Multiclient research report shows organizations are significantly increasing efforts to secure their supply chains in response to software supply chain attacks.

In August 2022, the Enterprise Strategy Group (ESG) released "Walking the Line: GitOps and Shift Left Security," a multiclient developer security research report examining the current state of application security. The report's key finding is the prevalence of software supply chain risks in cloud-native applications. Jason Schmitt, general manager of the Synopsys Software Integrity Group, echoed this, stating, "As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative."

**_The report shows that organizations are realizing the supply chain is more than just dependencies. It's development tools/pipelines, repos, APIs, infrastructure-as-code (IaC), containers, cloud configurations, and more._**

Although open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. In fact, 73% of organizations reported that they have "significantly increased" their software supply chain security efforts in response to recent supply chain attacks.

Respondents to the report's survey cited the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization's attack surface inventory (30%) as key security initiatives they are pursuing in response to supply chain attacks.

Forty-five percent of respondents cited APIs as the area most susceptible to attack in their organization today. Data storage repositories were considered most at risk by 42%, and application container images were identified as most susceptible by 34%.  

**_The report shows that a lack of open source management is threatening SBOM compilation_**.

The survey found that 99% of organizations either use or plan to use open source software within the next 12 months. While respondents have many concerns regarding the maintenance, security, and trustworthiness of these open source projects, their most-cited concern relates to the scale at which open source is being leveraged within application development. Ninety-one percent of organizations using open source believe their organization's code is — or will be — composed of up to 75% open source. Fifty-four percent of respondents cited "having a high percentage of application code that is open source" as concern or challenge with open source software.

Synopsys studies have likewise found a correlation between the scale of open source software (OSS) usage and the presence of related risk. As the scale of OSS usage increases, its presence in applications will naturally increase as well. Pressure to improve software supply chain risk management has placed a spotlight on software bill of materials (SBOM) compilation. But with exploding OSS usage and lackluster OSS management, SBOM compilation becomes a complex task — and 39% of survey respondents in the ESG study marked as a challenge of using OSS.

**_OSS risk management is a priority, but organizations lack a clear delineation of responsibilities._**

The survey points toward the reality that while the focus on open source patching following recent events (such as the Log4Shell and Spring4Shell vulnerabilities) has resulted in a significant increase in OSS risk mitigation activities (the 73% we mentioned above), the party responsible for these mitigation efforts remains unclear.

A clear majority of DevOps teams view OSS management as part of the developer role, whereas most IT teams view it as a security team responsibility. This may well explain why organizations have long struggled to properly patch OSS. The survey found that IT teams are more concerned than security teams (48% vs. 34%) about the source of OSS code, which is a reflection on the role IT has in properly maintaining OSS vulnerability patches. Muddying the waters even further, IT and DevOps respondents (at 49% and 40%) view the identification of vulnerabilities before deployment as the security team's responsibility.

**_Developer enablement is growing, but lack of security expertise is problematic._**

"Shifting left" has been a key driver of pushing security responsibilities to the developer. This shift has not been without challenges; although 68% of respondents named developer enablement as a high priority in their organization, only 34% of security respondents actually felt confident with Development teams taking on responsibility for security testing.

Concerns like overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight into security efforts seem to be the biggest obstacles to developer-led AppSec efforts. A majority of security and AppDev/DevOps respondents (at 65% and 60%) have policies in place allowing developers to test and fix their code without interaction with security teams, and 63% of IT respondents said their organization has policies requiring developers to involve security teams.

**About the Author**

    

Mike McGuire is a senior solutions manager at Synopsys where he is focused on open source and software supply chain risk management. After beginning his career as a software engineer, Mike transitioned into product and market strategy roles, as he enjoys interfacing with the buyers and users of the products he works on. Leveraging several years of experience in the software industry, Mike's main objective is connecting the market's complex AppSec problems with Synopsys' solutions for building secure software.

Report Highlights Prevalence of Software Supply Chain Risks

Security Pro File: The DevOps evangelist and angel investor shares his expertise with the next generation of startups. If you're lucky, maybe he'll even share his Lagavulin.

It was only a few years ago, around 2016 or '17, that Zane Lackey had a conversation that encapsulated the challenge of his life. Then a founding adviser at Signal Sciences, he was meeting with the CISO and CIO of a certain Fortune 500 client (he won't say which). 

He met with the CISO first. Lackey suggested a cloud migration, but the man refused to budge. "I'm not allowing any of that," Lackey remembers him saying. "It's all insecure."

Lackey's second meeting of the day was with the CIO, who informed him that cloud migration was "our No. 1 priority." Lackey must have given the man a strange look because he laughed. "I see you've been talking to the CISO," the CIO said. "We just don't invite him to meetings anymore."

Lackey, former CISO and general partner at Andreessen Horowitz (a16z) since March, is one of the foremost champions of DevOps, the integration of a company's code-writing and code-deploying teams. "The teams have different priorities," he tells Dark Reading, "but they form a Venn diagram. Solutions have to help everybody, in security and everything else."

The greatest obstacle to the kind of architectures Lackey lives for has nothing to do with code or obsolete firewalls: It's the culture of siloed security and operations teams, ignoring each other's processes, or, like the Fortune 500 officers that day, actively subverting each other.

In his words, "Technology is the easy bit. Culture is the hard bit."

**The Early Years**

The ancient feuds and impenetrable silos of digital business teams must be a particular headache to someone like Lackey, who never outgrew his boyhood joy in attacking tech problems. Lackey grew up in Murphys, Calif., a tiny village without much in the way of mental stimulation. Lackey discovered PCs in his early teens and began saving money for a new hard drive to learn Linux. It was hard, lonely work, and he loved it. It took him months to figure out the PPP settings to connect to his local ISP. But once he was on, it took only five minutes for someone to hack him and shut him down.

"It was a moment that changed my life," he says, "in an extraordinarily positive way." 

Security infrastructure became Lackey's obsession. He began spending nights playing virtual "capture the flag" with his friends, devouring Red Hat, Windows, and every systems manual he could find. The passion for infrastructure and offense-defense security took Lackey to UC Davis, that improbable cradle of geniuses, where he worked as an intern in the computer security lab (a rarity in the early 2000s, even at big universities). 

At one point he had to develop a honeytrap, and so he created an entire, fake departmental website to lure in hackers. A group of South American teenagers took the bait and installed their own Counter Strike server. He describes the event today as if it were a rugby match: all give and take, high pressure and clever footwork.

His first job out of Davis came from a 2005 Craigslist ad: A Bay Area startup called iSEC Partners was looking for its first employee. Lackey started immediately, working as a general consultant under the direction of Alex Stamos. His work involved a lot of app, wireless, and network pen testing and assessment.

Then in 2010 the NCC Group bought iSEC Partners, and Lackey went to New York to start an East Coast branch. It was there, around 2011, that Lackey began exploring the tools and tactics that would come to be known as DevOps. Companies were growing faster than their linear waterfall deployments could handle. Cloud storage and bespoke, integrated tool chains had only just bridged the gap of concept and code.

But Lackey was on the case, especially after Etsy took on the 26-year-old, briefly as a consultant and then as CISO. It wasn't exactly a gamble on the company's part, at least as Lackey tells it; his credentials spoke for themselves. Etsy gave Lackey his first real taste of the colossal volume of modern, international security upkeep. At iSEC, Lackey had deployed a pen test once every 18 months. At Etsy, he was expected to deploy 30 times _per day_.

"This was security," he says, "but for a different world." (Etsy was ahead of the pack — at the time, Google and Facebook were deploying once a week.)

That different world brought its own new tools, not only at Etsy but at its mirror company on the West Coast, Netflix, where another iSEC veteran, Jason Chan, was now CISO. Like Chan, Lackey saw that reliance on thousands of discrete Web application firewalls (WAFs) could never keep pace with the modern volume of threats. The cloud transition was part of the solution, as was a more nuanced zero-trust strategy than was common, then or now. 

But what companies like Etsy needed was a new architecture altogether, where each individual application fits into a companywide, vertically integrated security system like teeth in a zipper, accessible through one "single pane of glass" console. The console would have to be completely visible across teams, never "someone else's job" (in or out of the company), and, most importantly, scalable. That's where DevOps came in.

Businesses grow at different speeds; the point of DevOps is to keep their security operations moving at exactly the speed they need. Lackey says that scale is the foremost problem facing every security team, and that "if you have to be a security expert to use a security tool, \[the tool\] doesn't scale."

**Changing Up His Game**

In 2014, Lackey left Etsy with two of his colleagues to form Signal Sciences, a venture-backed Web app and API security startup. Signal Sciences blew up (in a good way): At the peak of Lackey's tenure as board member and CSO, the company had 150 employees, $28 million in annual recurring revenue, and outlets like Forbes and Gartner piled on accolades.

Lackey then found himself on the other side of the table, advising the Fortune 500 companies and, increasingly, investing in new firms. "I enjoy adapting," he says, with the same relish that comes through in his tales of early 2000s hacking games.

"Security was one of the largest speed bumps to early DevOps adoption," Lackey says. As CISO at Etsy, an early DevOps adopter, he learned how to institute DevOps through firsthand experience. He co-authored a book on the topic, called _Building a Modern Security Program_, and found he enjoyed sharing the lessons he learned with other enterprises going through the shift.

Angel investing seems to unite Lackey's two professional passions: the steady march of DevOps as a discipline and the love of frustrating, high-stakes, high-risk play. It's also a union of right-brain tech and left-brain leadership skills, which seems to come naturally to Lackey. Last year he explained to Cloud Security podcast that as all roles merge, founders have to keep their goals in mind or risk failing. "You're building a company," he told them, "not a tech project" — remarkable advice from an infrastructure specialist.

Fastly bought Signal Sciences in 2020. Lackey consulted independently for two years before accepting the partner role at a16z. He likes the work, particularly his interactions with founders — "I enjoy being their first call," he says — and says the new solutions he's seeing are extraordinary. He won't say what those solutions are, for confidentiality's sake; presumably they include updated zero-trust protocols for the 2020s. But he's happy to see the discipline he helped shape, DevOps, take on a life of its own. 

"This is a generational change in software development and delivery," he says. "I'm excited for the future."

**PERSONALITY BYTES**

**What professional achievement are you most proud of?** "It's not an achievement, but I'm very proud of all the teams I've been able to be a part of, and the work we've done."

**What one technology or solution has made the greatest impact on your work?** "Again, it's not a technology, but I'd say velocity — the increase in velocity. The shift from the waterfall-approach era to the DevOps era has been about rapid movement, rapid iteration. I mean, think of how long it took to found a company in the '90s, compared to the early 2000s, compared to now."

**What's one thing your colleagues would never guess about you?** "I was born in a fishing village in Alaska. Talk about low tech! My parents went to Alaska in the '70s to work as commercial fishermen. After they had me, they moved to Murphys."

**Any hobbies?** "Travel — I've been to every continent except Antarctica, but that's next. I ski and snowboard."

**Finally, we understand you're a scotch drinker. Islay, Speyside, Highland?** "I love all whiskeys: bourbon, scotch, Japanese. I tend to like peatier scotches, though — your basic Lagavulin 16, for example. One glass is usually enough."

Zane Lackey: 'Technology Is the Easy Bit'

A new group, Monti, appears to have used leaked Conti code, TTPs, and infrastructure approaches to launch its own ransomware campaign.

Analysts have discovered a ransomware campaign from a new group called "Monti," which relies almost entirely on leaked Conti code to launch attacks.

The Monti group emerged with a round of ransomware attacks over the Independence Day weekend, and was able to successfully exploit the Log4Shell vulnerability to encrypt 20 BlackBerry user hosts and 20 servers, BlackBerry's Research and Intelligence Team reported.

After further analysis, researchers discovered that the indicators of compromise (IoCs) for the new ransomware attacks were the same as in previous Conti ransomware attacks, with one twist: Monti incorporates the Acrion 1 Remote Monitoring and Maintenance (RMM) Agent.

But rather than being Conti reborn, the researchers said they believe Monti lifted Conti's infrastructure when it was leaked last spring, during February and March.

"As additional ransomware-as-a-service (RaaS) solution builders and source code become leaked, either publicly or privately, we could continue to see these doppelganger-like ransomware groups proliferate," the BlackBerry team added. "General familiarity with the TTPs \[tactics, techniques and procedures) of known groups can help us identify any unique traits of these lookalike crews."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Monti, the New Conti: Ransomware Gang Uses Recycled Code

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

The Treasury Department links the MuddyWater APT and APT39 to Iran's intelligence apparatus, which is now blocked from doing business with US entities.

The feds have moved to sanction the Iranian government for its cybercrime activities, which they allege have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

US Department of the Treasury's Office of Foreign Assets Control (OFAC) is specifically designating Iran's Ministry of Intelligence and Security (MOIS) for "engaging in cyber-enabled activities against the United States and its allies," since at least 2007.

The sanctions mean that US citizens and visitors to the US are prohibited from doing business or carrying out any transactions involving funds, goods, or services with the designated entities or their proxies.

**Albanian Cyberattack Sparks US Action**

The Treasury Department cited a recent cyberattack in July that disrupted the Albanian government as emblematic of Iran's tactics; that incident resulted in the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents.

"Iran's cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public," Brian Nelson, undersecretary of the treasury for terrorism and financial intelligence, said in a statement on Friday. "We will not tolerate Iran’s increasingly aggressive cyber-activities targeting the United States or our allies and partners."

John Hultquist, vice president at Mandiant Intelligence, notes that Iran has a history of targeting the MeK, the group at the center of the Albanian incident. "These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain," he says. "Those operations were a template for the Albania attack."

**Calling Out MuddyWater & APT34**

The sanctions also extend to Minister of Intelligence Esmail Khatib, who the Treasury Department said is responsible for directing APT groups from within MOIS. The Friday announcement specifically mentions his weapon as including the MuddyWater APT (aka OilRig or APT34, specializing in espionage on rival governments) and APT39 (aka Chafer, which the US says supports Iran's human rights abuses).

“MOIS carries out cyber-espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service, the IRGC," says Hultquist, who notes that Mandiant has previously linked both APTs to Tehran. "They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable personally identifiable information (PII)."

US Sanctions Iran Over APT Cyberattack Activity

Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."

**Identity-Related Breaches on the Rise**

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's "2022 Trends in Securing Digital Identities" report.

Turning off basic forms of authentication is a simple way to block attackers, which are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."

The benefits of shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's "2022 Trends in Securing Digital Identities" report.

**Edging Toward Zero-Trust Architectures**

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.

"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or \[that\] haven’t yet embraced zero trust, leaving them exposed," researchers there wrote.

**Obstacles to Secure Identities Remain**

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.

Companies "sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."

Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.  

"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Microsoft, Cloud Providers Move to Ban Basic Authentication

A sweeping effort to prevent a raft of targeted cybercrime groups from posting ransomware victims'  data publicly is hampering their operations, causing outages.

The ransomware-as-a-service (RaaS) groups LockBit and ALPHV (aka BlackCat), among others, have been the focus of distributed denial-of-service (DDoS) attacks targeting their data leak sites, causing downtime and outages.

The attacks have been monitored by Cisco Talos since Aug. 20 and include a wide range of other RaaS groups, including Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz.

Forum posts by the LockBit gang's technical support arm, "LockBitSupp," indicate that the attacks have had a significant impact on the group's activities, with nearly 1,000 servers targeting the leak site with close to 400 requests per second, researchers said.

"Many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites," a Talos blog post explained this week.

The groups have responded in different ways, with some sites simply redirecting web traffic elsewhere, as in the case of the Quantum group, while others have beefed up DDoS protections.

"Given that this activity is continuing to interrupt and hinder the ability for these affiliates and operators to post new victim information publicly, we will likely continue to see various groups respond differently, depending on the resources available to them," the blog post authors noted.

**Shutdowns Offer Respite to Targeted Groups**

Aubrey Perin, lead threat intelligence analyst at Qualys, says in the case of a DDoS attack on RaaS leak sites, victims of criminal hacking gang activity would clearly benefit. Perin notes that the report showcases how effective these attacks are at halting ransomware operations, with outages allowing defenders precious time to investigate.

"If the leak sites are shut down, the victim's infrastructure cannot be announced," Perin says. "The purpose of these types of attacks is to interrupt the gangs' activities," adding that if gangs cannot list victim information, then extortion tactics become far more difficult, and in some cases benign.

However, Perin adds today's bad actors are growing increasingly sophisticated and learning from mistakes on the fly, so they may find workarounds rather quickly.

"More mature gangs have exemplified their agility to quickly re-organize and launch more sophisticated countermeasures for DDoS attacks," Perin explains. Where initial ransomware authors used "spray-and-pray" methods, Perin points out that today's bad actors carry out ransomware attacks as professional operations, with each applying their own "special sauce."

"Organizations each have their own strategies and protocols they follow, and RaaS is no different. Each gang finds what works best, develops strategy, and executes," Perin says. "Each gang's operations are unique to that of other gangs."

Thus, Perin says, without a deeper understanding of a specific gangs' operating schedule and strategy, it is next to impossible to know the real impact to their operations.

"That being said, these attacks certainly have the power to tarnish their reputations," Perin notes.

**Rival Extortion Groups, Government Agencies Could Benefit**

When it comes to who's behind the DDoS efforts, Rick Holland, CISO and vice president of strategy at Digital Shadows, says rival extortion crews and government agencies are two possible beneficiaries of attacks against data leak sites.

"There is no honor among thieves, and there is a history of groups targeting each other," he says. "On the government side, US Cyber Command commander General \[Paul\] Nakasone admitted to targeting ransomware groups last year, so it would be reasonable to assume that the US government has continued efforts to disrupt the adversaries."

Holland says extortionists need to think about their site's resilience, just like legitimate businesses.

"There are other ways for ransomware victims to interact with the actors," he explains. "RaaS representatives are available on forums, and victim negotiations can still be taken offline through various messaging applications."

Andrew Hay, COO at LARES Consulting, adds that the targeted gangs are likely actively combatting the issue.

"We'll likely see the threat groups relocate their servers and services to a more distributed infrastructure to maintain availability, just like any organization would to stay operational," he says.

From Hay's perspective, the report suggests that attacks directed at RaaS data leak sites are likely not going to fade away anytime soon, which could lead to a sort of underground competition for affiliates.

"You don't need to be the best, you just have to be better — or more available — than the other guy," he says.

LockBit, ALPHV & Other Ransomware Gang Leak Sites Hit by DDoS Attacks

More docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

Evidence indicates that the world's ports are returning to pre-pandemic levels. During the first 11 months of 2021, the value of US international freight increased by more than 22% (PDF) compared with the same 11 months in 2020. More freight means more ships docking at port. And not only are more ships docking, but their dwell times are increasing as well. The average container vessel dwell time at the top 25 US container ports was estimated at 28.1 hours in 2020. In the first half of 2021, average container vessel dwell times increased to 31.5 hours.

While this increase in activity is undoubtedly welcome, more docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

**The Cyber-Risk to Ships**

The maritime industry is especially vulnerable to cyber incidents. There are multiple stakeholders involved in the operation and chartering of a ship, which often results in a lack of accountability for the IT and OT system infrastructure and the ship's networks. The systems may rely on outdated operating systems that are no longer supported and cannot be patched or run antivirus checks.

Going forward, this threat is expected to increase. Critical ship infrastructure related to navigation, power, and cargo management has become increasingly digitized and reliant on the Internet to perform a broad range of legitimate activities. The growing use of the Industrial Internet of Things (IIoT) will increase the ships' attack surface.

Common ship-based cyber vulnerabilities include the following:

*   Obsolete and unsupported operating systems
*   Unpatched system software
*   Outdated or missing antivirus software and protection from malware
*   Unsecured shipboard computer networks
*   Critical infrastructure continuously connected with the shore side
*   Inadequate access controls for third parties including contractors and service providers
*   Inadequately trained and/or skilled staff on cyber-risks

**Troubled Waters?**

Maritime cybersecurity has become a significant issue affecting ports around the world. According to the firm Naval Dome, cyberattacks on maritime transport increased by 400% in 2020. Cybersecurity risks are especially problematic to ports around the globe since docked ships regularly interact digitally with shore-based operations and service providers. This digital interaction includes the regular sending of shipping documents via email or uploading documents via online portals or other communications with marine terminals, stevedores, and port authorities.

For example, many port authorities require a Port State Control (PSC) survey to be completed by foreign ships docking in their ports. Among other activities, this survey verifies several ship certificates and approximately 40 different documents required by international maritime authorities.

Some past examples of port-based cyber breaches:

**Port of Rotterdam:** In June 2017, the port of Rotterdam was hit with a ransomware attack that paralyzed the activities of two container terminals operated by APMT, a subsidiary of the Møller-Maersk group. Note that the port of Rotterdam had completely automated its operations as part of a Smart Port strategy.

**Port of Shahid Rajaee:** In May 2020, the port of Shahid Rajaee, Iran, suffered a cyberattack that almost totally shut down its operations. The Washington Post reported that the "computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility." This cyberattack was presumed to be Israel's response to an attack on its water network.

**Port of Kennewick:** In November 2020, the port of Kennewick, Wash., was hit with ransomware that completely locked access to its servers. Even with the small size of this port, it took nearly a week for port authorities to access their data. Malware injected via a phishing email is thought to be the cause of this attack.

Knowing that they are vulnerable to cyber breaches does not help alleviate the challenge to ports that have no choice but to accept documents originating from these ships. If ports block these documents, the ships cannot dock, and this ultimately causes delays in global logistics and the supply chain.

**The Danger**

Ports have no choice but to accept the ships' documents. Refusal to accept these documents means loss of port revenue and blockages in the smooth flow of the supply chain. Document sending must proceed. But file-borne threats pose a significant challenge for ports. Malware is designed to access or damage a computer without the owner's knowledge. Hackers embed malicious code into seemingly innocent files. When those files are opened, the malware automatically executes and allows the hackers to gain access to valuable data or cause damage to the maritime industry.

Many of these threats first enter the ship through email phishing schemes — attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails or uploading malicious documents to website portals. These "hacks'' often exploit vulnerabilities in the ships' networks, using the vessel to gain access to the ship's partners, including the port.

Why Ports Are at Risk of Cyberattacks

No agreement could be reached on terms of a firm offer, the provider of AI-based cybersecurity products says.

US private equity firm Thoma Bravo, which has been on a cybersecurity vendor buying spree lately, has walked away from plans to add British cybersecurity firm Darktrace to its portfolio.

The two sides parted ways after failing to come to an agreement on the terms of a deal. The news sent shares of Darktrace plunging nearly 35% Thursday on the London Stock Exchange, falling from 514.6 pence per share (about US$5.91) at close of trading Wednesday to 337.1 pence per share (roughly $3.87) on Thursday.

Darktrace — a provider of AI-based cybersecurity technologies — on Aug. 15 announced that it had received several "preliminary and conditional proposals" from Thoma Bravo to purchase the company. The security firm said Thoma Bravo was in early discussions to buy it out in an all-cash transaction, but it had cautioned at the time that there was no certainty that an offer would be made.

On Thursday, Darktrace said those discussions had broken down, and that an agreement could not be reached on the terms of an offer.

"Further to the announcement made earlier today by Thoma Bravo that it does not intend to make an offer for the Company, the Board of Darktrace confirms that discussions with Thoma Bravo have terminated," the company said. "As a result of the announcement made earlier today by Thoma Bravo, the Company is no longer in an offer period for the purpose of the UK Takeover Code."

Thoma Bravo did not immediately respond to a Dark Reading request for comment on the development.

British rules governing proposed mergers and acquisition prohibit Thoma Bravo from making an offer for Darktrace for another six months, unless another firm makes a formal offer to buy the company, Reuters and several British media outlets noted.

Darktrace was founded in 2013 and currently claims to have more than 7,400 customers in 110 countries. It reported revenues of $419.3 million for fiscal year 2022 before revising that number down to $415.5 million after determining that $3.8 million in revenues should have been attributed to fiscal year 2021. Darktrace went public on the LSE in April 2021. At one point, the security vendor's market cap hit more than $8 billion, but questions over the company's valuation drove its stock down shortly thereafter and kept it there for most of this year.

Darktrace also has had its share of controversy related to British billionaire Mike Lynch, who is one of the biggest shareholders in the company. Lynch is currently fighting extradition to the US after a British court held him culpable earlier this year of artificially inflating the value of his previous company Autonomy before selling it to HP for $11.1 billion in 2011. HP filed a lawsuit against Lynch after the company was forced to write-down the value of Autonomy by $8.8 billion one year after acquiring the firm.

**Market Valuation an Unlikely Factor**

All of that said, Richard Stiennon, chief research analyst at IT-Harvest, says Thoma Bravo's change of plans likely had little to do with Darktrace being overvalued. In fact, most publicly traded cybersecurity companies are way down from their highs last summer and, if anything, are dramatically undervalued, Stiennon says.

"I don't think Thoma Bravo is backing off of Darktrace because of valuations," he says. "I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace's revenue today."

**Thoma Bravo's Cybersecurity Buying Spree**

The Darktrace acquisition, if it had gone through as planned, would have added yet another company to Thoma Bravo's rapidly growing roster of cybersecurity acquisitions. Recently the private equity firm has spent tens of billions of dollars acquiring the likes of identity service provider SailPoint for $6.9 billion, Ping Identity for $2.8 billion, Proofpoint for $12.3 billion, and Sophos for $3.9 billion.

Overall, 2021 marked a record year for merger and acquisition activity in the cybersecurity sector, with some $77.5 billion in M&A volume and $29.3 billion private equity and venture capital investments, according to Momentum Cyber. Through the end of the first quarter of 2022, Momentum reported $12.2 billion in M&A activity and $7 billion in financing from VCs and PE firms.

Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart

You certainly don't need to panic, but you do need to form a plan to prepare for the post-quantum reality.

Unless you live under a rock, you'll know that quantum computers will break the cryptography we use today in as little as 10 years. Unfortunately, most analysis on this topic is simplistic. The quantum threat is described as though a day will come where quantum is unleashed and all systems will be broken at once. This is far from the truth.

As a CISO, it's important to develop a nuanced understanding of this critical topic. You certainly don't need to panic, but you need to form a plan that's based on your business, with all its idiosyncrasies. Your peers in other companies should be doing the same thing; however, their plans will look different. There is no generic answer to the quantum threat.

In reality, the threat will materialize slowly. The first machines able to run Shor's algorithm will take weeks to break an RSA key. Only the highest value targets will be considered for attack, given the immense cost expected for that amount of computation. Over time, more machines will be capable of breaking keys, and the cost and time associated with the task will reduce dramatically. Eventually, anyone will be able to perform this attack within minutes for minimal cost.

Your goal as a CISO is to assess your risk over this unknown time frame. Do you process data so sensitive that you're likely to be among the first targets? Is some of your data more valuable than the rest? What about the lifetime of the data — how long does it need to remain secret? These are all questions to consider as you create a pragmatic plan to address the quantum threat.

**Understand the Status Quo**

At a recent conference, I heard a law firm describe its response to a major cyberattack. During the confusing first days, the company was desperate to assess whether its critical data was safe. Yet the respondents realized they weren't sure what data mattered most. Eventually they concluded their client data was more important than the rest of the business combined. This shaped the firm's subsequent decisions and accelerated its response time.

Ideally, you would reach these conclusions before a major cyberbreach. And certainly, you must understand your business priorities before you plan your post-quantum migration plan. CISOs need to develop an inventory of every system that describes:

*   The business importance of the data.
*   How cryptography protects the data at rest and in transit.
*   How long the data needs to remain secret. 

If you already have this data in hand, congratulations — you're unusually well-prepared. For most CISOs, however, this information is patchy, at best. Understanding the status quo is the critical first step in your migration.

**Pragmatically Prioritize**

Next comes the difficult piece. With your pragmatic hat on, you need to decide the order in which to migrate your systems to post-quantum algorithms. You can't change everything at once, and it's likely to be years between the time your first systems are migrated and the last.

Your highest priority should be long-term sensitive data that is transmitted across the Internet. This includes health data, government secrets, client data, and intellectual property. This data is especially vulnerable thanks to an attack sometimes known as "hack now, decrypt later," in which attackers record encrypted transmissions to decrypt in the future using a quantum computer.

If your company develops physical devices, such as in the Internet of Things (IoT) industry, you will need to pay particular attention to migrating roots of trust toward post-quantum algorithms. Devices that are expected to remain secure for 10 or more years are definitely at risk from fraudulent firmware once the quantum threat arrives.

This is the hardest step in the migration process because it's unique to your business. But it's worth doing correctly so that you allocate resources appropriately. This process also highlights the vendors you need to work closely with, as they migrate their own systems to post-quantum protection.

**Start Testing**

Once your migration plan is in place, the next step is to perform testing to understand the impact of shifting your systems toward post-quantum algorithms. The new post-quantum algorithms behave differently than the algorithms we use today, and it won't always be a simple task to pull one algorithm out and replace it with another.

Even with the recent NIST announcement of its initial quantum-resistant algorithm candidates, post-quantum algorithms are not yet standardized, and it may take until 2024 until that happens. Use this time wisely to understand where you need to invest additional resources to cope with the changes that lie ahead.

**Take the Chance to Build Better**

Whenever I talk about quantum, I find the conversation quickly drifts to the quantum threat. However, I encourage people to think positively about quantum technology and even the quantum threat itself.

Responding to the threat will require an immense upheaval of systems, similar in scope to the Y2K challenge. This is a rare opportunity to touch each of our systems and change them for the better. It's certain that this algorithm migration won't be the last one we have to conduct. Let's use this opportunity to build crypto agility into our systems, so the next migration is far less painful.

And while we are rebuilding crypto systems, we should explore how we can build on firmer foundations. This is where quantum technology has a role to play. As we look to a future where threat actors have quantum computers as a weapon, we should look to defend ourselves with the same amount of power. Quantum is a dual-edged sword, and we should ensure that, as defenders, we are ready to wield it for protection as well.

Source

DARKReading