With companies pushing to adopt zero-trust frameworks, adaptive authentication and access — once languishing — looks finally ready to move out of the doldrums.

Although only seeing tepid adoption to date, adaptive access and authentication is set to gain steam among businesses this year as organizations pursue zero-trust capabilities that grant and restrict access to data and systems based on context.

In the latest sign of life in the evolving industry, startup company Oleria announced on March 21 that it had jumped into the market for providing adaptive access that can keep applications secure and allow access while minimizing blind spots and the overprovisioning of privileges. The company's executives maintained that easing deployment of granular and adaptive authentication will convince business customers to more rapidly adopt the technologies.

Companies already know that they need the context-aware security that adaptive access provides, says Jagadeesh Kunda, co-founder and chief product officer of Oleria.

"Modern IT has become a continuous, complex system, adapting dynamically to business needs, \[but\] the gap we hear from CISOs and CIOs is the ability to effectively manage access," he says. "With the typical organization running hundreds of applications to support an ever-changing environment, assigning roles and access on a static basis is no longer sufficient or sustainable."

While most companies strive for more granular access controls, adaptive technologies have foundered due to the complexity of the solutions. In its 2022 "MarketScape" report for advanced authentication, analyst firm International Data Corp. estimated that fewer than three in 10 companies use multifactor authentication (MFA), which is only an initial step toward the more advanced access controls represented by adaptive access and authentication. Overall, only 9% of companies have added context-based access policies, which in many ways are the foundation of adaptive access controls, according to Okta's 2022 "State of Zero Trust" report.

**Cloud Native Security Means Adapting**

Yet companies are convinced of the necessity of adaptive access because the ability to grant users access to the appropriate data in the proper way has become significantly more important. While only 9% of companies currently have access controls based on context, a significant 42% of businesses intend to implement those policies in the next 12 to 18 months, Okta stated in its report.

    

Only 9% of companies use context-based access policies, but 42% plan to adopt them. Source: Okta

The technology allows companies — and their security teams — to be more agile, says Chris Niggel, chief security officer for the Americas at Okta.

"It helps protect data by allowing the organization to be confident that sensitive data is only being accessed by approved individuals using approved systems," he says. "It allows IT and security teams to enable the business by more quickly granting and revoking access to this sensitive data."

While seemingly similar, adaptive access and adaptive authentication are slightly different concepts, Oleria's Kunda says. Adaptive access gives a user permissions to specific resources based on the user's behavior, the context of the request, the state of their device, and the overall organizational risk level, while adaptive authentication allows for changing privileges based on those criteria.

With the two technologies, companies can determine the level of access that is appropriate in a particular context and deliver that access, he says.

"As organizations increasingly recognize the importance of dynamically granting or denying access based on contextual factors, such as user behavior and risk level, adoption of adaptive access approaches will continue to increase," Kunda says.

**Pursuing Zero Trust**

With so much of companies' infrastructure relying on the cloud, executives have increasingly focused on zero-trust frameworks as a way to harden security while still accommodating hybrid workers.

In addition to a secondary code or token offered by two-factor authentication, a variety of other factors can be taken into account, such as the access device, user's location, time of day, and current level of risk for the organization. Depending on those criteria, the user may have an easier authentication experience if they are logging into a network or service from a common location, at a regular time of day, and using a known device.

"An access management tool might collect signals about what kind of endpoint you are working on, where you are in the world, and what your previous access patterns are to determine level of risk," says Michael Kelley, senior director analyst at Gartner. "That determination of level of risk is used to decide how you are authenticated and, potentially, what you have access to, and what kind of access you have once you have been authenticated."

While most modern applications continue to use static authentication, adaptive authentication is expanding. Over the past four years, nearly every provider of access management tools has added some form of adaptive access to their products, he says.

Adaptive access (AA) is a step along the path of zero trust, says Andras Cser, a vice president and principal analyst for security and risk at Forrester Research.

"Adaptive access means lower customer friction as AA solutions only raise friction for those users that indicate \[they pose\] higher risk levels, \[such as\] using new devices, using a hitherto unknown IP address geolocation, displaying 'superman' travel — logins in 10 minutes from places that are 1000s of miles apart," Cser says.

Adaptive Access Technologies Gaining Traction for Security, Agility

Decentralized identity products are increasingly projected to be introduced to the market in the next couple of years.

Although the decentralized identity market is still in its infancy, it has been gaining traction in recent years and has the potential to change existing identity, authentication, and access for the better. In 2022, the decentralized identity market was projected to reach $270 million.

    

Through decentralization and blockchain technology, there are an increasing number of people taking back control of their data. Although the digital identity space is still in its initial stages, it is possible that decentralized identity with blockchain could make identity management decentralized, simplified, and seamless, completely transforming the market landscape. Startups and DID initiatives continue to develop proofs of concept (PoC) for decentralized identity in government, finance, healthcare, and other fields, and the opportunities for decentralized identity continue to grow and evolve.

**eIDAS 2.0 Driving Growth**

Omdia believes that the eIDAS 2.0 regulation will be a significant driver for growth in decentralized identity during the forecast period. The updated eIDAS 2.0 initiative is built on the existing, cross-border, legal framework for trusted digital identities, the European electronic identification, and trust services initiative (eIDAS Regulation), which was adopted in 2014. By September 2023, all EU member states must ensure that a digital identity wallet is available to all EU citizens, residents, and businesses in the EU and usable not only for identity documents but for all attestations, including those with sensitive personal data such as health-related data and documents.

**Advantages of Decentralized Identity**

The advantages that decentralized identity gives users over traditional identity and access management solutions include control, security, privacy, and ease of use:

*   Control – Control gives identity owners and digital devices power over their digital identifiers. Because users have complete control and ownership of their identities and credentials, they can decide which information they want to reveal and can prove their claims without depending on any other party.
*   Security – Security reduces attack surfaces by storing personal identifiable information (PII). Blockchain is an encrypted decentralized storage system that is safe, flexible, and reduces the risk of an attacker gaining unauthorized access to steal or monetize user data.
*   Privacy – Privacy enables entities to use the principle of least privilege (PoLP) to designate minimal or selective access for identity credentials. PoLP is a term correlated with information security. It states that any person, gadget, or process should only have the minimal rights necessary to execute the considered task.
*   Ease of use – Decentralized identity technology gives users the advantage of easily creating and managing their identities with user-friendly neoteric decentralized identity apps and platforms.

**Disadvantages of Decentralized Identity**

In contrast, the disadvantages of decentralized identity include no large-scale adoption, legacy systems, and regulation and identity data fragility:

*   No large-scale adoption – Governments and organizations are still attempting to figure out how to deploy decentralized identity technology at scale while most non-tech users have not even heard of this phenomenon.
*   Legacy systems and regulation – Replacing existing legacy systems and creating interoperable global standards and governance are also important issues.
*   Identity data fragility – While a secondary issue, identity data fragility, which refers to duplication, confusion, and inaccuracy in identity management, remains.

**More Decentralized Identity Products Coming**

The popularity of decentralized identity is gathering pace with vendors such as IBM, Microsoft, and Ping Identity entering the fray. Even governments are looking at the technology. Omdia believes that over the next couple of years, more decentralized identity products will be launched onto the market, and this will help the technology become more mainstream. The decentralized identity market is expected to have significant growth during the forecast period, increasing to $6.5 billion in 2027.

Is Decentralized Identity About to Reach an Inflection Point?

Russian intelligence services, together with a Moscow-based IT company, are planning worldwide hacking operations that will also enable attacks on critical infrastructure facilities.

The release of thousands of pages of confidential documents has exposed Russian military and intelligence agencies' grand plans for using their cyberwar capabilities in disinformation campaigns, hacking operations, critical infrastructure disruption, and control of the Internet.

The papers were leaked from the Russian contractor NTC Vulkan and show how Russian intelligence agencies use private companies to plan and execute global hacking operations. They include project plans, software descriptions, instructions, internal emails, and transfer documents from the company.

The takeover of railroad networks and power plants are also part of a training seminar held by Vulkan to train hackers.

The leak also exposes the company's close links to the FSB, Russia's domestic spy agency, the GOU and GRU, the respective operational and intelligence divisions of the armed forces, and the SVR, Russia's foreign intelligence organization.

The documents, which were leaked by an unnamed source to a German reporter working for the Süddeutsche Zeitung at the start of Russia's invasion of Ukraine, have since been analyzed by global media outlets including The Washington Post and German media outlets Paper Trail Media and Der Spiegel.

According to the Spiegel report (in German), Vulkan has developed tools that allow state hackers to efficiently prepare cyberattacks, filter Internet traffic, and spread propaganda and disinformation on a massive scale.

The Spiegel report notes that analysts from Google reportedly discovered a connection between Vulkan and the hacker group Cozy Bear years ago; the group has successfully penetrated systems of the US Department of Defense in the past.

**Amezit, Skan-V Programs Revealed**

One offensive cyber program described in the documents is internally codenamed "Amezit."

The wide-ranging platform is designed to enable attacks on critical infrastructure facilities in addition to total information control over specific areas.

The program's goals include using special software to derail trains or paralyze airport computers, but it was not clear from the materials whether the program is currently being used against Ukraine.

Another project, called "Skan-V," is supposed to automate cyberattacks and make them much easier to plan.

Whether and where the programs were used cannot be traced, but the documents prove that the programs were ordered, tested, and paid for.

"People should know the dangers this poses," shared the anonymous source who leaked the docs to the media. The Russian invasion of Ukraine had motivated the source to make the documents public.

**As the Sandworm Turns**

A trail also leads to the state hacker group Sandworm, one of the most dangerous advanced persistent threats (APTs) in the world, responsible for some of the most serious cyberattacks of recent years. For instance, the threat actor has been targeting the Ukrainian capital since as far back as December 2016 when it used the malware tool Industroyer to cause a temporary power outage in Kyiv.

Until now, it was not known that the group used tools from private companies.

Sandworm has previously been linked to GRU.

Since the start of the war, at least five Russian, state-sponsored or cybercriminal groups — including Gamaredon, Sandworm, and Fancy Bear — have targeted Ukrainian government agencies and private companies in dozens of operations that aimed to disrupt services or steal sensitive information.

Vulkan Playbook Leak Exposes Russia's Plans for Worldwide Cyberwar

Russia's invasion of Ukraine spurs Space Force to seek astronomical investments in cybersecurity.

US Space Force top brass have requested a $700 million investment in cybersecurity as part of the military branch's overall $30 billion 2024 budget.

The Russian invasion of Ukraine and ongoing war has laid bare the national interest in defending critical networks, explained Gen. B. Chance Saltzman, chief of space operations, at a recent House Appropriations Committee hearing on Capitol Hill.

The $30 million investment in Space Force cybersecurity will "enhance the cyber defense of our critical networks associated with space operations," Saltzman said, according to reports on the hearing. "There's no question that space is going to be central to effective operations in the future."

In May 2022, Space Force added four squadrons to shore up cybersecurity throughout the branch and oversee an overhaul of the outdated Satellite Control Network.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Space Force Requests $700M for Cybersecurity Blast Off

Until a degree of confidence is established, a platform's credibility can be eroded by scammers and unsuspecting gamers who fall victim to their attacks.

The online gaming industry has seen rapid growth since the COVID-19 lockdowns began. However, with more and more players and new platforms entering the space, we are seeing an increase in the threats and scams that target a new generation of metaverse players.

Given the adolescent nature of the metaverse, bad actors have been quick to exploit budding companies and communities to dupe consumers. With the metaverse still a niche community — one that has yet to see vast, mainstream interaction — fraudsters have regularly turned to social media to impersonate CEOs and other critical C-suite executives.

The effect? A sharp decline in consumer trust in online gaming platforms and brands. In fact, a Coda Labs' survey of nearly 7,000 respondents showed that 41% are concerned with scams related to crypto gaming.

Amid the growing distrust compounded by the FTX scandal and subsequent crypto crash, companies have a long road ahead to rebuild the trust of players interested in nonfungible tokens (NFTs) and the buying and selling of digital assets.

Along with the move toward Web3 and decentralized platforms that live on the blockchain, companies must look at new ways to proactively monitor and detect threats while removing bad actors to create a safe environment for gamers and protect the integrity of the ecosystem.

**Trust or Trap?**

From phishing attacks to trademark infringements, threats can originate from anywhere in the world, and even the most prominent gaming companies are vulnerable.

For example, take the 2021 hack of gaming giant Electronic Arts (EA), which resulted in the theft of more than 780GB of valuable information — data hackers then tried to sell.

But it's not just data breaches among gaming publishers themselves. Cybercriminals are taking to social media platforms and community-oriented platforms like Discord to target users. Recently, Axie Infinity's Discord community was compromised, with hackers hijacking a Discord bot that automates roles and messages across an array of crypto projects.

Shortly after, the compromised bot announced a surprise mint — something developers indicated they would never announce. This breach came on the heels of a $650 million heist of the company's Ronin Bridge — an Ethereum sidechain built for Axie Infinity.

Fortunately, developers quickly caught on, successfully removed the bot, and reassured the community. Without adequate security and moderation, this hack could have resulted in users being redirected to illegitimate websites — translating to lost money for both the brand and the user, as well as a persistent negative impact on the brand's reputation.

**Six Easy Steps to Prevent Gaming Fraud**

As the online gaming industry continues to battle an unprecedented amount of imposters and online threats, it's more important than ever for companies to take action. To protect player safety and mitigate vulnerabilities, here are six helpful steps I'd recommend:

1.  **Turn your attention to relevant social media and gaming platforms.** Your security efforts should start here: Without an adequate understanding of where your users are being targeted, it's nearly impossible to properly protect your brand's reputation or your customers' personal information.
2.  **Shorten your TTD (time-to-detect) and TTR (time-to-remediate).** Threats should be prioritized with immediate takedowns, as the impact of breaches may be immediately consequential.
3.  **Monitor social media for CEO and other C-suite executive impersonations.** Often observed across social media platforms, these threats can quickly erode consumer trust in your brand and be used for malicious scams if not swiftly handled.
4.  **Protect your company's data.** Your data retention policies should require the deletion or de-identification of data after a specified period of time. It is also helpful to foster a company culture that values data on a need-to-know basis, meaning only relevant employees or teams can access and utilize sensitive data.
5.  **Enlist enforcement experts on your cybersecurity team.** These experts can analyze online threats and determine the most effective solutions for your company. Additionally, consider anti-phishing solutions that detect website duplication and impersonating websites, among other features.
6.  **Create a digital threat map that puts you in control.** These maps can be used to check connections between entities in the digital sphere to help you connect the dots and understand where you should focus ongoing security efforts.

From fake promo codes shared across social media to typosquatting websites and hacks involving paid ads to introduce malware, the growing arsenal of tools that cybercriminals can take advantage of grows ever more sophisticated.

The good news is that technology to launch counterattacks and take proactive measures has become more affordable and accessible than ever, but companies and players alike must stay vigilant.

For gaming in the metaverse to reach its full potential, platforms need to earn the players' trust. Until that degree of confidence is established and maintained, a platform's credibility can easily be eroded by scammers and unsuspecting gamers who fall victim to their attacks.

What CISOs Can Do to Build Trust & Fight Fraud in the Metaverse

A successful multi-orbit cryptography test beamed quantum-agile data up to two different satellites and back down to Earth.

Developers of post-quantum cryptography have successfully created a trial, data-transmission channel from Earth to satellites in multiple orbits that would be resistant to the hacking of the future.

The idea is to protect data routed via satellite clusters from being harvested and decrypted by quantum computers and to protect the operational technology communications that keep the arrays functioning. The challenge lies in maintaining resource-intensive, post-quantum protection along multiple hops as a signal is beamed around a cluster, with a data transmission rate that's acceptable for military and commercial real-time communications (and other applications).

During the test, carried out by QuSecure and Accenture, a data-transmission channel protected by both classical RSA-2048 and post-quantum encryption was opened to a low-Earth orbit (LEO) satellite and switched to a higher-altitude geosynchronous orbit (GEO) satellite, and then beamed back down to Earth.

"As more organizations are increasingly relying on space technology to provide solutions, resiliency, and more relevant information, security of those systems and the data is paramount," said Paul Thomas, space innovation lead for Technology Innovation at Accenture, in a statement.

**A Multi-Orbit Quantum Action Plan**

Once efficient quantum computing becomes a reality, the expectation is that clusters of them will have enough gas in the tank to break RSA-2048 encryption, something that even the most powerful of today's computers are incapable of achieving.

And presumably, when that happens, there will be legions of cybercriminal types pouring out of the woodwork to decrypt the many classified secrets that organizations, governments, and critical infrastructure (including satellite arrays) use to ward off mass operational disruption.

Granted, the timing on that breakthrough remains a moving target, but the satellite test is a step towards prepping for that doomsday scenario. Also, by employing post-quantum encryption now, it can protect against any "steal now, decrypt later" plans on the part of cyberattackers who might be stockpiling encrypted data in anticipation of a literal quantum leap.

"Outer space is getting more crowded and contested every day and providing reliable space-based security is critical in today's global economy," said Tom Patterson, quantum and space security lead at Accenture.

Post-Quantum Satellite Protection Rockets Towards Reality

In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Automatic Updates Deliver Malicious 3CX 'Upgrades' to Enterprises

Business email compromise scams are moving beyond just stealing cash, with some threat actors fooling companies into sending goods and materials on credit, and then skipping out on payment.

Some cybercriminals are flipping their playbook on business email compromise (BEC) scams and, rather than posing as vendors seeking payment, are now posing as buyers, taking their profits in easily sold commodities.

By adopting the identity of a known company, criminal actors are able to order various goods in bulk, get beneficial terms of credit, and disappear before the manufacturer discovers the fraud, stated the FBI in a recent advisory on the trend. The scheme has become more common in specific sectors, with targets including construction materials, agricultural supplies, computer technology hardware, and solar-energy systems, according to the agency.

This form of fraud also allows attackers to escape the notice of financial institutions, which have become very skilled at tracking currency movement and clawing back funds, says Sourya Biswas, technical director of risk management and governance at NCC Group, a consultancy.

"BEC targeting commodities may have electronic records regarding the ordering, dispatch, and receipt of goods, but not for the last-mile piece where those goods are sold," he says. "Considering the types of commodities targeted — construction materials, computer hardware, etc. — these are typically easy to sell in pieces for cash to multiple buyers without triggering red flags."

This is not the first time that commodity theft has come to light. Last summer, BEC criminal groups targeted food manufacturers, stealing sugar and powdered milk by the truckload. In 2021, fraudsters used similar methods, posing as an electrical contracting company, to have 35 MacBooks worth almost $110,000 delivered to a business address, but switched the destination at the last minute.

**Same Tactics, Different Outcome**

In its advisory, the FBI noted that the tactics used by the criminal groups mimics those of more traditional BEC scams, with threat actors taking control of, or spoofing, legitimate domains of US companies, researching the proper employees to contact at a vendor, and then emailing requests to the vendor that appear to originate with the legitimate company.

However, commodities-fraud operations are harder to uncover than funds-focused BEC fraud. For instance, the criminal groups will often apply for Net-30 or Net-60 terms for payment by providing fake credit references and fraudulent tax forms to vendors, giving them lead time to fence the goods and disappear before suspicion might arise, the FBI stated in the advisory.

"Victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution," the advisory stated. "The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment."

**A Significant Evolution for BEC**

Commodities scams are decades old, especially with easy-to-resell electronics, says Roger Grimes, data-driven defense evangelist at KnowBe4, a cybersecurity services firm.

"If you know a little industry vernacular and how supply chains work, it's easier to convince the victims of the scam," he says. "It's also harder to trace the resell of those goods once the fraudster has obtained possession of them. But it also isn't every fraudster's first choice of how to get paid, because it significantly cuts down on profit margin."

The difference now is the interest in the gambit by cybercriminals previously carrying out BEC scams focused on fraudulent money transfers. 

The transition to targeting commodities is being driven by necessity in some cases, because BEC fraud is squarely on organizations' radars these days. In its "Internet Crime Report 2022," the FBI noted that its Recovery Asset Team (RAT) has recovered nearly three-quarters (73%) of all funds stolen by BEC groups since 2018. And financial institutions have become better at detecting fraud and cutting off funds more quickly, which has forced attackers to adapt, says Dmitry Bestuzhev, senior director of cyberthreat intelligence at BlackBerry.

"Financial institutions on both sides — sending or receiving funds — have been working to make it harder for the BEC operators," he says, adding that, for attackers, by "focusing on goods purchasing, it's an easier way to escape the monitoring algorithms ... so even if it's a two-step operation, it's still safer in terms of traceability and anti-fraud, prevention algorithms."

In addition, the simplicity of the scam has made the social-engineering aspects more effective. By asking for payment for goods, impersonating someone in authority, and using the language expected of business transactions, attackers are able to fool non-tech-savvy business people, says the NCC Group's Biswas.

Paying attention to advisories, such as the FBI's public service announcement, and building processes that can withstand social-engineering attacks is important, he says.

For instance, employees should be trained to spot obvious red flags. While compromising a legitimate company's email server provides a more convincing identity with which to conduct fraud, most criminal groups just use variants on the company name, such as changing a "company.com" domain to "co-pany.com" or "company-usa.com" domain, for example.

"Cybercriminals are always evolving, and defenders should evolve as well," Biswas says. "Any organization that pays for vendor services or supplies goods and services — that pretty much includes everyone — should always be on the lookout for ... new cybercrime tactics, techniques, and procedures (TTPs)."

BEC Fraudsters Expand to Snatch Real-World Goods in Commodities Twist

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

The vulnerability would have allowed an unauthenticated attacker to execute code on a container hosted on one of the platform's nodes.

Microsoft has patched what researchers called a "dangerous" flaw in its Azure Service Fabric component of the company's cloud-hosting infrastructure. If exploited, it would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform.

Researchers from Orca Security discovered the cross-site scripting (XSS) flaw — which they dubbed Super FabriXss — in December and reported it to Microsoft, which issued a fix for it in March's round of Patch Tuesday updates, the researchers said in a blog post published March 30, revealing the technical details of the bug.

They also demonstrated how attackers can take advantage of the flaw — which makes Azure Service Fabric Explorer versions 9.1.1436.9590 or earlier vulnerable to exploit — in a presentation at Microsoft's BlueHat IL 2023 in Tel Aviv today. 

Super FabriXss, tracked as CVE-2023-23383 with a CVSS rating of 8.2, is the second XSS flaw so far that Orca researchers discovered in Azure Service Fabric Explorer. Part of Microsoft's Azure cloud computing platform, Azure Service enables packaging, deployment, and management of stateless and stateful microservices and containers on large-scale distributed systems.

The first XSS vulnerability, dubbed FabriXss and detailed by Orca researchers in October, did not pose as severe a risk as its successor, the researchers said. FabriXss, also patched quickly by Microsoft in a Patch Tuesday update, would have allowed an attacker to gain full administrator permissions on the Service Fabric cluster.

**Exploiting Super FabriXss**

With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes, which "means that an attacker could potentially gain control of critical systems and cause significant damage," Lidor Ben Shitrit, cloud security researcher at Orca Security, wrote in the post.

Using Super FabriXss, an attacker could craft a malicious URL that, when clicked, initiates a multi-step process eventually leading to the creation and deployment of a harmful container on one of the cluster nodes, Shitrit tells Dark Reading.

Specifically, researchers demonstrated at BlueHat how they could escalate a reflected XSS vulnerability in Azure Service Fabric Explorer to an unauthenticated RCE by abusing the metrics tab and enabling a specific option in the console: the "Cluster Type" toggle, Shitrit wrote in the post.

"To exploit this vulnerability, a victim (an authenticated Service Fabric Explorer user) must first click on the malicious URL and then be guided to click on the Cluster Type under the Events tab," he explains to Dark Reading. "Once exploited, sensitive cluster data could be revealed to the attacker, potentially allowing them to expand the attack to a larger surface."

The vulnerability itself arises from a vulnerable "Node Name" parameter, which can be exploited to embed an iframe in the user's context, Shitrit said in the post. This iframe then retrieves remote files from a server controlled by the attacker, eventually leading to the execution of a malicious PowerShell reverse shell.

"This attack chain can ultimately result in remote code execution on the container \[that\] is deployed to the cluster, potentially allowing an attacker to take control of critical systems," he wrote.

**Mitigation & Implications for Azure Users**

Orca reported the vulnerability to the Microsoft Security Response Center (MSRC) on Dec. 20, and an investigation into the issue begun later that month, on Dec. 31, the researchers said. Orca researchers and MSRC communicated several times regarding the impact of the flaw before Microsoft assigned CVE-2023-23383 to the vulnerability and issued a patch for it on March 14 that automatically fixed the issue for customers.

While no further action is necessary by Azure Service Fabric users, the flaw does, once again, highlight the inherent danger of unpatched flaws in cloud-based architectures that an enterprise deploys, he tells Dark Reading. These vulnerabilities "can pose higher risks compared to on-premises solutions," Shitrit says.

"With cloud-based systems, organizations often depend on third-party providers, leading to a larger attack surface and less control over security measures," he adds. "Additionally, it's important to consider the multi-tenant nature of cloud environments and the significance of maintaining proper isolation between tenants."

To address risks posed by cloud-based flaws like Super FabriXss, he suggests that organizations maintain a regime of cloud security hygiene. This includes regularly applying patches, monitoring security, addressing vulnerabilities, training employees on best practices, applying network segmentation, enforcing least-privilege permissions, collaborating with providers, and creating a robust incident response plan, Shitrit says.

"These combined efforts help ensure a secure and resilient cloud environment," he says.

Source

DARKReading