The energy sector remains susceptible to both espionage between nation-states and cybercrime, and recent developments keep pointing toward more attacks.

The connected world brings people together, but connectivity also brings risk. Cybercriminals can use the same tools that bring us together to spread chaos. Every organization is concerned about cybersecurity.

During the last several years, the energy industry has been subject to high-profile attacks, including an extremely disruptive ransomware strike on Colonial Pipeline that affected fuel supplies in the US for days. While this and other high-profile attacks were the work of cybercriminals looking for a huge payday, the energy sector remains susceptible to both espionage between nation-states and cybercrime. Recent developments keep pointing toward more attacks.

The cybersecurity community needs to take global, unified action to create new rules governing and protecting the energy industry worldwide. Failure to do so will only encourage more attacks on critical, lifesaving services and hamper economic growth around the world.

**The Future Is Uncertain, but It Is Electric**

Everything from our finances to heating and communications relies on electricity. Even cybersecurity relies on electricity. I believe that when we have access to reliable energy and electricity we can create a more just, unified world.

For example, German and French leaders met in Switzerland in the aftermath of World War II to discuss creating a cross-border electrical grid between the former enemies. The wounds of war were still fresh, yet a group of determined engineers hammered out a deal that would strengthen both countries' economic recovery through resilient electrical infrastructure.

Nearly 75 years later, the need to guarantee the steady flow of electricity continues to unify people, countries, and organizations in an increasingly unstable world.

**Risks Increase as Grid Grows More Decentralized**

The necessary decentralizing of energy production infrastructures dramatically increases attack surfaces in the electrical grid, creating cybersecurity gaps and vulnerabilities. Digitization of the energy infrastructure will deliver huge value in enabling a clean energy future but poses additional cybersecurity challenges if these technologies are operated in a traditional way. For instance, these developments have created decentralized energy products like solar panels on private homes and digitized assets that were previously analog, such as substations. Meanwhile, automated systems buy and sell power and communication networks span entire transmission and distribution lines. That's millions of miles of connectivity we didn't have before.

Unfortunately, utilities and energy companies are still approaching this 21st century problem with 20th century solutions built for static, centralized, monolithic grid architecture. Today's grids are dynamic, flexible, and decentralized — requiring connectivity with numerous equipment manufacturers and preventing operators from simply digitally and physically walling off the grid. Utilities need to stop breaches from occurring, of course, but traditional perimeter defense needs to be supplemented by an approach that continuously monitors assets and network communications to identify abnormal or potentially malicious behavior. On their side, manufacturers need to deliver additional cybersecurity capabilities and also ensure interoperability for cybersecurity operations.

It's critical that we create a global consensus on supporting and protecting the electricity grid as it grows in complexity and importance. Here are three ways the world can come together to better protect electricity infrastructure.

**An Agreement to Share**

The first step would be to share information across utilities, energy companies, equipment manufacturers, and government agencies. Similar to the International Atomic Energy Agency (IAEA), a global organization should be set up to encourage transparency throughout the industry and share data and information about potential attacks, vulnerabilities, and remediation techniques.

Data connectivity between grids would be crucial, giving regulators and cybersecurity professionals access to real-time critical intelligence that could potentially prevent an attack in advance. We could set up a "black box" exchange, similar to data recording devices on commercial airlines to prevent similar attacks from occurring again. The technology already exists to enable this transparency through remote monitoring and asset management solutions that automate grid connectivity. The key would be trust. Fortunately, we have two great examples of information sharing in the nuclear energy and airline industry.

**Consensus on Cybersecurity Rules and Regulations**

Today we have a highly decentralized regulation environment with different rules around the world. For example, sign-in credential standards vary among Asia, Europe, and the US – requiring manufacturers to develop slightly different product models for each region. Standardizing regulations would streamline compliance for utilities and equipment manufacturers, strengthening asset protection while freeing up money that could then be invested in more robust cybersecurity capabilities.

**A Legal Framework for Protection**

One day, I hope we'll amend the Geneva Conventions to protect the world's energy infrastructure from cyberattacks and, in turn, protect countless lives. However, given today's political environment, such an agreement is unlikely. Instead, we'll need to look to self-governance within the industry. Utilities, equipment manufacturers, and other stakeholders will need to come together to form a strong alliance that has the power to create and enforce global cybersecurity standards. We have the technology and the will to embed cybersecurity directly into grid infrastructure, making security implicit as grids continue to grow and decentralize. The power to enact positive change is in our court.

Can We Make a Global Agreement to Halt Attacks on Our Energy Infrastructure?

The stakes are high when protecting CNI from destructive malware and other threats.

Organizations in every industry now face sophisticated, and often novel, cyber threats. But for organizations operating critical national infrastructure (CNI), the scale and multiplicity of these threats can be overwhelming. These organizations are under immense pressure to avoid downtime, maintain safety standards, and comply with government legislation, while protecting themselves from a high frequency of incisive cyberattacks.

Here's a breakdown of some of the main cybersecurity challenges facing CNI and how organizations can tackle them.

**1\. Attack Tools for Hire**

CNI organizations make particularly favorable targets for ransomware gangs, as the high cost of downtime means they are often more likely to pay a ransom in the hope of quickly restarting their systems. These organizations face the same financial pressures as other industries, but the potential social, political, and safety implications of downtime make them especially vulnerable.

When DarkSide targeted Colonial Pipeline with ransomware last year, the group received the ransom it had demanded just hours after the attack detonated. Even so, it took six days for Colonial to restore the pipeline's operations using DarkSide's IT tool, causing significant oil shortages across the East Coast of the US.

It's not just organized ransomware gangs targeting these organizations, but also individual threat actors using for-hire ransomware-as-a-service (RaaS) tools. The increasing availability of these tools means we are seeing more small-fry attackers taking on big-game targets in the hope of large payouts.

Tools reliant on threat intelligence will struggle to keep up with this dispersed threat landscape. To fight it, organizations will need to employ security approaches that account for novel threats to both their IT and OT systems.

**2\. Ransomware Groups With Nation-State Backing**

Though ransomware affects organizations in all industries, CNI organizations face the added threat of nation-state-backed groups, which cause disruption to aid government or military action and may not be looking for ransom payments at all.

Because of their government backing, these groups have the funding to quickly develop novel tools and are incredibly difficult to combat with legislation or arrests. If an attack of this nature had struck Colonial Pipeline, the time it took to bring systems back online — and the socioeconomic disruption — could have been considerably worse.

At the Royal United Services Institute, Darktrace CEO Poppy Gustafsson addressed Russia's use of cyber warfare in its invasion of Ukraine.

"The attack on the Viasat satellite that disabled Ukrainian military communications one hour before the invasion was a key component of the beginning of this war," she said. "We have seen UK, US, and EU officials jointly attribute this attack to Russia, an immensely political act. That is unprecedented."

**3\. Destructive Malware**

With cyberattacks becoming an increasingly common fixture in military arsenals, CNI organizations are recognizing the need to bolster their defenses against tenacious and well-funded attackers who are employing novel malware strains. Increasingly, that includes destructive malware.

This year the Russian invasion of Ukraine brought another CNI threat into the headlines. HermeticWiper is a disk wiper that struck several Ukrainian organizations a day prior to the invasion, fragmenting and then overwriting files on disk in an attempt to cause disruption. This is a form of destructive malware: malware that does not hold systems for ransom but is simply designed to damage them, wiping data and breaking processes. The average estimated cost of one of these incidents to a large, multinational company is $239 million.

The nature of destructive malware makes it primarily a political or military tool, and in the wake of the invasion of Ukraine, the Five Eyes intelligence alliance issued a warning regarding the heightened risk of cyberattacks. The stakes of such an attack make it paramount that organizations are prepared for novel threats, rather than relying on rules-based security systems.

**4\. Government Compliance Requirements**

The social implications of CNI shutdowns mean that these organizations receive far greater attention from governments. In recent years, legislation has often followed high-profile attacks, leaving organizations limited time to update their procedures and remain compliant. A recent of case this in the US was the Cyber Incident Reporting for Critical Infrastructure Act. The act, signed earlier this year, requires critical infrastructure operators to report cyber incidents to CISA within 72 hours, meaning reports must be hastily drawn together during the immediate aftermath of an attack.

Having advanced threat investigation technology deployed across the digital environment can help CNI operators piece together cohesive threat narratives from disparate and sometimes subtle events, reducing the time to understanding massively for security teams. Beyond meeting government deadlines, this insight into how attacks emerge and move through the network massively increases an organization's ability to detect sophisticated threats and seek out potential vulnerabilities within their systems.

**5\. Converged Infrastructures That Need Protecting**

An earlier article covered the future of IT/OT convergence and how artificial intelligence (AI) can help organizations embrace it. In brief: Deploying technology that considers IT and OT as a single environment prevents gaps in security posture and aids the detection of wide-ranging attacks.

IT/OT convergence is one of the biggest points of anxiety for security professionals in CNI organizations. Technologies such as the Industrial Internet of Things (IIoT) devices and industrial control systems as-a-service (ICSaaS) make network segmentation increasingly ineffective.

When a phishing attack can lead to OT system shutdowns — and potentially put human lives in jeopardy — security approaches need to be able to stop threats with speed and precision. AI-driven tools can make convergence a strength, using data from one set of systems to inform detections within another.

Tackling 5 Challenges Facing Critical National Infrastructure Today

Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.

Microsoft's official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that's been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.

That's because some organizations are still using Internet Explorer (IE) despite Microsoft's long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organizations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn't dead just yet, nor are threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman's Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea's MBN pointed to several large organizations still running IE.

"Internet Explorer has been around for over 20 years and many companies have invested in using it for many things beyond just Web browsing," says Todd Schell, senior product manager at Ivanti. There are still enterprise applications tied closely to IE that often are running older, customized scripts on their website or have apps that may require older scripts. "For example, companies may have built extensive scripts that generate and then display reports in IE. They have not invested in updating them to use HTML 5 for Edge or other modern browsers."

Such organizations face the sort of security issues associated with every other software technology that is no longer supported. Running IE 11 as a standalone app past its end of support date means that previously unknown — or worse yet, known but unpatched — vulnerabilities can be exploited going forward, Schell says.

"This is true for any application or operating system but has historically been an even bigger issue for browsers, which have such widespread use," Schell says. It's hard to say how many organizations worldwide are presently stuck using a technology that is no longer supported because they did not migrate away sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE likely remains in widespread use, he notes.

Any organization that hasn't already should prioritize moving away from IE because of the security implications, says Claire Tills, senior research engineer at Tenable. "The end of support means that new vulnerabilities will not get security patches if they don't meet a certain criticality threshold and, even in those rare cases, those updates will only be available to customers who have paid for Extended Security Updates," she says.

**Bugs Still Abound**

Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app on Windows 10. But the fact that the MSHTML engine will exist as part of the Windows operating system through 2029 means organizations are at risk of vulnerabilities in the browser engine — even if they are no longer using IE.

According to Maddie Stone, security researcher at Google's Project Zero bug hunting team, IE has had a fair number of zero-day bugs over the past years, even as its use shrank. Last year, for example, the Project Zero team tracked four zero-days in IE — the most since 2016, when the same number of zero-days were discovered in the browser. Three of the four zero-day vulnerabilities last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via methods other than the Web, Stone says.

"It's not clear to me how Microsoft may or may not lock down access to MSHTML in the future," Stone says. "But if the access stays as it is now it means that attackers can exploit vulnerabilities in MSHTML through routes such as Office documents and other file types as we saw last year" with the three MSHTML zero-days, she says. The number of zero-day exploits detected in the wild targeting IE components has been pretty consistent from 2015 to 2021 and suggests that the browser remains a popular target for attackers, Stone says.

Tenable's Tills notes that one of the more widely exploited vulnerabilities in a Microsoft product in 2021 was in fact CVE-2021-40444, a remote code execution zero day in MSHTML. The vulnerability was exploited extensively in phishing attacks by everything from ransomware-as-a-service operators to advanced persistent threat groups.

"Given that Microsoft will continue to support MSHTML, organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt long term to reduce the risk of future vulnerabilities," Tills notes.

**The Usual Mitigations**

Microsoft was not available as of this post to comment on the issue of potential risk for organizations from attacks targeting MSHTML. But Ivanti's Schell says it is reasonable to assume that Microsoft has provided proper security and sandboxing around MSHTML when running in IE compatibility mode. He says Microsoft can monitor and provide any needed updates to MSHTML since it is a supported product and feature. The best mitigation, as always, is for organizations to keep their software, OS, and browser updated and ensure antiviral and malware detection mechanisms are up-to-date as well.

"MSHTML is now just one of many libraries that we have in Windows 11," says Johannes Ullrich, dean of research at the SANS Institute. "Of course, it is a complex one, and one that still has a significant but somewhat reduced attack surface," he notes. So, the best mitigation for organizations is to keep patching Windows when updates become available, he says.

"IE is still popular enough to be a worthwhile target" for attackers, Ullrich adds.

Even so, the continuing number of zero-days being discovered in IE doesn't necessarily mean that attackers have suddenly intensified their interest in attacking it. "It may just be that it was easier to find vulnerabilities using newer tools in the old IE codebase," Ullrich says.

Internet Explorer Now Retired but Still an Attacker Target

Update allows BlastShield users to link with hybrid cloud network providers like AWS, Google, and the most recent addition, Azure, in one secure environment.

**Palo Alto, Calif. – June 16, 2022 –** BlastWave, a zero-trust networking solution provider that reduces the cost and complexity of remote access VPN management, today announced enhancements to its zero-trust security software solution, BlastShield_™_. The enhancements include added security capability for the three main cloud service providers, identity manager unification, Azure gateway security integration and easy bulk onboarding. BlastWave sees these updates as increasingly important with the global workforce shift to remote cloud environments on multiple vendor platforms.

The recent update allows BlastShield users to link with hybrid cloud network providers like AWS, Google, and the most recent addition, Azure, in one secure environment without forcing a user to rely on the respective security measures of each provider. This means users can have workloads distributed across provider environments but only one user authentication system. The update continues BlastWave’s mission of convenient, cutting-edge cybersecurity, all while offering enhanced protection within identity management systems. Most importantly, users can take advantage of BlastShield’s heightened speed and functionality, two vital features in multi-functional, cloud environments.

This latest update also adds support for gateway security in Azure environments, expanding on BlastShield’s previous gateway security capabilities in GCP, AWS, ESXi and COTS hardware systems. This new gateway security integration increases functionality for Azure users, allowing them to rely on password-less authentication instead of dated VPN security measures within their cloud-based Azure environments.

BlastShield’s latest update streamlines bulk onboarding, a typically arduous process, leveraging customers’ SSO functionality. This update’s features rely on an industry-standard API, System for Cross-domain Identity Management (SCIM), designed to simplify the management of user identities in cloud-based services as well as applications. It enables the automatic exchange of user information between identity domains, eliminating the insecure provisioning of identity managers when onboarding large numbers of users in distributed cloud environments. Identity managers have conventionally suffered from potential exposure to credential theft, SIM jacking, and other threat vectors. BlastShield’s update addresses these vulnerabilities without hampering the convenience of identity managers.

“BlastShield’s latest update enhances our proven security mechanisms with single sign-on identity management tools and offers simplified bulk onboarding,” said Michael Bacon, BlastWave Solution Engineer. “Many competitors are focusing more on endpoint security in these hybrid cloud environments, but we’re offering a macro-level security approach that combines the convenience of identity management systems like Okta and One Identity with the proven agile security of BlastShield’s network-level ZTNA and microsegmentation.”

The recent software update and resulting functionality are automatic for new subscribers and can be implemented with the click of a button in the BlastShield interface for current professional and enterprise customers.

“In the past, cybersecurity may have elicited groans from providers, largely due to its perceived inconvenience. This update lends BlastWave’s proven security stack to the login convenience offered by established identity managers,” said Mel Knight, Brier and Thorn CISO. “Once again, whether through bulk onboarding via secure provisioning or enhanced Azure environment security, BlastWave continues to imbue existing technologies with their patented, proven ZTNA security solution. We are excited for our customers to experience this update’s improved, secure convenience, bulk onboarding, and multi-vendor cloud security.”

\# # #

**About BlastWave**

Founded by former executives and technologists from Apple and Cisco, BlastWave is taking a fundamentally different approach to security aimed at protecting privacy and connected devices from cyberattacks. BlastWave’s patented product, BlastShield™️, is an integrated, zero-trust stack that combines state-of-the-art passwordless multi-factor authentication with high-performance, resilient encrypted connectivity and built-in microsegmentation. BlastWave is backed by Rocket Strategies, Lucas Venture Group, and Millennium Investments. The company is headquartered in Palo Alto, California. To learn more, visit www.blastwave.io and follow us on LinkedIn and Twitter @blastwaveinc.

BlastWave Announces Enhancements to Its Zero-Trust Security Software Solution, BlastShield

SharePoint and OneDrive libraries can be encrypted in ransomware attack, researchers say.

Enterprise cloud services like Microsoft 365 leave enterprises open to ransomware threat actors who want to encrypt files saved in SharePoint Online and OneDrive libraries, researchers warn.   

The new target marks a potential pivot point for ransomware attackers running out of luck focusing on endpoints and network drives and might find less resistance attacking cloud infrastructure, new research from Proofpoint says. The team was able to document the attack chain from initial credential compromise to account takeover, discovery, exfiltration, and, ultimately, the ransom demand. 

"Until now, IT and security teams felt that cloud drives would be more resilient to ransomware attacks," the Proofpoint team wrote along with their findings. "After all, the now-familiar 'AutoSave' feature along with versioning and the good old recycle bin for files should have been sufficient as backups. However, that may not be the case for much longer."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft 365 Function Leaves SharePoint, OneDrive Files Open to Ransomware Attacks

Cyber insurance is more than a policy for paying off ransomware gangs. It's designed to be something you transfer risk to when security controls fail.

Digital risks are a pervasive aspect of operating in today's digital economy, threatening organizations large and small no matter how hardened their security defenses. Unfortunately, preventing cyber incidents is impossible; instead, solving cyber-risk is a combination of proactive measures and risk transference.  

As cyberattacks become more frequent and sophisticated, many organizations are adding cyber insurance to their security portfolios. But not everyone understands just what the "cyber" in "cyber insurance" entails.

Cyber insurance was created to protect organizations and individuals against digital risks like ransomware, malware, and phishing campaigns. Whereas traditional insurance policies often only accept the transference of known physical risks (such as damage to equipment, stock, or locations), cyber insurance enables businesses to transfer the costs associated with recovery from the tangible and intangible losses related to a cyber-related security breach or similar event.

Although still somewhat in its infancy, with less than 1% market penetration, cyber insurance is expected to grow into a $20 billion industry by 2025.

Anyone new to cyber insurance might mistake it for a policy that pays off attackers to retrieve or unlock data. But it's much more than that.

**What Is Cyber Insurance?**

Cyber insurance is something you transfer risk to when your online security controls fail. Cyber insurance can cover multiple liabilities, such as loss of funds and income, expenses related to business interruptions, payments to experts to recover data, and even compensation for bodily injuries, depending on the resulting damage and prescribed policy.

Cyber insurance rates and coverage will be based on the maturity and thoroughness of your cyber defenses, among other factors. Typically, a provider will assess your vulnerabilities as part of the quoting process. This exercise can include, for example, a complete security report of all external assets and detection of potential security issues.

The average cyber-insurance policy for a small to midsize enterprise in 2021 was $1,589 for $1 million in cyber liability coverage. Prices are also based on factors like coverage or limits to what the provider will pay, as well as retentions that are similar to the deductible you pay for your car and home insurance. Other factors are considered, like your industry and the results of security scans.

**What Is the Role of Cyber Insurance Providers?**

Providers can also offer additional scanning and monitoring features to apprise you of potential vulnerabilities. For example, they might include services like full attack surface discovery and monitoring for your organization and five vendors.

They can monitor the Dark Web for keywords to determine if your name is mentioned. They can provide domain monitoring to see if an attacker is preparing a social engineering attack and adding an SSL certificate or an MX entry to a domain like yours. Or they might offer torrent monitoring to see whether your assets are downloading torrents.

By bridging the gap between physical and digital risks, cyber insurance allows companies to get back online and resume normal business operations faster after an incident, minimizing the cost to their recovery.

**What Is a Cyber Claim?**

Unlike nontechnical events like fires and floods, a cyber-insurance claim might be determined by means of attack and your ability or effort to prevent it. Because cyber insurance is still somewhat new and undefined, events and damages that would initiate a claim can be vague and inconsistent. Depending on the situation, the provider may deny coverage.

The most common forms of claims are based on data privacy liability, cyber extortion, network business interruptions, and recovery and restoration of data assets. But the majority of claims are related to breaches.

**Does My Business Qualify for Cyber Insurance?**

Some businesses may not see themselves as a target to threat actors, but that doesn't mean they are not vulnerable to cyberattacks or are uninsurable. When working with a cyber-insurance provider, companies are subject to an underwriting process that considers various aspects of their businesses (including risk posture, industry, and financial indicators) to determine coverage eligibility. Organizations that piecemeal their defense technologies or maintain lax security habits could be considered a higher risk and be charged higher premiums with lesser levels of coverage, the same way people who live in houses on flood plains have higher premiums.

A good cyber-insurance provider can provide recommendations and services to help prevent cyberattacks or paying ransomware hackers for their data. For example, they might tell you to turn off the Remote Desktop Protocol (RDP), which we know is a primary vector for ransomware. They might also provide guidance around what technologies are known to come with increased digital risks and help organizations adopt security best practices, such as patch management and implementing strong password guidelines.

Ultimately, staying on top of your digital risk involves finding the right risk management partner to help guide you. Cyber-insurance providers provide that extra level of expertise and coverage to reduce risks and provide financial support when things go wrong. In today's age of ransomware, this protection is more imperative than ever.

What We Mean When We Talk About Cyber Insurance

The commercial-grade surveillance software initially was used by law enforcement authorities in Italy in 2019, according to a new report.

Researchers have discovered an enterprise-grade Android family of modular spyware dubbed Hermit conducting surveillance on citizens of Kazakhstan by their government.

Lookout Threat Lab researchers - who spotted the spyware - surmise that the secretive Italian spyware vendor RCS Lab developed it and say Hermit was previously deployed by Italian authorities in a 2019 anti-corruption operation in Italy. The spyware also was found in northeastern Syria, home to the country's Kurdish majority and a site of ongoing crises, including the Syrian civil war.

Android devices have been abused with spyware in the past; Sophos researchers uncovered new variants of Android spyware linked to a Middle Eastern APT group back in November 2021. More recent analysis from Google TAG indicates at least eight governments from across the globe are buying Android zero-day exploits for covert surveillance purposes.

Mike Parkin, senior technical engineer at Vulcan Cyber, says spyware is a tool used by many actors worldwide, including criminal organizations, state or state-sponsored threat actors, national security, and law-enforcement organizations following their own mandates.

"Regardless of who is using it or what agenda they are working toward, these commercial- grade spyware tools can seriously threaten people's personal privacy," he says.

The highest profile spyware case in recent memory was the discovery of Pegasus, a legal surveillance software developed by Israeli company NSO Group. The news caused an international furor after it was found covertly installed on iOS and Android mobile phones belonging to human rights activists, journalists, and high-ranking members of governments.

**How Hermit Works**

Hermit first gets installed on a targeted device as a framework with minimal surveillance capability. Then it can download modules from a command-and-control (C2) server as instructed and activate the spying functionality built into these modules.

This modular approach masks the malware from automated analysis of the app and makes manual malware analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or the capabilities of a target device. Hermit can also alter its behavior as needed to evade analysis tools and processes.

"The modular design might also be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items," explains Paul Shunk, security researcher at Lookout, which published a report on Hermit today.

Shunk says the overall design and code quality of the malware stands out compared with many other samples he has seen. 

"It was clear this was professionally developed by creators with an understanding of software engineering best practices," he says. "Beyond that, it is not very often we come across malware \[that\] assumes it will be able to successfully exploit a device and make use of elevated root permissions."

The discovery of Hermit adds another puzzle piece to the picture of the secretive market for "lawful intercept" surveillance tools, he says.

"As in the cases of NSO, Cytrox, and other vendors, discovery of their customers usually exposes their claim that their product is only used for legitimate purposes as at least partially untrue," Shunk says.

One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy.

And the main C2 server used by the app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan. 

"The combination of the targeting of Kazakh-speaking users and the location of the back-end C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan," Shunk says.

Lookout says an Apple iOS version of the spyware exists as well, but the research team was unable to obtain a sample to analyze.

**'MaliBot' Targets Online Banking**

Meanwhile, another Android-based malware family reared its head this week in the form of Malibot, which is targeting online banking customers in Spain and Italy with the capability to steal credentials and crypto wallets. The malware was discovered by F5 Labs while the security company was tracking the mobile banking Trojan FluBot.

The malware consists of two campaigns: Mining X, which presents a QR code that leads to the malware Android Package Kit, and TheCryptoApp, which attempts to dupe users into downloading a fake version of the popular cryptocurrency tracker app available on the Google Play Store. 

It's also able to steal or bypass multifactor authentication codes and trick victims into downloading the malware either via a direct SMS phishing message or via fake websites they're lured to.

"This is certainly one to pay attention to and F5 expects to see a broader range of targets as time goes on, especially given the versatility of the malware could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency," F5 warns in a blog post.

Android Spyware 'Hermit' Discovered in Targeted Attacks

Security pros can employ the technology to evaluate vulnerabilities and system capabilities, but they need to watch for the potential risks.

Digital twin technology allows for the creation of a virtual duplicate of a live production system, network environment, or cloud instance in real time — and it promises to be a rapidly growing market and boon to manufacturers and security pros alike, according to a new report from Capgemini. The benefits not only provide fallback during scheduled downtimes and improve performance through optimization, but they also aid organizations through the introduction of new business or operating models, the report, "Digital Twins: Adding Intelligence to the Real World," states.

The industry itself is still in its nascent stages, but investments are increasing. The market size for digital twins, which exceeded $5 billion in 2020, is expected to grow at more than a 35% compound annual growth rate between 2021 and 2027, Capgemini states.

Though cybersecurity is not a top driver of the technology at this time, 62% of respondents said cybersecurity and blockchain are of "importance."

Digital twins mirror a real-world system to let designers and engineers examine in realistic detail how different conditions will affect it, such as how a wind turbine might fare in a hurricane. Aside from the manufacturing and business opportunities, however, security pros can employ the technology to stress-test and otherwise evaluate the vulnerabilities and capabilities of security controls on computing environments. The ability to attack a live twin of a production environment — complete with ongoing updates reflected from the original system or environment — without putting data or productivity at risk potentially allows security teams to be as aggressive as they need to be without compromising operations. But whether data is placed at risk still seems to be a debated issue.

**Risking Data**

Capgemini cautions that security teams do not have carte blanche with digital twins. 

"An adversary affecting a digital twin or its physical counterpart can introduce divergence in the behaviors or states of the two entities," the report states. "Given the bi-directional link between the two, an attacker may negatively affect both through changes in either."  

"There are multiple areas where we have to be very careful about security with digital twins," cautions Brian Bronson, president of the Americas and APAC for Capgemini Engineering. "One of the main ones is the data capture. Because the digital twin has to do simulations with the 'in service' data, the process of capturing the data must be secure in order to protect it."

While the promise of digital twin technology for security is recognized, it might be too soon to fully implement it, says Ollie Whitehouse, global CTO at NCC Group, a research and consulting firm specializing in assessments, detection and response, compliance, and software resilience. 

"At the theoretical level, the assertion holds true," he says. "However, we are likely many decades off from digital twins being as tightly coupled as the paper implies. It's unclear as to their true value, i.e., what metricated improvement in cyber resilience an organization or product will yield if they employ digital twins."

Lisa O'Connor, cybersecurity research and development global lead at Accenture, concurs with the assertions in the Capgemini report. 

"First, all systems should be secure by design. This is no different whether we are building a production system or a digital twin of some aspect of that system," she says. 

If the digital twin is not secure by design, it could become a vector of attack.

"Changing the digital twin or the physical object's perceived behavior by intercepting and modifying the data is a known attack tactic in critical infrastructure and is common in any operational technology \[environment\]," she continues. "Such manipulations may affect the human operator or resulting analytics to make decisions on the wrong masked data. In the case where a digital twin is designed to provide direct feedback to or control of operational systems, it could directly affect those systems if not properly secured."

Nevertheless, digital twin technology has proponents who foresee its value as a cybersecurity tool. Dan Isaacs, CTO of the Digital Twin Consortium, says digital twin technology already offers security teams the ability to not only test larger environments, but also to become more granular to test more focused systems and infrastructure.

In fact, one can build a nested digital twin environment to uncover focused details related to risk, vulnerabilities, and training, as well as optimize operations. There are no silver bullets, but this is defense in-depth, Isaacs says.

**An Emerging Technology**

While Capgemini and the Digital Twin Consortium both promote the applications digital twin technology offer for very large environments, such as protecting power grids, network protection, and manufacturing, NCC's Whitehouse is still skeptical, underscoring the challenges the technology still must overcome.

"There has been some evidence that digital twins are possible in small-scale systems, but they have not been shown to scale to our knowledge," Whitehouse says. "There are numerous variables affecting how one can fully implement cyber-physical, complex business processes, and supply chains in a digital-twinned environment. Digital twins are an emerging concept going through rapid evolution."  

But, he cautions, "they are not prime for mass adoption today outside of the very specialized, and especially when looking at cyber resilience challenges. Often-imperfect data and insight into the physical system today coupled with cost constraints means watered-down realities exist. Digital twins are a vision of what might be — but the reality today is often very different when we look at implementation."

Capgemini's Bronson agrees that digital twin technology is at "the beginning of the journey."

"One of the main attention points is to understand that a digital twin is not a 'photo' at one point in time," he says. "We have to think of the full life cycle of the real object that we want to replicate — from the design to the end of life to recycling."

A digital twin is a database that contains sensitive information, warns Accenture's O'Connor. "Protecting the digital twin itself is as important as protecting the system it analyzes," she says.

Unlocking the Cybersecurity Benefits of Digital Twins

A working group of European and US officials meet at The Hague to collaborate on ransomware operations and strategies.

The US Department of Justice, along with the European Union criminal justice organization Eurojust, brought together law enforcement and legal experts recently at The Hague in workshops to enhance international cooperation to stop ransomware attacks.

The group represented 27 countries and included representatives from the Federal Bureau of Investigation (FBI), Secret Service, Homeland Security Investigations, the European Judicial Cybercrime Network, Eurojust's Cybercrime Team, and Europol's European Cybercrime Centre.

"Only by working together with key law enforcement and prosecutorial partners in the EU can we effectively combat the threat that ransomware poses to our society," US Assistant Attorney General Kenneth A. Polite Jr. said in a statement about the event. "I am confident that the U.S.-EU ransomware workshop will spur greater coordination and collaboration to address the ransomware threat."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

EU & US Unite to Fight Ransomware

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

**RSA CONFERENCE 2022 –** RSAC's Innovation Sandbox is a _Shark Tank_\-like competition, bringing 10 startup finalists to present onstage before judges.

Talon Security seized the first-place prize with a bold vision for the corporate Web browser of the future. For those thinking the browser is too competitive a market to take on, Talon's pitch makes intriguing arguments.

Deploying any kind of traditional security controls or software across operating systems, and into third-party contractors or personal devices, is logistically difficult or impossible. Yet Web browsers can be deployed by any user without admin privileges. In 2019, Microsoft consolidated under Google's open source Chromium code base, so Talon's Chromium browser should enjoy broad device and Web compatibility.

After requiring users to have Talon's browser to access their clouds, corporations then gain centralized management to control access levels. Talon ensures privileged data stays contained within the browser, as it can block saving, screen capture, or cut and paste.

Talon is not the only startup stretching our understanding of security's future. With these nine other innovative finalists, three trends have emerged.

**Core Security Still Being Reimagined**

Many of these entrepreneurs proposed bold visions for reimagining cloud security. Zero trust has been a popular approach, centralizing continuous authorization, device attestation, and taking the least-privilege approach in the cloud. Sharon Goldberg, CEO of the second-place finisher, BastionZero, takes issue with even calling today's solutions zero trust, "when really they create a single point of compromise."

BastionZero's founders came out of the cryptography world, where decentralized encryption, such as that in Bitcoin, and Transport Layer Security (TLS) are common. BastionZero enables engineers and build processes to authenticate to the cloud using multiple roots of trust. With this differentiator, if one root is compromised, organizations still maintain control.

Attack surface management company SevCo is the brainchild of JJ Guy and Greg Fitzgerald, the founders of Carbon Black and Cylance, respectively. Attempts at device inventories have always been an industry failure, and the problem has become worse with our remote and rapidly churning workforce.

SevCo's real-time streaming platform continuously correlates inventory from many sources through APIs. They record suspicious changes over time and are expecting to tame the problem of unmanaged and malicious devices reaching into clouds.

**Risk Management for Data, Privacy, and DevOps**

Unlike past years at Innovation Sandbox, the majority of 2022 finalists sell to users who do not report to the CISO. Talon's Web browser, SevCo's IT inventory, and BastionZero's authentication are more likely to fall under the CIO. Judges are surely sensitive to the demand for securing post-cloud IT infrastructure and defending digitization across organizations.

Another trio of startups in the competition emphasized working across these departments. Dasera frees data security that's been siloed within data, IT, and privacy teams. It visualizes data context, automates workflows, and coordinates policy and actions. Dasera ends up being a single pane of glass to visualize and manage data security across multiple departments and throughout its life cycle.

Torq is using a no-code approach that's seen recent success in automating cloud operations. It allows security professionals to visually build automation without the help of programmers, reducing costs. In addition to automating incident response, Torq can seamlessly coordinate with IT on the growing backlog of account provisioning, caused by identity attacks.

SecDevOps startup Cycode reaches across the organization to defend DevOps' entire pipeline: from application code to open source libraries and deployment paths. Cycode also automates remediation workflows to reduce costs.

**Cloud Security Focuses on APIs, Over-Permissioning**

Malware is still big on endpoints but receives less emphasis in cloud security. It's difficult for hackers to ensure their malware runs in the cloud near the data they target, especially with technologies like "serverless" containers and lambda functions. From what we know today, hackers are more likely to make API calls into or across the cloud, often sitting at their own devices behind anonymized IPs.

The cloud's crown jewels are applications and APIs that are exposed to the outside by design, said Neosec founder Giora Engel. Attackers can access them directly with credentials — whether legitimate or stolen. Hence the cloud security adage, "Hackers don’t break in, they log in." Neosec leverages API gateways, like Google Apigee. It discovers an organization's APIs, detects their vulnerabilities, and monitors use and abuse. Neosec wields behavioral analytics and offers a managed detection and response service on top.

Lightspin also doesn't focus on malware detection but manages cloud posture and protects workloads through a unique graph technology. Less-experienced analysts can visualize the most critical attack paths where vulnerabilities and configurations need closing. It's one of the easier products to use in its space.

Meanwhile, Cado Security brings forensics and incident response to cloud workloads. Instead of placing agents inside these workloads, Cado obtains cloned images of their disk, memory, and surrounding logfiles. Since offline forensic analysis has zero impact on high-availability workloads, cloud forensics has exciting potential.

Cado is one of the few examining binary files and processes inside workloads. It doesn't tout specific malware detection, yet allows searching for malware indicators and visualizing timelines.

Araali Networks is bucking the trend and places agents into the private cloud, leveraging Kubernetes DaemonSets and Linux's extended Berkeley Packet Filter (eBPF). Araali examines network traffic, enforces policies, and blocks malicious code.

Innovation Sandbox 2022 was a barometer for the rapid industry changes that are underway to secure the cloud. Cybersecurity must defend digitization across IT, data, privacy, and DevOps. It's a different world, where threats are a lot bigger than just malware.

Source

DARKReading