The Cisco CCF helps save resources by enabling organizations to achieve cloud security certifications more efficiently.

**SAN JOSE, Calif., May 5, 2022** — Today, Cisco is pleased to release the Cisco Cloud Controls Framework (CCF) to the public. The Cisco CCF is a comprehensive set of international and national security compliance and certification requirements, aggregated in one framework. It empowers teams to make sure cloud products and services meet security and privacy requirements thanks to a simplified rationalized compliance and risk management strategy, saving significant resources.

Meeting the fast-evolving requirements for security certifications and standards across the globe is becoming increasingly important, but also extremely challenging, and resource- and time-intensive for Cloud-based software providers.

“The Cisco CCF is central to our company’s security compliance strategy. By making it available for public use, we are helping ease compliance strain and enable smoother market access and scalability for the cloud community,” explains Prasant Vadlamudi, Cisco’s Senior Director for Global Cloud Compliance. “By sharing our CCF with customers and peers, we also continue to support our commitment to transparency and accountability that are foundational to Cisco’s DNA.”

The CCF is the foundational methodology for Cisco to accelerate certification achievements across our cloud offerings and establish a strong security baseline. It is the result of years of standards research to certify SaaS products for multiple standards for repeatable practices and efficiencies. The CCF offers a structured, “build-once-use-many” approach for achieving the broadest range of international, national, and regional certifications.

With this framework, organizations can define, implement, and demonstrate controls that are foundational to security and privacy certifications consistently across SaaS portfolios, such as SOC 2, ISO 27001: 2013, ISO 27701, ISO 27017, ISO 22301, ISO 27018, Germany’s BSI C5, FedRAMP Tailored for the US public sector, the Spanish ENS, Japan’s ISMAP, PCI DSS v3.2.1, the EU Cloud Code of Conduct, and Australia’s IRAP\*.

“Customer demand for global SaaS security certifications is constantly expanding, as are the security risks we all face. As the complexity of market demand grows, SaaS providers need an efficient way to simplify and streamline efforts to attain security certifications. Our experience has helped us define a common set of building blocks that are repeatable across developed products. Tailoring additional blocks for specific regional or topical certifications ensures the CCF is sensitive to the needs and expectations of regulators and customers across different geographies and sectors,” says Vadlamudi.

The CCF comes with guidance on how to implement these controls and the audit artifacts needed to demonstrate controls operating effectiveness. Cisco will regularly update the CCF as regulations evolve and new frameworks are integrated into our compliance processes.

**Additional Resources:**

*   Cisco Cloud Controls Framework
*   Blog, Announcing the Cisco Cloud Controls Framework (CCF)

\*SOC 2® - SOC for Service Organizations: Trust Services Criteria; ISO IEC 27001:2013 - Information technology — Security techniques — Information security management systems — Requirements; ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services; ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; ISO/IEC 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines; ISO 22301:2019 - Security and resilience — Business continuity management systems — Requirements; Federal Risk and Authorization Management Program (FedRAMP LI-SAAS/Tailored); Esquema Nacional de Seguridad (ENS); Infosec Registered Assessors Program (IRAP December 2020); Payment Card Industry Data Security Standard (PCI-DSS v3.2.1); Information System Security Management and Assessment Program (ISMAP); Cloud Computing Compliance Controls Catalogue (C5); EU Cloud Code of Conduct (CoC); Third Party Cybersecurity Compliance Certificate (CCC)

**About Cisco**

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Cisco Announces Cloud Controls Framework Is Now Available to Public

With 80% of companies using cloud collaboration tools, cybercriminals are using multichannel phishing attacks to exploit security gaps in the hybrid work model.

The modern workforce is hybrid, and remote work is here to stay. With 80% of companies using cloud or hybrid cloud collaboration tools, it's fertile ground for a cybercriminal to expand the threat surface. Multichannel phishing is becoming the preferred way to deliver these attacks as threat actors exploit security gaps in the hybrid work model. While organizations focus on protecting email from phishing and malware, there are gaps in defenses for other channels. In a recent report on how to respond to the cyberthreat landscape, Gartner warns of the use of multichannel phishing approaches that combine social engineering, vishing, smishing, email, and Web phishing attacks in a single campaign.

Today, 91% of all cyber breaches include a phishing attack because these types of attacks often succeed. Cybercriminals are so successful because these attacks are increasingly sophisticated, zero-hour spear-phishing threats designed specifically to slip past traditional security controls Threats to the mobile channel continue to grow with malicious apps, as well as malicious SMS messages with and without malicious links, spear-phishing, and malicious Web content. Mobile devices are an excellent opportunity because they are less protected, URL inspection is harder on mobile devices, phones have smaller screens than computers, and content is often truncated. Cybercriminals take advantage of distracted users who conduct quick work tasks and transactions, which offers the perfect environment for launching multichannel attacks.

Cybercriminals are capitalizing on digital channels that aid the productivity of remote workers like SMS/text, Slack, LinkedIn, Zoom, Microsoft Teams, Google Meet, and WhatsApp. These channels are less protected and provide an easy way to trick users, steal credentials, and ultimately exfiltrate data from an organization. A growing trend for cybercriminals is to use WhatsApp and SMS to send malicious URLs that appear identical to a Microsoft Teams meeting invite, which they use to harvest Microsoft 365 credentials. This benign invite contains a malicious URL that takes the user to a landing page asking them to enter their Microsoft 365 credentials, and, just like that, a user has given up their login credentials. These credentials now enable the cybercriminal to take over an account and continue to deliver phishing attacks from legitimate services like AWS, Azure, Outlook, and SharePoint.

In most cases, these attacks will bypass most phishing detection tools. SlashNext Threat Labs saw a 57% increase in phishing attacks from trusted services from the fourth quarter of 2021 to the first months of 2022. The trusted reputation of these domains enables cybercriminals to easily evade current detection technologies using domain reputation and blocklists like SEG, proxy, SASE, and endpoint security tools. Attackers use shared services to get around domain reputation technologies with increased frequency. Using mainstream, legitimate commercial infrastructure sites to avoid detection has been a successful tactic, and the growth in these threats continues in 2022.

It's long been known that phishing attacks are getting through gaps in current defenses like secure email gateways, advanced threat protection, and identity graph technology. In addition, some users are accessing corporate tools outside of all security defenses. It should be on every cybersecurity leader's list to address multichannel phishing in 2022. So, how do you know if multichannel phishing is a problem in your organization? Start by assessing the phishing attack surface in your organization. Here are a few questions to get started: Where are your employees protected from phishing? Are they protected when accessing URLs on their browser or their mobile device? Are your users protected from zero-hour threats in real time? Answering no to these questions can indicate that your users and the organization are at risk.

A cyber readiness plan to protect against multichannel phishing should include people, processes, and tools. Ensure the plan includes educating users about the risk of multichannel phishing. Communicate about preventative strategies for how to identify social engineering tactics and suspected compromises. Implement an abuse inbox, and enable alerts for suspicious activity, such as foreign logins. Install security tools that leverage AI and computer vision to detect and block malicious zero-hour threats across email, Web, and mobile.

**About the Author**

    

Patrick Harr is CEO of SlashNext, the authority in multichannel phishing and human hacking protection across email, Web, and mobile.

Multichannel Phishing Concerns Cybersecurity Leaders in 2022

Researcher to reveal fresh details at Black Hat Asia on a tenacious cyber-espionage group attacking specific military, law enforcement, aviation, and other entities in Central and South Asia.

It's one of the more prolific yet lesser-known nation-state hacking groups in the world, and it's not out of China or Russia. The so-called SideWinder (aka Rattlesnake or T-APT4) group has been on a tear over the past two years, launching more than 1,000 targeted attacks.

Noushin Shabab, senior security researcher with Kaspersky, has been tracking SideWinder since 2017 and will share her latest findings on this cyber-espionage team at Black Hat Europe in Singapore this month.

"They have been very persistent in their attacks in terms of targeting specific victims over and over, with new malware and newly registered domains," Shabab says. "So even if the target has suspected that a previous attempt had malicious intentions — like with spear-phishing emails and so on — the threat actor has tried to use a new infection vector and use a new domain to try their luck, over and over."

SideWinder also has upped its game when it comes to hiding its tracks and deflecting detection — as well as in thwarting researchers. The threat group now executes a more complex attack chain that uses multiple layers of malware, additional obfuscation, and memory-resident malware that leaves no evidence of its presence, she says. Although other well-oiled and advanced threat groups also continue to add new methods of camouflaging their activity, Noushin says, SideWinder stands apart for her with its dogged persistence and high volume of activity.

"I think what truly makes them stand out among other APT \[advanced persistent threat\] actors is the large toolset they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure," she says. "I haven't seen 1,000 attacks from a single APT" from another group thus far, she adds. 

Shabab has tracked SideWinder's activity since April 2020, but Kaspersky first reported on SideWinder in January 2018 and believes it's been around since at least 2012. The security firm traditionally avoids attributing threat actors to specific nation-states, but Shabab says her firm's initial research into SideWinder showed the group is tied to an India-based company that was advertising malware analysis and penetration testing services on its website. 

"We found some context between that company and that threat actor," she says. However, she notes that "over the years, \[SideWinder\] attribution became more challenging."

SideWinder mostly targets military and law enforcement entities in Central and South Asia, but it's also hit foreign affairs, defense, aviation, IT, and legal firms in Asia. Pakistan and Sri Lanka are its main focus of late, according to Kaspersky's research, and it's recently targeted government and related organizations in Afghanistan, China, and Nepal, according to previous research from Trend Micro and from Anomaly.

Kaspersky also follows another cyber-spying threat group, dubbed Sidecopy, that copies SideWinder's tactics and techniques on occasion, often pivoting to the newest infection vector SideWinder has adopted. Unlike some other security research teams, Kaspersky considers Sidecopy separate from SideWinder. It's seen Sidecopy target organizations mainly in India and Afghanistan.

**No Zero-Days Required  
**SideWinder's main initial attack vector consists of sending convincing-looking spear-phishing emails with malware-rigged document attachments to its carefully curated targets. The hacking group doesn't deploy any zero-day exploits, but instead mostly weaponizes known Windows or Android vulnerabilities, including old Microsoft Office flaws, according to Shabab.

That said, in January 2020, researchers at Trend Micro revealed that they had discovered SideWinder exploiting a zero-day local privilege-escalation vulnerability that affected hundreds of millions of Android phones when it was first published (CVE-2019-2215).

SideWinder often switches gears if its first attempts don't infect its victims. Shabab has seen the APT abuse the Windows file shortcut feature to mask the malware, for example.

"The interesting thing is we have seen them be quite careful and innovative in the way they approach victims," she says. 

On at least two occasions, she says, SideWinder sent empty document attachments with the spear-phishing emails. The document had no content, but a malicious payload was inside. "After a short while, they send a letter \[in an email\] that apologizes for the empty document they had sent earlier. But that second email had a different malicious payload inside the document," she says. "They were trying everything to make sure they get a foothold into the victim's system."

SideWinder also swaps domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.

Kaspersky's research shows that SideWinder mainly targets Windows for now, but it did find some malicious mobile apps last year when the firm investigated the group's infrastructure domains and servers. 

"But looking at their large attack infrastructure and large malware family sets they have for Windows, it doesn't seem mobile is their main focus," Shabab says.  

**Black Hat Talk  
**Shabab will share technical details in her session at Black Hat Asia next week, entitled "SideWinder Uncoils to Strike." Those will include how the hacking team has evolved its obfuscation methods for hiding its malware, and folding it into multistage infection chains. She says that investigating SideWinder's attack methods required her to decrypt several layers of encryption and thousands of obfuscation scripts. And "for each one, the decryption key was different," she says.

Shabab plans to provide recommendations on how to use SideWinder indicators of compromise along with specific security defense advice on defending against this APT group. Because it mostly achieves initial infections via known vulns and legitimate features in Windows (such as Microsoft Office), patching and the usual best security practices are key. That means hardening applications with whitelisting or firewall rules, which can help halt additional malicious malware modules from SideWinder's servers, she says.

"It's not very difficult to stop the attack" initially, she says. But if SideWinder gets past that first hurdle and infects the machine in the first phase of the attack, eradicating the attack gets exponentially harder. She adds: "They have lots of techniques to stay undetected longer and stay persistent."

1,000+ Attacks in 2 Years: How the SideWinder APT Sheds Its Skin

Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.

Cybercriminals are ramping up their attacks on the Docker Engine — the software foundation of the container infrastructure used by many cloud-native companies. Researchers flagged a pair of cyber campaigns this week that showcase the increasing risk, including a compromise aimed at launching denial-of-service (DoS)) attacks on Russian targets.

On May 5, researchers at cloud-management platform Uptycs said that attackers compromised the firm's honeypot, a Docker server configured to allow connections through the remote Docker API. The attacks resulted in the cybercriminals installing cryptomining software and creating a reverse shell, which would have allowed them to explore the server in real time.

The company has detected 10 to 20 attempts to compromise the honeypot server every day, suggesting that attackers have increased their interest in Docker-based infrastructure, says Amit Malik, director of threat research at Uptycs.

"We configured one of our machines as a honeypot, and within three hours, we saw it compromised, so we had to shut it down and rebuild it," Malik says. "The infection point is very rapid."

The attacks on Uptycs' Docker-based infrastructure are not unique. The incidents are happening to other companies as well.

**Unwitting Hosts to Hostile DoS Activity Against Russia  
**Honeypots maintained by cybersecurity services firm CrowdStrike experienced similar attacks through the Docker remote API, generally assigned to port 2375 or 2376, according to an analysis of an attack posted on May 4. 

CrowdStrike researchers revealed that attackers compromised its honeypots through the open Docker API and then installed two malicious container images that were used to to attack Russian and Belarusian sites.

The target lists include the websites of the Russian and Belarusian governments, military, media, and retail sectors, as well as Russian mining, manufacturing, chemical, and technology sectors, according to CrowdStrike.

Both DoS-enabling containers are hosted on Docker Hub. One of the images has been downloaded more than 100,000 times; the second has been downloaded 50,000. CrowdStrike researchers noted that the portion of these downloads that originated from compromised machines is unknown.

The use of compromised infrastructure has far-reaching consequences for organizations that may unwittingly be participating in hostile activity against Russian government, military, and civilian targets, the firm warned. Any investigation into the attack by Russian intelligence will likely point back to the victim's server, says Adam Meyers, vice president of intelligence at CrowdStrike.

"It is a little different when they are using your infrastructure to attack a third party," he says. "If \[Russia or Belarus\] starts looking at these attacks, they might say, 'Oh, they are DoSing us, so we will DoS them.'"  

**Security Needs to Focus on Docker Threats**  
While Docker is well known in the development and DevOps communities, security professionals may not be as aware of the potential for insecure configurations or vulnerabilities to undermine enterprise security, Meyers says. 

The attack surface is concerning: In December, security startup Prevasio found that 51% of the 4 million images they scanned on Docker Hub included packages that had a critical security vulnerability. On the misconfiguration front, while exposing the remote Docker API is not a common configuration — currently Shodan counts 803 assets exposing port 2375 — the relatively frequent scanning of the port means that any misconfiguration would be exploited quickly.

"It is a relatively new technology, and with any new technology there is a security curve that goes with that," Meyers says. "There is a general lack of awareness around the threat, and that is the thing that we are trying to raise the flag with here. You need to take Docker security seriously."

**More Visibility Needed into Docker  
**To understand their level of risk, businesses should ensure that they can adequately monitor the attack surface area of assets such as Docker, Kubernetes servers, and DevOps-related infrastructure, says Siddharth Sharma, a researcher at Uptycs.

"Most of these attacks go unnoticed because people might not have a comprehensive security solution monitoring their Docker infrastructure," he says. "So the attacker will not be detected as often, unless something goes wrong. But often the types of \[payloads\] they install are not obvious."

Last year, Docker changed the licensing terms of Docker Desktop, moving to a subscription model and arguing that the shift will help the company support more security features and audits. The move came two years after the company split, dividing into Docker — focused on development with Docker Hub and Docker Desktop — and the enterprise infrastructure components of Docker Enterprise, which was sold to Mirantis.

Docker Under Siege: Cybercriminals Compromise Honeypots to Ramp Up Attacks

As the gaming sector booms, game publishers and gaming networks have been heavily targeted with distributed denial-of-service (DDoS) attacks in the last year.

For the past two years, the constraints of the COVID-19 pandemic have spawned an unprecedented surge in the online gaming industry, which is emerging as a major platform for entertainment, social interaction, and competition. By 2024, this media category could surpass $200 billion in revenue, making it one of the fastest-growing industry segments in the world, with an estimated 2 billion unique gamers worldwide.

As online gaming booms and gains a higher profile, game publishers and gaming networks are attracting unwelcome attention: a growing wave of cyberattacks that carry major costs. According to our recent threat research, gaming was one of the industries most heavily targeted by distributed denial-of-service (DDoS) attackers in 2021.

**DDoS Attacks in Gaming on the Rise  
**As it would be for any major business, data loss is a high priority for gaming companies whose servers are tempting targets for thieves seeking access to high-value databases that hold payment information, player statistics, intellectual property, and more. More recently, DDoS attacks intended to disrupt game play and bring massively multiplayer online (MMO) games to their knees have been more commonplace. Here, data is not at risk. Instead, DDoS is preventing legitimate players from accessing games, leading to user frustration, revenue loss, and reputational risk. Impact is not limited to the game itself, but also impacts businesses that rely on the game such as e-sports professionals and Twitch streamers.

**DDoS Halts Squidcraft Games Tournament  
**A recent major security incident underscores the point. In January, Twitch Rivals hosted a six-day Squid Game-themed competition — a Minecraft tournament called Squidcraft Games for Spanish-speaking gamers. About 150 contestants, including some of the platform's most famous Spanish-speaking creators (including Ibai, Rubius, and Auronplay), competed for a $100,000 purse in front of a record-setting 2 million viewers.

But what really grabbed the headlines wasn't just the high-profile competition — it was the intensive (and peculiarly timed) DDoS attacks that eventually shut down Internet access in Andorra, the small principality located between France and Spain in the Pyrenees mountains where some tournament participants live. On the fourth day of the tournament, Jan. 22, 2022, a DDoS attack reaching 100 Gbps in several short bursts impacted the Andorran competitors.

**Additional Fallout  
**News reports indicate this attack, the work of an unknown DDoS-for-hire service, knocked out about a dozen Andorran players from the competition (including E1Rubis, Biyin, TheGregfg, TaeSchnee, VioletaG, Aroyitt, 8cho, TinenQa, and Auron), and paved the way for OllieGamerz to take the top spot and $100,000. It doesn't take a lot of imagination to see how a DDoS attack — one of the simplest, cheapest, and most effective attacks — can be timed to gain a decisive advantage on high-stakes competitors and disrupt matches in a win-at-all-costs culture.

**Multifaceted Threats to Gaming's Unique Architecture  
**Online games typically employ a distinct architecture to optimally serve their customers. When a player wants to join an online game, they must first enter a "lobby" where they wait for other players to join. When enough players have gathered in the lobby, the game starts — only then can these users play the game. As a result of this architecture and their multiplayer design, online games are vulnerable to DDoS attacks through multiple dimensions: the game server itself, the game lobby, and, for some peer-to-peer multiplayer games, the individual player.

The real-time nature of gaming presents major issues because it emphasizes team scalability, which can create challenges when addressing security concerns. Of course, gaming platforms are highly sensitive to performance and outage issues. Their passionate users are vocal about outages of any kind at any time. Failing to meet user expectations can doom the reputation of a game.

The other element in play here is that the gaming sector covers a huge variety of companies, from international giants to smaller firms that address niche markets. Each eventually encounters the same issues (e.g., keeping customer data and intellectual property secure and ensuring high availability and performance). However, smaller firms may find it harder to get the right skills in place.

With the increasing shift to online gaming and the growth of e-sports, gaming companies must redouble their efforts to protect themselves and their users from cyberattacks. This means developing a good security strategy that covers all the bases. This includes design and architecture, coding and deployment, up to the hosting of the online service. These proactive measures can prevent attacks from affecting the gaming experience and protect the gamers while building trust in the integrity of their platforms and the competitions they host.

Why Security Matters Even More in Online Gaming

All active GitHub users who contribute code will be required to enable at least one form of two-factor authentication by the end of 2023.

Security experts have been banging the multifactor authentication (MFA) drum for years, encouraging users to move away from solely relying on the username/password combination to secure their most sensitive accounts. Now GitHub is done with encouraging: By the end of 2023, all users who contribute code to GitHub-hosted repositories must have one or more forms of two-factor authentication (2FA) enabled, the company says.

Zero-day attacks and sophisticated exploits are scary, but social engineering and credential theft pose bigger headaches for enterprise defenders. User credentials grant attackers full access to the application and the associated data, or in case of a code repository like GitHub, visibility into source code as well as the ability to maliciously modify the code.

"This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code," says Mike Hanley, GitHub's CSO. The downstream effects of an attacker seizing control of a popular code repository is staggering, as "it can be downloaded tens of thousands of times, or hundreds of thousands of times," he says.

Attacks against the software supply chain jumped by more than 300% in 2021, Aqua Security said in January.

GitHub’s decision increases the complexity of account takeovers, says Andrew Hay, COO at LARES Consulting. "It has been proven time and time again that multifactor authentication provides an additional layer of protection to a user's account without exponentially complicating the login process," he says.

**Raising the Bar  
**Considering the sheer number of developers and active repositories on GitHub.com, this move has the potential to significantly enhance the security of the software supply chain. The company says the shift to 2FA will impact 83 million developers.

Hanley has said in the past that GitHub’s sheer size puts the company in a strong position to boost the security of the entire software ecosystem. By implementing new security features, GitHub is raising the bar on things developers and project maintainers have to do.

"Strong password management, privileged access security, and MFA will make it difficult for attackers to be successful at gaining an initial foothold," says Joseph Carson, chief security scientist and advisory CISO at Delinea. "This will likely force them to look for an easier target elsewhere."

**Move to Mandatory Enrollment  
**GitHub has offered 2FA in some form since 2013. Recognizing that attackers are increasingly targeting JavaScript packages on the npm registry, GitHub enrolled all the maintainers of the top 100 npm packages with mandatory 2FA back in February. Even so, adoption has lagged. Currently, only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA on their accounts, the company says.

The numbers are dismal but not wholly unexpected. Back in 2018, Google noted that seven years after introducing 2FA for Gmail, less than 10% of active accounts had enabled the feature. More than three-quarters (78%) of organizations with Microsoft Active Directory (AD) currently do not employ MFA for their user accounts, Microsoft said in its quarterly Cyber Signals report earlier this year. Microsoft has said repeatedly that "99.9% of breaches would be prevented if you just implemented MFA."

GitHub has taken other steps to improve security beyond relying on just the username and password. Earlier, GitHub deprecated basic authentication for Git operations and GitHub’s REST API, and now require email-based device verification. Since March, all npm accounts require enhanced login verification. The company launched 2FA for GitHub Mobile on iOS and Android back in January.

GitHub will allow multiple methods, including hardware security keys and mobile push notifications approved directly from the GitHub app.

GitHub already gives enterprise customers the ability to require developers to use 2FA to access enterprise repositories. When enforcement takes effect, there may be some issues if GitHub winds up removing users who do not have 2FA enabled from enterprise repositories, Hay notes. "It may lead to some calls to the support desk if a user finds that they can no longer access the code repositories they once had access to," he says.

**Delayed Enforcement  
**The shift to mandatory 2FA will occur in phases. All maintainers of the top 500 packages will be enrolled in mandatory 2FA on May 31. Maintainers of high-impact npm packages — which GitHub defined as those with more than 500 dependents or one million weekly downloads — will be enrolled in mandatory 2FA in the third quarter of 2022. The long lead time — more than a year out — will help GitHub "make sure we get this right" in terms of ensuring the user experience with the command line and the web interface, Hanley says.

Carson notes that recent advancements have made MFA "far less burdensome" to users. The most common mistake in enterprise deployments is to add MFA to existing authentication schemes rather than strengthening (and potentially replacing) them. MFA should be used to make logging in more efficient, as well as more secure.

"It is important to make authentication easier and the experience positive where possible," Carson says. "Otherwise users will find ways around the security control making them much weaker."

GitHub to Developers: Turn on 2FA or Lose Access

Operation CuckooBees uncovered the state-sponsored group's sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.

China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.

That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.

In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.

The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's "Made in China 2025" modernization initiative.

"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."

Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says

“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”

**Winnti Stung by CuckooBees**  
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.

Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.

The researchers dubbed the investigation "Operation CuckooBees," because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.

"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.

**New Tools, Rare Abuse of Windows CLFS Mechanism**  
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools — or new versions of its old malware — and sophisticated new techniques for payload delivery and evasion.

The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.

One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.

"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn’t look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.

"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.

Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.

**The Evolving Winnti Attack Chain**  
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.

"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.

Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.

"If for some reason, one component is missing or gets detected – the entire thing would fall apart," Dahan says.

The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.

"The ‘house of cards’ approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."

China-Backed Winnti APT Siphons Reams of US Trade Secrets in Sprawling Cyber-Espionage Attack

Microsoft's stand-alone version of Defender for SMBs promises to help SecOps teams automate detection, response, and recovery.

Microsoft has released a stand-alone version of Defender for Business for small-to-midsize businesses (SMBs), which the company says will provide endpoint security on par with that of a large enterprise. 

A Microsoft survey found that 70% of SMBs are worried about the business risk that cybersecurity poses, and while 80% of SMBs said they have antivirus protection, 93%  still have concerns about cybersecurity threats. 

Microsoft said Defender for Business can help automate the protection, detection, and response tasks that can bog down SecOps 

"Automated investigation and remediation are a huge part of the product," Adam Atwell, cloud solutions architect at consulting firm Kite Technology Group, said in a statement. "It's just happening in the background. Defender for Business makes our security so simple."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Releases Defender for SMBs

The US has to adapt its own policies to counter the push, warns former DocuSign CEO and Under Secretary of State Keith Krach.

Despite the block on information flowing from China, stories about the nation's surveillance state have leaked out. From social credit scores and online censorship to electronic billboards that display a citizen's "violations" like jaywalking, surveillance is a part of everyday life for millions of Chinese people.

China is increasingly exporting not only its technology but the authoritarian values that underpin them, and this spread must be contained before it moves through more of the world, says Keith Krach, who served as DocuSign CEO from 2009 to 2019 before becoming Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration in June 2019.

Krach, who continues to advise the administration of President Joe Biden and leads the Krach Institute for Tech Diplomacy at Purdue University, was nominated for the 2022 Nobel Peace Prize for his work on China. He recently spoke with Dark Reading about China's tech-centered authoritarianism, how the country is embedding its values in its exports, and what the US must do with its own tech policies to keep a moral high ground.

This interview has been condensed for length and clarity.

    

Source: Keith Krach

**Q: You've dedicated much of your career to fighting against "techno-authoritarianism." How do you define that term? What activities rise to the level of authoritarianism?**

**Krach:** Our rivals are playing the long game in what's a four-dimensional game of military, economic, diplomatic, and cultural chess — and the crossroads, the main battleground, is technology. It all intersects there. So here's what techno-authoritarianism is in the simplest \[terms\]: It is using technology for bad instead of for good. That could be a surveillance state, dangerous military weapons, or whatever else is done for bad.

You can think of it as sort of the opposite of what we \[in the United States\] honor as a nation and in the free world at large: respecting things like the rule of law, property of all kinds, nations' sovereignty, human rights, the environment, the press. Those good principles of collaboration, like transparency, reciprocity, accountability — these are things that we honor.

But these are things that China, Russia, the authoritarians don't live by. Instead they \[rule by\] a power principle: cooperation, coercion, concealment, intimidation, retaliation, retribution. And what \[affects us all\] is that when someone doesn't play by the rules, it's no longer a free market; it's a fool's market. For example, let's say you're a Silicon Valley CEO, and I'm a Chinese company. I can steal your intellectual property, I don't have to be transparent, I can use slave labor, I can use cheap energy from big coal-fired power plants.

I don't have to obey the law — or to be \[more precise\], I _am_ the law. How can you possibly compete? I'll beat you every time. So we've got to do something about it.

**Q: You've been particularly vocal about techno-authoritarianism in China — to the extent that you can no longer visit or do business there after officials sanctioned you and your family** **\[among other former Trump officials\] last year.**

**Can you provide context on the extent of Chinese surveillance? It's especially present in Xinjiang, where authorities closely track the habits and activities of millions of Uyghurs, a Muslim minority group in the city. The US is among several countries to accuse China of committing genocide** **of the Uyghurs, but surveillance happens all over the country in varying degrees.**

**Krach:** Oh, it's literally George Orwell's _1984_. They use technology to intimidate, and there is no privacy anymore. To the extent that in Beijing and a lot of the big cities, they have these big TV-like electronic billboards where they show, for example, if somebody jaywalks crossing the street. They'll flash your picture up there, they'll show how many violations they have, all this kind of personal stuff. They know exactly where people are doing, what people are spending, I mean ... everything. They assign people social credit scores based on their behavior and decide what you can and can't do.

It creates a paranoid society where everybody feels watched, and nobody trusts anyone — because there's also incentives for turning people in for violations. It's just a nasty, nasty way to live.

**Q: Chinese authorities, of course, say this surveillance is for the good of the people. They're leveraging technology in all sorts of new projects, including so-called safe cities** **underpinned by \[Chinese telecom\] Huawei that harness all kinds of data about people's activities — ostensibly created to be like what we call smart cities here, helping get ambulances to car accidents faster and assisting police in stopping crime. But in actuality, according to groups like the bipartisan Center for Strategic and International Studies, they're tracking facial recognition and license plate data, monitoring social media, and stomping out dissent.**

**Krach:** These wired cities are a Trojan horse, the same way that what they're doing in Xinjiang is a proving ground. It's beta testing for all this stuff to roll out in China and to export elsewhere. So Xinjiang is literally a glance into the future.

China is essentially exporting a "dictatorship-in-a-box" when they send their surveillance tools \[overseas\]. These are tools that the worst of dictators could have only dreamed up. And that's the stuff that enables genocide: the whole surveillance state, literally thought control. I call it China's Great One-Way Firewall, where all the data comes in for their own use. Propaganda goes out, but the truth does not come in. That's why \[China's President\] Xi \[Jinping\] is just obsessed with technology. His biggest obsession is the semiconductor business because he knows that's the foundation of everything.

**Q: Several countries, including Kyrgyzstan and Ecuador, have adopted Chinese-made surveillance tech. That's in part because China has worked to offer less-funded governments functional and more affordable semiconductors and 5G technologies. When China exports this technology, it seems that in many cases they're exporting the values behind them as well. How can that spread of authoritarianism be stopped?**  

**Krach:** I'll take you inside what happened with 5G for an example. You heard about the 5G race all the time a couple of years ago because it looked like China's most important \[tech\] company Huawei was going to run the table for 5G. They announced 91 5G deals, 47 in Europe. So \[in the US government\] we're hitting the panic button. 5G controls are much more than cell phones: It's utility grids, Internet of Things, people's personal data, the government's more precious secrets.

Right around February 2020 \[when I was Under Secretary of State for Economic Growth, Energy, and the Environment in the Trump administration\], it seemed US efforts to stop it were failing. So our team got the authority to make a last-ditch effort to defeat their 5G master plan. We combined our team with some of the greatest Foreign Service officers, and it was like magic with that diversity of thought.

What we heard was that \[US\] government guys going around the world, saying, "Don't buy Huawei." And I go, "That's the dumbest thing I've ever heard." If I'm a CEO, I'd say to my chief of staff, "Hey, let's check out Huawei. They must have something good." So I said, "Why don't we treat the countries, the telcos, like customers? The customer's always right, and to get a customer, you must have a value proposition. Why should they partner with us if they don't get anything out of it?"

In my first 60 bilateral \[meetings\] I had as under secretary, I asked all these governments, "How's your relationship with China?" They'd say, "Oh, they're a really important trading partner." And then they'd look both ways, as if someone was there, and add, "But we don't trust them." That rang bells in my head. Because trust is the basis of every relationship — personal, business, or otherwise. You buy from people you trust. You partner with people you trust. So we went around to the CEOs of these foreign telcos and said, "Do you want to give your government's and citizens' data to a country that requires any company to turn information over to the Chinese Communist Party? Or do you want to partner with someone you trust?"

We created a digital standard of trust, called the Trust Principle, built on principles like respect for human rights and collaboration. And that was the basis for what we did with the Clean Network, a group of 60 countries that represent two-thirds of the world's global GDP, \[along with\] 200 telcos and a whole host of companies that were committed to building a 5G system completely free of bad actors and dedicated to fair principles.

It's not an anti-China thing. It's your choice: You can either be locked out of 70% of the market, or you can change the way that you do business. That moral high ground is key. In one move, we took those things that they were using against us and weaponized the very principles that protect our freedoms. In less than a year, those 91 \[Huawei\] 5G deals dropped by \[dozens and dozens\].

    

Source: Keith Krach

**Q. I want to turn the lens inward now because ideas like the Trust Principle and the Clean Network depend on maintaining that moral high ground — and they're built on essentially what we think of as fundamental American ideals — but in reality, the US has participated in surveillance itself. And in the private sector, plenty of US tech companies have had their own issues with data privacy and security, with many of their businesses based on supplying free services and monetizing the data their users provide. Can we have a leg to stand on unless we reform our own practices here in the States?**

**Krach:** It's an interesting and important question. Most people have never heard of this position, but I was the US/EU ombudsman for the data privacy shield. Now what that meant was after the Snowden episode, the Europeans go, "You know, we don't want you guys to do it again." And so they came up with a one-way data privacy shield: From a governance standpoint, if the United States snooped on a European and the Europeans found out about it, then they had a mechanism where they take it to the EU, they'd sort it out, and then it would come directly to me. There was nobody in the executive branch overseeing me on this, to be honest — it was straight with the judicial branch, and those guys were serious. "We're gonna prosecute come hell or high water. Patriotism thrown out the door; you've got to do what's right." And that was an interesting thing.

But the first thing I thought was, why isn't this reciprocal? The No. 1 thing \[I said\] when I met with the Europeans was, "Why is this a one-way thing, but you guys are shielded?" And then I'd say, "Oh, hey, how's your EU/China data privacy shield going? You have one, right?" And they're like, "Uh ... no. You know, China will be China."

Anyway, from a company standpoint, when people think of US tech companies, they think of the social and search companies like Google and Facebook. They're important companies, sure, but that's a small fraction of it. In my view, the rules of the road have not fully been written yet on data, privacy, security, data flows. It's going to take not only all three branches of our government but also the private sector and international players. If I were \[a tech CEO\], I would get out in front of this one because you can see it's going to be coming down. Things like Elon Musk buying Twitter probably would be a catalyst for that.

**Q: What, then, does the US need to do? It sounds like you think there's a lot more coming pretty soon down the pipe in terms of regulatory and compliance.**

**Krach:** Yeah, yeah. And I think it needs to be clear. But also, US companies were getting robbed blind and locked out of the Chinese market. So there's a squeeze play there, and then \[on the government level\] the EU was coming up with these regulations that just target US companies, so there's another squeeze play. But here again, it all boils down to one word: trust. You have to be able to trust the people you partner with, and you have to be trusted yourself.

**Q: As we look at how technology is evolving in general — Web3, the metaverse — there's so much emerging. Which security issues do you think should be top of mind from a policy standpoint?**

**Krach:** The first one is protect from the enemy. On _60 Minutes_, FBI Director \[Christopher\] Wray talked at length about China's cyber threat and threat to intellectual property. Because their attitude is, if it's out there and we can take it, it's your fault for not protecting it. It's a wholly different value system. 

So the second piece is educating everyone about that, especially at the corporate board level. I just wrote an article for Fortune about how companies need to have their China contingency plan. \[Business leaders\] need to ask themselves, "What is our policy to make sure that we're trusted by our customers, our shareholders, our suppliers, our partners, all the governments we do business with?"

There's some things the government can help out on. For example, we could install something like the no-bribery law, in which American companies that go overseas and are asked for bribes have the law to fall back on. They can say, "No can do, it's against the law. I'll go to jail, sorry." Why don't we make a law that it's illegal to transfer technology to the Chinese? They have that divide-and-conquer system: "You guys won't give it to me? I'll go to your competitor." So there's some things that we can do along those lines, understanding their values and how we can weaponize ours. But again here, it takes collaboration across government and the private sector. It's critical that we figure it out.

Q&A: How China Is Exporting Tech-Based Authoritarianism Across the World

Researchers use code, Bitcoin transactions to link ransomware attacks on banks to DPRK-sponsored actors.

A new ransomware strain called VHD has been traced to North Korean state actor APT38 by a team of researchers using detailed code analysis and following a Bitcoin trail. 

The Democratic People's Republic of Korea (DPRK) has used ransomware for several years to raise money for state coffers, including the February 2016 Bangladesh bank heist in which attackers tried to use the SWIFT banking system to steal almost US$1 billion, explains Trellix researcher Christiaan Beek in a new blog post. 

Beek and a team of fellow cybersecurity analysts linked North Korea's cyber army to the VHD ransomware, which they said has been used in ransomware attacks on global financial systems and cryptocurrency exchanges since March 2020. The analysts compared known DPRK code with VHD ransomware and found stark similarities, the post states. Bitcoin transactions overlapping between known DPRK-sponsored cybercrime groups were also reported by the team. 

"We suspect the ransomware families described in this blog are part of more organized attacks," Beek adds. "Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading