Solution addresses compliance challenges in complex landscapes

**Ashburn, Va. – September 15, 2022** – Telos Corporation (NASDAQ: TLS), a leading provider of cyber, cloud and enterprise security solutions for the world’s most security-conscious organizations, is pleased to announce a collaboration with IBM Security as part of IBM’s Active Governance Services (AGS) that allows enterprises to operationalize and automate activities and solve challenges in cybersecurity compliance and regulatory risks.

“The number of global, national and local compliance requirements are increasing, which means enterprises now have massive amounts of security controls to implement, test and report on,” said John B. Wood, Telos CEO and chairman. “Telos and IBM Security are excited to address this issue together by leveraging our combined and extensive expertise in IT risk management and compliance to create efficiency out of chaos and offer effective solutions to the audit fatigue issue.”

AGS helps organizations overcome the challenges and costs associated with regulatory compliance, especially audit fatigue. According to a 2020 study, organizations, on average, must comply with 13 different IT security compliance and privacy regulations, which requires a team of 22 dedicated staff members and results in 58 working days per quarter spent responding to audit evidence requests. Beyond audit fatigue, the study also found that 86% of respondents believed compliance is or will be an issue when moving systems, applications, and infrastructures to the cloud.

The AGS solution, available via IBM Security Services, addresses these challenges by combining IBM’s world-class expertise to plan, design, deploy, operationalize, and accelerate cyber compliance and governance programs, and Telos’ Xacta® IT Risk Management platform that automates the most time-consuming aspects of compliance and audit activities like control selection, validation, reporting, and monitoring.

“Every organization must meet compliance, regulatory, contractual, and privacy obligations – no one is exempt. However, individual organizations have different risk appetites, tolerance levels, missions, and goals,” said Dimple Ahluwalia, VP & global managing partner, IBM. “AGS helps take the guesswork out of managing cybersecurity risk and compliance – all with proven technology, techniques, complete visibility, and ongoing expert support. We are thrilled to be working with Telos on this important challenge that faces today’s enterprises.”

The AGS solution, available via IBM Security Services, utilizes strategic planning, responsive compliance reporting, proactive monitoring and automation, all while leveraging existing tools to create a more ordered approach to IT risk management and compliance. The solution is scalable across hybrid, multi-cloud, and on-premises architectures and systems, bringing much-needed peace of mind to those on the front lines of the cybersecurity battle. The power of automation is on full display with AGS, reducing system compliance time up to 90% faster, the time to generate regulatory documentation by up to 70%, as well as the time to research vulnerabilities by up to 90%.

To learn more about AGS, please visit https://www.telos.com/offerings/ibm-active-governance-services-xacta.

**Forward-Looking Statements**

This press release contains forward-looking statements which are made under the safe harbor provisions of the federal securities laws. These statements are based on the Company’s management’s current beliefs, expectations and assumptions about future events, conditions and results and on information currently available to them. By their nature, forward-looking statements involve risks and uncertainties because they relate to events and depend on circumstances that may or may not occur in the future. The Company believes that these risks and uncertainties include, but are not limited to, those described under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” set forth from time to time in the Company’s filings and reports with the U.S. Securities and Exchange Commission (SEC), including its Annual Report on Form 10-K for the year ended December 31, 2021, as well as future filings and reports by the Company, copies of which are available at https://investors.telos.com and on the SEC’s website at www.sec.gov.

Although the Company bases these forward-looking statements on assumptions that the Company’s management believes are reasonable when made, they caution the reader that forward-looking statements are not guarantees of future performance and that the Company’s actual results of operations, financial condition and liquidity, and industry developments, may differ materially from statements made in or suggested by the forward-looking statements contained in this release. Given these risks, uncertainties and other factors, many of which are beyond its control, the Company cautions the reader not to place undue reliance on these forward-looking statements. Any forward-looking statement speaks only as of the date of such statement and, except as required by law, the Company undertakes no obligation to update any forward-looking statement publicly, or to revise any forward-looking statement to reflect events or developments occurring after the date of the statement, even if new information becomes available in the future. Comparisons of results for current and any prior periods are not intended to express any future trends or indications of future performance, unless specifically expressed as such, and should only be viewed as historical data.

**About Telos Corporation**

Telos Corporation (NASDAQ: TLS) empowers and protects the world’s most security-conscious organizations with solutions for continuous security assurance of individuals, systems, and information. Telos’ offerings include cybersecurity solutions for IT risk management and information security; cloud security solutions to protect cloud-based assets and enable continuous compliance with industry and government security standards; and enterprise security solutions for identity and access management, secure mobility, organizational messaging, and network management and defense. The Company serves commercial enterprises, regulated industries and government customers around the world.

Telos Corporation to Help Enterprises Operationalize Cybersecurity Compliance and Regulatory Risks with IBM Security

The entire security team should share in the responsibility to secure sensitive data.

Several recent high-profile instances of data loss serve as cautionary tales for organizations handling sensitive data — including a recent case where the personal data of nearly half a million Japanese citizens was put in a compromising position when the USB drive on which it was stored was mislaid.

Regardless of industry, all businesses handle sensitive data — whether it's storing HR or payroll files that include bank information and Social Security numbers or securely logging payment details. As such, enterprises of all sizes should have a data loss prevention (DLP) strategy in place that encompasses the entire organization. Organizations should update their DLP strategy frequently, to account not only for the evolution of how we store, manage, and move data, but also for advancements in cybercrime.

Some enterprises have added information security professionals to focus exclusively on DLP, but the entire cybersecurity team should share in the responsibility to protect sensitive data. A strong DLP strategy protects customers and maintains the integrity of data operations. Here are some best practices to guide organizations as they work to deploy a new DLP strategy or improve an existing one:

**1\. Know What Data Is Sensitive**

It may be tempting for organizations to apply a universal standard for data security across their business, but putting guardrails up for all information and every process can be an expensive and onerous task. By reviewing the different types of data employees work with and have access to, leaders can determine what data qualifies as sensitive and tailor their organization's strategies to protect the data that matters most. When leaders become familiar with the flow of their organization's data, it allows them to identify the people and departments that need to emphasize cybersecurity measures the most.

**2\. Backup, Backup, Backup**

An ounce of prevention is worth a pound of cure — and when dealing with sensitive data, it may even be worth millions should an organization's data be held for ransom or result in a costly loss of IP. Once businesses have identified the specific types of data deemed sensitive, employees should back it up in multiple places, all under secure protocols. Backups protect against damage from corrupted files and accidental deletion, and they make the company less vulnerable to extortionists who may try to hold data for ransom. Backups on air-gapped storage devices or servers are the most secure as they are physically separated from the Internet and can be properly secured. 

**3\. Empower Your People**

Even the most secure data loss prevention strategy can be foiled by a successful phishing attempt or a password written in plain text. Uninformed employees can fall prey to the latest scam or social engineering, unwittingly exposing their organization's data to bad actors. When leaders empower all levels and people in their organization to be an active part of security efforts, it safeguards against data loss and theft. It's critical to provide consistent training about cybersecurity risks so that employees — from the CIO to the newest intern — are aware of the newest threats to data.

**4\. Consider the Whole Data Journey**

Even when an organization invests to create a highly secure data infrastructure, whenever sensitive data leaves that environment, those protections can unravel. For businesses using a cloud storage solution, sensitive data can be vulnerable as soon as employees use unsecured public Wi-Fi. A robust data security approach should account for all the ways employees share sensitive data, inside and outside of established platforms.

**5\. Have a Rapid Response Plan**

Following data protection best practices can make breaches, hacks, and data loss less likely. However, there's always the possibility that they may happen, so you have to have a plan in place if something does go wrong. By having a plan in place, leaders can act swiftly to mitigate damage. The specifics of each rapid response plan depend on the nature of the data that has been compromised, but a plan may involve starting a data recovery process, remotely revoking access to shared storage solutions, promptly notifying employees or customers of a vulnerability, or alerting the proper authorities or customers that a data breach has occurred. It is important to already have a rapid response team in place to quickly conduct forensics, determine what data may have been compromised, follow laws and regulations about notifications, and also direct the proper resources to ensure the correction of any identified cybersecurity vulnerability.

These best practices provide a strong baseline for how to implement a new DLP plan, and can make existing strategies more resilient and effective. While the specific protocols in a DLP plan should be designed to fit organizations' individual needs, they should always drive toward the same goal: preventing data breaches and maintaining personal and professional privacy.

5 Best Practices for Building Your Data Loss Prevention Strategy

Oversubscribed round validates company's data-first approach to solving cloud security and privacy issues for global businesses thwarting data breaches and ransomwar

**MOUNTAIN VIEW, Calif., Sept. 15, 2022** — Fortanix® Inc., the data-first multicloud security company and the pioneer of Confidential Computing, today announced $90 million in Series C financing bringing the total amount the company has raised to over $122 million. The round was led by the Growth Equity business within Goldman Sachs Asset Management (Goldman Sachs) with participation from GiantLeap Capital as well as the existing investors Foundation Capital, Intel Capital, Neotribe Ventures, and In-Q-Tel. Soumya Rajamani, Vice President at Goldman Sachs, will join Fortanix's board of directors.   

The funding builds upon the significant and sustained growth Fortanix has experienced despite the pandemic and the recent macro-economic conditions. The company has gained customers across multiple verticals including some of the highly regulated industries. Traditional network security led approaches have not been entirely successful in preventing data breaches and ransomware. Regulatory requirements have increased as have penalty amounts. The data-first approach to security advocated by Fortanix tackles this problem head-on by decoupling security from infrastructure, and provides an elegant way to secure data, wherever it is. It further allows organizations to credibly conform to privacy laws and regulatory requirements globally including GDPR, Schrems II, HIPAA, PCI, ITAR and several others.  

"We constantly look for companies with disruptive technologies and have seen the benefits of its data-first approach," said Soumya Rajamani, Vice President at Goldman Sachs. Many businesses can relate to the challenge of data security and privacy, and we are proud to support the Fortanix team in their mission to solve security and privacy.”  

Fortanix's innovative approach, backed by more than 25 patents, has resonated in the market. The company counts dozens of Fortune 500 companies as its customers, as well as several U.S. government agencies. The company experienced more than 500% growth over the past three years, placing it in the top quarter of the annual Inc. 5000 list of the fastest-growing private companies in America for 2022. 

"I am grateful to the new and existing investors for their confidence in the Fortanix team and our technology, and I am thrilled to welcome Soumya Rajamani to our board of directors," said Ambuj Kumar, CEO and co-founder of Fortanix. "Cybersecurity is one of the most important needs of our current era. This fundraise is a strong validation of the massive market opportunity ahead as we execute our bold mission."   

**Strong Company Execution Guides Investor Sentiment**  

This significant round of financing was driven by a number of company momentum factors, including: 

*   A three-year aggregate growth trajectory of 522%, landing on the 2022 Inc. 5000 list of fastest-growing private companies in the U.S. 
*   Employee growth of 70% year-over-year to more than 225 employees 
*   An expanded ecosystem of strategic partnerships that includes over 100 product integrations 
*   More than 125 marquee global customers across major industries, including healthcare, banking, FSI, technology services, cloud providers, and federal agencies 
*   Strong intellectual property base with over 25 patents, underscoring the technical differentiation of Fortanix's data-first approach 
*   Recent expansion of the leadership team, including the additions of the company’s vice president of legal, chief revenue officer and chief marketing officer.  

**Additional Resources:**

*   Learn about the company’s journey inthis conversation with the two founders
*   Explore a new approach to enterprise data security on the Intel Capital blog
*   Read this blog post from Neotribe Ventures
*   Check out this latest blog from Foundation Capital: Fortanix Raises $90M Series C

**About Goldman Sachs Asset Management Growth Equity**  

Bringing together traditional and alternative investments, Goldman Sachs Asset Management provides clients around the world with a dedicated partnership and focus on long-term performance. As the primary investing area within Goldman Sachs (NYSE: GS), we deliver investment and advisory services for the world’s leading institutions, financial advisors and individuals, drawing from our deeply connected global network and tailored expert insights, across every region and market—overseeing more than $2 trillion in assets under supervision worldwide as of June 30, 2022. Driven by a passion for our clients’ performance, we seek to build long-term relationships based on conviction, sustainable outcomes, and shared success over time. Goldman Sachs Asset Management invests in the full spectrum of alternatives, including private equity, growth equity, private credit, real estate, and infrastructure. Since 2003, the Growth Equity business within Goldman Sachs Asset Management comprising more than 75 individuals has invested over $13 billion in companies led by visionary founders and CEOs. We focus exclusively on investments in growth stage and technology-driven companies spanning multiple industries, including enterprise technology, financial technology, consumer, and healthcare.

**About GiantLeap Capital  
**GiantLeap Capital is a next-generation private investment firm focused on investing in technologies that are transforming critical industries at the convergence of physical and digital infrastructure. The firm takes a long-term, thematic approach to provide flexible capital focused on idiosyncratic investment opportunities across growth stages. For more information, please visit https://www.giantleapcapital.com.

**About Fortanix**   
Fortanix secures data, wherever it is. Fortanix’s data-first approach helps businesses of all sizes to modernize their security solutions on-premises, in the cloud and everywhere in-between. Enterprises worldwide, especially in privacy-sensitive industries like healthcare, fintech, financial services, government, and retail, trust Fortanix for data security, privacy and compliance. Fortanix investors include Goldman Sachs, Foundation Capital, Intel Capital, In-Q-Tel, Neotribe Ventures and GiantLeap Capital. Fortanix is headquartered in Mountain View, CA. For more information, visit https://fortanix.com/.

Fortanix Raises $90M in Series C Funding Led by Goldman Sachs Asset Management

Access tokens for other Teams users can be recovered, allowing attackers to move from a single compromise to the ability to impersonate critical employees, but Microsoft isn't planning to patch.

Attackers who gain initial access to a victim's network now have another method of expanding their reach: using access tokens from other Microsoft Teams users to impersonate those employees and exploit their trust.

That's according to security firm Vectra, which stated in an advisory on Sept. 13 that Microsoft Teams stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. According to the firm, an attacker with local or remote system access can steal the credentials for any currently online users and impersonate them, even when they are offline, and impersonate the user through any associated feature, such as Skype, and bypass multifactor authentication (MFA).

The weakness gives attackers the ability to move through a company’s network much more easily, says Connor Peoples, security architect at Vectra, a San Jose, Calif.-based cybersecurity firm.

"This enables multiple forms of attacks including data tampering, spear-phishing, identity compromise, and could lead to business interruption with the right social engineering applied to the access," he says, noting that attackers can "tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks."

Vectra discovered the issue when the company's researchers examined Microsoft Teams on behalf of a client, looking for ways to delete users who are inactive, an action that Teams does not typically allow. Instead, the researchers found that a file that stored access tokens in cleartext, which gave them the ability to connect to Skype and Outlook through their APIs. Because Microsoft Teams brings together a variety of services — including those applications, SharePoint and others — that the software requires tokens to gain access, Vectra stated in the advisory.

With the tokens, an attacker can not only gain access to any service as a currently online user, but also bypass MFA because the existence of a valid token typically means the user has provided a second factor.

In the end, the attack does not require special permissions or advanced malware to grant attackers enough access to cause internal difficulties for a targeted company, the advisory stated.

"With enough compromised machines, attackers can orchestrate communications within an organization," the company stated in the advisory. "Assuming full control of critical seats — like a company’s head of engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization. How do you practice phish testing for this?"

**Microsoft: No Patch Necessary**

Microsoft acknowledged the issues but said the fact that the attacker needs to have already compromised a system on the target network reduced the threat posed, and opted not to patch.

"The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network," a Microsoft spokesperson said in a statement sent to Dark Reading. "We appreciate Vectra Protect's partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release."

In 2019, the Open Web Application Security Project (OWASP) released a top 10 list of API security issues. The current issue could be considered either Broken User Authentication or a Security Misconfiguration, the second and seventh ranked issues on the list.

"I view this vulnerability as another means for lateral movement primarily — essentially another avenue for a Mimikatz-type tool," says John Bambenek, principal threat hunter at Netenrich, a security operations and analytics service provider.

A key reason for the existence of the security weakness is that Microsoft Teams is based on the Electron application framework, which allows companies to create software based on JavaScript, HTML, and CSS. As the company moves away from that platform, it will be able to eliminate the vulnerability, Vectra's Peoples says.

"Microsoft is making a strong effort to move toward Progressive Web Apps, which would mitigate many of the concerns currently brought by Electron," he says. "Rather than rearchitect the Electron app, my assumption is they are devoting more resources into the future state."

Vectra recommends the companies use the browser-based version of Microsoft Teams, which has enough security controls to prevent exploitation of the issues. Customers who need to use the desktop application should "watch key application files for access by any processes other than the official Teams application," Vectra stated in the advisory.

Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish

New executive order stops short of mandating NIST's guidelines, but recommends SBOMs for federal agencies across government.

The Biden White House has released a new cybersecurity executive order outlining guidelines for software supply chain security, including the suggestion that federal agency CIOs start requiring documentation of secure development and software bills of materials (SBOMs).

In a memo sent to the heads of executive departments and agencies, the White House Office of Management and Budget outlines supply chain cybersecurity best practices established by the National Institute of Standards and Technology (NIST), which would recommend a full software inventory assessment, collecting statements from each outside software vendor that its products conform to the NIST supply chain security framework, and a requirement for SBOMs when purchasing new software.

"As agencies develop requirements that include the use of new software, they must request confirmation that the software producer utilizes secure software development practices," the OMB memo said. "This could be accomplished through specification of these requirements in the Request for Proposal (RFP) or other solicitation documents, but regardless of how the agency ensures compliance, the agency must ensure that the company implements and attests to the use of secure software development practices consistent with NIST Guidance, throughout the software development lifecycle." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

White House Guidance Recommends SBOMs for Federal Agencies

This Tech Tip walks through the steps to set up signed commits with SSH keys stored in 1Password.

1Password is making it easier for GitHub users to set up signed commits using SSH keys. Signed commits verify that the person making the code change is who they say they are.

When code is checked into a git repository, the change is usually saved with the name of the person submitting the code. While the committer's name is typically set by the user's client, it can be easily changed to anything else, which makes it possible for someone to spoof the commit messages and names. This can have security implications if developers don't actually know who submitted a particular piece of code.

The fundamental, unsolved problem underlying all of the cybersecurity problems on the Internet is the lack of good tools to truly authentic a live human being, says John Bambenek, principal threat hunter at Netenrich. Making cryptographic signing, or signed commits, easy allows organizations to have a higher level of assurance about the person's identity.

"Without this, you are trusting the committer is who they say they are, and the person accepting the commit understands and reviews the commit for problems," he adds.

Bambenek notes that because criminals are going after code in open source libraries in earnest, being able to truly authenticate people pushing code means the window to using their repositories to compromise other organizations is much smaller.

**Easier, Scalable Key Management**

Michael Skelton, senior director of security operations at Bugcrowd, points out that managing SSH and GPG keys for signing commits over multiple developer virtual and host machines can be a cumbersome and confusing process. Previously, developers interested in signed commits managed with key pairs stored them in their GitHub accounts and on their local machines.

"This can make mass adoption of signed commits difficult, impairing the ability for your organization to make the most out of this feature," he says. "By having 1Password manage this on your behalf, you can more easily deploy these keys and update configurations hassle-free."

Because 1Password stores the SSH keys, it becomes easier, and less confusing, to manage keys over multiple devices. This feature also makes it possible to manage GitHub signing keys for developers in a more scalable fashion, Skelton says.

"By solving this problem, organizations can then look to enforce signed commits over their repositories using GitHub's vigilant mode, helping to limit the ability for committer names to be misrepresented and in turn misinterpreted," Skelton says.

With signed commits, it is easier to see when a commit has not been signed. It's also possible to create an application security policy that rejects unsigned commits.

**How to Set Up Signed Commits**

Here's how to set up GitHub to use SSH keys for verification.

1.  Update to Git 2.34.0 or later, then go to https://github.com/settings/keys and select "new SSH key," followed by selecting "Signing Key."
2.  From there, navigate to the "Key" box and select the 1Password logo, select "Create SSH Key," fill in a title, and then select "Create and Fill."
3.  For the last step, select "Add SSH Key," and the GitHub part of the process is complete.

Once the key is set up in GitHub, proceed to 1Password on your desktop to configure your _.gitconfig_ file to sign with their SSH key.

1.  Select the "Configure" option in the banner displayed on top, where a window will open with a snippet you can add to the _.gitconfig_ file.
2.  Select the "Edit Automatically" option to have 1Password update the _.gitconfig_ file with one click.
3.  Users in need of more advanced configuration can copy the snippet and do things manually.

A green verification badge for easy verification visibility will then be added to the timeline when you push to GitHub.

How to Use SSH Keys and 1Password to Sign Git Commits

Researchers link the APT to an attack on a Hong Kong university, which compromised multiple key servers using advanced Linux malware.

A new Linux version of the SideWalk backdoor has been deployed against a Hong Kong university in a persistent attack that's compromised multiple servers key to the institution's network environment.

Researchers from ESET attributed the attack and the backdoor to SparklingGoblin, an advanced persistent threat (APT) group that targets organizations mostly in East and Southeast Asia, with a focus on the academic sector, they said in a blog post published Sept. 14.

The APT also has been linked to attacks on a broad range of organizations and vertical industries around the world, and is known for using the SideWalk and Crosswalk backdoors in its arsenal of malware, researchers said.

In fact, the attack on the Hong Kong university is the second time SparklingGoblin has targeted this particular institution; the first was in May 2020 during student protests, with ESET researchers first detecting the Linux variant of SideWalk in the university's network in February 2021 without actually identifying it as such, they said.

The latest attack appears to be part of a continuous campaign that initially may have started with the exploitation either of IP cameras and/or network video recorder (NVR) and DVR devices, using the Specter botnet or through a vulnerable WordPress server found in the victim's environment, researchers said.

"SparklingGoblin has continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," researchers said.

Moreover, it now appears that the Specter RAT, first documented by researchers at 360 Netlab, is actually a SideWalk Linux variant, as shown by multiple commonalities between the sample identified by ESET researchers, they said.

**SideWalk Links to SparklingGoblin**

SideWalk is a modular backdoor that can dynamically load additional modules sent from its command-and-control (C2) server, makes use of Google Docs as a dead-drop resolver, and uses Cloudflare as a C2 server. It can also properly handle communication behind a proxy.

There are differing opinions among researchers as to which threat group is responsible for the SideWalk backdoor. While ESET links the malware to SparklingGoblin, researchers at Symantec said it is the work of Grayfly (aka GREF and Wicked Panda), a Chinese APT active since at least March 2017.

ESET believes that SideWalk is exclusive to SparklingGoblin, basing its "high confidence" in this assessment on "multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools," researchers said. One of the SideWalk Linux samples also uses a C2 address (66.42.103\[.\]222) that was previously used by SparklingGoblin, they added.

In addition to using the SideWalk and Crosswalk backdoors, SparklingGoblin also is known for deploying Motnug and ChaCha20-based loaders, the PlugX RAT (aka Korplug), and Cobalt Strike in its attacks.

**Inception of SideWalk Linux**

ESET researchers first documented the Linux variant of SideWalk in July 2021, dubbing it "StageClient" because they did not at the time make the connection to SparklingGoblin and the SideWalk backdoor for Windows.

They eventually linked the malware to a modular Linux backdoor with flexible configuration being used by the Specter botnet that was mentioned in a blog post by researchers at 360 Netlab, finding "a huge overlap in functionality, infrastructure, and symbols present in all the binaries," the ESET researchers said.

"These similarities convince us that Specter and StageClient are from the same malware family," they added. In fact, both are just Linux various of SideWalk, researchers eventually found. For this reason, both are now referred to under the umbrella term SideWalk Linux.

Indeed, given the frequent use of Linux as the basis for cloud services, virtual machine hosts, and container-based infrastructure, attackers are increasingly targeting Linux environments with sophisticated exploits and malware. This has given rise to Linux malware that's both unique to the OS or built as a complement to Windows versions, demonstrating that attackers see a growing opportunity to target the open source software.

**Comparison to Windows Version**

For its part, SideWalk Linux has numerous similarities to the Windows version of the malware, with researchers outlining only the most "striking" ones in their post, researchers said.

One obvious parallel is the implementations of ChaCha20 encryption, with both variants using a counter with an initial value of "0x0B" — a characteristic previously noted by ESET researchers. The ChaCha20 key is exactly the same in both variants, strengthening the connection between the two, they added.

Both versions of SideWalk also use multiple threads to execute specific tasks. They each have exactly five threads — StageClient::ThreadNetworkReverse, StageClient::ThreadHeartDetect, StageClient::ThreadPollingDriven, ThreadBizMsgSend, and StageClient::ThreadBizMsgHandler — executed simultaneously that each perform a specific function intrinsic to the backdoor, according to ESET.

Another similarity between the two versions is that the dead-drop resolver payload — or adversarial content posted on Web services with embedded domains or IP addresses — is identical in both samples. The delimiters — characters chosen to separate one element in a string from another element — of both versions also are identical, as well as their decoding algorithms, researchers said.

Researchers also found key differences between SideWalk Linux and its Windows counterpart. One is that in SideWalk Linux variants, modules are built in and cannot be fetched from the C2 server. The Windows version, on the other hand, has built-in functionalities executed directly by dedicated functions within the malware. Some plug-ins also can be added through C2 communications in the Windows version of SideWalk, researchers said.

Each version performs defense evasion in a different way as well, researchers found. The Windows variant of SideWalk "goes to great lengths to conceal the objectives of its code" by trimming out all data and code that was unnecessary for its execution, encrypting the rest.

The Linux variants make detection and analysis of the backdoor "significantly easier" by containing symbols and leaving some unique authentication keys and other artifacts unencrypted, researchers said.

"Additionally, the much higher number of inlined functions in the Windows variant suggests that its code was compiled with a higher level of compiler optimizations," they added.

SparklingGoblin Updates Linux Version of SideWalk Backdoor in Ongoing Cyber Campaign

With enough passion, intelligence, and effort, anyone can be a successful cybersecurity professional, regardless of education or background.

I've been in the tech industry for 25 years, almost all in cybersecurity. I've held security leadership positions for well over a decade, including the 18 months as head of security for an API platform with more than 20 million users.

I've had a successful career in information security, and I've done it without a college degree.

I'm just not convinced of the value of a degree for cybersecurity jobs. To be sure, some who go to school before embarking on cybersecurity careers may benefit from the education and training. But many others merely find themselves saddled with student debt, just to learn material that's often outdated or may not even be relevant to the job.

At the end of the day, with enough passion, raw intelligence, and hard work, anyone can be a successful cybersecurity professional, whether they have a degree or lack a background in IT and computer science.

Cybersecurity hiring historically has focused on a narrow candidate pool — people with the usual academic credentials, job experience, security certifications, and specific technical security skill sets. But as the demand for cybersecurity professionals keeps increasing, it is clear that the industry must get more creative in the hunt for talent.

The question on every CISO's mind is how. Here are four ideas.

**Drop College Degree Requirements**

Mandating at least a bachelor's degree for a cybersecurity job (or any tech industry job, for that matter) is obsolete thinking. Skills and personality traits like desire, curiosity, love of learning, calmness under pressure, and ambition are what really matter.

I go back to my own experience. I gave community college a try, because it's what was expected, but I was never a good student because I wasn't interested in the material.

My college turned out to be my first computer job where I spent time on the help desk, as a desktop engineer, as a systems engineer, and eventually left as a network engineer. What I learned during my four years there gave me the foundational knowledge to move to the next job/level.

I loved all technology and wanted to learn as much as I could but couldn't decide if I wanted to be on the network or systems side. I wound up in security because it was an area that allowed me to get involved in all aspects of tech.

Now, years later, I lead a combined security and IT operations team with more than 30 members, focusing on building a modern security program that supports the needs of a fast-growing business.

**Look for Talent Outside of Security**

Instead of chasing unicorns, companies should mine not only other areas of the IT department but completely different parts of the business for people with adjacent skills that could make them great cybersecurity pros.

Someone with a librarian's background, for example, could bring the strong detail orientation needed for security compliance work. A former military member may possess the grace under fire needed for hectic work in the security operations center (SOC).

Looking harder at candidates who don't fit the typical cybersecurity specialist mold necessitates a more aggressive move toward upskilling and reskilling existing employees. And beyond its benefit as a source of talent, looking inward rather than outward for help also could provide protection against the threat of recession and possible hiring freezes. Which leads to our third point…

**Train Like Crazy**

If someone has the natural skills to succeed in cybersecurity but has never even seen a SOC, who cares? Skills can be taught. That's why cybersecurity training sessions and boot camps exist.

Companies should invest in formalized training programs for individuals with nontraditional security backgrounds. They should be trained upfront and continually provided with additional training opportunities just like the rest of your team.

**Spread the Wealth**

The beauty of DevOps and DevSecOps is that they shift some security responsibility from dedicated security teams in operations to the development side, with the idea being that security should be baked in throughout the application development process.

This provides a fresh opportunity for more people throughout the organization to take on roles as security champions, security ambassadors, security advocates — pick your term. And it lessens the pressure on companies to hire for security team positions and increases the incentive to get creative in looking internally for these champions.

By following these four steps, companies can find people who have the aptitude and passion for security and who can be made into top notch professionals with a little bit of training and mentoring.

The industry has been doing the same thing over and over — hunting for the usual suspects — and it's time for new approaches.

To Ease the Cybersecurity Worker Shortage, Broaden the Candidate Pipeline

Interactive intrusion campaigns jumped nearly 50%, while the breakout time between initial access and lateral movement shrank to less than 90 minutes, putting pressure on defenders to react quickly.

Attackers are increasingly taking a hands-on approach to network intrusions, usually avoiding using malware; they have also reduced the time it takes to move from an initial compromise to infecting other systems in a network.

That's according to cybersecurity services firm CrowdStrike, which found in a report published Tuesday that both targeted attacks and interactive intrusions have increased overall. For the 12 months ending in June, targeted attacks accounted for 18% of all attacks, up from 14% for the prior 12 months, according to the firm's telemetry.

Attackers also focused on interactive intrusions that take a hands-on approach to compromises, with an almost 50% increase in such attacks, the company found. Unsurprisingly, the increase in hands-on attacks meant less reliance on malware — 71% of all events detected by CrowdStrike indicated malware-free activity, the company said.

The technology sector continued to be the focus of the most attacks, with nearly 20% of attacks targeting the industry sector, while telecommunications became the second most targeted at 10%, and manufacturing accounting for about 8% of attacks. Cybercriminal attacks accounted for 43% of all security incidents investigated by CrowdStrike, the firm stated in the report.

**A Rise in Nation-State Cyberattacks**

The shifts in cyberattacker tactics have come from specialized cybercrime offerings and an increase in nation-state attacks, says Param Singh, vice president of CrowdStrike's Falcon OverWatch group.

"This surge is being driven in part by the evolving e-crime landscape which has seen an unprecedented number of new criminally motivated adversary groups emerging and joining the fold in an attempt to capitalize on the lucrative opportunities for financial gain," he says. "Additionally, there has been a prolonged rise in targeted intrusion activity on the part of state-based adversaries in response to the evolving geopolitical landscape and global macro events."

More compromised credentials and more services means that adversaries are able to quickly choose vulnerable systems and gain access essentially on demand, which leads to faster breakout times, he says. At the same time, because advanced actors can use the same access-for-service tools, they are able to gain a beachhead and interactively hack their victim.

A shorter breakout time would normally suggest that attackers are using more automation, but CrowdStrike's threat hunters found that attackers are using interactive hacking more often. There are two separate trends at play, says Singh.

"\[T\]he ongoing surge in ransomware-as-a-service and affiliate networks along with increasing prevalence of access broker activity all adds up to one thing: a lower barrier to entry for criminally motivated adversaries," Singh says. "In practice, this translates to adversaries being able to operationalize an attack and both gain initial access easier and move laterally to additional hosts faster than previously seen."

CrowdStrike pointed toward the Russia-Ukraine conflict as one factor for the growth in targeted attacks, but China remains the most prolific attacker, according to the company's data.

"A look back at the numerous geopolitical and macro global events that have taken place have shown both China and Russia to be outspoken," Singh says. "While a greater proportion of attributable malicious activity has been linked back to China-nexus adversaries, it is our assessment that Russian adversaries continue to operate. However, it is possible that this activity currently falls under the unattributed category of intrusions."

**Mystery Assailants**

Meanwhile, the share of detected security incidents that remain unattributed continues to be high. In the 12 months ending June 2022, 38% of intrusion campaigns could not be positively attributed to a specific group, about the same (39%) as the previous 12 months.

"\[T\]here are often few identifiable artifacts or examples indicative of tradecraft to investigate, which prevents high-confidence attribution," CrowdStrike stated in the report. "This issues is compounded by the continued blurring of the lines between eCrime and targeted intrusion tradecraft and tooling, which also curtails high-confidence attribution."

To keep up with attackers' speed and break their chain of attack, defenders need to both deploy technology-based controls and use human-based threat-hunting services to catch signs of attackers and subvert their automated attacks and hands-on hacking.

"When it comes to breaking that chain, the reality is that adversaries are moving faster, in some cases in mere minutes," Singh says. "Pairing this observation with the increasing proliferation of compromised account usage with the diminishing reliance on malware means defenders must extend their defensive capabilities beyond technology alone."

Cyberattacks Are Now Increasingly Hands-On, Break Out More Quickly

Honeypot activity exposed two credentials that the threat actor is using to host and distribute malicious container images, security vendor says.

An apparent operational security slip-up by a member of the TeamTNT threat group has exposed some of the tactics it's using to exploit poorly configured Docker servers.

Security researchers from Trend Micro recently set up a honeypot with an exposed Docker REST API to try and understand how threat actors in general are exploiting vulnerabilities and misconfigurations in the widely used cloud container platform. They discovered TeamTNT — a group known for its cloud-specific campaigns — making at least three attempts to exploit its Docker honeypot.

"On one of our honeypots, we had intentionally exposed a server with the Docker Daemon exposed over REST API," says Nitesh Surana, threat research engineer at Trend Micro. "The threat actors found the misconfiguration and exploited it thrice from IPs based in Germany, where they were logged in to their DockerHub registry," Surana says. "Based on our observation, the motivation of the attacker was to exploit the Docker REST API and compromise the underlying server to perform cryptojacking."

The security vendor's analysis of the activity eventually led to uncovering credentials for at least two DockerHub accounts that TeamTNT controlled (the group was abusing DockerHub free Container Registry services) and was using to distribute a variety of malicious payloads, including coin miners.  

One of the accounts (with the name "alpineos") hosted a malicious container image containing rootkits, kits for Docker container escape, the XMRig Monero coin miner, credential stealers, and Kubernetes exploit kits. 

Trend Micro discovered the malicious image had been downloaded more than 150,000 times, which could translate into a wide swath of infections.

The other account (sandeep078) hosted a similar malicious container image but had far fewer "pulls" — just about 200 — compared with the former. Trend Micro pointed to three scenarios that likely resulted in the leak of the TeamTNT Docker registry account credentials. These include a failure to logout from the DockerHub account or their machines being self-infected.  

**Malicious Cloud Container Images: A Useful Feature**

Developers often expose the Docker daemon over its REST API so they can create containers and run Docker commands on remote servers. However, if the remote servers are not properly configured — for instance, by making them publicly accessible — attackers can exploit the servers, Surana says.

In these instances, threat actors can spin up a container on the compromised server from images that execute malicious scripts. Typically, these malicious images are hosted on container registries such as DockerHub, Amazon Elastic Container Registry (ECR), and Alibaba Container Registry. Attackers can use either compromised accounts on these registries to host the malicious images, or they can establish their own, Trend Micro has previously noted. Attackers can also host malicious images on their own private container registry.   

Containers that are spun up from a malicious image can be used for a variety of malicious activities, Surana notes. "When a server running Docker has its Docker Daemon publicly exposed over REST API, an attacker can abuse and create containers on the host based on attacker-controlled images," he says.

**A Plethora of Cyberattacker Payload Options**

These images may contain cryptominers, exploit kits, container escape tools, network, and enumeration tools. "Attackers could perform crypto-jacking, denial of service, lateral movement, privilege escalation, and other techniques within the environment using these containers," according to the analysis.  

"Developer-centric tools like Docker have been known to be abused extensively. It’s important to educate \[developers\] at large by creating policies for access and credential use, as well as generate threat models of their environments," Surana advocates.

Organizations should also ensure that containers and APIs are always properly configured to ensure that exploits are minimized. This includes ensuring that they are accessible only by the internal network or by trusted sources. In addition, they should follow Docker's guidelines for strengthening security. "With the rising number of malicious open source packages targeting user credentials," Surana says, "users should avoid storing credentials in files. Instead, they are advised to choose tools such as credential stores and helpers."

Source

DARKReading