Chris Cleveland, founder of PIXM, talks about phishers’ evasive maneuvers and how organizations can tap Computer Vision to keep email and its users safe.

Chris Cleveland, founder of PIXM, talks about phishers’ evasive maneuvers and how organizations can tap Computer Vision to keep email and its users safe.

Dark Reading

Phishing remains one of the biggest enterprise vulnerabilities for security professionals. Chris Cleveland, founder of PIXM, talks about phishers’ evasive maneuvers and how organizations can tap Computer Vision to keep email and its users safe. He also describes recent phishing threat activity that PIXM has been tracking, and he discusses the effectiveness of security training efforts for employees.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

White Papers

*   Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
*   Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report

Webinars

*   Black Hat Spring Trainings - June 13-16 - Learn More
*   Preventing Attackers from Navigating Your Enterprise Systems

Reports

*   Zero Trust and the Power of Isolation for Threat Prevention
*   2021 Digital Transformation Report

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Webinars

*   Black Hat Spring Trainings - June 13-16 - Learn More
*   Preventing Attackers from Navigating Your Enterprise Systems
*   Protecting Enterprise Data from Malicious Insiders
*   Cybersecurity Outlook 2022 - December 8 Virtual Event
*   Beyond Patch Management: Next-Generation Approaches to Finding and Fixing Vulnerable Code

White Papers

*   Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
*   Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
*   Business Buyers Guide to Password Managers
*   The Rise of Extended Detection & Response
*   Supply Chain Cyber Risk Management Whitepaper

More Insights

White Papers

*   Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
*   Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report

Webinars

*   Black Hat Spring Trainings - June 13-16 - Learn More
*   Preventing Attackers from Navigating Your Enterprise Systems

Reports

*   Zero Trust and the Power of Isolation for Threat Prevention
*   2021 Digital Transformation Report

PIXM: Stopping Targeted Phishing Attacks With 'Computer Vision'

The countermeasure, which compares the time and voltage at which circuits are activated, is being implemented in 12th Gen Intel Core processors.

Intel has developed and incorporated a circuit into its latest line of PC chips that can detect when attackers are using motherboard exploits to extract information from PC devices.

The "tunable replica circuit" on the latest Intel chips can detect attempts to glitch systems through voltage, clock, or electromagnetic techniques, Intel said during Black Hat. Attackers use these techniques to insert their own firmware and take control of the device.

"Every semiconductor ever produced is vulnerable to these attacks. The question is, how easy is it to exploit? We've just made it a lot harder to exploit because we detect these attacks," says Daniel Nemiroff, senior principal engineer at Intel.

The circuit is being implemented in Alder Lake, the 12th Gen Intel Core processors, which are used in laptops. Servers may get this technology at a later date, Nemiroff says.

**The Circuit's Inner Workings**

Typically, when a computer turns on, the silicon's power management controller waits for the voltage to ramp to a certain value before it starts activating components. For example, the power management controller activates the security engine, the USB controller, and other circuits when they reach their voltage values.

Under normal operations, once the microcontrollers activate, the security engine loads its firmware. In this motherboard hack, attackers attempt to trigger an error condition by lowering the voltage. The resulting glitch gives attackers the opportunity to load malicious firmware, which provides full access to information such as biometric data stored in trusted platform module circuits.

The tunable replica circuit protects systems against such attacks. Nemiroff describes the circuit as a countermeasure to prevent the hardware attack by matching the time and corresponding voltage at which circuits on a motherboard are activated. If the values don't match, the circuit detects an attack and generates an error, which will cause the chip's security layer to activate a failsafe and go through a reset.

"The only reason that could be different is because someone had slowed down the data line so much that it was an attack," Nemiroff says.

Such attacks are challenging to execute because attackers need to get access to the motherboard and attach components, such as voltage regulators, to execute the hack. The attackers will also need to know the exact time at which to mount a voltage glitch and what voltage they should drive to the pin.

"It's practical in the sense that if someone has stolen your machine from a taxi \[and\] brings it to their lab, they've got all the time in the world to open the laptop and then solder the right voltage generator lines to the machine itself," Nemiroff said.

That is the reason why the circuit is currently being integrated into chips used for laptops and not servers and desktops. Servers and desktops are not as portable and, thus, harder to steal, Nemiroff says.

**Deploying Countermeasures**

While no evidence of a motherboard exploit used in this manner exists, defenses need to be incorporated now, before attacks become widespread.

"There's no recorded exploit of an Intel PC system using these attacks, but there are various examples of other devices that have been attacked that are more interesting, like discrete TPMs and smart cards," Nemiroff says.

Glitching the security of a system isn't novel; it has existed in pay TV and smart cards for more than two decades, said Dmitry Nedospasov, who runs hardware security services provider Toothless Consulting and Advanced Security Training, which provides information security training.

Intel is adding system countermeasures to its platform controller hub, not its CPU. It's not clear to what extent the countermeasure implemented in the controller hub would be capable of protecting the system.

"The threat model is not clear and so is the reason why this mitigation is required," Nedospasov said.

As to the effectiveness of the circuit, it will be hard to verify whether it works without some kind of peer review, Nedospasov said.

"It's not clear what will and will not work in practice," Nedospasov said.

A lot of the patents on hardware countermeasures for chips were created in the 1990s and early 2000s, many of which came from pay TV.

"What this also means is that the 20-year patent periods have already expired or are expiring in the coming years. Many in the industry believe that we can expect more and more hardware countermeasures as manufacturers will no longer have to license the patents to implement these protections," Nedospasov said.

It is possible customers are putting pressure on Intel to shore up its on-chip security mechanisms, Nedospasov said.

"The bar is being raised and people are running out of software and firmware attacks, but they are going to come at us with hardware attacks. We figure this is the right time to deploy those kinds of countermeasures," Nemiroff said.

Intel Adds New Circuit to Chips to Ward Off Motherboard Exploits

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

As organizations begin to adopt AI products, systems, and services into their environment, they are looking for guidance on mitigating algorithmic biases and other risks. The big fear of AI is that it may be used in ways the designers did not attend.  

This focus – being aware of human impact on technology – is part of the “socio-technical” effort by the National Institute of Standards and Technology to develop a framework to help organizations navigate bias in AI and incorporating trust in the systems. NIST is currently asking for public and private comments on the second draft of the Artificial Intelligence Risk Management Framework and on the companion NIST AI RMF Playbook. The AI RMF Playbook is intended to help organizations implement the framework, with suggested actions, references, and supplementary guidance.

The framework is split into to four functions: Govern, Map, Measure, and Manage. The playbook will offer guidance on the first two functions, Govern and Map. Recommendations for the latter two, Measure and Manage, will be available at a later date.

NIST says its socio-technical approach will “connect the technology to societal values,” and will develop guidance that considers ways humans can impact how technology is used. The framework also examines “the interplay between bias and cybersecurity and how they interact with each other,” NIST said when the first draft was introduced.

The NIST Artificial Intelligence Risk Management Framework has focused on three types of biases associated with AI: statistical, systemic, and human. Current recommendations include fostering a governance structure with clear individual roles and responsibilities, and a professional culture that supports transparent feedback on technologies and products. A systemic bias would be a business or operating process which contributes to a consistently skewed decision.

“From my experience, what I’ve seen is the reliance on AI too much,” says Chuck Everette, director of cybersecurity advocacy at Deep Instinct. ”I see it too often that organizations forget that threats are constantly evolving and changing, therefore you have to make sure your AI algorithms are properly tuned and your models are properly being adapted to the newest threats. Also, I’ve seen cases where bias data has been used and introduced, therefore leaving environments open to certain types of attack due to inaccurate data training.”

The comment period for both draft versions end Sept. 29. The final version of the AI RMF is expected in early 2023, and playbook will be after that.

NIST Weighs in on AI Risk

The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.

Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.

The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Ai2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.

**Remote Code Execution Flaws**

One of the zero-days (CVE-2022-32893) exists in WebKit, Apple's browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in one of its typically terse vulnerability disclosures this week. "Apple is aware of a report that this issue may have been actively exploited," the company noted.

The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.

Apple said it had implemented "improved bounds checking" in iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 to address both issues.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple's technologies puts both businesses and consumers at risk from the vulnerabilities. "While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors," she says.

**WebKit Flaw Has Wider Impact**

In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up "booby-trapped" Web pages that can trick Macs, iPhones, and iPads into running untrusted software. "Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page," the security vendor said.

The flaw has widespread impact because WebKit powers all Web rendering software on Apple's mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.

"The WebKit component is particularly problematic, as it is the browser engine across all Apple software," says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "Apple users should patch now. These updates need to be applied as soon as possible."

**Both Consumers & Organizations at Risk**

Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.

"Apple is light on the technical details of this week's two zero-day vulnerabilities," he says. "However, it is never reassuring to see the phrase 'execute arbitrary code with kernel privileges'," as Apple's disclosure reads.

Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees' lives and provide patching instructions, including how to enable automatic updates.

Mike Parkin, senior technical engineer at Vulcan Cyber, says there's not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild is concerning, he says, especially because they allow for remote code execution. Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments, he says. Given that, and the relative lack of detail, it's hard to say who'll be more at risk.

"Organizations should deploy the appropriate controls to minimize the risk to their environments," Parkin advocates. "The ones that allow BYOD devices will face some additional challenges, as they'll need to address systems that they don't directly control."

Patch Now: 2 Apple Zero-Days Exploited in Wild

Just as cyber criminals change tactics and strategy for more effectiveness, so must infosec pros and their organizations, according to Martin Roesch of Netography.

Just as cyber criminals change tactics and strategy for more effectiveness, so must infosec pros and their organizations, according to Martin Roesch of Netography. He discusses why end-user organizations struggle to adapt to the latest threats, and describes how the “atomized network” can help here. Roesch also talks about how startups regularly contribute to the advancement of security innovation, and he offers up some suggestions for new ways for defenders to safeguard their networks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybersecurity Solutions Must Evolve, Says Netography CEO

APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.

Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.

The cyber-threat analyst team at PwC, which has followed a prime example of this (the Lazarus Group's Operation In(ter)ception) closely, presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.

PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.

"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, called "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."

The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) "employ malicious cyberactivity to collect intelligence, conduct attacks, and generate revenue."

Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.

This is "to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants to send emails that appear to come from on a legit site, or indeed to perform Web exploitation as an initial access method."

Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. For instance, the Indeed decoy site URL is Indeed.US.org, she said. Scenarelli noted that the job descriptions disguised as .docx, .pdf, or .rtx files launch when the victims click on the documents, which may enable macros.

Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call "Black Alicanto," is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.

"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling MSHDA.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls "Cabbage Loader."

This script places a .lnk file in the victim's startup folder "to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."

Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.

"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."

State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims

Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.

The BlackByte ransomware group, which has connections to Conti, has resurfaced after a hiatus with a new social media presence on Twitter and new extortion methods borrowed from the better-known LockBit 3.0 gang.  

According to reports, the ransomware group is using various Twitter handles to promote the updated extortion strategy, leak site, and data auctions. The new scheme lets victims to pay to extend the publishing of their stolen data by 24 hours ($5,000), download the data ($200,000) or destroy all the data ($300,000). It's a strategy the LockBit 3.0 group already pioneered.

"It is not surprising BlackByte is taking a page out of LockBit's book by not only announcing a version 2 of their ransomware operation but also adopting the pay to delay, download, or destroy extortion model," says Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, who calls the market for ransomware groups "competitive" and explains LockBit is one of the most prolific and active ransomware groups globally.

Hoffman adds it is possible BlackByte is trying to gain a competitive advantage or trying to gain media attention to recruit and grow its operations.

"Although the double-extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams," she says. "It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted."

Oliver Tavakoli, CTO at Vectra, calls this approach an "interesting business innovation."

"It allows smaller payments to be collected from victims who are almost certain they won’t pay the ransom but want to hedge for a day or two as they investigate the extent of the breach," he says.

John Bambenek, principal threat hunter at Netenrich, points out ransomware actors have played around with a variety of models to maximize their revenue.

"This almost looks like an experiment on if they can get lower tiers of money," he says. "I just don't know why anyone would pay them anything except for destroying all the data. That said, attackers, like any industry, are experimenting with business models all the time."

**Causing Disruption With Common Tactics**

BlackByte has remained one of the more common ransomware variants, infecting organizations worldwide and previously employing a worm capability similar to Conti's precursor Ryuk. But Harrison Van Riper, senior intelligence analyst at Red Canary, notes that BlackByte is just one of several ransomware-as-a-service (RaaS) operations that have the potential to cause a lot of disruption with relatively common tactics and techniques.

"Like most ransomware operators, the techniques BlackByte uses are not particularly sophisticated, but that doesn’t mean they aren’t impactful," he says. "The option to extend the victim's timeline is likely an effort to get at least some sort of payment from victims who may want extra time for a variety of reasons: to determine legitimacy and scope of the data theft or continue ongoing internal discussion on how to respond, to name a couple of reasons."

Tavakoli says cybersecurity pros should view BlackByte less as an individual static actor and more as a brand that can have a new marketing campaign tied to it at any time; he notes the set of underlying techniques to carry off the attacks seldom change.

"The precise malware or entry vector utilized by a given ransomware brand may change over time, but the sum of techniques used across all of them are pretty constant," he says. "Get your controls in place, ensure you have detection capabilities for attacks which target your valuable data, and run simulated attacks to test your people, processes and procedures."

**BlackByte Targets Critical Infrastructure**

Bambenek says that because BlackByte has made some mistakes (such as an error with accepting payments in the new site), from his perspective it may be a little lower on the skill level than others.

"However, open source reporting says they are still compromising big targets, including those in critical infrastructure," he says. "The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue than we saw with Colonial Pipeline."

In February, the FBI and US Secret Service released a joint cybersecurity advisory on BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors.

BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing

To lessen burnout and prioritize staff resiliency, put people in a position to succeed with staffwide cybersecurity training to help ease the burden on IT and security personnel.

Cyberattacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organizations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.

It's no surprise, then, that cyber resiliency has been a hot topic in the cybersecurity world. But although cyber resiliency refers broadly to the ability of an organization to anticipate, withstand, and recover from cybersecurity incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organizations that focus exclusively on technology risk are overlooking an equally important element: people.

**People Are Vulnerable, but They Don't Have to Be**

People are often thought of as the weak link in cybersecurity. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cybersecurity technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.

Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organization, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organizations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritize the resiliency of their people just as highly as the resiliency of their technology.

Training the organization to recognize the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organizations will discover that their overall cyber-resiliency will improve significantly.

**Building the Necessary Support Systems**

The COVID-19 pandemic — and the resulting acceleration of digital transformation, cloud adoption, and remote work — perfectly encapsulates the need to prioritize people. Security teams have been in a pressure cooker since the pandemic began, constantly being asked to do more, account for additional variables, set up new capabilities. And of course, there is always a new vulnerability that catches the eye of a CEO or other senior leader and suddenly becomes a priority. These teams are tired, and burnout is a real concern. They need support from their organizations.

Because, as valuable as modern cybersecurity tools are, people still make the most important decisions —which means prioritizing the resiliency of those people is critical. Tired, overworked employees who don't feel appropriately valued by their employers are more prone to mistakes or lapses in judgment. It is important to maintain open dialogue with IT and security personnel to understand their needs. Employees who find themselves working 12-hour days again and again aren't just prone to mistakes. They're likely to leave for a better opportunity — one that lets them maintain a healthy work-life balance. Organizations must be prepared to hire and train new employees to help carry some of the load for teams already being tasked with making significant adjustments in the face of ongoing challenges.

Learning to recognize signs of burn-out in your people, talking openly about burnout and how you are addressing it, and encouraging a culture of well-being will make for a more resilient team. After all resiliency is about recovery, in both people and technology.

**Never Overlook the Importance of People**

Too many organizations today view people as replaceable, but organizations that want to remain steadfast in the face of today's threat landscape should recognize the value of a happy, motivated, well-trained, and well-rested workforce. Cyber-resiliency isn't just about having the right technology in place to deal with modern attackers, but about empowering people to make the right decisions, and ensuring that they have the knowledge and support they need to make them. Overlook the importance of people at your own peril —even with automation on the rise, they remain the backbone of a successful business.

Cyber Resiliency Isn't Just About Technology, It's About People

Filling cybersecurity roles can be costly, slow, and chancy. More firms are working with third-party service providers to quickly procure needed expertise.

There are many possible solutions to the cybersecurity skills shortage, but most of them take time. Cybersecurity education, career development tracks, training programs, employer-sponsored academies, and internships are great ways to build a talent pipeline and develop skill sets to meet organizational needs in years to come.

But sometimes the need to fill a gap in capability is more immediate.

An organization in the entertainment industry recently found itself in such a position. Its primary cybersecurity staff member quit suddenly without notice, taking along critical institutional knowledge and leaving various projects incomplete. With its key defender gone, the organization's environment was left vulnerable. In a scarce talent market, the organization faced a long hiring process to find a replacement — too long to leave its digital estate unattended. It needed expertise, and quickly.

**Finding Skills in Scarcity**

According to a 2021 ESG report, 57% of organizations have been impacted by the global cybersecurity skills crisis. Seventy-six percent say it's difficult to recruit and hire security professionals. The biggest effects of this shortage are increasing workloads, positions open for weeks or months, and high cybersecurity staff burnout and attrition.

In this climate, more companies are turning to third parties for cybersecurity staff reinforcement. According to a NewtonX study, 56% of organizations are now subcontracting up to a quarter of their cybersecurity staff. Sixty-nine percent of companies rely on third-party expertise to assist in mitigating the risk of ransomware — up from 58% in 2017 — per a study by Ponemon and CBI, A Converge Company.

One way that companies gain this additional support is via third-party staff augmentation and consulting services. Cybersecurity staff augmentation, or strategic staffing, entails trained external consultants acting as an extension of an organization's security team in a residency. Engagements can be anywhere from a few weeks to a few years, and roles can range from analysts and engineers to architects, compliance specialists, and virtual CISOs.

The reasons companies seek staff augmentation services vary. A hiring freeze may prevent an increase in head count, even as the need for extra help persists. A staff member's shoes may need to be filled during a temporary leave of absence. A project may require support for a year or two, but not long enough to justify hiring a permanent employee. A company may need staffing services while seeking a replacement for an outgoing staff member.

**Trying Out a New Role**

Another motivation for companies to seek temporary staff augmentation is the opportunity to explore the value and benefit of new roles. Hiring a full-time employee is a time- and resource-intensive endeavor involving recruiting, interviewing, background checks, and other HR activities, followed by onboarding and training. In addition, new employees take time to ramp up: According to Human Panel, it takes five to eight months for a new hire to reach full productivity. On top of everything, there's the risk of the employee not working out — a Bamboo HR survey found that 31% of people have left a job within the first six months.

These are just some of the reasons companies often want to try out the idea of a new role before formally opening one, and strategic staffing services allow that flexibility. Recently, an organization came to us unsure if it really needed a firewall engineer, so we placed an engineer there for a six-month engagement. Once the customer realized the value of the role, it opened head count for an internal position and we worked together in the candidate search.

**What to Look for in Staff Augmentation Services**

Choosing your staff augmentation provider wisely is important in ensuring a successful engagement. One factor to consider is the investment the provider puts into its people. Traditional staffing agencies act merely as a broker between the staff resource and the client organization and rarely invest in training or career development of their staff resources.

A better option is to seek a cybersecurity-focused services provider that fills positions from its bench of in-house experts, rather than subcontractors. This offers many positive aspects: Consultants are more likely to receive training, benefits, and support for technical certifications, and to come from a culture of security — all of which make for a higher-quality engagement. Look for a provider that fosters an open team environment of knowledge-sharing — as a client, you will benefit from the knowledge of the entire team in the provider's pool.

**Talent Pool**

Reeling from its sudden employee departure, the entertainment organization needed a replacement. It reached out to us and within 48 hours, we provided a qualified engineer. Our consultant began filling in for day-to-day operations and resumed the unfinished projects. When the time came, our engineer also assisted with the interview process, helping to select a qualified candidate to permanently fill the role. By the end of the engagement, several projects were complete and a new employee who knew the necessary technologies was installed.

Staff augmentation isn't the whole answer to the cyber-skills crisis. Organizations still need to ensure they have a talent pool of cybersecurity expertise for future years. But when the need arises, a strategic staffing residency is gaining more recognition as an effective way to procure the necessary cybersecurity expertise fast and flexibly, without the risks or cumbersome process of full-time employment.

**About the Author**

    

Aaron Mullinax serves as VP | Architecture and Integration for CBI, A Converge Company and brings more than 28 years of information security experience to his role. He is responsible for helping to shape the vision of the area under his leadership by strengthening organizational defenses across people, process and technology.

Easing the Cyber-Skills Crisis With Staff Augmentation

The state-sponsored threat actor has switched up its tactics, also adding an automated SQL-injection tool to its bag of tricks for initial access.

An analysis of China-backed advanced persistent threat (APT) actor APT41's activities has shown the group to be using a unique — and somewhat inexplicable — method for deploying its main Cobalt Strike payload on victim systems.

Researchers from Singapore-based Group-IB also discovered that the adversary is using a variety of dual-use tools for conducting reconnaissance. 

So far, Group-IB has identified at least 13 major organizations worldwide that have been compromised over four separate campaigns, with the APT gaining varying levels of access. Victims included organizations in the government, healthcare, manufacturing, logistics, hospitality, and media sectors in the US as well as China, India, Taiwan, and Vietnam. 

The security vendor concluded that the actual number of APT41's victims could be much higher, based — among other things — on the fact that it observed signs of APT-related activity at a total of 80 private and government organizations in 2021.

**Puzzling Payload Deployment Strategy for Cobalt Strike**

One interesting aspect of the campaigns that Group-IB analyzed was the tendency by APT41 to encode its main custom Cobalt Strike binary in Base64, then break it up into smaller chunks of 775 characters. These are then added to a text file. In one instance, the threat actors had to repeat the action 154 times to write the entire payload to the file.

In another instance, Group-IB researchers observed the threat actor breaking up the code into chunks of 1,024 characters before writing the payload to a text file using 128 iterations of the process.

Nikita Rostovcev, an analyst within Group-IB's APT research team, says it's unclear why APT41 might have adopted the strategy but surmises it may be an attempt at remaining under the radar.

"We do not fully know why the attackers chose this method because SQLmap has a large data transfer limit, which means it was done intentionally, most likely in order to prevent its detection," he says.

However, detecting the ruse is not difficult, especially considering that the payload was encoded in Base64 at the end, he adds: "This is a unique finding. We have not seen any other attackers use this method in their attacks."

**SQL Injection & Dual-Use Tools**

Group-IB's analysis shows the threat actors had shifted tactics for initial access, performing SQL injection attacks using the SQLmap tool to gain a foothold to some target organizations. SQLmap automatically discovers and exploits SQL vulnerabilities. The SQL injection attacks allow APT41 actors to gain command shell access on some targeted servers.

The tactic marks a deviation from APT41's usual pattern of using phishing, watering-hole attacks, and stolen credentials as an initial access vectors.

APT41 mainly went after databases with information about existing user accounts, employee lists, and passwords stored in plaintext and hashed form. In total, APT41 actors attacked 86 vulnerable websites and applications belonging to the targeted organizations, and they were able to compromise half of them via SQL injection.

"Typically, attackers from APT41 are interested in information about existing users and their accounts and any data that can be used for further lateral movement," Rostovcev says.

Once the threat actor has gained access to a target network it has been known to deploy numerous other custom tools to carry out its mission. In its report earlier this year, Cybereason identified some of these tools as DeployLog, for deploying the threat group's main kernel-level rootkit, an initial payload called Spyder Loader; a tool for storing payloads called StashLog; and one for privilege escalation dubbed PrivateLog.

In the 2021 campaigns that Group-IB investigated, it discovered APT41 actors using tools such as Acunetix's Web vulnerability scanner, Nmap, and OneForAll, and pen-testing tools such as subdomain3, subDomainsBrute, and Sublist3r.

"All these utilities — except Acunetix — are available to the public and used not only in hacker's attacks but in penetration tests, for example," Rostovcev says.

Rostovcev describes the tools as falling into multiple categories, including those that can be used to look for hidden directors and forgotten backup archives, and those for scanning ports and the services running on them.  

**A Prolific & Persistent State-Sponsored Threat Actor**

APT41 (aka Winnti, Wicked Panda, Barium, and Blackfly) is a well-known APT group that first surfaced in 2010 with attacks on the likes of Google and Yahoo. The group is believed to be working on behalf of the Chinese government — or at least with its tacit support. Some have described APT41 as representing a collection of cyber threat actors carrying out directives from China's intelligence agencies. 

Though the US government indicted five APT41 members in 2020 and multiple security vendors have chronicled its activities and TTPs, the threat actor has continued its activities unfazed. The Cybereason report shows that APT41 stole hundreds of gigabytes of sensitive data from 30 organizations in North America in a recent cyber-espionage campaign.

Source

DARKReading