The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed "Drokbk" to attack a variety of US organizations, using GitHub as a "dead-drop resolver."

According to MITRE, the use of dead-drop resolvers refers to adversaries posting content on legitimate Web services with embedded malicious domains or IP addresses, in an effort to hide their nefarious intent.

In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.

"The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware," the report noted.

The Drokbk malware is written in .NET, and it's made up of a dropper and a payload.

Typically, it's used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.

According to the report from the Secureworks Counter Threat Unit (CTU), Drokbk surfaced in February after an intrusion at a US local government network. That attack began with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

"This group has been observed conducting broad scan-and-exploit activity against the US and Israel, so in that sense any organization with vulnerable systems on their perimeter are potential targets," says Rafe Pilling, Secureworks principal researcher and thematic lead for Iran.

He explains Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It's also a relatively unknown piece of malware.

"There may be organizations out there with this running on their networks right now, undetected," he adds.

Fortunately, using GitHub as a dead-drop resolver is a technique that cyber defenders can look for on their networks.

"Defenders might not be able to view TLS-encrypted traffic flows, but they can see which URLs are being requested and look for unusual or unexpected connections to GitHub APIs from their systems," Pilling notes.

**Dead-Drop Resolver Technique Offers Flexibility**

The dead-drop resolver technique provides a degree of flexibility to malware operators, allowing them to update their C2 infrastructure and still maintain connectivity with their malware.

"It also helps the malware blend in by making use of a legitimate service," Pilling says.

**Robust Patching Is Critical Defense Strategy**

Pilling advises organizations to patch Internet-facing systems, noting well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.

"In general, this group and others will quickly adopt the latest network vulnerabilities that have reliable exploit code, so having that robust patching process in place is key," he says.

He also recommends organizations hunt through security telemetry for the indicators provided in the report to detect Cobalt Mirage intrusions, ensure an antivirus solution is widely deployed and up to date, and deploy EDR and XDR solutions to provide comprehensive visibility across networks and cloud systems.

**Iran-Backed Threat Groups Evolving, Attacks on the Rise**

The CTU also noted Cobalt Mirage appears to have two distinct groups operating within the organization, which Secureworks has labeled Cluster A and Cluster B.

"The initial similarity in tradecraft resulted in the creation of a single group, but over time and multiple incident-response engagements we found we had two distinct clusters of activity," Pilling explains.

Going forward, the established groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. He adds that the increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.

"Email and social media-based phishing are preferred methods, and we may see some incremental improvement in sophistication," he explains.

In a joint advisory issued Nov. 17, cybersecurity agencies in the United States, United Kingdom, and Australia warned attacks from groups linked to Iran are on the rise. Cobalt Mirage is hardly on its own.

"Over the last two years we've seen multiple group personas emerge — Moses' Staff, Abraham's Ax, Hackers of Savior, Homeland Justice, to name a few — primarily targeting Israel, but more recently Albania and Saudi Arabia, conducting hack-and-leak style attacks combined with information operations," Pilling says.

The US Treasury Department has already moved to sanction the Iranian government for its cybercrime activities, which the department alleges have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

Iranian APT Targets US With Drokbk Spyware via GitHub

A reliance on CPE names currently makes accurate searching for high-risk security vulnerabilities difficult.

In many cases, once a high-risk security vulnerability has been identified in a product, a bigger challenge emerges: how to identify the affected component or product by its assigned name in the National Vulnerability Database (NVD). That's because software products are identified in the NVD with a common platform enumeration (CPE) name, which are assigned by the National Institute of Standards and Technology (NIST), part of the US Department of Commerce.

The NVD uses a CPE to identify hardware and software components based on vendor, product, and version string. When software users want to determine, via the NVD, whether a component of a product they are using has any associated vulnerabilities, they must know the precise assigned CPE name of the component. However, it is often impossible to find a CPE for a particular component, whether they are open source or proprietary.

In most cases, this problem makes it impossible to reliably automate many of the processes required for software security, such as producing a software bill of materials (SBOM).

**Why Finding Vulnerabilities in the NVD is Hard**

To understand the scope of the problem, consider the following six conditions that make it extremely difficult, if not impossible, to search for component and product vulnerabilities in the NVD, due to its reliance on CPEs as the sole identifier.

1\. Vulnerabilities are identified in the NVD with a common vulnerabilities and exposures (CVE) number, e.g., "CVE-2022-12345," and the Common Vulnerability Scoring System (CVSS) is used to assign a threat level to each CVE. A CPE is typically not created for a software product until a CVE is assigned to it. However, many software suppliers have never reported a vulnerability (which would generate a CVE), so a CPE has never been created for the product in the NVD. 

This is not necessarily because the products have never had vulnerabilities, but because the developer may not have reported any existing vulnerabilities to the NVD.

As a result, an NVD search will yield a "No matching records" response in both of the following scenarios: 

(i) a vulnerability does not exist in a given product

(ii) a vulnerability exists but has never been reported by the developer

2\. Since there is no error checking performed when a new CPE name is entered in the NVD, it is possible to create a product CPE that does not follow a consistent naming convention. As a result, when a user searches for the product using the properly specified CPE, they will receive a "There are 0 matching records" error message. This is the same message they would receive if the original (off-specification) CPE name were used but there were no CVEs reported against it.

When a user receives this message, it could mean there is a valid CPE for the product they're searching on, but a CVE has never been reported for that product, but it could also mean the CPE they entered does not match the CPE in the NVD, and that there are, in fact, CVEs attached to the (off-specification) CPE name submitted to the NVD.

The "There are 0 matching records" error message could also result if a user misspells the CPE name in the search bar. In this instance, the user would have no way of knowing that the message was generated by a typo, and instead could assume the product has no reported vulnerabilities.

3\. Over time, a product or supplier name may change due to a merger or acquisition, and the CPE name for the product may change as well. In this case, if a user searches for the original CPE, not the new CPE, they would not learn about new vulnerabilities. As before, they would receive the "There are 0 matching records" message.

4\. This also applies for different variations of supplier or product names, such as "Microsoft" and "Microsoft Inc.," or "Microsoft Word" and "Microsoft Office Word," etc. Without the exact correct supplier or product name, an NVD search will yield incorrect results.

5\. The same product can have multiple CPE names in the NVD if they are entered by different people who each use a different iteration. This can make it virtually impossible to determine which name is correct. To make matters worse, if CVEs have been entered for each of the CPE variants, this will result in their being no "correct" name. One example is OpenSSL (e.g., "OpenSSL" versus "OpenSSL Framework"). Since no single CPE name contains all the OpenSSL vulnerabilities, users must search separately for each variation of the product name.

6\. In many cases, a vulnerability will only affect one module of a library. However, since CPE names are assigned on the basis of products, not the individual modules they contain, users need to read the full CVE report to determine which module is vulnerable. If they don't, this can result in unnecessary patching or mitigations, like when a vulnerable module is not installed in a software product being used but other modules of the library are.

Fortunately, a cross-industry group called the SBOM Forum that includes members of OWASP, The Linux Foundation, Oracle, and others are working on the problem and have developed a proposal to improve the accuracy of the NVD with a focus on modern, automated use cases.

The group's recommendations, including the adoption of a package URL (purl) for software and GS1 Standards for hardware, are designed to create a standardized way to reliably query the NVD and receive accurate information on vulnerabilities.

How Naming Can Change the Game in Software Supply Chain Security

Security leaders also need to take a more holistic approach to addressing supply chain risks, company says in new research report.

Organizations should implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity, advocates Google — after the tech giant did a deep-dive into best practices for securing the software supply chain. 

In a report out on Dec. 9, Google laid out several recommendations for bolstering supply chain security, including the need for organizations to take on more direct responsibility for open source software, and taking a more holistic approach to addressing risks such as those presented by the Log4J vulnerability and the SolarWinds breach.

Google's report on software security is the first in a new "Perspectives on Security" research series that examines emerging security trends and how to address them. The report's release comes on the second anniversary of the SolarWinds breach disclosure, and its recommendations are based on Google's analysis of that incident as well as numerous other software supply chain breaches since then. Those include incidents at Codecov, Kaseya and those involving public code repositories such as PyPI.

The breaches have made software supply chain security a top item on the enterprise IT agenda. A recent report from Mandiant identified supply chain compromises as contributing to 17% of all intrusions in 2021, up from less than 1% just a year earlier. Supply chain issues were, in fact, the second most frequent initial intrusion vector after software vulnerability exploits in 2021.

**Two Main Takeaways for Security Decision-Makers**

"There are two main key takeaways from this report that enterprise IT and security decision makers should consider that will help them securely build and verify the integrity of software," says Royal Hansen, vice president of engineering at Google. 

The first, as mentioned, is that security leaders need to focus on adopting a more holistic approach to strengthen defenses against software supply chain attacks: "Organizations should also implement the SupplyChain Levels for Software Artifacts (SLSA) framework to ensure the security community mitigate threats across the entire software supply chain ecosystem," he says.

SLSA (pronounced "salsa") provides software developers a cadre of controls and practices to ensure software security and integrity during the entire software development life cycle through production. One of its key goals is to give organizations a way to prevent and detect tampering of the sort that happened at SolarWinds, where an adversary inserted malicious code into — and distributed it via — a signed software update.

SLSA is a prescriptive checklist, meaning it spells out the steps that organizations need to take. That includes, for instance, verifying the provenance of all open source and third-party components in their software, and for ensuring there's been no tampering with the software. 

Among other things, it also requires that organizations retain source code indefinitely and have the ability to verify the integrity of their software with tamper-proof provenance information.

Google perceives the SLSA framework as allowing organizations to optimize the benefits of things like a software bill of materials (SBOMs), i.e., a list of all the components in a particular piece of software.

**Assuming More Responsibility**

One of the other keys to bolstering supply chain security at an industry level is for organizations to secure their own open source and proprietary software supply chains, Google said.

This means ensuring that all software they build or acquire from other sources implements baseline security standards and controls. As an example, Google pointed to the Minimum Viable Secure Product (MVSP) requirements for enterprise-ready software that it developed in collaboration with several other companies, including Okta, Salesforce, Slack, and Venafi.

MVSP is a checklist of baseline security controls that a software developer must implement, at a minimum, to ensure a reasonably secure product. The checklist includes things such as whether the software vendor or publisher publishes vulnerability reports, conducts self-assessments and external testing, and implements practices such as SSO, HTTPS, and security headers.

Software purchasers can use the baseline to assess whether a product meets those requirements, while larger companies can incorporate MVSP as their standard questionnaire when triaging the security posture of their third-party software suppliers, Google said. Procurement teams can include them in requests for proposal (RFP) documents and use it as security baseline for vendor selection, Google said.

Hansen says security leaders and practitioners can also take other measures to bolster software supply chain security. "Findings from the report suggest a need for a more thorough understanding of software supply chain networks, identification of potential risks and implementation of risk-mitigation plans, and the establishment of security requirements for software procurement," he notes.

Security organizations can play a role as well by, for example, funding the Open Source Security Foundation (OSSF) and the open source software project maintainers who find and fix security vulnerability in open source code, Hansen says.

Google: Use SLSA Framework for Better Software Security

At Black Hat Europe, a security researcher details the main evasion techniques attackers are currently using in the cloud.

BLACK HAT EUROPE 2022 – London - CoinStomp. Watchdog. Denonia.

These cyberattack campaigns are among the most prolific threats today targeting cloud systems — and their ability to evade detection should serve as a cautionary tale of potential threats to come, a security researcher detailed here today.

"Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage," said Matt Muir, threat intelligence engineer for Cado Security, who shared details on those three campaigns his team has studied.

While the three attack campaigns are all about cryptomining at this point, some of their techniques could be used for more nefarious purposes. And for the most part, these and other attacks Muir's team has seen are exploiting misconfigured cloud settings and other mistakes. That for the most part means defending against them lands in the cloud customer camp, according to Muir.

"Realistically for these kinds of attacks, it has more to do with the user than the \[cloud\] service provider," Muir tells Dark Reading. "They are very opportunistic. The majority of attacks we see have more to do with mistakes" by the cloud customer, he said.

Perhaps the most interesting development with these attacks is that they are now targeting serverless computing and containers, he said. "The ease of which cloud resources can be compromised has made the cloud an easy target," he said in his presentation, "Real-World Detection Evasion Techniques in the Cloud."

**DoH, It's a Cryptominer**

Denonia malware targets AWS Lambda serverless environments in the cloud. "We believe it's the first publicly disclosed malware sample to target serverless environments," Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command and control methods that indicate they're well-studied in cloud technology.

The Denonia attackers employ a protocol that implements DNS over HTTPS (aka DoH), which sends DNS queries over HTTPS to DoH-based resolver servers. That gives the attackers a way to hide within encrypted traffic such that AWS can't view their malicious DNS lookups. "It's not the first malware making use of DoH, but it certainly isn't a common occurrence," Muir said. "This prevents the malware to trigger an alert" with AWS, he said.

The attackers also appeared to have tossed in more diversions to distract or confuse security analysts, thousands of lines of user agent HTTPS request strings.

"At first we thought it was might be a botnet or DDoS ... but in our analysis it was not actually used by malware" and instead was a way to pad the binary in order to evade endpoint detection & response (EDR) tools and malware analysis, he said.

**More Cryptojacking With CoinStomp and Watchdog**

CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main _modus operandi_ is timestamp manipulation as an anti-forensics technique, as well as removing system cryptographic policies. It also uses a C2 family based on a dev/tcp reverse shell to blend into cloud systems' Unix environments.

Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. "They are opportunistic in exploiting cloud misconfiguration, \[detecting those mistakes\] by mass scanning."

The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.

"We're at an interesting point in cloud malware research," Muir concluded. "Campaigns still are lacking somewhat in technicality, which is good news for defenders."

But there's more to come. "Threat actors are becoming more sophisticated" and likely will move from cryptomining to more damaging attacks, according to Muir.

3 Ways Attackers Bypass Cloud Security

Cloud-native application protection platform (CNAPP) addresses security challenges in multicloud environments, including integrating applications across multicloud or hybrid cloud environments.

The COVID-19 pandemic accelerated digital transformation initiatives for many businesses. For many, this entailed embracing cloud-native application development to make possible rapid deployment of software. The downside? Increased security risks across large and ephemeral cloud environments.

As cloud security only continues to become more complex and difficult to manage, organizations are increasingly looking at cloud-native application protection platforms (CNAPP) to protect their cloud infrastructure and applications running in the cloud. The idea behind CNAPP is to consolidate point solutions to enable more automation and reduce security gaps between tools.

**Bundling CSPM, CWPP, CIEM**

"You can think of CNAPP as the king of acronyms in cloud security," says Kate MacLean, senior director of product marketing at Lacework. "It encompasses everything from CSPM \[cloud security posture management\], CWPP \[cloud workload protection platform\], CIEM \[cloud infrastructure entitlements management\], and more, bringing these features together into a single platform."

Lacework recently updated its CNAPP offering, Polygraph Data Platform, with agentless workload scanning for secrets and vulnerabilities plus attack path analysis.

These new capabilities are designed to help IT security teams achieve better visibility into their organizations’ complex, dynamic, and unique environments so they can better identify, understand, and respond to the security alerts that matter, according to the company.

MacLean explains that agentless workload scanning helps build layered security into the cloud environment, giving IT security teams the ability to scan more resources for vulnerabilities in a faster and more comprehensive way.

"With broader coverage in the runtime environment and continuous monitoring, teams have a better understanding of potential risks in the cloud so they can proactively secure for them," she says.

**Addressing Workload, Configuration Security**

Ami Luttwak, co-founder and CTO of Wiz, says CNAPP aims to address workload and configuration security by scanning the areas during development and protecting them at runtime.

The company provides an agentless, API-centered approach offering organizations instant coverage of their multicloud environments. Wiz's platform scans public buckets, data volumes, and databases in Amazon Web Services, Google Cloud Platform, and Microsoft Azure and classifies data so that organizations can find out what data is located where.

"CNAPP is becoming the main platform for security and dev teams for everything they need from cloud security, from code time to production," he says. "It solves for the core challenges of protecting cloud infrastructure from a security perspective."

The platform uses schema matching across the entire environment to understand data flow and lineage, including when data is moved between environments or regions and improper storage of production data. It also continuously assesses for compliance to ensure security standards are consistently enforced across business units, regions, applications, and users, according to Wiz.

**Holistic Cloud Security**

A proper CNAPP protects cloud application development throughout the entirety of the application development life cycle — from build time through runtime. This simplified approach covers all clouds, and a single tool handles vulnerabilities, remediation, compliance, and reporting, giving it necessary context and visibility. With multiple tools and security functions consolidated into one platform, a CNAPP can replace multiple point solutions — not to mention countless hours of operational usage.

CNAPP Shines a Light Into Evolving Cloud Environments

The supply chain attack is piggybacking off an earlier breach to deploy new wiper malware.

A previous cyberattack on an Israeli software developer is being used by Agrius Advanced Persistent Threat (APT) group to launch wiper attacks against various organizations in the diamond industry.

Although Agrius and its attack against Israeli IT and HR companies last February was previously known, using the "Fantasy" wiper in attacks is new, according to researchers at ESET.

Fantasy is a modified iteration of the Apostle malware, the team said. But while its predecessor Apostle masqueraded as ransomware, Fantasy dispenses with the charade and moves directly to destroying files.

So far, ESET reported, Fantasy victims have been found in Hong Kong, Israel, and South Africa.

"Agrius is a newer Iran-aligned group targeting victims in Israel and the United Arab Emirates since 2020," ESET researchers explained. "Agrius exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally and then deploying its malicious payloads."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Agrius Iranian APT Group Cuts Into Diamond Industry

To be most effective, protective DNS services need to constantly reassess and rescore domains as additional data comes in.

**Question: What is the importance of a domain score when determining whether a domain is a threat?**

**Dave Mitchell, CTO, Hyas:** Did you know over 93% of all malware employs DNS as a mechanism to identify and contact its command and control (C2) to receive instructions? This is why a truly holistic cybersecurity strategy must include protection from malicious domains.

Being able to properly assess the reputation and safety of a particular domain is critical to preventing breaches. However, these results are often presented in terms of a threat scoring system, which can misleadingly imply static results. To be most effective, solutions in this space need to constantly reassess and rescore domains as additional data comes in. Legacy approaches to protective DNS fail to adapt to the inherently dynamic nature of the Internet. A proactive system must score potential threats in real time, categorizing the DNS traffic based on both static and dynamic indicators of malicious intent.

First, there are the known bad domains. These are domains that have been publicly reported and confirmed to be malicious. Blocking these domains is critical, but it is only a reactive measure. If your organization gets hit during the first wave of an attack that utilizes new malware or a new exploit, these static lists will not help. Using public block lists also leaves you open to attacks from known threats utilizing different infrastructure. Publicly known malicious domains are usually subject to the strictest layer of protection, and communication with them is forbidden. Someone would have to have a very good reason to access one of these domains.

More proactive scoring methods rely on assigning a threat category to all queried domains based on a wide variety of indicators. This is a huge advantage over the static approach, as detecting a threat in its early stages can give administrators the invaluable time they need to block domains involved with the attack before it is executed — thereby rendering it inert. For a solution to do this effectively, it requires advanced threat intelligence capabilities and an intimate understanding of attacker infrastructure and methodology to know how domains are being used and by whom.

Based on this information, advanced protective DNS services monitor domain traffic for suspicious indicators. For example, if a domain is brand new, bought from an unscrupulous registrar, purchased by a buyer from an area associated with cybercrime, and paid for in cryptocurrency, it's probably smart to block it — even if that domain hasn't been used in an attack yet. The number and severity of the suspicious indicators it finds will determine how the system classifies the domain. Sometimes the indicators are low-priority enough to permit communication with the domain, while still getting marked for further analysis. If the domain is later determined to be malicious, further communication will be blocked. Every service provider has its own secret sauce when it comes to scoring domains, so do your homework and demo a number of services before settling on one.

The more high-quality data a service has access to, the more accurate its results are likely to be when combined with continuous analysis. This is key for generating meaningful scores that maintain the delicate balance between overly aggressive blocking — annoying users and potentially slowing down the pace of business — or even worse, mistakenly letting malicious communication through, defeating the purpose of implementing the protection in the first place.

Beyond these built-in protections, administrators can usually set up custom lists or policies that make the system alert them and/or outright block DNS requests if a domain has multiple negative traits that meet or exceed established parameters. Once alerted, administrators can investigate the incident and proactively deal with it before it causes damage. An advanced protective DNS service also gives you a level of control in enforcing policies, as you can preemptively block certain DNS communications — for example, instituting a blanket block on certain hacker hotbeds. If clean traffic gets caught up in these custom rules, it is easy enough to add domains to the solution's allow list.

Every provider approaches the overall process of scoring domains differently — quite radically in some cases. Bare-minimum (sometimes free) protective DNS services often rely on static, publicly available lists, while more sophisticated services incorporate data from premium intelligence services to stay a bit more current. But the top options use advanced threat intelligence, based on examination of prior attacks and dynamic analysis, to predict domain risk. With the first two types, you are operating from a reactive stance and will almost certainly fall victim to an attack at some point. However, an advanced protective DNS helps secure your assets from new and emerging threats, giving your enterprise the upper hand against threat actors.

How Do I Use the Domain Score to Determine Whether a Domain Is a Threat?

Increased federal cybersecurity regulations provide a pivot point for manufacturers to reconsider their access management strategy.

Because they are dependent on dozens of highly technical processes, modern factories can't afford to let security burden end users who rely on technology. While this sounds simple enough, putting a plan in action isn't easy.

The pandemic, the Internet of Things (IoT), and the proliferation of cloud technologies sparked digital transformation, practically overnight. Manufacturers were forced to adopt new technologies to keep up with remote work, while still relying heavily upon on-premises infrastructure. Increased regulations like those from the National Institute of Standards and Technology (NIST) and Cybersecurity Maturity Model Certification (CMMC) posed even greater security complexities as manufacturers ramped up production to meet global demands. All of these factors led to a disheveled infrastructure that has allowed cybercriminals to thrive.

To ensure compliance, maintain bottom lines, and solve fragmentation, manufacturers need an access management strategy that works with all aspects of their environment. An agile single sign-on solution is the best place to start.

**Integrating Single Sign-on**

Single sign-on (SSO) isn't new. Many manufacturers have been utilizing the function for years to streamline operations. But with so much diverse technology, some of it dating back decades, manufacturing's patchwork environment has created a fragmentation challenge for both end users and IT departments.

While end users have to juggle several passwords across multiple apps, websites, and workstations, IT has the additional burden of monitoring user access and managing security in this complex environment. This includes conducting password resets and manually on- and offboarding users for each app.

It's necessary that SSO integrates with every application and endpoint — both on-premises and in the cloud. Not only would this help solve fragmentation and reduce the burden on IT, but with fewer logins to remember (or none at all), it would also increase productivity and satisfaction for end users. As more policies and regulations require additional authentication, modernizing SSO cannot be a maybe, but is a must.

**Enable Compliance With Access Management**

Before attacks like the one on Colonial Pipeline, many manufacturing plants had poorly secured workstations to streamline employee access to keep critical processes functioning. However, that ease of access also opened the door to cyber criminals. In response, increased regulations from the Department of Defense (DoD), like NIST and CMMC, completely transformed the security environment to protect federal infrastructure.

This may be less complicated for modern manufacturers with largely cloud environments. But for those smaller or midsize manufacturers that still rely a lot of on-premises technology, improving security can be frustrating for end users. And frankly, many organizations can't afford to overhaul this older technology to accommodate modern solutions that favor cloud. Instead, they need SSO that accommodates them.

Among the several digital identity requirements outlined by NIST, organizations that process any data related to government agencies or the DoD (a large bucket into which many manufacturers fall) must log in every time a system or application is accessed. In essence, this means no more unsecured workstations that workers can walk up to and start working on. NIST also requires increasingly complex passwords for every login and, in many circumstances, enforces multifactor authentication (MFA).

For end users who previously only had to log in a handful of times throughout their shift, this added authentication can become a burden — especially for plant workers wearing full protective gear who previously only had to push a few buttons to enable operations. With factories under more pressure than ever before, their bottom lines cannot afford to deal with hindered productivity.

These increased regulations represent a pivotal moment for the on-premises manufacturer. In short, if your SSO doesn't integrate with every login, it's time for you to rethink your access management strategy with these two words: passwordless experience.

**The Passwordless Experience**

Without the ability to use SSO for every login, there's more risk of credentials being forgotten — or worse, compromised. The fewer credentials an end user has to remember, the less likely that person is to forget a password or write it down. So, isn't the best password the one you don't know?

Think about it. If a user only logs in by tapping an NFC badge to a reader or by using biometrics, that password will remain stored away, only invoked in the background when the user authenticates. In combination with a push notification or physical token for MFA, organizations can provide employees with a completely passwordless experience that benefits both security and productivity. This also enables better holistic digital identity management, traceability, and agility across the entire organization.

While compliance should be achieved, it does not equal security. It's time to ditch meeting the minimums and strive toward efficient methods that enable growth. The technology you have is only as good as your ability to use it, so ensure it's useful for everyone. Because after all, without SSO for every login, you are only as strong as your weakest password.

**About the Author**

    

As the Senior Vice President of Worldwide Engineering and Cyber at Imprivata, Joel Burleson-Davis is responsible for building, delivering, and evolving the suite of Imprivata's cybersecurity products. Before joining Imprivata, Joel was Chief Technical Officer at SecureLink, the leader in critical access management. There he developed advanced solutions for enterprises to secure access to their most valuable assets, systems, and data. While at SecureLink, Joel was responsible for the overall technology and operational strategy and execution including direction and oversight for Product Development, Quality Assurance, IT and Cybersecurity Operations, Compliance, and Customer Success.

Single Sign-on: It's Only as Good as Your Ability to Use It

More than three-quarters of police and emergency responders worry about ransomware attacks and data leaks, while their organizations lag behind in technology adoption.

Cybersecurity threats have become commonplace for police departments, first responders, and other public-safety groups, with 93% of organizations experiencing a cybersecurity issue in the past year.

That's according to a report released on Dec. 8 by cloud platform provider Mark43, based on a survey of 343 first responders. The 2023 U.S. Public Safety Trends Report found that 76% of first responders had concerns that their IT systems are vulnerable to ransomware attacks and data breaches.

At the same time, the vast majority of first responders must deal with outdated technology and disconnected systems, with 68% of public-safety officers required to file paperwork from the office rather than in the field, and 67% of first responders encountering issues with inefficient technology, according to the report.

While adopting technology can solve many issues that currently plague first responders, most state and local agencies do not have the technical expertise to protect such technology against threats, says Larry Zorio, chief information security officer for Mark43, which provides information systems for law-enforcement and first responder agencies.

"These agencies in many cases do not have a dedicated security staff who can worry about these issues all day, ensuring that data is backed up and running vulnerability scans," he says. "To the the \[cybersecurity\] community, these are table stakes — you need to be doing patching, you need to be doing vulnerability scanning ... but these agencies are realizing that they cannot protect themselves from these risks on their own."

First responders' cybersecurity concerns are not unwarranted. In 2019 and 2020, ransomware groups started targeting state, local, tribal, and territorial (SLTT) government agencies in earnest. In 2019, for example, 22 town agencies and local government organizations were targeted with a coordinated ransomware attack disrupting services for citizens. Ransomware attacks on local school systems impacted education for at least 753,000 students during 2019 and 1.2 million in 2020.

And in 2021, the FBI warned that ransomware spread by the Conti cybercriminals group had targeted at least 16 healthcare and first responder networks. In September 2022, a ransomware attack disrupted 911 service for Suffolk County, NY.

**Targeting First Responders**

These attacks carry with them additional risks for citizens, the FBI stated in its 2021 advisory.

"Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed," the advisory stated. "Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges."

In general, the information technologists believe that ransomware attacks will continue at the same pace. The vast majority of IT professionals (84%) see ransomware as a significant threat to businesses, according to a study commissioned by Ransomware.org. In addition, 41% of IT professional believe their company is more likely to be a target this year, and 43% believe the threat will remain the same.

**Cloud Adoption Lags**

For first responders, the cybersecurity threats are balanced against the slow adoption of technology that could make their jobs and operations more efficient. While the majority of first responders believe that an integrated system for reporting would streamline operations, only a quarter of first responder organizations (27%) have moved to the cloud — two-thirds have not, the Mark43 survey found.

The Mark43 survey found that compliance and data transparency are also significant concerns for first responders, with 86% of respondents asking for improved crime reporting and two-thirds of those surveyed wanting more public transparency.

The agencies need to prioritize technology, data management, and cybersecurity roles. Instead, cybersecurity is often tasked to untrained IT workers inside the department or to officers that are nearing retirement, Zorio says.

"I don't feel that officers, who are trying to serve our communities, the fact that they are worried about that every day is definitely a concern," he says. "The industry in general needs to help them where we can, because it is not their job to worry about cybersecurity."

The survey defined cybersecurity issues as both malicious attacks by cybercriminals and availability problems caused by attacks.

Lack of Cybersecurity Expertise Poses Threat for Public-Safety Orgs

IE is still a vector: South Koreans lured in with references to the deadly Halloween celebration crowd crush in Seoul last October.

North Korean threat group APT37 was able to exploit an Internet Explorer zero-day vulnerability to deploy documents loaded with malware as part of its ongoing campaign targeting users in South Korea, including defectors, journalists, and human rights groups.

Google's Threat Analysis Group (TAG) found the zero-day flaw in the Internet Explorer JScript engine in late October, tracked under CVE-2022-41128, and now reports that Microsoft was responsive and has issued applicable patches.

To lure in potential victims, the malicious documents referenced the deadly crowd crushing incident in Seoul that happened during Halloween celebrations on Oct. 29.

"This incident was widely reported on, and the lure takes advantage of widespread public interest in the accident," the TAG team reported. "This is not not the first time APT37 has used Internet Explorer 0-day exploits to target users."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading