Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

The discovery adds to the growing list of recent incidents where threat actors have used public code repositories to distribute malware in software supply chain attacks.

Administrators of the Python Package Index (PyPI) have removed 10 malicious software code packages from the registry after a security vendor informed them about the issue.

The incident is the latest in a rapidly growing list of recent instances where threat actors have placed rogue software on widely used software repositories such as PyPI, Node Package Manager (npm), and Maven Central, with the goal of compromising multiple organizations. Security analysts have described the trend as significantly heightening the need for development teams to exercise due diligence when downloading third-party and open source code from public registries.

Researchers at Check Point's Spectralops.io uncovered this latest set of malicious packages on PyPI, and found them to be droppers for information-stealing malware. The packages were designed to look like legitimate code — and in some cases mimicked other popular packages on PyPI.

**Malicious Code in Installation Scripts**

Check Point researchers discovered that the threat actors who had placed the malware on the registry had embedded malicious code into the package installation script. So, when a developer used the "pip" install command to install any of the rogue packages, the malicious code would run unnoticed on the user's machine and install the malware dropper.

For example, one of the fake packages, called "Ascii2text," contained malicious code in a file (­\_init\_.py) imported by the installation script (setup.py). When a developer attempted to install the package, the code would download and execute a script that searched for local passwords, which it then uploaded to a Discord server. The malicious package was designed to look exactly like a popular art package of the same name and description, according to Check Point.

Three of the 10 rogue packages (Pyg-utils, Pymocks, and PyProto2) appear to have been developed by the same threat actor that recently deployed malware for stealing AWS credentials on PyPI. During the setup.py installation process, Py-Utils for instance connected to the same malicious domain as the one used in the AWS credential-stealing campaign. Though Pymocks and PyProto2 connected to a different malicious domain during the installation process, their code was near identical to Pyg-utils, leading Check Point to believe the same author had created all three packages.

The other packages include a likely malware-downloader called Test-async that purported to be a package for testing code; one called WINRPCexploit for stealing user credentials during the setup.py installation process; and two packages (Free-net-vpn and Free-net-vpn2) for stealing environment variables. 

"It is essential that developers are keeping their actions safe, double-checking every software ingredient in use and especially such that are being downloaded from different repositories," Check Point warns.

The security vendor did not immediately respond when asked how long the malicious packages might have been available on the PyPI registry or how many people might have downloaded them.

**Growing Supply Chain Exposure**

The incident is the latest to highlight the growing dangers of downloading third-party code from public repositories without proper vetting.

Just last week, Sonatype reported discovering three packages containing ransomware that a school-age hacker in Italy had uploaded to PyPI as part of an experiment. More than 250 users downloaded one of the packages, 11 of whom ended up having files on their computer encrypted. In that instance, the victims were able to get the decryption key without having to pay a ransom because the hacker had apparently uploaded the malware without malicious intent. 

However, there have been numerous other instances where attackers have used public code repositories as launching pads for malware distribution.

Earlier this year, Sonatype also discovered a malicious package for downloading the Cobalt Strike attack kit on PyPI. About 300 developers downloaded the malware before it was removed. In July, researchers from Kaspersky discovered four highly obfuscated information stealers lurking on the widely used npm repository for Java programmers.

Attackers have begun increasingly targeting these registries because of their wide reach. PyPI, for instance, has over 613,000 users and code from the site is currently embedded in more than 391,000 projects worldwide. Organizations of all sizes and types — including Fortune 500 firms, software publishers and government agencies — use code from public repositories to build their own software.

10 Malicious Code Packages Slither into PyPI Registry

A rising tide of threats — from API exploits to deepfakes to extortionary ransomware attacks — is threatening to overwhelm IT security teams.

The use of deepfakes to evade security controls and compromise organizations is on the rise among cybercriminals, with researchers seeing a 13% increase in the use of deepfakes compared with last year.  

That's according to VMware's eighth annual "Global Incident Response Threat Report," which says that email is usually the top delivery method.

The study, which surveyed 125 cybersecurity and incident response (IR) professionals from around the world, also reveals an uptick in overall cybersecurity attacks since Russia's invasion of Ukraine; extortionary ransomware attacks including double extortion techniques, data auctions, and blackmail; and attacks on APIs.

"Attackers view IT as the golden ticket into an organization's network, but unfortunately, it is just the start of their campaign," explains Rick McElroy, principal cybersecurity strategist at VMware. "The SolarWinds attack gave threat actors looking to target vendors a step-by-step manual of how to successfully pull off an attack."

He says that keeping this in mind, IT and security teams need to work hand in hand to ensure all access points are secure to prevent an attack like that from harming their own organization.

McElroy explains what he found eye-opening was the increase in lateral movement witnessed by most respondents — i.e., the process by which attackers pivot from a compromised device to burrowing deeper into the corporate network.

He calls lateral movement "the new battleground," appearing in a quarter of all attacks, with attackers leveraging everything from script hosts and file storage (e.g., in the cloud) to PowerShell, business communications platforms, .NET, and numerous other dual-purpose tools to rummage around inside networks.

To account for the threat, organizations must consider solutions that provide visibility into all areas of the network, including the cloud, to ensure they can prevent, detect, and respond to attacks leveraging lateral movement.

"While lateral movement has always been a threat, we have seen an increasing percentage of east-west traffic not moving through the network," McElroy says. "In this situation, most security teams struggle unless their system and organization controls are equipped to see the lateral movement between workloads and containers on the hypervisor."

**Attackers Targeting APIs with Greater Frequency**

The report separately shows that API attacks are being seen by nearly a quarter (23%) of the respondents.

The most common types of API attacks include data exposure (experienced by 42% of respondents), SQL attacks (37%), API injection attacks (34%), and distributed denial-of-service (DDoS) attacks, experienced by a third of respondents.

McElroy says that while it can be difficult to determine a definitive number, if one looks broadly at threat reports from the last three years, API attacks are "definitely increasing."

"Given that APIs underpin technology stacks and ensure things like integrations, automations and orchestrations, the attackers understand the weaknesses in APIs and have been targeting them more frequently as a result," he says.

**Risk of Burnout Still High, but Falling**

Nearly half (47%) of survey respondents have experienced "burnout or extreme stress" in the past 12 months; however, this is down slightly from the 51% reported last year.

However, a higher percentage of those who have experienced burnout say they're more likely to consider leaving their job than those in the same group from the 2021 report.

Although battling something as big as employee burnout may seem daunting, there are practical steps security teams can take to streamline and ease user stress when it comes to security.

The report, for instance, indicates measures such as flexible hours, investment in further education, and days off for well-being were having a positive effect preventing burnout.

McElroy explains that along with smart steps to address employee wellness, dealing with the tsunami of threats is getting a little easier.

"Defenders have also already begun implementing new strategies and methods to stem the tide of incursions," he says.

The report says that 75% of organizations have employed virtual patching as an emergency mechanism, nearly 90% of respondents now say they are able to disrupt an adversary’s activities, and 74% report that IR engagements are resolved in a day or less.

"These are all signs that reflect the growing maturity of security teams," McElroy says.

Deepfakes Grow in Sophistication, Cyberattacks Rise Following Ukraine War

HYAS Confront provides total visibility into your production environment, giving you insight into potential issues like cyber threats before they become problems.

VICTORIA, British Columbia--Leading security technology firm HYAS Infosec — whose proactive solutions ensure that businesses can keep moving full forward in our ever-changing world — today announced the general release of its newest product, HYAS Confront, a cybersecurity solution offering complete visibility into every corner of a production environment. HYAS will be demoing Confront at Black Hat USA in Las Vegas from August 8 to August 11.

> “HYAS Confront’s distinctive ability to detect anomalies within your production environment ensures that even in these cases, you can uncover the problem before it does damage, letting businesses operate confidently and without fear of costly interruptions.”

Production environments are increasingly becoming a target for bad actors, as they want their attacks to cause as much disruption as possible. Afterall, if a company’s production environment is rendered inoperable, its ability to generate income is shut down. HYAS Confront addresses this growing issue by giving DevSecOps teams complete visibility into their production environment. HYAS Confront finally gives them a definitive picture of which devices on their network are communicating with one another, which devices are sending traffic outside the network, and how often and to whom they are sending it. HYAS Confront also automatically identifies communication to known command and control servers as well as other risks and threats.

“We have gotten an excellent response from our first customers, who began using the service during development and testing,” said HYAS CEO David Ratner. “We are extremely proud of the solution we have brought to market and the vital role it fulfills in providing complete network visibility.”

Most cybersecurity solutions on the market today focus on protecting the perimeter of your network, but unfortunately, regardless of the strength of your outward-facing security posture, you will be breached at some point. The numbers bear this out, with 97 percent of companies reporting having experienced a successful cybersecurity breach at some point.

However, even if bad actors sneak past your perimeter security, they can’t hide from the foundational network monitoring provided by HYAS Confront. Once deployed, a process that usually takes less than 30 minutes, it establishes a baseline of normal, healthy network traffic. With this data, HYAS Confront can recognize aberrations from normal traffic patterns that could indicate a problem. When such an anomaly is discovered, Confront alerts administrators so they can take appropriate action.

But the benefits of full production environment visibility doesn’t end with security. HYAS Confront can also reveal issues like misconfigurations, violations of policies or controls, and incomplete removal of malware after an attack. One of the most difficult aspects of incident response is ensuring that the environment is actually clean again, and HYAS Confront’s visibility can play a vital role in that process. It can also be a useful tool for understanding service assurance. This innovative solution integrates seamlessly with other network management and security infrastructure, working alongside them to enhance the value of these pre-existing investments. This improves overall network health, preventing problems down the road and giving businesses the confidence to move forward at full speed.

“Production environments are so critical to a company’s ability to function, and unfortunately, no matter how strong your perimeter is, bad actors _will_ eventually find a way in,” said Ratner. “HYAS Confront’s distinctive ability to detect anomalies within your production environment ensures that even in these cases, you can uncover the problem before it does damage, letting businesses operate confidently and without fear of costly interruptions.”

To request a demo visit

For any questions or to request more info, please email \[email protected\] or call us at 1-888-962-4794.

**About HYAS  
**HYAS is a valued partner and world-leading authority on cyber adversary infrastructure and communication to that infrastructure. We help businesses see more, do more, and understand more about the nature of the threats they face — or don’t even realize they are facing — in real time. HYAS’s foundational cybersecurity solutions and personalized service provide the confidence and enhanced risk mitigation that today’s businesses need to move forward in an ever-changing data environment. For more information: HYAS.com.

HYAS Infosec Announces General Availability of Cybersecurity Solution for Production Environments

Q&A with Jonathan Leitschuh, inaugural HUMAN Dan Kaminsky Fellow, in advance of his upcoming Black Hat USA presentation.

With enterprise software more dependent on open source components than ever before, a big element of modern application security is reliant on how well the open source community can shore up vulnerable code. The Black Hat USA presentation "Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All" will tackle some important tools and strategies that can amp up the progress on this front. 

Jonathan Leitschuh, the inaugural Dan Kaminsky Fellow at HUMAN Security, plans to examine how the security research community can use automated bulk pull request generation to collaborate with open source maintainers in a way that can make it easier to address drastically larger numbers of high-risk flaws.

Leitschuh used his fellowship year to work on refining the tools and methods for scaling open source security vulnerability remediation. Dark Reading caught up with Leitschuh to discuss his upcoming talk and dive deeper into his work. (The interview has been lightly edited for conciseness and clarity.)

**Dark Reading: What do you think the No. 1 takeaway will be for the audience at your Black Hat talk?  
****Leitschuh:** My presentation will examine open source vulnerabilities and how several are more widespread than you’d think. For example, there is one project owned by Perforce, called _zeroturnaround/zt-zip_, that received all three of the security pull request fixes I attempted to fix across open source.

Importantly, the highest impact finding I intend to share is how it is possible to fix widespread and common security vulnerabilities at scale. We have the technology. All we need to do is leverage it.

My goal is to demonstrate that fixing these vulnerabilities is not an interactive problem. We can solve it with math, science, technology, and security. You have to be accessible, flexible, and open-minded if you want your proposed fixes to be accepted.

It’s not that people are asleep at the wheel when it comes to vulnerabilities. They often just aren’t aware of certain problems, and to compound things the Web is insecure by default.

****Dark Reading:** When we first talked at the beginning of the year, you were just getting your feet wet in the fellowship and planning out your year. Can you offer me an update on the progress that you made in utilizing CodeQL, OpenRewrite, and other tools to scale up open source vulnerability mitigation?  
****Leitschuh:** I ended up having to reimplement features, including Data Flow and Control Flow analysis, that were missing or partially implemented in OpenRewrite in order to support the vulnerabilities I intended to fix. The Control Flow feature was particularly tricky but was possible thanks to an excellent collaboration with my intern, Shyam Mehta. He had taken a few classes in college that I had not, in particular, one about compilers that was particularly helpful in our work.  

We generated over 400 pull requests to fix new instances of old vulnerabilities from my previous research and generated over 170 pull requests to fix new vulnerabilities that wouldn’t have been possible without OpenRewrite.

****Dark Reading: Did you run into** any surprises?  
****Leitschuh:** The feedback from maintainers has been, in general, positive, but it’s always interesting to see how careful you need to be around OSS maintainers. It is very important to make sure the automated fix you are making looks like the surrounding code. One of the biggest pushbacks from maintainers I’ve received is about not including unit tests with the pull requests. Unfortunately, their codebase is most often far too complex to automatically generate a unit test in addition to the fix.

****Dark Reading:** What was the most impactful finding/technique/application of tools you discovered over the course of the year?  
****Leitschuh:** To begin with, I had to start from scratch and conduct a data analysis. Using CodeQL was key as I needed to translate my knowledge not only across different programming languages, but also from query language to a procedural one.

Shyam was instrumental in making sure I was correctly building this new feature, which we needed for the final security vulnerability: Zip Slip, which is unzipping a zip file in such a way that one can arbitrarily overwrite file contents, potentially allowing for remote code execution.

As a note, Snyk had already done some work on this, but some of the mitigations their researcher worked with maintainers to craft were found to not have been 100% correct.

****Dark Reading:** Do you have a good example of your techniques in action?  
****Leitschuh:** As I became aware of more existing research, I knew there were more cases of security vulnerabilities waiting to be found.

From a CodeQL query, the GitHub Security Lab team provided me with a list of 900 repositories potentially vulnerable to Zip Slip. Of the 900, we have made 86 Zip Slip fix pull requests to date, which means 86 critical security vulnerabilities that now have possible fixes.

****Dark Reading:** Are there any loose ends that you hope the community can chip in and work on?  
****Leitschuh:** There is still a significant gap where we need the community’s help, especially surrounding the gap between the 900 repositories and 86 fixes.

The list of projects included archived and other unmaintained projects, which means the vulnerabilities may not be fixed any time soon, but at least they are now visible, along with potential fixes.

There’s a wealth of open source vulnerabilities that are just waiting to be fixed with more advanced techniques.

****Dark Reading:** In all practicality, what do you think it will take for practitioners to put your learnings into action?  
****Leitschuh:** Ideally the first step would be to learn CodeQL so that they can express searches for vulnerabilities. Then learning to use something like OpenRewrite in order to generate fixes. Then the best practices around bulk PR submission.

It would also be beneficial for practitioners to have at least a basic understanding of the language in use in a particular project, as this allows them to better understand the vulnerabilities and risks involved.

Curiosity is also an essential component so they can explore and dig into the vulnerability. For example, a practitioner could run a cursory search with GitHub Code Search, compile examples, and then write several unit tests to assess how you can address the vulnerability head on.

****Dark Reading:** How have your views changed over the course of the year on how you think we should work toward solving the biggest problems of software supply chain security today?**  
**Leitschuh:** The software security supply chain is a little different as my work is about the actual vulnerabilities in the project. However, there’s a lot of value in deep dives for security vulnerabilities, but it’s become very clear to me that there’s a lot of security vulnerabilities on the surface.

We know these vulnerabilities are out there. You put the scanners in the hands of a maintainer, they see a lot of noise. They have to filter out what’s good and what’s bad. With a pull request, even if you don’t fix it, it still, hopefully, hardens your software.

I knew this before I came in, but it became very clear to me how picky maintainers can be. There’s reaffirmation that you have to get the code and formatting right; you can’t skimp on messaging and overall reacting accordingly when you’re seeing reactions from maintainers.

People get their ego wrapped up in their software, which I admittedly can be guilty of. You’re challenging them in a certain way – even acting as a threat. As an example, you didn’t just write this wrong, you’ve written it in a way that is a true security vulnerability. It’s bigger than a bug. It’s important to have a healthy respect for the human aspect of open source software.

****Dark Reading:** Why do you think it is important for security practitioners and researchers to bring more respect to the table for maintainers of OSS projects? How can cybersecurity improve as a result?  
****Leitschuh:** I certainly understand the plight of an open source maintainer. It’s tough and demanding, and most are volunteering their time. They are an important line of defense against malicious actors and have to handle broad swathes of open source projects.

You need to be cognizant that the maintainers and owners of the projects are doing this in their spare time, so it is important to actively collaborate with them, as opposed to expecting them to always accept your suggested changes from the start.

We do our best work in cybersecurity when we work collaboratively. Maintainers are part of the process and should be identified and respected as such.

****Dark Reading:** What's next for you and your research as you come out of the fellowship?  
****Leitschuh:** I’m not entirely sure yet. I’d love to see this research taken to the next level. There are certain vulnerabilities like SQL injection that can be deterministically discovered with data flow and taint tracking (because CodeQL already does it).

The complicated bit is turning a detection into a fix. Software developers write code in a lot of different ways, trying to write fixes for all the different ways developers can write code is a difficult task.  

_Leitschuh is co-presenting with Patrick Way of Moderne (one of the open source maintainers for OpenRewrite) and Shyam Mehta, a software engineer studying at the University of Pennsylvania. Way taught Leitschuh "OpenRewrite from the ground up," and Mehta "has been instrumental over the course of the fellowship," Leitschuh says.  
_

_"Whenever I need to solve a problem and can move a little slower, or I need to think something through more as I’m building it, I pair-program with \[Mehta\], where he’s writing the code and I’m providing instructions. He has also helped by conducting a control flow analysis, created the UI for two large Control Flow example graphics used in the talk, and with debugging," Leitschuh says._

We Have the Tech to Scale Up Open Source Vulnerability Fixes — Now It's Time to Leverage It

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

Recently, I found inspiration in a set of adjustable dumbbells. I purchased these dumbbells in an effort to get into better shape. When they arrived, I found the four weight-adjusting mechanisms to be very intuitive and easy to use. I was soon on my way to a bit of strength training.

There was only one complication. A few days into using the dumbbells, I found that one of the four mechanisms wasn't quite working properly. In an effort to troubleshoot the issue, I tried a few different things — a trial and error of sorts. It took a few iterations — trying different combinations of placing the adjustable dumbbells in their holders in different orientations, along with swapping the dumbbells.

At last, having visibility into both the dumbbells and their holders, I isolated the issue. A small metal tab on the holder that presses on a piece on the dumbbell that releases the lock was slightly bent. Thus, it was not releasing the lock properly, which prevented me from adjusting the weight on the dumbbell. Once isolated, it was a quick and easy fix — I bent the small tab ever so slightly so that it released the lock properly.

You might be asking yourself what this story has to do with security and fraud. Allow me to share with you the lesson I learned from this: the importance of the convergence of security and fraud.

Just as I could not have troubleshot the dumbbell issue without having visibility into both the dumbbells and their holders, enterprises cannot properly manage risk without having a converged view into both security and fraud. In other words, enterprises must have a unified view of risk, across security and fraud.

**5 Ways Combining Security and Fraud Reduces Risk**

To help illustrate the importance of a converged risk program, let's take a look at five ways in which security and fraud work together to reduce risk across the enterprise:

**1\. Shattering silos:** Effectively managing risk across an enterprise requires teamwork across a variety of groups and functions. Combining security and fraud under a converged risk umbrella sends a signal that everyone is on the same team and working toward the same goals. It also sends the message that silos and the turf wars, politics, and inefficiencies they bring have no place in the enterprise.

**2\. Less biased risk metrics:** Most enterprises maintain a risk register and regularly review, evaluate, and audit both inherent and residual risk. Risks are assigned to different groups within the enterprise, and the management, monitoring, and mitigation of those risks is delegated to those groups. Sounds logical, right? The problem is that there isn't a perfect 1:1 mapping here. As a result, there is overlap — some risks wind up assigned and delegated to multiple groups. Thus begins the double (or multiple) counting of exposure, which translates to inaccurate and biased risk metrics. While combining risk and fraud will not eliminate this problem entirely, it will help reduce the bias of risk metrics.

**3\. Better monitoring:** As you can imagine, visibility into what is happening across the enterprise on the network, within applications, and in cloud environments is critical to proper security and fraud monitoring. There are many other important factors, of course, though visibility is one of several very important ones. When kept separate, security and fraud will naturally develop their own technology stacks. They will have different visibility across the enterprise, different risks they are concerned about, different skill sets developing alerting and eventing content, and different processes and procedures. But what happens when a threat actor jumps from one monitoring silo to another? Chances are that neither group will be able to piece together the bigger picture, and that introduces risk. Combining security and fraud reduces the risk of this happening and facilitates improved monitoring across the enterprise.

**4\. More complete investigation:** When security and fraud are converged, not only is monitoring improved, but so is investigation. In the event that there is a security or fraud incident, analysts (whether their expertise is security, fraud, or both) will need to query and analyze data from a wide variety of sources. When security and fraud are siloed, this is more complex than it needs to be. A converged risk function, on the other hand, should ideally have access to all of the requisite visibility in order to properly and fully investigate the incident.

**5\. More efficient response:** Given that a large amount of fraud happens in digital channels, the line between areas of responsibility for security and fraud is blurred to begin with. And that's all the more so when it comes time to respond to a potential incident. Coordination and collaboration is required across security, fraud, IT, and other areas of the business. Having security and fraud converged at the outset makes the response more efficient and smooth. If multiple responses are going on at the same time, those efficiency gains can really begin to add up.

Strategic thinking, determination, and resources are required to converge security and fraud. It is a worthwhile investment, however, that pays immediate dividends. Converging security and fraud into a unified risk function enables and empowers enterprises to more efficiently and effectively mitigate risk.

What Adjustable Dumbbells Can Teach Us About Risk Management

A worsening threat landscape, increased digitization, and the long-term positive effects of modern security strategies are pushing critical infrastructure operators to do better.

Following the Colonial Pipeline hack — one of the highest-profile attacks against US critical infrastructure to date — in 2021, the Department of Homeland Security's Transportation Security Administration (TSA) released two unprecedented Security Directives, requiring owners and operators of gas and liquid pipelines to implement strict new protections against cyberattacks.

On July 21, the TSA released an update to these directives, doubling down on its efforts to ensure better protection for energy infrastructure nationwide. In particular, it has emphasized the need for access control, credential management, and the use of "compensating controls" to allow pipeline operators to embrace the latest innovations in how they protect critical systems.

While the update represents another step toward better protection for the oil and gas industry, it's important to understand that the guidelines alone aren't the only factors influencing the security postures of critical infrastructure. Pipeline operators have already been acting; in our work with some of the largest TSA-regulated energy companies in North America, we've witnessed a fundamental, positive shift in their approaches to cybersecurity, especially over the past year.

**Three Cybersecurity Motivators**

Three major factors beyond government pressure stand out as being key motivations behind the acceleration of operators' adoption plans.

**1\. Today's threat landscape is progressively worsening.** Regulations don't happen in a vacuum. Today, our threat landscape has grown more dangerous than ever. In the past two years, we've seen countless cyberattacks on critical infrastructure, including hacks on meat processor JBS and the water treatment facility in Oldsmar, Fla. Furthermore, attackers are increasingly targeting the companies that make up the backbone of the United States' supply chain and society at large: oil and gas pipelines, manufacturing plants, food processors, water suppliers, and more.

These threats are only going to grow in severity. This is due in large part to the growth of ransomware-as-a-service (RaaS), heightened collaboration between RaaS and other cybercriminal groups such as access brokers, and a troubling uptick in Russian and other state-sponsored cyber threats targeting US critical infrastructure. Government regulations aside, no operator that we've come across has been able to ignore these growing risks — or wants to try their luck against these hackers without adequate protective measures.

**2\. Digitization is exposing new and dangerous vulnerabilities.** While attacks increase, the digitization of operations is bringing new vulnerabilities to light. On-site equipment such as programmable logic controllers (PLCs), SCADA systems, distributed control systems, and Internet of Things (IoT) devices are increasingly being accessed remotely, creating a porous perimeter that hackers can easily penetrate. This trend was only exacerbated as businesses pivoted to remote work during the pandemic. Now, operators are dealing with a significantly expanded attack surface.

Several components of the TSA's new guidelines reinforce what we already knew to be true: specifically, the importance of recognizing and mitigating these digitization-driven vulnerabilities. The requirements reaffirm the need to control the interconnection of operational technology (OT), IT, and even cloud by securing the digital conduits that connect the different zones and applications. The new TSA guidelines also deepen the requirements for "compensating measures" to protect access to critical systems, many of which have limited built-in security. These protections are so important to prevent an attacker being able to progress from zone to zone, or system to system, in the event of an initial network breach.

**3\. Better security is no longer just defensive; it's also the catalyst for greater digital transformation.** Beyond the necessity of protecting against attacks, operators have begun to realize that an advanced security strategy is capable of catalyzing an accelerated digital transformation — and this has catapulted them into implementing better protective measures.

It's widely understood that a zero-trust security architecture, as defined by the National Institute of Standards in Technology (NIST), is the best approach for protecting operations from threats. The heart of this strategy requires every asset, machine, or data source to have its own identity, with interactions between them being controlled by policy authorizations. Once such a model is achieved, benefits beyond airtight security immediately become clear.

For instance, critical infrastructure cybersecurity leaders reportedly cite, in a study commissioned by Xage (registration required), improved user experience, more efficient operations, and the ability to save time or money as top benefits to adopting zero trust. What's more, with every element of the operation digitized and secured, teams can share sensitive data with one another quickly and easily, and partners can tap into appropriate data sources to better collaborate and drive new types of value across the supply chain. The result is not only defense, but also greater efficiency, collaboration, and business innovation.

**Regulations Are Important, but They're Not a Silver Bullet**

The TSA's original Security Directives, coupled with the recent updates, represent a crucial catalyst in helping operators implement better protective measures; still, they're not the only factors driving progress. A worsening threat landscape, increased digitization, and the long-term positive effects of modern security strategies are all pushing critical infrastructure operators to do better. We're pleased to see the new requirements reaffirm what we know to be best practices for security, and we're confident that critical infrastructure protection will continue moving in the right direction.

Pipeline Operators Are Headed in the Right Direction, With or Without TSA's Updated Security Directives

What issues are cybersecurity professionals concerned about in 2022? You tell us!

As many enterprises shift their operations to cloud, security teams are grappling with multiple security concerns such as visibility, data security, compliance, and data breaches.

Data from Dark Reading's 2021 Strategic Security Survey suggests that security teams are less concerned about deploying security policies, visibility of data stored in the cloud, and the number of exploits targeting cloud service providers than they were in 2020. In contrast, the security professionals in the survey were more concerned in 2021 that cloud service providers would not be able to detect a breach and the fact that there are more cloud breaches being reported than they were in 2020.

What issues are cybersecurity professionals more concerned about in 2022? That's what Dark Reading would like to find out in this year's Strategic Security Survey (click to get to the survey).

Last year's report showed that enterprises are no longer as worried that cloud service providers won't be able to provide service-level guarantees of security. That's a good thing. Fewer people are still thinking that the cloud isn't safe. But the growing number of cloud breaches do have these enterprises concerned about how the service provider will work with them if there is an incident.

Dark Reading's 2022 Strategic Security Survey is still open — we welcome your insights.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

What Worries Security Teams About the Cloud?

As the market for initial access brokers matures, services like Genesis — which offers elite access to compromised systems and slick, professional services — are raising the bar in the underground economy.

The growing role of so-called initial access brokers (IABs) in the underground cybercrime economy is reflected in evolution of Genesis Marketplace, one of the earliest full-fledged markets for IABs, which has grown more sophisticated and polished over time.  

A report this week from Sophos takes a comprehensive look at Genesis, which started in 2017 and offers malicious actors access to other people’s data, from credentials and cookies to digital fingerprints, through its invitation-only marketplace.

Genesis currently lists more than 400,000 bots (compromised systems) in more than 200 nations, with Italy, France, and Spain topping the list of affected countries.

The market provides not just the data itself but well-maintained tools to facilitate that data's (mis)use. Those tools extend to bespoke anti-detection offerings that help its clients stay under the radar when deploying stolen credentials to access targeted bots — including a Google Chrome extension and even a "continually maintained and upgraded" Genesium browser on offer.

"Most attackers, especially less-experienced ones, do not want to waste time or effort on the reconnaissance and infiltration phases of an attack," explains Sophos threat researcher Angela Gunn. "The maturity of Genesis, both the ease of use and the serious-inquiries-only vibe that come with restricted access, speaks to not wasting time or effort."

The service is defined by the high quality level of data on offer, as well as the site's commitment to keeping stolen info up to date.

This means hackers who pay for stolen information are kept abreast by Genesis of when that information changes or gets updated. Users are charged an according rate based on the volume of information it has on the targeted bot.

"For instance, the single set of credentials that led to the June 2021 EA data breach, which famously allowed the attackers into EA’s system through the gaming giant’s Slack, were purchased on Genesis for $10," according to the report.

Genesis also offers its clientele a level of customer service and user interface (UI) polish that Sophos describes as "far from the old days of 133tsp34k and Matrix-wannabe interfaces." This includes a slick, contemporary interface, a page of frequently asked questions (FAQs), and multilingual tech support.

Returning users also have access to a dashboard with updated information about the compromised systems they've tapped into.

"The fact that Genesis actually has a customer-service function is a statement that bolsters the operation’s seriousness," Gunn points out.

**IABs Get More Professional as Demand Rises**

The evolution of Genesis points to the "growing professionalization and specialization" of the cybercrime economy, the report notes.

Ransomware groups and affiliates are assumed to be the service's most frequent customers, particularly criminals who are looking for an IAB site that gives them expedited access and faster lateral movement to their targets.

Gunn explains that the "Dark Web" — which of course is not just one thing — has been professionalizing for a while now.

"Applicant vetting, robust search, tech support, developers, and designers — that work doesn’t happen for free," she adds. "Paying for that work evidences just how high the profits are in this realm."

A high level of organization also distinguishes the Genesis market, giving malicious actors more contextual information surrounding stolen data, and allowing them greater insights into the compromised systems. This could in fact spur even more inventive attack vectors.

"For instance, a darknet manual that we found during a recent investigation suggests to other criminals that they use complementary data from Genesis for kicking victims out of their accounts if stolen credentials are no longer valid," according to the report.

This means that even if victims attempt to neutralize the threat of stolen credentials, attackers can use the complementary data to actively extort affected users.

**The Velvet Rope Treatment**

Adding to the air of exclusivity and sophistication is the service's invite-only accessibility, which has resulted in a smaller cybercrime ecosystem of fake sites promising access to Genesis and requiring gullible criminals to make a "deposit" with a credit card to access it.

In November 2021, Digital Shadows, which has been tracking IABs since 2016, reported an increase in the use of IABs among cybercriminals.

Gunn says if organizations want to avoid landing on the IAB auction block, they first must patch all vulnerabilities, keep their systems in order, and stay vigilant.

"Even if IABs are a newer development in the threat landscape, the processes of recon and infiltration are nothing new," she adds. "Organizations should have a detection strategy in place to recognize those unusual activities, but also you need to understand your network, what’s on it, what the potential attack surfaces are, and where to prioritize patching accordingly."

Genesis IAB Market Brings Polish to the Dark Web

For the right price, threat actors can get just about anything they want to launch a ransomware attack — even without technical skills or any previous experience.

The underground economy is booming — fomented by a surging and evolving ransomware sector. The Dark Web now has hundreds of thriving marketplaces where a wide variety of professional ransomware products and services can be had at a variety of price points.

Researchers from Venafi and Forensic Pathways analyzed some 35 million Dark Web URLs — including forums and marketplaces — between November 2021 and March 2022 and uncovered 475 webpages filled with listings for ransomware strains, ransomware source code, build and custom-development services, and full-fledged ransomware-as-a-service (RaaS) offerings.

**A Plethora of Ransomware Tools**

The researchers identified 30 different ransomware families listed for sale on the pages, and found ads for well-known variants such as DarkSide/BlackCat, Babuk, Egregor, and GoldenEye that previously have been associated with attacks on high-profile targets. The prices for these proven attack tools tended to be significantly higher than lesser-known variants. 

For instance, a customized version of DarkSide — the ransomware used in the Colonial Pipeline attack — was priced at $1,262, compared with some variants that were available for as low $0.99. The source code for Babuk ransomware, meanwhile, was listed at $950, while that for the Paradise variant sold for $593.

"It's likely that other hackers will be buying ransomware source code to modify it and create their own variations, in a similar way to a developer using an open source solution and modifying it to suit their company's needs," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. 

The success that threat actors have had with variants such as Babuk, which was used in an attack on the Washington, DC, police department last year, make the source code more appealing, Bocek says. "So you can see why a threat actor would want to use the strain as the foundation for developing their own ransomware variant.”

**No Experience Necessary**

Venafi researchers found that in many instances, the tools and services available through these marketplaces — including step-by-step tutorials — are designed to allow attackers with minimal technical skills and experience to launch ransomware attacks against victims of their choice. 

"The research found that ransomware strains can be purchased outright on the Dark Web, but also that some 'vendors' offer additional services like tech support and paid add-ons such as unkillable processes for ransomware attacks, as well as tutorials," Bocek says.  

Other vendors have reported on the growing use among ransomware actors of initial access services, for gaining a foothold on a target network. Initial access brokers (IABs) are threat actors that sell access to a previously compromised network to other threat actors.

**Initial Access Brokers Thrive in the Underground Economy**

A study by Intel471 earlier this year found a growing nexus between ransomware actors and IABs. Among the most active players in this space are Jupiter, a threat actor that was seen offering access to as many as 1,195 compromised networks in the first quarter of the year; and Neptune, which listed more than 1,300 access credentials for sale in the same time frame.   

Ransomware operators that Intel471 spotted using these services included Avaddon, Pysa/Mespinoza, and BlackCat.

Often the access is provided via compromised Citrix, Microsoft Remote Desktop, and Pulse Secure VPN credentials. Trustwave's SpiderLabs, which keeps tabs on prices for various products and services on the Dark Web, describes VPN credentials as the most expensive records in underground forums. According to the vendor, prices for VPN access can go as high as $5,000 — and even higher — depending on the kind of organization and access it provides.

“I expect to see a ransomware rampage carry on as it has done for the last few years," Bocek says. "The abuse of machine identities will also see ransomware move from infecting individual systems, to taking over entire services, such as a cloud service or a network of IoT devices." 

**A Fragmented Landscape **

Meanwhile, another study released this week — a midyear threat report by Check Point — shows the ransomware landscape is littered with considerably more players than generally perceived. Check Point researchers analyzed data from the company's incident response engagements and found that while some ransomware variants — such as Conti, Hive, and Phobos — were more common than other variants, they did not account for a majority of attacks. In fact, 72% of the ransomware incidents that Check Point engineers responded to involved a variant they had encountered only once previously.

"This suggests that contrary to some assumptions, the ransomware landscape is not dominated by only a few large groups, but is actually a fragmented ecosystem with multiple smaller players that are not as well-publicized as the larger groups," according to the report.

Check Point — like Venafi — characterized ransomware as continuing to present the biggest risk to enterprise data security, as it has for the past several years. The security vendor's report highlighted campaigns like Conti group's ransomware attacks on Costa Rica (and subsequently on Peru) earlier this year as examples of how significantly threat actors have broadened their targeting, in pursuit of financial gain. 

**Big Ransomware Fish May Go Belly Up**

Several of the larger ransomware groups have grown to a point where they employ hundreds of hackers, have revenues in the hundreds of millions of dollars, and are able to invest in things like R&D teams, quality assurance programs, and specialist negotiators. Increasingly, larger ransomware groups have begun to acquire nation-state actor capabilities, Check Point warns.

At the same time, the widespread attention that such groups have begun to garner from governments and law enforcement will likely encourage them to maintain a law profile, Check Point says. The US government, for example, has offered a $10 million reward for information leading to Conti members being identified and/or apprehended, and $5 million for groups caught using Conti. The heat is thought to have contributed to a Conti group decision earlier this year to cease operations.

"There will be a lesson learned from the Conti ransomware group," Check Point says in its report. "Its size and power garnered too much attention and became its downfall. Going forward, we believe there will be many small-medium groups instead of a few large ones, so that they can go under the radar more easily."

Source

DARKReading