The most serious flaw gives attackers a way to remotely execute code on systems that many organizations use to move data in critical ICS environments, security vendor says.

A pair of critical flaws in industrial Internet of Things data platform vendor Open Automation Software (OAS) are threatening industrial control systems (ICS), according to Cisco Talos.

They're part of a group of eight vulnerabilities in OAS software that the vendor patched this week.  

Among the flaws is one (CVE-2022-26082) that gives attackers the ability to remotely execute malicious code on a targeted machine to disrupt or alter its functioning; another (CVE-2022-26833) enables unauthenticated use of a REST application programming interface (API) for configuration and viewing data on systems. 

In its advisory, Cisco Talos described the remote code execution (RCE) vulnerability as having a severity score of 9.1 on a 10-point scale and the API-related flaw as having a score of 9.4.

The remaining flaws exist in different components of OAS Platform V16.00.0112. They were assessed as being less severe (with vulnerability-severity ratings that range from 4.9 to 7.5), and included information disclosure issues, a denial-of-service flaw, and vulnerabilities that allow attackers to make unauthorized configuration changes and other modifications on vulnerable systems.   

"Cisco Talos worked with Open Automation Software to ensure that these issues are resolved, and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy," its advisory noted. The company recommended that organizations using the vulnerable software ensure that proper network segmentation is in place to minimize the access that an attacker, who exploited the vulnerabilities, would have on the compromised network.

OAS's Open Automation Software Platform is primarily designed to let organizations in industrial IoT environments move data between different platforms — for instance, from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. Central to the platform is a technology the company calls Universal Data Connect that enables data to flow from and between IoT devices, PLCs, applications, and databases. OAS describes its technology as also being useful for logging data in ICS environments and putting then in open formats, and for aggregating data from disparate sources. OAS has customers from across multiple industry verticals including power and utilities, chemical, construction, transportation, and oil and gas.

**Critical Flaws**

The RCE execution vulnerability (CVE-2022-26082) that Cisco Talos discovered exists in a secure file transfer functionality in the OAS Platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS Platform to upload an arbitrary file. Cisco said the issue had to do with missing authentication for a critical function. 

"The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform," Cisco Talos said.

The REST API-related vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stems from improper authentication. The flaw exists in OAS Platform V16.00.0121 and gives unauthenticated attackers a way to use the REST API to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software. 

To mitigate the risk from this flaw, Cisco recommended that organizations create custom security groups and user accounts with only the needed permissions and then restrict access to these accounts.   

Researchers have been discovering a steadily growing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A study that industrial cybersecurity vendor Claroty released earlier this year showed vulnerabilities impacting these environments increased 52% in 2021 to 1,439, compared to 942 in 2020. About 63% of the flaws were remotely exploitable. 

The number of vulnerabilities reported last year was some 110% more than the 683 flaws reported in ICS technologies in 2018. Vulnerabilities were reported for the first time in products from 21 of the 82 ICS vendors that were affected by flaws last year.

Critical OAS Bugs Open Industrial Systems to Takeover

Organizations must ensure their kubelets and related APIs aren’t inadvertently exposed or lack proper access control, offering an easy access point for malicious actors.

Kubernetes clusters provide a scalable and resilient backbone to many modern Internet-facing applications. However, if adversaries can access the nodes in those clusters, they essentially take over your infrastructure. They can compromise the integrity of your systems and hijack the infrastructure and use it for their own purposes.

Recent data from Shodan shows 243,469 Kubernetes clusters that are publicly exposed. These clusters also exposed port 10250, used by the kubelet (the agent that runs on each node and ensures that all containers are running in a pod) as a default setting. Attackers could potentially use the kubelet API as an entry point in targeting Kubernetes clusters to mine for cryptocurrency.

Trend Micro researcher Magno Logan looked at how cybercriminals could abuse these clusters and exposed kubelet ports.

First, there is the problem of sensitive information leakage by returning data on the running pods on the node.

In addition, since the kubelet API is exposed, there is another endpoint _/run_ that would allow an attacker to execute commands inside the running pods of the cluster just by sending a _POST_ request to the specific pods and using the parameter _cmd_ to execute the desired shell commands. Trend Micro says threat actor TeamTNT performed multiple _/run_ commands in just this manner to compromise multiple clusters last year. This technique can make things easier for attackers to take over clusters, Logan says in the report.

Logan called it "very concerning" that hackers could use the kubelet API as an entry point when targeting Kubernetes clusters.

"Those 600 kubelets we've found to be completely exposed and without authentication or authorization could easily be compromised via simple API requests," he said. "That would allow an attacker to execute commands on the pods running inside that node, most of the time to mine cryptocurrencies."

**Exposed Kubelets Leave Door Open to Malicious Actors**

According to Michael Isbitski, director of cybersecurity strategy for Sysdig, when Kubernetes clusters or kubelets are improperly exposed or don't enforce proper access control, it leaves the door open for a wide range of malicious activity.

"Attackers can potentially harvest sensitive data being transmitted within the cluster, spin-up new workloads, reconfigure elements of a node, disable access controls, erase audit trails, add vulnerable dependencies, bootstrap malicious cryptominers, and more," he says.

Isbitski notes that many Kubernetes configurations are secure by default with current platform offerings, but some organizations may be sitting on old or misconfigured deployments.

He points out organizations also sometimes inadvertently override secure defaults to get a cluster to an operational state without understanding the potential security risks.

"We've seen issues with vulnerabilities in runtime components, which can result in container escapes and lateral movement within networks if attackers are successful in their exploitation attempts," he says.

**Practice Defense In-Depth, Zero Trust**

Matt Dupre, director of software engineering at Tigera, a provider of security and observability for containers, Kubernetes, and cloud, points out that sufficiently privileged access to the kubelet amounts to a complete compromise of that host and potentially any other workloads running on it.

Access to the Kubernetes API has the same potential impact: Admin access essentially provides complete control of the cluster and everything in it.

He notes that while the security risk is significant, an overwhelming majority of the clusters that accepted connections from the Internet rejected the requests due to lack of authentication or authorization.

"Given that, there are two concerns: firstly, that you fall in that misconfigured 613 clusters, or that a new critical vulnerability that bypasses authn or authz is found, and this would be a very significant vulnerability," Dupre says. "Organizations' internal APIs are probably a bigger worry in practice."

He advises practicing defense in depth by following zero-trust principles and not allowing connections to your kubelets from unknown sources, such as the Internet.

"Additionally, you could port-scan your infrastructure and investigate any responses," he adds. "Keeping careful control of access tokens is always important — they should never be published, and you should have processes in place to ensure that they and other secrets are stored properly."

**Avoid Exposing the Kubelet Default Port**

As a basic kubelet security practice, Logan says organizations shouldn’t expose their kubelet port (10250 by default) to the Internet.

"If you need to do that, at least enable kubelet authentication and authorization on the kubelet API to avoid attackers being able to perform requests to the API and receive the 401 – Unauthorized response," he adds.

Mark Lambert, vice president of products at ArmorCode, an application security provider, says when deploying these types of systems, take a "zero-trust mindset" and remember that the default configurations are usually set up for ease of use, not security.

"This means you need to pay close attention to configuration files, disable features you are not using, change default ports, and minimize information leakage so that hackers cannot gain insight that could provide them another point of attack," he says.

Finally, all this needs to be operationalized as part of your application security program, and development teams must be engaged early, as they play a key role in building security into the design of the application from the start.

Besides enabling the kubelet authentication and authorization on the kubelet API, Logan advises restricting the kubelet permissions via the least privilege principle and periodically rotating the kubelet certificates to reduce the attack surface.

"Organizations should also investigate tools for runtime protection such as Falco to prevent and alert when there are suspicious execution happening inside their containers," he says.

**Constantly Analyze IaaC, Monitor Clusters in Runtime**

Isbitski says native capabilities and tooling from cloud providers and Kubernetes platform providers can provide a starting point for keeping kubelets protected.

He adds that security teams must continuously analyze the infrastructure-as-code used to configure and operate clusters, scan dependencies used by workloads, and monitor clusters in runtime to detect malicious activity, such as when an attacker attempts unauthorized access to the Kubernetes APIs.

"Appropriate access control should also be implemented at multiple points of a cluster," he says. "Native capabilities like Kubernetes network policy also help with restricting communication within a cluster and enforce zero trust principles."

Isbitski points out the Kubernetes control plane is also multilayered when working with managed Kubernetes.

In those scenarios, security teams should also continuously validate the cloud tenant configurations, along with IAM policies, for misconfigurations and excessive permissions.

Exposed Kubernetes Clusters, Kubelet Ports Can Be Abused in Cyberattacks

Space Force's Delta 6 cyber-defense group adds squadrons, updates legacy Satellite Control Network.

Space Force's Delta 6 mission, responsible for thy cyber defense of US military satellites, is adding four squadrons to boost cybersecurity throughout the military branch, as well as oversee the modernization of the aging Satellite Control Network.

Each operational mission within Space Force, from missile warning systems to navigations and communications, is organized into one of nine "Deltas," Breaking Defense explained in a report about the move. 

Delta 6 is the "cyber operations" group and will expand to embed a cyber-defense squadron of personnel called "Cyber Protection Teams" within other wings, Space Operations Command announced. 

Delta 6 will need also need additional help as it tackles upgrading the aging Satellite Control Network, which is a series of 19 antennas positioned around the world and relied upon by the military, NASA, the National Oceanic and Atmospheric Administration, and the National Reconnaissance Office, Breaking Defense reported. 

The system dates back to 1958, according to Delta 6 Commander Roy Rockwell. 

"Our scheduling system still operates on DOS — so, 1990s technology," Rockwell told Breaking Defense. “We are working through an upgrade that should be complete by the end of this year that’ll bring us up to a Windows-level type scheduling capability. So we're still far behind." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Space Force Expands Cyber Defense Operations

The 14th defendant behind The Infraud Organization contraband marketplace has been sentenced, this time for one count of racketeering.

Stolen identities, compromised credit-card data, computer malware, and more were collected and sold by The Infraud Organization, a transnational cybercrime syndicate — and the Department of Justice estimates the activity cost victims more than $568 million. 

Now a member of the cybercrime group has been sentenced to four years in prison for his role in Infraud: a 37-year-old Brooklyn, NY, resident named John Telusma, who pleaded guilty to one count of racketeering. He's the 14th defendant sentenced in the case.

The DoJ said Telsuma joined the Infraud Organization in August 2011 and over the subsequent five-and-a-half years became one of the "most prolific and active members of the Infraud organization, purchasing and fraudulently using compromised credit-card numbers for his own personal gain," the DoJ announcement of the sentencing said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Scammer Behind $568M International Cybercrime Syndicate Gets 4 Years

The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable -- but the new Yashma version finally generates binaries that can encrypt files of all sizes.

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That's according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.  

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the "initial edition of Chaos overwrites the targeted file with a randomized Base64 string," according to BlackBerry's new report. "Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware."

After putting the builder out in underground forums and catching plenty of snark and flak by fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

"Based on the forums, the original ransomware is believed to be developed by a solo author," Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. "This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware."

**Inside the Chaos**

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read\_it.txt.”

"This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note," according to BlackBerry's analysis. "In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat."

Over time, the malware has added more sophisticated capabilities, such as the ability to:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode
*   Change the victim’s desktop wallpaper
*   Customizable file-extension lists
*   Better encryption compatibility
*   Run on startup
*   Drop the malware as a different process
*   Sleep prior to execution
*   Disrupt recovery systems
*   Propagate the malware over network connections
*   Choose a custom encryption file-extension
*   Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

"The code is written in such a way that the wiper function is certainly not accidental. It's unclear why the authors made this choice," Valenzuela says. "It's possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there's a small chance the user might notice and be able to power off the device."

**Chaos, Version Four: 'Onyx' Ransomware, Still With Wiper**

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

"This particular threat group \[infiltrates\] a victim organization's network, \[steals\] any valuable data it found, then would unleash 'Onyx ransomware,' their own branded creation based on Chaos Builder v4.0," researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.

Onyx has also implemented a leak site called “Onyx News” hosted on the Tor network, with information about its victims and publicly viewable stolen data. The site is also used to give victims more information on how to recover their data.

"The best advice we could offer companies \[targeted with the Onyx wiper\] is to maintain regular backups, which are stored separately, and to not pay the ransom as most of their files are not recoverable due to design," says Valenzuela. "Again, proper incident command is paramount, something that is always better planned in advance."

**Chaos Wiper Reined in With Yashma**

In early 2022, Chaos released a fifth version of its builder, which finally generated ransomware binaries capable of encrypting large files without irretrievably corrupting them.

"Though slower to complete its malicious tasks on the victim device than when it was simply destroying files, the malware finally operates as expected, with files of all sizes being properly encrypted by the malware and retaining the potential to be restored to their former unencrypted state," researchers noted.

A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.

"Malware-as-a-service \[MaaS\] is a popular model these days; however, a unique selling point for Chaos is that up until the rebrand to Yashma, all releases have been free," Valenzuela notes. "That said, the Yashma versions are still only $17, making the ransomware widely accessible."

Yashma incorporates two advances over the fifth version: the ability to prevent the ransomware from running depending on the language set on the victim device, and the ability to stop various services.

Regarding the latter, Yashma terminates the following:

*   Antivirus (AV) solutions
*   Vault services
*   Backup services
*   Storage services
*   Remote Desktop services

Both of these versions have seen little action in the wild to date – meaning that Chaos ransomware attacks will most often incorporate a destructive wiper dimension. But it's likely that binaries based on all of the iterations of the builder will become more common over time.

"What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability," researchers noted in the report. "As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims."

**Every Business Is a Target**

Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps required to generate a binary of one's own are straightforward.

"No organization or industry is exempt from this risk," he said. "Every business needs to have a good defensive strategy – including a tested defensible architecture with a combination of technologies that provide prevention, visibility, and detection coverage, as well as continuous monitoring augmented with up-to-date threat intelligence – to respond early in the attack chain."

Valenzuela adds, "We have seen how many businesses have been compromised for days or weeks before the detonation of the ransomware payloads, so being able to respond to threats quickly is paramount to lessen the impact of these attacks."

New Chaos Malware Variant Ditches Wiper for Encryption

The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.

The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.  

ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today’s enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.

“The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications,” Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. “Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate.”  

In this case, the malware is using malicious optimal disc image (ISO) files — often hidden in cracked or pirated versions of software or games — to take over the browser and redirect it to display bogus search results in a malvertising scheme.  

Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader’s abuse of PowerShell, combined with the use of ISO files, make ChromeLoader particularly aggressive.

“PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks,” explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. “Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform.”

He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.

**Infecting the Browser Helps Bypass Security Measures**

Parkin adds that with so many applications being now browser-based, it’s a logical place for cybercriminal to put their malicious code.

In addition, the browser is an application that is not monitored by most security programs, and extensions are usually not scanned by most endpoint protection solutions to determine whether they are malicious.

“By infecting the browser, the attacker gets around a number of security measures, such as traffic encryption, that would otherwise impede their attack,” Parkin says. “It’s like adding a malicious hard drive to your system.”

Having access to a browser provides attackers access to victim data and could, in some cases, provide the opportunity to perform actions on the compromised person's behalf. With such easy access and high-value information inside browsers, malware operators can achieve big results for minimal effort.

To boot, ChromeLoader's capabilities do not end with installing malicious extensions — it could carry out more advanced attacks as well.

“Most security tools don't detect it,” says Talon's Bobrov. “The fact that ChromeLoader abuses PowerShell makes it incredibly dangerous, since this can allow for more advanced attacks, such as ransomware, fileless malware, and malicious code memory injections.”

He adds that ISO files can hold a lot of data, so there's plenty of room for malware to hide. In addition, these files are confusing for end users and have some automatic actions that the operating system might perform.

**Cyber Hygiene, User Education Needed to Stop Malicious ISO Files**

Bobrov says that to prevent exposure to malicious ISO files, the first step is related to basic cyber hygiene: You need to understand and trust the data you download and where you download it from.

“Do not launch ISO files that are not from trusted sources, and never run files inside ISO without verifying their safety,” he advises. “When browsing the Internet, make sure you have security controls in place to help monitor the websites you browse and help protect you from malicious content.”

From Parkin’s perspective, user education is a good first step to prevent exposure to malicious ISO files, which includes teaching users to be wary of downloading suspect files. (Any cracked software falls into this bucket.)

“Beyond user education, admins can deploy tools and enforce policies that restrict mounting ISO files, though that may be a challenge in \[bring-your-own-device\] BYOD environments,” he says.

A step beyond that is using remote desktop environments such as VNC, Citrix, or Windows Remote Desktop, which can shift policy enforcement back into the IT admin’s hands.

ChromeLoader Malware Hijacks Browsers With ISO Files

Here's how physical security teams can integrate with the business to identify better solutions to security problems.

The responsibilities of physical security teams have expanded well beyond traditional security roles. However, these security teams all too often are seen only as a cost center instead of being recognized as risk management professionals who can help move the business forward in areas far beyond "guns, guards, gates, and locks."

The same knowledge, skills, and abilities that help your security team excel when dealing with high-stress, high-anxiety physical security risks and threats can be focused to help confront other risks your business is facing. In fact, your team may already have significant knowledge and skills to handle risks that may not fall directly within the physical security realm, such as insider threats, third-party risks, cybersecurity risks, operational risks, and personnel issues.

Here are some tips to help security leaders reimagine how physical security teams can integrate with other business areas to find better solutions to the security problems their organizations are facing.

**Connect With the Business to See the Big Picture  
**Expanding collaboration with counterparts in other business divisions — specifically, HR, legal, information technology, compliance, and risk management — can help security teams connect their day-to-day contributions to the larger goals and successes of the organization. It's pretty clear that when we connect security to the organization’s larger risk management strategy, the organization will be able to leverage the unique perspective of physical security risk managers to find effective solutions to other problems. It starts, as with many major improvements, with conversations across the organization among multiple stakeholders.

Indeed, it’s crucial for the engagement between security and its counterparts to be a two-way dialogue. When there is mutual understanding between the physical security team and other counterparts in the organization, that knowledge can motivate all sides to find more common-sense solutions and compromises that everyone can get behind.

**Learn Something New  
**How much does your team know about other areas of the business or about the industry? In some cases, having additional knowledge and skills could be the difference between managing risks with a business-as-usual mindset and creating an innovative solution that could save your team time and resources. Encourage your teams to learn new skills, get training to accomplish a goal, or explore new tools helps keep everyone engaged and looking at their work with fresh eyes. Even a few hours spent learning a new skill in an online learning platform like LinkedIn Learning or Udemy can create enormous time and resource savings. Where possible, create opportunities for individuals to share their knowledge with others to reinforce their own learning and help motivate more growth throughout the team.

**Use Technology More Effectively  
**Physical security teams are investing more resources in technology solutions that help identify and monitor threats, streamline and automate workflows, and protect personnel and resources. These solutions should ultimately make your team more efficient and effective, but that's possible only if team members understand a tool's features and know how to use them correctly. The right technology can provide a tactical advantage and instill greater confidence in times of uncertainty.

Encourage your team to spend time learning about the technology products they use, as well as the most efficient and effective ways to use them. In addition, use these opportunities to consider how the information and data your team is collecting could assist others within the organization. Many security-focused tools and platforms contain useful data and features that other departments would find valuable as they work to manage similar threats or investigate emerging problems. Ensuring that data and tools are shared with the appropriate stakeholders could save your organization money and your team time.

**Demonstrate Value  
**As security teams have taken on more responsibility and managed a more comprehensive threat landscape, they have increasingly sought a seat at the executive decision-making table. While those in executive protection may naturally have greater access and be received more readily by those at the top, at too many organizations, the physical security team is still viewed through the antiquated lens of a cost center, solely focused on physical safety and security threats.

While upskilling the staff and integrating the security team into broader risk management functions will help the security team get its seat at the table, It's critical for security teams to create metrics that measure their activities, develop baselines, and document improvements over time. This can be challenging for physical security teams that successfully prevent problems — after all, it’s difficult to prove your team is effective and valuable if nothing happens — but it is possible.

I'll give you an example that came up in a recent discussion of security professionals hosted by Ontic. A security team initiated a conversation with its real estate and risk management team and found that they tracked metrics on the financial impact to the organization when and if specific buildings saw their operations disrupted. What’s more, a few buildings suffered from a disproportionate number of false fire alarms that disrupted operations. The security team worked with others to swap smoke detectors for heat sensors, resulting in a drastic reduction in false alarms. This resulted in a documentable reduction in costs to the organization.

**Conclusion**  
Physical security teams can (and should) be much more than a cost center. By focusing efforts on training, collaboration, and value demonstration, physical security teams' reach and impact will help move the organization forward.

Physical Security Teams' Impact Is Far-Reaching

The Colonial Pipeline attack highlighted the risks of convergence. Unified security provides a safer way to proceed.

This month marks the first anniversary of the Colonial Pipeline shutdown — a hugely impactful ransomware attack against critical US infrastructure that has had significant diplomatic and legislative consequences. Among the numerous talking points the attack raised was the issue of IT/OT convergence.

The attack, orchestrated by ransomware group DarkSide, targeted the pipeline's IT billing systems rather than its operation technology (OT), but Colonial was still forced to shut down physical operations for several days. Despite its oil-pumping systems retaining functionality, Colonial believed the risk of continuing operations with an IT compromise was too great. This was largely due to the proximity of its IT and OT systems: Had the attackers moved laterally to the company's operational networks, they could have imposed a longer and more costly shutdown, potentially tampering with safety mechanisms and damaging equipment — even endangering the pipeline's employees.

The risk of IT attacks spilling over into OT has grown as the organizations operating these systems look to gain an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage, and more rapidly available to different administrators. At the same time, as the Colonial Pipeline instance showed us, it presents new risks and avenues for cyber disruption.

This is partly because most OT security tools today look at industrial systems in isolation — as a disconnected silo, separate to the rest of the business. The same is true of network security, email systems, and the cloud. And when many of these tools were being developed, there was nothing wrong with this approach. But as these digital environments converge, relying on disjointed point solutions to stop cyberattacks isn't effective, especially because a single attack can now target and traverse multiple fields of operation.

By unifying their security stack, defenders can use IT/OT convergence to their advantage and turn vulnerability into strength.

This requires a move away from tools trained on historical attacks and toward self-learning technology that can learn its digital surroundings from scratch, without any prior assumptions. By understanding the unique behavior of every IT and OT device — no matter how bespoke or complex the technology — this approach enables the detection of novel threats. By definition, a cyberattack causes a machine or user account to behave in a way it normally does not, and these deviations can be picked up, no matter where they appear.

**How Ransomware Groups Exploit IT/OT Convergence**

The risk of connecting cloud platforms to ICS was demonstrated in an attack against a European OT R&D investment firm last year.

Two of the firm's Industrial Internet of Things (IIoT) devices, which ran Windows OS and made regular connections to an industrial cloud platform, were compromised when they used the server message block (SMB) protocol to connect to an infected domain controller and read a malicious executable file. Security teams are often stymied by IIoT devices, which can lack CPUs, traditional operating systems, or sufficient disk space for putting security measures in place.

A malicious payload lay dormant for almost a month within the two IIoT devices, one of which was a human-machine interface (HMI) and the other an ICS historian. Darktrace's investigation showed that, while network segregation was sufficient to stop the attack's command-and-control (C2) communications on the HMI device, connections from the ICS historian reached around 40 unique external endpoints.

Both devices then wrote suspicious shell scripts to network servers and, finally, used SMB to encrypt files stored in network shares. A ransomware note was written by the ICS to targeted devices, and the attack was complete. This kind of attack life cycle, which demonstrates the limitations of network segregation and air-gapping, has been the basis for widespread concerns around IT/OT convergence.

No signatures or threat intelligence were associated with this attack, and so it flew under the radar of the company's traditional security tools. Only through self-learning technology from Darktrace was the security team able to gain full visibility into the attack.

**Riding the Changing Tides**

Reference architectures that rely on air-gapping ICS from IT are increasingly incompatible with the technological advancements many organizations are making in order to remain competitive. If attackers no longer view IT and OT as distinct, partitioned regions, neither should security teams.

It is possible for businesses to safely embrace interconnectivity, with all of its advantages, by adopting security that learns the business from the ground up to address sophisticated threats across both their IT and OT environments.

Unified security efforts reflect the reality of converging systems and ensure that no gaps are left for attackers to exploit. When the entire digital environment can be viewed through a single pane of glass and no single, exploitable system is left without protection, organizations will be able to interconnect systems without taking on undue risk.

Taking the Danger Out of IT/OT Convergence

Microsoft Dev Box will make it easier for developers and hybrid teams to get up and running with workstations already preconfigured with required applications and tools.

Microsoft's cloud-based developer workstation comes preconfigured with all of the required applications so that developers and hybrid teams have access to everything they need directly through the Web browser.

Microsoft Dev Box is a virtual machine that provides developers with a "ready-to-code" workstation, Microsoft said this week during Build 2022, its annual developer conference. Teams can configure images, assign or remove team members, and start coding on a new project without first dealing with a complex and time-consuming set-up process.

Application testing becomes easier, since each Dev Box can be set up to re-create a specific customer environment. Developers who have to support multiple versions of the same software can have multiple Dev Boxes and switch back and forth between different environments. There is no need to worry about software conflicts and dependency issues, the company says.

Dev Box is based on the same cloud foundations as Windows 365, which offers users Windows machines in the cloud. As a result, Dev Box has similar security benefits as Windows 365 Cloud PC, such as the fact that workstations will automatically be fixed up with the latest security updates and administrators can apply Azure’s access control and authentication policies to control how developers access Dev Box. IT administrators can manage Dev Boxes and Cloud PCs together in Microsoft Intune and Microsoft Endpoint Manager, wrote Kathleen Mitford, corporate vice president of Azure Marketing, on the Azure blog.

Dev Box can wind up making it easier to securely manage remote development teams. Since the developer is going through the Web browser to access the workstation, security teams don’t have to worry about the security of the physical device the developer is using or whether source code and other corporate intellectual property are being downloaded onto a personal device.

While Microsoft did not announce an exact release data for Dev Box, there is a waiting list for private preview.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Unveils Dev Box, a Workstation-as-a-Service

Massive merger will put Broadcom's Symantec and VMware's Carbon Black under one roof.

Semiconductor vendor Broadcom plans to buy cloud computing firm VMware for a whopping $61 billion in cash and stock.

Broadcom described the acquisition as part of its move to create a global infrastructure technology company. The company also announced that its Broadcom Software Group will be rebranded as VMware.

"VMware has long been recognized for its enterprise software leadership, and through this transaction we will provide customers worldwide with the next generation of infrastructure software. VMware's platform and Broadcom's infrastructure software solutions address different but important enterprise needs, and the combined company will be able to serve them more effectively and securely," said Tom Krause, president of Broadcom Software Group, in a statement. "We have deep respect for VMware's customer focus and innovation track record, and look forward to bringing together our two organizations."

Security-wise, the deal will bring Broadcom's Symantec security division and VMware's Carbon Black unit under one roof. Broadcom acquired Symantec in for $10.7 billion in August 2019, and VMware bought cloud-native endpoint security firm Carbon Black for $2.1 billion in October 2019. 

The deal is expected to close in Broadcom's fiscal year 2023, pending regulatory and VMware shareholder approvals.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading