Malicious Windows drivers signed as legit by Microsoft have been spotted as part of a toolkit used to kill off security processes in post-exploitation cyber activity.

Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — including being used as part of a small toolkit aimed at terminating security software in target networks.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained in an advisory issued on Dec. 13. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

Code signing is used to provide a level of trust between the software and the operating system; as such, legitimately signed drivers can skate past normal software security checks, helping cybercriminals move laterally from device to device through a corporate network.

**SIM-Swap, Ransomware Attacks**

In this case, the drivers were likely used in a variety of post-exploitation activity, including deploying ransomware, the computing giant acknowledged. And Mandiant and SentinelOne, which along with Sophos jointly alerted Microsoft to the issue in October, have detailed the drivers' use in specific campaigns.

According to their findings, also issued on Dec. 13, the drivers have been used by the threat actor known as UNC3944 in "active intrusions into telecommunication, BPO \[business process optimization\], MSSP \[managed security service provider\], and financial services businesses," resulting in a variety of outcomes.

UNC3844 is a financially motivated threat group active since May that usually gains initial access to targets with phished credentials from SMS operations, according to Mandiant researchers.

"In some cases, the group’s post-compromise objectives have focused on accessing credentials or systems used to enable SIM-swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments," Mandiant detailed in a separate Dec. 13 blog post on the issue.

In service of those goals, the group was observed using the Microsoft-signed drivers as part of a toolkit designed to terminate antivirus and EDR processes. That toolkit consists of two pieces: Stonestop, a Windows userland utility that terminates processes by creating and loading a malicious driver, and Poortry, a malicious Windows driver that uses Stonestop to initiate process termination.

SentinelLabs also observed a separate threat actor using the same driver, "which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling."

To combat the threat, Microsoft has released Windows Security Updates that revoke the certificate for affected files and suspended the partners' seller accounts.

"Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity," the company noted in the advisory.

Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Version 2.0 of the Common Security Advisory Framework will enable organizations to automate vulnerability remediation.

Today, nearly every party that issues security advisories uses its own format and structure. Plus, most security advisories are only human-readable, not machine-readable.

System administrators have to read each advisory, determine if they use the products and versions listed, and evaluate the potential risk and existing mitigations. Based on their system's exposure and the business value, they make a decision about if and when to patch.

It’s a time-consuming process that delays vulnerability remediation and increases risk. Vendors and providers of software and hardware need to disclose security vulnerabilities in a way that accelerates this process and empowers customers to use automation.

**The New Standard for Security Advisories**

The Common Security Advisory Framework (CSAF) 2.0 supports the automation of vulnerability management by standardizing the creation and distribution of structured machine-readable security advisories.

CSAF is an official standard of OASIS Open. The technical committee that developed CSAF includes numerous public- and private-sector technology leaders, users, and influencers.

Manufacturers can use CSAF to standardize the format, content, distribution, and discovery of security advisories. These machine-readable JSON documents enable administrators to automate the comparison of advisories against a user’s asset database or even a supplier's software bill of materials (SBOM) database.

The automated system can filter vulnerabilities based on the products of interest and prioritize based on business value and exposure. This dramatically speeds up the evaluation process and enables administrators to focus on managing risk and fixing vulnerabilities.

**CSAF, VEX, and SBOMs**

Vulnerability Exploitability eXchange (VEX) is a profile in CSAF. VEX was developed in the SBOM community as a way for manufacturers to easily convey that a product is not affected by issuing a so-called negative security advisory. VEX is designed to work with SBOMs, although it is not necessary to have an SBOM to use VEX documents.

A VEX document must include information about the disposition of each vulnerability as it impacts each product. A product can be marked as under investigation, fixed, known affected, or known not affected. For those products that are marked as known not affected, VEX requires that the publisher include a justification for that status.

Being able to communicate the various statuses of a vulnerability — including under investigation and not affected — means customers can get that information without calling the vendors or manufacturers, which will be a relief to customer support. Moreover, it enables customers to better manage vulnerability risk.

When paired with an SBOM, VEX documents enable administrators to use asset management systems to quickly determine what vulnerabilities are not exploitable, which frees them to focus on any vulnerabilities that could put their businesses at risk.

**Other CSAF Profiles**VEX is one of five profiles in the CSAF schema. Each profile has certain required fields and is designed to address a specific need.

The CSAF base profile serves as the foundation for all of the other profiles. It defines the default required fields for any CSAF document — primarily information about the document itself, such as who published it, when it was published, and if it has been revised.

The security advisory profile includes information that we see in most security advisories today — details about the vulnerability, products affected, and remediations.

The informational advisory profile can be used to provide information about a security issue that is not a vulnerability, such as a misconfiguration.

Finally, the security incident response profile can be used to provide information about a security breach or incident that happened at the company, or about the impact that an incident involving another party (like a contractor or component manufacturer) had on the company.

**CSAF Tools and Guidance**

CSAF defines conformance targets that help consumers and producers to find the right tool for their requirements. The OASIS CSAF technical committee also developed a suite of tools for using CSAF, including:

*   Secvisogram is an online editor to create, update, and view CSAF documents. It also can produce a human-readable version of the document.
*   CSAF CMS back end is a work-in-progress implementation of a CSAF content management system. The system will support producers of CSAF documents by providing workflows and automation of metadata creation.
*   CSAF validator service is a REST-based service that implements the CSAF full validator target. It tests a given CSAF file according to the specification.
*   CSAF Provider is an implementation of the role CSAF Trusted Provider and offers a simple HTTPS-based management service. It acts as a static site generator to present CSAF files as required by the standard.
*   CSAF Checker is a tool for testing a CSAF Trusted Provider according to Section 7 of the CSAF standard. It checks requirements without considering the indicated role.
*   CSAF Downloader is a tool for downloading advisories from a CSAF provider.

To help issuing parties to write actionable CSAF documents, there is guidance for each field, which can be found here.

CSAF Is the Future of Vulnerability Management

Without many details, Apple patches a vulnerability that has been exploited in the wild to execute code.

The latest Apple security update includes a fix for an actively exploited security vulnerability that could allow arbitrary code execution on iPhone 8 and above. 

The bug, fixed with the iOS 16.1.2 update, is a type confusion issue in the WebKit browser engine. Type confusion occurs when a piece of code doesn't verify the type of object that is passed to it; in this case, it can be be triggered when processing specially crafted content, Apple noted in its advisory. 

As for the active exploitation, the mobile giant noted that it is "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."

Apple has been plagued by zero-day exploits over the past several months.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Zero-Day Actively Exploited on iPhone 15

Former pure-play deception startup Illusive attracts Proofpoint with its repositioned platform focusing on identity threat detection and response (ITDR).

Less than year after a shift to the burgeoning identity threat detection and response (ITDR) market from its initial roots as a pure-play deception technology startup, Illusive reached the liquidity promised land this week. Proofpoint has announced plans to purchase the firm for an undisclosed amount, with the deal set to close in early 2023.

According to executives from Proofpoint, which specializes in email and cloud security, the pickup was spurred by a drive to reinforce its technology portfolio with identity-focused protections. The company said it was drawn to Illusive for its identity risk discovery and remediation capabilities, in addition to post-breach defenses that could build out Proofpoint's protections against ransomware​ and data theft.

"It's currently far too easy for an attacker to turn one compromised identity into an organizationwide ransomware incident or data breach," said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in a statement.

**Deception Tech: Not Enough on Its Own**

Initially founded in 2014 by former Check Point Software Technologies veteran Ofer Israeli, Illusive touted itself for a long time for its deception technology capabilities, focusing primarily on breach detection through the use of decoy assets — including credentials — seeded on customer networks. 

The firm had raised more than $54 million in venture funds with that market positioning. However, pure-play deception increasingly has been subsumed as a narrow feature set within broader segments, like extended detection and response (XDR).

As Forrester's David Holmes put it in his analysis of the acquisition of deception player Attivo by XDR vendor SentinelOne in March, "Deception tech, while _super cool_, was never able to achieve escape velocity on its own, and some of its shining stars are disappearing into portfolios of larger vendors."

Amid that kind of market action, Illusive pivoted.

**Entering the ITDR Space**

Earlier this year, it repositioned itself as an identity risk management vendor, with the launch of its Illusive Spotlight ITDR platform in February. 

The platform is not that big of a departure from its deception roots — it works hand-in-hand with the deception technology the vendor had developed and sells through its Illusive Shadow product. But the launch of Spotlight gave Illusive leave to reposition itself as a major identity player and go after a market that industry analysts are increasingly promoting as an important component of security programs of the future. 

In March, Gartner named the rise of ITDR as one of the top security and risk management trends for 2022.

"Organizations have spent considerable effort improving \[identity access management\] IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure," Peter Firstbrook, research vice president for Gartner, said in that prediction. "ITDR tools can help protect identity systems, detect when they are compromised, and enable efficient remediation."

In many ways, this deal by Proofpoint mirrors SentinelOne's purchase of Attivo. Forrester's Holmes said at the time that the company was attracted to Attivo's identity capabilities first, with the deception element coming second.

"What acquisitions like this one ultimately mean for security and risk decision-makers is that they can pivot from deploying a stand-alone deception tech product and start evaluating how deception gets paired with one or two key tactical domains such as identity," Holmes wrote at the time.

The Proofpoint purchase of Illusive solidifies that assessment.

Proofpoint Nabs Illusive, Signaling a Sunset for Deception Tech

The proliferation of automated cyberattacks against npm, NuGet, and PyPI underscores the growing sophistication of threat actors and the threats to open source software supply chains.

An automated attack within the NuGet open source ecosystem for .NET developers has resulted in a flood of malicious packages containing links to phishing campaigns.  

That's according to a joint report on Wednesday from Checkmarx and Illustria, which, upon digging deeper, found that automated attacks are taking aim on a broad level, against users of the npm, NuGet, and PyPI software developer ecosystems.

The attack vector in the NuGet ecosystem involves the use of automated processes to create a large number of packages with names and descriptions designed to lure those interested in hacking, cheats, and free resources. These contain links to phishing campaigns built to steal personal information or other sensitive data.

The scale of this attack is unique, according to the report, because it involves the creation of over 144,000 packages by the same threat actor — a significantly larger number of packages than is typically seen in such attacks, making it an especially large and significant event.

"The use of automated processes to create the packages and user accounts makes it difficult for security teams to identify and take down the packages," Jossef Harush, head of supply chain security engineering at Checkmarx, tells Dark Reading.

Harush adds, "This makes the attack more dangerous and harder to defend against. It also highlights the need for organizations to be vigilant and take steps to protect themselves against these types of attacks."

**Automation: Improving Efficiency, Reducing Risk to Hackers**

Harush explains the attackers likely invested in automation to poison the NuGet, PyPI, and npm ecosystems because it allows them to create a high volume of packages and user accounts in a short amount of time.

"This allows them to spam the open source ecosystem with many packages, potentially reaching a significant number of users and increasing the likelihood that they will fall victim to the phishing campaigns," he says.

Additionally, because the use of automation makes it difficult for security teams to identify and take down the packages, the attackers can continue their campaign for a longer period.

"Automation also reduces the risk of the attackers being caught and allows them to operate more efficiently and with less risk," Harush notes.

**Malicious Packages: Key Preventive Measures**

In addition to monitoring networks for signs of the phishing campaigns and other suspicious activity, and educating employees about the importance of being cautious when downloading packages from open source ecosystems, businesses should consider security tools and services to help identify and protect against such threats to their software supply chains.

"Security postures against software supply chain attackers need to evolve in several ways to better defend against these threats," Harush says. "First, the package managers need to improve their ability to detect and prevent the publication of malicious packages to open source ecosystems like NuGet, PyPI, and npm."

He explains this may involve the use of technology to monitor these ecosystems and identify suspicious activity, as well as the development of better security practices and processes for identifying and responding to threats.

Harush points out that overall security postures against software supply chain attackers need to be more proactive, adaptable, and collaborative to effectively defend against these threats.

"This may involve a combination of technology, processes, and people working together to identify and respond to these threats in a timely and effective manner," he says.

A recent report from Google also noted that security leaders should take a more holistic approach to addressing supply chain risks, and should work to implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity.

Automated Cyber Campaign Creates Masses of Bogus Software Building Blocks

Learn to think three moves ahead of hackers so you're playing chess, not checkers. Instead of reacting to opponents' moves, be strategic, and disrupt expected patterns of vulnerability.

Many an article chronicles hacked passwords available in bulk on the evil "Dark Web." It's presented as evidence that the bad behavior of users is the root of all hacking. But as a former red teamer, the end user isn't the only one who is a prisoner to discernable behavioral patterns.

There is a "pattern of vulnerability" in human behavior extending far beyond end users into more complex IT functions. Finding evidence of these patterns can give hackers an upper hand and speed the timeline of compromise.

It's a reality I recognized earlier in my career in operational roles. I've physically helped rebuild and relocate data centers and rewire buildings from top to bottom. It gave me a great perspective of what it takes to build in security from scratch, and how unconscious behaviors and preferences can put it all at risk. In fact, understanding how to identify these patterns gave me a very reliable "superpower" when I moved into red teaming, which ultimately resulted in a patent grant. But more on that later.

**Fatal Recall**

Let's start by examining how our addiction to patterns betrays us — from credentials, to software operation, to asset naming.

While technology has afforded us so many benefits, the complexity of managing it — and the cumbersome controls intended to protect — drives people to repeatable patterns and the comfort of familiarity. The more regular the task or function becomes, the more complacent we get with the pattern and what it telegraphs. For a red teamer, the ability to watch routines, from the physical to the logical, can offer a wealth of intelligence. Repeatability offers opportunity and time to discern patterns, and then to find the vulnerability in those patterns that can be exploited.

Internal naming schemes in particular — be they asset names, system names, or credential groupings — lend themselves to picking common words for descriptive categorization. I saw one organization that used the names of mountains. And while you may not know which system K2 versus Denali is, it acts as a filter for an attacker as they explore an environment. It's also an excellent social engineering tool, allowing an attacker to "speak the internal IT lingo." You may ask, OK, but "what's in a name?"

**Brutal Reality**

I'm sure you've heard of brute-force attacks where attackers throw guesses in volume at a target to find the right combination that leads to access. It's a numbers game and a blunt instrument. However, if you can discern the use of naming conventions, it sharpens the ability to focus on a range of accounts or systems, and then understand their potential attributes. It speeds up the clock for an attacker.

But, you ask, "if these are _internal_ conventions, how does an _external_ attacker even find this type of information"?

**Patently True**

Enter my aforementioned superpower. As any experienced red teamer knows, information leaks out of organizations in many ways, you just need to know where to look, and how to find the signals in the noise.

Internal naming groups and conventions become exposed to the outside world in a variety of ways. They're buried in website code, detailed in technical documentation or as part of APIs, or just simply published in public system information.

Admittedly, this is a very large haystack, but finding the needles is exactly what the patent I was involved in (US Patent 10,515,219) endeavors to do. Site-scanning tools collect a range of information, and unsurprisingly, an overload of information. My approach strips out all the technical programming information (such as markup, JavaScript, etc.), and leaves just words. It then compares results with lists of English words. The algorithm then identifies groupings of words or abbreviations _not_ present in the selected language that, presumably, _may_ signify an internal naming convention or credentials. As is common with brute-force campaigns, it may not, but as the axiom goes, the attacker only needs to be right _once,_ so the ability to generate context-sensitive word lists may make or break your next campaign. This is when the picture may start to become clearer and the shape of things such as user groups, system names, etc., manifest.

**Actions Speak Louder**

So, we've established how our deeply rooted behaviors can betray our security literally with "writing on the wall." How do we change, or at least be more aware of, our very nature?

There's the old joke summed up in the punch line that you don't need to outrun a tiger — you just need to outrun your companions. In this way, **first use the basic "sneaker" technologies**. Password managers, multifactor authentication (MFA), and the like at least allow you to outrun your peers so attackers can focus on the laggards in the herd.

**Second, elect for regular change.** Change is uncomfortable, but that discomfort triggers better situational awareness. If you know yourself and your environment better, and force change, that helps prevent an attacker's ability to get to know you too well.

**Next, trust your gut**. If something doesn't seem right, it probably isn't. If you focus on failure and not the familiarity of the behavior around failure, you're better equipped to see the bad guys coming and make sure a small anomaly doesn't become a big problem.

**Finally, play chess, not checkers**. Too many organizations think they're playing chess, and may be employing more complex pieces and roles, but if, ultimately, you're playing in reaction to your opponents' moves, it's checkers in disguise.

It's a lesson I am teaching my own son while he's interested in learning chess. He's learning the _strategy_ behind the game. He understands using the pieces and their characteristics to manipulate the game, and is quickly catching on to the fact that he also needs to focus on manipulating _me_. I'm teaching him to think three moves ahead, think about what is possible, and lure his opponent into doing what he wants them to do, not what they want to do — and, most importantly, to trust the gambit.

How Our Behavioral Bad Habits Are a Community Trait and Security Problem

An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.

The Royal ransomware gang has quickly risen to the top of the ransomware food chain, demonstrating sophisticated tactics — including partial and rapid encryption — that researchers believe may reflect the years of experience its members honed as leaders of the now-defunct Conti Group.

Royal ransomware operates around the world, and reportedly on its own; it does not appear that the group uses affiliates through ransomware-as-a-service (RaaS) or to target a specific sector or country. The group is known to make ransom demands of up to $2 million and claims to have published 100% of the data it extracts from its victims.

A deeper dive into how the Royal ransomware group works shows a surefooted and innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims have a chance to respond, researchers from the Cybereason Security Research & Global SOC Team revealed in a blog post published Dec. 14.

One key aspect of Royal's tactics is the concept of partial encryption, where it locks up only a predetermined portion of file content rather than all of it. While partial encryption is not a new tactic, it is key to Royal's strategy, with the group taking it to a new level not seen much before in ransomware activity, the researchers said.

Recently, for instance, Royal has expanded the idea by basing the tactic on flexible-percentage encryption that can be tailored to the target, thus making detection more challenging, the Cybereason researchers said.

The group also employs multiple threads to accelerate the encryption process, giving victims less time to stop it once it starts, and the encryption also initially starts and deploys in different ways, which also makes detection challenging, according to Cybereason.

**Taking the Crown as a Rapidly Evolving Threat**

The US Department of Health and Human Services sounded an alarm last week about Royal ransomware specifically targeting the healthcare sector; however, the group has been active since early this year and appears agnostic when it comes to its victims, the researchers noted.

"The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more," the Cybereason researchers wrote.

While Royal began its activity by deploying other types of ransomware, by September the rapidly evolving cybercriminal group had developed its own. And by November, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, dethroning the dominant Lockbit for the first time in more than a year, the researchers said.

And even though Royal sets its sites on a diverse range of victims, its targeting of the healthcare sector demonstrates that the group is likely as ruthless as Conti was before it, noted one security expert.

"While some larger ransomware gangs have demonstrated scruples at either avoiding targeting healthcare institutions or providing decryption keys at no cost, it's clear that is not the case when it comes to Royal ransomware," says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management provider.

Targeting the healthcare industry could literally mean life or death for some of those affected by a ransomware attack, given that it can prevent clinicians from having access to key patient data, he says. This sector also tends to have a dearth of cybersecurity funds to defend itself against ransomware and other cyber threats, making it especially vulnerable, Surber says.

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial — and often physical — impact in a patient care setting," he says.

**A New Twist on Partial Encryption**

While most ransomware bases partial encryption only on the file size, then encrypts a set percentage of the file the same way each time, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large, the researchers said.

When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content — encrypted and unencrypted — into equal segments, researchers explained in the post. The fragmentation — and thus the low percentage of encrypted file content that results — lowers the chance of being detected by anti-ransomware solutions.

"This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products," the researchers noted.

The file size that Royal chooses for its partial encryption threshold — 5.24MB — also is the same as what Conti Group used in the past, encrypting 50% of a file in a divided manner if it was over this size, "much like Royal ransomware," the researchers wrote.

Though it's widely believed that Conti's former operators are behind Royal, this similarity is not strong enough evidence to confirm that link definitively, the researchers added.

Another technique unique to Royal is how it multithreads encryption, choosing the number of running threads by using the API call _GetNativeSystemInfo_ to collect the number of processors in a machine, the researchers divulged. It will then multiply the result by two and create the appropriate number of threads accordingly. This allows for rapid encryption, another show of sophistication by the group, the researchers said.

**Shielding the Enterprise From a Royal Threat**

To avoid rolling out the red carpet for Royal and other ransomware, researchers recommend that enterprises deploy a multilayer approach to malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-generation antivirus, and variant payload-prevention capabilities.

For healthcare organizations with limited cybersecurity resources that may not have such tools in their arsenal, one security expert advised the adoption of low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments.

_"_Endpoint security tools that integrate low-code security automation give healthcare organizations a cohesive protection strategy that protects patients and employees from data theft and extortion," Daniel Selig, security automation architect at security automation provider Swimlane, tells Dark Reading.

Royal Ransomware Puts Novel Spin on Encryption Tactics

Aiming to give threat hunters a list of popular attack tactics, a cybersecurity team analyzed collections of real-world threat data to find attackers' most popular techniques.

An analysis of threats encountered by four organizations has identified the most common techniques used by attackers to compromise systems, infiltrate networks, and steal data, according to data analysts at Splunk SURGe, which published details of the research on Dec. 14.

The analysis used published data from Mandiant, Red Canary, MITRE's Center for Threat Informed Defense, and the US Cybersecurity and Infrastructure Security Agency (CISA) to find the most popular post-compromise threat activities, as defined by the MITRE ATT&CK framework. Threat groups that gain access to a compromised system, for example, are likely (28% of the time) to start up the PowerShell command line utility to extend their attack laterally throughout a network and to gain persistence on the compromised machine, the analysis found.

The use of PowerShell, obfuscating files, and exploiting public-facing applications are the three most popular techniques for attackers, the analysis found. Using the data, security operations center (SOC) managers can ensure that they are focused on detecting common tactics, says Ryan Kovar, distinguished security strategist and leader of Splunk’s SURGe research team.

"A lot of times, SOC analysts don't know where to start, and these are the areas where four trusted sources are saying they see adversaries consistently using these techniques," he says. "I talk to a lot of people around the world, and they do not have logging turned on for PowerShell, and if you do not have logging for PowerShell you are never going to see what is arguably the No. 1 adversary technique according to these four groups."

    

The rankings of the top four techniques by data set. Source: Splunk

The analysis effort combined data on cyberattacks from multiple industries and multiple years, including more than 400 techniques from the MITRE ATT&CK framework and more than 100 techniques targeting industrial control systems (ICS).

The analysis comes at a time when attackers are shifting toward using more stealthy tactics and hands-on intrusion techniques, making the training of SOC analysts increasingly important. In the past year, for example, cybersecurity services firm CrowdStrike has seen a small but measurable increase in targeted attacks, which now account for 18% of all attacks. In addition, attackers are eschewing malware in their attacks, with 71% of intrusions investigated by the firm not using malicious tools.

For defenders, finding ways to detect attacks remains difficult, Splunk researchers stated in the analysis.

"It has never been more difficult to decide which threats deserve the most attention," the analysis stated. "A sound defensive approach to directing analysis efforts should be data-driven, focusing on the trends and progression of attacker tradecraft, such as represented in ATT&CK."

**PowerShell, Obfuscated Files Top Tactics**

The top four tactics used by intruders includes using PowerShell as a command shell and script interpreter and attempting to obfuscate files and commands to remain stealthy. Using vulnerabilities in public-facing applications is the third most common technique, while spear-phishing attacks are the No. 1 initial access technique, according to Splunk's analysis.

The company plans to expand the list to a top 20 most common tactics, allowing security teams to discuss whether they can detect the techniques and how best to use their current tools to do so.

A critical part of the effort should be to game out each technique, how it could be detected, and whether the current information, telemetry, and logs are able to detect attackers who use the technique. Determining which logs and telemetry to track is the hard part, Kovar says.

"Find all the ways to log and show that information because every vendor and company has such different information and different platforms," he says. "That is where the hard work comes in, and for a lot of people, they know what they want to do, but they just don't know where to start."

**Easing the Pain for Threat Hunters**

By focusing on the attack techniques most commonly used by attackers, SOCs and security teams should have more information about how to improve their programs and better detect attackers.

Easing the work of SOC analysis is critical. A year-old survey found that 72% of SOC analysts rated the pain of doing their jobs at least a 7 out of 10.

In the end, Splunk's SURGe team aims to give cybersecurity professionals a way to harden their networks against attacks. Tackling the top 20 list of attacker tactics and ensuring that the SOC can detect every technique is a great way to begin 2023, Kovar says.

"Your mileage may vary," he adds, "but I am very confident that if you want to start your threat hunting program in a couple areas and want an immediate return on investment, this is where you can start."

Analysis Shows Attackers Favor PowerShell, File Obfuscation

Deloitte's Future of Cyber study highlights the fact that cybersecurity is an essential part of business success and should not be limited to just mitigating IT risks.

Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impact of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.

In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.

"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It \[cyber\] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."

**Cyber Maturity Matters**

Deloitte categorized organizations' cybersecurity maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment. Whether or not the organization adopted any of these three practices hinged on stakeholders recognizing the importance of cyber responsibility and engagement across the whole organization, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organizational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.

In the analysis, 21% of organizations were considered high maturity, as they adhered to two or three of the key practices, and 41% of organizations were categorized as medium maturity for adhering to one of the practices. The remainder, or 38%, were low maturity, as they did not adhere to any of practices identified by Deloitte.

According to Deloitte, 91% of organizations reported at least one cyber incident or breach, but low maturity organizations tended to experience more significant cybersecurity events (6 or more events).

There were some differences based on the organization's maturity in what kind of issues they were concerned about. High-maturity organizations seem more concerned about cybercriminals and terrorists, as well as phishing, malware, and ransomware. Medium-maturity and low-maturity organizations were more concerned about denial-of-service attacks.

High maturity organizations are doing more when it comes to engaging leadership, planning, and acting, and they are seeing results in areas typically not associated with cybersecurity, such as increased efficiency, resiliency, and agility, Deloitte noted. Nearly 70% of high maturity organizations said their cybersecurity posture had an impact on enhancing trust and enabling efficiency throughout the organization. And 65% of the high maturity organizations cited resilience and agility as the benefits they are seeing as a result of their cybersecurity activities. More than half of the leaders of these high maturity organizations said their cybersecurity activities gave them confidence to take on new initiatives, compared to 45% for medium-maturity organizations and 40% for low-maturity organizations, Deloitte found. Cybersecurity also helped with the bottom line: 47% of high maturity organizations claimed their cybersecurity initiatives helped increase revenue.

Cybersecurity Drives Improvements in Business Goals

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.

Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 

Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.

**Actively Exploited Security Bug**

The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature for protecting users against malicious files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.

CVE-2022-44698 presents only a relatively small risk for organizations, says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.

Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as being "Important" in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.

**Vulnerabilities to Patch Now**

Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as being significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user. 

"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.

CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system, Microsoft said. 

The company assessed the vulnerability as something that attackers are more likely compromise, even though attack complexity itself is high. According to Childs, organizations should pay attention the vulnerability because it is the type of flaw that attackers often exploit when looking to "live off the land" after gaining initial access on a network. 

"Definitely don’t ignore this patch," Childs wrote.

And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response. 

"There might not be many enterprises relying on this tool, but for those using this \[Azure Network Watcher\] VM extension, this fix should be treated as critical and deployed quickly,' Childs said.

Researchers with Cisco Talos identified three other vulnerabilities as critical and issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application, Talos researchers said in a blog post. 

The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP). 

"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.

Among the vulnerabilities that the SANS Internet Storm Center identified as important are (CVE-2022-41089), an RCE in the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as another issue to watch. 

"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."

**A Confusing Bug Count**

Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.

Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 

Others, like SANS, also include security advisories that sometimes accompany Microsoft updates as vulnerabilities. Microsoft also sometimes releases patches during the month, which it also includes in the following Patch Tuesday update, and some researchers don't count these. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."  
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser. 

"If we exclude both the out-of-band and Google Chromium \[patches\], 49 patches for vulnerabilities were released today," he says.

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Source

DARKReading