The group has used more than 30 custom tools to target high-value government and telecommunications organizations on behalf of Iranian intelligence services, researchers say.

Source: Christophe Coat via Alamy Stock Photo

An advanced persistent threat (APT) tied to Iran's Ministry of Intelligence and Security (MOIS) is providing initial access services to a bevy of Iranian state hacking groups.

UNC1860 has been the gateway for attacks by notorious groups like Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaching and establishing a foothold in potentially valuable networks across high-value sectors — government, media, academia, critical infrastructure, and particularly telecommunications — then handing over access to other Iranian nation-state actors.

Over the years, UNC1860 has teamed up for attacks against targets in Iraq, Saudi Arabia, and Qatar; aided in espionage of Mideast telecommunications companies; prepared the ground for wiper attacks in Albania and Israel; and more.

**UNC1860's Many Backdoors**

In March, Israel's National Cyber Directorate warned that wiper attacks were striking organizations across the country, including managed service providers, local governments, and academic institutions. Among the indicators of compromise (IoCs) were a Web shell called "Stayshante" and a dropper called "Sasheyaway," just two of around 30 custom malware tools managed by UNC1860, the Mandiant report explained.

UNC1860 isn't the one doing the wiping, or any other disruptive, destructive, or otherwise exploitative behavior in a target's network. Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations, then dropping a series of increasingly serious and sophisticated backdoors. 

Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors like "Templedoor," "Faceface," and "Sparkload." For its highest-value targets, UNC1860 will deploy its most sophisticated, main-stage backdoors like "Templedrop," or "Oatboat," which loads and executes payloads such as "Tofupipe" and "Tofuload," TCP-based passive listeners.

"To set up those listeners, they are not even leveraging regular Windows API calls — they actually leverage some undocumented tools of HTTP.sys, which is crazy," says Stav Shulman, senior researcher with Mandiant by Google Cloud.

"Most backdoors would leverage common API calling, so most engines would detect them," Shulman explains. "But if you are determined enough, and clever enough, and if you have extraordinary technical knowledge, you can leverage calls that are not documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse engineered them themselves, so that you won't detect their calls."

**UNC1860's Trick to Staying Undetected**

Besides its lack of destructive behavior, there's another reason why you hear about Scarred Manticore, Oil Rig, and Shrouded Snooper, but rarely UNC1860: All of UNC1860s implants are entirely passive. It doesn't send any information out from target networks, and doesn't need to maintain any kind of command-and-control (C2) infrastructure.

"Most detections today are very focused on outbound communications, but UNC1860 just focuses on inbound requests," Shulman says. "That inbound traffic they listen to can come from any number of stealthy sources \[including\] VPN nodes in proximity to the target, other victims of prior attacks, and other locations in a target's network."

In 2020, for example, the group was observed using one of its victims' networks as a launch point to scan for potentially vulnerable IP addresses in Saudi Arabia, vet various accounts and email addresses associated with domains in Saudi Arabia in Qatar, and target VPN servers in the same region.

And, as Shulman notes, "To escalate the operation, they only need to send one command at any random point in time to activate the backdoor." Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads.

Shulman advises organizations to focus on how best to vet incoming network traffic.

"How do we detect \[malicious traffic\]? How do we decide if incoming traffic is malicious or not?" Shulman says. "Because even \[when UNC1860 is abusing\] documented API calls that cybersecurity engines would catch, there's plenty of legitimate software that use these same calls, so detecting malicious calls could be very confusing and have lots of false positives. Focusing on the incoming traffic is the key, I think, for detecting UNC1860's activity."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Meet UNC1860: Iran's Low-Key Access Broker for State Hackers

The company has jettisoned hundreds of thousands of unused apps and millions of unused tenants as part of its Secure Future Initiative.

Source: JeanLucIchard via Shutterstock

Microsoft so far has eliminated some 730,000 unused applications and 5.75 million inactive tenants within its cloud environment as part of its sweeping Secure Future Initiative (SFI), designed to shore up security following a couple of major intrusions into its network over the past year.

The company has also deployed 15,000 new, locked-down devices for software production teams over the past three months and implemented video-based identity verification for 95% of its production staff. In addition, Microsoft has updated its Entra ID and Microsoft Account (MSA) processes for generating, storing, and rotating access token signing keys for public and government clouds.

**Secure Future Initiative**

The changes are part of a broader Microsoft effort to reduce its attack surface, strengthen cloud identity and authentication mechanisms, and boost its ability to detect and respond to threats. "Since the initiative began, we've dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history," said Charlie Bell, executive vice president of Microsoft Security in an update this week.

Microsoft launched SFI in November 2023, a few months after China's Storm-0558 breached the company's Exchange Online infrastructure and accessed email accounts across more than two dozen government agencies. Among those affected were senior officials working on US relations with China. In a second incident last year that Microsoft only discovered and reported in January 2024, Russia's Midnight Blizzard breached the company's corporate email accounts via a low-tech password spraying attack.

The US Department of Homeland Security's Cyber Safety Review Board (CSRB) conducted a fact-finding analysis of the Storm-0558 incident and concluded the intrusion stemmed from a "cascade of security failures at Microsoft" at a strategic and cultural level. The board made several recommendations for Microsoft to bolster cloud security, especially around identity and authentication.

Microsoft has identified six areas for improvement with SFI: identity and secrets; security around cloud tenants and production systems; protections for engineering systems; network security; threat detection and monitoring; and incident response and remediation.

**Sweeping Security Changes at Microsoft**

Bell's report this week provided an update on the progress the company has been making in each of those areas. The updates to Entra ID and Microsoft Account, for instance, are part of an effort to better protect critical signing keys for remote authentication, from misuse. Storm-0558 actors took advantage of a single, errant signing key and a vulnerability in Microsoft's authentication system to grant themselves the ability to access essentially any Exchange Online account around the world.

Similarly, the elimination of hundreds of thousands of unused apps and millions of inactive tenants are part of an effort to reduce the surface area for potential attacks against cloud tenants and production systems.

On the network security front, Microsoft has implemented mechanisms for improving visibility: The company now maintains a central inventory for more than 99% of physical assets on its production network. "Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement," Microsoft's Bell wrote.

To protect engineering systems, Microsoft has begun using centrally managed pipeline templates for 85% of its production builds for the commercial cloud, reduced the lifespan of personal access tokens to seven days, and disabled Secure Shell Access to internal Microsoft engineering repos. Proof of presence checks are now mandatory for critical points along Microsoft's software development process.

**Exec-Level Accountability**

This is the second update that Microsoft has provided on the progress the company has been making with SFI. A previous one in May focused largely on changes that Microsoft has been making at the organizational level to — among other things — hold executives directly responsible for security.

The changes the company has made at the organizational level include tying compensation for senior leadership to specific security goals and milestones, tying the threat intelligence team more tightly to the enterprise CISO's office, and requiring engineering and security teams to work together.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Trims Cloud Cyberattack Surface in Security Push

Some users complain they had no idea the switch would be automatic on their devices, vowing to uninstall the unwanted antivirus software.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Kaspersky has pulled back its anti-malware software from its US customers' devices, due to a ban put in place by the US Department of Commerce, and is now partnering with antivirus provider UltraAV to automatically replace the lost software. 

Kaspersky shut down its US operations and laid off its US-based employees after its June addition to the Entity List, a catalog of "foreign individuals, companies, and organizations deemed a national security concern."

The ban was first announced by the Biden administration in June, due to potential national security risks. Kaspersky then began emailing customers in September, assuring them that they would receive continued cybersecurity protection from UltraAV — the notice, however, reportedly failed to mention that the switch of software in user systems would be automatic.

Kaspersky has not responded to a request for comment.

**Roll Up the Welcome Mat**

Some users who experienced this update aren't pleased with the change. 

"I don't trust UltraAV for a few reasons," said one user on Reddit. "Not only do I not trust it but apparently I need to login to even do a system scan."

Another user thought that a virus had been installed on their system because they didn't know about the transfer and planned on uninstalling UltraAV. A third user agreed, stating that they had already switched to Bitdefender.

Kaspersky assures former customers, however, that it worked together closely with UltraAV to maintain security standards, and that the transition went into effect on Sept. 19 to ensure that "users would not experience a gap in protection upon Kaspersky's exit from the market."

However, if customers find themselves looking to ditch their new antivirus software, other users have posted step-by-step instructions as to how they got rid of their own — though while these methods have certainly been tried, it's unclear if they will remain true and keep the newly downloaded software out.

Kaspersky Rolls Back for US Customers, Makes Way for UltraAV

The $2.65B buy validates the growing importance of threat intelligence to enterprise security strategies.

Source: incamerastock via Alamy Stock Photo

Mastercard's $2.65 billion acquisition of Recorded Future has focused attention on the increasing value of cyber-threat intelligence (CTI) to enterprise security strategies.

Security experts in the space perceive the deal as validating the business criticality of CTI and accelerating its mainstream adoption.

**A Multibillion-Dollar Bet**

Mastercard on Sept. 12 announced it had agreed to acquire Recorded Future for $2.65 billion — nearly equivalent to the cumulative amount it paid in nine previous purchases of cybersecurity vendors. Mastercard has said it will leverage Recorded Future's threat intelligence capabilities to bolster its own anti-fraud capabilities and to strengthen the third-party services it delivers via previous acquisitions such as RiskRecon.

The deal is expected to close in Q1 of 2025.

Fernando Montenegro, an analyst with Omdia, says Mastercard's acquisition aligns with the financial firm's efforts to integrate multiple capabilities around its suite of anti-fraud services. "One of the key components of successful anti-fraud initiatives is accurate threat intelligence, so it makes sense for Mastercard to improve their capabilities there," Montenegro says. "I think the deal shows that threat intelligence can be immensely valuable not only to pure-play cybersecurity efforts, but to broader anti-fraud initiatives as well."

The Business Research Company expects demand for cyber-threat intelligence services to hit some $11.5 billion in revenue in 2024, and to more than double to $25.68 billion in 2028, at a compound annual growth rate (CAGR) of 21.7%. The analyst firm identified the primary growth drivers as an increase in the volume and sophistication of cyberattacks, cloud adoption, a constantly expanding attack surface, and increasing regulatory pressures. Others, like Statista think the market is currently even larger — $14.59 billion in 2023 — but have a more modest annual growth rate expectation of 14.7% between now and 2030.

**Validation for CTI?**

Beenu Arora, CEO and co-founder of Cyble, sees the pending transaction as further cementing the role of threat intelligence in business strategies. The rapidly changing and increasingly sophisticated threat landscape has increased the importance of intelligence on emerging threats, threat groups, and their tactics, techniques, and procedures, Arora says. Now perceived as a highly technical component of SecOps, CTI has moved to front and center of security strategy at a growing number of organizations.

"If you speak to any seasoned CTO, CISO, or chief executive, there’s always concern about how they can make the right decisions" around what assets to protect, how, and against whom, Arora says. "Over the last 10 to 15 years, I think there has been much greater awareness with regard to how threat intelligence can sit at the center of day-to-day decision making for the business, whether that’s managing risk, safeguarding assets, or using external intelligence to help guide business decisions."

Analyst firm IT-Harvest, which maintains a dashboard tracking the performance of more than 4,050 cybersecurity vendors globally, counts 123 vendors as currently engaged in the cyber-threat intelligence space. Of that number, 63 have experienced headcount growth this year. Mastercard's recent acquisition underscores the value these vendors can bring to enterprise security strategies, says Richard Stiennon, chief research analyst at IT-Harvest.

"I think the acquisition is good for the 122 other threat intelligence vendors whose prospects will improve in the eyes of investors," Stiennon says.

The $2.65 billion that Mastercard has agreed to pay for Recorded Future is roughly 6.5 times the latter's annual revenue run rate. While that valuation is less than the 10-times valuations that cybersecurity firms garnered back in 2021 and 2022, it still is a healthy number, Stiennon says.

Many of the organizations that deliver CTI services, such as Recorded Future, Group-IB Flashpoint, and Digital Shadows, are what might be regarded as pure-play vendors in the space. Others, such as Mandiant, CrowdStrike, Kaspersky, IBM X-Force, Cisco Talos, and Palo Alto Networks, deliver threat intelligence as part of a broader portfolio of security services. All these vendors use a combination of open source intelligence (OSINT) and information from proprietary sources to deliver their CTI feeds.

"The acquisition validates the widespread, growing recognition that threat intelligence is no longer a complement to an organization's security posture," says Josh Lefkowitz, founder and CEO of Flashpoint. Organizations and government agencies are using threat intelligence to combat ransomware, protect data, lock down supply chains, prioritize critical vulnerabilities, and protect their people and assets.

"I’m constantly speaking with security leaders at organizations that consider these applications of threat intelligence critical to their daily operations," Lefkowitz notes.

He adds that Mastercard's Recorded Future purchase is bringing attention to the board level of the business criticality of CTI.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Mastercard's Bet on Recorded Future a Win for Cyber-Threat Intel

Cyber ranges are a great way for cyber professionals to keep up on emerging threats and new technologies — while having a little fun.

Source: dpa picture alliance via Alamy Stock Photo

Staying on top of the evolving cyber threat landscape can be a challenge for cybersecurity professionals. The daily grind of the job leaves little time for mastering the latest threats and tools, but cyber ranges offer a way to keep skills fresh — and maybe have a little bit of fun at the same time.

Governments, universities, and workplace training organizations have been running these simulated training environments, which give users a place to practice using the networks, systems, tools, and applications they will encounter on the job, for more than two decades. Yet cyber ranges remain a vital tool in the arsenal of the cyber professional looking to stay on top of emerging threats and new technologies.

Most recently, last month the National Aviation University in Ukraine launched the Cyber Range UA, a virtual platform dedicated to simulating real-world attacks, as part of an effort to provide cybersecurity training in Ukraine. And last October the US Navy announced the opening of the Department of Defense's fourth cyber range, the National Cyber Range at Naval Air Station Patuxent River, dedicated to testing and training initiatives for aircraft, their subsystems, and supportive technologies. Its other cyber range facilities focus on the Air Force, submarines and ships, and mission-force training.

"On top of being the most capable, defense technology is also required to be cyber-resilient," said John Ross, deputy director of the National Cyber Range, part of the Naval Air Warfare Center Aircraft Division (NAWCAD), in a statement. "We harden warfighter systems by performing vulnerability assessments and recommending mitigations — ultimately preventing adversaries from stealing our data or defeating our technology."

**Cyber Ranges as a Business**

But cyber ranges aren't all wargames. In the private sector, the SANS Institute has been running its NetWars cyber range competition since 2009 for the wider cybersecurity community, and its free Holiday Hack Challenge has about 20,000 participants annually. SANS holds a variety of cyber range competitions for individuals and teams, all focused on making sure cybersecurity professionals are at the top of their game.

"How do you maintain mission preparedness? How do you make sure that you're ready on a continuing basis? That's where ranges come in," says Ed Skoudis, president of the SANS Technology Institute, who leads the team that develops cyber ranges for SANS.

The organization designs its ranges to build real-world skills in a gaming environment. Some of the ranges are designed to be completed in three to six hours, while others can be accessed over the course of four months, depending on the complexity and time commitment users and companies are able to make. SANS also builds custom ranges for clients who are looking to bolster specific skill sets or experience business-relevant training simulations.

"Sometimes customers will come to us with a very specific need," Skoudis says. "They need something with certain specific content, maybe a particular mix of cloud providers, a particular SIEM solution, or particular challenges associated with certain applications or SaaS offerings. They'll come to us, and we will create custom ranges for them."

The team members make sure they're up-to-date on the current threat and technology environments by working as cybersecurity consultants or range designers.

"We'll learn things from the real world, build it in the range, see people attacking it and dissecting it, and doing all kinds of things with it, and then we can take that and apply it in our consulting services," Skoudis says. "So it's this virtuous cycle of consulting and range building."

At the same time, the designers are working to make participation as entertaining as it is practical, no matter how well they do, he adds.

"We try to make our ranges fun," Skoudis says. "I want the person who came in 92nd place ... to say, 'I really enjoyed that. I learned from it. I had a good time. I am a better cybersecurity professional for having participated in that range, even though I came in 92nd place.'"

**Gamification for National Security**

Singapore's Home Team Science & Technology (HTX) agency recently commissioned a custom cyber range from SANS to help boost the skills of its practitioners in an engaging way.

"The gamification of cybersecurity helps to raise awareness of new attack surfaces from emerging technologies, such as artificial intelligence (AI), in a more engaging manner," says Tay Sze Ying, head of cyber threat intelligence and hunting, xCybersecurity, at HTX. "It also allows the participants to better understand how such emerging technologies are used in the field of homeland security and the potential impact they have on daily lives. We also hoped that the participating teams could, through this initiative, explore how AI is useful in investigating cyber incidents on Internet of Things (IoT) devices, such as drones and networked cameras."

Leadership at the agency was looking for innovative ways to benchmark the team's cybersecurity competency on both a local and international level, and senior management was excited by the idea of gamification when it came to homeland security use cases, Tay says.

The team's biggest struggles came from finding ways to complete the project in the tight time frame.

"During this journey, we had to quickly adapt to the dynamics of organizing a large-scale physical event, articulate homeland security contexts to the challenge developers, and even validate each of the technical challenges within the cyber range," Tay says. "This was a truly enriching and memorable experience. Now that we have experience in doing this, we will explore creating more innovative competition formats in the future."

**Cyber Ranges Built Right In**

Companies are also dreaming up new ways to leverage cyber ranges for training and to differentiate their offerings from the competition. For example, managed detection and response provider Critical Start has worked a cyber range feature into its dashboard so that customers can practice responding to system alerts in real time. The cyber range feature is available to all of Critical Start's managed service customers for free, but it's also a valuable sales and onboarding tool, says Chris Carlson, chief product officer at Critical Start.

"While we hook them up to the security tools, and while we onboard their MDR service, their analysts now can start looking at curated and anonymized real-world alerts and get started right away," Carlson says. "Now they can start to practice and be prepared when these alerts start happening."

The offering is something the company hopes will be a highlight for customers, as it gives an easy way to keep training and learning how to combat emerging threats while on the job. The company will continue to update the range as threats develop in the wild.

"There's not a lot of training that kind of happens to cybersecurity professionals, right? They have certain credentials, they get the job, and they're doing the job 50 hours a week, and there's no time to learn," Carlson says. "This is now a built-in capability in the same platform where they do their day job."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Target Practice: Honing Critical Skills on Cyber Ranges

After launching an investigation in February into vehicles made by foreign adversaries, the Biden administration is finally making its move in the name of national security.

Source: Daniren via Alamy Stock Photo

The US Department of Commerce (DoC) today announced a proposed ban on the software and hardware made by foreign adversaries, particularly that of China and Russia, used in connected vehicles on US roads.

"Connected" vehicles are those with onboard network hardware that allows for Internet access, permitting them to share data with devices both inside and outside the vehicle.

This move is reportedly due to national security concerns and would ban nearly all Chinese vehicles from the US market. It would also prohibit the testing of self-driving cars in the US by foreign adversaries as well as force American automakers to remove the software and hardware from these adversaries in their vehicles.

"When foreign adversaries build software to make a vehicle, that means it can be used for surveillance, can be remotely controlled, which threatens the privacy and safety of Americans on the road," Commerce Secretary Gina Raimondo said in a briefing, noting that foreign adversaries could cause crashes and block roads in extreme circumstances. 

This isn't the first time automotive cybersecurity concerns have brought up by the Biden administration, however. Back in February, the White House launched an investigation into whether Chinese vehicle imports were a threat to national security — it's now clear that the administration found its answer. 

A senior administration official reportedly confirmed that while nearly all Chinese cars and trucks will be banned, foreign automakers of concern will be allowed to seek out special authorizations to be exempted from such regulations.

The proposal is expected to make the software ban effective in the 2027 model year and the hardware ban in the 2030 model year or January 2029. The public will have 30 days to comment on the proposal, and the Commerce Department expects to have it finalized by Jan. 20.

**About the Author**

Commerce Dept. Proposes Ban on Automotive Software &amp; Hardware From China, Russia

Data discovery and classification are foundational for data security, data governance, and data protection.

Todd Thiemann, Senior Analyst, Enterprise Strategy Group

September 23, 2024

3 Min Read

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

When it comes to your sensitive data, not knowing where your crown jewels are located and ensuring they are adequately secured can have catastrophic consequences. Data resilience is the subset of cyber resilience focused on an organization's data assets. Security teams need a strategic approach to data resilience — understanding where their sensitive data stores are located and what's inside — to effectively secure their data. 

Data discovery and classification are foundational for data security, data governance, and data protection (backup and recovery). You can't secure what you don't know exists (discovery), and you need to know what is inside a data store (classification) to take appropriate action to mitigate your risk. 

My latest Enterprise Strategy Group research, conducted with my colleague Jon Brown, explores how enterprises are ensuring data resilience, which is the intersection of data security posture management (DSPM), data security (hardening data with encryption, masking, etc.), data protection (backup and recovery), and data governance. We surveyed 370 IT and cybersecurity professionals from midmarket and enterprise companies about data resilience and DSPM. In the fast-evolving DSPM space, the research found that the first phase of a DSPM deployment to locate, categorize, and establish policies around sensitive data took less than six months for 76% of the respondents, with the largest cluster being four to six months for more than 40% of those responding. 

DSPM vendors differentiate themselves on the time to value (TTV) for their offerings, and the different technologies probably have a significant impact on TTV. Implementing DSPM is like any other project in combining people, process, and technology. Much of the time required to operationalize a technology deployment comes from the people and process side of the equation. While the TTV varies, in talking to various chief information security officers (CISOs) and vendors, we found that the typical steps in a project are:

*   Align stakeholders and plan.
    
*   Identify exposed data stores and mitigate.
    
*   Identify data stores with critical data.
    
*   Classify data (cardholder data for PCI DSS, protected health information, personally identifiable information, information covered by GDPR) to your organization's categories (public, internal, sensitive, restricted.
    
*   Identify/delegate data owners.
    
*   Identify users with access to sensitive/restricted data and validate access is needed (the stale access problem).
    
*   Restrict access to need to know, least privilege.
    
*   Identify misconfigurations and mitigate.
    

*   Determine necessary security controls to protect data based on classification.
    

In speaking to both security leaders and DSPM vendors, the initial step of achieving stakeholder alignment and planning for the rollout is probably the most important to project success. Here are all the steps:

*   Engage key stakeholders: Start by aligning key stakeholders, such as GRC (governance, risk, and compliance), data teams, IT data protection, cloud architects, and security teams. Ensure that everyone understands the objectives, benefits, and their respective roles in the DSPM deployment process. Focus on the win-win. 
    
*   Define goals, definitions, and metrics: Collaboratively establish the goals of the DSPM initiative, such as reducing data exposure, achieving compliance, improving overall data security posture, or facilitating generative AI deployment. Arrive at what data is sensitive to the business and data classification definitions. Agree on key performance indicators (KPIs) to measure progress and success. Planning upfront avoids or minimizes friction as the project progresses. 
    
*   Secure executive buy-in: Present a clear case to constituents, highlighting the importance of DSPM in mitigating data risks, achieving regulatory compliance, and supporting business goals. Ensure top-down support for resource allocation and prioritization. DSPM has many constituents, and getting executive buy-in ensures adequate resourcing and team responsiveness. 
    
*   Assign roles and responsibilities: Clearly define the responsibilities of each team. For example, GRC will focus on compliance and policy alignment, data teams will manage data classification and ownership, and security teams will oversee the implementation of security controls and monitoring. 
    

Getting off on the right foot and achieving alignment at project inception will increase your chances of overall DSPM project success. 

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Senior Analyst, Enterprise Strategy Group

Todd Thiemann is a senior analyst at the Enterprise Strategy Group, researching data security and identity and access management (IAM). He is an information security veteran with more than a decade of information security experience across a range of subjects including encryption, key management, IAM/authentication, identity security, and security operations at leading cybersecurity companies including Arctic Wolf Networks, Trend Micro, Vormetric/Thales, and Nok Nok Labs. He graduated from Georgetown University with a bachelor of science degree, and earned an MBA from the Anderson School at UCLA. He enjoys cybersecurity because it is ever-changing and continually challenges us to simply explain things while not losing essential nuance.

Data Security Posture Management: Accelerating Time to Value

The APT group uses spear-phishing and a vulnerability in a geospatial data-sharing server to compromise organizations in Taiwan, Japan, the Philippines, and South Korea.

Source: kb-photodesign via Shutterstock

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The group uses public cloud services for hosting malicious files, and appears not to be connected to other known advance persistent threat (APT) groups, although at least one analysis has found overlap between APT41 — also known as Wicked Panda and Brass Typhoon.

The majority of the group's infrastructure is based in China, and its attacks target nations of Chinese national interest, says Ted Lee, a threat researcher with Trend Micro.

"In recent campaigns, their primary targets are government agencies and other critical infrastructures — \[such as\] telecommunication — in the APAC region," he says. "In addition, we also found the decoy documents they used to lure victims are related to some significant conferences or international meetings."

The attack comes as China appears to be ramping up its attacks on governments and companies in the Asia-Pacific region. Operation Crimson Palace, a collection of three Chinese APT groups working in concert, has successfully compromised more than a dozen targets in Southeast Asia, including government agencies. In another recent case, a Chinese espionage group used a malicious fake document in an attempt to compromise systems at the US-Taiwan Business Council, prior to its 23rd US-Taiwan Defense Industry Conference.

**Spear-Phishing, With a Side of GeoServer**

The latest attacks primarily employ spear-phishing, either sending a file or a link, using regional conferences as a lure.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," Trend Micro stated in its analysis. "Notably, we also discovered a decoy document written in simplified Chinese, suggesting that China is also one of the impacted countries. However, due to limited information, we cannot accurately determine which sectors in China are affected."

In a limited number of cases, Trend Micro has noticed that the threat group uses a known flaw in the open source geospatial sharing service GeoServer to gain a beachhead within an organization. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

Whether it uses a vulnerability or spear-phishing, the next step is to use one of two techniques, dubbed GrimResource and AppDomainManager injection, to further compromise targeted systems.

Discovered in June, GrimResource uses a cross-site scripting (XSS) flaw to execute JavaScript on the victim's machine and, together with a second exploit, gain arbitrary code execution. AppDomainManager injection is an older — but still not widely known — technique that can be used to load run malicious code and is starting to be abused by state-backed groups, NTT Security stated in an analysis (via Google Translate).  
"Since this method is not widely known at this time, it is clear that it is a unilateral advantage for the attackers," the translated analysis stated. "As a result, there is concern about the possibility that such attacks will expand in the future."

**All Roads Lead to Cobalt Strike?**

Compromise in any case leads either to a custom backdoor known as EagleDoor, or the installation of an implant by a pirated version of the red-team tool Cobalt Strike, whose use is common among cybercriminal and cyber-espionage groups because of its powerful lateral movement and command-and-control (C2) capabilities.

In addition, the commonness of the tool means investigators gain no attribution information from its use, Trend Micro's Lee says.

"While its use can be a red flag, attackers often modify its components to evade detection," he says. "On the other hand, it’s difficult for analysts to finish group attribution based on Cobalt Strike because it is a shared tool used by many different groups."

The Cobalt Strike component drops two executables, Hook and Eagle, which make up the EagleDoor backdoor, which allows communication over DNS, HTTP, TCP, and Telegram. The commands are used to exfiltrate data from the victim's system and installing additional payloads, Trend Micro stated in its analysis.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

The FOCAL plan outlines baselines to synchronize cybersecurity priorities and policies across, as well as within, agencies.

Source: ronstik via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency released a plan to align the “collective operational defense capabilities” of federal agencies to reduce their cyber-risk. The plan’s focus is to have more synchronized and robust cyber defenses, improved communications, and better agility and resilience in the federal government.

For the most part, federal agencies built out their own defense capabilities based on the threats they are facing. As a result, the agencies vary widely in how effectively they manage risks, and there is no “no cohesive or consistent baseline security posture," CISA said. This discrepancy means despite investing in cybersecurity, the agencies are still vulnerable to threats.

“Collective operational defense is required to adequately reduce risk posed to more than 100 FCEB agencies and to address dynamic cyber threats to government services and data,” CISA said.

In the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) plan, CISA sets out both “broad organizing concepts for federal cybersecurity” and tactical guidance agencies should implement. The plan covers daily activities and processes organizations should be using to defend their data and information systems, and spans five areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management, and incident response. It also sets collective security goals for the enterprise and provides a framework for coordinated support and services.

It is not intended to provide a comprehensive or exhaustive list of everything that an agency has to accomplish.

“The actions in the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience,” Jeff Greene, CISA’s executive assistant director for cybersecurity, said in a statement.

The essential components of FOCAL are “solid,” says John Vecchi, security strategist at Phosphorus Security. There are “very wide disparities” between agencies from a cyber maturity and culture perspective, but these agencies can achieve a “more consistent cybersecurity posture and baseline security hygiene” if FOCAL’s basics are implemented, Vecchi says.

However, accomplish a task of this magnitude can be challenge, Vecchi notes. Agency IT teams still need the staff, knowledge, and skills to actually deploy and implement the technologies and processes. The sheer number of security tools needed to accomplish the various elements in the plan could pose problems for agency security teams. While the focus on patching and vulnerability management is essential, these two areas are difficult to implement at scale.

It's also important to remember that about a third of the assets across these agencies represent smart devices, Internet of Things , operational technology, and embedded devices, Vecchi says. These types of systems are often out of compliance in terms of security hygiene.

“Resource allocation will most certainly be an issue here, but my guess is that the vast number of disparate teams and cultural differences across all of the agencies will present an even bigger and more immediate challenge,” Vecchi says. “It can be quite challenging for different teams within a single agency to collaborate effectively, let alone across so many unique, independent agencies and networks.”

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

CISA Releases Plan to Align Cybersecurity Across Federal Agencies

The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).

Source: Kristoffer Tripplaar via Alamy Stock Photo

Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild.

The vulnerability (CVE-2024-8963, CVSS 9.4) is a path traversal in Ivanti CSA that allows a remote, unauthenticated attacker to access restricted functionalities. Attackers have chained it to the previously disclosed flaw, CVE-2024-8190, which is a high-severity OS command injection flaw that can allow unauthorized access to devices. The chain can be exploited for remote code execution (RCE), if the attacker has admin-level privileges.

"If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance," the enterprise said.

The news comes during an ongoing series of security issues Ivanti has faced since 2023.

**Not First & Likely Not the Last**

Just this year alone, Ivanti has faced flaw after flaw; in February, the Cybersecurity and Infrastructure Security Agency (CISA) ordered Ivanti VPN appliances be disconnected, rebuilt, and reconfigured in 48 hours, after there were concerns that multiple threat actors were exploiting security flaws found in the systems.

In April, foreign nation-state hackers took advantage of vulnerable Ivanti gateway devices and attacked MITRE, breaking its 15-year streak of being incident free. And MITRE wasn’t alone in this, as thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities.

And in August, Ivanti's Virtual Traffic Manager (vTM) harbored a critical vulnerability that could have led to authentication bypass and creation of an administrator user without the patch that the enterprise provided.

"These known but unpatched vulnerabilities have emerged a favorite target for attackers because they are easy to exploit and oftentimes organizations have no idea that devices with EOL systems are still running in their network," Greg Fitzgerald, co-founder of Sevco Security, said in an emailed statement to Dark Reading.

**Protection in an Ongoing Storm**

To mitigate this threat, Ivanti recommends that its customers upgrade the Ivanti CSA 4.6 to CSA 5.0. They can also update CSA 4.6 Patch 518 to Patch 519; however, this product has entered end of life, so it's recommended to upgrade to CSA 5.0 instead. 

In addition to this, Ivanti recommends that all customers ensure dual-homed CSA configurations with eth0 as an internal network.

Customers should review the CSA for modified or newly added administrators if they are concerned that they may have been compromised. If users have endpoint detection and response (EDR) installed, it's recommended to review those alerts as well. 

Users can request help or ask questions by logging a case or requesting a call through Ivanti's Success Portal.

Source

DARKReading