"Aoqin Dragon" has been operating since at least 2013, with targets including government and telecommunications companies in multiple countries.

One of the primary hallmarks of an advanced persistent threat (APT) group is its ability to operate undetected for years while carrying out its specific mission.

The newest example is "Aoqin Dragon," a China-based APT actor that researchers at SentinelOne recently discovered has been spying on organizations across multiple countries for the past 10 years. The group's primary mission appears to be cyber espionage, and its targets have included organizations in the government, telecommunications, and education sectors in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

In its analysis of the threat actor's targets, SentinelOne said infrastructure and malware shows the group likely comprises a small Chinese-speaking team with potential links to an adversary that Mandiant has been tracking for some time as UNC94. Aoqin Dragon’s targeting suggests its interests are aligned with those of the Chinese government, though SentinelOne has not been able to confirm that.

In a report last week, SentinelOne said it was able to identify Aoqin Dragon activity going back to at least 2013 and continuing through today. Over that period, the threat actor — like other APT groups — has been constantly refining and tweaking its tactics, techniques, and procedures (TTPs), SentinelOne said.

In the initial stages, Aoqin Dragon relied heavily on exploits targeting a couple of old Microsoft vulnerabilities (CVE-2012-0158 and CVE-2010-3333) to compromise targets. Later the group began using various document lures to try and infect target systems. Lures included documents with political themes pertaining to the Asia-Pacific region and content with pornographic themes. Individuals who fell for these lures were infected with a backdoor called Mongall, or sometimes with a modified version of Heyoka, a tool based on an open source proof of concept for exfiltrating data from compromised systems via DNS tunneling.

According to SentinelOne, Mongall is not especially feature-rich. Even so, it is effective and can create a remote shell for uploading files from an infected machine to the attacker's command-and-control servers (C2). The malware embeds three C2 servers in its code, making it dangerous, SentinelOne said.

**Rarely Used Tactic**

Since at least 2018, Aoqin Dragon has been using fake removable devices — in addition to its usual document exploits — as a vector for gaining initial access on target systems. In cyberattacks involving removable devices, SentinelOne observed the threat actor placing a removable disk shortcut file on a compromised system. When clicked, the file initiates a sequence of activity that ends with a malicious loader being placed on the system.

Joey Chen, threat intelligence researcher at SentinelOne, says Aoqin Dragon's use of a removable device for initial access is noteworthy because few actors use the approach these days. Instead of an actual physical removable device — such as an USB or DVD — the threat actors have been trying to lure users into clicking on a malicious removable disk shortcut file forged to look like a normal removable device. 

"The USB shortcut file contains a specific path to execute the Evernote Tray Application and use DLL hijacking to load the malicious encrashrep.dll loader as explorer.exe," Chen says. "The advantage of using a removable device as an initial access vector is that malicious files don't need to land into the victim's host machine."   

Mike Parkin, senior technical engineer at Vulcan Cyber, says the use of fake removable devices for initial access can be very effective, but it has never been the most common attack vector. 

"There was a time when leaving infected USB thumb drives, DVDs, and CD-ROMs was a common penetration testing technique that mimicked what we saw threat actors doing in the wild," he says. "Downloading and mounting an ISO file is the same idea, only entirely file-based."

For threat actors, removable devices are another tool that they can deploy to infect their targets, Parkin says. 

"If the victim can be enticed to download and launch the malware, the attacker has gotten around the need to breach the external defenses," he says. "The victim did it for them."

Several of Aoqin Dragon’s TTPs — such as DLL hijacking and DNS tunneling to evade detection — are similar to those that other threat actors use, says Chen. However, the threat actor's use of removable devices as an initial access vector is somewhat different. 

"In addition, the entire spread module and install module of the malware are all written by actors themselves," he says. This has made it harder for typical endpoint protection systems to detect the malware, he notes.

Chinese Threat Actor Employs Fake Removable Devices as Lures in Cyber Espionage Campaign

Martyn Ryder from Morphean explains why forging trusted partnerships is integral to the future of physical security in a world of networks, systems, and the cloud.

Physical security and cybersecurity have traditionally been regarded as two quite separate practices.

While the role of the physical security professional has commonly involved the installation of hardware, such as CCTV cameras, to protect people and premises, the primary focus of their cybersecurity counterparts has been networks, systems, and software in the drive to mitigate threats.

Digital transformation has seen both industries evolve rapidly over the last decade, while simultaneously drawing much closer together, united against a threat that can traverse both the physical and cyber realms. The opportunity this presents is significant, yet there are also risks.

Forward-thinking organizations are now looking to protect their entire operation from both a physical and cybersecurity perspective, in a single homogenized approach. But what does this mean for the physical security professional, and how are the roles of physical security and IT technicians set to change as physical security hosted in the cloud increasingly becomes the norm?

**Moving Away From Security Silos**

Advancements in cloud, the IoT, and the sharing of data mean that legacy analog security technologies are rapidly becoming obsolete, in favor of intelligent, connected physical security solutions capable of sharing data to improve security and enhance business operations. Yet without the correct network security protocols in place, vulnerabilities can be inadvertently introduced, such as exposing backdoors into a network as a result of unsecured devices, or other paths that security antagonists could take to target the enterprise.

While modern businesses should look to employ the highest levels of physical and cyber protection, such measures become difficult to achieve when implemented in a siloed way. In May 2019, vulnerabilities were discovered in network physical access control systems that allowed hackers to hijack credentials, take control of doors, install malware, and launch distributed denial-of-service (DDoS) attacks, all while circumventing the security measures in place. In this scenario, it was the physical security system that was compromised leaving the business wide open to attack.

Convergence, therefore, between cybersecurity and physical security offers a solution to bring the two security facets together in partnership, increasing resilience and enhancing preparedness to identify and mitigate threats. The resulting overarching, holistic view of an organization’s security posture will enable all points of connectivity to be thoroughly assessed and managed; this is critical as cyber and physical assets become increasingly intertwined and the attack surface is increased.

**Physical Security in a Cloud-Enabled World**

Yet as digitalization and cloud migration make network-connected devices and services the preferred configuration, there is a risk that those physical security professionals who are unprepared for the new era may be left behind. Connecting physical security to the cloud has countless security and intelligence benefits for the end user. But those physical security installers who do not understand the language of IT or fully grasp the benefits of cloud physical security solutions will be unable to pass these benefits to their customers, resulting in a smaller pool of low-scale projects.

In order to remain competitive, physical security specialists must begin arming themselves with knowledge of network connectivity, data collection, and the power of analytics. This will help them position physical security technology as more than just business protection, but rather a business opportunity. Close integration with IT and cybersecurity partners will be key to achieving this objective and will place the physical security professional in a far better position to work with the latest devices, technologies, and platforms to improve business operations for their customers.

**Zero Trust and the Safety of Cloud-Based Physical Security**

While the dangers associated with adding any device to a network cannot be ignored, recognizing the risks will help businesses ensure the most appropriate security protocols are in place for maximum protection of networks and systems. An increasing number of vulnerable endpoints creates copious opportunity for network exposure, and malicious threat actors are lying in wait to take advantage. A perimeter firewall is no longer enough to ensure network integrity, and unauthorized access to data and services must be made as granular as possible.

This is why the principle of zero trust, based on a framework from NIST, has emerged as cybersecurity best practice. The premise is a simple one: Give no implicit trust. This means ensuring access is only granted to areas of the network as and when they are needed. Multifactor authentication methods can help establish trust, verifying user activity to help protect the network from malicious intent. While it’s still a relatively new concept, physical security integrators must quickly come to grips with such principles to ensure they can deliver surveillance systems that do more than just deliver physical security.

As physical and IT security increasingly converge, security professionals should be looking to align themselves with vendors through trusted partnerships. This will help them to expand their capabilities and take their skill sets to the next level. Working with a provider that can help them understand the benefits of cloud physical security and the importance of working collaboratively with IT will enable the physical security professional to work with confidence, applying cutting-edge technologies to meet today’s business requirements without compromising network and system security.

_Martyn Ryder is VP Sales & Marketing at Morphean._

__This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.__

How Can Security Partnerships Help to Mitigate the Increasing Cyber Threat?

Service ingests AWS, GCP and Microsoft Azure data.

DENVER, June 14, 2022 /PRNewswire/ -- Enterprise security teams face unprecedented attack surface expansion as technology evolution, employee fatigue and complicated cloud or digital transformation initiatives strain resources. Optiv, the cyber advisory and solutions leader, today announced the expansion of its Managed XDR (MXDR) offering to ease clients' burden of safeguarding critical data, applications and systems in the cloud (public or multi-cloud) in near real-time with an all-star roster of integrated platforms, including:

*   Amazon Web Services (AWS), which provides clients with additional detection and response capabilities to protect them from increasingly complex cyberattacks.
*   Google Cloud (GCP), which adds comprehensive visibility and workload protection at scale across multi-cloud environments.
*   Microsoft Azure, which offers extensive data protection and integrated services.

Users rely on Optiv MXDR's unique ability to aggregate, organize and prioritize security alerts and configuration changes and correlate them across multiple cloud sources. By chaining services together with leading platforms, Optiv streamlines data collection and enrichment to provide customizable insights to strengthen security controls. Clients are able to address threat detection and visibility on a scale that meets their individual level of cloud adoption. In addition, the service's expansion ensures in-depth coverage and access to rapid investigation and response measures.

"Organizations require enhanced and fully integrated solutions to counter the evolving methods and increased number of cyberattacks by threat actors. As part of Optiv's Advanced Detection and Response solution, MXDR and AWS, GCP and Azure help our clients reduce their risk and focus their valuable resources on the things that matter most," said Rocky Destefano, Optiv's chief technology officer. "By innovating with world-class cloud partners, we're taking Optiv's security analysis expertise to the next level and helping our clients secure their future by focusing on the very best of what the market has to offer."

Optiv's MXDR was launched in August 2021. A collaborative approach to cutting-edge services, products and technical experts is necessary to defend against a wide-range of adversaries. With expanded integration in the cloud, organizations have the potential to lean on Optiv to provide enhanced detection and response, quicker returns to operational normalcy and business-centric outcomes across every stage of the security lifecycle, no matter the level of maturity.

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/.

**Follow Optiv**

Twitter: www.twitter.com/optiv  
LinkedIn: www.linkedin.com/company/optiv-inc  
Facebook: www.facebook.com/optivinc  
YouTube: www.youtube.com/c/OptivInc  
Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv** **Security: Secure greatness™**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv MXDR Enhances Detection Coverage With Expanded Cloud Integration

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

RSA CONFERENCE 2022 – If cloud services weren't complicated enough for the typical business today to properly configure and secure, there's also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source, cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers' virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack.

Cloud providers often silently install these "secret agent" middleware programs on their customers' virtual machines, and with the highest privileges, as a "bridge" between their cloud services and their customers' VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.

"These agents are adding an additional attack surface and cloud customers don't know about those agents ...; most are installed silently. If they come pre-installed, they have no idea" either, Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.

The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure's Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote execution and privilege escalation vulns in Azure, with a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.

Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: A default configuration for OMI was exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them since they weren't aware of OMI.

"There was confusion over how to handle this middleware" patching, Tamari said.

The Cloud Middleware Dataset so far includes several agents used in Azure in addition to OMI, such as Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root privileges. WALinuxAgent's listing in the database notes that the agent previously contained an information disclosure vulnerability, CVE-2019-0804. If exploited, it could allow an attacker to access memory in the kernel from a user process.

Other Azure middleware detailed in the database are Operations Management Suite, dependency agent, pipelines agent, and RD Agent service, each of which is employed in various Azure services.

AWS, meanwhile, has four such middleware agents listed in the dataset, AWS Systems Manager Agent (SSM Agent), AWS PV Drivers, AWS ECS container agent, and AWS EC2 Hibernation Initialization Agent. A local privilege escalation flaw CVE-2022-29527 was found this year in SSM Agent that an attacker could use to gain root access. That agent comes preconfigured in Windows, Linux, and macOS VM images.

Google Cloud runs Accounts Daemon, OSConfig agent, and a guest agent in its cloud services, all of which are Linux-based. OSConfig and guest also run on Windows. Accounts Daemon, which works in Google's OS Login service, previously was patched for a local privilege escalation flaw, CVE-2020-8933, that would have given root access. OSConfig, which is built into GCP VM images, also had a local privilege escalation vuln in 2020 that Google later fixed.

**What to Ask About Cloud Middleware**

So, how can organizations pinpoint these "secret agents," as Wiz researchers refer to them?

In an interview with Dark Reading at RSAC, Wiz co-founder and CTO Ami Luttwak said organizations should ask questions of cloud providers to get a clear view of what their software environment looks like: "Whose middleware is it \[and\] how do you know if it's running on your environment" and does the software contain vulnerabilities, and how are updates and patches handled?

"This is a different attack surface. It's a gray area," he said. "It needs transparency and a clear process for updates for agents, VMs."

Beware the 'Secret Agent' Cloud Middleware

SSO's one-to-many architecture is both a big advantage and a weakness.

With the average enterprise using almost 1,000 applications, it's no surprise that single sign-on (SSO) has become such a critical gatekeeper. It provides ease of access and can eliminate the sprawl of usernames and passwords that haunt users and frustrate administrators.

While SSO is useful, it's not without inherent risk. Since it uses a one-to-many architecture, if an identity is breached, an attacker instantly gains access to all of the resources that particular account holder is authorized to use. As we know, users will often select weak passwords and can easily fall prey to phishing attacks.

Another challenge is that not every system can use a single sign-on solution, leaving gaps in security. While most SSO technologies can support multiple cloud-based applications, homegrown and legacy applications require different approaches, like Microsoft Active Directory. This creates identity silos and creates massive complexity.

Meanwhile, passwords remain the weak link in any security implementation, including SSO, because they don't actually validate the identity of the user.

**Mitigating SSO Risks**

Multifactor authentication (MFA), which is supported by many SSO solutions, is usually layered on top of usernames and passwords, but there's no identity verification taking place other than something you know (mother's maiden name or such) and something you have, such as your cellphone. Combining MFA and identity verification will fill some of the gaps in SSO.

Adding identity verification works well for organizations that already scan employees' biometrics, drivers' licenses, or passports in the hiring process because they already have a proof of identity on file for comparison. Identity-proofing all employees before issuing credentials is a strong first step toward bringing SSO into the zero-trust world, which requires reauthentication when risk factors are elevated.

However, in order to implement zero-trust access, organizations must validate a user's identity and not just require an additional authentication factor. That's because if an attacker has compromised a user's identity, asking for reauthentication or a second form of authentication will not detect that the access request is being made by someone who is not actually the authorized user. Without this fundamental understanding of identity, any authentication method including SSO cannot be trusted.

Replacing passwords as the main method of identifying a user is the key first step in making SSO more secure, but several other techniques can build on that effort to make it even more secure and easy to use. Security analytics can be used to detect anomalies in user behavior patterns. For example, if a user has made a few failed attempts to log on or is connecting from an unusual device or location, the system could require a new secondary form of authentication.

It's also important to understand what digital assets are not covered by SSO. For example, custom-built and legacy applications don't not easily integrate with SSO. Therefore, an approach that marries identity verification with authentication provides the trust levels necessary to support both SSO and extend passwordless access to assets that are not covered by SSO.

If an SSO implementation is still based on passwords, it's extremely important to establish a secure password reset process. For example, using verified biometrics that use what's called liveness detection to make sure that a static image of the user is not being used to spoof the system. This type of capability can ensure the authorized account holder is present when resetting a password, and that the reset is not being performed by an attacker.

Clearly, SSO's one-to-many architecture is both a big advantage and a weakness. By supplementing SSO with identity verification and advanced MFA, it's possible to eliminate passwords in a safe and secure fashion.

Understanding and Mitigating Single Sign-on Risk

The combination of Awingu and the Parallels Remote Application Server platform will enable end users to securely work from anywhere, at any time, on any device, or OS.

OTTAWA, June 13, 2022 (GLOBE NEWSWIRE) -- Corel, a leader in professional creativity and productivity solutions, today announced it has acquired Awingu, a provider of secure remote access technology, for an undisclosed amount. Awingu will become a part of the Parallels brand portfolio. The combination of Awingu and the Parallels® Remote Application Server (RAS) platform will give end users added flexibility and freedom they need to securely work from anywhere, at any time, on any device, or OS. Parallels, part of the Corel group, is an all-in-one application delivery and virtual desktop infrastructure (VDI) solution that provides remote access to virtual applications and desktops delivered through on-premises, hybrid, or cloud-based environments.

Ideal for both mid-market and large enterprises, Awingu provides a secure way for organizations to facilitate bring your own device (BYOD) or work from anywhere policies through its easy-to-use and secure unified workspace. With this technology acquisition, the Parallels RAS platform will become a one-stop solution that gives customers the ability to easily access legacy and cloud-native applications and files, while alleviating the worry of data security and infrastructure complexity from IT teams.

“The future of work is now; we are living it. The pandemic further accelerated the need for organizations to determine and shift their remote and hybrid work infrastructures. Now, organizations are figuring out how they can cater to the flexibility that employees want with their workplaces while also ensuring secure and efficient access,” said Prashant Ketkar, Chief Technology and Product Officer, Corel. “We’re committed to helping organizations navigate this shift in the workplace, and with the addition of Awingu we’re one step closer to improving the experience for every stakeholder that interacts with our products.”

Awingu will continue to operate alongside Parallels’ offerings to deliver secure remote workspaces for customers in healthcare, finance, manufacturing, government, and telco verticals. Additionally, Awingu will expand its integration with Parallels to accelerate innovation and provide a unified capability for secure remote access to both legacy and cloud-native applications. This will provide a range of solutions for customers leveraging on-premises assets, hybrid architectures, and any cloud.

“I’m excited to join the Corel organization with the Awingu team. Both companies have a customer-first mindset and share the mission to ensure a seamless, secure, and effective workspace no matter where an employee is located,” said Walter van Uytven, CEO, Awingu. "Together with Parallels RAS, we’ll bring a broader, richer set of solutions across the secure remote desktop and app streaming industry to our customers.” The Awingu team, including CEO Walter van Uytven, will join Corel, bringing their strategic and engineering expertise to the organization to help accelerate product roadmaps.

Unlike most solutions in the market, Awingu does not require agents on the server or software to be installed on end-user devices. Awingu is “clientless” and runs entirely in the browser, where it aggregates all company files and applications, including SaaS and legacy Windows or Linux applications into one online workspace with one login. The ability to aggregate traffic provides an audit mechanism to secure actions in remote workspaces, enabling administrators to implement a zero trust security solution at the edge. This ease of use and simplified deployment enables customers to implement Awingu in hours, not days, empowering IT departments of all sizes to enable secure remote workspaces for their end-users. Founded in 2011 and headquartered in Ghent, Belgium, Awingu has been named a Gartner Cool Vendor in unified workspaces. Awingu is available in over 20 countries and partners with organizations like Microsoft, Blackberry, and Barracuda and serves customers such as the Port of Antwerp, Peloton, UDLAP University, and ConvergeOne.

Corel is a KKR portfolio company. Awingu was previously backed by Pamica NV, an investment company of Awingu’s former Executive Chairman, Michel Akkermans.

**About Corel**  
Corel products enable millions of connected knowledge workers around the world to do great work faster. Offering some of the industry's best-known software brands, we give individuals and teams the power to create, collaborate, and deliver impressive results. Our success is driven by an unwavering commitment to deliver a broad portfolio of innovative applications – including CorelDRAW, MindManager, Parallels, and WinZip – to inspire users and help them achieve their goals. To learn more about Corel, please visit www.corel.com.

**About Awingu**  
Awingu is a browser-based "Unified Workspace" that allows users to work and collaborate from virtually anywhere using any device compatible with HTML5 browsers. Awingu offers businesses the ease and convenience of platform-independent mobility and Bring Your Own Device. Awingu requires zero client software installation, making IT administration extremely simple. Awingu is headquartered in Ghent, Belgium, with offices in New York, United States.

Corel Acquires Awingu

Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.

The US Cybersecurity and Infrastructure Agency (CISA) Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.

In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).

One of the vulnerabilities is a so-called use after free issue in the WebGPU application programming interface for functions such as computation and rendering on a Graphics Processing Unit. The bug (CVE-2022-2007) is remotely exploitable and can have an impact on the confidentiality, integrity, and availability of affected systems, according to a description of the flaw on vulnerability database VulDB. "No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction," VulDB noted.

Google awarded $10,000 to the security researcher who reported the flaw to the company in May. VulDB estimated the price for an exploit for the flaw to be between $5,000 and $25,000 currently, though that could go up soon, it noted.

The second flaw is an out-of-bounds memory access use in the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese firm VinCSS Internet Security Services reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable but requiring at least some user interaction by the victim. The flaw appears to be easily exploitable and requires no authentication, VulDB said. Google's advisory noted the reward for disclosing the vulnerability had yet to be determined.

The third high-severity vulnerability that the new Chrome version addresses (CVE-2022-2010) is an out-of-bound read issue in compositing or in rendering Web page content. A security researcher with Google's own Project Zero bug hunting team discovered the vulnerability in May. Like the other two flaws, this one also affects the confidentiality, integrity, and availability of affected systems, VulDB said.

The fourth high severity vulnerability that Google disclosed is a use-after-free issue that an external security researcher reported to the company in May. The flaw (CVE-2022-2011) exists in ANGLE, a function that Google describes as an "almost native Graphics Layer engine" in Chrome. The memory corruption vulnerability has a near identical impact as the other three, based on VulDB's description of the issue.

**CISA: Flaws Allow Attackers to Take Control of Affected Systems**

CISA urged organizations to review Google's Chrome release note and apply the update to mitigate risk. "Google has released Chrome version 102.0.5005.115 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system," it said.

The seven flaws that Google addressed with its latest Chrome version is considerably smaller in number than some other recent Chrome-related bug disclosures from the company. A Chrome update that Google released on May 24 included fixes for 32 flaws, one of which was rated as being of critical severity while seven others were rated as being highly critical. Another update, also in May, contained fixes for 13 flaws, eight of which the company rated as being of high severity.

CISA Recommends Organizations Update to the Latest Version of Google Chrome

Employee email compromise potentially exposed patients' medical information, including lab test results and dates of services.

Kaiser Permanente recently revealed that an employee email compromise on April 5 left personal medical information on nearly 70,000 of its patients at risk of compromise.

Although Kaiser said the attacker had access for only a couple of hours and there is no evidence that sensitive data was breached, patient information including first and last name, medical record number, dates of service, and lab test results were involved, the company said in a notice about the incident. 

The US Department of Health and Human Services Office for Civil Rights is investigating the compromise, which took place at the Kaiser Foundation Health Plan of Washington and potentially impacted a total of 69,589 patients, its website said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Kaiser Permanente Breach Exposes Data on 70K Patients

Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.

A security flaw in the Travis CI API has left tens of thousands of developers' user tokens and other sensitive information exposed to attack, as threat actors could use the credentials to wage attacks in cloud services, including GitHub, Amazon Web Services (AWS), and Docker Hub.

The issue was first reported as far back as 2015, but the vulnerability in the API can still be exploited to launch attacks laterally across the cloud, according to a new blog post from Team Nautilus, which notes that all free-tier users of Travis CI are at risk.  

The Travis CI API is commonly used by developers to test apps, and during their research the analysts were able to access more than 770 million cleartext logs, chock-full of the kind of sensitive data that threat actors could leverage to move laterally across cloud services for malicious activity. 

"We disclosed our findings to Travis which responded that this issue is 'by design', so all the secrets are currently available," according to the post on the Travis CI API vulnerability. "All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exposed Travis CI API Leaves All Free-Tier Users Open to Attack

Cut away everything that costs more attention, storage, or time than its impact is worth.

One of my favorite quotes comes from John Naisbitt's book _Megatrends_: "We are drowning in information but starved for knowledge." This quote so accurately captures much of modern life. In particular, it succinctly describes the state of many enterprise security programs that, unfortunately, suffer from high levels of false-positives and other "noise" that reduce their effectiveness.

To understand why security teams are so held back by noise, we must first understand the consequences of noise for the security team. While not an exhaustive list, here are a few key repercussions.

**Wasted cycles****:** When security teams build a workflow around a centralized work queue, that work queue needs to be attended to — from triage and incident-handling to analysis, investigation, forensics, and recovery. That means that all events in the queue need to be prioritized and reviewed. Noise fills this queue with items to review that do not add value to the security program. In other words, noise wastes the security team's precious and valuable cycles.

**Missed true-positives**:**** The phrase "finding a needle in a haystack" is an apt one in security, and in security operations in particular. The needle represents true-positive security incidents, while the haystack represents false-positives. The more false-positives there are, the more difficult that makes finding the real security incidents that are buried in the noise.

**Increased infrastructure costs**:**** Noise also comes with an infrastructure cost. Each log, alert, and event, regardless of whether it adds value, must be retained. Thus, if the team is collecting a large amount of information that adds little to no value, they are merely using excess infrastructure. This comes with a cost that takes budget away from areas where it could add significantly more value. Identifying budget for a never-ending list of security priorities is always high on the list for security leaders.

**Skewed metrics**:**** False positives tend to skew metrics. Certain metrics, particularly those that focus on percentage of time spent on security incidents, ratios of true-positives to false-positives, volume of incidents, number of incidents handled, and analyst time per incident will be highly affected by the volume of noise. The lower the rate of false positives can be, the more accurately and favorably these metrics will turn out.

**How to Eliminate the Noise**

Knowing a few of the reasons why false-positives and noise negatively affect our security program helps us build a plan to address the problem. Here are nine suggestions that I've found helpful over the course of my career.

**1\. Begin with risk**:**** Not surprisingly, a firm understanding of and commitment to risk is the strongest of bases for building a strong security program. Assess the risks and threats to the enterprise, understand what within the enterprise they affect, and learn the potential cost and potential for damage and loss associated with each one.

**2\.** **Create goals and priorities**:**** Selecting when to address what is one of the most important strategic decisions a security team can make. Prioritize the risks and threats enumerated in the previous step and create goals and priorities that will be addressed both near-term and longer-term.

**3\. Assess impact**:**** Identifying critical assets, key resources, and important data stores, among other things, helps the team understand the potential impact of an incident. Knowing where the most sensitive and important assets, resources, and data are helps focus the team on where gaps in telemetry exist.

**4\. Identify data overkill and gaps**:**** Understand the existing telemetry collection in place and evaluate whether each data source contributes to improving detection for the security team. If it doesn't, then collecting it just adds infrastructure costs while not adding value. Identify gaps in telemetry that leave the team blind to potential security incidents and develop a plan to address those gaps.

**5\. Consider technology overkill and gaps**:**** Look closely at existing technology that is in place. Examine where technology is helpful, such as producing highly reliable security alerting, collecting valuable telemetry data, or making process and workflow more efficient. Keep a close eye on where technology is fighting, rather than helping, the security team, as well as where gaps exist in telemetry and detection.

**6\. Throw out the default rule set**:**** Rules, signatures, and other detection techniques that generate a large volume of noise do not add value to the security program. Instead, they bury the team in false-positives and actively work against timely and accurate detection of security incidents. It may sound radical, but there are far more benefits to throwing out the default rule set than there are disadvantages.

**7\. Implement tight detection****:** Truly embracing the "less is more" philosophy includes incisively interrogating the data to produce high-fidelity, high-reliability alerts and events. While implementing more sophisticated approaches to detection requires a significant time investment up front, it pays big dividends. The better the alerting and eventing, the more signal and the less noise the work queue will have.

**8\. Focus on process**:**** The highest quality work queue in the world won't help when there are broken or nonexistent processes. A world-class security team has mature, efficient, and effective processes that guide and govern how they work.

**9\. Continuously improve**:**** No security program is in an ideal state, and the best security teams are keenly aware of their weaknesses and opportunities for improvement. Taking lessons learned from each of the above points and using them to continuously improve the security program is critical to its long-term success.

The conventional wisdom that more data, more events, and more alerts make for better detection is outdated and misinformed. Through a strategic focus on risk and a methodical approach to reducing noise, enterprises can improve both the state of their detection capabilities and the maturity of their security programs. Improving the signal-to-noise ratio and embracing the "less is more" philosophy for security can help enterprises detect security incidents sooner and more accurately while wasting significantly fewer resources on false-positives and noise.

Source

DARKReading