Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.

New analysis has attributed a spear-phishing campaign targeting journalists covering North Korea to APT37/Ricochet Chollimia, a state-backed group linked to the Democratic People's Republic of Korea (DPRK). Notably, researchers said the group is deploying a novel malware strain called Goldbackdoor, a variation of Bluelight malware previously attributed to APT37.

According to a report from researchers at Stairwell, multiple phishing emails were sent to NK News on Mar. 18 that appeared to be from the personal email address of the previously compromised former head of of the South Korean National Intelligence Service, and contained Goldbackdoor malware. NK News handed over the information to Stairwell for further investigation, the cybersecurity firm said.

"Due to the sensitive nature of journalists' work, they are often targets of surveillance and malware, intent on stealing information, ferreting out sources or even destroying evidence and scaring the reporters into not publishing stories," Erich Kron, security awareness advocate at KnowBe4, said in response to the news. "In regimes like North Korea, where news is tightly controlled by the state, articles or information that paints the leadership or government in a negative light is treated as a serious threat to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean State Actors Deploying Novel Malware to Spy on Journalists

The DevSecOps journey is well worth undertaking because it can improve communication, speed up development, and ensure quality products.

DevSecOps can be a confusing concept. Is it a tool? A process? A culture? When do you need DevSecOps? How do you get to that point? What differentiates it from DevOps? Researching the topic often leaves one with more questions than answers.

DevOps started to gain momentum around 2008 when IT operations and software development became more focused on getting code out the door faster and implemented without major roadblocks. Traditional software development life cycles (SDLC) followed a more structured waterfall approach, which led to slower delivery of applications, fixes, and changes.

Then the Agile development methodology started to transform the software development landscape, with smaller and more frequent releases. This faster delivery led to a continuous development process across the entire landscape through collaboration and automation, which has led to the DevOps process. However, many organizations left security to the end of the development process, leading to numerous challenges and issues.

The concept of introducing security into the development life cycle is often termed a "shift left" in the process. Developers are not security specialists and can be reluctant to take on security, as it can impact their ability to push out new code. With increasing pressure to release products in shorter market windows, how does a developer prioritize vulnerabilities? Further complicating the matter is the amount of data that lacks context, making it harder to determine what is required, where, and by whom.

Development and security are not the only teams to be involved in the process. Countless vulnerabilities are found in operating systems, databases, Web servers, and other parts of the infrastructure — most of which are not the responsibility of development, but of operations.

**The 5 Stages of DevSecOps Maturity**

    

Source: Ivanti

The concept of shifting left — including security earlier and as part of the development process — is called DevSecOps. It's about collaboration, awareness, and automation between all teams involved in the development process.  

Here's a brief summary of the maturity journey and each step along the way:

**1\. Beginner.** At the beginner, or basic maturity, stage, there is a desire to undertake DevSecOps; however, organizations are still working in siloed teams with limited collaboration and almost no automation. Releases tend to be large, like a waterfall implementation, and scans are undertaken just prior to release. In this phase of maturity, you are faced with limited vulnerability information and a very reactive approach to resolve issues as they are found.

**2\. Intermediate.** At the intermediate stage, organizations are moving into an adoption phase and have started introducing automation across the process, leading to continuous scans that pick up issues earlier and often. Silos start to break down, and adoption of collaboration becomes common. Software developers are starting to learn about application security and begin applying best practices into their unit testing as part of the acceptance criteria.

**3\. High.** At the high maturity stage, organizations have embraced the DevSecOps process. Within the high maturity state, organizations have a high degree of automation across testing and deployment. Collaboration is now standard, and threat modeling is now incorporated into the process to identify vulnerabilities early and include them in the development life cycle.

**4\. Expert.** In the expert stage, organizations are now undertaking build-based scans with full integration and automation to provide constant feedback to the collaboration teams. Siloes have entirely disappeared, and organizations now have in place cross-functional team alignment. Chaos testing is applied to identify application resiliency, code, and signature validation within the applications.

**5\. Advanced.** Very few organizations have moved into the advanced stage, where an organization centralizes their data into a single source of truth with integration across all tools to collect, normalize, and reconcile events, assets, security, and quality. This single source of truth enables an organization to provide processwide reporting and KPIs to help identify issues in the process and drive improvement, leading to a concept of QualityOps — the holy grail!

The DevSecOps journey is complex but well worth undertaking because it will improve communication, speed up the development life cycle, and ensure quality products. Where does your company stand in its DevSecOps security journey?

When Security Meets Development: The DevSecOps Conundrum

New 'trust' tool improves online experience and helps tackle digital fraud.

PURCHASE, N.Y., and REDMOND, Wash., April 25, 2022 /PRNewswire/ -- Mastercard on Monday announced the launch of an enhanced identity solution designed to improve the online shopping experience and tackle digital fraud in a new collaboration with Microsoft Corp.

"This builds on our commitment of working across the industry to provide advanced technologies that enable trust."

Mastercard has directly addressed these needs by enhancing its **Digital Transaction Insights** solution with next-generation authentication and real-time decisioning intelligence capabilities. The solution pairs Mastercard's network insights with the merchant's own data to confirm the consumer is who they claim to be, providing financial institutions with the additional intelligence needed to optimize their authorization decisions and approve more genuine transactions. Digital Transaction Insights is used across a wide range of online checkout instances, from click-to-pay functionality and wearables to digital wallets and in-app purchases. Now more than ever, delivering a frictionless shopping experience is critical as retailers look to shift window shopping and price comparison visits to confirmed sales. And, while consumers enjoy the convenience of shopping online, fraudsters also seek to develop new methods to use these same channels for ill-gotten gains. One of the growing types of digital fraud is first-party fraud, where a legitimate purchase is made online but later disputed. First-party fraud is estimated to be a $50 billion global issue.

Ajay Bhalla, president, Cyber and Intelligence at Mastercard, said, "Shopping online should be simple, quick and secure. But that isn't always the case. We're committed to developing advanced identity and fraud technology to help enhance the real-time intelligence we provide to financial institutions around the globe. This builds on our longstanding commitment of working across the industry to provide advanced technologies that enable trust, and help build a safe and thriving digital ecosystem for all."

Microsoft will be the first partner to share its insights and integrate with the new Digital Transaction Insights solution across several lines of business. Building on a long history of cross-collaboration, Microsoft's Dynamics 365 Fraud Protection's proprietary risk assessment, which leverages adaptive AI to assist in real-time fraud detection by identifying risky behaviors across purchase, account and in-store activities, has been integrated with Mastercard's Digital Transaction Insights to better enable real-time intelligence sharing in an easily consumable and actionable format. This will enable issuers to enhance their decision-making processes for authorizations, chargebacks and refunds. Moreover, organizations can improve transaction acceptance rates with insights that help them balance profitability and revenue opportunities against fraud loss and checkout friction.

Charles Lamanna, corporate vice president of Business Applications and Platforms at Microsoft, said, "We are excited to partner with Mastercard to leverage our cloud-native, cutting-edge fraud assessment tools to empower issuers and merchants to prevent more fraud and approve more genuine users. This partnership lays the foundation for the future of global fraud prevention where data silos are no longer a barrier to security."

Digital Transaction Insights is enabled by EMV 3-D Secure and Mastercard Identity Check, a global authentication solution built on the enhanced industry standard. Both elements support GDPR requirements and other related regulations. In 2021 alone, Mastercard Identity Check delivered a 14% uplift in transaction approval rates across billions of transactions.

**Additional resources**

For more information about Microsoft Security solutions, visit Microsoft Security. Bookmark the Security blog to keep up with expert coverage on security matters. Also, follow @msftsecurity for the latest news and updates on cybersecurity.

**About Mastercard (NYSE: MA)**

Mastercard is a global technology company in the payments industry. Our mission is to connect and power an inclusive, digital economy that benefits everyone, everywhere by making transactions safe, simple, smart and accessible. Using secure data and networks, partnerships and passion, our innovations and solutions help individuals, financial institutions, governments and businesses realize their greatest potential. Our decency quotient, or DQ, drives our culture and everything we do inside and outside of our company. With connections across more than 210 countries and territories, we are building a sustainable world that unlocks priceless possibilities for all. www.mastercard.com

**About Microsoft**

Microsoft (Nasdaq "MSFT" @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

SOURCE Microsoft Corp.

Mastercard Launches Next-Generation Identity Technology with Microsoft

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

The first quarter of 2022 saw a 46% increase in distributed denial-of-service (DDoS) attacks over Q4 2021, which a new report attributes to a community of "hacktivists" intent on disrupting Russian state interests in retaliation for the Ukraine invasion. 

The report, by security vendor Kaspersky, notes that the volume of DDoS attacks was already historically high, but the first months of 2022 saw more targeted and innovative activity than previously seen. The DDoS attacks also persisted for much longer than previously recorded, with the average DDoS session lasting 80 times longer than during the last months of 2021. 

The report points to one instance from the past quarter where attackers set up a site similar to a popular puzzle game called "2048" to make launching attacks on Russian sites more like a game to recruit others to launch additional attacks. 

"In Q1 2022 we witnessed an all-time high number of DDoS attacks," said Alexander Gutnikov, security expert at Kaspersky, in a statement. "The upward trend was largely affected by the geopolitical situation. What is quite unusual is the long duration of the DDoS attacks, which are usually executed for immediate profit. Some of the attacks we observed lasted for days and even weeks, suggesting that they might have been conducted by ideologically motivated cyberactivists."

Gutnikov pointed out that the report found most organizations were unprepared to defend against DDoS attacks.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ukraine Invasion Driving DDoS Attacks to All-Time Highs

An ecosystem of native and third-party integrations provides visibility and control across the entire attack surface.

**DALLAS, April 25, 2022** – Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, announced the launch of Trend Micro One, a unified cybersecurity platform with a growing list of ecosystem technology partners that enables customers to better understand, communicate, and lower their cyber risk.

Organizations are battling on all fronts to face mounting cyber risks from their complex and growing attack surface with stretched teams and siloed security products. The unified security platform approach delivers a continuous lifecycle of risk and threat assessment with attack surface discovery, cyber risk analysis, and threat mitigation and response.

**Inaugural partners of the Trend Micro One technology ecosystem include:** Bit Discovery, Google Cloud, Microsoft, Okta, Palo Alto Networks, ServiceNow, Slack, Qualys, Rapid7, Splunk, and Tenable.

Kevin Simzer, COO of Trend Micro, shared, "We are so proud that ecosystem partners and even some competitors value integrating into our platform. Collectively we help enterprises fight the bad guys known as cybercriminals. Alone we are strong, but together our industry is unstoppable in helping customers eliminate security gaps anywhere, identify internal and external enterprise assets, and take critical steps to mitigate them."

According to Gartner®, "vendors are increasingly acquiring or developing these adjacent technologies and integrating them into a single platform. The benefits are best realized when this integration minimizes consoles and configuration planes and reuses components (e.g., endpoint agents) and information.\[1\]"

"We all know that digital transformation is table stakes for the post-pandemic enterprise. But this comes with additional risks: a bigger target for threat actors to aim at and more visibility and security coverage gaps for them to hide in," said Jeremiah Grossman, CEO of Bit Discovery. "Trend Micro’s approach stands out from the crowd — notably with its blend of multiple sources of asset and risk visibility, including external attack surface visibility powered by Bit Discovery. Trend Micro’s platform helps customers quickly get a prioritized and comprehensive understanding of their attack surface.”

As a unified platform, Trend Micro One delivers powerful risk assessment capabilities, but the ecosystem partners extend that to make it the most complete in the industry. Joint customers benefit from truly connected visibility, better detection and response capabilities, and comprehensive protection across security layers and systems.

Trend Micro One supports this approach by enabling customers to:

*   **Discover the attack surface:** Identify, monitor, and profile cyber assets in customers’ environments.
*   **Understand and continuously assess risk:** Analyze risk exposure, the status of vulnerabilities, the configuration of security controls, and types of threat activity.
*   **Effectively mitigate risk:** Ensure the right preventative controls and take swift action to mitigate risk and remediate attacks across the enterprise by leveraging Trend Micro's threat and risk intelligence.

**_To find out more about the Trend Micro One platform, please visit:_** **_https://www.trendmicro.com/en\_us/business/products/one-platform.html_**

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

Trend Micro Launches New Security Platform

It's time for regulators of critical infrastructure — including industrial control systems and operational technology — to focus more on operational resiliency.

During the past year, the Biden administration has issued several standards and mandates across critical infrastructure sectors, from water to transportation. Critical infrastructure is unique because nearly all United States citizens benefit from a critical national infrastructure (CNI) entity every day — whether they realize it or not. So, when one of those CNI entities is compromised, the impact often is felt on a personal level. Just look at Colonial Pipeline breach: Lines at gas stations were longer than ever as Americans feared a drastic fuel shortage.

The Biden administration's efforts to strengthen these sectors are well-intentioned and certainly demonstrate that the US government is taking cybersecurity threats seriously. These efforts are worthy of recognition because previous administrations haven't always prioritized cybersecurity strength. Intentions aside, however, these reporting mandates and standards are likely to prove ineffective and even dangerous.

**Assuming Visibility  
**One of the main issues industrial control systems (ICSs) and operational technology (OT) systems face today is lack of visibility. You can't secure what you don't have access to, and studies have shown that the vast majority of organizations have limited visibility into their ICS environments — if they have any visibility at all.

These standards and mandates dangerously assume that organizations know they were breached in the first place. If organizations don't have the resources to monitor their ICS environments, they may never know a threat actor is trying to break into their network — or, worse, that a threat actor has already been inside the network for days, months or even years. This obviously makes the 24- and 72-hour reporting mandates impossible to meet. In addition, it appears we are headed toward a hodgepodge of overlapping regulations that will place a significant burden on private enterprises.

**Distracting From What's Important  
**One example of this overlap is Senate bill S.2875 Cyber Incident Reporting Act of 2021 and House bill H.R. 5440 Cyber Incident Reporting for Critical Infrastructure. These bills have overlapping requirements that complicate the reporting process. Organizations will likely be required to determine what category an incident falls into and which government agency should handle it. The resources required to do this should be devoted to improving security rather than navigating the complexities of reporting requirements.

Indeed, complying with standards issued by the government takes significant time and resources that could be used to implement effective security controls, especially when it seems like it takes an actual cyberattack for the government to determine that we need another mandate for another industry.

**The Solution  
**It's time for regulators of critical infrastructure to focus more on operational resiliency. Focus and increase investments on ensuring organizations can respond to attacks, minimize impact, and restore operations quickly. We must begin accepting that not all cyberattacks against critical infrastructure can be prevented. The physical nature of these systems makes it nearly impossible to stop 100% of attacks. However, we still have the capability to respond and recover, and that's where we should focus our efforts.

Finally, it's time to take a step back and define a single critical infrastructure cybersecurity standard. If your industry is defined as critical infrastructure, then, by definition, it requires protection. Let's define a singular critical infrastructure cybersecurity standard now and start enforcing protection, including increased investments in systems to increase visibility and resiliency.

Overlapping ICS/OT Mandates Distract From Threat Detection and Response

Barely over a quarter of medical device companies surveyed maintain a software bill-of-materials, and less than half set security requirements at the design stage.

The stakes for cybersecurity are literally life and death in the medical device industry. As far back as 2013, then-US Vice President Dick Cheney had his doctor turn off the wireless connectivity in his pacemaker as a precaution, as the BMJ reports. The WannaCry attacks in 2017 to 2019 and other incidents show that was not merely paranoia – and this year's Access:7 vulnerability underscores the continuing threat to connected devices, including medical systems. While such events have raised awareness in the healthcare system about security threats, "the more that medical device manufacturers work to improve their cybersecurity capabilities, the more gaps they realize they have."

That's according to a report published this week by Cybellum. The report, titled "Medical Device Cybersecurity: Trends and Predictions," collected responses from 150 security and compliance decision-makers in the medical device industry worldwide.

The highlighted bar in the above graph shows that only 27% of respondents said their company generates and maintains a software bill-of-materials (SBOM) for its products. Such documents list all of the software components that go into a product, vital to tracking unexpected dependencies and hidden vulnerabilities, as the Log4j debacle underscored. The May 2021 executive order from US President Joe Biden calls out SBOMs as important to cybersecurity. The level of mainstream awareness and implementation is what makes this low adoption rate a surprise. It's an area to watch for next year's results.

The most implemented security measures in Cybellum's survey are running binary code analysis (47%) and setting security requirements during the design phase (46%). Binary analysis can reveal patterns of security flaws and audit for known vulnerable software elements. Addressing security concerns earlier, aka "shifting left," means developers can find and fix problems before they get deeply embedded and difficult to disentangle. The good news is that almost half of security decision-makers at medical device companies say they're using at least one of those techniques; the flipside is that more than half do not use them.

Other techniques medical device companies are using to secure their products include source-code static code analysis (SAST), performed by 41% of respondents; threat intelligence, by 39%; continuous security testing across the device life cycle, by 38%; educating developers on secure coding, by 27%; pen-testing/fuzzing, by 16%; and dynamic application security testing (DAST), by 14%.

The Cybellum report notes that "looking at the data segmented by types of companies, SBOM is more popular with OEMs (34%), compared to suppliers of medical device components (20%). The ultimate responsibility for the safety and security of devices lands on the OEM, which could explain why they make it a priority. Of course, both audiences have a long way to go."

For more insights, download the report from Cybellum.

Many Medical Device Makers Skimp on Security Practices

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

Sophos has acquired SOC.OS, a spinoff company of BAE Systems Digital Intelligence with a software-as-a-service (SaaS) solution for automating the monitoring and triaging the growing volume of data and alerts across organizations. 

Sophos said it plans to add the SOC.OS technology to its existing managed threat detection and response products. 

"Alert fatigue and lack of visibility still plague security teams worldwide," Dave Mareels, chief executive officer and co-founder of UK-based SOC.OS said. "Considering this, against the backdrop of constantly changing cyberthreats and a challenging talent landscape, defenders need new and innovative products and services that can help them solve more complex incidents in less time."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Sophos Buys Alert-Monitoring Automation Vendor

UltraDNS Terraform Provider enhances productivity, change management.

**Sterling, Virginia – April 21, 2022** – Neustar Security Services, a leading provider of cloud-oriented security services that enable global business to thrive online, has launched an integration with Terraform, an open-source infrastructure-as-code software tool created by HashiCorp. The new integration, UltraDNS Terraform Provider, enables DevOps teams to provision DNS changes when applications are deployed to realize enhanced productivity during that deployment.

Integrating UltraDNS into the Terraform ecosystem enhances Neustar Security Services’ capability to deliver a platform that provides speed, stability and extensibility when managing DNS. The new integration supports DNS standard and advanced records, including features such as SiteBacker, Simple Monitor/Failover, Simple Load Balancing and Traffic Controller. Available to DevOps teams on the Terraform registry, UltraDNS Terraform Provider includes four categories, 11 resources, 11 data sources, 94 self-check modules and 37 help files.

“As IT infrastructure has grown increasingly complex, so too has the task of managing DNS strategy,” said Enrique Somoza, director of product management with Neustar Security Services. “UltraDNS’s integration with Terraform enhances our customers’ velocity to accurately deploy, manage and automate DNS updates across complex cloud environments.”

The integration will allow Neustar Security Services to enable its customers’ application of Terraform across different use cases and environments.

“This latest integration reflects Neustar Security Services’ commitment to listening to and addressing the evolving needs of its customers, particularly those who use Terraform to define, build and version infrastructure safely and efficiently,” added Somoza.

Neustar Security Services’ UltraDNS integration with Terraform provides a compelling solution for DevOps managers, who can learn more about technical details here.

**About Neustar Security Services**  
The world’s top brands depend on Neustar Security Services to safeguard their digital infrastructure and online presence. Neustar Security Services offers a suite of cloud-delivered services that are secure, reliable, and available to enable global businesses to thrive online. The company’s Ultra Secure suite of solutions protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional interactions all day, every day. Delivering the industry’s best performance service, Neustar Security Services’ mission-critical security portfolio provides best-in-class DNS, application and network security (including DDoS, WAF and bot management) services to its Global 5000 customers and beyond. For more information, visit https://neustarsecurityservices.com/.

Neustar Security Services’ UltraDNS Integrates Terraform for Streamlined, Automated DNS Management

Ransomware groups are looking to strike large agriculture cooperatives during strategic seasons, when they are most vulnerable, according to law enforcement.

Ransomware operators are eyeing attacks on large networks of farmers, called agriculture cooperatives, during make-or-break planting and harvest seasons, when they are likely most desperate to pay, according to the Federal Bureau of Investigation. 

A new advisory details previous attempts by threat actors since 2021 to disrupt agricultural co-op operations, including a Lockbit 2.0 attack on a critical farming supplier, and a July 2021 breach of a business management software company serving several agricultural cooperatives. Some of the attacks were successful and resulted in a production slowdown, the FBI says. 

Another successful attack could affect the entire food chain, the alert warns. 

"Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production," the alert says. "Although ransomware attacks against the entire farm-to-table spectrum of the FA sector occur on a regular basis, the number of cyber attacks against agricultural cooperatives during key seasons is notable."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading