There are more similarities between developing a professional athlete and developing a cybersecurity pro than you might expect.

Mike Mitchell, Vice President, Threat Hunt Intelligence, Intel 471

October 22, 2024

5 Min Read

Source: Augustas Cetkauskas via Alamy Stock Photo

COMMENTARY

What do professional sports and security operation centers (SOCs) have in common? Before I became a cybersecurity professional and after my baseball career with the Colorado Rockies, I would have said nothing at all. As I've navigated the cybersecurity industry over the past 10-plus years, I've identified three core tenets that form the foundation of successful SOCs and championship baseball teams: leadership, preparation, and collaboration. 

Early in my baseball career, my high school coaches taught me valuable lessons about the importance of leadership, and showed me one of the most effective ways I've seen it applied. Managers of a baseball team are much like managers of a SOC, in that they both must build and manage effective teams consisting of wildly different personnel, personalities, and challenges. It's how they choose to lead their teams that truly sets them apart from a "day-to-day" manager.  

The best managers I've had in cybersecurity and in baseball were all prior practitioners who led by example and used every opportunity as a teachable moment. In baseball terminology, these leaders were "player's coaches," meaning they had a visceral understanding, knowledge, and passion for the game based on their own experiences but still demanded excellence from each of us. SANS Institute recently published a blog post about becoming a leader in the SOC, stating, "A leader doesn't necessarily need to be able to perform all the specialized activities covered by the team, they should understand the responsibilities of each team member and know what it's like to walk in their shoes."  

Managers that take this approach allow team members to succeed, fail, and learn from their mistakes, while knowing their leadership can commiserate with their shared experiences. Being a leader takes more than just setting a lineup or creating a SOC process; it's about ensuring the team knows you are invested in their growth, and can be an example of the time, effort, and skills it takes to be an effective SOC analyst. 

**The Importance of Team Building**

The University of Virginia (UVA) baseball program changed my perspective on the significance of team building and what it means to create a culture that embodies teamwork and preparation as a foundational focus. These experiences drilled home the concept of "battling" for each other, knowing everyone's strengths and weaknesses, and allowed us to overprepare for the actual game. SOC managers, leveraging well-designed tabletops exercises, can offer the same level of "game-like" intensity, high-pressure situations, and team-building atmosphere. By engaging the security analysts, threat intelligence analysts, engineers, and incident responders, tabletop exercises enable SOCs to battle test their playbooks, effectively communicate, and validate their processes, all while developing teamwork and bolstering their trust in one another. The Cybersecurity and Infrastructure Security Agency (CISA) offers some amazing resources that can be used to build effective tabletops centered around a variety of different generic scenarios. However, organizational-specific scenarios allow SOCs to design tabletops that are unique to their risk profile, infrastructure, and protected assets. For example, if the company is in the financial industry, it may practice and drill on scenarios related to information stealers or ransomware groups targeting access for monetary gain. When it's "game time" and a real-world incident affects that organization, the SOC will be ready to tackle anything the threats throw at them. 

After my fourth year at UVA, I was extremely fortunate to be drafted by the Colorado Rockies, and during my career, I witnessed how collaboration can foster championship teams. Communication and information sharing between team members or departments are integral for successful collaboration. In a highly skilled environment like professional baseball or a mature SOC, everyone wants to be the one the manager leans on to get the job done. This competitive nature can sometimes lead individuals to isolate themselves so that their abilities and knowledge stay wholly unique to their skill set. However, I've experienced on the field and in the SOC individuals who put their pride aside and continually took time out of their day to share their knowledge to help upskill and provide guidance to their fellow teammates. 

**Working Together**

SOCs that encourage interpersonal communication between their analysts, threat hunters, engineers, or incident responders develop a team that understands the roles and responsibilities of every other team member, and can use that knowledge to help streamline or assist in more effective ways during an incident. SOCs can also establish collaborative environments by creating and executing a collective game plan against their opponents. Professional baseball organizations have advanced scouting groups that collect as much information as possible about the opposing team, including pitching/hitting tendencies (behaviors), and who and how they are going to pitch to hitters (tactics). By leveraging an intelligence-driven approach, the SOC can also achieve an effective collaborative environment. Cyber threat intelligence (CTI) acts like the advanced scouting group by gathering as much information about the threats, actors, tactics, techniques, and procedures (TTPs), and behaviors to effectively profile their organizational risk and priorities. Those priorities are then communicated to different teams like threat hunting, detection engineering, and security engineers, allowing them to work as a collaborative unit and communicate based on actionable intelligence.  

Reflecting on my time in baseball and in cybersecurity, there are more similarities than I expected between developing into a professional athlete and a cyber professional. Through my journey in both careers, I've worked with amazing individuals that led by example and were more than just a manager. They instilled in me the importance of preparation and the significance of building a culture of teamwork. These collaborative environments have allowed me to not only learn from my managers but also establish long-lasting relationships with my peers and teammates. 

**About the Author**

Vice President, Threat Hunt Intelligence, Intel 471

Mike Mitchell is Vice President, Threat Hunt Intelligence, of Intel 471. Prior to joining Intel 471, he was a co-founder of recently acquired threat hunting provider Cyborg Security. While at Cyborg, he was a cross-functional founder focused on technical implementation, sales, product architecture, and managing the content development team and its deliverables. Mike has more than 12 years of diverse cybersecurity experience in roles including senior solutions and security engineer, director of sales engineering to co-founder of Cyborg Security. Before his career in cybersecurity, Mike spent a number of years in pro baseball with the Colorado Rockies.

What Today's SOC Teams Can Learn From Baseball

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Need a push? A day for a cybersecurity professional can be full of adrenaline-pumping moments. Come up with a clever cybersecurity-related caption for the cartoon above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 13, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

A round of congratulations goes to Chris Potter, whose caption for September's "Tug of War" contest nailed first place:

Thanks to all who participated. Some noteworthy contenders included "…And here we have the top contenders for our CAPTCHA the flag tournament," "AI Race Condition," and "Artificial or Human, I’m not seeing any intelligence."

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: The Big Jump

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

Source: StudioProX via Shutterstock

Two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms — as well as government and political organizations — in what experts believe are attempts to pressure the Japanese government. The attacks came after lawmakers boosted the nation's defense budget, and its military conducted exercises with regional allies.

The two pro-Russian cyberthreat groups — NoName057(16) and the Russian Cyber Army Team — started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

In the latest spate of attacks, the groups targeted Japanese industry and government agencies after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military, says Richard Hummel, director of threat intelligence for Netscout.

"Japan had their elections last week, and the leader that took over is no fan of Russia and, in fact, has been very vocal about supporting Ukraine and sending aid," he says. "Japan is also working with the US military on joint exercises and ballistics missiles testing — these are the \[regional events\] that NoName057 will go after."

Related:Hong Kong Crime Ring Swindles Victims Out of $46M

With geopolitical rivalries with China and Russia heating up, Japan is in the midst of its largest military buildup since World War II. In December 2022, the nation unveiled a five-year $320 billion plan that includes long-range cruise missiles that could hit targets in China, North Korea, and Russia. The move marked a significant shift away from Japan's self-defense-only policy, with the government continuing the move by increasing military spending by 16% this year.

On Oct. 17, Japan's Deputy Chief Cabinet Secretary Kazuhiko Aoki said the government is investigating the DDoS attacks.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted government agencies and political organizations in Japan, Netscout stated in its analysis.

The Russian group "has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets," the analysis stated. "As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact."

Related:Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

**Hacktivists and the Resurgence of DDoS**

The attacks mark the latest shift in DDoS attacks. In the past, 85% to 90% of such attacks originated in the gaming world, with players targeting other players, Netscout's Hummel says. Over the past few years, while many hacktivism attacks amounted to little more than PR stunts, cybercriminals have increasingly used DDoS attacks to cause outages in business operations to support a cause or monetize a botnet — sometimes, both.

US authorities recently charged two Sudanese brothers — 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer — following more than 35,000 DDoS attacks during the past 18 months, which targeted government agencies, a major Los Angeles-area hospital, and technology companies. The US Department of Justice charged one of the two brothers with three counts of damage to a protected computer, and the indictment included his message taking credit for "any damage to the hospital ... and their health systems + any collateral damage," according to a federal indictment.

The impact of a DDoS attack on the ability of connected medical devices to operate means that increasingly they will have physical impacts, Hummel says.

Related:DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The brother was "charged with essentially attempted murder, because they were taking down hospital infrastructure where people needed life-saving technology," he says. "If the Internet goes down, then \[these connected medical devices\] stop functioning, they stop checking in."

**Definitively Russian? Nyet**

Both NoName057 and the Russian Cyber Army Team obviously pursue priorities expressed by the Russian government, but that does not necessarily mean they are a military or intelligence agency operation, Hummel says.

Overall, the groups have claimed 60 attacks against 19 different targets in the weeks following the criticism of Japan's accelerated military buildup by Russia's Minister of Foreign Affairs. In a Telegram post, NoName057(16) confirmed the link.

"Particular discontent was caused by the participation of non-regional NATO member countries in the maneuvers, which, in Russia's opinion, increases the threat and is unacceptable," they stated in the Telegram post (machine translated from Russian). "We punish Russophobic Japan and remind you that any measures directed against Russia may end badly."

The groups' attacks against Japan match with previous targeting against any critic of Russia or its strategy, Hummel says.

"I can't say definitively if they are part of the Russian government ... or if any agency is giving them direct instructions," he says. "What I can tell you is that all of the targeting is against groups that are anti-Russia or anti-Muslim. And oftentimes, it's usually going to be in that political sphere when people are vocal about their support of anybody against Russia."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia-Linked Hackers Attack Japan's Govt, Ports

These types of "long-lived" credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

Source: Artur Marciniec via Alamy Stock Photo

Almost half of organizations have users with "long-lived" credentials in cloud services, making them more likely to be victimized in a data breach.

Long-lived credentials are authentication tokens or keys in the cloud that remain for a long period of time — sometimes valid and sometimes not — ultimately causing major data breaches where attackers have a lengthy open window to compromise credentials.

In Datadog's 2024 "State of Cloud Security" report, the researchers found that long-lived credentials are a widespread issue across all major cloud services, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. Not just that, but many of these are even unused, and often are leaked in source code, where they can open access to images and build logs and application artifacts, never expiring and becoming major security risks. 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have an access key older than one year, the researchers found.

Ultimately, organizations struggle to manage these types of credentials, especially at scale, so the researchers at Datadog recommend that long-lived credentials be avoided altogether in order to mitigate this issue. 

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. "To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."

**About the Author**

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

The networking company confirms that cyberattackers illegally accessed data belonging to some of its customers.

Source: Sergiy Palamarchuk via Shutterstock

Cisco has disabled public access to one of its DevHub environments after threat actors downloaded some customer data from the site and put it up for sale on a cybercrime forum.

The compromised data included source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to some large companies, including Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP.

**Data Heist From Public-Facing Environment**

News of the breach first surfaced a week ago, when researchers spotted three threat actors using the monikers IntelBroker, EnergyWeaponUser, and zjj, putting up the data for sale on BreachForums. IntelBroker is a known Serbian entity that began operations in 2022 and is linked to several major data heists, including ones at Europol, General Electric, and DARPA (Defense Advanced Research Projects Agency).

Cisco announced it was investigating the incident on Oct. 15. Three days later, the company confirmed the security incident in an update that offered little detail on the kind of data that the attackers managed to access and download.

Cisco's own systems appear not to have been affected in the incident. "We have determined that the data in question is on a public-facing DevHub environment — a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," Cisco's advisory noted. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."

The company said that, at the moment, there is no evidence the attackers illegally accessed any personal identity data or financial information, but it added that it was still investigating that possibility. "Out of an abundance of caution, we have disabled public access to the site while we continue the investigation," the company said.

In their BreachForums post, the threat actors claimed the data they downloaded from Cisco's DevHub site included GitHub and GitLab projects, source code, Jira tickets, container images, data from AWS storage buckets, and at least some confidential Cisco information.

**Reminder: The Need to Secure Public-Facing Assets**

The Cisco incident is a reminder why organizations need to protect public-facing environments with measures like input validation to protect against injection attacks, strong authentication tools and processes, and regular vulnerability assessments, says Jason Soroko, senior fellow at Sectigo.

Common mistakes organizations make when it comes to securing their public-facing assets include neglecting OWASP guidelines, underestimating security risks, failing to update systems regularly, and not prioritizing secure coding practices, Soroko says: "Don't forget to back up your website code and practice restoring it. Malware detection tools are available that make it easy to regularly scan."

Organizations can sometimes tend to perceive their public-facing assets as less critical when, in reality, they can expose sensitive information that attackers could use for future intrusions, he adds. The data that the attackers obtained in the Cisco incident, for instance, included source code, API tokens, certificates, and credentials that attackers could potentially leverage in a significant way in a future campaign.

Eric Schwake, director of cybersecurity strategy at Salt Security, says various factors contribute to sensitive data ending up on an organization's public-facing environments. "This can occur due to accidental misconfigurations of access controls, human errors in code or file management, inadequate security testing before deployment, or the compromise of third-party services," he says. These oversights can lead to the exposure of sensitive data and create potential entry points for attackers.

Schwake recommends that organizations implement a multilayered security strategy to reduce this risk. "This involves enforcing strict access controls, promoting secure coding practices, conducting thorough security testing, building posture governance standards, and performing regular security assessments," he says. "Using secrets management solutions and continuous monitoring tools can further improve security and protect against unauthorized access to sensitive information."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Disables DevHub Access After Security Breach

This latest breach was through Zendesk, a customer service platform that the organization uses.

Source: Postmodern Studio via Alamy Stock Photo

Just a few days after the Internet Archive told the public it was getting back on its feet after a data breach and a barrage of distributed denial-of-service (DDoS) attacks forced it to go offline, the digital library website is once again in trouble.

Unknown bad actors have allegedly claimed access tokens to the archive's Zendesk implementation, using them to send a mass email on Oct. 20 to those who tried to interact with the archive's platform.

The email began as follows:

"It's dispiriting to see that even after being made aware of the breach two weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their GitLab secrets," the hacker stated. “As demonstrated by this message, this includes a Zendesk token with perm\[ission\]s to access 800K+ support tickets sent to \[email protected\] since 2018." 

The email continued, "Whether you were trying to ask a general question or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else."

Though it can’t be said for certain, Chris Hickman, chief security officer (CSO) of Keyfactor, said the hacker may not have serious malicious intent, but instead wants to prove a point: that those in charge of the Internet Archive must be more proactive in protecting its network from those who would do much worse.

"This is a security oversight as tokens that are not rotated regularly have longer lifespans, increasing the window of opportunity for attackers to steal and misuse them," Hickman wrote in an emailed statement to Dark Reading. "If a token is not rotated correctly, it might expire, leading to authentication failures for legitimate users. If a malicious actor obtains an unrotated token, they could use it to gain unauthorized access to systems or services, leading to service disruptions and customer frustration, damaging a company's reputation and bottom line."

The organization hasn't made any public comments regarding the latest breach, but it did request donations last week to help support its endeavors of promoting open access to knowledge resources.

Internet Archive Gets Pummeled in Round 2 Breach

The emergence of novel anti-detection kits for sale on the Dark Web limit the effectiveness of a Chrome browser feature that warns users that they have reached a phishing page.

Source: Rawpixel via Shutterstock

Cybercriminals have found a new way to get around what has been an effective deterrent to phishing attacks, with novel anti-bot services sold on the Dark Web that allow them to bypass the protective "Red Page" warning in Google Chrome that alerts users to potential fraud.

The anti-bot services aim to prevent security crawlers from identifying phishing pages and blocklisting them by filtering out cybersecurity bots and disguising phishing pages from Google scanners, according to new research published today by SlashNext.

They do this by rendering ineffective the Red Page, a feature of Google Safe Browsing — which itself is a feature of Chromium-based browsers and other Google services — that aims to protect users from harmful websites by warning them of potential dangers, such as phishing attempts. The page is so-named because it is displayed in red and provides a warning that a site to which someone is navigating may be deceptive, advising them to avoid it.

In doing so, the warning can "severely" limit "the potential success of phishing attacks," according to the post, providing "a massive hurdle" to threat campaigns. That's because these campaigns rely on high click-through rates, which is significantly lowered when Google's detection flags a phishing page and adds it to a blocklist.

Now various anti-bot services found on the Dark Web, such as Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, "threaten to undermine this line of defense, potentially exposing more users to sophisticated phishing attempts," according to the post.

**How Anti-Bot Services Work**

Though each service has its own unique features, they are all based on a combination of several techniques that allow malicious content to bypass Google's Red Page feature. Most rely on bot detection mechanisms that analyze user-agent strings and IP addresses to filter known security bot traffic that would otherwise be blocked, according to SlashNext.

"Public lists of cybersecurity crawlers are widely available (for example, Shodan), making it easy to filter known security bot traffic," according to the post. "Once an IP address or user-agent is flagged as a security crawler, it is blocked, ensuring the page remains accessible to real users but hidden from cybersecurity entities."

The services also use cloaking techniques such as context-switching or JavaScript obfuscation to serve different content based on the visitor’s profile. These techniques effectively redirect security crawlers to benign content while directing a user to a phishing page.

Another common feature of the anti-bot services is to introduce CAPTCHA or challenge pages to filter out automated scanners that typically would analyze a webpage for malicious content. "Since most bots cannot solve CAPTCHAs, this technique effectively blocks them while allowing real users through," according to the post.

Some anti-bot services might even introduce a time delay, which further confuses security bots by making them "time out" before they can scan the page and thus warn users of a potential security threat.

They also can bypass the Google Red Page by delivering region-specific content and blocking foreign traffic, according to SlashNext. For example, if a phishing campaign is targeting a Korean bank, the service might allow only Korean traffic to visit the site while blocking foreign IP addresses, the researchers noted. Moreover, these methods can get extremely specific in terms of geography, even narrowing campaigns down to the city level, which would prevent international cybersecurity services from detecting the page entirely, according to the post.

**Not Completely Foolproof**

While these anti-bot services can significantly reduce the scope of Google Red Page, they do have their limitations, the researchers noted. The malicious services work best in less sophisticated phishing campaigns because they can identify and block known crawlers in the user-agent string — where many security vendors declare their bots and crawlers, the researchers noted.

"This allows cybercriminals to filter out bot traffic, prolonging the lifespan of phishing campaigns," according to the post. However, in more sophisticated phishing operations, manual analysis by analysts will eventually detect the page, leading to its inclusion on blocklists.

Still, anything that can limit the detection of phishing by end users is a threat to the overall security, not just of individuals but also enterprises. That's because despite being one of the oldest forms of cybercrime, phishing is still one of the primary ways attackers gain initial entry onto corporate networks to perform other types of malicious activities, such as ransomware attacks.

Moreover, the rise in the availability of phishing kits that make it easy for attackers to create campaigns, the growing sophistication of phishing tactics and now the emergence of anti-bot services make detection by individuals and defenders more complex.

The best defense against the use of anti-bot services to bypass Google Red Page is to use security platforms that can detect threats in real-time across email, mobile, and messaging apps with as much accuracy as possible, according to SlashNext. Aforementioned manual analysis of phishing pages and the subsequent addition of malicious sites to blocklists also can prevent these services from being effective.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

The future of application security is no longer about reacting to the inevitable — it's about anticipating and preventing attacks before they can cause damage.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

In my years managing security in complex environments, I've seen how threats and defenses evolve, but application security has proven a very tough nut to crack. What excites me today is the significant progress we're making in closing long-standing gaps in AppSec, and I would argue that application detection and response (ADR) is leading the charge. 

**A Fresh Take on an old Problem**

Historically, application security has been reactive. Tools like firewalls, endpoint protection, and network monitoring have been crucial, but they've often missed the critical component of the application layer itself. As our applications have transformed into interconnected ecosystems, it's become clear that traditional security measures aren't measuring up. 

The paradigm shift of ADR, which hinges on transforming AppSec from reactive to proactive security, is finally moving the needle. Instead of just detecting threats, new ADR solutions are providing deep insights into application behavior in real-time, allowing us to get ahead of potential issues. It offers unprecedented visibility and response capabilities across distributed architectures, enabling continuous monitoring of runtime behaviors, anomaly detection, and rapid incident response. This shift not only enhances our ability to identify and address threats promptly but also significantly reduces incident response times. 

**Real-Time Visibility Is a Game Changer**

One of the most frustrating aspects of securing modern applications has always been the lack of real-time visibility. Traditional tools offer only a snapshot of an application's security at a specific moment, leaving us blind to what's happening during runtime. ADR integrations are changing this dynamic by utilizing data that's already being collected and turning it into actionable insights. 

It is now possible to continuously map out applications as they evolve, monitoring data flows, API interactions, and third-party integrations. This offers new capabilities to identify potential vulnerabilities and misconfigurations in real-time as applications scale or change in production environments. For instance, the discovery of the ALBeast vulnerability, a critical weakness in AWS's Application Load Balancers (ALBs), was made possible by real-time configuration analysis. This is yet another critical issue that would have otherwise gone unnoticed without ADR tools.

**Proactive, Not Reactive**

Previously, security often meant reacting to issues after they occurred. ADR allows us to get ahead of threats, providing security teams with context about how applications behave and where weaknesses may lie. It doesn't just stop at identifying anomalies, it helps us understand why those anomalies matter and how to address them effectively. 

What excites me most about this is how today's ADR pioneers are complementing existing security measures, like Web application firewalls (WAFs) or authentication controls. These tools often generate large volumes of alerts, many of which turn out to be false positives. With ADR tech, we can cut through that noise, prioritizing threats based on application-specific context and focusing on what really matters. The pragmatist in me is also thrilled to see how ADR enhances the effectiveness of these tools, ensuring that every part of a security stack operates at its full potential. 

**Securing Distributed, Cloud-Native Applications**

As we build more distributed and cloud-native applications, the complexity of these systems will continue to grow. These architectures provide incredible flexibility and scalability, but every integration also opens new attack surfaces. ADR is a field built for this environment, by capitalizing on the wealth of insights provided by runtime behavior across microservices, APIs, and third-party integrations. Application performance and identifying misconfigurations or vulnerable code paths can now be found within a moment. 

**Why Now?**

The timing for the budding ADR market couldn't be better. As the threat landscape continues to evolve, adversaries are getting more sophisticated, targeting weaknesses at the application layer that traditional tools can't catch. We're seeing new types of attacks that exploit the growing complexity of our applications, and ADR allows us to address these threats head-on. By integrating ADR tools and principles into our strategies, we not only respond more quickly, we also enhance overall security across the industry. 

I would also be remiss to downplay another key role of ADR — facilitating better collaboration between development and security teams. With real-time visibility into both the development and runtime phases, security doesn't have to feel like a roadblock anymore. Instead, it's becoming a continuous process that extends throughout the application life cycle. 

**Looking Forward**

While no solution is a silver bullet, ADR represents a significant step forward. By offering a clear window into how applications behave at every stage, we can finally move away from reactive, best-effort security to data-driven, proactive protection. 

For those of us responsible for securing today's complex environments, ADR signifies a much-needed evolution. The future of application security is no longer about reacting to the inevitable; it's about anticipating and preventing attacks before they can cause damage. 

As a chief information security officer, that's a future I'm genuinely excited about. 

**About the Author**

Vice President & CISO, Paychex

Bradley Schaufenbuel is the vice president and chief information security officer at Paychex, a recognized leader in the payroll, human resource, and benefits outsourcing industry.  

With more than 20 years of industry experience, Bradley is a recognized security professional with significant expertise in information security management, IT compliance, fraud examination, IT audit, computer forensics, ethical hacking, business continuity planning, project management, cloud security, and process improvement.  

Prior to Paychex, Bradley served as vice president and chief information security officer at Paylocity. Previously, he served as Director of Information Security at Midland States Bank, senior vice president and chief information security and privacy officer at Midwest Bank, senior manager of IT risk and security at Zurich Financial Services, and held senior security positions at Experian and Arthur Andersen. He is licensed to practice law in Illinois and is a member of the United States Supreme Court Bar.

Why I'm Excited About the Future of Application Security

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

The European Union adopted a new law setting EU-wide cybersecurity requirements for connected devices to ensure their safety.

Source: Deco via Alamy Stock Photo

The Council of the European Union adopted the Cyber Resilience Act earlier this month, a new law that will ensure that connected devices – including consumer products such as smart doorbells, televisions and toys, as well as commercial devices such as IP cameras – meet new cybersecurity requirements before going to market. 

The new regulations establish an EU-wide framework that encompasses design, development, production and the sale of hardware and software products that connect either directly or indirectly to another device or network. 

The law enhances existing cybersecurity legislation, making regulations more coherent and ensuring that “Internet of Things” (IoT) products are secure from supply chain to end-of-life. It applies to all products connected either directly or indirectly to another device or network.

CRA is designed to allow consumers to make informed decisions when shopping for connected digital products by making it easier for them to identify hardware and software with proper cybersecurity features. New products will be labeled with “CE” to signify they meet the requirements. Products that are already regulated by existing EU rules like medical devices, aeronautical products and cars are exempt from the new regulations.

In the coming weeks the legislative act will be signed by the presidents of the Council and of the European Parliament and be published in the EU’s official journal. The regulation will enter into force 20 days after publication and apply 3 years later, in 2027, although some provisions will apply at earlier stages. 

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Source

DARKReading