A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises.

Security researchers are sounding the alarm on the malware tool dubbed ChromeLoader. It first surfaced in January as a consumer-focused, browser-hijacking credential stealer but has now evolved into a widely prevalent and multifaceted threat to organizations across multiple industries.

In an advisory released Sept. 19, researchers from VMware's Carbon Black managed detection and response team said they have recently observed the malware being used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems.

The researchers said they have observed hundreds of attacks involving newer versions of the malware targeting enterprises in business services, education, government, healthcare, and multiple other sectors. 

"This campaign has gone through many changes over the past few months, and we don’t expect it to stop," the researchers warned. "It is imperative that these industries take note of the prevalence of this \[threat\] and prepare to respond to it."

**Ongoing & Prevalent Campaign**

VMware's warning echoed one from Microsoft's Security Intelligence team Friday about a threat actor they are tracking as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempting to monetize clicks generated by a browser extension or browser node-webkit that ChromeLoader had secretly downloaded on numerous user devices.

"This campaign begins with an .ISO file that's downloaded when a user clicks malicious ads or YouTube comments," according to Microsoft's analysis. When opened, the .ISO file installs the aforementioned browser node-webkit (NW.js) or a browser extension. 

"We’ve also seen the use of DMG files, indicating multi-platform activity," Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) grabbed attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents. 

Researchers from Palo Alto Networks' Unit 42 threat hunting team described the infection vector as starting with a user scanning a QR code on those sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were persuaded to download an .ISO image purporting to be the pirated file, which contained an installer file and several other hidden ones.

When users launched the installer file, they received a message indicating that the download had failed — while in the background a PowerShell script in the malware downloaded a malicious Chrome extension on the user's browser, Unit 42 researchers found.

**Rapid Evolution**

Since arriving on the scene earlier this year, the malware's authors have released multiple versions, many of them equipped with different malicious capabilities. One of them is a variant called Bloom.exe that made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. VMware's researchers said they observed the malware being used to exfiltrate sensitive data from infected systems. 

Another ChromeLoader variant is being used to drop zip bombs on user systems, i.e. malicious archive files. Users who click on the weaponized compression files end up launching malware that overloads their systems with data and crashes them. And since August, the operators of the appropriately named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

**ChromeLoader's Updated Malicious Tactics**

Along with the payloads, the tactics for getting users to download ChromeLoader have also evolved. For instance, VMware Carbon Black researchers said they have seen the malware's author's impersonating various legitimate services to lead users to ChromeLoader. 

One service they have impersonated is OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music. 

"The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates," VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home, and often using their personally owned devices to access enterprise data and applications, enterprises can end up being impacted as well. VMware's Carbon Black team, like Microsoft's security researchers, said they believe the current campaign is only a harbinger of more attacks involving ChromeLoader.  

"The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously," VMware said in its advisory, "due to its potential for delivering more nefarious malware."

ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat

The  attack uses hijacked Egress branding and the legit Powtoon video platform to steal user credentials.

**UPDATE**  

A unique multistep cyberattack has been observed in the wild that attempts to trick users into playing a malicious video that ultimately serves up a spoofed Microsoft page to steal credentials. 

The team at Perception Point released a report on the phishing campaign, noting that attacks begin with an email that appears to contain an invoice from British email security company Egress. The report noted the fake Egress email contains a valid sender signature, which helps it pass email security filters.   

Once the user clicks on the scam Egress invoice, they are taken to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, ultimately presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are harvested.

It all, the attack methodology is notable, researchers said. "This is a highly sophisticated phishing attack that involves multiple steps...and video," according to the Perception Point report on the two-step video phishing campaign.

**Egress Brand Impersonation**

Egress tells Dark Reading that its own investigation found the attack to rely on brand impersonation, even though the email could be seen on face value as being a legitimate Egress email.

"We can confirm that there is currently no evidence that Egress itself has been the victim of a phishing attack, and reports of an account takeover attack involving any Egress employee or any Egress user are false," the company said in a statement sent to Dark Reading. "There is no need for any Egress customer or user to take any action at this time."

The statement continued, "Our investigation shows that this is a standard brand impersonation. As you are probably aware, cybercriminals leverage many trusted and well-known brands to add legitimacy to their attacks. In the instance reported, a phishing email was sent using an Egress Protect (email encryption) template."

**_This story was updated at 9:30 a.m. ET on Sept. 21, to clarify that there was no account takeover at Egress. This story was also updated at 12:50 p.m. ET on Sept. 22, after Perception Point amended certain details in its blog on the attack._**

.

2-Step Email Attack Uses Powtoon Video to Execute Payload

The airline and the fintech giant both fell to successful phishing attacks against employees.

Call it breach week: Hard on the heels of the Uber bombshell, American Airlines said that it suffered a data breach after a successful phishing attempt hooked a few employee email accounts. And consumer banking app Revolut confirmed that more than 50,000 customers may be impacted by a targeted data heist.

In the case of American, the airline told customers in a notification letter filed with the Montana Department of Justice that in July it discovered compromised email accounts for a "limited number" of employees. The mailboxes contained a raft of customer data, which could include name, date of birth, phone number, mailing address, email address, driver's license number, passport number, and perhaps medical information. That said, there's no confirmation that attackers actually took off with any of the information.

Meanwhile, fintech bigwig Revolut, which offers global banking, debit cards, fee-free currency exchange, stock trading, cryptocurrency exchange, and peer-to-peer payment services, said that a cyberattacker was able to access data for about 0.16% of its 20 million customers for a "short period” of time. The data protection regulator in Lithuania, where Revolut is headquartered, said that translates to about 50,150 people impacted.

The attackers were able to access names, phone numbers, emails, physical addresses, partial card details, and some unspecified account information, according to the regulator notice — but Revolut noted that funds were safe.

"To be clear, no funds have been accessed or stolen," the company announced in an email to customers (shared on Reddit). "Our customers' money is safe — as it has always been. All customers can continue to use their cards and accounts as normal."

Nonetheless, in both breach cases, the exposed data gives cyberattackers everything they would need to mount targeted follow-on attacks using social engineering, or for credential-stuffing efforts. And indeed, some Revolut customers have already reported phishing messages aimed at capturing their banking account logins.

"While the resulting second-wave phishing attack wasn’t the likely motive in this case, secondary outreach directly to the end user is always a possibility when it comes to these types attacks," says Randy Watkins, CTO at CRITICALSTART. "Likely, the attackers would have preferred to get the information they wanted directly from Revolut, but with the information they were able to gain access to, they can significantly raise their chances of phishing the end users.”

Beware of Phish: American Airlines, Revolut Data Breaches Expose Customer Info

The release augments the company's Kubernetes management platform with free, user-friendly insight on security postures, along with cost monitoring and observability.

Cloud cost management platform provider Cast AI has released Cloud Security Insights, a free security analysis tool that integrates into an organization's AI-driven cloud optimization platform.

The platform, which is free for all users, aims to help DevOps and DevSecOps teams manage cloud resources, cloud optimization, and Kubernetes security.

It represents the second pillar of Cast AI's autonomous Kubernetes management platform, adding to the suite of tools for automating Kubernetes cost reduction, cloud resource provisioning, and security monitoring across Google Cloud, Amazon Web Services (AWS), and Microsoft Azure.

The vendor-independent platform provides users with fully automated reports containing Kubernetes configuration checks, which help ensure clusters are configured according to best practices for pods and workloads. The user interface provides details on individual checks and resources.

The platform also offers vulnerability scans for an overview of potential issues that might appear due to container images downloaded from public registries, as well as 24/7 visibility into Kubernetes cluster configurations.

In addition, container image vulnerability detection and security recommendations can be arranged and presented in order of priority. Other features help users achieve security and regulatory compliance and provide a common platform for security and development team integration and collaboration.

"In addition to comprehensive cost monitoring, you're now provided with individually tailored security recommendations to mitigate cloud native workload security issues," explains Cast AI co-founder and CPO Laurent Gil. "You just need to create an account and connect your AWS, Google, or Azure Kubernetes apps."

Gil adds that Cloud Security Insights can be used for multicloud or single-cloud environments, providing the same security alerts and insights regardless of which cloud providers the organization uses viaa common and simple control plane.

Native tools can handle these tasks, of course. Microsoft offers Microsoft Defender for Containers, for example, which covers more but costs $7 per CPU per virtual machine. It also requires customers to install an agent on their resources.

Google Cloud runs a vulnerability assessment service for images at a price of 26 cents per scanned container image, while security for Kubernetes includes this service and vulnerability assessment in the pre-general release.

"However, we already see that we are able to detect many more best practices violations," Gil asserts. "The value is in the platform — Security Insights and cloud optimization makes your applications secure and autonomous at the same time, with an instant position ROI."

In short, Gil says users get a "powerful and complete" insight on Kubernetes security monitoring, plus an instant ROI where the cost of Cast AI is always a fraction of the savings benefits.

"Applications now run securely and autonomously, with instant rightsizing and one of the fastest autoscalers on the planet," he adds.

**Kubernetes Environments Pose Multiple Challenge**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, points out that Kubernetes (aka k8s) environments have several specific challenges.

"These include compromised images, visibility into the environment, establishing and maintaining secure configurations, and a range of other problems related to securing containerized images in the cloud," he explains.

Anything that can help a security operations team consolidate their tools and give them more context and clarity helps, he adds.

"That's the case whether it's in the form of a single focused tool that covers multiple aspects of a deployment or a risk management tool that brings other tools together," Parkin says.

As a deployment orchestrator, Kubernetes will dominate an organization's alignment challenges, whether hybrid/multicloud or data center-based, says John Steven, CTO at automated threat modeling provider ThreatModeler.  

"Indeed, the point of Kubernetes is to abstract away the underlying infrastructure management, replacing it with its own scheme," he says. He explains that managed Kubernetes solutions simplify scale out because the cloud service provider's (CSP) control of underlying infrastructure makes it appear infinite.

Managed solutions also make incorporating key CSP-specific services, such as Directory Services, Persistence Solutions, or Learning APIs, into a Kubernetes application easier and more secure, he says.

"However, organizations can also feel like managed k8s is shackling — tying them to a particular provider through configuration, service, and administration idiosyncrasies," Steven says.

He notes that organizations with exceptionally high uptime requirements may struggle to provide multicloud resilience against failure of a single CSP availability zone or region.

"In practice, managed k8s trades the complexity of multicloud k8s for the idiosyncrasy and lock-in of managing a single cloud," Steven says. "Given the above, it's strategic for security solutions to target k8s. Providing visibility into clusters meets a crucial need."

Steven adds that more than one startup has suffered multiday outage because k8s misconfiguration knocked a critical business function offline or because storage, memory, or compute allotment claims defined too low a ceiling for peak usage during heavy use.

"If businesses begin to view k8s as an unreliable platform — even if \[it's\] because they don't have the expertise to wield it — they will move to simpler solutions," he says.

Cast AI Introduces Cloud Security Insights for Kubernetes

It's called "spell-jacking": Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services.

Spell-checking features present in both the Google Chrome and Microsoft Edge browsers are leaking sensitive user information — including username, email, and passwords — to Google and Microsoft, respectively, when people fill in forms on popular websites and cloud-based enterprise apps.  

The issue — dubbed "spell-jacking" by researchers at client-side security firm Otto JavaScript Security (Otto-js) — can expose personally identifiable information (PII) from some of the most widely used enterprise applications, including Alibaba, Amazon Web Services, Google Cloud, LastPass, and Office 365, according to a blog post published Sept. 16.

Otto-js co-founder and CTO Josh Summit discovered the leakage — which occurs specifically when Chrome's Enhanced Spellcheck and Edge's MS Editor are enabled on browsers —  
while conducting research on how browsers leak data in general.

Summit found that these spell-check features send data to Google and Microsoft that's entered into form fields — such as username, email, date of birth, and Social Security number — when someone fills out these forms on websites or Web services while using the browsers, the researchers said.

Chrome and Edge also will leak user passwords if the "show password" feature is clicked when someone enters a password into a site or service, sending that data to Google and Microsoft's third-party servers, they said.

**Where the Privacy Risk Lies**

Otto-js researchers, who posted a video on YouTube demonstrating how the leakage occurs, tested more than 50 websites that people use daily or weekly that have access to PII. They broke 30 of those into a control group spanning six categories — online banking, cloud office tools, healthcare, government, social media, and e-commerce — and selected websites for each category based on the top ranking in each industry.

Of the 30 control group websites tested, 96.7% sent data with PII back to Google and Microsoft, while 73% sent passwords when "show password" was clicked. Moreover, the ones that did not send passwords had not actually mitigated the issue; they just lacked the "show password" feature, the researchers said.

Of the websites that the researchers investigated, Google is the only one that already had fixed the issue for email and some services. Otto-js found that the company's Web service Google Cloud Secret Manager remains vulnerable, however.

Meanwhile, Auth0, a popular single sign-on service, was not in the control group that the researchers had investigated but was the only website other than Google that had correctly mitigated the issue, they said.

Google's Enhanced spell-check feature, which requires an opt-in from the user, handles the data in an anonymized way, according to a Google spokesperson.

"The text typed by the user may be sensitive personal information and Google does not attach it to any user identity and only processes it on the server temporarily," he tells Dark Reading. "To further ensure user privacy, we will be working to exclude passwords proactively from spell check. We appreciate the collaboration with the security community, and we are always looking for ways to better protect user privacy and sensitive information."

Users of a number of enterprise cloud-based applications also are at risk when entering forms while using the apps on Chrome and Edge if the spell-check features are enabled. Of those aforementioned services, security teams from Amazon Web Services (AWS) and LastPass responded to Otto-js and already have remedied the issue, the researchers said.

**Where Does the Data Go?**

One big question that arises is what happens to the data once it's received by Google and Microsoft, which the researchers said they can't clearly answer.

At this point, no one knows if the data is being stored on the receiving end or, if this is the case, who is managing its security, the researchers noted. It's also not clear if the data is managed with the same level of security as known sensitive data such as passwords, or if it's being used by product teams as metadata for refining models, they said.

Either way, researchers observed that the issue once again raises the concern about technology companies such as Google and Microsoft having so much access to sensitive information about customers, employees, and companies, particularly when it comes to passwords.

"Passwords are meant to be a secret you share with the party you intended, and no one else," they wrote in the post. "A shared secret should be hashed and irreversible, but this feature violates a fundamental security principle of 'need-to-know' and could be considered a violation of privacy."

**Easily Overlooked Issue**

Moreover, the data leakage can be widespread for users or enterprises for a number of reasons, the researchers noted. One is that because the browser features that expose the data are actually helpful to users, they are likely to be turned on and exposing data without a user's knowledge.

"What's concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background," Summit says.

The password exposure also occurs as an "unintended interaction" between browser spell-check and a website feature, making it something that might easily fly under the radar, notes Walter Hoehn, vice president of engineering at Otto-js

"The enhanced spell-checking features in Chrome and Edge offer a significant upgrade over the default dictionary-based methods," he says. "Likewise, websites that provide the option of displaying passwords in cleartext are more usable, especially for those with disabilities."

**Path of Mitigation**

Even if a website or service has not fixed the issue from its side, enterprises can mitigate the risk of sharing their customers' PII entered into forms by adding "spellcheck=false" to all input fields, although this could create problems for users, researchers acknowledged.

Alternatively, enterprises can just add the command only to form fields with sensitive data to remove the risk, or they could take away the "show password" feature in their forms, they said. This won't prevent spell-jacking, but it will prevent passwords from being sent, the researchers said.

Companies also can mitigate internal exposure of company-owned accounts by implementing endpoint security precautions that disable enhanced spellcheck features and limiting employees from installing unapproved browser extensions, according to Otto-JS.

Consumers can mitigate their own risk of having their data sent to Microsoft and Google without their knowledge by going into their browsers and disabling the respective spell-check culprits, the researchers added.

Spell-Checking in Google Chrome, Microsoft Edge Browsers Leaks Passwords

Despite an 86% surge in budget resources to defend against ransomware, 90% of orgs were impacted by attacks last year, a survey reveals.

An annual survey of CISOs from Canada, the UK, and US reveals that security teams are starting to lose hope that they can defend against the next ransomware attack.

The survey was conducted by SpyCloud, and it showed that although budgets to protect against cyberattacks have swelled by 86%, a full 90% of organizations surveyed said they had been impacted by a ransomware over the past year.

"Additionally, more organizations have implemented 'Plan B' measures this year, from opening cryptocurrency accounts to purchasing ransomware insurance riders," the SpyCloud ransomware report said. "These findings suggest that organizations realize threats are slipping through their defenses and a ransomware attack is inevitable."

The survey did show some bright spots on the cybersecurity front — nearly three-quarters of those organizations surveyed are using multifactor authentication (MFA), with an increase from 44% to 73% year-over-year. The report added that respondents said they are focused on stopping credential-stealing malware, particularly on unmanaged network devices.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Survey Shows CISOs Losing Confidence in Ability to Stop Ransomware Attacks

The evolving tactics increase the threat of ransomware operators, but there are steps organizations can take to protect themselves.

Cybercriminals are becoming more strategic and professional about ransomware. They increasingly are emulating how legitimate businesses operate, including leveraging a growing cybercrime-as-a-service supply chain.

This article describes four key ransomware trends and provides advice on how to avoid falling victim to these new attacks. 

**1\. IABs on the Rise**

Cybercrime is becoming more profitable, as evidenced by the growth of initial access brokers (IABs) that specialize in breaching companies, stealing credentials, and selling that access to other attackers. IABs are the first link in the cybercrime-as-a-service kill chain, a shadow economy of off-the-shelf services that any would-be criminal can purchase to construct sophisticated tool chains to execute almost any digital offense imaginable.

IABs' top customers are ransomware operators, who are willing to pay for access to ready-made victims while they focus their own efforts on extortion and improving their malware.

In 2021, there were more than 1,300 IAB listings on major cybercrime forums monitored by the KELA Cyber Intelligence Center, with nearly half coming from 10 IABs. In most cases, the price for access was between $1,000 and $10,000, with an average sale price of $4,600. Of all of the offerings available, VPN credentials and domain administrator access were among the most valuable.

**2\. Fileless Attacks Fly Under the Radar**

Cybercriminals are taking a cue from advanced persistent threat (APT) and nation-state attackers by employing living-off-the-land (LotL) and fileless techniques to improve their chances of evading detection to successfully deploy ransomware.

These attacks leverage legitimate, publicly available software tools often found in a target's environment. For example, 91% of DarkSide ransomware attacks involved legitimate tools, with only 9% using malware, according to a report by Picus Security. Other attacks have been discovered that were 100% fileless.

This way, threat actors evade detection by avoiding "known bad" indicators, such as process names or file hashes. Application-allow lists, which permit the usage of trusted applications, also fail to restrict malicious users, especially for ubiquitous apps. 

**3\. Ransomware Groups Targeting Low-Profile Targets**

The high-profile Colonial Pipeline ransomware attack in May 2021 affected critical infrastructure so severely that it triggered an international and top government response.

Such headline-grabbing attacks prompt scrutiny and concerted efforts by law enforcement and defense agencies to act against ransomware operators, leading to the disruption of criminal operations, as well as arrests and prosecutions. Most criminals would rather keep their activities under the radar. Given the number of potential targets, operators can afford to be opportunistic while minimizing the risk to their own operations. Ransomware actors have become far more selective in their targeting of victims, enabled by the detailed and granular firmographics supplied by IABs.

**4\. Insiders Are Tempted With a Piece of the Pie**

Ransomware operators also have discovered that they can enlist rogue employees to help them gain access. The conversion rate may be low, but the payoff can be worth the effort.

A survey by Hitachi ID taken between Dec. 7, 2021, and Jan. 4, 2022, found that 65% of respondents said their employees had been approached by threat actors to help provide initial access. Insiders who take the bait have different reasons for being willing to betray their companies, although dissatisfaction with their employer is the most common motivator.

Whatever the reason, the offers made by ransomware groups can be tempting. In the Hitachi ID survey, 57% of the employees contacted were offered less than $500,000, 28% were offered between $500,000 and $1 million, and 11% were offered more than $1 million.

**Practical Steps to Improving Protection**

The evolving tactics discussed here increase the threat of ransomware operators, but there are steps organizations can take to protect themselves:

*   **Follow zero-trust best practices,** such as multifactor authentication (MFA) and least-privilege access, to limit the impact of compromised credentials and increase the chance of detecting anomalous activity.
*   **Focus on mitigating insider threats,** a practice that can help limit malicious actions not only by employees but also by external actors (who, after all, appear to be insiders once they've gained access).
*   **Conduct regular threat hunting,** which can help detect fileless attacks and threat actors working to evade your defenses early.  
    

Attackers are always looking for new ways to infiltrate organizations' systems, and the new ploys we're seeing certainly add to the advantages cybercriminals have over organizations that are unprepared for attacks. However, organizations are far from helpless. By taking the practical and proven steps outlined in this article, organizations can make life very tough for IABs and ransomware groups, despite their new array of tactics.

How to Dodge New Ransomware Tactics

What's it going to take to prod organizations to implement a post-quantum security plan? Legislative pressure.

What's it going to take to prod organizations to implement a post-quantum security plan? Legislative pressure.

Source: Deloitte

Security professionals might need a little help motivating themselves and their organizations to implement measures to counteract the threats inherent to quantum computing. According to a recent survey from Deloitte, enterprises say without external pressure, they won't be pushing forward their plans to implement precautions.

When asked what will drive their organizations to step up its quantum security risk management, over one-fourth (27.7%) said regulatory pressure, followed by one-fifth (20.7%) who cited pressure from the board of directors or the C-suite. The rest of the answers cascaded down accordingly: responding to competitors' pressure (15.1%), embarrassing internal incidents (11.7%), and customer or investor concerns (6.8%).

Because changing the way an organization handles data is a major decision, it makes sense that security staffs want the higher-ups to take responsibility for any change in direction. Perhaps to accommodate this desire, US President Joe Biden issued a pair of presidential directives in May 2022 to establish a national policy on what he called quantum information science, or QIS. Combined with NIST's recent approval of four post-quantum cryptography algorithms, these could provide the added push organizations need in order to get started combating a threat that is five to 10 years away.

The Deloitte survey asked about attitudes among organizations that were already considering the benefits of quantum computing. Responses showed that just over one-quarter of respondents had conducted a quantum risk assessment, with another quarter planning one in the next five years. About half of the respondents considered their organizations at risk for harvest-now/decrypt later (HNDL) attacks, in which encrypted files are stolen and stored until the technology to crack the encryption comes to market.

The scale of the potential threat to current computing practices is reminiscent of the Y2K bug, a database shortcoming that stored years as two-digit fields instead of four digits, the implications of which created both a popular panic and concentrated effort across industries to head it off. The preemptive policies from the US, as well as activities in the European Union, may bear fruit in pressuring corporations and governmental entities to institute post-quantum cryptography (PQC) and other protective measures. Boards of directors and company executives might find reassurance as government efforts progress and less-disruptive ways to begin the switchover emerge.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

No Motivation for Quantum Without Regulatory Push

**Woburn, MA, September 20, 2022 —** With the latest version of Kaspersky EDR Optimum, users can access an advanced automated detection mechanism and tailored incident response recommendations. The updated solution also ensures protection from damaged to crucial OS files, and provides information on file reputation from Kaspersky’s Threat Intelligence portal.

To help IT security workers deal with increased attack surfaces and complexities, Kaspersky presents the new edition of Endpoint Detection and Response Optimum. The updated version gives users the opportunity to gain highly sought-after skills in incident investigation and response, and helps them tackle their responsibilities under conditions of limited time and attention.

Kaspersky Endpoint Detection and Response Optimum provides information to get up to speed quickly. In addition to the previously available YouTube video instructions, the product now offers a Guided Response section in the alert card where IT security specialists can see the recommended steps for investigation and response.

In addition, Kaspersky Endpoint Detection and Response Optimum contains integrated "quality of life" improvements such as Threat Intelligence file reputation in the alert card. When a response is performed, a special check will help avoid making a mistake and blocking a crucial OS file, which can lead to ruining the whole infrastructure.

File reputation from Kaspersky Threat Intelligence Portal is available directly in the console allowing users to understand what files are harmless, malicious or suspicious, and also gives users insight into known or new threats in a faster and easier way. It also shows information such as which regions or countries the file was observed most frequently, and provides a link to the threat intelligence portal with additional information about the file.

“When our team was working on the Kaspersky Endpoint Detection and Response Optimum enhancements, one of the goals was to make all the solutions’ capabilities accessible for all types of our users, even for those who are making their first steps in investigation and response,” said Pavel Petrov, senior product manager at Kaspersky. “We believe the new features will allow our customers not only to ensure the protection of their company against multiple types of threats, but also increase the EDR expertise of the internal IT security team.”

During the last year, Kaspersky Endpoint Detection and Response was repeatedly recognized for its outstanding protective capacity. The product has shown superb results according to various independent evaluations including SE-labs, IDC, Radicati and others.

More information about Kaspersky Endpoint Detection and Response Optimum is available via this link.

Source

DARKReading