The Treasury Department links the MuddyWater APT and APT39 to Iran's intelligence apparatus, which is now blocked from doing business with US entities.

The feds have moved to sanction the Iranian government for its cybercrime activities, which they allege have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

US Department of the Treasury's Office of Foreign Assets Control (OFAC) is specifically designating Iran's Ministry of Intelligence and Security (MOIS) for "engaging in cyber-enabled activities against the United States and its allies," since at least 2007.

The sanctions mean that US citizens and visitors to the US are prohibited from doing business or carrying out any transactions involving funds, goods, or services with the designated entities or their proxies.

**Albanian Cyberattack Sparks US Action**

The Treasury Department cited a recent cyberattack in July that disrupted the Albanian government as emblematic of Iran's tactics; that incident resulted in the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents.

"Iran's cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public," Brian Nelson, undersecretary of the treasury for terrorism and financial intelligence, said in a statement on Friday. "We will not tolerate Iran’s increasingly aggressive cyber-activities targeting the United States or our allies and partners."

John Hultquist, vice president at Mandiant Intelligence, notes that Iran has a history of targeting the MeK, the group at the center of the Albanian incident. "These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain," he says. "Those operations were a template for the Albania attack."

**Calling Out MuddyWater & APT34**

The sanctions also extend to Minister of Intelligence Esmail Khatib, who the Treasury Department said is responsible for directing APT groups from within MOIS. The Friday announcement specifically mentions his weapon as including the MuddyWater APT (aka OilRig or APT34, specializing in espionage on rival governments) and APT39 (aka Chafer, which the US says supports Iran's human rights abuses).

“MOIS carries out cyber-espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service, the IRGC," says Hultquist, who notes that Mandiant has previously linked both APTs to Tehran. "They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable personally identifiable information (PII)."

US Sanctions Iran Over APT Cyberattack Activity

Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."

**Identity-Related Breaches on the Rise**

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's "2022 Trends in Securing Digital Identities" report.

Turning off basic forms of authentication is a simple way to block attackers, which are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."

The benefits of shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's "2022 Trends in Securing Digital Identities" report.

**Edging Toward Zero-Trust Architectures**

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.

"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or \[that\] haven’t yet embraced zero trust, leaving them exposed," researchers there wrote.

**Obstacles to Secure Identities Remain**

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.

Companies "sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."

Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.  

"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Microsoft, Cloud Providers Move to Ban Basic Authentication

A sweeping effort to prevent a raft of targeted cybercrime groups from posting ransomware victims'  data publicly is hampering their operations, causing outages.

The ransomware-as-a-service (RaaS) groups LockBit and ALPHV (aka BlackCat), among others, have been the focus of distributed denial-of-service (DDoS) attacks targeting their data leak sites, causing downtime and outages.

The attacks have been monitored by Cisco Talos since Aug. 20 and include a wide range of other RaaS groups, including Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz.

Forum posts by the LockBit gang's technical support arm, "LockBitSupp," indicate that the attacks have had a significant impact on the group's activities, with nearly 1,000 servers targeting the leak site with close to 400 requests per second, researchers said.

"Many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites," a Talos blog post explained this week.

The groups have responded in different ways, with some sites simply redirecting web traffic elsewhere, as in the case of the Quantum group, while others have beefed up DDoS protections.

"Given that this activity is continuing to interrupt and hinder the ability for these affiliates and operators to post new victim information publicly, we will likely continue to see various groups respond differently, depending on the resources available to them," the blog post authors noted.

**Shutdowns Offer Respite to Targeted Groups**

Aubrey Perin, lead threat intelligence analyst at Qualys, says in the case of a DDoS attack on RaaS leak sites, victims of criminal hacking gang activity would clearly benefit. Perin notes that the report showcases how effective these attacks are at halting ransomware operations, with outages allowing defenders precious time to investigate.

"If the leak sites are shut down, the victim's infrastructure cannot be announced," Perin says. "The purpose of these types of attacks is to interrupt the gangs' activities," adding that if gangs cannot list victim information, then extortion tactics become far more difficult, and in some cases benign.

However, Perin adds today's bad actors are growing increasingly sophisticated and learning from mistakes on the fly, so they may find workarounds rather quickly.

"More mature gangs have exemplified their agility to quickly re-organize and launch more sophisticated countermeasures for DDoS attacks," Perin explains. Where initial ransomware authors used "spray-and-pray" methods, Perin points out that today's bad actors carry out ransomware attacks as professional operations, with each applying their own "special sauce."

"Organizations each have their own strategies and protocols they follow, and RaaS is no different. Each gang finds what works best, develops strategy, and executes," Perin says. "Each gang's operations are unique to that of other gangs."

Thus, Perin says, without a deeper understanding of a specific gangs' operating schedule and strategy, it is next to impossible to know the real impact to their operations.

"That being said, these attacks certainly have the power to tarnish their reputations," Perin notes.

**Rival Extortion Groups, Government Agencies Could Benefit**

When it comes to who's behind the DDoS efforts, Rick Holland, CISO and vice president of strategy at Digital Shadows, says rival extortion crews and government agencies are two possible beneficiaries of attacks against data leak sites.

"There is no honor among thieves, and there is a history of groups targeting each other," he says. "On the government side, US Cyber Command commander General \[Paul\] Nakasone admitted to targeting ransomware groups last year, so it would be reasonable to assume that the US government has continued efforts to disrupt the adversaries."

Holland says extortionists need to think about their site's resilience, just like legitimate businesses.

"There are other ways for ransomware victims to interact with the actors," he explains. "RaaS representatives are available on forums, and victim negotiations can still be taken offline through various messaging applications."

Andrew Hay, COO at LARES Consulting, adds that the targeted gangs are likely actively combatting the issue.

"We'll likely see the threat groups relocate their servers and services to a more distributed infrastructure to maintain availability, just like any organization would to stay operational," he says.

From Hay's perspective, the report suggests that attacks directed at RaaS data leak sites are likely not going to fade away anytime soon, which could lead to a sort of underground competition for affiliates.

"You don't need to be the best, you just have to be better — or more available — than the other guy," he says.

LockBit, ALPHV & Other Ransomware Gang Leak Sites Hit by DDoS Attacks

More docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

Evidence indicates that the world's ports are returning to pre-pandemic levels. During the first 11 months of 2021, the value of US international freight increased by more than 22% (PDF) compared with the same 11 months in 2020. More freight means more ships docking at port. And not only are more ships docking, but their dwell times are increasing as well. The average container vessel dwell time at the top 25 US container ports was estimated at 28.1 hours in 2020. In the first half of 2021, average container vessel dwell times increased to 31.5 hours.

While this increase in activity is undoubtedly welcome, more docked ships bring a new challenge. The longer a ship is docked, the more vulnerable the port is to a cyberattack.

**The Cyber-Risk to Ships**

The maritime industry is especially vulnerable to cyber incidents. There are multiple stakeholders involved in the operation and chartering of a ship, which often results in a lack of accountability for the IT and OT system infrastructure and the ship's networks. The systems may rely on outdated operating systems that are no longer supported and cannot be patched or run antivirus checks.

Going forward, this threat is expected to increase. Critical ship infrastructure related to navigation, power, and cargo management has become increasingly digitized and reliant on the Internet to perform a broad range of legitimate activities. The growing use of the Industrial Internet of Things (IIoT) will increase the ships' attack surface.

Common ship-based cyber vulnerabilities include the following:

*   Obsolete and unsupported operating systems
*   Unpatched system software
*   Outdated or missing antivirus software and protection from malware
*   Unsecured shipboard computer networks
*   Critical infrastructure continuously connected with the shore side
*   Inadequate access controls for third parties including contractors and service providers
*   Inadequately trained and/or skilled staff on cyber-risks

**Troubled Waters?**

Maritime cybersecurity has become a significant issue affecting ports around the world. According to the firm Naval Dome, cyberattacks on maritime transport increased by 400% in 2020. Cybersecurity risks are especially problematic to ports around the globe since docked ships regularly interact digitally with shore-based operations and service providers. This digital interaction includes the regular sending of shipping documents via email or uploading documents via online portals or other communications with marine terminals, stevedores, and port authorities.

For example, many port authorities require a Port State Control (PSC) survey to be completed by foreign ships docking in their ports. Among other activities, this survey verifies several ship certificates and approximately 40 different documents required by international maritime authorities.

Some past examples of port-based cyber breaches:

**Port of Rotterdam:** In June 2017, the port of Rotterdam was hit with a ransomware attack that paralyzed the activities of two container terminals operated by APMT, a subsidiary of the Møller-Maersk group. Note that the port of Rotterdam had completely automated its operations as part of a Smart Port strategy.

**Port of Shahid Rajaee:** In May 2020, the port of Shahid Rajaee, Iran, suffered a cyberattack that almost totally shut down its operations. The Washington Post reported that the "computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility." This cyberattack was presumed to be Israel's response to an attack on its water network.

**Port of Kennewick:** In November 2020, the port of Kennewick, Wash., was hit with ransomware that completely locked access to its servers. Even with the small size of this port, it took nearly a week for port authorities to access their data. Malware injected via a phishing email is thought to be the cause of this attack.

Knowing that they are vulnerable to cyber breaches does not help alleviate the challenge to ports that have no choice but to accept documents originating from these ships. If ports block these documents, the ships cannot dock, and this ultimately causes delays in global logistics and the supply chain.

**The Danger**

Ports have no choice but to accept the ships' documents. Refusal to accept these documents means loss of port revenue and blockages in the smooth flow of the supply chain. Document sending must proceed. But file-borne threats pose a significant challenge for ports. Malware is designed to access or damage a computer without the owner's knowledge. Hackers embed malicious code into seemingly innocent files. When those files are opened, the malware automatically executes and allows the hackers to gain access to valuable data or cause damage to the maritime industry.

Many of these threats first enter the ship through email phishing schemes — attempts to fool employees and individuals into opening and clicking on malicious links or attachments in emails or uploading malicious documents to website portals. These "hacks'' often exploit vulnerabilities in the ships' networks, using the vessel to gain access to the ship's partners, including the port.

Why Ports Are at Risk of Cyberattacks

No agreement could be reached on terms of a firm offer, the provider of AI-based cybersecurity products says.

US private equity firm Thoma Bravo, which has been on a cybersecurity vendor buying spree lately, has walked away from plans to add British cybersecurity firm Darktrace to its portfolio.

The two sides parted ways after failing to come to an agreement on the terms of a deal. The news sent shares of Darktrace plunging nearly 35% Thursday on the London Stock Exchange, falling from 514.6 pence per share (about US$5.91) at close of trading Wednesday to 337.1 pence per share (roughly $3.87) on Thursday.

Darktrace — a provider of AI-based cybersecurity technologies — on Aug. 15 announced that it had received several "preliminary and conditional proposals" from Thoma Bravo to purchase the company. The security firm said Thoma Bravo was in early discussions to buy it out in an all-cash transaction, but it had cautioned at the time that there was no certainty that an offer would be made.

On Thursday, Darktrace said those discussions had broken down, and that an agreement could not be reached on the terms of an offer.

"Further to the announcement made earlier today by Thoma Bravo that it does not intend to make an offer for the Company, the Board of Darktrace confirms that discussions with Thoma Bravo have terminated," the company said. "As a result of the announcement made earlier today by Thoma Bravo, the Company is no longer in an offer period for the purpose of the UK Takeover Code."

Thoma Bravo did not immediately respond to a Dark Reading request for comment on the development.

British rules governing proposed mergers and acquisition prohibit Thoma Bravo from making an offer for Darktrace for another six months, unless another firm makes a formal offer to buy the company, Reuters and several British media outlets noted.

Darktrace was founded in 2013 and currently claims to have more than 7,400 customers in 110 countries. It reported revenues of $419.3 million for fiscal year 2022 before revising that number down to $415.5 million after determining that $3.8 million in revenues should have been attributed to fiscal year 2021. Darktrace went public on the LSE in April 2021. At one point, the security vendor's market cap hit more than $8 billion, but questions over the company's valuation drove its stock down shortly thereafter and kept it there for most of this year.

Darktrace also has had its share of controversy related to British billionaire Mike Lynch, who is one of the biggest shareholders in the company. Lynch is currently fighting extradition to the US after a British court held him culpable earlier this year of artificially inflating the value of his previous company Autonomy before selling it to HP for $11.1 billion in 2011. HP filed a lawsuit against Lynch after the company was forced to write-down the value of Autonomy by $8.8 billion one year after acquiring the firm.

**Market Valuation an Unlikely Factor**

All of that said, Richard Stiennon, chief research analyst at IT-Harvest, says Thoma Bravo's change of plans likely had little to do with Darktrace being overvalued. In fact, most publicly traded cybersecurity companies are way down from their highs last summer and, if anything, are dramatically undervalued, Stiennon says.

"I don't think Thoma Bravo is backing off of Darktrace because of valuations," he says. "I think strategically there is not a clear market for the AI-enhanced threat hunting that Darktrace touts. The market is pretty much equal to Darktrace's revenue today."

**Thoma Bravo's Cybersecurity Buying Spree**

The Darktrace acquisition, if it had gone through as planned, would have added yet another company to Thoma Bravo's rapidly growing roster of cybersecurity acquisitions. Recently the private equity firm has spent tens of billions of dollars acquiring the likes of identity service provider SailPoint for $6.9 billion, Ping Identity for $2.8 billion, Proofpoint for $12.3 billion, and Sophos for $3.9 billion.

Overall, 2021 marked a record year for merger and acquisition activity in the cybersecurity sector, with some $77.5 billion in M&A volume and $29.3 billion private equity and venture capital investments, according to Momentum Cyber. Through the end of the first quarter of 2022, Momentum reported $12.2 billion in M&A activity and $7 billion in financing from VCs and PE firms.

Darktrace Shares Plunge After Thoma Bravo Acquisition Falls Apart

You certainly don't need to panic, but you do need to form a plan to prepare for the post-quantum reality.

Unless you live under a rock, you'll know that quantum computers will break the cryptography we use today in as little as 10 years. Unfortunately, most analysis on this topic is simplistic. The quantum threat is described as though a day will come where quantum is unleashed and all systems will be broken at once. This is far from the truth.

As a CISO, it's important to develop a nuanced understanding of this critical topic. You certainly don't need to panic, but you need to form a plan that's based on your business, with all its idiosyncrasies. Your peers in other companies should be doing the same thing; however, their plans will look different. There is no generic answer to the quantum threat.

In reality, the threat will materialize slowly. The first machines able to run Shor's algorithm will take weeks to break an RSA key. Only the highest value targets will be considered for attack, given the immense cost expected for that amount of computation. Over time, more machines will be capable of breaking keys, and the cost and time associated with the task will reduce dramatically. Eventually, anyone will be able to perform this attack within minutes for minimal cost.

Your goal as a CISO is to assess your risk over this unknown time frame. Do you process data so sensitive that you're likely to be among the first targets? Is some of your data more valuable than the rest? What about the lifetime of the data — how long does it need to remain secret? These are all questions to consider as you create a pragmatic plan to address the quantum threat.

**Understand the Status Quo**

At a recent conference, I heard a law firm describe its response to a major cyberattack. During the confusing first days, the company was desperate to assess whether its critical data was safe. Yet the respondents realized they weren't sure what data mattered most. Eventually they concluded their client data was more important than the rest of the business combined. This shaped the firm's subsequent decisions and accelerated its response time.

Ideally, you would reach these conclusions before a major cyberbreach. And certainly, you must understand your business priorities before you plan your post-quantum migration plan. CISOs need to develop an inventory of every system that describes:

*   The business importance of the data.
*   How cryptography protects the data at rest and in transit.
*   How long the data needs to remain secret. 

If you already have this data in hand, congratulations — you're unusually well-prepared. For most CISOs, however, this information is patchy, at best. Understanding the status quo is the critical first step in your migration.

**Pragmatically Prioritize**

Next comes the difficult piece. With your pragmatic hat on, you need to decide the order in which to migrate your systems to post-quantum algorithms. You can't change everything at once, and it's likely to be years between the time your first systems are migrated and the last.

Your highest priority should be long-term sensitive data that is transmitted across the Internet. This includes health data, government secrets, client data, and intellectual property. This data is especially vulnerable thanks to an attack sometimes known as "hack now, decrypt later," in which attackers record encrypted transmissions to decrypt in the future using a quantum computer.

If your company develops physical devices, such as in the Internet of Things (IoT) industry, you will need to pay particular attention to migrating roots of trust toward post-quantum algorithms. Devices that are expected to remain secure for 10 or more years are definitely at risk from fraudulent firmware once the quantum threat arrives.

This is the hardest step in the migration process because it's unique to your business. But it's worth doing correctly so that you allocate resources appropriately. This process also highlights the vendors you need to work closely with, as they migrate their own systems to post-quantum protection.

**Start Testing**

Once your migration plan is in place, the next step is to perform testing to understand the impact of shifting your systems toward post-quantum algorithms. The new post-quantum algorithms behave differently than the algorithms we use today, and it won't always be a simple task to pull one algorithm out and replace it with another.

Even with the recent NIST announcement of its initial quantum-resistant algorithm candidates, post-quantum algorithms are not yet standardized, and it may take until 2024 until that happens. Use this time wisely to understand where you need to invest additional resources to cope with the changes that lie ahead.

**Take the Chance to Build Better**

Whenever I talk about quantum, I find the conversation quickly drifts to the quantum threat. However, I encourage people to think positively about quantum technology and even the quantum threat itself.

Responding to the threat will require an immense upheaval of systems, similar in scope to the Y2K challenge. This is a rare opportunity to touch each of our systems and change them for the better. It's certain that this algorithm migration won't be the last one we have to conduct. Let's use this opportunity to build crypto agility into our systems, so the next migration is far less painful.

And while we are rebuilding crypto systems, we should explore how we can build on firmer foundations. This is where quantum technology has a role to play. As we look to a future where threat actors have quantum computers as a weapon, we should look to defend ourselves with the same amount of power. Quantum is a dual-edged sword, and we should ensure that, as defenders, we are ready to wield it for protection as well.

A Pragmatic Response to the Quantum Threat

From analyzing your company's risk profile to knowing where keys are stored and who can access them, prioritize key clean-up and management. Make compliance an outcome and develop a risk management strategy.

The stratospheric rise in the number of global cybersecurity attacks cast a floodlight on the critical need to follow best practices with encryption and security in general. Adopting an inside-out mindset is one thing; putting it into practice is another.

To assist, the team at Cryptomathic has compiled a list of five key pointers to better cryptographic key management to help organizations jumpstart the journey.

**Tips for Better Cryptographic Key Management**

**1\. Start with really good keys — and an inventory scan.** Without a doubt, the most important thing you can do is make sure that your organization is using high-quality keys. If you don't use good keys, what's the point? You're building a house of cards.

Creating good keys requires knowing where the keys come from and how they were generated. Did you create them on your laptop or with a pocket calculator, or did you use a purpose-built tool designed specifically for the job? Do they have enough entropy? From generation, to usage, to storage, the keys should never leave the secure boundaries of a hardware security module (HSM) or a similar device.

Chances are, your organization is already using keys and certificates — do you know where they reside? Who has access to them and why? Where are they stored? How are they managed? Create an inventory of what you have and then start to prioritize the clean-up and centralization life cycle management for those keys, certificates, and secrets.

**2\. Analyze your entire risk profile across your whole environment.** You can create the most brilliant, thorough, and comprehensive cybersecurity strategy, but ultimately, it will only be successful if everyone in your organization buys in and complies with it. That's why it's important to develop a risk management strategy with input from representatives from across the business. Include compliance and risk people from the beginning to keep the process honest. For the security processes and protocols to be meaningful, they must include everyone from IT people to the business units who bring use cases and can go back and explain to their peers why the security steps are necessary.

**3\. Make compliance an outcome, not the ultimate objective.** This might sound counterintuitive, but hear me out. Even though compliance is incredibly important, there's an inherent risk to using regulatory compliance as the sole driver of your strategy. When systems are designed to simply tick the boxes on a regulatory checklist, organizations miss the broader, more important point: to design and build for better security.

Instead, use regulations and security standards as a guideline for the minimum set of requirements and then make sure that your efforts actually address your security and business needs going forward. Don't let compliance be a distraction from the real objective.

**4\. Balance security with usability.** How does security affect usability? Have you created a system that's so secure that it's impractical for most users? It's imperative to find a balance between security and the user experience, and to make sure that the security processes don't hinder people from actually doing their work. For example, multifactor authentication can be a great way to make access more secure, but if it's not implemented correctly, it can cause workflows to break down and efficiency to take a nosedive.

**5\. Be a specialist … that knows when to call an expert.** Key management is serious business and should be treated as such. Someone in your organization should become really proficient at understanding the tools and technology to establish good key management practices at the core of everything your organization does.

At the same time, it's equally important to recognize when you need expert support, like when your organization has too many keys to manage. The National Institute for Standards and Technology (NIST) publishes a huge document that lays out recommendations for everything that should and shouldn't be done to establish good key management practices. Cryptography professionals deep-dive into these recommendations to make sure that the cryptographic tools and key management solutions offered meet these standards. That way, when your organization needs additional support for the key management process, you'll have the framework to evaluate the options and find the expertise you need to secure your assets effectively.

5 Keys to Better Key Management

Instagram and Facebook parent company Meta was slapped with the fine for exposing the personal data of minors.

Following an investigation that began in 2020, Ireland's data privacy regulation agency will reportedly issue Meta a $400 million fine, for mishandling Instagram user data belonging to minors.

The Data Protection Commissioner (DPC) told Reuters the full decision on the Instagram data privacy fine will be released in a few days.

Reuters reported the DPC was looking into the ability of 13-to-17-year-old users to obtain business accounts, exposing their personal information in violation of GDPR data privacy rules. Instagram and Facebook parent company Meta has vowed to appeal, but has since put measures in place to protect under-age users' data.

Last March, the DPC issued a €17 million (US$16.9 million) fine against Meta for noncompliance with GDPR regulations following a series of 12 data breaches.

Reuters added that the draft ruling against Instagram was shared with other European Union regulators, so there could be more fines coming.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meta to Appeal $400M GDPR Fine for Mishandling Teen Data in Instagram

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Breaches involving phishing and credential compromise have received a lot of attention in recent years because of how frequently threat actors have employed the tactics in executing both targeted and opportunistic attacks. But that doesn't mean that enterprise organizations can afford to lessen their focus on vulnerability patching one bit.

A report from Kaspersky this week identified more initial intrusions last year resulting from exploitation of vulnerabilities in Internet-facing applications than breaches involving malicious emails and compromised accounts _combined_. And data the company has collected through the second quarter of 2022 suggests the same trend might be playing out this year as well.

Kaspersky's analysis of its 2021 incident-response data showed that breaches involving vulnerability exploits surged from 31.5% of all incidents in 2020 to 53.6% in 2021. Over the same period, attacks associated with the use of compromised accounts to gain initial access declined from 31.6% in 2020 to 17.9% last year. Initial intrusions resulting from phishing emails decreased from 23.7% to 14.3% during the same period.

**Exchange Server Flaws Fuel the Exploit Frenzy**

Kaspersky attributed the surge in exploit activity last year as likely tied to the multiple critical Exchange Server vulnerabilities that Microsoft disclosed, including a set of four zero-days in March 2021 known as the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). When chained together they allowed attackers to gain complete remote control over on-premises Exchange Servers. 

Attackers — which included organized criminal gangs and state-sponsored groups from China — quickly exploited tens of thousands of vulnerable Exchange Server systems and dropped Web shells on them before Microsoft could issue a patch for the flaws. The vulnerabilities evoked considerable concern because of their ubiquity and severity. They even prompted the US Department of Justice to authorize the FBI to take the unprecedented step of proactively removing ProxyLogon Web shells from servers belonging to hundreds of organizations — in most cases, without any notification.

Also driving the exploit activity in 2021 was another trio of Exchange Server vulnerabilities collectively labeled ProxyShell (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) that attackers used extensively to drop ransomware and in business email compromise (BEC) attacks.

More than a year later, the ProxyLogon and ProxyShell vulnerabilities continue to be targets of heavy exploit activity, says Konstantin Sapronov, head of Kaspersky's Global Emergency Response Team. One of the most severe of these flaws (CVE-2021-26855) has also been the most targeted. Kaspersky observed the vulnerability — part of the ProxyLogon set — being exploited in 22.7% of all incidents involving vulnerability exploits that it responded to in 2021, and the flaw continues to be a favorite among attackers this year as well, according to Sapronov.

**Same Exploitation Trend Likely Playing Out in 2022**

Even though several serious vulnerabilities have surfaced this year — including the ubiquitous Apache Log4j vulnerability (CVE-2021-44228) — the most exploited vulnerabilities of 2021 remain very prevalent in 2022 as well, Sapronov says, even beyond the Exchange server bugs. For instance, Kaspersky identified a flaw in Microsoft's MSHTML browser engine (CVE-2021-40444, patched last September) as the most heavily attacked vulnerability in the second quarter of 2022.

"Vulnerabilities in popular software such as MS Exchange Server and library Log4j have resulted in a huge number of attacks," Sapronov notes. "Our advice to enterprise customers is to pay close attention to patch management issues."

**Time to Prioritize Patching**

Others have noted a similar spike in vulnerability exploit activity. In April, researchers from Palo Alto Networks' Unit 42 threat research team noted how 31%, or nearly one in three incidents, they had analyzed up to that point in 2022 involved vulnerability exploits. In more than half (55%) of those, threat actors had targeted ProxyShell. 

Palo Alto researchers also found threat actors typically scanning for systems with a just-disclosed flaw literally minutes after the CVE is announced. In one instance, they observed an authentication bypass flaw in an F5 network appliance (CVE-2022-1388) being targeted 2,552 times in the first 10 hours after vulnerability disclosure.

**Post-Exploitation Activity is Tough to Spot**

Kaspersky's analysis of its incident-response data showed that in nearly 63% of cases, attackers managed to stay unnoticed in a network for more than a month after gaining initial entry. In many cases, this was because the attackers used legitimate tools and frameworks such as PowerShell, Mimikatz, and PsExec to collect data, escalate privileges, and execute commands. 

When someone did quickly notice a breach, it was typically because the attackers had created obvious damage, such as during a ransomware attack. "It's easy to detect a ransomware attack when your data is encrypted, as services are unavailable, and you have a ransom note on your monitor," Sapronov says.

But when the target is a company’s data, attackers need more time to roam around the victim’s network to collect necessary information. In such cases, attackers act more stealthily and cautiously, which makes these kinds of attacks harder to detect. "To detect such cases, we suggest employing a security tool stack with extended detection and response (EDR)-like telemetry and implement rules for detection of pervasive tools used by adversaries," he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the real takeaway for enterprise organizations is that attackers will take any opportunity they can to breach a network. 

"With a range of exploitable vulnerabilities, it’s not a surprise to see an uptick," he says. Whether the numbers are higher for vulnerabilities over socially engineered credential attacks, is hard to say, he notes. 

"But the bottom line is threat actors will use the exploits that work. If there's a new remote code exploit on some Windows service, they’ll flock to it and breach as many systems as they can before the patches come out or firewall rules get deployed," he says.

The real challenge is the long-tail vulnerabilities: The ones that are older, like ProxyLogon, with vulnerable systems that have been missed or are ignored, Parkin says, adding that patching must be a priority.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

The initial access broker (IAB) for ransomware gangs known as UAC-0098 has targeted Ukrainian organizations in five separate phishing campaigns spanning April to August.

Former members of the Russia-linked Conti ransomware gang are repurposing their tactics to join in with an initial access broker (IAB) that's been targeting Ukraine in a series of phishing campaigns that occurred over a recent four-month span.

Google Threat Analysis Group (TAG) has been tracking recent activity of a group it identifies as UAC-0098, which researchers think now includes former members of the notorious ransomware actor.

As TAG's Pierre-Marc Bureau wrote in a blog post published Wednesday, UAC-0098 — historically known for delivering the IcedID banking Trojan as a prelude to human-operated ransomware attacks — in recent months has acted specifically against Ukrainian organizations, the government of Ukraine, and pro-Ukraine European humanitarian and nonprofit organizations.

The activity's goal has been to sell persistent access into such targets' networks to various ransomware groups, including Quantum and Conti (aka FIN12 or Wizard Spider).

UAC-0098's latest campaigns demonstrate a shift in focus to politically motivated actions, reflecting the group's affiliation with Conti and, unsurprisingly, its support of Russia's military actions against Ukraine, notes Tom Kellermann, CISM and senior vice president of cyber strategy at Contrast Security.

"Conti's recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime," he said in an email to Dark Reading.

**Making the Connection**

Google TAG discovered five separate and specific phishing campaigns that occurred from April to August, using tools and tactics previously identified with Conti. Threat actors impersonated several known entities to lure victims into downloading malware using typical phishing tactics to give ransomware groups access for further threat activity.

The first campaign that linked UAC-0098 to Conti caught TAG's attention in late April, when researchers identified attacks delivering AnchorMail, also referred to as "LackeyBuilder." AnchorMail, developed by Conti and previously installed as a Trickbot module, is a version of the Anchor backdoor that uses the simple mail transfer protocol (SMTPS) for command-and-control (C2) communication.

"The campaign stood out because it appeared to be both financially and politically motivated," Bureau wrote in the post. "It also seemed experimental: instead of dropping AnchorMail directly, it used LackeyBuilder and batch scripts to build AnchorMail on the fly."

Researchers also identified UAC-0098 activity in another email campaign that occurred earlier in the month to deliver IcedID and Cobalt Strike as attachments to Ukrainian organizations. This particular initial phase of the group's Conti-linked activity occurred between mid-April to mid-June, and primarily targeted hotels in the Ukraine.

**Other Campaigns**

Another phishing attack occurred on May 11 when UAC-0098 targeted Ukrainian organizations in the hospitality industry with phishing emails impersonating the National Cyber Police of Ukraine. The emails contained a download link urging targets to use it to update their operating systems; the link generated a PowerShell script to fetch and execute IcedID.

On May 17, UAC-0098 used a compromised account of a hotel in India to send phishing emails again to Ukrainian hospitality organizations, researchers said. The emails included an attached .ZIP archive containing a malicious .XLL file that downloaded a variant of IcedID.

On that day, the same compromised account also was used to target humanitarian nongovernmental organizations (NGOs) in Italy, delivering IcedID as an .MSI file through the anonymous file sharing service dropfiles\[.\]me.

Two days later in a fourth separate campaign, UAC-0098 impersonated representatives of Elon Musk and his StarLink satellite service using the address "\[email protected\]\[.\]info" to send phishing emails claiming to deliver software required to connect to the Internet using StarLink satellites. The email included a link to an .MSI installer dropping IcedID, downloaded from the attacker-controlled domain, "starlinkua\[.\]info."

Four days later, a similar attack targeted a wider range of Ukrainian organizations operating in the technology, retail, and government sectors using the same IcedID binary with a file name that resembled a Microsoft update, researchers said.

The last phishing campaign by UAC-0098 uncovered by TAG occurred on May 24, and targeted the Academy of Ukrainian Press with a phishing email containing a Dropbox link to a malicious Excel document. The document directly fetched a Cobalt Strike file from an IP address previously used to deliver IcedID payloads in the campaign against the Italian NGOs on May 17, researchers said.

**Conti's Notorious Past**

Conti, a ransomware group active since late 2019, ceased operations as a formal entity in May. However, its members have carried on its cybercriminal legacy, remaining as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, initial network access, and other criminal endeavors.

In its heyday, Conti was known as one of the most dangerous and ruthless ransomware groups in the world; one of its last acts, in fact, so crippled the government of Costa Rica that the country was forced into a state of emergency.

Though linked to Russia, Conti previously had flip-flopped in its support of Russia's invasion of Ukraine, initially showing support on its data leak site early in the conflict before issuing a retraction that condemned "the ongoing war." The group then noted in a statement soon after that it would take "retaliatory measures" if the West launched cyberattacks against Russia or Russian-speaking countries.

The latest alignment with UAC-0098 now appears to show that at least some former members of Conti are backing Russia once more. It also demonstrates a blurring of the lines between financially motivated and government-backed groups in Eastern Europe, "illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests," noted TAG's Bureau.

Another group that notably also has turned against Ukraine is Trickbot, which IBM researchers said in July had been systematically attacking Ukrainian targets over the previous three-month period. Trickbot over the years has evolved from a banking Trojan to an initial access broker and a distributor for several ransomware and malware tools, including the Conti and Ryuk ransomwares, and the Emotet Trojan.

Source

DARKReading