Attacked once, victimized multiple times: Data marketplaces are making it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

Cybercriminals and other threat actors are increasingly using data dumped from ransomware attacks in secondary business email compromise (BEC) attacks, according to new analysis by Accenture Cyber Threat Intelligence.   

The ACTI team analyzed data from the 20 most active ransomware leak sites, measured by number of featured victims, between July 2021 and July 2022. Of the 4,026 victims (corporate, non-governmental organizations, and governmental entities) uncovered on various ransomware groups’ dedicated leak sites, an estimated 91% incurred subsequent data disclosures, ACTI found.

Dedicated leak sites most commonly provide financial data, followed by employee and client personally identifiable information and communication documentation. The rise of double extortion attempts – where attack groups use ransomware to exfiltrate data and then publicize the data on dedicated leak sites – has made large amounts of sensitive corporate data available to any threat actor. The most valuable types of data most useful for conducting BEC attacks are financial, employee, and communication data, as well as operational documents. There is a significant overlap between the types of data most useful for conducting BEC attacks and the types of data most commonly posted on these ransomware leak sites, ACTI said.

The data is a “rich source for information for criminals who can easily weaponize it for secondary BEC attacks,” ACTI said. “The primary factor driving an increased threat of BEC and VEC attacks stemming from double-extortion leaks is the availability of \[corporate and communication data\].”

    

There is overlap between available disclosed data and such data’s usefulness for BEC attacks.

Data thieves are making it easier for their customers to find and access the stolen information. The dedicated leak sites are increasingly available on publicly accessible sites, not hidden away on Tor domains, and some offer searchable indexed data to make it easier for threat actors to find what they need for their attacks.

For example, the operators of the data-selling marketplace Industrial Spy organize and name folders with labels that reflect their content to make finding specific files easy, ACTI said. Customers can use the marketplace’s search functionality to find specific files, such as employee data, invoices, scans, contracts, legal documents, and email messages. The search can also hunt for data from specific industries and countries.

“Indexed and searchable databases like these help actors more efficiently acquire specific data versus downloading bulk data and hoping to find desired information,” ACTI said.

Cybercriminals Weaponizing Ransomware Data for BEC Attacks

Duston Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs.

BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.

That's the argument that Brian Gorenc and Dustin Childs, both with Trend Micro's Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, "Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories."

ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he's noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.

"The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk," he noted. "Faulty patches can also be a boon to exploit writers, as 'n-days' are much easier to use than zero-days."

**The Trouble With CVSS Scores & Patching Priority**

Most cybersecurity teams are understaffed and under pressure, and the mantra "always keep all software versions up-to-date" doesn't always make sense for departments who simply don’t have the resources to cover the waterfront. That's why prioritizing which patches to apply according to their severity rating in the Common Vulnerability Severity Scale (CVSS) has become a fallback for many admins.

Childs noted, however, that this approach is deeply flawed, and can lead to resources being spent on bugs that are unlikely to ever be exploited. That's because there's a host of critical information that the CVSS score doesn't provide.

"All too often, enterprises look no further than the CVSS base core to determine patching priority," he said. "But the CVSS doesn't really look at exploitability, or whether a vulnerability is likely to be used in the wild. The CVSS doesn't tell you if the if the bug exists in 15 systems or in 15 million systems. And it doesn't say whether or not it's in publicly accessible servers."

He added, "And most importantly, it doesn't say whether or not the bug is present in a system that's critical to your specific enterprise."

Thus, even though a bug might carry a critical rating of 10 out of 10 on the CVSS scale, it's true impact may be much less concerning than that critical label would indicate.

"An unauthenticated remote code execution (RCE) bug in an email server like Microsoft Exchange is going to generate a lot of interest from exploit writers," he said. "An unauthenticated RCE bug in an email server like Squirrel Mail is probably not going to generate as much attention."

To fill in the contextual gaps, security teams often turn to vendor advisories – which, Childs noted, have their own glaring problem: They often practice security through obscurity.

**Microsoft Patch Tuesday Advisories Lack Details**

In 2021, Microsoft made the decision to remove executive summaries from security update guides, instead informing users that CVSS scores would be sufficient for prioritization – a change that Childs blasted.

"The change removes the context that's needed to determine risk," he said. "For example, does an information-disclosure bug dump random memory or PII? Or for a security-feature bypass, what is being bypassed? The information in these writeups is inconsistent and of varying quality, despite near universal criticism of the change."

In addition to Microsoft either "removing or obscuring information in updates that used to produce clear guidance," it's also now more difficult to determine basic Patch Tuesday information, such as how many bugs are patched each month.

"Now you have to count yourself, and it's actually one of the hardest things I do," Childs noted.

Also, the information about how many vulnerabilities are under active attack or publicly known is still available, but buried in the bulletins now.

"As an example, with 121 CVEs being patched this month, it's kind of hard to dig through all of them to look for which ones are under active attack," Childs said. "Instead, people now rely on other sources of information like blogs and press articles, rather than what should be authoritative information from the vendor to help determine risk."

It should be noted that Microsoft has doubled down on the change. In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft's Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information, she said.

The goal is to give security administrations enough time to apply the patch without jeopardizing them, Gupta said. "If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," she said.

**Other Vendors Practice Obscurity**

Microsoft is hardly alone in providing scant details in bug disclosures. Childs said that many vendors don't provide CVEs at all when they release an update.

"They just say the update fixes several security issues," he explained. "How many? What's the severity? What's the exploitability? We even had a vendor recently say to us specifically, we do not publish public advisories on security issues. That's a bold move."

In addition, some vendors put advisories behind paywalls or support contracts, further obscuring their risk. Or, they combine multiple bug reports into a single CVE, despite the common perception that a CVE represents a single unique vulnerability.

"This leads to possibly skewing your risk calculation," he said. "For instance, if you look at buying a product, and you see 10 CVEs that have been patched in a certain amount of time, you may come up with one conclusion of the risk from this new product. However, if you knew those 10 CVEs were based on 100+ bug reports, you might come to a different conclusion."

**Placebo Patches Plague Prioritization**

Beyond the disclosure problem, security teams also face troubles with the patches themselves. "Placebo patches," which are "fixes" that actually make no effective code changes, are not uncommon, according to Childs.

"So that bug is still there and exploitable to threat actors, except now they've been informed of it," he said. "There are many reasons why this could happen, but it does happen – bugs so nice we patch them twice."  

There are also often patches that are incomplete; in fact, in the ZDI program, a full 10% to 20% of the bugs researchers analyze are the direct result of a faulty or incomplete patch.

Childs used the example of an integer overflow issue in Adobe Reader leading to undersized heap allocation, which results in a buffer overflow when too much data is written to it.

"We expected Adobe to make the fix by setting any value over a certain point to be bad," Childs said. "But that's not what we saw, and within 60 minutes of the rollout, there was a patch bypass and they had to patch again. Reruns aren't just for TV shows."

**How to Combat Patch Prioritization Woes**

Ultimately when it comes to patch prioritization, effective patch management and risk calculation boils down to identifying high-value software targets within the organization as well as using third-party sources to narrow down which patches would be the most important for any given environment, the researchers noted.

However, the issue of post-disclosure nimbleness is another key area for organizations to focus on.

According to Gorenc, senior director at ZDI, cybercriminals waste no time integrating vulns with large attack surfaces into their ransomware tool sets or their exploit kits, looking to weaponize newly disclosed flaws before companies have time to patch. These so-called n-day bugs are catnip to attackers, who on average can reverse-engineer a bug in as little as 48 hours.

"For the most part, the offensive community is using n-day vulnerabilities that have public patches available," Gorenc said. "It's important for us to understand at disclosure if a bug is actually going to be weaponized, but most vendors do not provide information regarding exploitability."

Thus, enterprise risk assessments need to be dynamic enough to change post-disclosure, and security teams should monitor threat intelligence sources to understand when a bug is integrated into an exploit kit or ransomware, or when an exploit is released online.

Ancillary to that, an important timeline for enterprises to consider is how long it takes to actually roll out a patch across the organization, and whether there are emergency resources that can be brought to bear if necessary.

"When changes occur to the threat landscape (patch revisions, public proof-of-concepts, and exploit releases), enterprises should be shifting their resources to meet the need the need and combat the latest risks," Gorenc explained. "Not just the latest publicized and named vulnerability. Observe what's going on in the threat landscape, orient your resources, and decide when to act."

Patch Madness: Vendor Bug Advisories Are Broken, So Broken

GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.

Organizations hosting significant parts of the open source software supply chain continue to adopt security measures that give developers and maintainers more tools to harden their projects against attacks and malicious code commits.

On Monday, GitHub announced that the company — which owns and maintains the Node Package Manager (npm) service — had called for developers to comment on a plan to adopt sigstore, which simplifies the signing of code components produced by projects as well as linking them back to the source code. The sigstore project has made digitally signing source code easier because individual maintainers no longer have to manage their own cryptographic infrastructure.

The technology service allows software developers to confirm what code has been used to generate a particular software application or component, says Brian Behlendorf, general manager of Open Source Security Foundation (OpenSSF), which maintains sigstore with the Linux Foundation.

"The assembly of components into software platforms and applications — all of that has been done with the same kind of security we had on the Internet before TLS \[Transport Layer Security\], frankly," he says. "We depended on a not necessarily misplaced but  high degree of trust that the infrastructure just did things for us or that there were not bad actors out there."

The proposal is the latest effort to make tools available to developers to secure the software supply chain. GitHub's npm, the Python Package Index (PyPI), and others have already urged developers to adopt two-factor authentication (2FA) to secure their accounts to prevent a compromise through a simple credential-based attack. GitHub, for example, has already moved the top 500 most-popular npm projects to 2FA and plans to require the security technology for any project with more than a million downloads per week.

Adopting digital signing of software packages is another critical step. In March, software security firm Sonatype announced it had "every intent to adopt sigstore as part of the Maven Central platform." Maven is the most popular source of Java software components and is maintained by Sonatype. PyPI has a specification called The Update Framework (TUF) that calls for digital signing of software packages, and the repository has a sigstore module under development.

The ability to attest that a program or executable came from a certain source code repository is an important step in securing the software supply chain, Justin Hutchings, director of project management for GitHub's security features, wrote in the blog post.

"When package maintainers opt-in to this system, consumers of their packages can have more confidence that the contents of the package match the contents of the linked repository," Hutchings said. "Historically, linking packages back to the source code has been difficult because it required individual projects to register and manage their own cryptographic keys."

GitHub acquired the Node Package Manager (npm) in 2020.

**SBOMs and "Salsa"**

The ability to sign code is fundamental to supply chain security. For example, a software bill of materials (SBOM) is a way to communicate to developers and security tools the components that make up a software project. Determining what software components and libraries are used in modern software projects is not always straightforward. Already, the US government has created requirements that any software sold to a federal agency needs to have an SBOM, but only a third of companies currently use SBOMs.

Another initiative, the Supply Chain Levels for Software Artifacts (SLSA), pronounced "salsa," provides developers and application security managers with a road map for securing software projects and communicating the software provenance.

"You need to have integrity, and you need to understand the quality — SLSA is really around that integrity part," says Kim Lewandowski, one of the original creators of SLSA and a co-founder at Chainguard, a software security firm. "A developer knows they're getting this piece of software that is built around these dependencies and these are the \[software\] artifacts that went into it."

Sigstore works because the technology makes signing code much easier for developers. OpenSSF's Behlendorf likens the platform to the Let's Encrypt service, which makes the keys for securing websites freely available and easy to deploy. Making any security technology easy to use is critical, he says.

"Greater security in open source software is going to come, not just by helping people write better code," he says. "It is not just going to come from a lot of people finding zero-days, and getting those fixed and fixes pushed out. It is going to come from having tooling that will make having better security throughout the supply chain a 'zero lift' for developers. If they even have to have a feature flag turned on, that is too much."

Software Supply Chain Chalks Up a Security Win With New Crypto Effort

Unusually, SOVA, which targets US users, now allows lateral movement for deeper data access. Version 5 adds an encryption capability.

The Android banking Trojan SOVA is back and sporting updated capabilities — with an additional version in development that contains a ransomware module.  

Researchers at Cleafy, which documented the resurgence of SOVA, say that version 4 appears to be targeting more than 200 mobile applications, including banking apps and crypto exchanges/wallets. Spain appears to be the country most targeted by the malware, followed by the Philippines and the US.

The SOVA v4 malware is hidden within fake Android applications disguised by the logos of popular apps including Chrome and Amazon. The latest version includes a refactored and improved cookie-stealer mechanism, which can now specify a list of targeted Google services and other applications. In addition, the update allows the malware to protect itself by intercepting and deflecting attempts made by victims to uninstall the app.

Also in the latest versions of SOVA, attackers can control the specific targets via the command-and- control (C2) interface. This increases the adaptability of the malware to a large variety of attack scenarios.

In addition, it has capabilities that allow attackers to grab screenshots, and to record and execute commands. This enables an attacker to look for ways to laterally move around to other systems or applications that might be more lucrative.

"The most interesting part is related to the \[virtual network computing\] capability," the report notes. "This feature has been in the SOVA roadmap since September 2021 and that is strong evidence that \[threat actors\] are constantly updating the malware with new features and capabilities."

**Ransomware on the Horizon**

The Cleafy team also found evidence that suggested that an additional version of the malware, version 5, is in development and will include a ransomware module that had previously been announced in a September 2021 development roadmap.

"The ransomware feature is quite interesting as it’s still not a common one in the Android banking-trojan landscape," Cleafy researchers note. "It strongly leverages on the opportunity that has arisen in recent years, as mobile devices became for most people the central storage for personal and business data."

Cory Cline, senior cyber security consultant at nVisium, says that adding ransomware capabilities to a banking Trojan offers plenty of upside to cybercriminals.

"No longer do they need to steal your personal data to get access to your financial information," he explains. "With ransomware capabilities, attackers can now encrypt affected devices."

He adds that with more and more people storing nearly every aspect of their lives on their mobile devices, attackers will be able to more easily find targets willing to pay to get access to their data returned.

"The team behind SOVA has demonstrated a new level of sophistication," he says. "The feature set is fairly unique to the Android banking Trojan scene, and SOVA is one of the most feature-rich Android banking Trojans available."

However, he points out that the team behind SOVA has opted to implement RetroFit for C2 as opposed to writing its own solution.

"This could speak to some limitations in the development team," Cline says.

**Banking Trojans Get Boost From Added Capabilities**

Other banking Trojans have also resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by joint international task force in January 2021.

Joseph Carson, chief security scientist and Advisory CISO at Delinea, says that improving and evolving existing Android banking Trojans has many advantages.

"The significant improvements to SOVA v4 and SOVA v5 show that attackers can simply expand existing features such as the cookies stealer, which now includes more payment services and applications to exploit," he points out. "New modules such as those targeting cryptowallets demonstrate that attackers see cryptocurrencies as a lucrative target."

He explains that adding ransomware capabilities can have multiple advantages for attackers, such as destroying evidence. That makes it difficult for digital forensics to discover any traces or attribution of the attacker, and gives the attacker an additional option to get paid when stealing credentials or cookies is not successful.

"As new Internet services specifically in the financial industry get adopted," Carson says, "attackers will need to keep updating banking Trojans with new modules just like any other software company to stay compatible with newer technologies."

Novel Ransomware Comes to the Sophisticated SOVA Android Banking Trojan

Back-end complexity of cloud computing means there's plenty of potential for security problems. Here's how to get a better handle on SaaS application security.

Many security practitioners take their eye off cloud and software-as-a-service (SaaS) security based on the faulty assumption that the providers are inherently secure. While most providers are, the cloud is so flexible and customizable that every organization might open different doors – ones that they're responsible for closing. Ones that traditional security tools often overlook.

Some 89% of organizations have a multicloud strategy, with 48% using multiple public and private clouds. By the end of 2021, it was estimated that 99% of organizations would be using one or more SaaS solutions. With so many resources now in the cloud, it's a complex responsibility to secure each one.

Security risks continue to plague organizations. According to Varonis' "2021 SaaS Risk Report," 44% of cloud user privileges are misconfigured and 43% of all cloud identities are unused and exposed to threats. By rightsizing your cloud footprint, adopting new security controls, and emphasizing SaaS security management, you can be confident enough in your security to achieve cloud nirvana – security that's so automated, intuitive, and frictionless that you never have to think about it. There are three phases to getting there.

**Understand Your Cloud Footprint**

You must take a strategic view of cloud security. The first step is to undertake an inventory to find what SaaS services are in use. Which business areas are dependent on what SaaS services? Which SaaS services are common across the enterprise?

Then create an inventory focused on where your most sensitive data is. What information is leaving your applications or being exchanged with other applications? The next question is: Which users, resources, and applications have access to your data? Only once you understand your cloud footprint, data in the cloud, and resources accessing it, can you work to secure it.

Make no mistake: cloud and SaaS sprawl are difficult to audit. According to Productiv's recent report, the average SaaS portfolio size is 254 applications but only 45% of those apps are used on a regular basis. Taking that deep dive and reflecting on the business purposes of those apps may identify some ways to reduce your organization's overall risk (and your SaaS spend). Auditing your cloud footprint is important so that you have a clear picture of your risk, and so you can ensure you're meeting compliance, regulatory, and customer obligations.

Before you can start chipping away at the inhibitors of SaaS security, you need to make sure you're covering all your bases. Does your security scope include management of third-party applications and data? What about any necessary compliance or regulatory policies for checking misconfigurations and anomalies? While most companies stop there, it's important to have deep security coverage for your most business-critical SaaS applications, including threat detection and continuous monitoring.

**Protect Your Cloud Footprint**

Once you understand your cloud footprint, and where most sensitive data is, you need to assess whether your data is protected. Are appropriate security controls in place to ensure all applicable layers of encryption and masking? Are only appropriate people able to access sensitive data? Are configurations being scanned on a regular basis to detect misconfigurations and, more importantly, are those misconfigurations being remediated in a timely manner?

You need to define security controls to protect the data and configurations. Once you've defined security controls, you need to replicate the process for the multitude of SaaS vendors you're working with across your ecosystem.

In addition to, say, Microsoft 365, you probably also have some combination of Workday, Salesforce, ServiceNow, Atlassian, and potentially dozens of other applications that keep your business running. Interestingly, the Productiv report shows an inverse relationship between the size of an organization and its application engagement. Smaller organizations, according to the report, engage with 49% of apps while enterprises only use 39%.

The fragmentation of the SaaS market means that not only do you have multiple vendors to consider, but they all operate based on different standards and with different levels of security. Unfortunately, there's no common framework for SaaS security.

The Center for Internet Security (CIS) has developed critical controls for the cloud, but they haven't yet become so widely adopted that they provide consistency across the entire industry. For now, you need visibility into the security of each SaaS application.

**Cloud Nirvana: Eliminate the Need to Think About Security**

Getting closer to cloud nirvana means finding efficiency as the cloud continues to scale. SaaS leads the way in the expansion of cloud adoption, with end-user spending expected to hit more than $176 billion this year, according to Gartner, and increase nearly 18% next year.

Adhering to the industry standard framework like CIS controls will make for a clearer picture of your SaaS security, but there's even more you can do. By adopting a DevSecOps structure, you involve security teams at the beginning of the development lifecycle so there are no surprises or delays down the road.

Reaching true cloud nirvana, though, typically comes through SaaS security management that can monitor, detect, and protect against threats. This includes automating security for instant visibility, 24/7 monitoring, and alerts for common SaaS security risks like misconfigured data access, overly broad permissions for user accounts, and exposed data.

How to Clear Security Obstacles and Achieve Cloud Nirvana

The head of Microsoft's Security Response Center defends keeping its initial vulnerability disclosures sparse — it is, she says, to protect customers.

BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company's vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.

In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft's Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.

For most vulnerabilities, Microsoft's current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrations enough time to apply the patch without jeopardizing them, she says. "If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," Gupta says.

**Sparse Vulnerability Information?**

Microsoft — as other major software vendors — has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.

However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft's current practice of putting vulnerabilities into an "Exploitation More Likely" or an "Exploitation Less Likely" bucket does not provide enough information to make risk-based prioritization decisions.

More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable's CEO Amit Yoran accused the company of "silently" patching a couple of Azure vulnerabilities that Tenable's researchers had discovered and reported.

"Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service," Yoran wrote. "After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," and without notifying customers.

Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.

**Consistent with MITRE's CVE Policies**

Gupta says Microsoft's decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE's CVE program.

"As per their policy, if there is no customer action needed, we are not required to issue a CVE," she says. "The goal is to keep the noise level down for organizations and not burden them with information they can do little with."

"You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis," she notes.

Gupta points to last year's disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that situation, Microsoft's strategy was to directly contact organizations that are impacted.

"What we do is send one-to-one notifications to customers because we don't want this info to get lost," she says "We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly."

Sometimes an organization might wonder why they were not notified of an issue — that's likely because they are not impacted, Gupta says.

Microsoft: We Don't Want to Zero-Day Our Customers

During a keynote at Black Hat 2022, former CISA director Chris Krebs outlined the biggest risk areas for the public and private sectors for the next few years.

BLACK HAT USA — Las Vegas — A potential invasion of Taiwan should be top of mind for any entity, as geopolitical factors will continue to affect cybersecurity risk profiles.

That's the word from Chris Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA) who now runs a consultancy with former Facebook CISO Alex Stamos (the appropriately named Krebs Stamos Group). He took to the stage at Black Hat USA 2022 to talk about what will be driving the risk landscape in the next few years.

Krebs was fired from CISA for insisting the 2020 election was secure and fraudless ("We insist that we were successful — it was a singularly important moment in American history," he said at Black Hat. "And I think we did a pretty damn good job.") In the 18 months since, he has hit the road, talking to officials in the private sector, global governments, and state and local entities.

"I wanted to find consensus on what the trend lines are out there, the market pressures and the coming inflection points that are influencing technology, governments, bad actors, and people," he said.

In addition to geopolitical headwinds, Krebs noted that digital transformation, along with ever-increasing cyber-offensive capabilities from the bad guys, should have both the public and the private sectors on notice — or they risk falling hopelessly behind.

**Taiwan Looms as Geopolitical Pressures Accelerate**

In the last six months alone, there has been an unprecedented collision between geopolitical risks and technology risks — and this will only continue, according to Krebs. In addition to the ongoing war in Ukraine, Taiwan is a hotspot to watch.

"Leaders need to plan out beyond the next two quarters," he noted. "You have to look three to four years out, and every single company out there should be conducting simulation scenarios, impact assessments, tabletop exercises at the executive level around what's happening in the Taiwan Strait."

A Chinese invasion of Taiwan has the potential to impact organizations across the board, especially affecting the technology supply chain, competition and markets, and IT operations.

"Political headwinds have big effects and you have to game these things out," Krebs noted. "I don't know if it's going to happen tomorrow, next year, or three, four years out, but based on the conversations I have with national-security officials, they're pretty confident that's going to come to a head between China and Taiwan."

He added, "And if you want to be in a position to de-risk your operations, you have to start that yesterday."

While nation-state and advanced persistent threats (APTs) tend to be discussed in the context of China, Iran, North Korea, and Russia, Krebs noted that this is about to become a much bigger space to be concerned with.

"Literally every country on the face of this earth is developing capabilities for espionage for domestic surveillance," he warned. "And yeah, they're also looking at capabilities for destruction and disruption. There are going to be splashy, new, and novel events in the near future."

Against this backdrop, companies will also have to tabletop their responses to world events with an eye to ethics, he urged.

"You have to have a set of principles," he said. "You have to establish your values, who you are, what your red lines are. When Russia invaded Ukraine, we were working with a couple of different companies that said, look, we're not impacted by sanctions, so we're good, we don't really need to worry about it. Our take was, when images of war crimes start showing up on TV, and on Twitter and elsewhere, you're going to have a problem. You're continuing to support the Russian war machine."

**Insecurity in the Cloud, by Design**

Krebs also noted that as the COVID-19 pandemic drove an acceleration to the cloud and digital transformation, it became clear that the benefits of insecure products far outweigh the downsides.

"That's because we operate inside a larger ecosystem, inside businesses that are focused on productivity and reducing friction, and they tend to see security as slowing things down when you want to be first to market," he explained. "So we're building more products that are insecure by design because of the market pressures."

Meanwhile, as the ongoing mass migration to the cloud is being done in an effort to increase flexibility, elasticity, productivity, and efficiency, an ancillary result was a reduction in the ability for firms to see what's happening across their infrastructure.

"We've made it more complex, and we've also started adding on additional products, the infrastructure on the platforms, and we have this explosion of software-as-a-service (SaaS) opportunities and options out there," Krebs said. "Those are all opportunities for the bad guys to come in and get what they want. Do you really understand how the cloud works across the various hyperscale vendors and how you interact with it?"

Cybercriminals understand these shifts in business architecture, along with the dependencies and the trust connections housed within the relationships between software services and technology providers; this, he warned, will continue to foment more attacks against the supply chain and managed service providers.

Further complicating matters is the ongoing proliferation of connected things, which all come with potentially insecure cloud apps.

"I think we all agree there's going to be more stuff connected, because we have a pathological need to connect things to the Internet, seemingly," he said. "Three, four years into the future there are going to be more things around you that are collecting and generating data. These things are generating an incredible amount of data exhaust, digital exhaust, and it's becoming more complex, not less."

He noted that William Gibson had this reality pegged when he released the book _Neuromancer_ in 1984.

"He coined the term 'cyberspace,'" Krebs said. "But it's how he described cyberspace that was so captivating — the unthinkable complexity of cyberspace. We're there right now."

**Public Sector Concerns: Security Work to Do**

The next future concern on the Krebs list is the fact that the US government is struggling with balancing market interventions and regulation with the capitalist desire to allow innovation to grow.

"We see an overreliance on checklists and compliance rather than performance-based outcomes, so we're not getting the security-related outcomes we want," he noted, adding that to boot, what oversight does exist isn't implemented well.

"Congress needs to figure it out as well, and needs to establish select committees in the House and Senate that consolidate oversight over the various departments and agencies, particularly in the civilian branch," Krebs said. "We have 101 civilian agencies, and every single one of them is running their own email service. So, we've got to fix that."

On the law enforcement side, the Department of Justice and FBI have been consistently tackling the ransomware issue, which Krebs called "the right moves."

"They're going more aggressively at the adversary at the command-and-control level," he explained. "But we need to shift from longer-term investigations towards more disruptive actions aimed at imposing costs and eliminating ransomware's ability to extract value from companies here in the US.

Ransomware has become professionalized, he noted, and cyberattackers' capabilities just keep getting better and better.

"The barriers to entry have dropped, and now, they have access to exploits that were the remit of nation-states," he said. "They're profiting, and it's not costing them anything; they're getting their wins. And until we create meaningful consequences, and impose costs on them, they will continue to."

**Workforce Challenges Continue**

When it comes to the infamous lack of qualified people to fill 3 million open cybersecurity roles, the situation is confounding given how rewarding a career it can be, Krebs said.

"The first thing is, it's fun. Second is, it's lucrative," he noted. "We get paid pretty well in this industry. And third, relatedly, it's durable; we're going to be dealing with these challenges for the rest of our lives, perhaps the rest of human history. And then last thing is, these are national security issues. The mission we're doing is incredibly important."

That said, the US workforce over all is becoming increasingly tech-native, which he's optimistic about.

"We're getting critical thinking skills coming along with the technology savviness that we're looking for," he said.

While there's much to think about going forward, and to act on today, Krebs did say that there are reasons to be hopeful about the chances for businesses to keep up with the risk landscape.

"As evidenced by Black Hat USA at 25, we have a maturing industry," he said. "We're producing and generating products that are solving problems. We have technology vendors that are working to solve problems in the infrastructure."

Krebs: Taiwan, Geopolitical Headwinds Loom Large

In her keynote address at Black Hat USA 2022, Kim Zetter gives a scathing rebuke of Colonial Pipeline for not foreseeing the attack.

BLACK HAT USA — Las Vegas — The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in protecting their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter gave a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, its leaders had plenty of warnings that could have prevented the crippling attack.

Zetter, who has covered many major cyber-incidents over more than two decades, is author of the book _Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon_ (Crown: 2015). Stuxnet, the malicious worm that security experts discovered at an Iranian uranium enrichment facility in 2010, explicitly targeted the Siemens S7-400 system. The discovery heralded a new generation of targeted attacks, according to Zetter.

"When Stuxnet was discovered in 2010, it shed a light on vulnerabilities and critical infrastructure that few had noticed before," Zetter said. "The security community largely focused on IT networks. They had previously ignored what are known as operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electric grid and water treatment plants and manufacturing, and so many other pivotal industries."

Stuxnet was more significant for what it portended than any damage resulting from it at the time. Introduced to a network via a USB drive, Stuxnet consists of worming malware, a Windows LNK file designed to propagate it, and a rootkit that hides the malicious files.

The discovery of Stuxnet shouldn't have come as a surprise back then, but it opened some eyes for the first time, according to Zetter.

"Stuxnet provided stark evidence that physical destruction of critical infrastructure using nothing more than code was possible," she said. "But no one should have been surprised. There have been warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet."

Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security: Stuxnet created a trickle-down effect in the form of techniques and tools, kicked off today's cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.

Coinciding with Stuxnet was the discovery of an advanced persistent threat (APT) called Aurora, which exposed the growing capabilities of nation-state hackers, Zetter noted.

"Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted source code repositories of Google, Adobe, and Juniper," she said. "And \[it\] included one of the first significant supply chain operations targeting the RSA C repository, the engine for its multifactor authentication systems."

**Risks Remain High for Industrial Control Systems**

The high-profile attack that locked up Colonial Pipeline, which distributes 45% of fuel across the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4 million in ransom. Zetter suggested there is no reason last year's ransomware attack should have blindsided the company's top leaders.

"What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware," Zetter said. "As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan didn't include a ransomware attack — even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked."

Zetter pointed to Critical Infrastructure Ransomware Attacks (CIRA) statistics compiled by Temple University in 2019, just two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between Nov. 2013 and July 31, 2022.

"These weren't just attacks on hospitals, which of course had been a big target for ransomware actors in 2016," she said. "But these were also targeting oil and gas facilities. And the attackers weren't just targeting IT systems. They were already going after the OT networks that are controlling the critical processes."

Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations that operate industrial control systems since 2017. The attacks created major disruptions and production and delivery delays.

Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity & Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security's (DHS) Pipeline Cybersecurity Initiative. The effort, created by DHS in 2018, was a joint effort of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders.

Zetter indicated that it is probably not ironic that DHS announced new cybersecurity requirements for those who own and operate critical pipelines two months after the Colonial Pipeline attack. "I don't mean to beat up on Colonial Pipeline — they're just a convenient example, because the attack was so significant," she said. "But other critical infrastructure is in the same position or worse."

After Colonial Pipeline, Critical Infrastructure Operators Remain Blind to Cyber-Risks

Up-and-coming companies shoot their shot in a new feature introduced at the 25th annual cybersecurity conference.

BLACK HAT USA 2022 -- Las Vegas — At an intimate stage area in the Innovation City section located at the back of the Business Hall, Phylum beat out three other cybersecurity startups to take the title at the inaugural Innovation Spotlight competition, held on Wednesday evening at the 25th Black Hat USA.

The four finalists were Phylum, a software supply chain security company; KeyCaliber, a company that uses asset behavior analytics to help clients prioritize protective measures; Normalyze, which identifies sensitive data and vulnerable access paths ripe for exploitation; and Tromzo, with a product security operating platform (PSOP) for building applications more securely.

Dark Reading's editor-in-chief, Kelly Jackson Higgins, hosted the awards. Judges picked finalists back in July after viewing video submissions from candidates -- companies that were 2 years old or less and had fewer than 50 employees.

**The Final Four**

The finalists presented in alphabetical order, starting with KeyCaliber. Roselle Safran, cofounder and CEO, explained how her company's analytics engine helps continuously identify and protect an organization's most valuable data, aka "crown jewels" — indeed, the company's brand representatives were men dressed in royal robes and costume crowns. Safran said KeyCaliber's software can run on her company's network, on the customer's network, or on premises, a flexibility that meets prospective clients' need to balance resources and security.

    

KeyCaliber's two kings. (Photo by Karen Spiegelman for Dark Reading)

Next up was Normalyze cofounder and CEO Amer Deeba. His company is in a similar risk management space as KeyCaliber, but emphasizes "holistic data security" rather than crown jewels. The company offers "data-first cloud security" that scans for sensitive data on Google Cloud, AWS, and Microsoft Azure. His co-founder, CTO Ravi Ithal, was standing to the side recording his partner's presentation, in a perfect example of the supportive atmosphere of the event.

The specter of Log4j hung over the presentations, none more so than Phylum's. Cofounder and president Peter Morgan said his company focuses on the security of open source packages, using deductive analysis of risk indicators to create what he likened to a "credit score for packages." The company offers a community edition that has "feature parity" with the paid edition, limiting it to one user and five projects at a time. He said the automated analysis takes 12-15 minutes to complete. "We're walking really well, and the system is learning to run as we speak," Morgan said.

The last to present was Harshil Parikh, CEO and cofounder of Tromzo, a product security operating platform designed to make the entire software development pipeline more secure. In response to a question from the judges, Parikh explained that the company wrote its own no-code platform for automating security processes and remediation.

**The Winners**

First, all four finalists were winners in that they got booth space at Black Hat USA, as well as a receptive audience for their presentations and a consultation with an Omdia analyst. There were decision-makers in the audience Wednesday, with a few CEOs filling the seats and a standing-room crowd watching the competition.

Tromzo definitely had the flashiest presentation. Parikh opened by using a DVD as a prop to illustrate the outdated former cutting-edge technology. He closed by tossing the DVD over his shoulder, warning, "Don't get left behind." That jazz might be why Tromzo took first place in the audience poll.

Ultimately, however, the opinions that mattered most in the contest were those of the judges, and they favored the open source-emphasizing Phylum. The seven judges were Ketaki Borade, senior analyst in Omdia’s Infrastructure Security research practice; Trey Ford, deputy CISO at Vista Consulting Group; Hollie Hennessy, senior analyst in Omdia's IoT cybersecurity practice; Maria Markstedter, founder and CEO of Azeria Labs; Lucas Nelson, founding partner at Lytical Ventures; Robert J. Stratton III, principal & strategist at Polymathics and venture partner at Nextgen Venture Partners; and Rik Turner, principal analyst in Omdia's IT security and technology team.

Supply Chain Security Startup Phylum Wins the First Black Hat Innovation Spotlight

Even among businesses with cyber insurance, they lack coverage for basic costs of many cyberattacks, according to a BlackBerry survey.

Organizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000.  

These were among the findings of a BlackBerry and Corvus Insurance survey of 450 business decision-makers for IT and security solutions, which also revealed more than a third (37%) of respondents currently lack coverage for any ransomware payment demands.

Nearly six in 10 (59%) of respondents said they hoped the government would cover damages when future attacks are linked to other nation-states, and fully half of small to medium-size business (SMB) respondents said they hoped Uncle Sam would increase financial aid in all ransomware incidents.

Gary Davis, senior director of cybersecurity at BlackBerry, says these statistics were the most surprising — and concerning — findings from the survey.

"I think that would establish a dangerous precedent and only encourage more nefarious attacks," he says.

Davis explains he believes the best option for SMBs is to hire a cybersecurity managed service provider (MSP) to deliver the essential capabilities required by insurance providers in the most affordable and comprehensive way possible.

"Demonstrating compliance will go a long way toward an effective negotiation with the insurance providers," he says. "Also, I would encourage SMBs to share their security posture insights with their insurance provider."

The good news is, most organizations are happy to share this type of information.

"To me, that’s very much akin to how many car insurers operate today when they offer better rates for those willing to have a device in their car that reports their driving behavior to the insurance company," Davis says. "Hopefully, sharing these details will have a similar impact on what insurance providers charge for cyber insurance."

**Cyber Insurance Lacking Critical Coverage**

The survey also revealed that the increased software requirements demanded by insurance brokers is making cyber insurance harder to get — more than a third of respondents said they had been denied coverage due to unfulfilled endpoint detection and response (EDR) software requirements.

Overall, the findings indicated that even when organizations do have cyber insurance, the coverage lacks critical elements, with 43% of survey respondents not covered for auxiliary costs, including court fees or employee downtime.

Davis points out he has not seen any evidence that the bad actors are slowing down, which suggests that organizations of every size and type should increasingly rely on cyber insurance as another means of helping to combat the problem.

"Ideally, we will also see stronger ties between cybersecurity vendors and insurance providers to collaborate on ways we can help companies minimize their risk of being successfully attacked," he says.

**As Cyber-Insurance Market Evolves, Complications Arise**

The BlackBerry report follows a June study by Proofpoint, which found less than half of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed.

The increasing volume of ransomware and other cyberthreats is jacking up the price of cyber insurance, while insurers are simultaneously starting to demand more direct access to organizational metrics and measures.

They argue this access will allow them to make more accurate risk assessments – however, some businesses may be loath to reveal such closely held information, in part because it may wind up preventing them from receiving coverage.

At the same time, some insurers are pulling out of the market, including global insurance giant AXA, which said in May that it would stop reimbursing French companies for ransomware payments to cybercriminals.

Amid a dynamic environment where insurers have started to charge more for policies and begun setting higher requirements, debates over standards, baseline security controls, and new exclusions and limitations on coverage types continue to wreak havoc on this burgeoning market.

Source

DARKReading