Just as one crop of malware-laced software packages is taken down from the popular Python code repository, a new host arrives, looking to steal a raft of data.

Just a week after 10 malicious software packages were found nesting in the Python Package Index (PyPI) repository, several more have come to light, uncovered by different firms. It's becoming a bit of a whack-a-mole exercise, snuffing out bad code only to find more taking its place.

In last week's disclosure, researchers at Check Point found Trojanized packages mimicking popular legitimate components, containing droppers for information-stealing malware. That prompted Kaspersky analysts to scour the open source repository further, which led to the discovery of two more rogue offerings, dubbed "pyrequests" and "ultrarequests," that purported to be one of the most popular packages in PyPI (which is simply named “requests“).

"The attacker used a description of the legitimate 'requests' package in order to trick victims into installing a malicious one," according to Kaspersky's Tuesday analysis. "The description contains faked statistics, as if the package was installed 230 million times in a month and has more than 48,000 stars on GitHub. The project description also references the web pages of the original requests package, as well as the author’s email. All mentions of the legitimate package's name have been replaced with the name of the malicious one."

If installed, the result is a W4SP Stealer infection, through which attackers can steal Discord tokens, saved cookies, and passwords from browsers in separate threads.

Meanwhile, researchers at Synk on Tuesday published findings around a dozen malicious PyPI packages aimed at stealing Discord and Roblox users’ credentials and payment info. According to Kyle Suero, Snyk's lead researcher on the report, the malware will also attempt to steal Google Chrome data or pilfer passwords and bookmarks from Windows machines to pivot throughout all accounts.

All of the offending packages have been removed from PyPI; however, it's unclear how many times they were downloaded before that.

Attacks on code repositories continue to snowball. According to ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021 — a 290% increase.

"As long as we keep ignoring the core of the problem — which is how do you trust code — we are not handling software supply chain security," said Tomislav Peričin, co-founder and chief software architect at ReversingLabs, said in a recent report.

Whack-a-Mole: More Malicious PyPI Packages Spring Up Targeting Discord, Roblox

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Come up with a cybersecurity-themed caption for the cartoon above, and you could win a $25 Amazon gift card if it's chosen as Dark Reading editors' favorite. Here are four convenient ways to submit your idea:

*   Email _\[email protected\]_ with the subject line "Dark Reading August Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, Sept. 7, 2022. We look forward to your submissions.

**Last Month's Winner**

July's "Modern-Day Fable" caption contest now how a modern-day twist that would even make Aesop laugh. Congratulations go to winner Dana Morrow, director of security services at Foresite MSP. A $25 Amazon gift card is on the way.  

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Vicious Circle

Cybercrime has been funded with cryptocurrency, but the valuation of various digital currencies has dropped by more than two-thirds and cybercriminals are feeling the pinch.

The dramatic decline in cryptocurrency has dampened activity around specific types of financial crimes — most significantly, investment scams and illegal Dark Web transactions — leading to a drop in consumer losses for the first half of 2022.

That's according to an analysis published on Aug. 16 from blockchain data provider Chainalysis.

Overall, the cumulative revenue collected by scammers dropped by two-thirds — 65% — for the first seven months of the year, according to the firm. The decline is only partly linked to the decrease in the value of major cryptocurrencies. Bitcoin, for example, plunged in value by 51% between Jan. 1 and July 31, and that still doesn't account for the total drop.

The number of deposits connected to scams also dropped by more than two-thirds, suggesting that fewer consumers were falling prey to those efforts, says Kim Grauer, director of research at Chainalysis.

"Most scams are investment scams, and if investments across the board are down, then less funds will flow to the services that are, in fact, scams," she says. "We also saw a lot of law enforcement wins in the past year which have further deterred scammers."

Since their peak last November, major cryptocurrencies have dropped precipitously in value, reaching lows in June. Bitcoin dropped nearly 72%, from its $67,567 close on Nov. 7, 2021, to $19,018 on June 17. Similarly, Ethereum plunged nearly 80% to close at about $994 on June 17. Both digital assets have recovered from those lows in the past two months.

    

Monthly deposits to scams have declined. Source: Chainalysis

Cryptocurrency is the financial backbone of most online crimes, Chainalysis stated in its midyear update, so the drop in cryptocurrency has impacted other major cybercrimes, such as money laundering and ransomware. Both have dropped by 20% to 25% since the beginning of the year, according to cybersecurity firms. 

That said, crimes that do not depend on enticing victims with cryptocurrency have been less affected by the volatility. Business e-mail compromise (BEC), for example, still accounted for 35% of the dollar losses in 2021, compared with 0.7% for ransomware, according to the FBI's Internet Crime Complaint Center (IC3).

"Nobody likes a crypto bear market, but the one silver lining is that illicit cryptocurrency activity has fallen along with legitimate activity, albeit not as sharply," the company stated. "This is especially encouraging in scams, where the decrease in market hype seems to mean fewer are fooled by scammers, and in darknet markets, where law enforcement’s \[shutdowns of major markets\] appears to have dampened the entire sector."

**DeFi Services Still Hot Targets**

One constant? Hacking of digital wallets and decentralized financial (DeFi) services continued to grow. Overall, cybercriminals stole at least $1.9 billion in cryptocurrency through hacking online services so far in 2022, an increase of about two-thirds from the same period in 2021.

The majority of the hacking profits comes from hacking DeFi protocols, Chainalysis stated in the mid-year report.

"DeFi protocols are uniquely vulnerable to hacking, as their open source code can be studied ad nauseum by cybercriminals looking for exploits — though this can also be helpful for security as it allows for auditing of the code," the company stated. "\[I\]t's possible that protocols' incentives to reach the market and grow quickly lead to lapses in security best practices."

Specific regions have also focused on specific types of crime. North Korean nation-state actors have compromised specific DeFi protocols, leading to massive gains for the sanctioned government. The attackers stole approximately $1 billion so far in 2022, accounting for the majority of the $1.9 billion in losses from exchanges and services, as of July 2022.

"We have seen ransomware attacks coming out of North Korea, but right now DeFi hacking is the most profitable thing for the North Korean hacking organizations to carry out," Grauer says. "North Korean hacking organizations have realized how profitable this type of hacking can be if done correctly, so have continued to carry out attacks throughout 2022."

Financial institutions, consumers, and cybersecurity professionals should not expect the decline in fraud related to cryptocurrency to continue, Chainalysis stressed. Consumers need to be better educated about the risks, while the cybersecurity of decentralized financial protocols needs to be bolstered and audited. Finally, legitimate exchanges should have protections in place to prevent the transfer of money to known scams, and law enforcement should develop their capabilities to seize cryptocurrency from bad actors, the company stated.

With Plunge in Value, Cryptocurrency Crimes Decline in 2022

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server's certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July's Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.

**Proof of Concept Exploit for Remote Code Execution**

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.

Specifically, they set up an NTLM relay attack. Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server — which they can then use to authenticate to the remote server with the compromised user's privileges, providing the ability to move laterally and escalate privileges within an Active Directory domain.

"The direction we chose was to take advantage of the authentication coercion," Akamai security researchers Ophir Harpaz says. "The specific NTLM relay attack we chose involves relaying the credentials to the Active Directory CS service, which is responsible for managing certificates in the network."

Once the vulnerable function is called, the victim immediately sends back network credentials to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine, establishing a launching pad for several other forms of attack including ransomware, data exfiltration, and others.

"We chose to attack the Active Directory domain controller, such that the RCE will be most impactful," Harpaz adds.

Akamai's Ben Barnea points out with this case, and since the vulnerable service is a core service on every Windows machine, the ideal recommendation is to patch the vulnerable system.

"Disabling the service is not a feasible workaround," he says.

**Server Spoofing Leads to Credential Theft**

Bud Broomhead, CEO at Viakoo, says in terms of negative impact to organizations, server spoofing is also possible with this bug.

"Server-spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data tampering, remote code execution, and other exploits," he adds.

A common example of this can be seen with Internet of Things (IoT) devices tied to Windows application servers; e.g., IP cameras all connected to a Windows server hosting the video management application.

"Often IoT devices are set up using the same passwords; gain access to one, you've gained access to them all," he says. "Spoofing of that server can enable data integrity threats, including planting of deepfakes."

Broomhead adds that at a basic level, these exploitation paths are examples of breaching internal system trust — especially in the case of authentication coercion.

**Distributed Workforce Broadens Attack Surface**

Mike Parkin, senior technical engineer at Vulcan Cyber, says while it doesn't appear that this issue has yet been leveraged in the wild, a threat actor successfully spoofing a legitimate and trusted server, or forcing authentication to an untrusted one, could cause a host of problems.

"There are a lot of functions that are based on the 'trust' relationship between server and client and spoofing that would let an attacker leverage any of those relationships," he notes.

Parkin adds a distributed workforce broadens the threat surface considerably, which makes it more challenging to properly control access to protocols that shouldn't be seen outside the organization's local environment.

Broomhead points out rather than the attack surface being contained neatly in data centers, distributed workforces have also expanded the attack surface physically and logically.

"Gaining a foothold within the network is easier with this expanded attack surface, harder to eliminate, and provides potential for spillover into the home or personal networks of employees," he says.

From his perspective, maintaining zero trust or least privileged philosophies reduces the dependence on credentials and the impact of credentials being stolen.

Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date on patches throughout the environment.

"None of them are a perfect defense, but they do serve to reduce the risk," he says.

Windows Vulnerability Could Crack DC Server Credentials Open

Threat hunting not only serves the greater good by helping keep users safe, it rewards practitioners with the thrill of the hunt and solving of complex problems. Tap into your background and learn to follow your instincts.

Growing up in the Pacific Northwest, I was fascinated by treasure hunting. I love the idea of finding something valuable or important. I had an arsenal of tools even the most seasoned treasure hunters would envy: a metal detector, a bucket, and a plastic shovel. Yet the most valuable tool I possessed was my firm belief that I would find treasure as long as I looked hard enough.

Threat hunting is like treasure hunting in many ways. Threat hunters also have their tools of the trade.

Several years ago, I traded that plastic shovel for a data visualization tool (i.e., Kibana) and too much coffee. I still feel the excitement of the hunt for something valuable. You see, treasure hunting and threat hunting both stimulate the mind. They are both filled with hidden clues, there is no set path, and sometimes you must solve complex problems. There is unmistakable value in discovering threats, so that we can improve the security of our organizations.

At one point in my military career, I worked as a networking specialist on a cyber-protection team, where I became a network traffic analysis expert. The mission was simple — just hunt. Remember, no good treasure hunt starts without a treasure map. That's where this threat-hunting story begins.

I received a PDF version of the network map that contained hundreds of endpoints, ports, protocols, and services (PPS) to quickly identify acceptable and normal network traffic as a baseline. The posters we printed from the PDF were the size of twin-sized blankets. Yet, we hung them up on the ops floor. We had our "treasure map," and set out to analyze the hex and packet captures (PCAPs).

We found nothing that deviated from the baseline and PPS listing. But I still had the unshakeable belief from my youth that I would find something if I looked hard enough. We were parsing through millions of network events and terabytes of data. I decided to investigate the top-talking ports – even the acceptable ports outlined on the PPS.

"Manual" threat hunting, for lack of better words, relies on highly skilled people and the knowledge they have collected over years in the field. Down the list I went looking at HTTPS, HTTP, DNS, SMTP, and so on. Finally, I arrived at port 1433, or SQL, which is the primary language used for managing data. This was significant as it's often a large attack surface for hackers and adversaries. I built a query and modified data fields to quickly identify the IPs communicating with one another.

One pair of IPs looked a little unusual and didn't fit into the schema of the other IPs. It stood out to me because I understood the network (thanks to our trusty map). That's when I discovered unencrypted SQL data. I could see everything and the data in these tables made my jaw drop. This data was leaving the network unencrypted. I immediately notified my mission commander, who carried it up the chain – we discovered it was a configuration error that was quickly fixed. The goal of discovering threats was so that we could take action to remediate them.

**Learning From Experience**

Eight-year-old me would have been very proud of my ability to find such a significant threat – being able to improve our security was certainly of value. There were many lessons to be learned from this hunt that I have held with me over the years:

*   Understand the network you're working on to easily recognize patterns and behaviors that deviate from normal.
*   Question and review all traffic, even acceptable or normal traffic. Network traffic is guilty until proven innocent in the world of threat hunting.
*   Not every hunt will result in threats being found, but always listen to your instincts. If you know it's out there, it probably is.

Threat hunting is an opportunity to help a greater good. Cyberattacks are relentless. We must work together as professionals to change the playing field. Equally, be willing to accept help. I have been fortunate to find work that brings me so much joy. I love what I do because it connects me with a lifelong drive. There are many specialties within cybersecurity; finding your particular niche will make you successful in this field.

Lessons From the Cybersecurity Trenches

Heads of CIA and CISA headline event at DC Convention Center.

Returning in person after two years, the 13th Annual Billington Cybersecurity Summit is a three-day event designed to examine the nation's pressing cyber needs and the impact of the Biden Administration's fast-moving cyber strategic direction.

The summit explores "Transforming Cybersecurity Through a Unified Approach" with a focus on the hottest cyber topics. More than 125 speakers spanning government, military, nonprofits, industry, and academia, including CIA Director William Burns; Chris Inglis, National Cyber Director, EOP; DHS CISA Director Jen Easterly; John Sherman, CIO, DOD; and two top cyber officials from Ukraine will discuss cyber trends and issues during more than 40 sessions.

**WHEN**

September 7-9, 2022

Sept 7: 8:45 a.m.-5 p.m.

Sept 8: 8:30 a.m.-5 p.m.

Sept 9: 9 a.m.-noon

**TOPICS**

The summit has more than 40 panel discussions, breakout sessions, and fireside chats. Agenda topics include:

*   Cyber Lessons Learned from Ukraine
*   Securing Infrastructure in an Increasingly Connected World
*   Election Security and the 2022 National Elections
*   Lessons Learned for Fortifying a Strong Cybersecurity Workforce
*   All-Star VC Roundtable: What Are the Next Game-Changing Cyber, Disruptive Technologies?
*   The Cyber Threat Landscape and Zero Trust: Lessons Learned and Success Stories
*   Future of Encryption: Moving to a Quantum-Resistant World
*   Cybersecurity Public/Private Engagement
*   Addressing Insider Threat while Protecting Privacy
*   Future Panel | Cybersecurity and the Future of 5G
*   Enhancing the Security of Open-Source Software and the Supply Chain
*   Automating Cybersecurity: Applying AI Internally and at the Edge
*   Beyond Ransomware: Identifying the Next Cyber Threats

**WHERE**

Walter E. Washington Convention Center

801 Mt Vernon Pl NW

Washington, DC

**HOW**

Learn more or register at https://billingtoncybersummit.com/. Complimentary government and military tickets are available. Tickets for corporate attendees are $895; academic and non-profits are $125; and students are $25. Press is free for credentialed reporters but must register in advance online.

**WHY**

Presented by over 40 sponsors, led by Amazon Web Services, Raytheon Intelligence & Space, and Cisco Secure, the Billington Summit convenes leading senior cyber government decision-makers to examine key trends and topics while fostering deeper dialogue between government leaders and private industry.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SEPT. 7-9: Ukraine, Election, AI, Cybercrime, 5G Among Topics Explored by 125+ Speakers at 13th Billington Cybersecurity Summit

After 30 years and a brief pandemic hiatus, DEF CON returns with "Hacker Homecoming," an event that put the humans behind cybersecurity first.

DEF CON — Las Vegas — Halls stuffed with hackers lined up for hours for their chance to hone their skills on the latest tech, helped along by a volunteer army of so-called "goons" — it was a hopeful place to be last weekend during DEF CON 30.

Everyone wore masks so even the immunocompromised could participate. There was a trend toward focusing on using hacker powers to protect the population from utility breaches, smart car accidents, misinformation, and more. Giving the entire conference its reputational edge were rooms buzzing with information and the kind of immediacy and potency that made it feel almost subversive — punk rock, even.

Here are just a few of the highlights Dark Reading happened to find among the organized chaos that was DEF CON 30.

**1\. Merch Madness**

The longest lines, by many hours, were those to get the latest DEF CON-branded merchandise. While some used the time to refuel with snacks, others put a little more thought into the break in the action. Take Brad Lindsley, who made his own "Linecon Bag" with a mounted gaming screen and controllers for four players.

"I was waiting in line for hours at another DEF CON and I was thinking about what I would want to do in line," he told Dark Reading.

    

Brad Lindsley shows off his Linecon bag. (Photo by Becky Bracken for Dark Reading)

**2\. IoT Village**

DEF CON 30 hackers also had the option to ply their skills on dozens of Internet of Things (IoT) devices, including the Emergency Broadcast System and a Globecomm satellite system, thanks to the work of TIVO Trevor and the rest of the team, who spent the last 90 days building the IoT common control framework (CCF).

Trevor said that this year the IoT Village made the decision to shift its emphasis because of the shifting threat landscape that now focuses on infrastructure and other IoT devices.

"We've moved away from SOHO (small offices/home offices) to IoT this year," he told Dark Reading.

    

TIVO Trevor at the DEF CON 30 IoT Village. (Photo by Becky Bracken for Dark Reading)

**3\. Sink This Battleship**

There were too many contests going on during DEF CON 30 to count. One big one was a version of Capture the Flag called "Can You Sink the Ship?" put on by Fathom5, which challenged teams of hackers to bring down their ship training module. The kickoff was preceded by more than a few rules laid out by Fathom5 CTO David Burke, who included an instruction not to tinker with the hoses underneath: "Please don't spray hydraulic fluid everywhere around the room."

    

Burke explains the ground rules of the contest. (Photo by Becky Bracken for Dark Reading)

**4\. Other Challenges Accepted**

Other, less elaborate contests included a collection of Capture the Flag versions, Red Team challenges, and even a DEF CON Scavenger Hunt.

    

One of the many contest leaderboards projected around the DEF CON Contest Village. (Photo by Becky Bracken for Dark Reading)

**5\. The Voting Village**

Noted voting-machine researcher Harri Hursti, representing the Election Integrity Foundation, brought in a collection of voting machines currently in use across the US for hackers and conspiracy theorists alike to try out and challenge their security.

Dark Reading ran into a group of hackers giving one of the US voting machines a careful look. Asked if they thought they might be able to crack into it, one of the group responded, "I don't know if we can, but it's fun thing to play with."

    

Voting machine hackers, from L to R: Wkampbel, Segzf4ult, Cole Knight, James, Semifour. (Photo by Becky Bracken for Dark Reading)

**6\. The Signage**

Even the signage spread out around DEF CON 30 was flair-forward, with an array of clever quips, dazzling digital renderings, and just straight-up art. Here is just the tiniest taste of what was on display.

    

The Chill Out Room at DEF CON had an elaborate stage for DJs and performances. (Photo by Becky Bracken for Dark Reading)

    

Signage at the lock-picking area at DEF CON. (Photo by Becky Bracken for Dark Reading)

    

Wall projection over main DEF CON 30 entrance. (Photo by Becky Bracken for Dark Reading)

**7\. Brain Hacking & Misinformation**

An entire village at this year's DEF CON was dedicated to misinformation. With phishing and social engineering still driving so many successful cyberattacks, Dr. Matthew Canham of Beyond Layer 7 gave a presentation on cognitive security, which essentially means blocking attackers from compromising the brain itself. From optical illusions to instances like Cambridge Analytica's practice of building psychographic profiles to target victims, brain hacks are here and getting more sophisticated, according to Dr. Canham.

    

Misinformation Village information screen prior to Dr. Canham's presentation. (Photo by Becky Bracken for Dark Reading)

**8\. The Traditions**

This year was Michael Bargury's debut on the DEF CON stage. That meant that before he kicked off his presentation about codeless malware, the CTO and cofounder of Zenity (and Dark Reading columnist) engaged in a DEF CON tradition... he did a shot, along with his "goon" who gave the introduction. After a few seconds and just one wince while the liquor went down, Bargury was officially inaugurated into the DEF CON speaker's club and ready to go.

    

Bargury takes the podium following his inaugural shot of courage. (Photo by Becky Bracken for Dark Reading)

DEF CON 30: Hackers Come Home to Vibrant Community

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organizations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

The attacks targeting the MSHTML flaw were part of a broader set of exploit activity last quarter that overwhelmingly targeted Microsoft vulnerabilities. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw.

**Old Is Gold for Threat Actors**

Kaspersky's telemetry showed far more attacks on a handful of other vulnerabilities from 2018 and 2017. One of them was CVE-2018-0802, a remote code execution (RCE) vulnerability in Microsoft Office that was attacked some 345,827 times last quarter. Another similar memory corruption flaw from 2017 (CVE-2017-11882) was targeted in 140,623 attacks while a Microsoft Office/WordPad remote code execution flaw also from 2017 (CVE-2017-0199) was involved in 60,132 attacks.

The so-called Follina vulnerability in Microsoft Support Diagnostic Tool (MSDT) (CVE-2022-30190) was among the most targeted of recent vulnerabilities. The RCE flaw was one of at least five zero-day flaws that Microsoft has disclosed this year.

In total, Kaspersky found vulnerabilities in older versions of Microsoft Office being used in attacks against more than half a million users in second quarter. The attacks are another reminder of how unpatched vulnerabilities in older technologies remain a popular and highly attractive target for threat actors, the security vendor noted. "Old versions of applications remain the main targets for attackers, with almost 547,000 users in total being affected through corresponding vulnerabilities in the last quarter," Kaspersky said.

Kaspersky's report is another reminder of why security experts advocate quick patching of Microsoft vulnerabilities. Recent data has shown attackers have gotten much faster at exploiting flaws than before. A study that Rapid7 conducted last year showed that the mean time to known exploitation for vulnerabilities in 2021 was just 12 days — a 71% decrease from 42 days in 2020. The company explained the numbers as being driven by a sharp rise in zero-day exploit activity. "A drastic reduction in time to exploitation year over year means that not only are well-worn emergency patching procedures necessary, incident response protocols are likely to require repeated use as well," Rapid7 noted at the time.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

ZTNA brings only marginal benefits unless you ensure that the third parties you authorize are not already compromised.

The transition to a zero-trust architecture is rife with challenges that can put a 10,000-piece, monochromatic jigsaw puzzle to shame. Not only must the IT team recognize and validate every corporate employee, their computing devices, and their applications, but they also must do so for key nonemployees, third-party vendors, and partners who access corporate assets.

It is a difficult enough task when one knows who their primary third-party supply chain partners are; it becomes almost impossible to manage secondary, tertiary, and other partners as well. And therein lies the challenge of defining who is an authorized and authenticated user and who is not.

While many of today's zero-trust network access (ZTNA) products claim to offer ongoing authentication and authorization of every known and registered user, device, and application trying to access a network all the time, often what companies actually experience is slightly different, says Jason Georgi, field CTO at Palo Alto Networks. Instead of constant authentication, they get initial authentication for each access.

Today, he says, ZTNA products excel at the microsegmentation of networks and providing very limited access to corporate assets on the network, but he expects next-generation ZTNA products to provide greater security for the data being processed.

A white paper by John Grady, a senior analyst at Enterprise Strategy Group, and commissioned by Palo Alto Networks asserts that there are several areas where current ZTNA products are falling short. Among the improvements Grady called for are prevention of violations of least privilege, the ability to cancel an application's access if it starts behaving in an unanticipated or unacceptable manner after granted access, and the ability to do security inspections of data not currently being inspected.

**Reducing Third-Party Risk**

Companies working to improve their risk profile by employing ZTNA are gaining only marginal benefits if they do not ensure that the third parties they authorize are not already compromised. To accomplish this, companies moving to zero trust also need to improve their third-party risk management (TPRM).

Organizations that employ ZTNA require that remote users be entered into a Microsoft Active Directory or other authentication system. While that works well for remote employees, it falls short when the remote access user is a business partner or vendor. Because of this, these partners often need to access the corporate environment over a virtual private network (VPN). But VPNs have inherent security limitations and do not scale well. As a result, someone who uses a VPN to access corporate assets behind the corporate firewall already has more access than they require; malicious users could leverage this to attack the network from the inside.

"If you think about all the bad things that have occurred, it's always through that backdoor of a vendor connection because you have a wide-open pipe on a VPN," says Dave Cronin, vice president of cybersecurity strategy for Capgemini Americas.

But VPNs, despite having less comprehensive security than zero-trust offerings, are not going away, he cautions. A zero-trust architecture requires that every user be preauthorized within a trusted environment, such as by being listed in Microsoft Active Directory or some similar application. That will not happen when organizations have hundreds or thousands of supply chain partners who are not individually identified, authenticated, and registered.

"In a lot of cases, organizations are layering additional sets of controls around specifically the third-party access component because, in some cases, the third parties are using unmanaged devices, meaning they're using their own corporate devices or even personal devices to access a company's enterprise applications," says Andrew Rafla, a partner and principal, as well as the cyber-risk and zero trust leader, at Deloitte. "There's a greater need to shift toward more modern ZTNA or \[Secure Access Service Edge\] SASE-type solutions, specifically for third-party access."

Rafla adds that the zero-trust edge (ZTE), sometimes referred to as SASE, can be seen as a compensating control to help mitigate the potential threats brought on by third parties and other managed constituents. Such compensating controls — including edge security, TPRM, multifactor authentication, and perhaps a dozen more controls together — can help companies demonstrate that they should qualify for cyber insurance, which has become more difficult to obtain recently.

"The more agile you are able to be as an organization to enable remote workforces, the easier, generally speaking, it is for you to do the right thing for derisking third-party access to your application systems environments," says Josh Yavor, CISO at Tessian. "The reason for that is because by pushing security down to the devices and then to the application layer, it means that while the networks are absolutely still relevant and critical, we're logically building our defensive risk bubbles around the applications themselves, and then the devices and identities that are in use when accessing them.

"By separating what used to be entirely network-dependent thinking to those layers, it means that we have more granular options for enabling access securely from our third parties."

That said, while hybrid VPN and ZTNA networks are likely here to stay for the foreseeable future, VPN security needs to be enhanced by adding more authentication controls and the ability to shut down the connection should the user access inappropriate data or applications. This could include improving port and protocol controls to contain the risk.

Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management

Here's how to flip the tide and tap open source intelligence to protect your users.

Are you a fan of fitness-focused social networking apps such as Strava? You're not alone. Even military personnel enjoy tracking and sharing their runs. It sounds great, except that all activity and GPS data the Strava app collects and publishes invariably exposes the precise location of military bases.

You might be surprised to see the kind of information that's publicly available on the Internet today. But it shouldn't be a surprise, given how we live in the days of oversharing. We announce on Twitter and email auto-responses about our vacation plans, essentially inviting robbers. Security professionals call it OSINT (open source intelligence), and attackers use it all the time to identify and exploit vulnerabilities in processes, technologies, and people. OSINT data is usually easy to collect, and the process is invisible to the target. (Hence why military intelligence uses it along with other OSINT tools like HUMIT, ELINT, and SATINT.)

The good news? You can tap OSINT to protect your users. But first you'll have to understand how attackers exploit OSINT to sufficiently evaluate the scope of your attack surface and bolster your defenses accordingly.

OSINT is an age-old concept. Traditionally, open source intelligence was gathered through TV, radio, and newspapers. Today, such information exists all across the Internet, including:

· Social and professional networks like Facebook, Instagram, and LinkedIn  
· Public profiles on dating apps  
· Interactive maps  
· Health and fitness trackers  
· OSINT tools like Censys and Shodan

All this publicly available information helps people share adventures with friends, find obscure locations, keep track of medications, and find dream jobs and even soulmates. But there's another side to it as well. Unbeknownst to potential targets, this information is just as conveniently available to scammers and cybercriminals.

For instance, the same ADS-B Exchange app that you use to keep track of your loved one's flights in real-time can be exploited by malicious actors to locate their targets and craft nefarious plans.

**Understanding the Different Applications of OSINT**

Open source information isn't just available to those it is intended for. Anyone can access and utilize it, including government and law enforcement agencies. Despite being cheap and easily accessible, nation-states and their intelligence agencies use OSINT because it provides good intelligence when done right. And since it's all freely available information, it's very hard to attribute access and utilization to a single entity.

Extremist organizations and terrorists can weaponize the same open source information to collect as much data about their targets as possible. Cybercriminals also use OSINT to craft highly targeted social engineering and spear phishing attacks.

Businesses use open source information to analyze competition, predict market trends, and identify new opportunities. But even individuals perform OSINT at some point and for a variety of reasons. Whether it's Googling an old friend or a favorite celebrity, it's all OSINT.

**How to Use Multiple OSINT Techniques**

The shift to work-from-home was inevitable, but the entire process had to be expedited when COVID-19 hit. Finding vulnerabilities and data against people working from home, outside the traditional security perimeter of organizations, is sometimes just a quick online search away.

**Social networking sites****:** Cybercriminals can gather data like personal interests, past achievements, family details, and current and even future locations of employees, VPs, and executives of their target organizations. They can later use this to craft spear-phishing messages, calls, and emails.

**Google:** Malicious users can Google information such as the default passwords for specific brands and models of IT equipment and IoT devices like routers, security cameras, and home thermostats.

**GitHub:** A few naive searches on GitHub can reveal credentials, master keys, encryption keys, and authentication tokens for apps, services, and cloud resources in shared, open source code. The infamous Capital One breach is a prime example of such an attack.

**Google hacking:** Also known as Google dorking, this OSINT technique lets cybercriminals use advanced Google search techniques to find security vulnerabilities in apps, specific information about individuals, files containing user credentials, and more.

**Shodan and Censys:** Shodan and Censys are search platforms for Internet-connected devices and industrial control systems and platforms. Search queries can be refined to find specific devices with known vulnerabilities, accessible elastic search databases, and more.

**Applications of OSINT for Defense Practices**

Businesses that are already using OSINT to identify opportunities and study competitors need to widen their application of OSINT to cybersecurity.

OSINT Framework, a collection of OSINT tools, is a good starting point for enterprises to harness the power of OSINT. It helps penetration testers and security researchers discover and collect freely available and potentially exploitable data.

Tools like Censys and Shodan are primarily designed for pen-testing, too. They allow enterprises to identify and secure their Internet-connected assets.

Oversharing personal data is problematic for individuals and the organizations they work for. Enterprises should educate employees about safe and responsible social media use.

Employee cybersecurity awareness training should be, at the very least, a semi-annual undertaking. Unannounced cyberattacks and phishing simulations must be part of these training workshops.

Source

DARKReading