The good news: The Apache Commons Text library bug is far less likely to lead to exploitation than last year's Log4j library flaw.

The Text4Shell vulnerability, tracked under CVE-2022-42889, started drawing potentially malicious activity this week.

Researchers at Wordfence issued a threat advisory urging security teams to update their Apache Commons Text library to the patched version 1.10.0. The team began monitoring Text4Shell, which has been given a CVSS score of 9.8, on Oct. 17, and by Oct. 18 they started seeing attempts to exploit it.

While the threat does have many similarities to last year's Apache Log4j library bug, Wordfence security researchers say Text4Shell poses less of a threat.

"While the vulnerability itself is similar to last year's vulnerability CVE-2021-44228 in Apache's log4j library, the Apache Commons Text library is far less widely used in an unsafe manner and the likelihood of successful exploitation is significantly lower," the team explained in their latest advisory.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exploit Attempts Underway for Apache Commons Text4Shell Vulnerability

At the Authenticate Conference, Google and Microsoft demonstrated their passkey prototypes. Apple, meanwhile, already launched its version in iOS 16.

Apple, Google, and Microsoft are in the early stages of delivering on their plan to provide passkeys based on the FIDO Alliance's new passwordless authentication standard. But eliminating passwords won't happen overnight.

The three leading device and platform providers in May collectively announced they would incorporate the new passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which consists of World Wide Web Consortium's (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance's Client-to-Authenticator Protocol (CTAP).

**Passkeys Start to Roll Out**

As expected, Apple became the first provider to provide passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use passkeys. Mac users will also be able to implement passkeys when Apple releases its newest operating system update, macOS Ventura, which is due to arrive this month. Last week Google released passkey betas for Android and Chrome.

Once a user sets up a passkey on one Apple device, it can synchronize with any other supported Apple client or service using iCloud Keychain. Also, when a user enrolls one device with a passkey, they can automatically enroll any other Apple device and service that supports them.

Google's passkey beta lets users create and use passkeys on their Android devices and securely sync them via Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always encrypted end to end.

"When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key that is only accessible on the user's own devices," Birgisson noted. "This protects passkeys against Google itself, or e.g. a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to sign-in to its corresponding online account."

**Demonstrating the Future**

Google and Microsoft demonstrated their implementations of passkeys to hundreds of identity and security experts at this week's Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand demonstrated how to sign into an account with passkeys, which will appear in an Android update by December. Brand said anyone could sign up for the developer beta in the Google Play Services channel.

"The moment you sign up for this with a particular Google account, you will be able to get the latest updates on your device within a couple of minutes," Brand said. Passkeys for Chrome OS are on the road map for release next year, he added.

Brand and other identity and security experts at the conference emphasized that authenticating with passkeys is considerably more secure than passwords because they aren't vulnerable to phishing attacks or other compromises. Passkeys are also easier to use because they consist of cryptographic keys that can run on supported devices and cloud services.

Although Microsoft doesn't plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company's Authenticator app, according to senior program manager for identity Scott Bingham.

"Passkeys are multidevice, FIDO credentials that are a really compelling solution," Bingham said. "It can be synced through a platform cloud and available to use on all your devices when you sign into the same platform account." 

While Windows Hello provides biometric authentication for unlocking a PC's OS screen, it will also enable the new passkeys.

**Integrating Online Services and Apps**

For passkeys to take off, websites and enterprises that use usernames and passwords for authentication must add support for passkeys. Thousands of organizations worldwide have deployed or are deploying FIDO authentication, enabling them to support passkeys, according to FIDO Alliance executive director Andrew Shikiar, in his opening remarks at the conference.

Among them is PayPal, which last year hired a founding member of the FIDO Alliance, Marcio Mello, as head of product for the PayPal Identity Platform. Mello said PayPal plans to offer support for passkeys in the US for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that when using iCloud Keychain on a Mac with the updated OS, the passkey is available automatically. When using a device that doesn't yet support passkeys, if the user had already created one, they could access it by generating a QR code.

"This provides that amazing combination we've been waiting for, both convenience and security," Mello said. "Something that's absolutely required for us to be able to reach the large-scale consumer deployment that we'd be looking for worldwide."

While passwords remain the most common credentials for authentication, they are costly to organizations, according to the FIDO Alliance's Online Authentication Barometer, published this week. The study found that 59% of respondents give up accessing online accounts when they can't remember their password, and roughly 40% abandon purchases for the same reason. The survey also found that 39% are familiar with passkeys.

**Adoption Will Be Slow**

Throughout the conference, organized by the FIDO Alliance, there appeared to be widespread optimism among identity and security experts that the standardized cryptographic keys promise to pave the way to a future of passwordless authentication to devices, online services, and applications.

"Passkeys stand to take passwords out of play for hundreds of millions of consumers immediately," Shikiar said. How immediately passkeys replace passwords remains to be seen, but it will likely be years before they become mainstream, as some people signaled in their presentations.

The widespread adoption of passkeys is promising because users can reuse their credentials among different vendor ecosystems, says Gartner analyst Paul Rabinovich. Because passkeys registered on one device can complete authentication from another device, "we'll finally see wide adoption of software-based roaming authenticators" embedded as mobile apps or within operating systems, he says.

Passkey Demos Hint at What's Ahead for Passwordless Authentication

ASHBURN, Va., Oct. 21, 2022 /PRNewswire/ — Katzcy®, a woman-owned small business, has signed a five-year cooperative agreement with the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) to encourage and support a growing community of cybersecurity practitioners through cybersecurity games. The collaboration will be managed by NIST's National Initiative for Cybersecurity Education (NICE) as part of its mission to energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development.

Over the duration of the cooperative agreement, Katzcy (through their PlayCyber division) will collaborate with NICE to support the US Cyber Games®, an effort to bring together talented cybersecurity athletes, coaches, and industry leaders to build an elite US Cyber Team® for global cybersecurity competition. Katzcy will align athlete recruiting efforts, cybersecurity competitions, and training initiatives to the NICE Workforce Framework for Cybersecurity (NICE Framework) so that the US Cyber Games can demonstrate how a consistent lexicon can be used to help ensure consistency in how cybersecurity work is described and performed.

Now in its second year, the US Cyber Games comprises four primary phases – the Open, Combine, Draft, and Game Season. The US Cyber Open is a free event open to anyone interested in cybersecurity games, regardless of age or experience level. Top scoring participants who qualify will be invited to the US Cyber Combine, an intensive mentored-evaluation and training over several weeks. A group of final participants will be selected from the Combine and announced at the US Cyber Games Draft Day. From December through the following October, the team will compete in virtual and in person cyber games throughout the world.

The new collaboration kicked off this week at the Season II US Cyber Games Draft Day event at the Department of Commerce headquarters in Washington, D.C. Draft Day provided information about careers in cybersecurity and showcased cybersecurity games through onsite exhibits. The Draft ceremony announced the top athletes of the Season II US Cyber Team. View the recording online. These athletes will train over the next several months as a team and represent the USA at the International Cybersecurity Competition in 2023.

Learn more about the US Cyber Games at uscybergames.com.

**About Katzcy**

As a certified Woman-Owned Small Business (WOSB), Katzcy is dedicated to growth, innovation, and progress. Through our PlayCyber® business line, Katzcy is helping build a stronger and more diverse community of cybersecurity professionals by delivering exciting cyber games experiences. Our mission is to bring together and inspire the very best cybersecurity athletes and build a stronger and more diverse community by delivering the world's most exciting cyber games for players, fans, and sponsors. Visit https://www.katzcy.com to learn more.

Katzcy Teams up with NIST on Cybersecurity Games

Build your company's security awareness program a suit of high-tech cybersecurity armor along with a collaborative atmosphere.

Iron Man wasn't built in a day. Nor was his suit — or ego, for that matter. The creation of the superhero and his suit of high-tech armor came out of necessity — to keep shrapnel shards from puncturing his heart. The solution was the creation of Iron Man's first-ever electromagnetic reactor — and, well, the rest is Marvel Cinematic Universe history.

But how does this relate to building a security awareness program? No, it doesn't mean you add watching _The Avengers_ to your cybersecurity curriculum (we tried!). But it does show that the first foray into building out such a heart-saving program often comes from necessity. No one expects to be trapped in the caves of a terrorist group or to have their organization's protective walls breached — but it does happen to superheroes and everyday companies alike.

So, you have to build something better to ensure your organization survives the missile attacks — whether being shot by the Ten Rings terrorist organization or by a ransomware-as-a-service group using smishing on an executive. Many stop there, when their first-gen defenses are in place and they're lulled into a false sense of security, but you don't have to.

**More Than Human**

Much like the arc of Iron Man throughout his decade-plus saga, your security awareness program needs to start with an origin story — a guiding set of principles that explain your current actions and future motivations. Many deem humans as the faulty link in cybersecurity and, in some ways, they can be; according to the World Economic Forum, 95% of cybersecurity breaches are caused by human error. Using this data, many organizations will purchase tech to bolster their defenses and limit their employee's visibility into threats facing the organization. For my team and our security awareness program, we chose the opposite course. We equip our humans with the tech, tools, and training they need to be first-line defenders against cyber threats.

This process of embedding security awareness into everything your employees do takes time. It can take months and even years to spark your company's collective Pikul — the energized arc reactor that drives your security awareness program forward — but it's worthwhile. To begin, you need to start the training journey early — incorporate training at the very start of employment, at new employee orientation.

Next, you need to embed real-world trainings and simulations into the day-to-day work environments of your employees, including things like phishing simulations, crisis tabletops, and social media alerts. For content inspiration, it's important to "run on reality" and use real things that have happened to your company or employees as the backbone of this training content. Often in the case of cyber bad actors, reality is stranger than fiction.

**What's Your Jarvis?**

Once you have your arc reactor powering the day-to-day movements of your program, it's time to set up your "Jarvis System." In _Iron Man_, Tony Stark uses his Jarvis AI to schedule everything from interplanetary drone strikes to dinner reservations. In the case of your organization's Jarvis, the scope of what you're looking for your system to do is much smaller. Jarvis, in the security sense, is a combination of internal programs and external tools and tech that creates a hard shell around your employees — think proactive threat intel, defense-in-depth processes, and automation and machine learning.

The complexity of your Jarvis system will depend on the size of your organization and what you can invest in outside resources. Simple open source phishing simulations and basic firewalls with intel feeds are a good starting point for smaller organizations; medium to larger organizations may look to email gateway-scanning tools and complex phishing-simulation services as well. Regardless of your buying power, a proper blending of external tools and resources with your inside expertise and processes are vital to ensure that the setup of your very own Jarvis system is successful.

Once you've found your Pikul and activated your Jarvis, you may be asking what else you can do to supercharge security awareness at your organization. For me, it's all about blending the people/processes/tech to focus on psychology. Security programs built with cyber psychology at the center create a collaborative, not punitive, relationship between your security team and the employee base and empowers employees to be proactive and stay vigilant from threats through positive interactions and reinforcement.

You never know the true potential of your team until you give them the proper training, tech, and trust — that's where the psychological element layers in. After all, Tony Stark wasn't a superhero until he put on the suit. And to end with my favorite line from Tony to Peter Parker, "If you're nothing without this suit, then you shouldn't have it."

Iron Man Started His Journey From Scratch & Your Security Awareness Program Can Too

Half of a million passwords from the RockYou2021 list account for 99.997% of all credential attacks against a variety of honeypots, suggesting attackers are just taking the easy road.

Tens of millions of credential-based attacks targeting two common types of servers boiled down to a small fraction of the passwords that formed a list of leaked credentials, known as the RockYou2021 list.

Vulnerability management firm Rapid7, via its network of honeypots, recorded every attempt to compromise those servers over a 12-month period, finding that the attempted credential attacks resulted in 512,000 permutations. Almost all of those passwords (99.997%) are included in a common password list — the RockYou2021 file, which has 8.4 billion entries — suggesting that attackers, or the subset of threat actors attacking Rapid7's honeypots, are sticking to a common playbook.

The overlap in all the attacks also suggest attackers are taking the easy road, says Tod Beardsley, director of research at Rapid7.

"We know now, in a provable and demonstrable way, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet," he says. "Therefore, it's very easy to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls."

Every year, security firms present research suggesting users are continuing to pick bad passwords. In October 2021, for example, a cybersecurity researcher in Tel Aviv, Israel, found he could recover the passwords to 70% of the wireless networks as he pedaled past, often because they used a cellphone number as the password. In 2019, an evaluation of passwords leaked to the Internet found that the top password was "123456," followed by "123456789" and "qwerty," although it's unclear whether those leaks included old or rarely used accounts without password policies.

    

Attackers tend to guess the same common passwords. Source: Rapid7

In this case, however, Rapid7 researchers focused on the common passwords used by attackers rather than defenders, so the analysis applies to attackers' guesses in brute-force attacks. Such attacks have risen dramatically during the COVID-19 pandemic, with password-guessing becoming the most popular method of attack in 2021, according to an analysis by cybersecurity firm ESET.

"With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed," Rapid7 stated in its report. "As with so many things in security, the addition of convenience and complexity has made the task of protecting these systems far more challenging."

**One Year, a Half-Million Passwords**

Rapid7's research used credential data gathered from its Remote Desktop Protocol (RDP) and Secure Shell (SSH) honeypots between Sept. 10, 2021, and Sept. 9, 2022, detecting tens of millions of attempts to connect to the company's honeypots. The vast majority of attacks attempted to gain access to the SSH honeypots, with 97% of the more than 500,000 unique passwords targeting the mock SSH servers, according to Rapid7. The attacks targeting both SSH and RDP came from about 216,000 unique source IP addresses.

The half-million passwords represent less than a 100th of a percent of the permutations in the RockYou21 data set.

"The traffic we're seeing is indicating that these are off-the-shelf attacks with essentially no custom configuration," Beardsley says. "To put it another way, if there was any customization that ventured beyond the stock set of passwords, we would have seen it in these samples."

While the data says little about whether users are selecting poor passwords, the selection does indicate that attackers are taking the simplest path in their attacks. As is clear from the data, attackers are not attempting every entry on the RockYou2021 list, but a much smaller number. In addition, only a handful of passwords and usernames are the most common, dominating the distribution of passwords. 

Top RDP usernames are "administrator," "user," and "admin," while the top SSH usernames are "root," "admin," and "nproc." Bad passwords — such as "admin," "password," "123456," and an empty string indicating no password — are the most popular passwords attempted by attackers.

**Attackers Just Assume Users Use "Lame" Passwords**

The study didn't reflect poor password creation by users but rather that attackers believe that trying a few poorly selected passwords against their targets are a worthwhile guessing game, says Rapid7's Beardsley.

"We can't say precisely how successful attackers are with these lists of lame passwords, but basic economics tells us that they must be getting at least some value out of these attacks, or else we wouldn't be seeing millions of attempts over the year," he says. "My suspicion is that whoever is running these bots are running these attacks essentially at very low cost, and it's worthwhile enough to run this kind of attack with only occasional wins."

Organizations should continuously monitor systems for default and easily guessable passwords, which means running the RockYou2021 list of stolen credentials against exposed and internal systems. Rapid7 also recommends paying particular attention to external-facing SSH and RDP servers, as well as Internet of Things systems that may not have easy-to-change passwords.

In addition, companies should teach employees to use password managers to make strong, unique password creation easy, Beardsley says.

"By utilizing a password manager, you have the ability to generate a completely random password — one that certainly isn’t in the RockYou set — and have a different one for every service you offer," he says. "It all depends on being aware of the threat, but once you cross that hurdle, it's easy to avoid becoming a victim."

List of Common Passwords Accounts for Nearly All Cyberattacks

The new open source specification from Open Compute Project is backed by Google, Nvidia, Microsoft, and AMD.

Some of the top names in the hardware industry have joined forces to create common technologies to enhance security in the cloud.

Google, Nvidia, Microsoft, and AMD partnered to establish Caliptra, an open specification to embed security mechanisms inside chips. The spec, which is open source and free to license, was announced on Tuesday at the Open Compute Project Summit, being held in Santa Clara, Calif. The participating companies are members of the Open Compute Project (OCP), which will maintain the development of the specification along with the Linux Foundation.

The Caliptra project revolves around establishing a root of trust (RoT) — building security layers into silicon so data is encrypted and not exposed as it travels in data centers or the cloud.  

"We need to embed that capability in silicon. At some point in the future, it's not going to be enough to have it on the motherboard, for example in the server as a separate piece of circuitry," said Cliff Grossner, vice president of market intelligence at OCP, during a press briefing.

Caliptra expands the security boundaries of data from the chip level to the cloud. The specification provides common language for chip makers and cloud providers to create technologies around confidential computing, which is gaining attention as a way to protect data while it is in storage, in transit, or being processed in the cloud.

"With the rise of edge computing, the resultant growth in the exposed attack surface also presents a need for stronger physical security solutions," wrote Mark Russinovich, Microsoft CTO for Azure, in a Tuesday blog post about Caliptra.

**Defining Open Source Confidential Computing**

Vulnerabilities like Spectre and Meltdown showed hackers could steal data by attacking hardware. Intel and AMD, whose CPUs dominate the data center and cloud infrastructure, are adding proprietary features to lock down data at the chip level, but Caliptra is being pitched as a viable open source alternative.

The specification defines a reusable silicon block that can be dropped into chips and devices to establish an RoT. The silicon block provides verifiable cryptographic assurances that the chip security configuration is correct. It also provides a mechanism within the chip to ensure that the boot code can be trusted.

"This represents an enhancement over existing solutions today, and we expect that this will meet the enhanced security requirements for edge and confidential computing going forward," OCP's Grossner said.

The specification includes mechanisms to protect data from a range of electromagnetic, side-channel, and other common attacks. But Caliptra does not cover emerging attack vectors like quantum computers, which will provide the means to crack advanced encryption in just seconds.

The Caliptra specification also covers major aspects of attestation, which is more of a chip-level handshake to ensure that only authorized parties get access to data stored in hardware enclaves. The RoT blocks in a chip isolate the data, while providing an effective mechanism to verify the authenticity and integrity of code, firmware, and other security assets.

**Securing the Enterprise Cloud**

The first Caliptra spec, version 0.5, can be prototyped on field-programmable gate arrays before being implemented into final chip designs. The specification document points to the technology being geared for enterprise computing infrastructures rather than home or business PCs.

The tenets of Caliptra, which include authentication, detection, and recovery, tilt heavily toward establishing a silicon RoT for server and edge chips, which are built differently than PC chips.

Microsoft is using attestation based on Trusted Platform Module (TPM) chips as a security mechanism for Windows 10 and 11 operating systems. The company's Pluton security chip, which has a TPM built in and can be used for attestation, has largely been rejected by the wider PC industry.

Microsoft and Google executives didn't say whether or when they would make Caliptra a part of their cloud services. Microsoft last week expanded the use of AMD's SNP-SEV technology for confidential computing in the cloud. Azure also offers virtual machine instances with Intel's proprietary SGX security enclave.

**Expanding the Open Compute Project**

The Open Compute Project was established in 2011 by the likes of Google and Meta (then Facebook), which were buying thousands of servers and looking to standardize on hardware designs in their mega data centers. The goal was to reduce the server build times and cut costs by stripping off unnecessary components.

OCP has since grown into a powerhouse that counts all major infrastructure hardware providers as members — with the exception of Apple and Amazon, which rely on internally designed hardware.

OCP guidelines also include power, cooling, storage, and networking specifications that are now widely adopted. The OCP has also inspired nontech companies, largely in the financial sector, to experiment and develop standardized servers for on-premises data centers.

"We have the industry leaders coming together here within the OCP community, and we want to bring the standardized facility architecture for deployed servers," Grossner said. "Server security will become scalable."

Servers previously largely depended on CPUs, but now include different computing devices such as GPUs to handle applications like artificial intelligence. Standardizing the server security architecture was a top priority for company executives addressing media during the OCP call.

"This ecosystem we all play in — it starts with trust you have ... in your computing. We were on a path to have a number of bifurcated solutions, and that's just not good for anyone," said Mark Papermaster, chief technology officer at AMD, during the call.

Hardware Makers Standardize Server Chip Security With Caliptra

Lapsus$ Group became a top target after it breached the Brazilian Ministry of Health, among other targets.

Brazil's Federal Police announced they have arrested a Brazilian man they suspect as being a member of the cybercrime organization Lapsus$ Group. 

The man's arrest this week is the result of what the authorities dubbed "Operation Dark Cloud," launched in August, according to police, following Lapsus$ Group cyberattacks late last year on the Ministry of Health, Ministry of the Economy, Comptroller General of the Union, and the Federal Highway police. 

"The investigations began last December, when the Federal Police became aware that the cloud environment of the Ministry of Health had been attacked," the Federal Police statement said. "At the time, the attackers deleted files, data and instances from the attacked folder, even leading to the compromise of the website (connectus.saude.gov.br), responsible for the National Vaccination Certificate."   

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Brazilian Police Nab Suspected Member of Lapsus$ Group

Many enterprises continue to leave cloud storage buckets exposed despite widely available documentation on how to properly secure them.

Cloud storage misconfigurations of the sort that Microsoft disclosed late yesterday continue to be a major contributor to data breaches.

Microsoft Security Response Center said in a post that information shared by prospective clients with the company in recent years potentially may have been compromised via a misconfigured cloud storage endpoint.

SOCRadar, the threat intelligence firm that reported the issue to Microsoft, described discovering the data in an Azure Blob storage bucket that was publicly accessible over the Internet. The data was associated with more than 65,000 companies in 11 countries and included statement-of-work documents, invoices, product orders, project details, signed customer documents, product price lists, personally identifiable information (PII), and potentially intellectual property as well.

Microsoft blamed the issue on an unintentional misconfiguration on an endpoint containing the data, and said SOCRadar "greatly exaggerated the scope of this issue," with some duplicate data that exaggerated the numbers.

**Ongoing Problem**

Storage-bucket misconfigurations by other organizations have resulted in numerous data breaches in recent years. A Trend Micro study last year found storage-related configuration errors to be among the most common cloud security issues that lead to data breaches. The analysis showed, for example, that administrators frequently misconfigure a setting in Amazon's AWS cloud service that allows organizations to block public access to data in their S3 storage buckets. But even with readily available and detailed documentation, administrators often fall short and leave Amazon S3 buckets open and publicly accessible. 

The security vendor found the same problem prevalent in Microsoft Azure storage environments as well. The Azure storage account service that contains Azure Storage objects such as blobs, file shares and tables, had a misconfiguration rate of 60.75%, Trend Micro found.

Unsurprisingly, data exposures resulting from misconfigured cloud storage buckets remain commonplace. Many of the publicly known instances have involved data in insecure or poorly configured AWS S3 storage buckets. One recent example is Skyhigh Security's discovery of some 3TB worth of airport data — more than 1.5 million files — stored in a publicly accessible S3 bucket. The compromised data included PII and sensitive employee and company data associated with at least four airports in Peru and Colombia.

According to third-party risk management vendor UpGuard, there have been thousands of S3-related breaches tied to misconfigured S3 settings in recent years. Incidents involving Azure Blob misconfigurations — though fewer in number — have resulted in major compromises as well. Research that CyberArk conducted last year uncovered millions of files stored online in Azure Blob storage without any access restrictions at all, meaning anyone looking for the data could access it. Many of the files that CyberArk found include personal identifiable information, payment card information, financial information, and other sensitive data.

**So Much Data**

Meantime, the circumstances surrounding Microsoft's newly disclosed Azure Blob misconfiguration are not clear, says Claude Mandy, chief evangelist for data security at Symmetry Systems. "A more technical post-incident analysis would be beneficial for the entire industry to take proactive steps to avoid similar issues," he says.

The information released thus far on the Microsoft incident suggests that either the Azure storage container or the blobs containing the data was configured to allow anonymous public read access to the data — a setting that is not allowed by default. "This configuration drift is unfortunately common. For example, it may result from users with excessive privileges attempting to share specific data with external parties without having the expertise to configure external access securely," Mandy says.

In addition, it appears that the specific blob storage may have also been used to backup data from other blob storages, resulting in further unattended sharing of data, he adds.

The incident underscores the challenges organizations face from the sheer scale of data being generated and collected these days, and the way it is shared and managed. "This can include simple changes such as people joining and leaving organizations, or the need to use or share data with different parties," Mandy says. "The impact of the continual change at the most granular data object level can result in unattended and significant consequences but is challenging to manually monitor at scale."

Andrew Hay, chief operating officer at Lares Consulting, believes the recent incident was likely the result of an oversight by a developer or administrator. "Like AWS S3, users must go out of their way to allow public access to the Azure Storage Blob," Hay says. "Public read-access to blob data is an optional setting that can be enabled on a container."

While public read-access can be convenient for sharing data it also entails security risks, he says. Azure allows administrators to disallow public access to data in a storage account, he notes. Any subsequent request for access to blob data then would need to be authorized and anonymous requests would fail, Hay explains.

Microsoft had not responded to a request for additional comment as of this posting.

Microsoft Data-Exposure Incident Highlights Risk of Cloud Storage Misconfiguration

Zero trust protects identities, endpoints, applications, networks, infrastructure, and data, and can be implemented in different ways.

Cyberattacks in 2021 continued to steadily increase in volume and sophistication. Ransomware continued its ruthless path across industries, often putting lives at risk. Ransomware attacks also became increasingly simple to carry out with toolkits, as in the case of the Colonial Pipeline attack that disrupted businesses and daily life for many. Indeed, the FBI’s Internet Crime Complaint Center reported 2,084 ransomware complaints from January to July 31, 2021, a 62% year-over-year increase.

With most organizations shifting to a hybrid work environment as a result of the pandemic, the attack surface has dramatically expanded beyond corporate boundaries, leaving organizations even more exposed to cyber threats. CISOs and other cybersecurity leaders are facing the dual challenges of enabling digital transformation while adapting to a rapidly expanding threat landscape. This continues to reinforce the need for a comprehensive security approach that aligns to business priorities.

What happens when security leaders have a comprehensive security approach based on zero-trust principles? They can be fearless, armed with the ability to secure everything without any limits. Let’s take a look at four ways that we have seen organizations manage a comprehensive security approach.

**Commit to a Zero-Trust Strategy**

Today’s organizations need a security model that adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they’re located. That is exactly what you get when implementing a zero-trust approach based on the three guiding principles of verify explicitly, use least-privilege access, and assume a breach. Instead of believing everything behind the corporate firewall is safe, the zero-trust model assumes a breach and verifies each request as though it originated from an uncontrolled network.

Microsoft's zero-trust approach is designed to reduce risk at every opportunity across the digital estate, which includes identities, endpoints, applications, network, infrastructure, and data. This means that every transaction must be validated and proved trustworthy before the transaction can occur. This approach is consistent with industry standards like the Open Group’s recently released Zero Trust Commandments and the NIST’s Zero-Trust Architecture.

Zero trust takes a fresh look across all of your security disciplines, including access control, asset protection, security governance, security operations, and innovation security (e.g., DevSecOps). Architecturally, this brings in automated enforcement of security policy, correlation of signals across systems, and extensive security automation and orchestration to reduce manual labor and toil.

**Manage Compliance, Risk, and Privacy**

Organizations constantly access, process, and store a tremendous amount of data — which is only increasing with business innovation. Additionally, organizations now face an ever-growing landscape of data regulations, creating complexity and compliance risk. Organizations should look for tools that translate complicated regulations and standards into simple language, map controls, and recommend improvement actions in the form of step-by-step guidance.

Additionally, many organizations still use manual processes to discover how much personal data they have stored; thus, they lack actionable insights to help mitigate security and privacy risks. With a privacy management tool, organizations can identify critical privacy risks, automate privacy operations, and empower employees to be smart when they are handling sensitive data.

**Use a Combination of XDR + SIEM Tools**

SecOps sifts through ever-growing mountains of data to detect and hunt for today’s attacks.

We have found that SecOps teams work best at this with a combination of deep analytics, broad visibility, and orchestration and automation:

*   Extended detection and response (XDR) tools provide deep insights and high-quality detections that let SOCs spend time on actual attacks rather than chasing false alarms (false positives).
*   Security information and event management (SIEM) tools help security operations gain a broad view across the environment and avoid “swivel chair analytics” from having to work across different consoles. 
*   Security orchestration, automated, and response (SOAR) tools help lower analyst burnout by automatically investigating and remediating attacks and orchestrating repetitive tasks across tools. 

The integration of these three types of tools ultimately helps organizations stay ahead of today’s complex and rapidly evolving threat landscape.

**Using MFA Whenever and Wherever Possible**

Multifactor authentication (MFA) is an essential tool to secure access to important resources within an organization. MFA adds a layer of protection to the sign-in process that passwords alone simply cannot offer. While MFA doesn’t stop all attacks, it does an amazing job of taking password-attack techniques off of the table. Password attacks are typically automated, resulting in a high volume of attacks that often result in attackers getting access to systems. Organizations that use MFA tools are better protected through additional identity verification when accessing accounts or apps.

In a world of remote and hybrid work, taking a comprehensive approach to security with a zero-trust strategy makes an organization more resilient to the continuous drumbeat of cyberattacks. Microsoft is committed to enabling this world with end-to-end security solutions, architectural guidance, insights and education, security program best practices, and more.

4 Ways To Achieve Comprehensive Security

New Android malware variant is part of long-running Domestic Kitten campaign being conducted by APT C-50 Group, analysts report.

Analysts have flagged a new Android malware variant being used by APT-C-50 as part of its wider Domestic Kitten campaign to spy on Iranian citizens. 

ESET researchers named the new spyware FurBall, but point out that aside from a few new scripts and tweaks, the basic functionality of the latest APT-C-50 malware iteration is unchanged from previous versions. The mobile surveillance spyware is delivered through a malicious app that offers Iranian translations of books and magazines. 

Domestic Kitten campaign was first discovered back in 2016. 

"The analyzed sample requests only one intrusive permission — to access contacts," the ESET team said about the new FurBall malware. "The reason could be its aim to stay under the radar; on the other hand, we also think it might signal it is just the preceding phase, of a spearphishing attack conducted via text messages."

However, if the attackers could expand the malicious app permissions, they would be able to steal additional device data, including text messages, location information, recorded voice calls, and more, the researchers added.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading