US cybersecurity services firm expands services in Latin America.

**SCOTTSDALE, Ariz., Aug. 29, 2022** (GLOBE NEWSWIRE) — Cerberus Cyber Sentinel Corporation (NASDAQ: CISO), an industry leader as a managed cybersecurity and compliance provider, based in Scottsdale, Ariz., announced that it has completed the acquisition of CUATROi, a cloud managed services provider and cybersecurity company with headquarters in Santiago, Chile, and offices in Bogotá, Colombia, and Lima, Peru. Under the terms of the agreement, CUATROi became a wholly owned subsidiary of Cerberus Sentinel.

CUATROi is a secured managed services provider to organizations throughout South America. Alejandro Torchio, CEO of CUATROi, will continue to manage the company's team of professionals and will work closely with the leadership team in Latin America.

“CUATROi is an excellent cultural fit with the Cerberus Sentinel family of companies,” said David Jemmett, CEO and founder of Cerberus Sentinel. “Cybersecurity is a worldwide problem that requires global capabilities to address the security demands of businesses and organizations. CUATROi has been partners with our Arkavia Networks team, also based in Santiago, Chile, for several years. They are a great addition to our growth strategy throughout Latin America.”

“We are very pleased to be part of the Cerberus Sentinel family of companies, a worldwide company and a global leader in cybersecurity, whose culture is similar to CUATROi. I want to thank the entire CUATROi team at the regional level who, through teamwork, managed to position ourselves regionally as a technological partner for our clients. I am sure that this will be a great opportunity for all of us to be part of a world-class company like Cerberus Sentinel,” said Alejandro Torchio, CEO, CUATROi.

CUATROi will continue to be based in Chile.

**About Cerberus Sentinel**

Cerberus Sentinel is an industry leader as a managed cybersecurity and compliance provider. The company is rapidly expanding by acquiring world-class cybersecurity, secured managed services, and compliance companies with top-tier talent that utilize the latest technology to create innovative solutions to protect the most demanding businesses and government organizations against continuing and emerging security threats and compliance obligations.

**Safe Harbor Statement**

This news release contains certain statements that may be deemed to be forward-looking statements under federal securities laws, and we intend that such forward-looking statements be subject to the safe-harbor created thereby. Such forward-looking statements include, among others, our belief that CUATROi is an excellent cultural fit with the Cerberus Sentinel family of companies; and our belief that CUATROi is a great addition to our growth strategy throughout Latin America. These statements are often, but not always, made through the use of words or phrases such as "believes," "expects," "anticipates," "intends," "estimates," “predict,” "plan," “project,” “continuing,” “ongoing,” “potential,” “opportunity,” "will," "may," "look forward," "intend," "guidance," "future" or similar words or phrases. These statements reflect our current views, expectations, and beliefs concerning future events and are subject to substantial risks, uncertainties, and other factors that could cause actual results to differ materially from those reflected by such forward-looking statements. Such factors include, among others, risks related to our ability to raise capital; our ability to increase revenue and cash flow and become profitable; our ability to recruit and retain key talent; our ability to identify and consummate acquisitions; our ability to acquire, attract, and retain clients; and other risks detailed from time to time in the reports filed with the Securities and Exchange Commission, including the Annual Report on Form 10-K for the fiscal year ended December 31, 2021. You should not place undue reliance on any forward-looking statements, which speak only as of the date they are made. Except as required by law, we assume no obligation and do not intend to update any forward-looking statements, whether as a result of new information, future developments, or otherwise.

SOURCE: Cerberus Cyber Sentinel Corporation

Cerberus Sentinel Announces Acquisition of CUATROi

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap.

Practically speaking, quantum computers are still years away, but the US Cybersecurity and Infrastructure Agency is still recommending that organizations begin preparations for the migration to the post-quantum cryptographic standard.

Quantum computers use quantum bits (qubits) to deliver higher computing power and speed, and are expected to be capable of breaking existing cryptographic algorithms, such as RSA and elliptic curve cryptography. This would impact the security of all online communications as well as data confidentiality and integrity. Security experts have warned that practical quantum computers could be possible in less than ten years.

The National Institute of Standards and Technology announced the first four quantum-resistant algorithms that will become part of the post-quantum-cryptographic standard in July, but the final standard is not expected until 2024. Even so, CISA is encouraging critical infrastructure operators to begin their preparations in advance.

“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” CISA says.

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap. The first step should be creating an inventory of vulnerable critical infrastructure systems, CISA said.

Organizations should identify where, and for what purpose, public key cryptography is being used, and mark those systems as quantum-vulnerable. This includes creating an inventory of the most sensitive and critical datasets that must be secured for an extended amount of time, and all systems using cryptographic technologies. Having a list of all the systems would ease the transition when it comes times to make the switch.

Organizations will also need to assess the priority level for each system. Using the inventory and prioritization information, organizations can then develop a systems transition plan for when the new standard is published.

Security professionals are also encouraged to identify acquisition, cybersecurity, and data security standards that will need to be updated to reflect post-quantum requirements. CISA encourages increasing engagement with organizations developing post-quantum standards.

The agency’s focus on the inventory echoes the recommendations made by Wells Fargo at RSA Conference earlier this year. In a session discussing the financial giant’s quantum journey, Richard Toohey, technology analyst at Wells Fargo, suggested that organizations begin their crypto inventory.

"Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" Toohey said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

Wells Fargo has a “very aggressive goal” to be ready to run post-quantum cryptography in five years, according to Dale Miller, the chief artchitect of information security architecture at Wells Fargo.

Migrating industrial control systems (ICSs) to post-quantum cryptography will be a major challenge for critical infrastructure operators, mainly because the equipment is often geographically dispersed, CISA said in the alert. Even so CISA urged critical infrastructure organizations to include in their strategies the actions needed to address risks from quantum computing capabilities.

CISA is not the only one sounding the alarm about getting started. In March, the Quantum-Safe Working Group of the Cloud Security Alliance (CSA) set a deadline of April 14, 2030, by which companies should have their post-quantum infrastructure in place.

“Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available,” CISA said.

A Peek Into CISA's Post-Quantum Cryptography Roadmap

Documents appear to show that Israeli spyware company Intellexa sold a full suite of services around a zero-day affecting both Android and iOS ecosystems.

Last month, an unknown customer appears to have shelled out around €8 million for a full-service zero-day remote control execution (RCE) exploit. 

Screenshots shared of the zero-day exploit bill of sale are dated July 14 and show that Intellexa, a spyware company, sold a product it called Nova Suite to an unknown buyer. It promised turnkey infections for Android, as well as iOS devices. The paperwork references iOS version 15.4.1 from March, but it's unclear how many devices remain vulnerable. 

Intellexa also promised the malware is delivered with just one click and uses the browser to inject the Android and iOS payload to mobile devices. The purchase price also includes data analysis, a "magazine" of 100 other infections, and even a full year's warranty. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Receipt for €8M iOS Zero-Day Sale Pops Up on Dark Web

Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the technology can make it easy to make security mistakes.

There used to be a time where risk-averse organizations could severely limit their business users' ability to make costly mistakes. With limited technical know-how, strict permissions, and lack of tailwind, the worst thing a business user could do was download malware or fall for a phishing campaign. Those days are now gone.

Nowadays, every major software-as-a-service (SaaS) platform comes bundled with automation and application-building capabilities that are designed for and marketed directly to business users. SaaS platforms like Microsoft 365, Salesforce, and ServiceNow are embedding no-code/low-code platforms into their existing offerings, placing them directly in the hands of business users without asking for corporate approval. Capabilities that were once available only to the IT and development teams are now available throughout the organization.

Power Platform, Microsoft's low-code platform, is built into Office 365 and is a great example due to Microsoft's strong foothold in the enterprise and the rate in which it is adopted by business users. Perhaps without realizing it, enterprises are placing developer-level power in the hands of more people than ever before, with far less security or technical savvy. What could possibly go wrong?

Quite a lot, actually. Let's examine a few real-world examples from my experience. The information has been anonymized, and business-specific processes were omitted.

**Situation 1: New Vendor? Just Do It**

The customer care team at a multinational retail company wanted to enrich their customer data with consumer insights. In particular, they were hoping to find more information about new customers so that they could better serve them, even during their initial purchase. The customer care team decided on a vendor they would like to work with. The vendor required data to be sent to them for enrichment, which would then be pulled back by their services.

Normally, this is where IT comes into the picture. IT would need to build some sort of integration to get data to and from the vendor. The IT security team would obviously need to be involved, too, to ensure this vendor can be trusted with customer data and approve the purchase. Procurement and legal would have taken a key part, as well. In this case, however, things went in a different direction.

This particular customer care team were Microsoft Power Platform experts. Instead of waiting around for resources or approval, they just went ahead and built the integration themselves: collecting customer data from SQL servers in production, forwarding it all to an FTP server provided by the vendor, and fetching enriched data back from the FTP server to the production database. The entire process was automatically executed every time a new customer was added to the database. This was all done through drag-and-drop interfaces, hosted on Office 365, and using their personal accounts. The license was paid out-of-pocket, which kept procurement out of the loop.

Imagine the CISO's surprise when they found a bunch of business automations moving customer data to a hard-coded IP address on AWS. Being an Azure-only customer, this raised a giant red flag. Furthermore, the data was being sent and received with an insecure FTP connection, creating a security and compliance risk. When the security team found this through a dedicated security tool, data had been moving in and out of the organization for almost a year.

**Situation 2: Ohh, Is It Wrong to Collect Credit Cards?**

The HR team at a large IT vendor was preparing for a once-a-year "Give Away" campaign, where employees are encouraged to donate to their favorite charity, with the company pitching in by matching every dollar donated by employees. The previous year's campaign was a massive success, so expectations were through the roof. To power the campaign and alleviate manual processes, a creative HR employee used Microsoft's Power Platform to create an app that facilitated the entire process. To register, an employee would log in to the application with their corporate account, submit their donation amount, select a charity, and provide their credit card details for payment.

The campaign was a huge success, with record-breaking participation by employees and little manual work required from HR employees. For some reason, though, the security team was not happy with the way things turned out. While registering to the campaign, an employee from the security team realized that credit cards were being collected in an app that did not look like it should be doing so. Upon investigation, they found that those credit card details were indeed improperly handled. Credit card details were stored in the default Power Platform environment, which means they were available to the entire Azure AD tenant, including all employees, vendors, and contractors. Furthermore, they were stored as simple plaintext string fields.

Fortunately, the data-processing violation was discovered by the security team before malicious actors — or compliance auditors — spotted it. The database was cleaned up, and the application was patched to properly handle financial information according to regulation.

**Situation 3: Why Can't I Just Use Gmail?**

As a user, nobody likes enterprise data loss prevention controls. Even when necessary, they introduce annoying friction to the day-to-day operations. As a result, users have always tried to circumvent them. One perennial tug-of-war between creative business users and the security team is corporate email. Syncing corporate email to a personal email account or corporate calendar to a personal calendar: Security teams have a solution for that. Namely, they put email security and DLP solutions in place to block email forwarding and ensure data governance. This solves the problem, right?

Well, no. A repeated finding across large enterprises and small businesses finds that users are creating automations that bypass email controls to forward their corporate email and calendar to their personal accounts. Instead of forwarding emails, they copy and paste data from one service to another. By logging into each service with a separate identity and automating the copy-paste process with no-code, business users bypass security controls with ease — and with no easy way for security teams to find out.

The Power Platform community has even developed templates that any Office 365 user can pick up and use.

**With Great Power Comes Great Responsibility**

Business user empowerment is great. Business lines should not be waiting for IT or fighting for development resources. However, we can't just give business users developer-level power with no guidance or guardrails and expect that everything will be alright.

Security teams need to educate business users and make them aware of their new responsibilities as application developers, even if those applications were built using "no code." Security teams should also put guardrails and monitoring in place to ensure that when business users make a mistake, like we all do, it will not snowball into full-blown data leaks or compliance audit incidents.

3 Ways No-Code Developers Can Shoot Themselves in the Foot

Businesses need to re-evaluate their cyber-insurance policies as firms like Lloyd's of London continue to add restrictions, including excluding losses related to state-backed cyberattackers.

Companies will need to re-evaluate their cyber-insurance premiums after major insurance companies have adopted exclusions for catastrophic cyberattacks conducted by "state-backed" actors.

This limits the risk that companies can offset with cyber insurance, security and risk experts tell Dark Reading — making taking out a policy potentially not worth it.

In the latest limits on cyber policies, insurance marketplace Lloyd's of London issued a notice on Aug. 16 to its member insurers, or syndicates, requiring that they exclude coverage for state-backed cyberattacks. The motive for the additional restrictions is to protect insurance companies and their underwriters from catastrophic loss, and help manage systemic risk that could overwhelm insurers, Lloyd's market bulletin stated.

**Is Cyber Insurance Still Worth It?**

While the insurers' position is understandable, businesses — which have already seen their premiums skyrocket over the past three years — should question whether insurance still mitigates risk effectively, says Pankaj Goyal, senior vice president of data science and cyber insurance at Safe Security, a cyber-risk analysis firm.

"Insurance works on trust, \[so answer the question,\] 'will an insurance policy keep me whole when a bad event happens?' " he says. "Today, the answer might be 'I don't know.' When customers lose trust, everyone loses, including the insurance companies."

The cyber-insurance industry has seen profits decline sharply in the past decade, as losses jumped from 35% of the revenue from premiums five years ago, to 72% in 2020. To adapt, insurance companies have dramatically raised the cost of policies — by 74% just in 2021, after rising 22% in 2020, according to FitchRatings.

    

Cyber insurance loss ratios peaked at 72% in 2020. Source: FitchRatings

Yet, insurance firms have also focused on limiting their liability. In 2021, global insurance firm AXA decided to stop paying ransoms to cybercriminals. And over the past two years, insurance companies have added act-of-war exclusions to their policies.

In its market bulletin (PDF), Lloyd's argued that the risk posed by cyberattacks continues to evolve and its members need to adapt to the threats posed by large or widely distributed attacks. While wartime risks are often excluded, Lloyd's requires that syndicates go further and ensure that certain policies have "a suitable clause excluding liability for losses arising from any state-backed cyberattack."

"If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage," the insurance facilitator stated. "In particular, the ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb."

The decisions come after pharmaceutical firm Merck won its lawsuit against its insurers after they refused to pay its $1.4 billion in business losses sustained in the NotPetya crypto-ransomware attack in 2017. The judge in the case ruled that the insurance policies' act-of-war exclusion did not apply, because the clause was meant to only exclude losses during armed conflicts.

Regardless, the policy changes are poorly thought out, some argue. 

 "Signs point to continued breaches and hacks, resulting in a longer claims process, and more litigations," says Goyal. "Unless the industry can collectively fix the way cyber insurance policies are understood, written and priced, ensuring that they are based on actual data and individual organizational risk — one size does not fit all — there is no end to the challenges and mistrust in cyber insurance."

**Too Broad an Exclusion**

The key problem is that the term "state-backed cyberattack" could be a very broad exclusion, and if abused by the insurance industry, one that will scuttle the usefulness of cyber insurance, experts say.

Attributing an attack to a nation-state is notoriously difficult, says James Turgal, vice president of cyber-risk and strategy for Optiv, a cybersecurity consultancy.

"Even if a computer involved in the attacks was traced back to an IP address located in an Iranian or North Korean military base, that doesn't necessarily mean that it was an attack done with the knowledge of or at the direction of the government's authorities," he says. "It could have been compromised by hackers in other countries \[as a false-flag attempt\]."

Currently, almost two-thirds of companies — 64% — suspect that they have been either directly targeted or impacted by a nation-state attack, says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. Many of the major sources of cyberattacks against North American, European, and Asian companies come from cybercriminal groups linked in some way with China, Iran, North Korea, or Russia. Whether that link will equate to being "state-backed" is an open question.

"These companies are clearly going to be worried about whether insurers will deem most attacks to be nation-state sponsored," he says. "As a result, we expect most businesses that are serious about security to double down on their efforts to protect themselves from hackers in the first place."

Insurers will have to develop clear guidelines regarding what evidence and data will be used to determine the attribution of an attack, and what behavior patterns or data points they will consider in determining whether an attack is state-backed, he says.

**Time to Beef Up Cyberdefenses**

Indeed, the exclusion will likely result in fewer companies relying on cyber insurance as a way to mitigate catastrophic risk. Instead, companies need to make sure that their cybersecurity controls and measures can mitigate the cost of any catastrophic attack, says David Lindner, chief information security officer at Contrast Security, an application security firm.

Creating data redundancies, such as backups, expanding visibility of network events, using a trusted forensics firm, and training all employees in cybersecurity can all help harden a business against cyberattacks and reduce damages.

"Organizations cannot just rely on their cyber insurance policy and must proactively protect themselves from these catastrophic cyberattacks," Lindner says.

Companies also should not expect insurance firms to reverse course. Their approach is just a continuation of the industry's reactive approach to cyber insurance, says Safe Security's Goyal. Insurance firms have increased premiums, put sub-limits on ransomware, and now, have adopted arguably broad exclusions, which may just result in delayed payouts and an increase in lawsuits when insurers refuse to pay out on a large policy.

Cyber-Insurance Firms Limit Payouts, Risk Obsolescence

Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.

NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.

The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.

Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.

Contradicting the cyberattackers' claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company's internal networks.

NATO, meanwhile, is "assessing claims relating to data allegedly stolen from MBDA," a NATO official told Dark Reading on Monday.

"We have no indication that any NATO network has been compromised," the official said.

**Double Extortion**

MBDA acknowledged in early August that it was "the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company's information networks," in a post on its website.

The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.

Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.

NATO is investigating one of the firm's suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.

The company is working with authorities in Italy, where the breach occurred.

MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.

**Classified Info & Ukraine**

Hackers claimed in their ad for the leaked data to have "classified information about employees of companies that took part in the development of closed military projects," as well as "design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies," according to the BBC.

Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.

This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on Feb. 24.

After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.

The sample data viewed by the BBC also included documents labelled "NATO CONFIDENTIAL," "NATO RESTRICTED," and "Unclassified Controlled Information," according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.

The criminals also sent by email documents to the BBC including two marked "NATO SECRET," according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.

Nonetheless, MBDA insists that the verification processes that the company has executed so far "indicate that the data made available online are neither classified data nor sensitive."

NATO Investigates Dark Web Leak of Data Stolen From Missile Vendor

CISOs must adopt a new mindset to take on the moving targets in modern cybersecurity.

The concept of cybersecurity will always be defined by moving targets. Protecting an organization’s sensitive and valuable assets boils down to a competition, with bad actors attempting to outperform their targets with novel tools and strategies.

While the cybersecurity industry has always been marked by changing trends and the sudden debut of new technologies, the pace of change is accelerating. In just the last year, enterprises and large institutions have seen their activities frozen by ransomware, while major data breaches have damaged the reputations of towering organizations such as Facebook and LinkedIn. The emergence of cloud-native and hybrid cloud applications, in particular, has led to renewed security concerns. According to Flexera's 2022 State of the Cloud Report, 85% of respondents see security as their top cloud challenge.

Dramatic headlines regarding attacks and ransomware can cause cybersecurity leaders to become hyper-focused on preventing a breach at all costs. However, despite the sensational headlines that often accompany cybersecurity attacks, a breach doesn’t have to be a catastrophe. With the right combination of defensive tactics and pre-positioning, cybersecurity leaders can build confidence in the strength of their systems.

CISOs must adopt a new mindset to take on the moving targets in modern cybersecurity. These three questions will help security leaders understand how to best defend their most sensitive assets.

**1\. Where Is My Data?**

When cybersecurity leaders aim to prevent breaches by any means necessary, they're operating from a place of fear. This fear is caused by a lack of knowledge or understanding: When an organization doesn’t know where its sensitive data is kept and how well that data is protected, it can be easy to imagine any scenario in which the system is breached.

The first step toward achieving an effective cybersecurity posture is knowing exactly where data is being kept. Lack of awareness doesn’t just increase the risk of a data breach; it also increases the likelihood that an organization devotes critical resources to protect data that isn’t sensitive. CISOs must take steps to put data at the center of their security and prioritize the data that is most valuable to the business.

To protect their most valuable assets, organizations need to understand where data is stored within complex cloud architectures. After cataloging these assets, organizations must then classify whether the data holds real business value. Taking this data-centric approach to security ensures that an organization's most valuable assets are secured while spending less time on assets that require less security.

**2\. Where Is My Data Going?**

While an organization may be able to catalog where data is stored within its own systems, the challenge of cloud computing is in keeping track of where sensitive data is going. Today, developers and other employees can make a copy of sensitive data with a single click, with the potential to take that information outside of a protected environment and make it vulnerable to attacks. Automated data pipelines and data services can also extract data and move it elsewhere, leaving organizations with no idea as to who has access to their most valuable information.

Once organizations understand where data is kept and which assets are most valuable, they must then tag that sensitive data and track where it is going. This type of research can reveal a wide variety of surprises. For example, sensitive data could be traveling to a foreign server, taking it out of compliance with geographic regulations, or a bad actor could be accessing a single asset at the same time every night. When data travels, it must travel with its security posture — knowing where it’s going is key to understanding and predicting potential threat vectors.

**3\. What Happens if I Get Hacked?**

The constantly changing nature of cybersecurity, combined with the increasing number of attacks and breaches, means that it's highly likely that organizations will experience a breach during the course of their regular operations. However, this shouldn’t be reason to panic. Effective pre-positioning ensures that security teams can better manage risk and have the tools in place to ensure business continuity when a bad actor has gained access to their systems.

In this proactive approach to cybersecurity, knowledge is power. When organizations know which assets are most important and where these assets are located, it becomes much easier to protect them prior to being breached. CISOs and other security leaders must wade through an overwhelming amount of alerts and information; discovering and prioritizing high-value information makes it possible to triage operations and focus on what matters most.

In the constant battle between hackers and cybersecurity teams, the side that remains calm and projects confidence will be the winner. Focusing on preparation and knowledge allows cybersecurity leaders to remain confident in the strength of their systems, knowing that even the inevitable breach will not have any catastrophic impact.

The 3 Questions CISOs Must Ask to Protect Their Sensitive Data

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

Microsoft 365 Empowers Business Users to Shoot Themselves in the Foot

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

August 29, 2022

Citizen development allows users to design creative solutions for immediate problems, but it requires training and oversight to avoid security holes.

by Michael Bargury, CTO & Co-Founder, Zenity

August 29, 2022

6 min read

Article

Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

August 24, 2022

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

by Kolawole Samuel Adebayo, Contributing Writer

August 24, 2022

5 min read

Article

Meta Takes Offensive Posture With Privacy Red Team

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

August 23, 2022

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

by Jeffrey Schwartz, Contributing Writer, Dark Reading

August 23, 2022

6 min read

Article

Expiring Root Certificates Threaten IoT in the Enterprise

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

August 22, 2022

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

by Julianne Pepitone, Contributing Writer

August 22, 2022

6 min read

Article

NIST Weighs in on AI Risk

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

August 20, 2022

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

by Edge Editors, Dark Reading

August 20, 2022

3 min read

Article

Thoma Bravo Closes $6.9B Acquisition of Identity-Security Vendor SailPoint

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

August 17, 2022

All-cash transaction deal that was first announced in April means SailPoint is no longer a publicly traded company.

by Dark Reading Staff, Dark Reading

August 17, 2022

1 min read

Article

Cybercriminals Weaponizing Ransomware Data for BEC Attacks

Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

August 12, 2022

Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

by Edge Editors, Dark Reading

August 12, 2022

3 min read

Article

Looking Back at 25 Years of Black Hat

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

August 10, 2022

The Black Hat USA conference's silver jubilee is an opportunity to remember its defining moments, the impact it has made on the security community, and its legacy.

by Andrada Fiscutean, Contributing Writer, Dark Reading

August 10, 2022

9 min read

Article

Don't Take the Cyber Safety Review Board's Log4j Report at Face Value

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

August 09, 2022

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

by Matt Chiodi, Chief Trust Officer, Cerby

August 09, 2022

5 min read

Article

What Adjustable Dumbbells Can Teach Us About Risk Management

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

August 08, 2022

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

by Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

August 08, 2022

5 min read

Article

Name That Edge Toon: Up a Tree

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

August 01, 2022

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

by John Klossner, Cartoonist

August 01, 2022

1 min read

Article

Overcoming the Fail-to-Challenge Vulnerability With a Friendly Face

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

July 27, 2022

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

by Karen Spiegelman, Features Editor

July 27, 2022

6 min read

Article

Why Layer 8 Is Great

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

July 25, 2022

To help discern legitimate traffic from fraud, it helps to understand user intent as shown through their behavior.

by Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

July 25, 2022

4 min read

Article

Understanding Proposed SEC Rules Through an ESG Lens

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

July 22, 2022

Cyber threats are putting environmental, social, and governance discussions at the forefront of board meetings and C-suite discussions around the globe.

by Stephen Lawton, Contributing Writer

July 22, 2022

5 min read

Article

Equitable Digital Identity Verification Requires Moving Past Flawed Legacy Systems

Data science can be used to improve access to government assistance while reducing fraud.

July 21, 2022

Data science can be used to improve access to government assistance while reducing fraud.

by Jordan Burris, Senior Director of Product Market Strategy for the Public Sector, Socure

July 21, 2022

5 min read

Article

Microsoft 365 Empowers Business Users to Shoot Themselves in the Foot

Researchers warned that cyberattackers will be probing the code for weaknesses to exploit later.

Cyberattackers have compromised the internal systems of LastPass, making off with source code and intellectual property.

The password management company said it detected anomalous activity in its development environment two weeks ago. After digging into the forensic data, investigators determined that someone (or someones) compromised a developer account to gain access to the network, taking "portions of source code and some proprietary LastPass technical information," according to an announcement posted this week.

Crucially, the adversaries weren't able to access customer data or encrypted password vaults.

"We utilize an industry-standard 'zero-knowledge' architecture that ensures LastPass can never know or gain access to our customers' Master Password \[and it\] ensures that only the customer has access to decrypt vault data," according to LastPass.

That said, Ajay Arora, co-founder and president at BluBracket, noted that attackers will be looking hard for potential weaknesses to exploit in the LastPass source code, potentially leading to follow-on attacks.

"An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, also said in a statement that the attackers could have been probing around to see if they could find an avenue into LastPass partner or supplier networks.

“Cybersecurity companies are being targeted to facilitate island hopping," he said. "After the FireEye breach, the industry should have woken up. In 2022, cybersecurity companies must practice what they preach. Many still underinvest in their own cybersecurity. Expect to be hit and prepare to respond.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LastPass Suffers Data Breach, Source Code Stolen

Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for "Sliver." It's an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.

"What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike \[by defenders\]," says Josh Hopkins, research lead at Team Cymru. "Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected," he says.

Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.

**Growing Use**

Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.

Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.

**An Attractive Alternative for Adversaries**

Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.

Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant. 

"Stagers are used by many C2 frameworks to minimize the malicious code that's included in an initial payload (for example, in a phishing email)," Microsoft said. "This can make file-based detection more challenging."

Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.

"Sliver lowers the barrier of entry for attackers. \[It\] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses," he notes. 

But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. "Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it," he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.

And finally, the fact that it's free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.

**Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks**

At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn. 

In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes. 

"Defenders would be unwise to take their eyes off Cobalt Strike," Hopkins says. "Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks."

Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called "Bumblebee". The company's chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors. 

"Sliver has a lot of features, \[but\] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users," he says "This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection."

Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes. 

Earlier this year, Palo Alto Networks' Unit 42 threat-hunting team uncovered what appeared to be Russia's notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign. 

Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called "Mythic" following some initial indications of adoption within the threat-actor community.  

Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says. 

"\[So\], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks," he notes.

Source

DARKReading