Chemical companies are the latest to be targeted by the well-known North Korean group, which has targeted financial firms, security researchers, and technology companies in the past.

The North Korean-linked Lazarus group sent fake job offers to targets in the chemical sector and information technology firms, which — when opened — install Trojan horse programs to collect information and send it back to the attackers, technology provider Broadcom's security arm Symantec stated in an advisory on April 14.

The attack is part of a long-running campaign — dubbed Operation Dream Job — that sends targets in specific industries malicious Web files disguised as job offers, which when opened attempts to compromise the system. While the current set of attacks focuses on South Korean chemical companies and their IT service providers, other targets have included industries and government agencies in Europe, Asia, and the United States. This campaign marks a shift, as Lazarus in the past targeted the defense, government, and engineering sectors.

The attacks have, at various times, targeted defense contractors, engineering firms, government agencies, and even pharmaceutical companies during the height of the pandemic, says Dick O’Brien, principal intelligence analyst for Symantec's threat-hunting team.

"North Korea-linked attackers have a long history of targeting intellectual property, presumably to assist strategically important engineering or technology projects," he says, adding: "Across all attacks, we’ve seen a range of data theft \[and\] data exfiltration tools deployed on infected computers. We’re assuming that they take what they need before moving on."

Other security and technology firms have also documented Lazarus's involvement in Operation Dream Job, which some researchers track as Operation AppleJeus. In early 2021, the Lazarus group targeted security researchers with similar offers of high-level jobs in the industry. And, earlier this year, the attackers targeted more than 250 individuals working for news media, software vendors, and Internet infrastructure providers, using job offers that appeared to come from Disney, Google, and Oracle, according to Google, which tracked the campaign.

A related campaign targeted cryptocurrency and financial technology and services firms, Adam Weidemann, a researcher with Google's Threat Analysis Group, stated in a late March blog post.

"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," he wrote. "It is possible that other North Korean government-backed attackers have access to the same exploit kit."

**Long-Running Campaign  
**The April 14 advisory from Symantec noted that the campaign started at least as early as August 2020, albeit with a different set of targets. While the current campaign targets the chemical sector, campaigns discovered in 2020 had focused on government agencies and defense contractors, the company stated in its advisory.

"Operation Dream Job involves Lazarus using fake job offers as a means of luring victims into clicking on malicious links or opening malicious attachments that eventually lead to the installation of malware used for espionage," the company said.

Symantec's threat team outlined the steps in a successful attack in January 2022, which completed less than four days after the target received the file until the final execution of a program that collected and exfiltrated system data. After the targeted user opened the fake job offer, the attack exploited a vulnerability in one of two software packages, the INISAFE Web EX Client for system management or MagicLine, a gym management program, says Symantec's O'Brien.

"They’re not household names for us but our working assumption is they’re widely used in the industry or sector they’re currently targeting," he says. "An alternative hypothesis is they installed the software themselves in order to inject into it, but we haven’t seen any evidence of that."

While companies not running either application may not have to worry about this particular attack, cyber-espionage groups such as Lazarus are very good at tailoring attacks to match their target's environment, he says.

For that reason, no single solution will help prevent cyber-espionage attacks, O'Brien stressed. Instead, companies should take a layered approach to defense, using network detection, endpoint security, and hardening technologies — such as multifactor authentication — to protect against multiple vectors of attack, he says.

"We’d also advise implementing proper audit and control of administrative account usage, \[and\] you could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials," O'Brien says. "We’d also suggest creating profiles of usage for admin tools, \[because\] many of these tools are used by attackers to move laterally undetected through a network."

Lazarus Targets Chemical Sector With 'Dream Jobs,' Then Trojans

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

On April 13, the Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to warn that certain industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices can be targeted by advanced persistent threat (APT) actors who have the capability to gain full system access.

The alert warned that vulnerable products include Schneider Electric programmable logic controllers, OMRON Sysmac NEX PLCs and Open Platform Communications Unified Architecture (OPC UA) servers.

Once on the operational technology (OT) network, APT actors can utilize certain custom-made tools to scan for vulnerable devices, and then exploit and subsequently take control of them.

The advisory also noted a critical issue with Windows-based engineering workstations. Systems in the OT environment, or even on the IT side, can be compromised using an exploit targeting vulnerable motherboard drivers.

Utilizing these techniques, importantly and worryingly, could allow APT actors to elevate their privileges, move laterally within the OT environment to other devices, and disrupt or crash critical devices.

With recent events, such as the Colonial Pipeline attack, which saw the entire OT environment shut down (despite not even originating with OT devices), plus the rise of ransomware and the threat of politically motivated national state actors, those in critical national infrastructure need to act fast.

DoE, CISA, NSA, and the FBI urge organizations, especially those in the energy sector, to implement detection and mitigation recommendations to detect APT activity and harden their ICS/SCADA devices.

The advisory credited security firms including Dragos, Mandiant, and Palo Alto Networks for contributions leading to the advisory. Dragos revealed it’s been analyzing the malware (dubbed PIPEDREAM) since early 2022.

**Conclusions  
**It goes without saying that threat actors will continually find a way to penetrate IoT and OT networks; this advisory is not the first of its kind, nor will it be the last.

The tricky issue with OT networks is their average age (often spanning decades), complex history (evolving organically with minimal planning), and the demanding nature of devices. Traditionally, OT environments did not connect to the IT network in the way they do today — they were physically segregated and disconnected from the outside world, as well as the enterprise and any IT-related functions. This is what’s called an "air gap" but is now a thing of the past.

Digital transformation and the connection of OT systems and other devices to the network broadens the attack surface and opens up industrial environments to attackers. But the business priorities driving this transition, plus the nature of legacy systems and devices that need to be constantly available, mean security is often left behind.

The alert underscores how important it is for enterprises to prepare to address these kinds of IoT and OT security advisories quickly and thoroughly, before adversaries can take advantage of them.

It may seem trivial, but first points of call include changing all passwords and maintaining offline backups — which can help to mitigate brute-force attacks and aid fast recovery in the event of an attack. Those in industrial environments need to ensure they have a robust cybersecurity posture in place — including adequate visibility and monitoring, alongside perimeter and access controls.

The alert notes the importance of collaboration between stakeholders across IT, cybersecurity and operations, which is especially important to ensure cybersecurity is effectively applied in these complex IoT and OT environments with their own unique requirements.

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks

The act contains a loophole added late in the process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.

During the past few years, we have witnessed an alarming increase in the volume and sophistication of cybercrime and cyberattacks. It is both understandable and necessary that the US Congress has taken measures to strengthen our country’s cybersecurity. The Strengthening American Cybersecurity Act of 2022, for example, was recently passed by the Senate and is currently in review by the House of Representatives. The cybersecurity community is pleased to see action by Congress on this important issue, but, unfortunately, the act contains a significant loophole added late in the legislative process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.

The Domain Name System, of course, registers domain names and translates them into digital addresses that route traffic through the global Internet. DNS is at the heart of the Internet and represents the exact type of information that needs to be reportable to proactively protect our cyber assets.

For decades, DNS and the data concerning individuals and organizations that register and use domain names — known as WHOIS data — have been critical to law enforcement agencies and private cybersecurity companies to protect the US and its citizens from cyberattacks and cybercrime.

As stated in written testimony to Congress by the FBI Cyber Division in 2003, “Cyber Division investigators use the WHOIS database almost every day. Querying of domain name registries is the first step in many cybercrime investigations. Anything that limits or restricts the availability of WHOIS data to law enforcement agencies will decrease its usefulness in FBI investigations …” This was true in 2003, and it is true now. In 2020, DHS reaffirmed, “Homeland Security Investigations (HSI) views WHOIS information, and the accessibility to it, as critical information required to advance HSI criminal investigations, including COVID-19 fraud.”

**Gone Dark**  
Despite the unambiguous statements from governments and law enforcement agencies expressing the critical importance of DNS and open and immediate access to accurate WHOIS data for cybersecurity, WHOIS data has essentially gone dark since May 2018. This can be traced to the enactment of policies put in place by the Internet Corporation for Assigned Names and Numbers (ICANN) as the organization attempted to comply with the European Union’s General Data Protection Regulation (GDPR). But GDPR applies to people, not to companies or governments. Yet nearly all useful registration data has been hidden — even the data not subject to GDPR.

It is not only US-based law enforcement agencies that emphasize the critical role of the DNS and WHOIS data for cybersecurity. In 2018, the European Cybercrime Centre (EC3) Advisory Group on Internet Security stated, “Almost all cyberattacks … require infrastructure which is subject to DNS registration at some point in the attack life cycle. As such, the international Whois protocol plays a critical role in identifying malicious infrastructure and thus defending against or preventing attacks. Accessing Whois registrant information is an essential element of the cybersecurity community’s efforts to maintain the overall security and stability of the global Internet. …”

Passing cybersecurity legislation while exempting DNS and ignoring the lack of WHOIS data accessibility is like trying to improve banking security while removing the know-your-customer (KYC) requirements. Doing so leaves the country increasingly vulnerable and unable to identify, track, and prevent malicious behavior.

**Restore Access to WHOIS Data**  
Given these circumstances, it is contrary to the goal of improving security for the federal government and the American people for Congress to give a “pass” on mandatory reporting to the DNS and the current lack of availability of WHOIS data. It would be more beneficial for Congress to restore access to WHOIS data and require that all domain name registries and registrars that have any business nexus to the US be able to verify the accuracy of the WHOIS data of their customers. Such data should also be made publicly accessible. The three top-level domains —.com, .org, and .net — are all administered by US companies and, as of April 2021, comprised 60% of all domain names used by websites around the world.

As explained by the Anti-Phishing Working Group at a Cooperation Against Cybercrime international conference, “Restricted access to WHOIS data by GDPR regulation under its initial interpretation (by ICANN) hampers Internet security; law enforcement activities; security research; anti-money laundering activities; and programmatic suppression of criminal infrastructure.” Turning a blind eye to this critical component of cybersecurity and relegating these DNS and WHOIS data issues to the exclusive provenance of ICANN’s multistakeholder organization, which has failed to serve the public interest, will impede rather than improve the cybersecurity of the US.

Cybersecurity Act of 2022: A Step in the Right Direction With a Significant Loophole

Elsewhere Partners invests in proven service mesh and API management innovator as it grows team and breaks into new markets.

ALEXANDRIA, Va.--(BUSINESS WIRE)--greymatter.io Inc., an enterprise microservices platform provider, today announced the close of a $7.1 million Series A round. Led by Elsewhere Partners, the funding will fuel greymatter.io’s global growth as demand intensifies for its comprehensive microservices platform, which includes service mesh and API management for enterprise-scale IT environments.

“Organizations are quickly realizing that they must future-proof their IT infrastructures. The distribution of software, APIs, data, and users across hybrid, multi-cloud, and on-premise systems has created dramatically more complex networks that large organizations (both public and private) are struggling to control, secure and monitor,” said Chris Pacitti, founder and partner of Elsewhere Partners. “We have been watching greymatter.io execute on their vision for an enterprise microservices platform for more than three years. They have proven the strength and scalability of their platform to effectively manage the explosion of configuration sprawl, security, governance, and risk needs.”

In enterprise hybrid and multi-cloud operations, it is more important than ever for IT leaders to control complexity, trust nothing, and see everything. The global service mesh market continues to surge with some analysts predicting it will top $2.3 billion by 2028 to support the complexities introduced by service-based architectures, and greymatter.io has been a leading innovator in the space since 2015. Helping large organizations cut their operational costs by upwards of 30 percent, greymatter.io allows DevSecOps and NetSecOps teams to easily manage increasing complexity, secure application networking with zero-trust and see everything happening across their IT environment. Recognized as an industry outperformer by GigaOm, the Grey Matter platform offers cloud- and platform-agnostic solutions to uncover and relieve the top issues plaguing enterprises as their application networking, API security and IT operations evolve – from misconfigurations, unvetted configurations and unpatched vulnerabilities, to data leaks, failed audits and more.

“greymatter.io has become a proven industry force thanks to our talented team and steadfast commitment to ease our customers’ top infrastructure burdens,” said greymatter.io CEO Chris Holmes. “Working with an investment partner as dedicated as we are to customer-driven, product-led company growth, there are no limits to what the coming months/years hold. We will continue to provide the most comprehensive modern microservices platform based on a service mesh purpose built to help large public organizations and private enterprises overcome complexity sprawl and tackle all governance, analytic and zero-trust security needs regardless of the number of clouds, on-premise systems, applications or endpoints involved.”

After years successfully serving the complex needs of massive, globally distributed government and defense organizations, greymatter.io will use the funding to expand the reach of its proven microservices platform in both the public and private sector by rapidly building out its team. In addition, greymatter.io will accelerate its pipeline of platform enhancements, add support for key open source community projects, and cultivate new partnerships in advanced areas of zero-trust security and data mesh to support its continued market leadership.

Timed with the investment, seasoned enterprise B2B software industry executives Mike Kushin and Michele Perry (an Elsewhere Partners operating advisor) will join the Board to help support the company’s market expansion and recruiting efforts.

**About greymatter.io Inc.  
**A venture-backed microservices platform provider, greymatter.io is driving the next era of intelligent service mesh and API management to solve complex challenges flowing from enterprises’ DevSecOps and NetSecOps pipelines through production operations. Led by a team of experts, the company builds infrastructure intelligence solutions to help its customers better manage, secure, and operate enterprise software. The platform has a rapidly growing user base that includes some of the largest, most security-conscious, globally decentralized organizations in the world. Learn more at greymatter.io.

**About Elsewhere Partners  
**Elsewhere Partners is a growth-stage venture capital firm that invests in Elsewhere Outliers – business software companies that are located outside of traditional venture capital hubs and have achieved substantial customer traction and revenue growth without significant outside funding. Elsewhere Partners combines transitional capital with transformational expertise to help companies achieve exit readiness on their own terms. To learn more, visit www.elsewhere.partners.

greymatter.io Closes $7.1 Million Series A to Meet Rising Need for Its Enterprise Microservices Platform

Also, it re-certifies its data services by TÜV AUSTRIA.

**Woburn, MA – April 14, 2022 -** Kaspersky has expanded the scope of its cyberthreat-related data relocation, which now covers users in Latin America and the Middle East. The company’s commitment to following the best data security practices has been reaffirmed by TÜV AUSTRIA’s re-certification of Kaspersky’s data services with an expanded scope. In addition, the company publicly shared information on the requests for data and technical expertise received from government and law enforcement agencies as well as from users in H2 2021.

These measures reflect the company’s continuous commitment to move toward greater transparency undertaken as part of the Global Transparency Initiative (GTI). By launching GTI in 2017, Kaspersky set a benchmark for digital trust and became the first cybersecurity vendor to make its source code available for review. Committed to being a trusted partner for its users, to date, Kaspersky remains one of few international IT vendors that seek to turn transparency into an industry standard and take steps toward greater accountability.

Since March 2022, Kaspersky has been processing and storing malicious and suspicious files received from users in Latin America and the Middle East, which used to be processed by facilities in Russia, in data-centers in Zurich, Switzerland. Prior to that, the relocation of such data storage had been completed for Europe, North America and a number of Asia-Pacific countries. Swiss data centers provide world-class facilities in compliance with leading industry standards so the company’s users can be confident in the security of their data.

Moreover, Kaspersky has renewed its ISO 27001\* certification issued by independent certification body TÜV AUSTRIA, an internationally recognized applicable security standard. In addition to the audit passed in 2020, this time the scope of the certification was even extended and now covers not only the Kaspersky Security Network (KSN) system for the safe storage and access to malicious and suspicious files (called KLDFS), but also KSN systems for processing statistics (called KSNBuffer database).

Conformity with ISO/IEC 27001:2013 – internationally recognized as the best practice industry and applicable security standard – lies at the core of Kaspersky’s approach to implementing and managing information security. The certification – granted by the third-party accredited certification body, TÜV AUSTRIA – demonstrates the company’s commitment to strong information security and its Data Service’s compliance with industry leading practices.

The document can be found in the TÜV AUSTRIA Certificate Directory and is also publicly available on the Kaspersky website here.

Andrey Efremov, Kaspersky’s Chief Business Development Officer, said_: “We have relocated the cyberthreat-related data processing and storage from a number of additional countries and territories to facilities in Switzerland – a country renowned for its strict data protection legislation. These steps form just part of our Global Transparency Initiative, which also includes independent assessments of our company’s data service and engineering practice integrity, and the provision of our products’ source code for open review. Together, these measures further underline our commitment to ensuring that the way we treat our user data is as open and transparent as possible, and that we continue to provide our customers and partners with the most reliable and trustworthy solutions and services.”_

**The new edition of the Transparency report**

Kaspersky has developed an enduring practice of disclosing information on the company’s approach to dealing with data requests and releases its regular “Law Enforcement and Government Requests” report, uncovering data in two categories: user data and technical expertise\*\*. The latest report looks at this data during the second half of 2021.

In particular, during the second half of 2021, Kaspersky received 109 requests from governments and law enforcement agencies (LEAs) from 12 countries. At least 36% of those were rejected due to an absence of data or to not meeting legal verification requirements. In total, 92 of the requests received during the second half of the last year were for technical expertise.

In total, throughout 2021, Kaspersky received 214 requests, (compared to 160 requests in 2020), from governments and LEAs from 17 countries. A total of 181 of those were for technical expertise (compared to 132 in 2020). Further information on the steps for processing such requests can be found here.

At the same time, the number of user requests for details on what and where user data is stored and its provision or removal increased, reaching 2,252 in total.

To promote accountability and transparency of cybersecurity industry standards, Kaspersky seeks to share its expertise with a broader community. Thus, as part of its Global Transparency Initiative, Kaspersky further expanded its Cyber Capacity Building Program (CCBP), which aims to help organizations worldwide develop practical tools and knowledge for security assessments by launching a relevant online course — “Digital Cyber Capacity Building Program.” The online training, which is now available for an even greater audience, will ensure that more organizations and individuals will have a chance to boost their cyber-resilience by learning how to properly carry out product security assessments and evaluations.

To learn more about the Kaspersky Global Transparency Initiative, please visit the website here.

\* ISO/IEC 27001 is the most widely used information security standard, prepared and published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards.

\*\*User data includes information provided by users to Kaspersky when they use the company’s products and services. It depends on the services, products and features users use and is protected as described in the Kaspersky Privacy Policy.

Requests for technical expertise include non-personal technical information produced and provided by Kaspersky security researchers and machine learning algorithms. This may include the MD5 hashes of malware, indicators of compromise (IoCs), information about the modus operandi of cyberattacks, output of malware reverse engineering, statistical information and other results of investigations and research.

Kaspersky Relocates Cyberthreat-Related Data Processing for Users in Latin America and Middle East to Switzerland

The recent discovery of highly customized malware targeting programmable logic controllers has renewed concerns about the vulnerability of critical infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and others, this week urged critical infrastructure organizations — especially in the energy sector — to implement defenses against a set of highly sophisticated cyberattack tools designed to target and disrupt industrial environments.

The warning applies particularly to ICS and OT networks using programmable logic controllers (PLCs) from Schneider Electric and Omron and servers based on Open Platform Communications Unified Architecture (OPC UA). The advisory was prompted by the recent discovery of three malware tools custom-built to target these technologies and manipulate them in dangerous and potentially destructive ways. However, the malware can be adapted to attack other ICS technologies as well.

CISA's advisory contained a series of mitigation measures that it recommended organizations implement proactively to reduce exposure to the new threat.

Mandiant analyzed the new attack tools recently in partnership with Schneider and is collectively tracking them under the name INCONTROLLER. In a report this week, the security vendor described the malware as having an "exceptionally rare and dangerous" capability and posing a critical risk to organizations that use the targeted equipment. Mandiant compared INCONTROLLER to previous ICS-specific threats such as Stuxnet, which was used to destroy hundreds of centrifuges at an Iranian nuclear-enrichment facility in 2010, and Industroyer, which caused a power outage in Ukraine in 2016.

**Work of a Russian State-Sponsored Group?**  
"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations," says Rob Caldwell, director of industrial control systems and operational technology at Mandiant. He says Mandiant has been unable to associate the malware with any previously tracked group but believes those behind it are most likely Russia-linked. "While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America."

Mandiant identified one of the attack tools as "Tagrun," a tool for scanning OPC environments, enumerating OPC servers, harvesting data from them, and brute-forcing credentials. The security vendor identified the tool as likely used for conducting reconnaissance on industrial networks. Mandiant has dubbed the second tool as "Codecall," which it described as a framework that uses two common industrial protocols — Modbus and Codesys — to communicate and interact with at least three Schneider PLCs. The malware can identify Schneider and other Modbus-enabled devices on a network and connect to them using the two protocols. The third tool, "Omshell," targets Omron PLCs via HTTP, Telnet, and a proprietary Omron protocol. It is designed to interact with a mechanism on Omron devices for monitoring the safe running of so-called servo motors used in industrial applications. The malware can gain shell access to Omron PLCs and take a variety of malicious actions, including wiping device memory, resetting a device, loading backup data, and executing arbitrary code on it.

Collectively the malware tools have capabilities that allow attackers to surveil and collect data from target industrial environments that they can then use to identify high-value systems and to launch potentially catastrophic attacks against them in industrial settings. Potential attack scenarios include threat actors using Omshell and/or Codecall to crash targeted PLCs and disrupt operations; sending malicious commands to PLCs to sabotage industrial processes; or disabling safety controllers to cause physical destruction in a plant or industrial setting.

"The components of INCONTROLLER contain more sophisticated methods of interacting with and attacking or modifying the targeted devices than seen in previous ICS-specific malware," Caldwell says. These components are designed to make interaction with PLC devices easy for attackers with little detailed knowledge of the targeted ICS protocols. "Further, these components are modular and could be extended to target additional devices or add additional capabilities," he says.

Mandiant said it is also tracking two other tools targeted at Windows-based systems that appear to be related to INCONTROLLER activity. One of them exploits a known vulnerability, CVE-2020-15368, to install and exploit a vulnerable driver on target systems, and the other is a backdoor that enables reconnaissance activity. The tools could be used to support a threat actor's broader goals in an industrial cyberattack, Mandiant said.

**A Clear and Present Danger to Industrial Environments**  
ICS security vendor Dragos listed a total of 16 devices and software tools from Omron and Schneider that it said the malware was designed to interact with and exploit. The technologies are used in a wide range of industry verticals. But Dragos said its analysis of the malware suggests it is targeted mostly at equipment in liquefied natural gas (LNG) and electric power environments.

Dragos is collectively tracking the attack tools as "PIPEDREAM" and the threat actors behind it as "CHERNOVITE." A whitepaper that the company released this week on the threat identified the threat actor as having the ability — among other things — to manipulate the torque and speed of Omron servo motors in a way that could cause enough physical destruction to result in loss of life. Dragos' whitepaper listed several other malicious actions that threat actors could use the malware for, including triggering denial of control and denial for view for ICS operators; disrupting operating technology by masquerading as a trusted process; disabling process controllers to extend time-to-recovery from an incident; and undermining authentication and encryption mechanisms in OT environments.

"PIPEDREAM is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives," Dragos said.

News of the malware tools comes just days after reports of Ukraine's computer emergency response team (CERT-UA) thwarting an effort by Russia's Sandworm group to disrupt the country's power grid using Industroyer, one of the first known malware tools targeted specifically at the electric grid. So far, researchers have discovered at least seven highly sophisticated ICS-specific attack tools, which include Stuxnet, Industroyer, Triton, and BlackEnergy.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says the combined tools in this case were built to search for specific devices, to understand their operational parameters, to gain credentialed access, and to remotely control various legitimate functions of the devices for their intended objectives. "These are customizable based on the devices targeted but can be modified to target additional devices that leverage the same protocols," she says.

Jablanski says that options for thwarting attacks become scarce when threat actors have the credentials and know how to use devices based on their design, protocols, and features.

It's presently unclear in what host environment the newly discovered tools were found. But typically, some stop-gap measures for mitigating exposure to the threat would include disabling unnecessary functionality, introducing access controls to limit legitimate users who communicate with the device, and taking password management seriously. "Device hardening to limit the susceptibility and severity of cyber incidents is a staple of defense in depth strategies across ICS/OT environments," she says.

Eric Byres, CEO of aDolus Technology, says the new tools highlight a recent trend away from previous attacks where threat actors gained access to an OT environment by leapfrogging to it from the IT network. Those kinds of attacks have become less common with many organizations tightening OT security. So, sophisticated attackers are finding other ways to establish access to their victims' OT networks, he says pointing to Stuxnet as an example.

"Stuxnet did it through a combination of infected USB flash drives, printer sharing, and modified PLC logic files," he says. Similarly, Dragonfly, which was Russian in origin, attacked the manufacturers of OT control equipment and replaced the software they supplied to their industrial customers with trojanized versions.

"These supply chain-driven attacks are now becoming the preferred method for nation-state attackers, especially the Russian spy agencies," Byres says. "By going after OT suppliers rather than the OT systems directly, they get tremendous multiplication effects."

New Malware Tools Pose 'Clear and Present Threat' to ICS Environments

Researchers should take extra care in deploying data-science applications to the cloud, as cybercriminals are already targeting popular data-science tools such as Jupyter Notebook.

Always looking for an easy compromise, attackers are now scanning for data-science applications — such as Jupyter Notebook and JupyterLab — along with cloud servers and containers for misconfigurations, cloud-protection firm Aqua Security stated in an advisory published on April 13.

The two popular data science applications — used frequently with Python and R for data analysis — are generally secure by default, but a small fraction of instances are misconfigured, allowing attackers to access the servers with no password, according to the Aqua Security's researchers. In addition, after setting up its own server as a honeypot, the company detected in-the-wild attacks that attempted to install cryptomining tools and ransomware onto accessible instances of the software.

Signs that there are attackers targeting data-science environments is worrisome, considering that the researchers setting up those environment are largely uninformed about cybersecurity, says Assaf Morag, lead data analyst with Aqua Security.

"We know, based on our experience with application security, that developers are starting to learn more about security, but what about data scientists?" he says. "Are they gaining a proper education? My training is as a data scientist, and there were no focus on data security."

**Looking for Misconfigurations**  
In the past, threat actors have frequently scanned the Internet for servers running insecurely configured application. Last year, for example, a misconfigured Git server using default login credentials allowed attackers to steal source code for Nissan's mobile apps, market-research tools, and vehicle-connected services. Over the past five years, a significant number of data breaches have been caused by misconfigured storage servers — such as Amazon's Simple Storage Service (S3) buckets — that were found by attackers.

Research conducted in 2020 found that misconfigured cloud services, containers, and servers are attacked within hours of appearing online. The research, which used an insecurely configured Elasticsearch instance, was targeted by 175 scans over 11 days, increasing to 435 requests over the subsequent 2 weeks, including searches for particular terms such as "password" and "wallet."

The attacks on data-science tools used similar tactics, as seen through the lens of its honeypots, Aqua Security stated in its advisory.

"Most of the attacks got initial access via misconfigured environments," the company stated. "After gaining access, adversaries attempted to achieve persistence by creating a new user in the notebook or adding Secure Shell (SSH) keys. Then, most of the attacks executed a cryptominer, trying to get a quick gain."

The problem is that a small minority of the instances are configured to allow anyone to access the notebook server. During the research, for example, the Aqua Security researchers saw a novel attempt at using access gained through Jupyter Notebook to run a Python-based crypto-ransomware program.

"Normally, access to the online application should be restricted, either with a token or password or by limiting ingress traffic," Aqua Security wrote in the ransomware advisory. "However, sometimes these notebooks are left exposed to the internet with no authentication means, allowing anyone to easily access the notebook via a web browser."

**Lock Down Data Tools**  
Overall, data scientists and the Jupyter Project appear to be doing a credible job in securing the software. In total, less than 1% of the approximately 10,000 of instances of Jupyter Notebook are configured for open access, according to scans using the Shodan search engine. The fact that attackers are targeting the servers, however, should prompt defenders to focus on ensuring that the data-science tools are locked down, says Aqua Security's Morag.

"There will always be a zero-day or another misconfiguration that users did not know about, like Log4shell or Spring4 shell," he says. "While those do not apply to Jupyter Notebook, they show that you need to have another layer of protection. If you rely on the network to protect you, it is not enough these days, I think."

The Aqua research is not the first to expose vulnerabilities and misconfigurations of data-science tools. In 2021, researchers from cloud-security firm Wiz.io found that Microsoft created an insecure implementation for linking Jupyter Notebook instances to Azure Cosmos DB databases, allowing attackers to create a connection between an instance of Jupyter Notebook and the database service, which then allowed the attacker to access all other databases using the same service.

Attackers' strategy of targeting a new community of technical users is not new. Threat actors have already started targeting machine-learning researchers and the data behind artificial-intelligence and machine-learning systems, according to experts.

Data Scientists, Watch Out: Attackers Have Your Number

A power failure at a major London data center shows that a truly resilient network is flexible, not just redundant.

Volatile global dynamics like the Russia-Ukraine war, climate change driving an unprecedented surge in natural hazards, sharp peaks and rapid declines of a pandemic, out-of-control organized cybercrime syndicates … 2022 seems like a practical demonstration of Murphy's Law for enterprise networks. In the face of looming uncertainty and nation-state attacks that may result in collateral damage to facilities, remember: No matter how advanced your network infrastructure is, its resilience determines its true worth.

The strength of any network can be measured by its points of presence (PoPs), where two or more networks or communication devices share a connection. (Editor's note: The author's company is one of many cloud network providers that maintain PoPs around the world.) PoPs connect people to different networks, as well as to the greater Internet. They usually contain multiple servers and routers, and Internet service providers typically have multiple PoPs distributed over a geographic area. These physical locations allow people to be interconnected to others around the world. Having PoPs near your offices and remote and mobile users, wherever they may be, is critical for receiving services.

But just counting PoPs doesn't tell you whether the network is robust. What happens if a PoP fails? And PoPs do fail, even with good design and data center selection. Case in point is the recent Interxion outage.

**Interxion's Unexpected Power Outage**  
Earlier this year, Interxion, a leading provider of data center services across EMEA, faced an hours-long power outage at its central London campus. Being at the center of the European trading landscape and with billions in trade at stake, the facility had to have built-in redundancy and backup plans in place.

Unfortunately, even the equipment designed to switch power to an on-site backup generator failed, alongside the multiple power feeds going into the building.

My company's own PoP in the Interxion data center was unavailable for several hours. Thankfully, our customers were automatically redirected to another nearby Cato PoP for operational continuity. But the incident caused service outages for numerous customers whose networks depended solely on this data center.

**Alternate Scenario: How It Should Have Been**  
The hours-long outage could have been averted if customers had access to a global private backbone of PoPs and intelligent traffic-routing. The traffic would have been automatically redirected to another nearby PoP, and customers would have barely noticed the few seconds of outage. This alternate scenario pretty much sums up how a consolidated, cloud-native secure access service edge (SASE) service ensures resiliency and business continuity even in a situation as unlikely as the case in point.

**Achieving Multidimensional Network Resiliency**  
In a situation like Interxion's, the strategic distribution of PoPs matters more than sheer numbers. Beyond placement, the PoPs also need surplus capacity to handle the emergency traffic. Taking into account all such aspects, modern enterprise networks need to achieve multidimensional resiliency.

Such incidents have taught us what multidimensional resiliency really looks like:

**• Availability:** A globally distributed backbone of PoPs is essential for connectivity and service delivery. However, it's the density of PoPs in a region that matters in a failover plan, not the number of countries covered. If a PoP fails, you'll need another PoP nearby to reroute the traffic through.

**• Security:** This must always remain a priority, even during a crisis. That's why the full security stack must be built into the underlying network infrastructure. When all PoPs have built-in encryption and security, all endpoints — on-site, remote, and mobile users and devices — stay within the security perimeter even when redirected through backup PoPs.

**• Fault tolerance:** Modern enterprise networks need self-healing capabilities to handle disruptions, using different techniques like switching over to another PoP. Every second of downtime counts, and only intelligent, automated traffic routing can ensure rapid detection and quick transition.

**• Adaptability:** It's impossible to anticipate and prepare for all possible disruptions. Enterprise networks need to have the flexibility and agility to adapt to unexpected stressors. For instance, some of our customers couldn't benefit from our quick transition from the London PoP because they used firewalls to route traffic whose main and failover links both went only to the London site. When the London PoP failed, we had to quickly adapt and configure a new link going to a PoP in Manchester.

**• Dependability:** IT and service providers need to have full insight into the network to see how a failure impacts traffic across the network. In this situation, it would have been impossible to see exactly which customers had their failover link routed to the London PoP without complete visibility into all customer traffic. There's no way to ensure network dependability without having a complete view of the network at all times.

**Final Thoughts**  
The true strength of a network lies in its resilience in the face of unanticipated, rare-case scenarios. Redundancy itself is simply not enough, since it can fail — as it did during the Interxion outage. Multidimensional resilience ensures the network stays operational even if multiple backup plans fail.

Although a global, cloud-based SASE architecture with a unified management console checks all the resiliency boxes, you need ongoing investments to determine how things can go wrong and build the capabilities to continue operations and services during crisis situations.

Inside a Data Center Outage: Lessons About Resilience

Organizations can defend themselves from future unknows attacks by implementing targeted security hardening measures, turning on built-in security protections, and leveraging existing technology stack to achieve microsegmentation and credential hygiene.

Black swan events are considered incidents with high impact and low frequency that are impossible to predict. Whether you consider them black swan cyber events or not, the SolarWinds attack and the Log4Shell exploit stressed some of the key ways in which organizations can prepare themselves and prevent crises.  

Here are three common misconceptions around prevention of such events. 

**Misconception No. 1: There's nothing we can do about zero days and supply-chain attacks.**

One of the common misconceptions is that it's almost impossible to protect environments from critical zero-day vulnerabilities or supply-chain attacks, as they are highly stealthy and cannot be predicted. At best, this misconception will shift efforts toward enhancing the detection and response capabilities. At worst, it will promote a sense of helplessness when dealing with such events.

Contrary to common perception, these events are not the "unknown unknowns." Organizations can deploy and adjust their defenses strategically, often using their existing teams and security stack, and protect themselves from such attacks.

A simple yet powerful example is preventing egress Internet traffic from servers. Even though it may sound like a basic security practice, real-world experience demonstrates that it's not implemented by even relatively mature organizations.

Blocking servers from reaching out to the Internet will prevent attacks (or dramatically slow down attackers), where the exploit depends on the server to initiate connection to the attacker's command and control infrastructure, whether through reverse shells, malicious code in a third-party software such as SolarWinds, or a vulnerability such as Log4Shell. This leads us to the realization that even a basic security control can stop both the SolarWinds supply chain attack, one of the most sophisticated attacks in recent years, as well as mitigate the Log4Shell vulnerability, one of the most potent and ubiquitous vulnerabilities discovered recently.

Investigating and learning common tactics, techniques, and procedures (TTPs) and modus operandi of the latest breaches and exploits can provide organizations with valuable insights on how to improve and prioritize defenses in a way that will mitigate the use of future exploits.

**Misconception No. 2: Once attackers infiltrate an environment, they will fully compromise it.  
**Another misconception is that these novel exploits will inevitably allow attackers to do more than just infiltrate the perimeter.

Targeted security enhancement initiatives can be implemented to make the environment much more resilient to lateral movement and privilege escalation techniques, keeping attackers at bay, not able to leverage their initial footholds to gain access to core assets. This approach will also provide defenders with more time to detect and eliminate attacks in their early stages.

*   **Lateral** **m****ovement:** Microsegmentation is a daunting task. Many organizations procrastinate on implementing such projects as they require mapping all internal traffic, creating granular allow-lists of ports and hosts, buying expensive solutions, and investing crucial resources in deploying and then maintaining such environments. However, many of the advantages of microsegmentation can be achieved without going the full distance.
    
    Restricting ingress traffic on interactive (e.g., RDP, SSH) and noninteractive (e.g., SMB, WinRM, RPC) management protocols, by using host-based firewall policies on both servers and workstations, and then limiting management traffic to specific dedicated segments or jump boxes, can help achieve the core value provided by microsegmentation.
    
    While sometimes traffic on noninteractive management protocols toward servers is required for operational or applicative purposes, in many cases it's not required between different workstations or between servers in the DMZ. Adopting a focused deny-list approach at first will yield an immediate risk reduction, to a point where it will gradually become very challenging to move laterally within the network.
    

*   **Privilege** **e****scalation****:** One of the major challenges in reducing the risk of materializing attacks in the network is credential hygiene and prevention of privilege escalation. Nevertheless, similar to the approach taken above, focusing on high-value measures derived from real-world use of known and common TTPs can provide significant value for defenders.
    
    To achieve this, constantly search for exposed clear-text credentials, set long and complex passwords for service accounts, avoid using domain admin accounts for daily activities, and use built-in Microsoft security features such as Protected Users, LAPS, LSA Protection, and Credential Guard.
    
    Credential hygiene issues are a major contributing factor in almost every single attack that Sygnia responded to in the last couple of years. Securing privileged identities should be top priority in any security road map for 2022.
    

**Misconception No. 3: Patching is the only solution we have for novel vulnerabilities.  
**Often when a new vulnerability is published, the main (and sometimes the only) recommendation suggested by numerous advisories is patching, as if patching is the only action organizations can initiate to contain the risk. Patching is crucial, but it can take time for large enterprises to fully understand their exposure and apply patches in production environments. Occasionally, a few days after patching, new vulnerabilities are discovered by the security industry because of the attention the system or the application is drawing. Patching will not always mitigate all gaps.

Understanding the way in which the exploit is executed — and the dependencies on which the exploit is relying to execute — is imperative in responding to such events. What may be considered as only a workaround to mitigate the vulnerability can sometimes prove to be a lifesaver for organizations.

**Leverage and Optimize Your Security Stack  
**Contrary to common belief, organizations _can_ prevent or reduce the impact of novel exploits such as Log4Shell or highly sophisticated attacks like SolarWinds.

This can be achieved by organizations leveraging _and_ optimizing their current security stack, implementing surgical hardening measures, and using built-in security features that can be turned on easily without requiring additional spend.

The Misconceptions of 2021's Black Swan Cyber Events

Enterprises are more dependent than ever on open source software and need to manage the risk posed by vulnerabilities in components and third-party vendors.

FORRESTER SECURITY & RISK CONFERENCE — Companies need to take steps to minimize the risk posed by third-party software in the supply chain, which has grown significantly over the past few years, analysts advised at the Forrester Security & Risk 2021 Conference this week.

The concerns come as external attacks increasingly come through vulnerabilities in third-party software, such as open source projects or a breach of a third-party provider. More than a third of external attacks (35%) are carried out through exploiting a vulnerability, while another third (33%) come from a breach of a third-party service or software maker, according to a Forrester survey of 530 security decision-makers.

The growth of third-party risk threatens to undermine the security of enterprise applications if companies don't take steps to tame the problem, Alla Valente, senior analyst at Forrester, said during a roundtable at the conference.

"We have a lot of third-party risk and it's just escalating, and part of the reason is there are more third parties than we've ever had," she said. "If you didn't create \[a particular application\] and you are relying on someone else to maintain it, chances are ... \[ security\] is not going to get done."

The issue will become more important in 2022, as governments start to draft guidelines for secure software. The Biden administration, for example, signed an executive order in May requiring the National Institute of Standards and Technology (NIST) to draft guidelines for federal contractors to better secure software. The guidelines include providing a software bill of materials, or SBOM, to the government for their products and attesting to the security of the developers' build environments. NIST already has created draft guidelines for securing Internet of Things devices and software and held a workshop in September with industry to discuss the topics.

SBOMs are a key component for companies to understand their risk and identify software components as well as extended dependencies that could undermine an application's security, Chris Condo, principal analyst with Forrester, said during the presentation.

"Most developers just connect to a repo and they download the latest software versions of whatever packages they are using, but are those packages being scanned for vulnerabilities and is everyone even using the same version?" Condo said, adding that without a focus on such issues, companies are just delaying security problems. "You are creating more technical debt, more security issues that you will have to deal with downstream in a more expensive way."

The inconsistent nature of open source software continues to be a key issue. While major packages are typically well managed, many enterprises end up using packages — often through dependencies of more common components — that are not as well managed and may have vulnerabilities.

While the average time that open source software projects remediate vulnerabilities has dropped significantly (from 371 days in 2011 to 28 days in 2021), the number of packages hosted by the major ecosystems have grown significantly — 20% in the last year, according to a report published by software security firm Sonatype.

Companies need to delve into the packages they rely on for software development and determine if they pose a security issues, Condo said. "Understanding what you are actually depending on is really important, where is the weakest link, where are these issues going to arise, and should we use something that is a proprietary package or something that is curated," he said.

**The AI/ML Factor**  
As companies increasingly pursue analytics based on artificial intelligence and machine learning (AI/ML), they are facing on similar issues. AI/ML represents a specific facet of the open source problem because a great deal of the algorithms are encoded in open source projects. Businesses should determine whether these components pose a risk to their business, analyst Valente said.

"Organizations are leveraging AI and machine learning, and the question is not whether they are going to use AI and ML but whether they are going to buy it or build it," Valente said. "If they are going to buy ML or AI models, that is not something that they are maintaining — in many cases it is open source, and even commercial software, is 75% to 90% open source."

Finally, businesses need to focus on security issues earlier in the process. Determining that an open source dependency poses a security issues and removing it from consideration is far less expensive than attempting to close security issues found in the software after deployment, Condo said.

"You are creating more technical debt, more security issues that you will have to deal with downstream in a more expensive way," Condo said, adding that security should be part of the entire software development chain. "If you thought about really shifting left your security and designers doing threat modeling, review it with a security expert, and think about \[things like\] where data should reside and how to secure some of these APIs."

Source

DARKReading