For the first time in a year, security incidents involving email compromises surpassed ransomware incidents, a new analysis shows.

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort  organizations in other ways. 

Researchers from Kroll recently analyzed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

**Multiple Attack Vectors  
**Kroll's analysis shows that attackers leveraged the initial foothold gained via phishing in multiple ways, including to drop ransomware and malware, and to extort without any ransomware or encryption. 

In one incident that Kroll investigated during the first quarter, adversaries acquired an organization's global admin credentials after an IT employee at the company clicked on a phishing email they had sent. The adversaries used the credentials to take over multiple email accounts belonging to other members of the IT team as well as the C-suite, which in turn they used to download sensitive enterprise data. The attackers followed up with a demand seeking a ransom in exchange for the attack to stop.

In other instances, Kroll's researchers identified attackers breaking into a network by exploiting a vulnerability and then using that access to launch convincing-looking phishing campaigns. In one incident, the attackers exploited the ProxyShell vulnerability in Exchange Server to access the target network. Once inside, the attackers attempted to phish employees by attaching a malicious .zip file to a reply to a legacy internal email thread. The .zip file was disguised as an invoice, and appeared to be from a trusted internal source: Several users opened it and unknowingly downloaded IcedID on their systems. That organization was subsequently hit with the QuantumLocker ransomware two weeks later, Kroll said.

Phishing was not the only tactic that attackers used to try and gain initial access on a target system or network. In several incidents that Kroll investigated, threat actors exploited widely publicized vulnerabilities such as ProxyLogon and Log4Shell to gain a foothold from which to drop ransomware such as Conti, AvosLocker, and QuantumLocker on target networks. 

**Inadequate Defenses  
**Patrick Harr, CEO at SlashNext, a provider of anti-phishing services, says current organizations defenses are not fully designed to protect against attacks that appear to originate from inside the organization. "You can’t stop phishing that comes from legitimate services with employee awareness training," he says. "As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to prevent these threats." 

The broader adoption of work-from-home models over the past two years has also made it easier for attackers to target employees in phishing campaigns — and get away with it. "Remote work certainly created more opportunities for threat actors to execute \[business email compromise\] and other phishing attacks," says Hank Schless, senior manager of security solutions at Lookout. "Without being able to walk over to another person’s desk in the office, employees have a much harder time validating unknown texts or emails."

The increased reliance on smartphones and tablets for internal communications has created several issues, he adds. Spear-phishing attacks on mobile devices, for instance, are much harder to catch than on a desktop. Users also cannot preview link destinations or verify the sender's identity. So, a lot of the things that employees are trained to recognize as part of their phishing awareness training are hard or almost impossible to spot on a mobile device, Schless says.

**Temporary Ransomware Drop-off  
**Kroll's analysis showed that ransomware attacks — as a proportion of all attacks — dropped 20% between the fourth quarter of 2021 and the first quarter of 2022 and 30% between the third quarter of 2021 and the first quarter of 2022. At least some of the drop-off in attacks appears to have resulted from law enforcement's disruption of malicious activity by groups such as REvil, Kroll said. Another factor that likely contributed to the slowdown in ransomware attacks was the voluntary exit from the scene made by groups such as BlackMatter, Kroll added.

However, early data from the second quarter of 2022 suggests that ransomware actors are regrouping and preparing to resume their usual level of activity soon, according to Kroll.

An earlier report from Digital Shadows noted a similar drop-off in ransomware incidents in the first quarter of 2022 but pointed to emerging trends in the space that could have implications for enterprise organizations. One example is the growing trend by ransomware groups to align themselves for or against Russia in that country's war against Ukraine.

Like Kroll, researchers from Digital Shadows also observed incidents involving extortion, where no ransomware was deployed. One example cited by both companies was the attacks by a group identified as Lapsus$ (aka DEV-0537) that targeted several technology and security firms in the first quarter of 2022. In some of the incidents, the attackers defaced the websites of target organizations and claimed they had suffered a ransomware attack. In other instance, the group used stolen credentials to exfiltrate data and then threatened victims that it would release the data publicly unless paid a ransom.

Phishing Attacks for Initial Access Surged 54% in Q1

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

Supply chain security has been all the buzz in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. To that end, MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over supply chain - including software.

MITRE's so-called System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers. It can be used not just by cybersecurity teams but across an organization for assessing a supplier or product. 

"An accountant, a lawyer, \[or\] an operations manager could understand this structure at the top level," says Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. "The System of Trust is about organizing and amalgamating existing capabilities that just don't get connected right now" to ensure full vetting of software as well as service provider offerings, for example.

The SoT will make its official public debut next month at the RSA Conference (RSAC) in San Francisco, where Martin will present the framework as a first step in gathering security community support and insight for the project. So far, he says, the initial feedback has been "very positive."

MITRE is best known in the cybersecurity sector for heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, for the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.

Martin says he'll demonstrate the SoT framework and provide more details on the project during his RSAC presentation. The framework currently includes 12 top-level risk areas - everything from financial stability to cybersecurity practices - that organizations should evaluate during their acquisition process. More than 400 specific questions cover issues in detail, such as whether the supplier is properly and thoroughly tracking the software components and their integrity and security.

Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting data scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. An enterprise could then more quantitatively analyze a software supplier's "trustworthiness."

**SBOM Symmetry  
**Martin says that with software supply chain security, the SoT also goes hand in hand with software bill of materials (SBOM) programs. "SBOMs can give you deeper reason into understanding why you should trust," for example, a software component. Among several risk factors in the SoT, SBOMs can actually mitigate those risks or, at the least, provide better insight into the software and any risks. 

"If the SBOM has pedigree information, that information would allow for assessment of the tools and techniques used to build the software - whether reproducible builds were used to build the software, memory protection methods \[were\] invoked during the build" and other details, he notes.

So how does the SoT framework differ from risk management models? Traditional risk management employs probabilities, Martin says. With SoT, there's a list of risks that can be evaluated and scored to determine whether there is risk in specific areas and, if so, just how bad it really is.

"We want to help provide a consistent way of doing assessments ... and we would like to encourage data-driven decisions wherever we can" in supply chain evaluations, he says.

The next steps: introducing the concept of the SoT and offering the live taxonomy for public comment and scrutiny. "Then we can see what parts can be automated and where," and ensure that it can be integrated into the acquisition process. Vendors, too, could use SoT terminology in their product materials.

"'Supply chain' has a lot of different meanings," Martin explains. "We're not talking microelectronics in the US versus overseas. We're not trying to solve port issues. We're trying to get a culture of organizational risk management that includes supply chain concerns as a normal part of that. We want to bring some consistencies, automation, and data-driven evidence so there's more understanding of supply chain risks."

MITRE Creates Framework for Supply Chain Security

Last month attackers quickly reverse-engineered VMware patches to launch RCE attacks. CISA warns it's going to happen again.

The Cybersecurity and Infrastructure Agency (CISA) has issued an emergency directive requiring federal civilian executive branch agencies to update their VMware products impacted by a pair of new vulnerabilities or remove them from their networks.

The VMware bugs – CVE-2022-22972 and CVE-2022-22973 – expose several VMware products to remote code-execution (RCE) attacks. 

CISA said that last month, within just 48 hours of VMware patching its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, advanced persistent threat (APT) actors were able to reverse-engineer the updates to launch attacks. 

"These vulnerabilities pose an unacceptable risk to federal network security," CISA director said Jen Easterly in a statement. "CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government's lead and take similar steps to safeguard their networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA to Federal Agencies: Patch VMware Products Now or Take Them Offline

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

How Pwn2Own Made Bug Hunting a Real Sport

Polygraph Data Platform adds Kubernetes audit log monitoring, integration with Kubernetes admission controller, and Infrastructure as Code (IaC) security to help seamlessly integrate security into developer workflows.

SAN JOSE, Calif., May 18, 2022 /PRNewswire/ -- Lacework, the data-driven cloud security company, today announced new features added to the Polygraph® Data Platform which provide enhanced visibility and protection in Kubernetes environments. Through Kubernetes audit log monitoring, integration with the Kubernetes admission controller, and Infrastructure as Code (IaC) security, Lacework customers can now further minimize risks in build time and automate discovery of unusual behavior that could signify cloud account or container compromise. With these new features, Lacework is the only company which can offer automated anomaly detection that provides consistent visibility, context, and security across the entirety of a customer's multi-cloud environment from a single security platform.

According to Gartner® (1), "by 2026, more than 90% of global organizations will be running containerized applications in production, which is a significant increase from less than 40% today."

As more organizations leverage container-based application deployment to scale their businesses, they are rapidly adopting Kubernetes to manage containerized workloads. While easier to manage overall, the complexity and sheer size of Kubernetes environments makes it difficult for companies to detect threats, ensure compliance, and efficiently capture relevant security events. Existing security tools and manual procedures aren't built to secure the Kubernetes attack surface, which slows down agile development and defeats the purpose of using containers. This forces customers to employ additional Kubernetes-specific tools, further slowing down understaffed security teams with additional tool sprawl and alert fatigue. In fact, Red Hat found in its 2021 State of Kubernetes Security Report that more than half of respondents delayed deploying Kubernetes applications into production due to security concerns. Developers need more automated practices to quickly resolve issues and focus on delivering revenue-driving initiatives.

Lacework eliminates this challenge by integrating container security into the Polygraph Data Platform, providing end-to-end, integrated monitoring that enables customers to secure their cloud and Kubernetes environments from build to runtime. By consolidating disparate tools into a single platform, Lacework provides a highly automated solution that empowers organizations to seamlessly integrate security into developer workflows. The new features announced today provide comprehensive visibility, threat detection and alerts, configuration and compliance checks, and vulnerability scans:

Kubernetes Audit Logs Monitoring: A typical Kubernetes environment could include thousands of pods and containers with components constantly being created, shut down, or moved, and generating millions of events daily. This feature enables customers to monitor Kubernetes audit logs and all user and system actions to detect unknown and known threats.

Kubernetes Admission Controller: Through this integration, the Polygraph Data Platform can scan containers for misconfigurations or vulnerabilities prior to deployment on Kubernetes. Customers can use pre-built or customer policies to define the criteria, threshold, and response for a violation.

IaC Security: Using capabilities available following the acquisition of Soluble, Lacework customers can now review Infrastructure as Code prior to deployment to identify and optionally block insecure Kubernetes-related configurations.

"Containerized workloads are already difficult for many security solutions to keep up with because of their ephemeral and constantly changing nature. At scale, it's impossible for often understaffed security teams to effectively secure these environments," said Frank Dickson, Group Vice President, Security & Trust research practice, IDC. "Any benefit organizations get from deploying Kubernetes environments is negated by security approaches which don't provide security teams with the same automation Kubernetes provides to developers."

"We chose Lacework because it provides a fully integrated platform for cloud security. Before Lacework, we lacked the granularity and depth we needed to assess vulnerabilities due to numerous disparate tools," said Michael Lyborg, Senior Vice President, Global Information Security & Enterprise IT at Swimlane. "By integrating Lacework and the Swimlane low-code automation platform we automated our container image scans. This has resulted in time savings, better prioritization of work, faster iteration and validation of builds. The integration gave us the ability to retroactively and continuously scan published images so we have a continuous real-time view of risk across our dynamic cloud environment."

"While so much innovation has focused on helping developers work more efficiently to create revenue-driving initiatives, very little has been applied to the security tools that keep businesses safe, reducing the gains of development teams and ultimately putting organizations at risk," said Adam Leftik, VP of Product, Lacework. "Security teams are as important as developers in driving revenue for businesses, and these Kubernetes features for the Polygraph Data Platform ensure they can help teams across the business innovate securely and with confidence."

The Lacework Polygraph Data Platform is the only solution that extends automated anomaly detection across AWS, Google Cloud and now Microsoft Azure and Kubernetes EKS environments. Using accurate, machine learning-based threat detection at scale, the Polygraph Data Platform empowers customers to innovate with confidence.

Kubernetes audit logs monitoring is now available to Lacework customers on AWS EKS in limited availability. The Kubernetes admission controller integration is generally available. Integration with IaC security is available to all Lacework customers.

**Additional Resources:**

Visit our team at KubeCon EMEA at booth S47 on the show floor.

Check out the Lacework blog to learn more about Kubernetes audit log monitoring, our integration with the Kubernetes admission controller, and IaC security.

Become an expert on security fundamentals and learn more from your security and developer peers through Lacework Academy and the Lacework Community.

Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

For more information about how to join the Lacework team, visit our careers page.

(1) Gartner, "Compute Evolution: VMs, Containers, Serverless — Which to Use When?",  
Refreshed 22 March 2022, Arun Chandrasekaran, Published 1 June 2021,  
https://www.gartner.com/document/4002112?ref=TypeAheadSearch

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Lacework**

Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Microsoft Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, GV, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

SOURCE Lacework

Lacework Integrates Kubernetes Features to Enhance Security Across Multi-Cloud Environments

Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.

The Cybersecurity Infrastructure and Security Agency (CISA) has issued a warning about active exploits against unpatched F5 Network's BIG-IP systems. 

A patch for the vulnerability (CVE-2022-1388) was issued on May 4; since then, working proof-of-concept exploits have circulated among cybercriminals, making it easier for even less-skilled attackers to take advantage, CISA explains. 

Along with CISA, the F5 BIG-IP vulnerability alert was issued by the Multi-State Information and Analysis Center (MS-ISAC). Both organizations "strongly urge" administrators to upgrade F5's BIG-IP systems to a patched version. 

"According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks," the alert states. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Unpatched F5 BIG-IP Devices Under Active Attack

Build security in up front to secure open source code at the foundational level. Apply security controls, have engineering teams test, do code review, and use attacker-centric behavioral analytics to mitigate threats.

Organizations increasingly rely on open source code. Many enjoy the convenience of using open source code to quickly innovate or spin up services without the time-consuming process of developing their own code, but there's a catch: Open source code can turn into a security nightmare for organizations.

On the eve of 2022, a zero-day vulnerability — Log4j — was exploited by threat actors and placed organizations' software and Web applications, along with their business-critical data, at an increased risk. What made this attack so far-reaching was that the vulnerability stemmed from widely used open source code.

This points to a broader issue — threat actors rely on subverting open source for malicious purposes. Often, in the case of Log4j and other software such as EspoCRM, Pimcore, and Akaunting, they are able to capitalize on the inherent vulnerabilities associated with this code and remain undetected. As an industry, there is often a belief that vulnerabilities with open source code will be easy to spot, but that isn't the case — Log4j was put into production in 2013 and nobody noticed any issues until it was already too late.

**Open Source Is a Double-Edged Sword  
**Open source code can be an amazing resource for organizations. At its core, it's ready-to-use software that enables teams to decrease development time. This speeds innovation and empowers developers to relatively quickly stand up and deploy software. Additionally, this code is supported by a community of developers who volunteer their time. This means that new features can be released and bugs can be fixed by the community with no cost passed on to the developer. It's this extraordinary benefit that _also_ presents as a security risk.

While there are numerous benefits to utilizing open source code, there also are risks associated with its use. For instance, open source can only be developed based on community involvement. If the community loses interest in the project, or if key individuals get called to work on another project, development will stall. Additionally, bugs may be overlooked as developers assume it's the community's responsibility to locate and fix them. While many hands often make light work, this is a common problem with group work that doesn't have clear processes in place to ensure a consistent product.

There's also a very common misstep that I see organizations take when it comes to open source. While many of them rely upon open source code, they don't view the code as their own and often don't apply the same security controls that they would to their own, natively built code. That means that open source libraries often escape security testing and code reviews, which creates an environment where bugs and security flaws can get baked into a product at a foundational level.

**Come Together to Secure Open Source Code  
**As an industry, there are actions that we can take to better secure our open source code from threat actors. To start, if you're using a code scanning tool, scan all the open source libraries you're using. I would also encourage developers to contribute to the project. If enough people get involved, the project owners can institute these security steps themselves. Additionally, always be sure to check what security steps the project follows before using it.

Ensuring that security is built-in upfront will help to ensure that potential vulnerability gaps are closed, and has the added benefit of helping your industry peers who rely on open source.

**Address Open Source Concerns With Attacker-Centric Behavioral Analytics  
**Open source code, and its related vulnerabilities, aren't going away anytime soon. While government agencies, such as the Federal Trade Commission, have provided guidance to reduce vulnerabilities related to open source, there are additional steps organizations can take to further mitigate any threats.

Vulnerabilities may already be present in your code and organizations cannot solely rely on security teams to find and manage those vulnerabilities. Protection starts with review by their own engineering teams. Additionally, it is important to utilize a solution that will protect your organization from these inherent vulnerabilities and block any attempts to exploit your data. Utilizing attacker-centric behavioral analytics is vital to help your organization mitigate these threats.

Signature-based defenses will often fail at protecting your organization from exploits like Log4j since attacks can be launched in a multitude of ways. Monitoring and detecting suspicious behavior over time will help to identify the various attack patterns so your organization can mount a stronger defense.

If the last two years are any indication, organizations need to be on the lookout for increased cyberattacks. In 2022, I encourage you to start securing your code at the foundational level, and together, work to secure our ubiquitous open source code upon which we so heavily rely.

The Industry Must Better Secure Open Source Code From Threat Actors

Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.

Microsoft Security Intelligence this week tweeted a warning about an attack campaign targeting SQL servers and using a new approach to evade PowerShell monitoring. 

Instead of PowerShell, these threat actors are using sqlps.exe, a utility that comes standard with every version of SQL and functions as a "wrapper for running SQL-built CMDlets, to run commands and change the start mode of the SQL service to LocalSystem," Microsoft explained in a tweet thread. The new campaign starts with a brute-force attack and ultimately allows attackers to take over the targeted servers and deploy malware such as coin miners. 

Defenders should take note of the co-opting of the sqlps.exe utility and start to monitor their SQL server environments for its use as closely as they do for PowerShell, according to the Microsoft Security Intelligence team's advisory tweets. 

"The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code," the team said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Flags Attack Targeting SQL Servers With Novel Approach

It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.

Digital transformation, hybrid work, and the shift to the cloud have increased attack surfaces and created new vulnerabilities. Businesses must evolve cybersecurity strategies to protect themselves in today's threat landscape, as ransomware attacks, data breaches, and software supply chain attacks have become almost daily occurrences.

It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.

**Accelerating the Adoption of Zero-Trust Network Access  
**In today's age of distributed workforces and multiple devices, we are seeing considerable demand for cloud-based zero-trust and zero-knowledge architecture to store passwords, files, and other confidential information. Zero-trust network access is the only viable solution in a world where the "network perimeter" no longer exists. In addition to securing network connectivity for their distributed workforces, organizations need to ensure that their third-party vendors and business partners can connect to needed network resources securely.

**Securing Users Through a Zero-Trust Approach  
**A zero-trust approach includes strong user and device authentication, role-based access control (RBAC) with least-privilege access, and comprehensive password security, including strong, unique passwords for every user account and multifactor authentication (MFA).

Businesses should require two-factor authentication (2FA) wherever it's supported, preferably using a time-based one-time password (TOTP) code or a hardware-based FIDO2 key. This way, even if a cybercriminal steals an employee's password, it's useless without the second authentication factor. Enforcing these policies, and making them easier for employees to follow, can be accomplished by deploying an enterprise-grade password security platform.

Just one stolen password can bring down tens of thousands, even millions of dollars' worth of cybersecurity defenses. Password-related cyberattacks are going to keep happening to companies of all sizes, because cybercriminals know that too many organizations play fast and loose with their password security. It is critical to implement a zero-trust network access architecture to include RBAC with least-privilege access and secure access management.

As organizations implement privileged access management (PAM), cybercriminals are looking for the more vulnerable attack vectors in an organization, which are often contractors, new employees, or users who are not very technologically savvy — to then seek privileged escalation. It is therefore imperative that identity security evolves from protecting privileged access to protecting every user and every access device.

**Keeping Infrastructure a Secret  
**Securing human users with zero-trust network access is critically important, but so is securing infrastructure secrets. Over the past years, organizations have been trading on-premises computing for multicloud and hybrid-cloud environments and monolithic applications for modern microservices-based distributed applications. This has resulted in more systems interconnecting and exchanging critical information, often protected by infrastructure secrets such as certificates, database passwords, API keys, and Remote Desktop Protocol (RDP) credentials.

This information unlocks access to highly privileged systems and data, enabling devices and apps to leverage cloud resources and execute sensitive business processes — yet they are often nor managed securely or effectively. For this reason, secrets are prized by cybercriminals for use in highly sophisticated cyberattacks. As an example, among the massive amounts of data stolen during the NVIDIA security breach were code-signing certificates — which threat actors are now using to spread malware in the wild.

**Implementing a Comprehensive IT Secrets Management Strategy  
**As data environments become more complex, and the number of connected devices and apps grows exponentially, organizations need to shore up their IT secrets management. This capability must be integrated with existing DevOps environments and build systems and also with identity and authentication systems.

Organizations can't afford to take an ad hoc approach to securing data using point solutions. It is important to adopt comprehensive, zero-trust tools and protocols for managing digital authentication credentials to adequately organize and secure their private infrastructure data across user credentials and infrastructure secrets. With modern identity security and access management technology, organizations can dramatically improve their security posture while gaining visibility and control over their critical credentials, secrets, and passwords.  

**About the Author**

    

Darren Guccione is the CEO and Co-founder of Keeper Security, a top-rated password manager and secure digital vault. Darren is an entrepreneur, tech leader, and serial inventor who is passionate about creating disruptive technologies and finding the intersection between art, science, finance and technology. Darren is an engineer and certified public accountant. In addition to founding Keeper Security, Darren co-founded Callpod, Inc., in 2006 and OnlyWire, LLC, in 2008. He also served as the CFO and co-founder of Apollo Solutions, Inc., which was acquired by CNET Networks (now CBS Interactive).

2022: The Year Zero Trust Becomes Mainstream

As demonstrated in Ukraine and elsewhere, the battlefield for today's warriors extends to the virtual realm with cyber warfare.

The first shots fired in the current conflict between Russia and Ukraine were not by firearms, but keystrokes. In this new-age war, the cybersphere is a primary battleground, and advanced threat actor groups are the foot soldiers. This Russian-Ukrainian cyber battlefield is complex and multipolar, populated by many disparate threat groups, each determined to do their part — and take their share of the winnings.

Moscow deviated from the standard norms of conventional warfare when it attacked Georgia in 2008, and had been deploying major cyberattacks against Georgian websites and Internet infrastructure. This was reported to be a Kremlin-backed, nation-state campaign, according to the Small War Journal. It was considered the "first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other warfighting domains."

In the past year, the escalation of cybercrime has been made blatantly manifest through the spike in ransomware attacks, the deployment of pernicious new malware, and the unprecedented surge in cybercriminals and cyber incidents — coordinated and conducted within the illicit underground communities of the Dark Web.

CISOs of 2022 must maintain constant vigilance, ensuring their organization has the capacity to track, monitor, and remediate threats coming in from multiple focal points. It’s not only the well-known advanced persistent threats (APTs) anymore, but your average Dark Web actor or the local anonymous chapter.

It is not uncommon to see threat actor groups declaring their latest victories in the ongoing digital battle, be it pro-Ukranian threat-actor groups announcing their successful breach of Russian federal organizations or pro-Russian threat actors targeting Western infrastructure. A brief scroll through these groups' Twitter profiles and telegram channels is sufficient to see how structured and organized they behave.

**Mass Mobilization**  
How can we explain the mass mobilization of threat actors of all levels of sophistication, taking to the cyber battlefield to play their part in a conventional war between nation-states? It would be simplistic to attribute this massive paradigm shift only to advancements in technology. Instead, this external, global change is deeply connected to the changing internal dynamics of the cybercriminal underground itself.

The proliferation of cyber offensive capabilities on a global scale has unfolded in tandem with the proliferation of knowledge within the cybercriminal underground, allowing threat actor groups to build off of one another and "leapfrog" their way forward at a dizzying pace. Now, there is a clear opportunity for cybercriminals of every level of sophistication to buy instead of build their arsenal for attack.

**Criminals Go Leapfrogging**  
A business phenomenon known as leapfrogging has advanced rapidly in the cybercriminal underground over the past decade. Leapfrogging refers to the process of bypassing the standard, step-by-step path of development, whereby a nation, an enterprise, or individual takes advantage of existing opportunities and innovations to skip ahead, accelerating development to jump straight to a leading position. 

In the cybercriminal underground, threat actors have access to a multitude of leapfrog enablers, able to employ the tools and services developed by their more experienced counterparts to deploy complex attacks that previously had been possible only for those who had followed the step-by-step evolutionary practice of building cyber expertise.

New offerings within the illicit underground economy of the Dark Web have allowed threat actors to wholly outsource their tools for attack, with prebuilt packages of scripts and tools facilitating anything from distributed denial-of-service (DDoS) attacks to common vulnerability exploitation. To capitalize on this booming new underground industry, many malware authors have moved to profit on their expertise, providing their skills "as-a-service." This allows their customers to cherry-pick targets while bypassing the tiresome and complicated process of developing sophisticated malware or deploying and maintaining servers to control the malware’s operations during the attack.

**New Services  
**The demand for quick wins and easy profits has spurred more actors to offer new kinds of services in various pricing strategies. One of the more popular services today is offered by initial access brokers (IABs). IABs sell access to thousands of compromised endpoints on a daily basis, allowing cybercriminals to buy their first way into the networks of almost every enterprise and vendor out there. 

For as little as $10 a piece, threat actors can purchase access and gain a steady foothold in their targets' systems, attaining a beachhead into highly secured organizations without having to bother with the complex, drawn-out process of gaining initial access on their own. By outsourcing access, attackers of all levels of sophistication can leapfrog several steps, jumping yet another step closer to the level of an APT.

As cyber capabilities proliferate, trickling from APTs to less advanced threat groups, there are tens of thousands of actors that may be simply one click away from purchasing the advanced capabilities that would allow them to leapfrog to quasi-APT status.

The question is no longer how relevant and actionable your threat intelligence is; it’s how comprehensive and scalable it can be. Simply put, can your cybersecurity team continuously track millions of cybercriminal actors every day, and deliver the critical insights you need to block threats in real time?

Source

DARKReading