It's not lack of data that's the problem, but the inability to piece it together to truly understand and reduce risk.

Device diversity, cloud adoption, remote work, and the increasingly complex software supply chain have significantly expanded today's attack surface. But despite increased year-over-year investment in security operations, most organizations only have the resources to address 10% of the millions of issues present in their environments.

Security and risk leaders need to be practical and focus on the small percentage of exposures that represent the most risk to _their_ organization. Security teams already have access to the intelligence they need to power risk-driven vulnerability prioritization, but to harness the full potential of their existing insights, they must first break down barriers caused by existing data siloes.

Everything within the digital ecosystem creates data — from autonomous network and vulnerability scanners to manual spreadsheets. Teams have to understand how each element plays a role in the prioritization decision-making process. They need to consider the threat and exposure management life cycle to explore the strengths, weaknesses, and opportunities for each resource.

**Silo 1: Cyber Asset Management**

There are ample approaches to creating a consolidated inventory of all assets and their associated risk posture: legacy spreadsheets, "traditional" network scanners and IT asset management tools, and cyber asset attack surface management (CAASM) platforms.

Depending on the approach, though, teams may only be looking at the "traditional" attack surface instead of considering everything that would be present in a typical multicloud, decentralized, and well-segmented modern network. While progress is being made in this category, it's still built off point-in-time, state-based insights. The lack of insight into attack behavior therefore impacts their overall effectiveness.

**Silo 2: Threat Detection and Response**

On the other hand, threat detection and response tools are designed to help organizations understand their attack surface from the adversary's perspective through analyzing network, user, and machine behavior. Although the quality of data from security information and event management (SIEM) systems is considerable, alert overload makes it extremely difficult for teams to comb through and extract the most pertinent information.

Additionally, threat detection and response platforms typically only monitor "known" assets for changes, whereas the greatest threat lies with the changes made to unknown assets. So, while these platforms have come a long way to expedite response and remediation, they still lack visibility into exposures beyond typical software vulnerabilities and misconfigurations. Gartner predicts unpatchable attack surfaces will grow from less than 10% of the enterprise's total exposure in 2022 to more than half by 2026.

**Silo 3: Third-Party Intelligence**

There are several ways to gauge the potential impact and exploitability of vulnerabilities, such as the Common Vulnerability Scoring System (CVSS), Exploitation Prediction Scoring System (EPSS), and vendor-specific scoring systems. CVSS is the most common method for prioritizing vulnerabilities.

The greatest risk of relying only on third-party guidance is that it doesn't consider the organization's unique requirements. For example, security teams still have to decide which patches to prioritize in a group of "severely critical" vulnerabilities (e.g., those with a CVSS score of 9.0 or higher).

In this case, it's impossible to make an informed decision using these quantitative methods alone. Factors such as the location of the asset would help teams determine the exploitability of the vulnerability within _their own_ organization, whereas its interconnectivity would give teams an idea of the blast radius — or potential overall attack path.

**Silo 4: Business Insights**

From configuration management databases (CMDBs) to controls and dependency maps to data lakes, this list wouldn't be complete without internal business tracking systems. These resources are critical to threat and exposure prioritization due to their strength in demonstrating the connections between devices and vulnerabilities, as well as the overall business criticality and dependency mapping.

But as enriching as they are, custom databases require a heavy manual lift to not only implement, but also keep current. Therefore, due to the rate at which our environments change, they quickly become outdated, making it impossible to accurately survey security posture changes.

**Change Is Programmatic, Not Tool-Centric**

While each source listed above serves its own purpose and provides a unique layer of valuable insight, none serves as a single source of truth for navigating today's sophisticated threat landscape. That said, they're extremely powerful when they work together, revealing a comprehensive vantage point that enables teams to make better, more informed decisions.

Many of the valuable insights necessary to drive informed, risk-based decisions either get lost in the siloes of enterprise tech stacks or stuck between conflicting teams and processes. Although modern environments require equally progressive security, there isn't a single tool or team that can repair this broken process.

Security leaders need to align their cyber asset intelligence to their primary use cases. That may be through mapping their vulnerability prioritization process using third-party intelligence, business context, and asset criticality, or by targeting specific control frameworks such as NIST Cybersecurity Framework or the CIS Critical Security Controls to use their security data to drive an effective security improvement program.

Data Siloes: Overcoming the Greatest Challenge in SecOps

The data shows how most cyberattacks start, so basic steps can help organizations avoid becoming the latest statistic.

Most ransomware attackers use one of three main vectors to compromise networks and gain access to organizations' critical systems and data.

The most significant vector in successful ransomware attacks in 2022, for example, involved the exploitation of public-facing applications, which accounted for 43% of all breaches, followed by the use of compromised accounts (24%) and malicious email (12%), according to Kaspersky's recently released report, "The Nature of Cyber Incidents."

Both exploitation of applications and malicious emails declined as a share of all attacks compared with the previous year, while the use of compromised accounts increased from 18% in 2021.

Bottom line: Doubling down on the most common attack vectors can go a long way to preventing a ransomware attack. "A lot of companies are not the initial targets for attackers but have weak IT security and \[allowing them to\] be hacked easily, so cybercriminals take the opportunity," says Konstantin Sapronov, head of the global emergency response team at Kaspersky. "If we look at top three initial vectors, which together account for almost 80% of all cases, we can implement some defensive measures to mitigate them, and go a very long way to decreasing the likelihood of becoming a victim."

The top initial vectors cited by Kaspersky match an earlier report by incident-response firm Google Mandiant, which found that the same common vectors made up the top three techniques — exploitation of vulnerabilities (32%), phishing (22%), and stolen credentials (14%) — but that ransomware actors tended to focus on exploitation and stolen credentials, which together accounted for nearly half (48%) of all ransomware cases.

Ransomware took off in 2020 and 2021, but leveled off last year — even dropping slightly. But this year, ransomware and a related attack — data leaks with a goal of collecting a ransom — appear to be increasing, with the number of organizations posted to data leak sites increasing in the first part of 2023, says Jeremy Kennelly, lead analyst for financial crime analysis at Mandiant.

"This may be an early warning that the respite we saw in 2022 will be short-lived," he says, adding that the ability to continue to use the same initial access vectors has helped attacks.

"Actors engaging in ransomware operations haven’t needed to evolve their tactics, techniques, and procedures (TTPs) significantly in recent years, as well understood strategies have continued to prove effective," Kennelly says.

**Unsurprising Trio: Exploits, Credentials, Phishing**

In December 2022, the Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were commonly using five initial access vectors, including the three identified by both Kaspersky and Mandiant, as well as external remote services — such as VPNs and remote administration software — and third-party supply chain attacks, also known as trusted relationships.

Most compromises are either quick or slow: Quick attacks compromise systems and encrypt data in days, while slow ones are where threat actors typically infiltrate deeper into the network over months, possibly conducting cyber espionage and then deploying ransomware or sending a ransom note, according to Kaspersky's report.

Exploitation of public-facing applications and the use of legitimate credentials also tend to be harder to detect without some sort of application or behavioral monitoring, leading to longer dwell times for attackers, says Kaspersky's Sapronov.

"\[N\]ot enough attention is paid to application monitoring," he says. "Also, when attackers use \[exploitation\], they need to take more steps to reach their goals."

    

Exploitation is the top initial access vector and tends to lead to a quick ransomware attack or longer espionage. Source: Kaspersky

**Tip: Track Exploitation Trends**

Knowing the most common approaches attackers likely will take can help inform defenders. Companies should continue to prioritize vulnerabilities that have exploits in the wild, for example. By paying attention to the shifts in the threat ecosystem, companies can make sure that they are prepared for likely attacks, Mandiant's Kennelly says.

"Due to the velocity at which threat actors can weaponize exploit code to support intrusion operations, understanding which vulnerabilities are being actively exploited, whether exploit code is publicly available, and if a particular patch or remediation strategy is effective can easily save organizations from dealing with one or more active intrusions," he says.

But avoid putting too much emphasis on protecting against specific initial access vectors, as attackers continually adapt to defenses, Kennelly adds.

"The specific infection vectors that are most common at a given time should not broadly change an organization's defensive posture, as threat actors continually shift their operations to focus on whichever vectors prove most successful," he says. "\[A\] decrease in the prevalence of any given vector does not mean it poses a significantly lower threat — for example, there has been a slow decline in the proportion of intrusions where access was obtained via phishing, but email is still used by many high-impact threat groups."

3 Common Initial Attack Vectors Account for Most Ransomware Campaigns

As we share an increasing amount of personal information online, we create more opportunities for threat actors to steal our identities.

The digital world touches everything we do: work, shopping, even your wallet. And the one thing that keeps your digital life secure is your identity. So what makes up your digital identity? Digital identities are broadly defined and include everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a Web form when shopping online, every time you verify you're 21 or older, and every time you enter a password, you're sharing a part of your digital identity.

We are constantly disseminating the attributes of our digital identities across countless platforms, and this will only expand as we do more things online. However, with the broader adoption of digital platforms, there become more and more opportunities for threat actors to steal these attributes and hijack our digital identities.

**The True Threats of Digital Identity Theft**

In April, the National Council on Identity Theft Protection shared statistics from the first quarter of 2023, alarmingly showing that the Federal Trade Commission (FTC) has already received 5.7 million total fraud and identity theft reports.

So what happens when identity theft or fraud takes place? On the enterprise side, organizations that fall victim to data breaches, malware, or ransomware attacks could face legal repercussions and have to pay affected customers millions of dollars. In addition to monetary penalties, organizations also face reputational damages, which could result in massive business losses.

Individual victims of identity theft or fraud, on the other hand, may experience financial fraud or losses and spend considerable time and money dealing with the fallout. Additionally, some victims will be left with traumatic feelings of violation and anxiety or hypervigilance — similar to what a victim of a robbery may feel.

As we enter the era of Web3, the cybersecurity threats for victims of identity theft are worsening. Now that processes, appointments, and work life are digital, people are constantly sharing the attributes that make up their digital identity. What becomes very dangerous is people sharing their personally identifiable information (PII), such as their Social Security number, driver's license, and address, as this information is exactly what threat actors look for when breaching organizations.

Once threat actors gain access to digital identities and PII they can create synthetic identities — fictitious identities that are created using a mix of real and falsified information. These synthetic identities have the ability to disrupt people's lives and the way they do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms. Additionally, ChatGPT can help fraudsters create more believable, native-sounding phishing campaigns, including emails and chat dialogue that trick or coerce users into giving up their authentication credentials.

**How to Stay Secure**

Last year, a Verizon report found that 82% of all breaches involved the human element, which includes social engineering attacks, misuse, and errors. So how do you prevent human error? Education. Empowering employees with the security basics they need and educating them as to what phishing, smishing, and vishing attacks look like can severely cut down on data breach risk. Organizations should also implement security standards for employees and ensure that these standards are taught during onboarding.

Similarly, the best way for consumers to stay secure is to educate themselves on social engineering attacks and remain vigilant when checking emails, text messages, and phone calls. There are plenty of free digital resources available for consumers that cover security basics, such as what to look for when opening a suspicious email, how frequently passwords should be reset, and what to do if you suspect your information has been compromised.

Customers should also be doing their own due diligence and checking to see what data organizations are collecting and what security is being used to protect that data. On the flipside, organizations need to implement responsible data storage practices by only holding onto data they can actually utilize, and having a centralized identity storage system. A centralized identity storage system will take care of internal mapping of various applications and ensure all digital identities are located in a centralized location, cutting down the propagation of these identities through multiple systems within the same organization.

Educating employees and cutting back on data storage are just two minimum standards for organizations. Additionally, organizations must implement secure systems and solutions such as systemized automation, biometrics, and other identity verification methods. This is where identity and authentication converge. Both parties, consumers and organizations, need to ensure there is trust. Consumers need to trust that organizations will keep their digital identity and data secure, while organizations need to trust that consumers are who they say they are.

**The Future of Digital Identities**

Awareness of digital identities is on the rise. It's promising that the US government has made a public statement announcing it plans to prioritize digital identity solutions, though the US remains behind other regions — specifically, the UK and EU.

In 2021, the EU introduced its digital identity framework proposal to create a sole "trusted and secure European e-ID." Additionally, this year European Parliament voted to move forward with creating an EU digital wallet to further protect European identities and transactions. Within the next few years we'll likely see the US follow in the footsteps of the EU and create a one-stop solution for digital identities.

My hope for the future of digital identities is that we create a seamless, trusted, and secure experience. To do this we'll need to implement a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. In this system, instead of sharing every piece of personal information, users would only be disclosing the minimum information required for individual tasks. This would create the ideal environment to build a digitally secure and trusted world.

Keep Your Friends Close and Your Identity Closer

New rules aim to level up the quality of submissions to Google and Android device Vulnerability Reward Program.

Google and Android will now assess device vulnerability disclosure reports based on the level of information that bug hunters provide in order to encourage more comprehensive submissions.

Vulnerability reports submitted to the Android and Google Vulnerability Reward Program (VRP) will be rated as "High," "Medium," or "Low" quality based on these elements, according to Google Security:

*   The accuracy and detail of the vulnerability description
*   Analysis of its root cause
*   Proof of concept
*   Reproducibility
*   Evidence of reachability

Google and Android have also upped the top bug bounty prize to $15,000.

"Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues," the Google Security blog post announcing the VRP changes said. "The CVEs will continue to be assigned to critical and high severity vulnerabilities."

Bugcrowd founder and chief technology officer (CTO) Casey Ellis applauds the effort by Google to define the elements of a high-quality vulnerability disclosure.

"Nothing happens without effective communication. ... The power of crowdsourcing brings with variability in how vulnerability submitters communicate, and the downstream effectiveness of the report at communicating the risk to those who need to fix it," Ellis says, in response to the new VRP rules. "Google stepping up to help educate the hacker community on 'the things which make communication more effective' is an enormous win for both the space and the community itself."

In 2022 alone, Google's VRPs paid out a record-setting $12 million in bug bounties.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Debuts Quality Ratings for Security Bug Disclosures

85% of AppSec pros say ability to differentiate between real risks and noise is critical, yet only 38% can do so today; mature DevOps organizations cite widespread impact due to lack of cloud-native tools

**Tel Aviv, May 17, 2023** \- Backslash Security, the new cloud-native application security solution for enterprise AppSec teams, today released a new research study, **Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report**, exploring how the state of application security has evolved given the rise of cloud-native application development. The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments. 

The study reveals that AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace, and playing security defense via an endless and unproductive vulnerability chase. **Notably, 58% of respondents report spending over 50% of their time chasing vulnerabilities, with a shocking 89% spending at least 25% of their time in this defensive mode.** This costly 'defensive tax' — the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program — is estimated to be upwards of $1.2 million annually.

Given the accelerated pace of digital innovation across enterprises of all sizes and the blurred lines between AppSec and CloudSec, enterprise AppSec teams are saddled with solutions that have not caught up to the cloud pace. **As a result, AppSec professionals are losing faith in the prevailing AppSec tools:** 

*   Almost all organizations are seeing a widespread impact of the lack of cloud-native AppSec tools, including growing friction between AppSec and dev teams (39%), jeopardized ability to generate revenue (39%), and inability to retain high-value dev talent (38%) and AppSec talent (35%);
*   94% of respondents cited multiple issues with today’s AppSec technologies; top complaints were the considerable amount of time spent prioritizing findings (48%) and that existing AppSec tools are noisy (45%);
*   SAST and DAST are quickly losing ground, with just 32% of respondents stating that they use either of these prevailing standards extensively.

The report emphasizes the urgent need for a **new AppSec paradigm that maps a clear path to a modern standard for cloud-native AppSec success,** characterized by end-to-end visualization of all microservices, automatic identification and prioritization of real risks, and intelligent triaging and remediation. In assessing the importance of these three key tenets of modern AppSec: 

*   82% agree that automating threat model visualization will help AppSec teams save time and manual labor analyzing cloud-native application risks;
*   91% believe correlating application security risks with the application’s exposure to the outside world, such as via open APIs, is important;
*   91% believe differentiating between general code weaknesses and critical vulnerabilities is important;
*   Eight out of the nine total capabilities that define this new cloud-native AppSec paradigm were ranked as “critical” or “important” by 70%+ of respondents.

**However, the AppSec industry suffers from a massive cloud-native enablement gap.** Across all of the most critical capabilities, respondents reported that enablement is sorely lacking: 

*   85% of respondents say the ability to differentiate between real risks and noise is critical to their success, making it the #1 most important capability; yet only 38% of respondents are enabled to do so;
*   This trend persists throughout, including “correlating security findings to the developer or dev team responsible for the fix” (78% vs. 43%); “meeting compliance standards” (78% vs. 38%); and “efficient triaging between Dev and AppSec” (73% vs. 42%).

"What we're hearing across the board is a message of urgency – we've entered a new, cloud-native reality, and it’s time to put an end to the AppSec catch-up game," said Shahar Man, co-founder and CEO of Backslash. "These outdated AppSec methodologies hamper productivity, innovation and talent retention for both AppSec and dev teams. The cloud-native application development paradigm calls for a new, unified approach to application security that will make the friction between development and AppSec teams a thing of the past, enable enterprises to retain valuable talent, and accelerate innovation and growth."

This report surveyed 300 security professionals specifically tasked with application security for their organization, equally split between CISOs, AppSec managers and AppSec engineers from U.S. companies with 1,000 or more employees. Companies represent a wide range of industries. 

Click here to download the report and learn more. 

**About Backslash Security**

Backslash is the first Cloud-Native Application Security solution for enterprise AppSec teams to provide unified security and business context to cloud-native code risk, coupled with automated threat modeling, code risk prioritization, and simplified remediation across applications and teams.

With Backslash, AppSec teams can see and easily act upon the critical toxic code flows in their cloud-native applications; quickly prioritize code risks based on the relevant cloud context; 

and significantly cut MTTR (mean time to recovery) by enabling developers with the evidence they need to take ownership of the process.

Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, including technology entrepreneur and investor Shlomo Kramer, Ron Zoran (former CRO of CyberArk), and Brian Fielder (General Manager, CTO Enterprise Security at Microsoft), Backslash has been deployed across leading technology organizations and Fortune 100 companies. 

More at https://www.backslash.security/.

AppSec Teams Stuck in Catch-Up Cycle Due to Massive Cloud-Native Enablement Gap

As enterprises adopt multicloud, the security picture has become foggy. Cloud workload protection platforms and distributed firewalls are creating clarity.

As enterprises move more of their business infrastructure into the cloud, they are grappling with the challenges of managing multiple cloud environments. Security firms are tackling multicloud security through increased visibility, cross-platform implementations, or a combination of the two.

On Thursday, cloud networking firm Aviatrix announced its new Distributed Cloud Firewall security platform, which combines traffic inspection and policy enforcement across multicloud environments. The firm uses native cloud platform features and its own technology to give companies a consolidated view into the security of their cloud workloads and the ability to push out the same policies to different clouds, says Rod Stuhlmuller, VP of solutions marketing at Aviatrix.

"The architecture is really what's new, not necessarily the capabilities of each of the features," he says. "It's very different than having to reroute traffic to some centralized inspection point for whatever security capabilities you're talking about — that just becomes very complex and expensive to do."

The vast majority of companies (87%) have moved their information infrastructure to a multicloud architecture, with the lion's share (72%) using a hybrid approach that combines both private cloud infrastructure and public cloud services, according to the "Flexera 2023 State of the Cloud Report." Among the top challenges for enterprises are managing their multicloud architectures and the security of their cloud infrastructure, with 80% and 78% struggling with the issues, respectively, according to Flexera.

    

Security and managing multicloud deployments are two top challenges for companies. Source: "Flexera 2023 State of Cloud Report"

As companies deploy workloads to multiple cloud service providers (CSPs), security can suffer. Because CSPs differ in the way that they handle security policies, inspection of traffic, and deploying workloads, companies can quickly lose visibility into security of their cloud infrastructure, says Patrick Coughlin, vice president of technical go-to-market for Splunk, a data and insights cloud platform.

"Let's say, maybe, you go to Google for your machine-learning tooling and workloads, you go to Azure for your core corporate business services, and you go to AWS for cost-efficient storage and overall data management. You may even have some homegrown applications that are legacy and highly regulated that you need to keep on prem," he says. "But what the security team needs is visibility across all of that, and it's a nontrivial challenge to be able to provide not just that visibility but the ability to investigate across all of that when something goes bang in the night."

**The Multicloud Security Mess**

Initially, many providers created virtual instances of their firewall appliances and set them as gateways to cloud infrastructure, but those virtual firewalls have become increasingly difficult to manage, especially across multiple cloud platforms, says John Grady, principal analyst for cybersecurity at Enterprise Strategy Group.

"Virtual firewall instances have been around for a while, but there's been an acknowledgement over the last couple of years that these deployments can be complex and cumbersome and don't take advantage of the key benefits the cloud offers," he says. "So we've seen a general shift toward more cloud-native network security solutions."

With more organizations using multiple infrastructure-as-a-service (IaaS) solutions from the top cloud companies — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — finding a solution to the growing complexity is critical.

Aviatrix, for example, allows companies to create an abstracted policy that can be applied across all the cloud platforms using their native security groups, without the administrator needing to go to each cloud. For companies with proliferating workloads, driven by microservice-based software architecture, the number of containers and virtual machines that need to be updated can skyrocket, Stuhlmuller says.

"It's not that we're putting firewalls everywhere, but we're putting the inspection and enforcement capability into the network into the natural path of traffic, with a \[single management console\] that allows us to do central creation of policy but push that distributed inspection enforcement out everywhere in the network."

Other major vendors that focus on cloud workload security, albeit with differing takes on the technologies, include Palo Alto Networks, Trellix, Trend Micro, Rapid7, and Check Point Software Technologies, according to Forrester Research.

**Saving Money Becomes Paramount**

With uncertain economic times worrying the executive suites, cost savings may be the biggest argument for businesses to consolidate their view of their cloud infrastructure. A security architecture based in the cloud and representing every cloud platform in the same way helps companies more efficiently secure their cloud services, but the approach also has the real benefit of being able to save money, says Andras Cser, vice president and principal analyst at Forrester Research.

"Multicloud security cuts costs," he says. "Organizations do not have to invest in procuring and training for multiple cloud providers' security solutions. They can, instead, use a single provider or cloud provider to source all cloud security capabilities from one tool. This reduces errors, improves security posture, and cuts costs."

In addition, consolidating some features leads to cost efficiencies. Distributed firewalls, for example, have the ability to run network address translation (NAT) and charge per hour, as opposed to many vendors that charge per hour and by bandwidth, according to Aviatrix's Stuhlmuller.

Finally, a simpler approach to security in the cloud helps companies reduce the overhead of securing workloads and allows their security professionals to focus on improving the security maturity, says ESG's Grady.

"Many organizations continue to struggle with the skills shortage and are trying to do more with less," he says. "There's an efficiency benefit with a 'write-once, enforce everywhere' model, as well as time savings from not having to deploy individual instances and the associated cloud infrastructure — such as load-balancers — to support them."

Enterprises Rely on Multicloud Security to Protect Cloud Workloads

A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.

For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.

This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target's master password in cleartext from a memory dump — even when the user's workspace is closed.

While KeePass' maintainer has developed a fix for the flaw, it won't become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.

"No code execution on the target system is required, just a memory dump," the security researcher "vdhoney" said on GitHub. "It doesn't matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system."

An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.

Vdhoney described the vulnerability as one that only an attacker with read access to the host's filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.

"Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," the researcher added.

Vdhoney said the vulnerability had to do with how a KeyPass custom box for entering passwords called "SecureTextBoxEx" processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. "For example, when 'Password' is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

**Patch in Early June**

In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.

The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June.

"To clarify, 'within the next two months' was meant as an upper bound," Reichl said. "A realistic estimate for the KeePass 2.54 release probably is 'in the beginning of June' (i.e. 2-3 weeks), but I cannot guarantee that."

**Questions About Password Manager Security**

For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to KeePass' XML configuration file could edit it in a manner as to retrieve cleartext passwords from the password database and export it silently to an attacker-controlled server.

Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained the password manager is not designed to withstand attacks from someone that already has a high level of access on a local PC.

"No password manager is safe to use when the operating environment is compromised by a malicious actor," KeePass had noted at the time. "For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Window environment."

The new KeyPass vulnerability is likely to keep discussions around password manager security alive for some more time. In recent months, there have several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.

In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.

Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues.

In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.

KeePass Vulnerability Imperils Master Passwords

Plug X and other information-stealing remote-access Trojans are among the malware targeting networking, manufacturing, and logistics companies in Taiwan.

Cyber espionage attacks against organizations in Taiwan have surged against the backdrop of recent political tensions, new research shows.

Trellix this week cited a fourfold rise in malicious phishing emails targeting Taiwanese companies between April 7 and 10 of this year. Networking/IT, manufacturing, and logistics, were hit the most.

The emails followed different archetypes — a fake shipment update from DHL, a fake order for bulk cement, or a fake payment overdue notification.

Some of the emails came fitted with malicious attachments, while others contained links to fake login pages designed to harvest credentials.

Following the jump in malicious emails, the researchers detected an even more significant rise in instances of PlugX — a decade-old remote access Trojan common among Chinese state-linked threat actors. PlugX is perhaps most notable for its stealthiness, using DLL sideloading as a means of circumventing Windows security measures and running arbitrary code on a target machine.

Other infostealer malware families spotted in attacks against Taiwan include Zmutzy — a Trojan written in .NET — and Formbook — a cheap infostealer-as-a-service with downloader capabilities.

Patrick Flynn, head of commercial threat intelligence at Trellix, says the majority of the attacks appear to be nation-state, with about 40% targeting Taiwan officials and agencies.

**Cyberattacks in the China-Taiwan Conflict**

Conflict between China and Taiwan dates back three quarters of a century, with the former claiming sovereignty over the autonomous latter. Tensions have ebbed and flowed ever since, with a recent flare-up precipitating from the parallel conflict in Ukraine, diplomatic meetings between American and Taiwanese officials, and Chinese military drills in the Taiwan Strait. The political and economic implications are severe.

As in Ukraine, cyberattacks have long played a role in the Taiwan conflict — a simpler, more cost-effective, and less politically dangerous weapon of war most often deployed by the more powerful side to target their adversary.

"Cyberwarfare is an attractive option for a number of nation states, as it lets them target their adversaries without escalating to a 'shooting war,'" says Mike Parkin, senior technical engineer at Vulcan Cyber.

In January 2023, for example, Trellix observed a 30-times increase in extortion emails sent to Taiwanese officials. "Though it's unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan," the researchers explained.

For now, there's no reason to believe that cyber campaigns against Taiwan and its economy will slow down any time soon, so the impetus will fall on organizations to defend themselves.

"In most cases, the things we do to counter common cybercriminals are the same things we should be doing to counter nation-state attacks: training users, up-to-date patches, secure configurations, etc.," Parkin says.

But "state-level threats are likely to have more resources and can deploy more sophisticated malware, more targeted phishing attacks, and they have the time and energy to stay persistent," he says. "Facing threats like that makes it even more important for us to have our security stack at least to baseline."

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

Risk from artificial intelligence vectors presents a growing concern among security professionals in 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

10 Types of AI Attacks CISOs Should Track

Cybercrime group that often uses smishing for initial access bypassed traditional OS targeting and evasion techniques to directly gain access to the cloud.

A threat actor known for targeting Microsoft cloud environments now is employing the serial console feature on Azure virtual machines (VMs) to hijack the VM to install third-party remote management software within clients' cloud environments.

Tracked as UNC3944 by researchers at Mandiant Intelligence, the threat group is leveraging this attack method to skirt traditional security detections employed within Azure with a living-off-the-land (LotL) attack ultimately aimed at stealing data that it can use for financial gain, Mandiant researchers revealed in a blog post this week.

Using one of its typical method of initial access — which involves compromising admin credentials or accessing other privileged accounts via malicious smishing campaigns — UNC3944 establishes persistence using SIM swapping and gains full access to the Azure tenant, the researchers said.

From there, the attacker has a number of options for malicious activity, including the exportation of information about the users in the tenant, collection of information about the Azure environment configuration and the various VMs, and creation or modification of accounts.

"Mandiant has observed this attacker using their access to a highly privileged Azure account to leverage Azure Extensions for reconnaissance purposes," the researchers wrote. "These extensions are executed inside of a VM and have a variety of legitimate uses."

**Hijacking the VM**

By leveraging in particular the serial console in Microsoft Azure, UNC3944 can connect to a running OS via serial port, giving the attacker an option besides the OS to access a cloud environment.

"As with other virtualization platforms, the serial connection permits remote management of systems via the Azure console," they wrote. "The novel use of the serial console by attackers is a reminder that these attacks are no longer limited to the operating system layer."

UNC3944 is a financially motivated threat group active since last May that typically targets Microsoft environments for ultimate financial gain. The group was previously seen in December leveraging Microsoft-signed drivers for post-exploitation activities.

However, once UNC3944 takes control of an Azure environment and uses LotL tactics to move within a customer's cloud, the consequences go beyond mere data exfiltration or financial gain, one security expert notes.

"By gaining control of an organization's Azure environment, the threat actor can plant deepfakes, modify data, and even control IoT/OT assets that are often managed within the cloud," Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, said in a statement sent to Dark Reading.

**From the VM to the Environment**

Mandiant detailed in the post how the threat actor targets the VM and ultimately installs commercially available remote management and administration tools within the Azure cloud environment to maintain presence.

"The advantage of using these tools is that they’re legitimately signed applications and provide the attacker remote access without triggering alerts in many endpoint detection platforms," the researchers wrote.

Before pivoting to another system, the attacker set up a reverse SSH (Secure Shell Protocol) tunnel to its command-and-control (C2) server and deployed a reverse tunnel configured such that port forwarding any inbound connection to remote machine port 12345 would be forwarded to the localhost port 3389, they explained in the post. This allowed UNC3944 a direct connection to the Azure VM via Remote Desktop, from which they can facilitate a password reset of an admin account, the researchers said.

The attack demonstrates the evolution and growth in sophistication of both attackers' evasion tactics and targeting, the latter of which now goes beyond the network and the endpoint directly to mobile devices and the cloud, notes Kern Smith, vice president of Americas, sales engineering at mobile security firm Zimperium.

"Increasingly, these attacks are targeting users where organizations have no visibility using traditional security tooling — such as smishing — in order to gain the information needed to enable these types of attacks," he says.

**How to Defend Against this VM Attack**

To thwart this type of threat, organizations must first prevent targeted smishing campaigns "in a way that enables their workforce while not inhibiting productivity or impacting user privacy," Smith says.

Mandiant recommends restricting access to remote administration channels and disabling SMS as a multifactor authentication method wherever possible.

"Additionally, Mandiant recommends reviewing user account permissions for overly permissive users and implementing appropriate Conditional Access Authentication Strength policies," the researchers wrote.

They also directed organizations to the available authentication methods in Azure AD on the Microsoft website, recommending that least-privilege access to the serial console be configured according to Microsoft's guidance.

Source

DARKReading