The opportunistic "SCARLETEEL" attack on a firm's Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.

A vulnerable Kubernetes container and lax permissions allowed an attacker to turn a opportunistic cryptojacking attack into a wide-ranging intrusion that targeted intellectual property and sensitive data.

The attack, which cloud-security firm Sysdig dubbed "SCARLETEEL," started with a threat actor exploiting a Kubernetes cluster, using an internal service to gain temporary credentials, and then used those credentials to enumerate other Elastic Compute Cloud (EC2) services that had been deployed in the targeted company's infrastructure. In the end, the company — which was not named in the incident report published today — had properly limited the scope of permissions for the stolen identity, which blunted the attack.

The incident, however, underscores that companies need to be careful when configuring the controls that allow cloud resources to interact with each other, says Michael Clark, director of threat research at Sysdig.

"Having EC2 roles being able to access other resources can be common, though usually it is tightly scoped to prevent incidents like this one," he says. "It's more about understanding how misconfigurations like this can combine with other issues leading to a larger breach."

The sophisticated cyberattack also shows that attackers are increasingly targeting cloud infrastructure in better ways. In the past, threat actors have focused on rudimentary interaction with cloud services, such as deploying cryptojacking software, but as they understand the vulnerabilities introduced by businesses in their own environments, cloud-focused attacks are becoming more popular.

In fact, observed cloud exploitation cases nearly doubled in 2022, while the number of incidents where threat actors interacted with cloud resources nearly tripled, cybersecurity services firm CrowdStrike stated in its latest annual "Global Threat Report" published on Feb. 28.

"It took a while for them to figure out how to operate in the cloud," says Adam Meyers, head of intelligence at CrowdStrike. "Organizations really need to be taking a hard look at their cloud security, because the cloud comes secure out of the box, but as people start to operate on it and change it, they make it less secure."

**From Minor to Major Security Breach**

The attacker compromised the target's cloud infrastructure through a vulnerable Internet-exposed service that allowed access to a Kubernetes pod, a technology used to manage and deploy containerized applications. Once inside the cluster, the attacker used the access to deploy containers with cryptojacking software, essentially stealing processing capacity from the victim's cloud infrastructure to mine for cryptocurrency.

"This is a common practice in automated container threats," Sysdig researchers stated in their analysis, adding that the attackers then "exploited that role to do enumeration in the cloud, search for sensitive information, and steal proprietary software."

The attackers had knowledge of how to move through the AWS cloud, including EC2 services, connecting to Lambda serverless functions, and using the continuous integration and continuous deployment (CI/CD) service known as Terraform. Because Terraform often saves the state of its pipeline to Simple Storage Service (S3) buckets, the attacker was able to retrieve those files and find at least one more additional credential in the plaintext data.

The second identity, however, had limited permissions, stopping the attacker's lateral movement, Sysdig stated in its analysis. Meanwhile, the attacker's attempts to enumerate users and cloud infrastructure led to detection, Clark says.

"It was caught by abnormal amounts of AWS actions being taken, especially from roles that shouldn't be making those types of requests," he says. "There is a threat intelligence aspect \[too\] — some of the IP addresses, which were involved, have been associated with malicious activity in the past."

**Misconfiguration, Not Lack of MFA**

The takeaways of the attack? For one, companies need to ensure that they have good visibility into the operation and telemetry of their cloud infrastructure. In addition, limiting access — even assigning read-only access to specific cloud resources — can make all the difference in stopping an attack while in progress. The more attackers hammer at resources using stolen identities, the greater chance of detecting them, according to Sysdig.

"First, zero trust and the principle of least privilege are important and if you implement them, you will reduce the likelihood of compromise," the researchers wrote. "Second, strong detections and alerts should help you catch these activities before an attacker gets too deep."

Clark also points out that multifactor authentication (MFA) technologies will likely not make a great deal of difference in blunting cloud infrastructure attacks, since most of the cloud identities that attackers take advantage of are machine identities — so, alternate protections need to be put into place.

"MFA may have been helpful for the other involved accounts to prevent their access," Clark says, "but these were internal accounts made for automation purposes rather than ones that were expected to be logged into by a person."

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist

Separate attacks on two subsidiaries of an Asian conglomerate reflect a surge of cyber-espionage activity in the region in the last 12 months.

China's Blackfly advanced persistent threat (APT) group hit two subsidiaries of an Asian conglomerate in the materials and composites sector with cyberattacks recently. Researchers say it's part of a broader, "relentless" assault of various sectors in the region aimed at stealing intellectual property (IP). 

According to a blog post published today by researchers at Symantec (which is owned by Broadcom Software), the latest activity from Blackfly (aka APT41, Winnti Group, or Bronze Atlas) occurred late last year and early this year, and it shows the group relying more on open source tools than its usual trove of custom malware. This trend is reflected by other threat groups targeting the region, which has been a hotbed of activity. Last week, for instance, researchers at Symantec revealed a new threat group dubbed Hydrochasma targeting Asia-based organizations associated with COVID-19 treatments and vaccines in an intelligence-gathering operation — solely using open source and commodity malware and tools.

Dick O'Brien, principal intelligence analyst at Symantec Threat Hunter, tells Dark Reading that this puts Blackfly's incursions in context. "This investigation is a small piece of the jigsaw," he says. "The bigger picture is that there seems to be a fairly relentless intelligence operation underway on multiple fronts."

The open source tools tactic helps them avoid detection, which in the case of Blackfly — members of whom already have been indicted by the US government — would be an attractive proposition, O'Brien says.

"This shift toward open source tools is something we've seen a lot of attackers doing," he tells Dark Reading. "It makes attacks more difficult to attribute."

**Not One, but Two Threat Groups**

Blackfly is one of the longest known threat groups operating out of China. The group originally earned notoriety by attacking the gaming industry, but has evolved to target a diverse range of organizations and sectors, including industrial control systems, semiconductor, telecommunications, pharmaceutical, media and advertising, hospitality, and more, the researchers said.

Different research groups track the APT using different monikers. In fact, some use the umbrella label APT41 to denote not just Blackfly, but also another China-backed APT known as Grayfly because the two groups are so closely associated. In 2020, the US government indicted seven men on charges relating to hundreds of cyberattacks carried out by both groups, which highlighted the link between them by identifying two Chinese nationals alleged to have worked with both, the researchers said.

As security experts have already predicted, the public attention from that indictment on APT41 has apparently done nothing to deter the group, which continues its onslaught in an attempt to steal IP from multiple business sectors, O'Brien says.

"Blackfly and a number of its peers have been highly active over the past 12 months," he says.

**A Move to Open Source Cyberattack Tools**

While the latest attacks continue the patterns of activity that researchers have seen from Blackfly in recent years, as mentioned, one new aspect is the use of open source tools that haven't been a hallmark of previous activity, O'Brien says.

Early Blackfly attacks were distinguished by the use of the PlugX/Fast/Korplug, Winnti/Pasteboy, and ShadowPad malware families. The Winnti backdoor and other custom tools were used in the recent spate of attacks (for taking screenshots, dumping credentials, querying SQL databases, and configuring proxies), but Blackfly also used for the first time an open source, proof-of-concept (PoC) app called ForkPlayground to create a memory dump of an arbitrary process, and the publicly available credential-dumping tool Mimikatz.

"While the group's technical sophistication has remained consistent, there's been a regular refreshing of its toolset, no doubt in a bid to stay ahead of detection," O'Brien notes.

**Protecting the Enterprise From Chinese APTs**

Symantec advises using an overall in-depth defense strategy and the adoption of multifactor authentication (MFA) across the enterprise network to help avoid compromise by Blackfly and other APTs aimed at stealing IP. This entails "using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain," O'Brien says.

Organizations should also monitor the use of dual-use tools inside the enterprise network and ensure that the latest version of PowerShell is deployed, as well as enable logging, and only allow remote desktop protocol (RDP) from specific known IP addresses, he adds.

Proper audit and control of administrative account usage can also help organizations avoid attacks, as well as introducing a policy for one-time credentials for administrative work on the network "to help prevent theft and misuse of admin credentials," O'Brien says.

"We'd also suggest creating profiles of usage for admin tools," he adds. "Many of these tools are used by attackers to move laterally undetected through a network."

China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP

The war on critical infrastructure demands a better security strategy.

This year started off with a bang, with critical infrastructure attacks — both physical and cyber — at an all-time high. The Cybersecurity and Infrastructure Security Agency (CISA) released 12 industrial control system (ICS) advisories warning of critical security flaws, while the hacker group GhostSec, aka Anonymous Operations, claimed to have used ransomware in encrypting an industrial remote terminal unit of the type relied on by critical infrastructure.

**Critical Infrastructure Becoming Favorite Attacker Target**

Operational technology in critical infrastructure is the new favorite target for attackers. Why?

*   **Critical infrastructure attacks result in widespread impacts.** Every second of downtime at energy suppliers, utilities, and hospitals around the world can leave communities stranded and even cost lives, forcing parties to respond quickly. Shutting down train service or a gas pipeline has enormous, highly visible consequences, including significant threats of financial harm and risk to human safety.

*   **These attacks draw international attention.** The sensitivity and value of industrial targets makes for a more compelling news story than hitting a corporate target's IT network. This is why adversaries such as GhostSec prioritize developing and publicizing their operational technology (OT) attack capabilities.

*   **Critical infrastructure attacks also increase the success of a ransomware payout.** There's an increasing need to interconnect OT networks and assets safely with IT and cloud assets to support new business initiatives (e.g., supporting today's distributed workforce via remote access), and there's a glaring lack of effective mechanisms for providing it securely, which is causing the OT attack surface to balloon. Enter attackers with sophisticated ransomware techniques at the ready.

*   **Successful attackers can and do sell their tools and tactics to adversarial governments.** For instance, disruption to Western energy suppliers can benefit an adversarial regime such as Russia's when those attacks increase European dependency on Russian energy supplies.

**DoJ Disrupts Ransomware Group Attacking Critical Infrastructure**

In the fight against ransomware, the Department of Justice (DoJ) has made progress. According to a Jan. 26 press release, the department launched a "months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure."

This announcement is a win for the DoJ, but we also need to be realistic. Adversaries are smart, and this win is bound to be short-lived. There is a lesson here for anyone responsible for securing critical infrastructure.

**Protecting Critical Infrastructure Requires a New Mindset**

Massive digital transformations happening in industrial segments (like energy, manufacturing, and utilities) require a new perspective to cybersecurity — this will become central not only to effective operations but to keeping society safe in 2023. In order to protect the world's energy infrastructure amid rising geopolitical tensions, shifting market dynamics, and fast digital transformation efforts — and all in the face of highly motivated adversaries — it's no longer enough to know you've been hacked. Preventative cybersecurity is a must, especially when it comes to safeguarding our world's scarcest resources.

If we don't shift our mindset and find ways to not only detect adversaries but also block them from being able to inflict harm, we'll continue to see these ransomware attacks succeed. They're always one step ahead and bound to already be searching for new ways to break through and impact our day-to-day lives in order to achieve their goals.

It's time for critical infrastructure operators to tackle the challenge of securely interconnecting OT assets with IT and the cloud without exposing vulnerable devices to corporate or public networks. They need to support business initiatives to allow distributed workforces and vendors to access critical components that can have a physical impact on the real world, in order to provide upgrades or manage urgent issues rapidly without opening up to new attack vectors. As OT assets grow more distributed, along with the experts who build, operate, and maintain them, this challenge will only increase. Now is the time for critical infrastructure organizations to invest in modernizing their access management and data security, leveraging zero trust strategies, to stay ahead of cyberattackers.

Rigorous cyber hardening of critical operations needs to happen — immediately. The mindset must shift from not just detecting cyberattacks, but to blocking them outright. The massive uptick in attacks should serve as a wakeup call to the industry. Even the minority of attacks that are reported publicly have become too numerous to ignore. And with the latest cybersecurity innovations, preventing harm is possible, even once the threat has already infiltrated inside an operational network.

The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win

**Hampshire, UK – 27th February 2023:** A new study from Juniper Research has found that the number of digital identity apps in use will exceed 4.1 billion globally by 2027; rising from 2.3 billion in 2023.

This represents a growth of 82% over the next four years. This increase will be driven by the use of government-backed digital identities to replace physical identity documents as a source of verification for third-party apps, such as banking and financial services. This will be critical, as businesses aim to reduce identity theft and meet increasingly stringent KYC (Know Your Customer) regulations. Find out more about the new research: Digital Identity: Solutions Assessment, Regional Analysis & Market Forecasts 2023-2027.

**Verification Moves to Zero Trust**

The research also identified a move away from reliance on passwords for identity verification, with these replaced by biometric verification and MFA (Multi-factor Authentication) under a zero-trust model, where identities are authenticated continuously. This approach is more resistant to traditional hacking methods, such as phishing; reducing the risk of data breaches.

Zero trust will be delivered via SSO (Single Sign On), which allows the user to access multiple accounts via a central, secured system. Critical to SSO is the use of mobile subscriber identity, with the number of mobile devices using their mobile number for SSO predicted to reach 2 billion in 2027; up from 922 million in 2023.

Research author Michael Greenwood explained: _“Consumers are highly motivated by convenience; making a streamlining of user experience significant for attracting and retaining them. SSO can achieve this, whilst also appealing to security-conscious users.”_

**Identity Apps vs Digital Wallets**

The primary competition for dedicated digital identity apps will come from digital wallets, which offer payment functionality alongside a digital identity capability. For instance, in some US states, digital driver’s licences held within Apple Wallets are fully recognised. However, these digital wallets will struggle to monetise identity in the same way as they have payments, due to competition from government-run schemes limiting adoption.

Digital Identity market research: https://www.juniperresearch.com/researchstore/fintech-payments/digital-identity-research-report

Juniper Research provides research and analytical services to the global hi-tech communications sector; providing consultancy, analyst reports and industry commentary.

Active Digital Identity Apps to Surpass 4.1B by 2027

The publisher of the Wall Street Journal, New York Post, and several other publications had last year disclosed a breach it said was the work of a state-backed actor likely working for China.

The state-sponsored attackers behind a breach that News Corp disclosed last year had actually been on its network for nearly two years already by that time, the publishing giant has disclosed.

In a letter to employees last week, News Corp said an investigation of the incident showed the intruder first broke into its network in February 2020, and remained on it until discovered on Jan. 20, 2022. Over that period, the adversary had access to what News Corp described as business documents and emails pertaining to a "limited number of employees." Data that the attacker had access to at the time included names, dates of birth, Social Security numbers, driver's license numbers, and health insurance numbers, News Corp said.

**An Intelligence-Gathering Mission**

"Our investigation indicates that this activity does not appear to be focused on exploiting personal information," the letter noted, according to reports. "We are not aware of reports of identity theft or fraud in connection with this issue."

When News Corp — the publisher of the Wall Street Journal, New York Post, and several other publications — first disclosed the breach last January, the company described it as an intelligence-gathering effort involving a state-sponsored advanced persistent threat (APT). In a Feb. 4, 2022 report the Wall Street Journal identified the actor as likely working on behalf of the Chinese government and focused on gathering the emails of targeted journalists and others.

It's unclear why it took News Corp more than a year after initial breach discovery to disclose the scope of the intrusion and the fact that the attackers had been on its network for nearly 24 months. A spokesperson for News Corp did not directly address that point in response to a Dark Reading request for comment. However, he reiterated the company's previous disclosure about the attack being part of an intelligence-collection effort: "Also as was said then, and was reported on, the activity was contained, and targeted a limited number of employees."

**An Unusually Long Dwell Time**

The length of time the breach at News Corp remained undetected is high even by current standards. The 2022 edition of IBM and the Ponemon Institute's annual cost of a data breach report showed that organizations on average took 207 days to detect a breach, and another 70 days to contain it. That was slightly lower than the average 212 days it took in 2021 for an organization to detect a breach and the 75 days it took for them to address it.

"Two years to detect a breach is way above average," says Julia O'Toole, CEO of MyCena Security Solutions. Given that attackers had access to the network for such a long time, they most likely got away with a lot more information than was first perceived, O'Toole says.

While that's bad enough, what's worse is that less than a third of breaches that happen are actually detected at all. "That means many more companies could be in the same situation and just don't know it," O'Toole notes. 

One issue is that threat detection tools, and security analysts monitoring those tools, cannot detect threat actors on the network if the adversaries are using compromised login credentials, O'Toole explains: "Despite all the investment in \[threat detection\] tools, over 82% of breaches still involve compromised employee access credentials."

**A Lack of Visibility**

Erfan Shadabi, cybersecurity expert at Comforte AG, says organizations often miss cyber intrusions because of a lack of visibility over their assets and poor security hygiene. The increasingly advanced tactics that sophisticated threat actors use to evade detection — like hiding their activity in legitimate traffic — can make detection a huge challenge as well, he says.

One measure that organizations can take to bolster their detection and response capabilities is to implement a zero-trust security model. "It requires continuous verification of user identity and authorization, as well as ongoing monitoring of user activity to ensure security," Shadabi tells Dark Reading.

Organizations should also be using tools such as intrusion detection systems (IDS) and security information and event management (SIEM) systems to monitor their networks and systems for unusual activity. Strong access control measures including multifactor authentication (MFA), vulnerability management and auditing, incident response planning, third-party risk management, and security awareness training are all other crucial steps that organizations can take to reduce attacker dwell times, he says.

"Generally speaking, organizations, particularly large ones, have a difficult time detecting attacks because of their vast technology estates," says Javvad Malik, lead awareness advocate at KnowBe4. "Many organizations don't even have an up-to-date asset inventory of hardware and software, so monitoring all of them for breaches and attacks is extremely difficult," he says. "In many cases, it boils down to complexity of environments."

Attackers Were on Network for 2 Years, News Corp Says

Cloud security vendor Wiz has raised $900 million since its founding in 2020.

Cloud security vendor Wiz has reached $10 billion valuation in the wake of a $300 million Series D round. Wiz plans to use the latest investment for product development and to increase the size of its workforce.

Security teams can use Wiz's cloud security platform to analyze infrastructure hosted in public cloud services such as Amazon Web Services, Azure, and Google Cloud, as well as to monitor infrastructure-as-code, APIs, and containers for vulnerabilities and misconfigurations. The platform consolidates a range of capabilities, including cloud security posture management, external attack surface management, cloud detection and response, and cloud-native application protection. At the heart of Wiz’s offering is the "security graph," which triages and correlates attack paths so that developer and security teams have information about the cause of a breach and how to respond.

The company's rise has been stratospheric, launching in March 2020 and hitting unicorn status a year later with a valuation of $1.7 billion. Wiz was valued at $6 billion after raising $250 million in a Series C funding round in October 2021. Wiz has raised $900 million to date.

The excitement around Wiz underscores a red-hot cloud security market that has accelerated as organizations shift more of their workloads to the cloud to accommodate a growing remote workforce and to support digital transformation initiatives. There are several cloud security vendors carving out space in the market, such as Palo Alto Networks and Check Point, and quite a few are chasing venture capital funding, such as Sentra, Gem Security, Dig Security, Laminar, and Ops Security.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Wiz Reaches $10B Valuation With Consolidated Cloud Security Platform

Vouched now covers more than 85% of the global population, as demand accelerates for its platform to securely automate KYC and KYP compliance to better serve patients and drive revenue.

**SEATTLE****,** **Feb. 27, 2023** **/PRNewswire/ --** Vouched, an AI-driven identity verification platform, today announced $6.3 million financing led by BHG VC and SpringRock Ventures, as well as prior investors Darrell Cavens and Mark Vadon.

Vouched's expansion plans build upon the company's rapid growth over the past year. The company now serves more than 300 banks, fintechs, and healthcare providers, including Alloy and Hims Health. Vouched's proprietary AI and computer vision platform now covers more than 85% of the global population.

"Vouched delivers the industry's most accurate and seamless identity verification AI, enabling companies to securely accelerate onboarding, provide frictionless customer experience, and unlock new growth opportunities," said John Baird, CEO, Vouched. "We look forward to enhancing the value of our identity verification platform to the healthcare market, and ensuring we remain a trusted partner-of-choice for businesses in highly regulated markets who want a solution that can prioritize both compliance and growth." 

As businesses continue to migrate toward digital-first strategies, fast and accurate identity verification tools will become the de facto standard. By 2030, digital identity is forecast to create economic value equivalent to six percent of GDP in emerging economies on a per-country basis and three percent in mature economies, according to a report from McKinsey Digital. It is more critical than ever for financial and healthcare verticals to ensure they are in full regulatory compliance while remaining focused on delivering a secure and seamless online experience to their existing and prospective customers.

"SpringRock Ventures recognizes the increasing importance of high reliability, real-time identity verification for expanding, consumer centric businesses such as telehealth, banking, or hospitality." said Kirsten Morbeck, Managing Director. "Vouched has built an automated, AI-powered, proprietary solution that is faster, more accurate, more configurable, more scalable and less expensive than existing solutions. Vouched is poised to be a leader in providing this lynchpin of consumer confidence and transaction security to help businesses grow faster."

"Covid-19 has accelerated demand for digital identity verification while fundamentally shifting more business processes online," says Andrew Stone SVP, Fraud Management & Financial Crimes. "With this knowledge, BHG VC has been impressed by the platform's growth and development, and we're excited for the company's success in regulated industries, including financial services and healthcare."

The company will use its latest financing to enhance its platform, recruit top-tier talent, and extend its support for financial services and healthtech businesses. Founded in 2018, Vouched has raised more than $18 million to date.

**About Vouched**

Vouched is an industry leading provider of AI-based identity verification for regulated and commercial businesses who need to quickly and accurately verify individuals in order to provide access to services, while minimizing fraud risk. Vouched delivers identity verification for anyone, anywhere, providing a multi-dimensional, dynamic verification of any individual's identity, including hard-to-identify populations. Vouched is the only IDV solution that is adaptive to ensure customer growth and acquisition goals are met, while maintaining compliance requirements through a proven, deterministic decision process that leads the industry in definitive response rates. Based in Seattle, Vouched is privately held and backed by Madrona Venture Labs, Mark Vadon and Darrell Cavens, Ascend Ventures, Flying Fish VC, BHG VC, SpringRock Ventures, SeaChange Ventures. Learn more at Vouched.id and follow us on LinkedIn.

Vouched Raises $6.3M to Expand AI Identity Verification Offering to Telemedicine and Healthcare

The exposure and exploitation of hardcoded secrets continues to drive software supply chain attacks. One solution: zero new hardcoded secrets.

Secrets embedded in source code pose a risk to developers and the organizations they work in. Secrets can be used to take over both user and service accounts, which can lead to sensitive data exposure, operational risks, and financial or reputational damage.

There are many commercial and open source projects available to detect hardcoded secrets, but mitigating — by removing, obfuscating, or rotating — exposed secrets is extremely hard. For example, rotating a secret tied to a service in your cloud environment can cause a denial of service across your application if that service is consumed by other code where the secret is not detected. This may be the case even if the secret is stored securely in a secrets management service.

The risk of having secrets in a source code repository is that the secret is immediately exposed to any other users who clone this repository. All historical secrets can be detected by scanning the files or the commits in the git history of the repository.

Therefore, mitigating secrets before they are exposed in the files or git history is a more desirable approach. Pipelineless security enforces a "zero new hardcoded secrets" policy by keeping secrets out of the source code repositories.

**Where Are Hardcoded Secrets Traditionally Detected?**

A typical code delivery flow begins with a developer cloning or downloading the latest version of the code repository and making changes to the local repository. Pushing the code changes back to the remote repository often kicks off a series of checks and scanners — for example, GitHub supports Checks API, while Azure DevOps supports service webhooks. Before the new features (or fixes) can be deployed to production, the developer's code branch needs to be merged into the main branch, which typically triggers another round of checks and build/CI pipelines to ensure that the application will still work properly after the merge. For example, container builds can occur at this time to speed up the pipeline after the code is merged.

Secret-scanning checks can be implemented in several places in the developer workflow: IDE plugins, pre-commit hooks, pre-receive hooks, webhooks to scanner, and CI/CD pipeline. Each method has pros and cons.

**IDE plugins.** Secrets can be scanned as the developers write code. It is an effective approach to help avoid committed secrets into the git history, but due to the various IDE tools and versions within engineering organizations, it is hard to ensure that 100% of developers will use it. This approach lacks an enforcement capability, which means developers can bypass this control — a serious drawback to any client-side security control.

**Pre-commit hooks.** Automated scripts run before code is committed into the local git history. This control has the same pros and cons as IDE plugins. Additionally, commits resulting from suggested code changes on a pull request can end up unscanned if they get accepted by the developer.

**Pre-receive hooks.** These are like pre-commit hooks, but they run on the source code management (SCM) side. This means that 100% coverage can be reached. However, they require administrative access to the underlying operating system, which cloud-based offerings such as GitHub cannot provide.

**Webhooks to scanner.** This is an effective approach, as it can provide 100% coverage as well. While webhooks cannot prevent push events from successful execution, they are delivered quickly and can be easily deployed on both cloud and on-premises deployments, which makes them very popular. Note that the results of the GitHub Checks API are visible to all users with access to the repository — which means that if a secret is exposed, others will know.

**Pipeline.** Implementing secrets scanning across 100% of the repositories is hard because pipelines typically require code changes. Additionally, it takes time to get a runner to kick off and execute a job, which makes it less effective when it comes to immediate secret mitigation. As is the case with webhooks, the results of the pipelines are visible to all users with access to the repository.

**Where 'Zero New Hardcoded Secrets' Comes In**

The concept of zero new secrets is fairly simple. A service that enforces such a policy needs to be built with the following in mind:

1.  Subscribe your secret mitigation service to **all important events across all repositories**, e.g. subscribe to code push, pull requests, and audit events.
2.  Kick off **out-of-band automated git-based guardrails**, such as resetting a branch to a pre-pushed state.
3.  Provide **isolated feedback to the code pusher**, at minimum. Ensure that the new secret finding is not presented to unnecessary users.

This is also known as pipelineless security. In a pipelineless implementation, a series of checks and services handles secrets detection right as the code is being pushed to the remote repository. When the developer pushes code from the local branch to the remote repository, a webhook is sent to the pipelineless security service, which runs the secret detection script. If no secret is found, the code is pushed normally.

However, if a secret is detected, the service resets the branch to the pre-push state. This way, the commits containing the secrets will not be accessible to adversaries poking around the repository's commit history. The developer is then notified privately and given instructions on how to back up the changes and fetch the code so that it can be fixed — both to minimize the risk of hardcoded secret exposure and to prevent any stigma from attaching to the developer.

A zero new hardcoded secrets policy, enabled by a pipelineless approach, can be effective in preventing the exposure of new secrets while developers work to resolve the backlog of historical secrets. Such a policy offers 100% coverage, the ability to mitigate newly pushed secrets in seconds, and direct feedback to the developer to act without exposing code to unnecessary parties.

How to Reduce Code Risk Using Pipelineless Security

Vulnerabilities impact each industry differently, so each sector needs to think about its defenses and vulnerability management differently.

Common vulnerabilities and exposures (CVEs) have been rising for the past few years, and they show no sign of stopping. New vulnerabilities are added to the National Vulnerability Database at an alarming rate — and the incredible volume makes tracking them increasingly difficult.

In 2000, there were only about 1,000 disclosed vulnerabilities. With this lower volume, security teams could review and remediate them efficiently: The systems were less complex and more easily siloed, and the sheer number was lower than today. Now, the number of disclosed vulnerabilities has exploded to over 23,000 in 2022 — a 2,200% increase in 22 years. And based on our Seasonal ARIMA model that builds on 10 years of data, Coalition anticipates more than 1,900 new CVEs per month in 2023, including 270 high-severity and 155 critical-severity CVEs.

For CISOs everywhere, this massive amount of information can be daunting since good cybersecurity hygiene is necessary for an organization to survive. However, not all CVEs are even exploitable, and there are varying degrees of difficulty in creating exploits for CVEs.

The situation can be even more overwhelming for industries with different technical and digital requirements, in which cyber may not be a focus area. Further, these security flaws also do not impact every industry in the same way. For example, a vulnerability may need to be prioritized differently for the consumer sector versus the healthcare or real estate sectors.

Below we'll dive into findings from Coalition's Cyber Threat Index 2023, which examines how today's security vulnerabilities impact various industries. The analysis stems from aggregations created entirely from underwriting scans run on these companies during the insurance quoting process.

**Healthcare and Real Estate CVEs Tend to Be Less Serious**

The healthcare sector is particularly vulnerable to cyberattacks, given the volume of personally identifiable information (PII) that ransomware attackers can exploit if they get into the network. The real estate industry is also a premium target because of the sensitive renter and owner application data managed.

Both have become appealing targets with digitization. Hospitals were forced to move to virtual doctor's appointments during the pandemic. Real estate has experienced the rise of smart buildings that use Internet of Things (IoT) devices to analyze building data and improve operations. Both these digital evolutions have expanded the attack surface into the cloud.

But while healthcare and real estate tend to have more security vulnerabilities or issues detected per asset or technology services, we found that they are often targeted with _less harmful_ CVEs. (A silver lining!)

Healthcare also has one of the lowest numbers of distinct breaches on average, demonstrating the smaller impact of these less harmful CVEs.

This lower level of exploitation may be because real estate and healthcare tend to use less technology on average. And when they do use it, they usually opt for more reliable and stable tech stacks compared to other industries, reducing their overall attack surface.

Just because healthcare and real estate have less-serious CVEs doesn't mean organizations shouldn't be patching. But it does point toward the need to take a more holistic view of gaps in their security posture to better understand which vulnerabilities are most important to prioritize and how vulnerabilities may affect them differently.

**Consumer Services and Technology at Higher Risk**

Unlike healthcare and real estate, technology and consumer services have complex, digitally oriented tech stacks. The technology industry uses the largest number of disparate technologies, such as developer favorites jQuery, Microsoft IIS, NGINX, and Cloudflare. The increase in cloud-hosted technologies expands the technology industry's attack surface.

The saving grace for the technology sector may be that it is more acutely aware of security and, thus, more likely to patch issues quickly. This is likely why the technology sector has the lowest rate of distinct data leaks per company at 5.59 average breaches in 2022.

According to our analysis, the consumer services industry stores the highest percentage of assets in the cloud. This is surprising because the industry processes and stores customers' PII. Storing PII in the cloud is a significant security risk because, if not done correctly, it can be exposed for anyone to view and download. Consumer services need to be on guard against vulnerabilities in the cloud and increase awareness around how a threat actor might exploit data stored in the cloud.

When you look at the CVEs impacting each industry, the consumer services and technology sectors have the highest average severity of the industries we analyzed during 2022. Over the last year, the consumer services sector had an average CVE criticality of 9.36 out of 10, and technology had an average of 9.29 out of 10. (Real estate had a much lower score of 7.78 out of 10, for context). This higher severity means that the CVEs impacting these two sectors have much more significant impacts and have the potential to cause the most damage.

**Respond to Threats Accordingly**

Understanding how security vulnerabilities impact these different industries can help cybersecurity vendors, including cyber insurers, make smarter decisions when assessing risk. It also helps companies improve their security posture by patching issues and flaws according to their particular risk. Organizations should look beyond the criticality of a vulnerability. Security teams also need to consider the context in which the vulnerability exists, the type of asset it exists on, and the types of losses that could result.

This difference in the breakdown of average attacks, severity, and attack surface size all dictate how organizations in different industries need to prioritize vulnerabilities differently. Consequently, it shows how they need to allocate technology defenses and human resources, too.

All CVEs Are Not Created Equal

New Zero Trust OT Security solution secures critical infrastructure without additional sensors.

**SANTA CLARA, Calif.****,** **Feb. 27, 2023** **/PRNewswire/ --** The usage and connectivity of operational technology (OT) is rapidly growing as are the number of cyberattacks on OT environments. These attacks can disrupt operations, causing damage that can reach far beyond revenue and reputation to supply chain, human safety and critical infrastructure. To help companies keep their OT environments secure, Palo Alto Networks today introduced the most comprehensive Zero Trust OT Security solution.

A key component of the solution is the new cloud-delivered Industrial OT Security service, which can be easily enabled — without the need to install additional sensors — by any of the 61,000+ active customers of Palo Alto Networks network security products: hardware and software Next-Generation Firewalls (NGFW) and Prisma SASE. Built on an AI-powered foundation with ease of deployment in mind, the new solution enables customers to secure their OT environments from the most sophisticated threats while simplifying their operations.

OT devices can be hard to secure because many lack built-in security and were not designed to be patched. In addition, high uptime requirements limit the ability to do regular security maintenance. OT environments are also at risk as organizations adopt new technologies like 5G, which enable mass connectivity, and open up remote access.

"Most OT security solutions in the market fall short because they can't identify all the assets and can only alert but don't prevent threats. This leads to a patchwork of siloed security technologies, which can lead to security gaps," said Anand Oswal, SVP, network security at Palo Alto Networks. "Our OT Security solution is designed to help organizations stay secure through granular visibility and effective inline security while meeting their availability and uptime requirements."

Using the industry's first ML-powered OT visibility engine, the Industrial OT Security service recognizes hundreds of unique OT device profiles, over 1,000 OT/Industrial Control System (ICS) applications, and has hundreds of distinct OT threat signatures to help protect these hard-to-secure assets. A notable feature of the service is its ability to help security teams proactively understand risk and apply controls. It continuously observes, categorizes and visualizes asset behavior so anomalies can be discovered immediately and addressed with firewall policy.

"As industrial OT systems and IT systems become more interconnected, so does the size of the attack surface available to the adversary. Defending against increasingly sophisticated threats requires expanded security strategies that can provide visibility, context, and Zero Trust capabilities across both OT and IT networks, devices, applications, and users," said Dave Gruber, principal analyst, Enterprise Strategy Group. "The Palo Alto Networks solution embraces this unified security model, promising to help protect complex OT environments."

"Manufacturing has come into the crosshairs of many recent cyberattacks. Palo Alto Networks Industrial OT Security is a must have to ensure security best practices are in place," said Jared Mendenhall, director, Information Security, Impossible Foods. "We look forward to Palo Alto Networks' dedicated OT Security solution to help us further secure our manufacturing plant, remote operations, and realize our broader Zero Trust vision."

The Zero Trust OT Security solution secures multiple OT use cases with consistent Zero Trust policies, all managed centrally:

*   **OT assets and networks** using Palo Alto Networks NGFWs, along with the new Industrial OT Security service.
*   **Remote access** using Prisma SASE.
*   **5G-connected devices** using NGFWs with Palo Alto Networks 5G-Native Security.

Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**Availability**

Palo Alto Networks Zero Trust OT Security solution and Industrial OT Security service will be available in March.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ the United States _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Source

DARKReading