he eventually found was that JSON Web Tokens — or session tokens representing the users' valid authenticated sessions on the website — were being generated based on a user's email without requiring a password.

Zveare Googled for Toyota supply chain users and made an educated guess to formulate the email of someone who he thought would be a user of the GSPIMS portal. "Then I fired off the _createJWT_ HTTP request, and it returned a valid JWT!" he wrote.

His discovery gave him the ability to generate a valid JWT for any Toyota employee or supplier registered in GSPIMS, "completely bypassing the various corporate login flows, which probably also enforce two-factor authentication options," Zveare wrote.

Though the user whose email he accessed the system with did not have system administrator privileges, he eventually searched within the GSPIMS to find the email of someone who did, and using that he gained full control of the system as an administrator.

**A Big-Picture Security Approach**

Enterprises have work to do to in order to block the issue Zveare found, security experts say. For starters, security administrators must take a more holistic approach to security and realize the wider impact their overall security posture — or lack thereof — can have on all of the partners and customers with whom they do business.

"What are perceived as 'internal systems' to organizations, no longer are," Dror Liwer, co-founder of cybersecurity firm Coro said in an email statement to Dark Reading. "With partners, suppliers, and employees collaborating via the Internet — all systems should be considered external, and as such, protected against malicious intrusion."

Developing this big-picture perspective and security strategy is not so simple, as most enterprises already have their hands full managing their own company's risk, notes Lorri Janssen-Anessi, director of external cyber assessments for BlueVoyant.

However, considering how easy it was for Zveare to gain access to a system that serves Toyota's global supply chain, companies need to get their heads around this risk to maintain security across any third party that touches their network, she says.

"What today's organizations should take from the reported vulnerability in Toyota's supplier management network is a firm reminder to look at their own vendor and supplier cybersecurity," Janssen-Anessi says.

Among the key measures to consider include shoring up access control and user account privileges, ensuring that they only provide employees and third-parties with access to the data needed for their particular role, she notes. "This helps to control what data can be accessed in the event of a breach," Janssen-Anessi says.

Indeed, a more data-centric approach overall to security could help enterprises avoid or mitigate a scenario that Zveare demonstrated, Comforte AG's Horst observes. He advises that organizations find ways to protect data as soon as it enters their corporate data ecosystem, thus protecting "the data itself rather than perimeters and borders around the data."

Toyota Global Supply Chain Portal Flaw Put Hacker in the Driver's Seat

Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.

ChatGPT has taken the world by storm since late November, sparking legitimate concerns about its potential to amplify the severity and complexity of the cyber-threat landscape. The generative AI tool's meteoric rise marks the latest development in an ongoing cybersecurity arms race between good and evil, where attackers and defenders alike are constantly in search of the next breakthrough AI/ML technologies that can provide a competitive edge.

This time around, however, the stakes have been raised. As a result of ChatGPT, social engineering is now officially democratized — expanding the availability of a dangerous tool that enhances a threat actor's ability to bypass stringent detection measures and cast wider nets across the hybrid attack surface.

**Casting Wide Attack Nets**

Here's why: Most social engineering campaigns are reliant upon generalized templates containing common keywords and text strings that security solutions are programmed to identify and then block. These campaigns, whether carried out via email or collaboration channels like Slack and Microsoft Teams, often take a spray-and-pray approach resulting in a low success rate.

But with generative AIs like ChatGPT, threat actors could theoretically leverage the system's Large Language Model (LLM) to stray away from universal formats, instead automating the creation of entirely unique phishing or spoofing emails with perfect grammar and natural speech patterns tailored to the individual target. This heightened level of sophistication makes any average email-borne attack appear far more credible, in turn making it far more difficult to detect and prevent recipients from clicking a hidden malware link.

However, let's be clear that ChatGPT _doesn't_ signify the death sentence for cyber defenders that some have made it out to be. Rather, it's the latest development in a continuous cycle of evolving threat actor tactics, techniques, and procedures (TTPs) that can be analyzed, addressed, and alleviated. After all, this isn't the first time we've seen generative AIs exploited for malicious intent; what separates ChatGPT from the technologies that came before it is its simplicity of use and free access. With OpenAI likely moving to subscription-based models requiring user authentication coupled with enhanced protections, defending against ChatGPT attacks will ultimately come down to one key variable: fighting fire with fire.

**Beating ChatGPT at Its Own Game**

Security operation teams must leverage their own AI-powered large language models (LLMs) to combat ChatGPT social engineering. Consider it the first _and_ last line of defense, empowering human analysts to improve detection efficiency, streamline workflows, and automate response actions. For example, an LLM integrated within the right enterprise security solution can be programmed to detect highly sophisticated social engineering templates generated by ChatGPT. Within seconds of the LLM identifying and categorizing a suspicious pattern, the solution flags it as an anomaly, notifies a human analyst with prescribed corrective actions, and then shares that threat intelligence in real-time across the organization's security ecosystem.

The benefits are the reason why the rate of AI/ML adoption across cybersecurity has accelerated in recent years. In IBM's 2022 "Cost of a Data Breach" report, companies that leveraged an AI-driven security solution alleviated attacks 28 days faster, on average, and reduced financial damages by more than $3 million. Meanwhile, 92% of those polled in Mimecast's 2022 "State of Email Security" report indicated they were already leveraging AI within their security architectures or planned on doing so in the near future. Building on that progress with a stronger commitment to leveraging AI-driven LLMs should be an immediate focus moving forward, as it's the only way to keep pace with the velocity of ChatGPT attacks.

**Iron Sharpens Iron**

The applied use of AI-driven LLMs like ChatGPT can also enhance the efficiency of black-box, gray-box, and white-box penetration testing, which all require a significant amount of time and manpower that strained IT teams lack amidst widespread labor shortages. Considering time is of the essence, LLMs offer an effective methodology for streamlining pen-testing processes — automating the identification of optimal attack vectors and network gaps without relying on previous exploit models that often become outdated as the threat landscape evolves.

For example, within a simulated environment, a "bad" LLM can generate tailored email text to test the organization's social engineering defenses. If that text bypasses detection and reaches its intended target, the data can be repurposed to train another "good" LLM on how to identify similar patterns in real-world environments. This helps to effectively inform both red and blue teams on the intricacies of combating ChatGPT with generative AI, while also providing an accurate assessment of the organization's security posture that allows analysts to bridge vulnerability gaps before adversaries capitalize on them.

**The Human Error Effect**

It's important to remember that only investing in best-of-breed solutions isn't a magic bullet to safeguard organizations from sophisticated social engineering attacks. Amidst the societal adoption of cloud-based hybrid work structures, human risk has emerged as a critical vulnerability of the modern enterprise. More than 95% of security breaches today, a majority of which are the result of social engineering attacks, involve some degree of human error. And with ChatGPT expected to increase the volume and velocity of such attacks, ensuring hybrid employees follow safe practices regardless of where they work should be considered nonnegotiable.

That reality heightens the importance of implementing user awareness training modules as a core component of their security framework — employees who receive consistent user awareness training are five times more likely to identify and avoid malicious links. However, according to a 2022 Forrester report, "Security Awareness and Training Solutions," many security leaders lack extensive understanding of how to build a culture of security awareness and revert to static, one-size-fits-all employee training to measure engagement and influence behavior. This approach is largely ineffective. For training modules to resonate, they must be scalable and personalized with entertaining content and quizzes that align with employees' areas of interest and learning styles.

Combining generative AI with well-executed user awareness training creates a robust security alliance that can enable organizations to work protected from ChatGPT. Don't worry cyber defenders, the sky isn't falling. Hope remains on the horizon.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

From prevention and detection processes to how you handle policy information, having strong cyber insurance coverage can help mitigate cybersecurity attacks.

Enterprise cybersecurity is a team sport involving multiple players. It encompasses everything from technology vendors to cyber insurance providers and cyber defense platforms. And while many organizations have implemented plans for prevention and detection, they often fail to consider remediation.

Despite the best preparations, cyberattacks may be inevitable. That's why it's important to have specific remediation policies like cyber insurance in place to mitigate the effect of potential future breaches. Keep reading to learn how enabling certain security features can help obtain favorable cyber insurance coverage.

**Determining Your Risk, Right-Sizing Your Coverage**

While all businesses run the inherent risk of cyberattacks, the scale of your operations and type of industry you operate in will impact the type of threat you experience and, consequently, the rate you will pay for cyber insurance. Organizations must understand their risk profiles if they want to ensure they're getting the best cyber insurance rate possible.

Small businesses, for example, are more likely to be hacked by outside actors. In part, this is because threat actors have scaled their operations to identify vulnerable targets. Small businesses are also less likely to enable basic cyber hygiene practices that can protect against 98% of online attacks. Large businesses, on the other hand, are disproportionately at risk from insider attacks simply due to the size of their attack surface. These kinds of threats can take the shape of phishing attacks, email compromises, stolen credentials, and more.

Another tool that companies can use to improve their cyber insurance rates is the insurance underwriting application itself. Companies can use this application as a blueprint to identify which steps they should take to most effectively protect themselves. Similar services exist in the marketplace, including Microsoft’s zero-trust maturity assessment quiz or built-in tools like Microsoft Secure Score.

**Vulnerability Management Has Evolved**

Much like risk profiles, vulnerability management can change based on the size of your company and the space you work in. For small businesses, it's about making yourself a difficult target by conducting regular security scans and enabling basic security hygiene features to ensure a base level of protection. Larger entities also need to worry about external threats, but they have the added responsibility of monitoring internal threats as well. Ultimately, it comes down to understanding your attack surface and spending the time to identify where you are most vulnerable. If you want to optimize your coverage, cyber insurance providers will want to see that you're taking proactive steps to guard against potential threats.

Vulnerability management has also evolved alongside the growth of technology. In the past, cybersecurity was focused on perimeter defense — locking down network ports and devices. Today, the growth of remote work and expansion of attack surfaces has created a much stronger focus on identity management. Employees can take their work identities — and by extension, their network access credentials — with them wherever they go. So it's important companies use tactics like verifying explicitly, employing least-privileged access, and always assuming abreach to guard against modern threat vectors. Following these security hygiene practices can help ensure that you're getting a competitive insurance rate.

Finally, companies should treat all cyber insurance communications and policy documents as highly sensitive information. If threat actors know how much coverage your company has, they're able to use this information to demand the highest possible ransom payment in exchange for restoring services or releasing data. Companies should not only safeguard their policy documents, but they should also protect any email communications or applications that disclose sensitive information about their insurance policies.

While cybersecurity can seem overwhelming, businesses have a wealth of resources that they can turn to when looking for better ways to protect themselves. From prevention and detection processes to ensuring coverage with things like cyber insurance, organizations can better mitigate the effects of a cybersecurity attack. Microsoft Security has information on emerging threats and the latest security features that defenders can enable to help obtain favorable cyber insurance coverage.

How to Optimize Your Cyber Insurance Coverage

Five months after AWS customers were alerted about three vulnerabilities, nearly none had plugged the holes. The reasons why underline a need for change.

It's a familiar story: A feature designed for convenience is used to sidestep security measures. In this presentation from Black Hat USA 2021, a pair of researchers show how they found three separate ways to hop between accounts on AWS. Even though fixes for those vulnerabilities were released quickly, the holes reveal that cloud services do not offer the level of isolation expected. The long-term solution may mean changing how the cybersecurity sector handles CVEs.

For the first two isolation breaches, Wiz.io CTO Ami Luttwak and head of research Shir Tamari altered the path prefixes on AWS CloudTrail and Config to allow a user to write to another user's S3 bucket. The third method used the AWS command line to download files from another user's account via the serverless repository.

Sending the logs from several S3 buckets to one is intended for the convenience of an admin who runs several instances, Luttwak and Tamari said in their presentation, "Breaking the Isolation: Cross-Account AWS Vulnerabilities."

"I learned from this behavior that CloudTrail can write to resources that are owned and managed in other accounts," Tamari added. "And for me, a security researcher, there is a concern."

**Customers Notified, So What Happened?**

While Amazon did not have the power to fix the configurations for customers itself — because the fixes involved setting the source account you want, which only the user can decide — it contacted all affected customers to explain the potential problem and how to fix it. Yet when Wiz.io went back after five months, it found that 90% of accounts had not applied the fixes.

Luttwak pointed out that the security team AWS messaged often didn't get the warnings because of the sheer number of accounts they run.

"How do you know this is an important fix to do?" he asked. "And the more we thought about it, the more we understood, this is a big, big problem."

Right now, the system of CVEs allows organizations to check on the latest vulnerabilities, complete with a numerical system of classifying severity and links to vendors' fixes. That works pretty well in most areas of IT. However, cloud vulnerabilities may not get assigned CVE numbers.

"This is because cloud services, as we currently understand them, are not customer controlled," wrote Cloud Security Alliance IT director Kurt Seifried and research analyst Victor Chin. "As a result, vulnerabilities in cloud services are generally not assigned CVE IDs."

**The Amazon Exception**

CVEs take pains to point out that cloud services vulns can indeed receive a CVE ID, as long as the owner of the software is the CVE numbering authority (CNA) reporting them. Rule 7.4.4 says the CNA "may" assign a CVE number if it owns the product or service, even if it is not customer controlled and the fix requires customers to take action.

But here's the sticky wicket: Rule 7.4.5 states, "CNAs MUST NOT assign a CVE ID to a vulnerability if the affected product(s) or service(s) are not owned by the CNA, and are not customer controlled."

In short, the real reason why these AWS vulnerabilities were not issued CVEs is that Amazon is not a CNA partner. Microsoft can issue CVEs for its own products and services, as can Google. Whether the appropriate fix is changing the rules to allow any CNA to assign IDs to vulns whose fixes are out of customers' hands or to sign up Amazon as a CNA depends on your perspective. In June 2022, Wiz.io took matters into its own hands by establishing a community database of cloud vulnerabilities to fill the gap.

As Luttwak said, "There's hundreds of services in AWS, and many of them are getting more and more cross account capabilities, because cross account is the main strategy today for organizations using AWS. So the attack surface is just growing."

Why Some Cloud Services Vulnerabilities Are So Hard to Fix

Hackers can't steal a credential that doesn't exist.

The rise of the cloud has made business more agile, flexible, and streamlined, which is why over 90% of enterprises has committed to a multicloud strategy. But complexity creates seams where secrets leak out. Recent high-profile breaches at Microsoft and airports have made misconfigured S3 buckets a cybersecurity trope. However, configuration issues aren't the only problem: access creep is just as dangerous, and common, according to recent figures.

Overprivileging happens when a service or account requests or requires all the permissions it might possibly ever use, usually in order to avoid having to go back and request new permissions if the need arises later. This would not be a not great situation even at a single-server level, but as various services and vendors interact, each granted its own high level of permissions, the chance of compromise builds.

In its end-of-year summary for 2022, cloud security company Permiso reported that cloud security posture management (CSPM) vendors use only a fraction of the permissions they are granted: just more than 1/10th, or 11%. This shrinks to 5.3% across all users and roles. That's a lot of unlocked doors that nobody needs to open.

The results of its analysis jibe with the results from a CloudKnox survey from two years ago, which found that 90%-95% of identities on AWS, Azure, Google Cloud Platform, and vSphere use no more than 2%-5% of the permissions granted.

"Most teams assume that these secrets are only being used by the individuals or workloads they have been provisioned to, but in reality, these secrets are often shared, rarely rotated, are long-lived and not single-use, so just like passwords, they become more vulnerable as they age," the Permiso team wrote.

And therein lies the problem. Organizations are usually pretty strict about setting up permissions for human users, but they tend to allow the requested default permissions for machine identities. This leads to a situation in which threat actors need only find a way into one overly broadly permissioned account in order to gain privileged access over much of the corporate cloud. "You may have your database perfectly locked down, but if a service that has access to that database has the permissions for anyone to get in, your database is as good as compromised," Kendall Miller, president of Kubernetes governance service FairWinds, warned in 2021.

And for the year 2022, Permiso flatly declared, "All of the incidents we detected and responded to were a result of a compromised credential," rather than a misconfigured cloud resource.

The key to managing this risk is to audit permissions and institute strong identity access management (IAM) policies for all users, not just humans. That begins with determining what data an application actually needs access to — and what it doesn't. A software org chart might prove helpful in tracing out the routes of access among apps and assigning or restricting permissions.

Cloud Apps Still Demand Way More Privileges Than They Use

A broken access control vulnerability could have led to dangerous follow-on attacks for users of the money-management app.

A finance app called "Money Lover" has been found leaking user transactions and their associated metadata, including wallet names and email addresses.

That’s according to Trustwave, which published its findings in a blog post on Feb. 7.

Money Lover, developed by Vietnam-based Finsify, is a tool for managing personal finances — budgeting, tracking expenses, and so on. It’s available in Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it enjoys a 4.6-star rating from more than 1,000 reviewers, who may or may not have been affected by the vulnerability.

Though the app leaked no actual bank account or credit card details, "the potential danger to their customers’ accounts will surely affect both the financial vendor and customer monetarily," wrote Karl Sigler, a senior security research manager at Trustwave. "And when you have a financial institution that loses a customer's trust, they will likely see a reputation hit."

**The Money Lover Bug**

Troy Driver, a Trustwave security researcher and Money Lover user, became curious about Money Lover's security. So, using its Web interface, he routed its traffic through a proxy server, where he discovered a problem: From the Web sockets tab of his browser’s developer tools window, he could see the email addresses, wallet names, and live transaction data associated with every one of the app's shared wallets (wallets managed by two or more users).

It was a classic case of broken access controls, where he — an otherwise authorized user — was able to view data that should have been kept outside of his permissions.

"Based on the small amount of information in the blog," Stephen Gates, security evangelist at Checkmarx, speculates to Dark Reading, "I would suspect that an API in use has an API1, API2, and/or API3 vulnerability,” aka broken object level authorization, broken user authentication, and excessive data exposure, respectively (all forms of broken access control).

Such vulnerabilities are extremely common. Every few years or so, the Open Web Application Security Project (WASP) releases a Top 10 list, using extensive testing and surveys of industry professionals to track the most common web security vulnerabilities. In its latest 2021 iteration, broken access controls made the No. 1 spot on the list.

Broken access isn’t just prevalent, though — it’s dangerous. "If the app has one or more of the above vulnerabilities," Gates adds, "it’s just a matter of time before attackers craft the perfect request to possibly gain access to even more data."

**The Implications of the Bug**

While the sensitive data in this case isn't all that sensitive (i.e., not payment card details or credentials), users would be advised not to pooh-pooh cases like this, as they can lead to more pointed attacks further down the line. For example, cross-referencing email addresses with past leaks could potentially lead to account takeover or impersonation.

Even the basic metadata leaked by Money Lover could be something to go on, for hackers that like to use every part of the animal, as it were.

"For instance," Sigler explains, "a scenario could occur where an attacker reaches out to one of the users sharing a wallet via email and suggests that funds aren't seen in a specific shared wallet name and transaction ID. The attacker could then recommend the person transfer money to a different account or maybe log in to 'check' the transaction but provide a link to a credential capture webpage."

Sigler puts it bluntly: "There is no reason for any Money Lover user to be able to see the transactions of any other user. Tightening up permission to just authorized users is an important security control."

As of Jan. 27, the Money Lover app patched the vulnerability; users should update their apps to the latest version.

'Money Lover' Finance App Exposes User Data

For the moment, victims can decrypt data without paying a ransom. But Clop is a ransomware variant that has caused havoc on Windows systems, so that's bound to change.

A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.

The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.

**Faulty Encryption**

Researchers from SentinelOne's SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.

SentinelOne's analysis showed Clop's Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasive capabilities that are present in Windows' versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on Virus Total are currently able to detect the Linux Clop variant.

Significantly, SentinelOne's researchers found the encryption logic in the Linux variant to be flawed. "The issue boils down to a couple of key differences between the Windows and Linux variants," says Antonis Terefos, threat intelligence researcher at SentinelOne.

The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. "The flaw allows for the simple extraction or discovery of what the RC4 'master key' is for a given sample," he notes, adding that SentinelOne has released a free decryptor for the variant.

The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.

**Other Differences Between Windows & Linux Clop Versions**

SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: "Therefore, there is no need to 'exclude' unwanted locations."

The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Quilin. Researchers from Trend Micro who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.

**Mounting Attacker Interest in Linux Malware**

Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, "we are seeing many more ransomware groups targeting Linux systems."

The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploit toolkit on a Linux host.

Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore. 

"Linux and cloud devices offer a rich pool of potential victims," Terefos says. "In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks."

The rise in cross-platform programming languages such as Rust and Go are another factor in the mix because they have lowered the barrier of porting malware to other platforms, Terefos notes. "We've seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups."

Source

DARKReading