The announcement was posted on Twitter via the Rewards for Justice Twitter account, alongside encrypted messaging system options for anyone to get into contact should they have viable information.

The Cybersecurity and Infrastructure Security Agency (CISA) has teamed up with the FBI to offer a $10 million reward to anyone that can offer intelligence on the Cl0p ransomware gang.

The group, a Russian gang that extorts its victims with threats of publishing private data, has racked up hundreds of victims, including agencies within the United States government itself, most recently exploiting various MOVEit vulnerabilities such as CVE-2023-35708, CVE-2023-34362, and CVE-2023-35036.

In a tweet posted by the US Department of State's "Rewards for Justice" program, the feds announced the award, stating "Do you have info linking Cl0p ransomware gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government? Send us a tip. You could be eligible for a reward." 

In addition, the image posted in the tweet reads, "Reward up to $10 million. For information on the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act. Send us your information on Signal, Telegram, WhatsApp, or via our Tor-based tip line below."

Due to the nature of the cybercrime gang and the possibility of retaliation should anyone come forward with information regarding the group, all messaging systems that the US State Department suggests in the tweet are encrypted. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA, FBI Offer $10M for Cl0p Ransomware Gang Information

The "nOAuth" attack allows cross-platform spoofing and full account takeovers, and enterprises need to remediate the issue immediately, researchers warn.

Organizations that have implemented the "Log in with Microsoft" feature in their Microsoft Azure Active Directory environments could potentially be vulnerable to an authentication bypass that opens the door to online and cloud account takeovers.

According to researchers at Descope, who dubbed the attack "nOAuth," the issue is an authentication implementation flaw that affects multitenant OAuth applications in Azure AD, Microsoft's cloud-based identity and access management service. A successful attack gives a bad actor full run of a victim's accounts, with the ability to establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.

"OAuth and OpenID Connect are open, popular standards which millions of Web properties already use," says Omer Cohen, CISO at Descope. "If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."

**Inside the nOAuth Cyberattack Threat**

By way of background, OAuth is an open, token-based authorization framework that allows users to log into applications automatically, based on previous authentication to another trusted app. This is familiar to most people from the "Log in with Facebook" or "Log in with Google" options available on many e-commerce websites.

In the Azure AD environment, OAuth is used to help manage user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications using OAuth apps.

"Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols," according to the Descope analysis. In other words, it holds the keys to a lot of important corporate data.

The weakness allows bad actors to perform cross-platform spoofing simply by using an unwitting victim's email address to impersonate them, according to Descope's analysis on the issue, released this week.

"In usual OAuth and OpenID Connect implementations, the user’s email address is used as the unique identifier by applications," explained researchers at Descope. "However, in Microsoft Azure AD, the 'email' claim returned is mutable and unverified, so it cannot be trusted."

That means that anyone with malicious intent and a decent amount of platform knowledge can simply set up an Azure AD account, and arbitrarily change the email attribute under "Contact Information" in that account to control the email authentication claim.

"\[This\] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate," the researchers explained. "They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication."

The attack flow is unnervingly simple:

1.  The attackers accesses their Azure AD account as an administrator.
2.  The attackers change the "email" attribute of their account used for authentication to the victim’s email address.
3.  Since Microsoft does not require the email change to be validated on Azure AD, the system merges the two accounts and gives the attackers access to the victim's environment.

**A Far-Ranging Authentication Weakness**

To better understand the scope of the problem, the Descope researchers created a nOAuth proof-of-concept (PoC) exploit and tested it "with a white-hat attack on hundreds of websites and applications to check if any of them were vulnerable," they said. "We found that quite a few of them were."

Amid the sitting ducks were a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, as well as several SMBs and early-stage startups.

"We also informed two authentication platform providers that were merging user accounts when 'Log in with Microsoft' was used on an existing user account," according to the report. "In this instance, merging the attacker account with a legitimate user account would hand full control over the user account to the attacker. As a result, all of their customers using 'Log in with Microsoft' would have been vulnerable."

These findings, according to the researchers, "are a drop in the ocean of the Internet," and there are likely many, many thousands of other users that could be affected.

Microsoft has always issued general guidance to users to not to use an email address as a unique identifier for authentication, but after Descope informed Microsoft of the breadth of the issue, the computing giant has revamped its Azure AD OAuth implementation guidance to include two new claims to use, and dedicated sections on claim verification.

"If your app uses 'Log in with Microsoft' and you handle authentication in-house, it’s critical that you check if you use the email claim returned by Azure AD as the unique identifier," Cohen notes. "If so, remediation steps should be taken to ensure the claim used as the unique identifier for the user is the 'sub' (Subject) claim to avoid potential exploitation."

**Incorrect OAuth Implementations Plague Businesses**

Incorrect implementations of OAuth have been coming to light at big businesses lately, showcasing a need for organizations to lock down this potentially damaging attack vector.

In March, for instance, flaws in the authorization system of the Booking.com website came to light that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

And in May, a bug tracked as CVE-2023-28131 was found in the OAuth implementation of Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase. The flaw threatened the accounts of any users that used various and social media accounts to log in to an online service that uses the framework.

Cohen underscores that the OAuth standard and others like it are trustworthy and strong authentication approaches but that businesses need to make sure to work with cybersecurity and authentication experts when building them in.

"These standards are extremely complicated to work with," he says. "Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application."

He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."

He stresses that the importance of this can't be understated, given that cybercriminals are actively looking for these types of weaknesses.

"These are very typical attack vectors exploited," Cohen notes. "Attackers use these to cause widespread harm."

He adds, "With the increase of organizations adopting cloud technologies and SaaS applications, identity is the new firewall. If user authentication is not well-designed, it doesn’t matter how secure the application is itself as you will leave the front door open to cyberattacks."

Azure AD 'Log in With Microsoft' Authentication Bypass Affects Thousands

Dark data may be your most elusive asset, but it can also be your most costly if you don't protect it.

What is something that comprises more than half of companies' data repositories, but most aren't even aware they have? It's dark data, information companies unknowingly gather that is not integral to day-to-day business interactions and therefore often sits in the background. While that data is seemingly unnecessary to most companies, it's invaluable to cybercriminals.

**What Is Dark Data?**

At a time when many companies are focused on collecting, analyzing, and acting on data they receive from customers, it's not surprising that the amount of latent (or dark) data is accumulating far beyond what they planned to store, protect, and potentially purge. For example, when you consider that Netflix spent nearly $10 million a month in 2019 to store its data in the cloud, you can see how much dark data storage might be costing a company.

Gartner equates dark data to dark matter in physics. Dark data extends beyond any published sensitive data elements. It can include personal information from customers or past employees, but might also include nontraditional data such as systems backups, log files, configuration files, sensitive internal procedures, email backups or "spools," scanned document repositories, and human resources information. These are all dark data sources that attackers may want to sell or use.

And while there are some regulatory bodies that aim to protect information that might be considered dark data, such as the US Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) in Europe, many companies continue to store this data long after they are required to do so.

**How to Protect Dark Data**

Every company needs to prioritize its customer and employee data, so how can you protect something you don't even know you have? Further, how do you prioritize this among the other cyber vulnerabilities in your organization? Here are five steps you can take:

1.  **Increase visibility of data:** Start by building a data inventory to map the information you know about. Next, perform threat modeling to identify security needs, locate threats and vulnerabilities, assess severity, and prioritize solutions. This will help you understand what data you have and explore how it may be at risk. This process allows you to understand and quantify threats so that you can better prioritize remediation of identified security risks.
    
2.  **Think like the adversary:** Leverage offensive testing (such as using ethical hackers and professional security testers) to try to breach defenses like an attacker would. This will help you find and address vulnerabilities.
    
3.  **Counter the adversary:** Once you have a complete view of your data footprint and threat model, apply or reinforce security controls in target areas (for example, endpoint detection and response, logging and monitoring, content interception and inspection for Web traffic, and patching). Consider steps 1–3 as a continuous improvement cycle of data discovery.
    
4.  **Shrink the battlespace:** Delete sensitive personal data that is no longer necessary. Minimize data collected and design code-level controls to support data retention periods. This limits the proliferation of sensitive data throughout your environment.
    
5.  **Avoid technology infatuation:** Data loss prevention (DLP) tools help avoid accidents, but they should not be considered a catch-all for data security. Most DLP technologies are weak and can lull organizations into a false sense of security. Like all things cyber and privacy, data protection is about getting people, process, and technology working in balance and harmony. Reinforce carefully chosen tools with crisp processes (detailed and well-documented playbooks and blueprints), workflows, and runbooks, and make sure they're managed and led by thoughtful people with real expertise.
    

**Latent Data May Be Risky Data**

There are well-known cases where large organizations found themselves the victims of dark data breaches. Data that was latent and secondary to their business models was suddenly extremely costly in terms of brand trust and legal fees.

Just because you don't see it or use it doesn't mean your data is not dangerous. Dark data should be a consideration for every organization. It should be accounted for, protected, and regularly purged (as applicable) to keep cybercriminals at bay. Dark data may be your most elusive asset, but it can also be your most costly if you don't protect it.

5 Steps for Minimizing Dark Data Risk

A ready-made, low-complexity path to pwning the popular enterprise VPN clients for remote workers is now circulating in the wild.

A security researcher has dropped a proof-of-concept (POC) exploit for a just-patched, high-severity security vulnerability in Cisco's client software for remote workers looking to connect to VPNs.

The bug (CVE-2023-20178) is an arbitrary file delete vulnerability in the Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows, which could allow authenticated attackers to escalate privileges to SYSTEM level with no user interaction.

As Cisco explained in its patch advisory earlier this month: "A vulnerability in the client update process of could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established."

Security researcher Filip Dragović released an exploit that does just that via a public GitHub posting this week. It uses a process called "vpndownloader.exe," which is started in background when a user connects to a VPN using either the Cisco Secure or AnyConnect software.

"It will create directory in c:\\windows\\temp with default permissions," explained Dragović, who originally discovered the flaw and reported it to Cisco. "After creating this directory, vpndownloader.exe will check if that directory is empty, and if it's not, it will delete all files/directories in there. This behavior can be abused to perform arbitrary file delete as NT Authority\\SYSTEM account."

After that, cyberattackers can employ a known tactic to create a SYSTEM shell for abusing Windows Installer behavior and elevating privileges, he added.

Organizations should patch their clients immediately — while Cisco noted no known exploitation at the time of patching, that will likely quickly change with a PoC circulating in the wild. Successful exploitation is "noncomplex," according to the researcher, and the software has a history of being targeted by cyberattackers looking to take over data-rich VPN sessions.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Patch Now: Cisco AnyConnect Bug Exploit Released in the Wild

More connectivity means more potential ways into your enterprise, so securing every main attack surface is imperative.

Greater connectivity and enhanced digital operations can deliver a number of business benefits, but they also create a broader, more dynamic environment to defend. Fortunately, about 98% of cyberattacks can be mitigated with basic security hygiene, according to the "Microsoft Digital Defense Report 2022."

Still, cyberthreats are getting more sophisticated and becoming more coordinated, making it even more important for organizations to secure their six main attack surfaces. Here's a look at each, including the central risks and where to focus effort and resources — along with one takeaway that links them all. 

**Email Threats Abound**

Phishing attacks grew by 61% from 2021 to 2022, while 35% of ransomware incidents involve the use of email, costing businesses approximately $2.4 billion in 2021 alone, according to the FBI. 

Along with URL checking and disabling macros, it's crucial to provide regular education to employees about how to spot ever-more realistic phishing email. As the quality of social engineering improves, everyone needs regular reminders of their role in protecting the enterprise.

**A Broader Definition Of 'Identity'**

Securing identity across the organization is essential to protecting access to your systems and data. Threat actors are getting more creative in circumventing multifactor authentication (MFA), with techniques such as adversary-in-the-middle phishing attacks and token abuse. Widely available phishing kits have made it even easier — and affordable — for threat actors to steal credentials. 

Cloud access, third-party accounts, and workload identities must also be protected. Workload identities, in particular, are often overlooked during permissions audits. Security teams should consider all of the potential meanings of "identity," both human and automated. 

**Endpoints Provoke Concern**

Managing an ever-growing array of endpoints complicates security further. On average, according to Microsoft's report, 3,500 connected devices in an enterprise are unprotected by an endpoint detection and response agent. 

Unmanaged or unpatched devices can not only be infected, but they can easily become avenues to compromise an organization. For servers, in particular, the subsequent access to user credentials and the network can quickly lead to IP theft and ransomware attacks. Prioritizing improved endpoint visibility and security hygiene is critical for defending against these threats.

**IoT Devices Can Create Additional Vulnerabilities**

By 2025, IDC expects more than 41 billion Internet of Things (IoT) devices across enterprise and consumer environments working alongside operational technology (OT). 

With many routers and networks now hardened against attacks, IoT devices are appealing targets for threat actors. In a Ponemon Institute study, 35% of respondents said an IoT device was the point of compromise, and many business devices are running outdated software with well-known vulnerabilities.

Greater IoT security is fast becoming recommended or required of manufacturers in the US and abroad. Greater visibility into every connected device is an absolute must. 

**The Conundrum of Cloud**

Whether single, hybrid or multicloud, cloud resources can pose a security challenge. Many organizations struggle to gain end-to-end visibility across their cloud ecosystems, which can lead to security gaps. Microsoft's research found that 84% of organizations that suffered ransomware attacks did not integrate their multicloud assets with their security tooling — a critical oversight. Also, cloud apps can present risks due to both misconfigurations and hidden, code-based vulnerabilities that could be mitigated from the start through security by design and default.

Closing identity and misconfiguration gaps — combined with robust tools for attack response — go a long way toward securing the whole cloud environment, from the corporate network to cloud services.

**Exponential External Exposure**

Today's external attack surface reaches far beyond an organization's own assets. Multiple clouds, digital supply chains, and third-party ecosystems make it hard to see the full scope of this exposure. In fact, a 2020 Ponemon report showed that 53% of organizations had at least one data breach caused by a third party in the previous two years.

Finding weak links in defenses often means thinking like threat actors: Since attackers look for the easiest way in, what are the most likely entrance points? Understanding what can be exploited across your external attack surface is the key to defending it.

All of these attack surfaces have something in common: Protection takes both visibility and awareness. Visibility can be achieved through tools and strategies, but awareness of oncoming risks requires accurate, timely threat intelligence. Knowing how seemingly unrelated events and signals can point to an imminent threat — and understanding where and how that threat can take advantage of the six main attack surfaces — gives security teams a crucial advantage in an ever-evolving risk environment.

6 Attack Surfaces You Must Protect

Camaro Dragon (Mustang Panda) is spreading a malware variant of WispRider quickly across the globe even through air gaps, often unbeknownst to users.

Espionage malware that spreads by self-propagating through infected USB drives is back, surfacing recently in an incident at a European healthcare institution, researchers have found.

Researchers at Check Point Research discovered the backdoor, which they've dubbed WispRider. The campaign is the work of the Chinese-state-sponsored APT that Check Point tracks as "Camaro Dragon," but which is probably better known as Mustang Panda (aka Luminous Moth and Bronze President).

Check Point first discovered the malware when an employee who had participated in a conference held in Asia came home with an infected USB drive, researchers revealed in a blog post published June 22. Apparently, the employee — dubbed "Patient Zero" by the researchers — had shared his presentation with fellow attendees using his USB drive, and one of his colleagues there passed on the infection from his computer, they said.

"Consequently, upon returning to the healthcare institution in Europe, the employee inadvertently introduced the infected USB drive, which led to spread of the infection to the hospital's computer systems," Check Point researchers wrote in the report.

The incident shows how the APT, which previously primarily focused its cyber espionage activities on organizations in Southeast Asia, is now extending its reach globally, they said. Indeed, despite China's tacit support for Russia's war against Ukraine, Mustang Panda already was seen last year mounting a cyberespionage campaign against the Russian military.

The research also highlights the "alarming" role USB drives play in spreading malware quickly and often unbeknownst to users — even across air-gapped systems. "These malicious programs possess the ability to self-propagate through USB drives, making them potent carriers of infection, even beyond their intended targets," Check Point researchers wrote in the post.

**WispRider, an Evolving Malware Payload**

The main payload of the campaign discovered by the researchers is called WispRider, which is a backdoor outlined in a report late last year by Avast — in which the toolset was called "SSE." It's since been fortified with additional features, Check Point researchers said.

For one, it propagates through USB drives using a launcher called HopperTick, and also includes a bypass for SmadAV, an antivirus solution popular in Southeast Asia. The malware also performs DLL-side-loading using components of security software, such as G-DATA Total Security, and of two major gaming companies, Electronic Arts and Riot Games, the researchers said. Check Point notified the companies of the use of their components in the malware, they said.

WispRider and Hopper Tick align with other tools by wielded by Mustang Panda in terms of infrastructure and operational goals, allowing for their attribution to the Chinese APT, the researchers noted. Related malware also used by the threat actor include a Go-based backdoor called TinyNote, and a malicious router firmware implant named HorseShell.

The WispRider infection begins when a benign USB thumb drive is inserted into an infected computer, the researchers explained. The malware detects a new device inserted into the PC and manipulates its files, creating several hidden folders at the root of the thumb drive. It then copies into the thumb drive a Delphi loader with the name of the original thumb drive, and a USB thumb drive icon.

Interestingly, there is no special technique used in this USB infection flow to automatically run the Delphi launcher; instead, it relies on social engineering, the researchers explained.

"The victims can no longer see their files on the drive and are left only with the executable, which they will likely click to reveal their files — thereby setting off an infection flow of the machine," they wrote in the post.

WispRider acts as both an infector and backdoor, side loading as a DLL that includes both the USB infector component and the backdoor itself, the researchers said. It has execution flows to run both from an infected machine or to infect a machine if it hasn't already been infected, they explained.

The latter "is likely an alternative infection vector which delivers the malware to the targeted network when the actors cannot rely on the USB propagation, as they can’t physically access the machine to plug in an infected drive," researchers wrote.

Moreover, based on known tactics of Mustang Panda, the non-USB WispRider infections likely originate via "spear-phishing campaigns that deliver an archive with all the infection-related files and assure the legitimate executable runs with a relevant argument," they wrote.

**Mitigating USB-Borne Cyber Threats**

USB-propagated infections have been around for two decades, but are increasingly becoming a popular attack vector of APTs and other large cybercriminal groups because of how rapidly threat actors can spread various types of malware via this vector. It also allows them to sneak malware onto otherwise heavily secured networks via individual devices, the users of which may be unaware that they are carrying an infection.

Indeed, the FBI warned earlier this year of a USB cyberattack campaign in which threat group FIN7 was actually mailing thumb drives to US organizations with the explicit goal of delivering ransomware into their environments.

Due to the increasing nature and large surface area of these attacks, Check Point researchers made a number of recommendations to help organizations protect themselves against USB drive-based attacks:

*   Raise awareness among employees of the potential dangers of using USB drives from unknown or untrusted sources, and encourage cautious behavior and discourage the use of unfamiliar drives on corporate devices;
*   Organizations also should establish strict and clear guidelines regarding the use of USB drives with any device that's connected to the corporate network, and even consider limiting or prohibiting their use unless obtained from trusted sources;
*   In fact, it is a good idea for enterprises to seek secure alternatives to USBs altogether, such as cloud storage or encrypted file-sharing platforms, the researchers noted. This will reduce reliance on physical USB drives and mitigate associated risks;
*   And, keeping security measures up to date overall by updating antivirus software and other security software across all devices, as well as periodically scanning USB drives for potential infections, can also help protect corporate networks.

USB Drives Spread Spyware as China's Mustang Panda APT Goes Global

Compliance, seen as a burden for businesses, is being passed to overloaded IT departments — leaving organizations unsure if they're compliant at all.

INFOSEC23 – London – Compliance with data-protection requirements remains one of the cornerstones of cybersecurity and risk management, but with the fifth anniversary of the General Data Protection Regulation (GDPR) behind us, indications point to it becoming an unreasonable burden on IT departments.

Research released this week at Infosecurity Europe by Hornetsecurity found that 80% of organizations are more concerned about compliance than they were five years ago; however, the burden to retain an appropriate level of compliance falls on the IT department in more than half (57%) of businesses.

The survey of IT leaders in around 200 organizations found that more than a third (37.5%) of organizations do not have a dedicated compliance officer, while 69% of respondents said that compliance has a "moderate" to "extreme" impact on their IT department's operations, and one in eight companies (13%) could not confirm at all that they were compliant with required controls, likely due to a lack of resources.

This does suggest that rather than being seen as a risk management enabler, compliance is perceived as a hindrance to achieve, and many simply offload it to the IT department, which may or may not be prepared to handle it.

“The fact that more than half of companies are hindering the day-to-day work of IT departments through lack of compliance staff and policies is a huge concern," Hornetsecurity CEO Daniel Hofmann said in the report.

**Is There a Negative Perception of Compliance?**

Andy Syrewicz, technical evangelist at Hornetsecurity, says he believes there is a negative perception of the compliance burden — not just at the technology level, but in most businesses as a whole. 

"Many organizations see compliance as just a ‘cost of doing business,' much like taxes," he says. "Many organizations want to do the right thing in safeguarding data regardless of the existence of regulations, but there are those in the industry that have a more flippant attitude. That said, the heavy burden of compliance is increasingly being put on IT teams — and businesses are looking for ways to deal with it."

Rowenna Fielding, director of Miss IG Geek, says the GDPR had a significant impact on business due to the introduction of the Accountability Principle, which requires organizations to be able to demonstrate —with evidence — that they are upholding data-protection principles, respecting data-subject rights, and fulfilling their governance obligations.

"This closed a gap in previous data-protection law, which had largely been treated as a box-ticking exercise up until then," she says. "However, this also made organizations realize how much 'compliance debt' they'd been carrying and required significant changes to be able to catch up with the previous 20 years as well as meet the new, more stringent standards."

Fielding adds that there are strong parallels with health and safety laws, or consumer rights regulations which exist to protect living people from being harmed or exploited in pursuit of business advantage: "It’s hardly surprising that some business decision-makers perceive safeguards as a burden rather than a responsibility."

That is the key word: burden. If something is a burden we're less enthused about it, and it seems that is the case with compliance in this research. Fielding says it is up to business leaders to make sure that they have clear and realistic strategies and facilities for staying on the right side of the law – or better yet, taking corporate social responsibility seriously.

**Who's Responsible for Data Security Compliance?**

Asked about the statistic on compliance being the responsibility of IT, Fielding says this is a recipe for disaster. IT’s responsibility is to make sure procurement, configuration, maintenance, and support of IT equipment and services all enable an organization’s compliance obligations — not to act as sheepdogs for the whole organization.

“Each business unit should be determining their own operational parameters to fit within the organization’s strategy, and that means understanding any applicable compliance requirements and putting them into effect," she says.

The solution surely is for the responsibility for compliance to be spread among the whole organization, starting with a lead from the top. Fielding says it is the responsibility of senior management to provide the rest of the organization with parameters, resources, and steerage so that legal/contractual/business obligations can be met, but what often seems to happen is that the top level of an organization assumes that "compliance" is something that can be achieved simply by telling people to do it (and threatening them with punishment if they don’t).

"This neither creates an environment where compliance is incentivized, and doesn't offer suitable or adequate resources for achieving it," she says. "After all, it's so much easier to scapegoat a junior employee for noncompliance than it is to build and maintain a culture which _enables_ compliance."

IT Staff Increasingly Saddled With Data Protection Compliance

From hardening Windows systems to adding access control and segmenting the network, there are steps organizations can take to better secure corporate data.

Having been in the cybersecurity industry since the early '90s, I've witnessed its transformation over many years. Today, my team conducts extensive research and testing to uncover vulnerabilities that organizations often overlook. We've successfully breached the networks of major companies in North America and identified security gaps that could have led to catastrophic consequences if left unmitigated.

In this article, I will share the top three tips that every organization must implement to secure their data and protect themselves from potential attacks based on our daily assessments and discoveries.

**1\. If Your Network Isn't Segmented, It's Not Secure**

Cybersecurity experts preach the benefits of network segmentation, but according to data cited by CIO, only 25% of organizations implement it. If you don't have a logical separation between your most critical information and your everyday employees, you're going to have a hard time securing your network.

To secure corporate data, organizations need to have configurations in place on any floor and office space that touches network ports. Doing so will prevent someone from accessing the network from any device. Even seemingly harmless devices such as printers can pose a threat to a network. During a physical penetration test we were asked to conduct for a large airline, the consultant was able to gain physical access to the airline's internal network via a printer at the gate, all without encountering any employee intervention.

To prevent unauthorized access, it's vital to implement access controls such as passwords or user authentication, as well as keeping firmware up to date to address any known vulnerabilities. And if the corporate backup solution is easily accessible to you, then it's easily accessible to threat actors who can delete the backups and detonate ransomware. In the airline example, network segmentation would isolate printers from other parts of the network to limit the potential impact of a security breach. 

Firewall access controls should be established between internal network segments to limit access to network resources in the event of an attack. Physical or logical access control should also be implemented to prevent unauthorized physical access to devices.

So, keep your devices in check (and your printers) and your network will thank you for it.

**2\. Modernize Your Network as Much as You Can Afford**

Over the past 30 years, Microsoft has made significant strides in the security of Windows and Windows networking. However, the Windows operating system still supports out-of-the-box legacy solutions that go back to Windows 95 — if not further, to Windows for Workgroups. If you've invested in modern operating systems such as Windows 10 or 11, or Windows Server 2016 or newer, there is no reason to continue to support these legacy solutions. By enabling "native mode domain," you can disable all the backward compatibility that may be weakening your network security and immediately enhance the security of your network. 

Companies can better reduce their security risks by eliminating their reliance on "end of life" solutions. Invest in upgrading legacy systems and ensure that all system software is patched through a vulnerability management and remediation program.

**3\. Greater Visibility Into Threat Vectors Through Content Filtering **

To improve your firewall's visibility into traffic leaving your environment, ensure that you have content visibility to block potential threats. The first question to ask is whether your employees are on the corporate network. A work-from-home culture may not scale well for you. However, there's no reason for your server systems to have unrestricted access to the Internet. Leveraging solutions such as content filtering can help you control the type of sites that could be accessed while an attacker is attempting to exploit your organization. For instance, blocking access to Mega.io and other common file-sharing sites used by ransomware threat actors is effective in stopping data exfiltration.

For employees in a work-from-home culture, content-filtering options such as Zscaler or even DNS monitoring solutions such as Umbrella from Cisco are useful not only for controlling the type of websites that corporate devices can access from outside of the building, but also for providing monitoring capabilities in case an employee falls victim to a phishing attack. Corporate assets should still be under the control of the organization, even if they're being used outside the traditional office environment.

Companies can no longer afford to take their eye off the ball when it comes to security measures — even basic protections such as firewalls are only minimally effective at intervening in today's potential threat levels. I cannot stress enough the importance of implementing these three things to be a step ahead of attackers and have visibility into your entire environment.

Lessons From a Pen Tester: 3 Steps to Stay Safer

The zero-day security bugs are being used to deploy the sophisticated but "odd" TriangleDB spying implant on targeted iOS devices.

Apple has released emergency patches for two new zero-day vulnerabilities in its software that an advanced persistent threat (APT) actor has been using to deploy malware in an ongoing iOS spying campaign dubbed "Operation Triangulation."

Meanwhile on Wednesday, Kaspersky released a new report that provided additional details on the TriangleDB spyware implant used in the campaign, which it flagged as containing a number of oddities, such as disabled features that could be deployed at a future time. 

According to the company, its analysis showed that for now, the malware supports 24 functional commands that serve various purposes such as creating, modifying, removing and stealing files, listing and terminating processes, gathering credentials from the victim's keychain and monitoring their location.

"Features that we found especially significant are the abilities to read any file on the infected device, extract passwords from the victim's keychain and track the device geolocation," says Georgy Kucherin, one of the security researchers at Kaspersky who discovered the zero-day bugs that Apple disclosed this week.

**A Trio of Zero-Days**

One of the newly addressed security vulnerabilities (CVE-2023-32434) affects multiple iOS versions and gives attackers a way to execute arbitrary code with kernel level privileges on iPhones and iPads. The other vulnerability (CVE-2023-32439) exists in Apple's WebKit browser and enables arbitrary code execution via maliciously crafted web content. Apple on June 21, 2023, issued updates addressing both vulnerabilities. 

The two bugs are part of a set of three Apple zero-days that researchers at Kaspersky have discovered so far while investigating Operation Triangulation. The investigation began about seven months ago when the security firm spotted several dozen iOS devices on its corporate Wi-Fi network behaving in a suspicious manner.

The company released a report on its initial analysis of the malicious activity, in early June. At the time, Kaspersky described the attackers as likely exploiting multiple vulnerabilities in Apple software to deliver the TriangleDB spyware implant on iOS devices belonging to targeted iOS users. Researchers at the company identified the first of the flaws as CVE-2022-46690, an out-of-bounds issue that allowed an application to execute arbitrary code at the kernel level. Kaspersky described the malware itself as running with root privileges, capable of executing arbitrary code on affected devices and implementing a set of commands for collecting system and user information.

Reading files on the infected device allows attackers to get access to sensitive information such as photos, videos, emails, as well as databases containing conversations from messenger apps, Kucherin says. TriangleDBs' keychain dumping features allow the attackers to harvest the victim's passwords, and then further use them to access various accounts owned by the victim.

**TriangeDB Shows Curious Spyware Behavior**

Somewhat curiously, the implant requests multiple privileges from the operating system (on infected devices) without any obvious ways to use the information, Kucherin says. Examples of privileges that the malware requests—but doesn’t presently use—include access to the microphone, camera and the address book. 

"These features may be implemented in auxiliary modules that can be loaded by the implant," at some future time, he notes.

Another significant discovery that Kaspersky made when analyzing TriangleDB is the fact that the attackers behind the malware have an eye on targeted macOS users as well. "Perhaps the most interesting finding is the 'populateWithFieldsMacOSOnly' method that we found in the implant," Kucherin says. "Its existence means that similar implants can be used to target not just iOS devices, but also Mac computers."

Kaspersky has assessed it was the victim of a targeted attack, but likely not the only one. Russia's Federal Security Service (FSB) intelligence outfit has alleged—without providing any proof—that the US National Security Agency (NSA), likely in cahoots with Apple, is behind the malware and the spying operation. The agency has accused the two of installing the spyware on thousands of iOS devices belonging to Russian diplomats and Russia-affiliated individuals of supposed interest to the US government. In a tone reminiscent of US accusations against Russia and China, Russia's foreign ministry described the iOS spyware campaign as part of a decades long effort to collect "large-scale data of Internet users" without their permission or knowledge.

Both the NSA and Apple have rejected those allegations.

Kaspersky has released a utility called ‘triangle\_check’ that organizations can use to search for signs of the spyware implant on their iOS devices.

2 More Apple Zero-Days Exploited in Ongoing iOS Spy Campaign

The company says its Themis Co-pilot for Outlook helps recipients discern business email compromise attacks, reducing false positives for security staff.

Cloud email security provider Ironscales added a new arrow to its quiver: Themis Co-pilot for Microsoft Outlook, a self-service threat-reporting chatbot powered by PhishLLM, the company's own large language model (LLM).

Business email compromise (BEC) is a large and growing problem in which attackers use deception and impersonation to fool users into giving away personally identifiable information (PII), corporate assets, and even money. According to the FBI, BEC has cost businesses $50 billion globally in the past 10 years, with a 17% year-over-year growth in losses in 2022. And Verizon's "2023 Data Breach Investigations Report" (DBIR) reported that over the past year, 74% of breaches involved human judgment.

Microsoft Outlook addresses BEC with a Report Phish button, which sends a report to system admins but depends on the user being able to discern a phishing email. To that end, Ironsides developed Themis Co-pilot to flag suspicious emails and lead recipients through a dialogue explaining how to tell if something is a phishing lure.

Themis Co-pilot taps into Ironscales' Themis AI security data set, which was built from millions of security events and — like ChatGPT and other well-known generative artificial intelligence (AI) tools — employs reinforcement learning from human feedback (RLHF) to keep current. Unlike ChatGPT, Themis AI and PhishLLM are proprietary and held only by Ironscales, which eliminates many of the privacy and confidentiality concerns AI tools raise when employees feed back new data.

The idea behind RLHF is that by feeding new phishing examples and human decisions back into PhishLLM via Themis AI, the actions of Themis Co-pilot will become more accurate. This virtuous cycle will, ideally, not only result in fewer false positives for the security team to clear, but can help train users to learn what to look for in a phishing attempt.

Themis Co-pilot is available now in closed beta from Ironscales.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading