You’re likely familiar with the names of common malware strains such as MOUSEISLAND, Agent Tesla and TrickBot. But do you know how new malware threats get their names?

As a cybersecurity writer, I quickly add new strains to my vocabulary. But I never knew how they came to have those names in the first place. After writing numerous articles on malware, I decided to dig deep into the naming conventions to shed some light on that question. As it turns out, a name can tell you a lot about the malware itself — but it can also sow some confusion. 

Threat Group Names

First, let’s talk about the difference between group names and malware strain names since they often intertwine and sometimes impact each other. With a one-hit-wonder group or a group with no known name, occasionally, the malware shares the group name. However, in most cases, there is a unique name for both the group and the malware.

You can often learn a lot about a group from its name. Group names often reference the nation-state associated with the group, such as Bear for Russia and Panda for China. The name often reflects the group’s motivation as well. “Spider” in the name means that money motivates a group, and “Jackals” refer to hacktivists.

A Few Common Naming Conventions

Now let’s get back to the question of how malware strains themselves are named. The short answer is that strains are named in several different ways. Of course, there are always outliers that get their names in a totally different way, so these are just common examples.

Typically if a cyber criminal doesn’t name their strain themselves, a cybersecurity researcher creates the name. The primary researcher of the strain or attack will usually come up with the name, and they sometimes assign one that seems random — but there is usually a pattern or at least some loose methodology.

And yes, that has led to many issues — especially misidentification and misnaming. Without an industry-wide database that lists the official names of all strains, some strains even end up with multiple names. Because many strains turn into families, researchers and the media must use consistent naming conventions. Otherwise, these labels can cause confusion when experts most need clarity. 

6 Common Ways Malware Strains Get Their Names

1. Target of the Attack

Sometimes the simplest (and most notable) thing about a strain is what the attack is trying to disrupt. For example, the Olympic Destroyer malware got its name because it was trying to shut down the Winter Olympics systems in South Korea in 2018.

2. Computer Antivirus Research Organization (CARO) Conventions

Sometimes malware strains have both a formal name and a nickname, just like people. In many cases, we never know or use the name researchers use formally — or the one their mom uses when they’re in trouble. The CARO creates the name based on the strain’s type, platform, family, variant and suffix. Companies such as Microsoft and CrowdStrike often stick to formal names.

3. Unique Aspects of the Attack

When researchers were studying the HeartBeat malware strain, they noticed an echoing sound that mimicked a heartbeat, which coined its name. Meltdown got its name because of what the attack did: break the isolation between applications and the operating system, which opens up the network to attacks leading to a meltdown.

4. Variant of the Threat

Malware often has many strains. And since each strain can vary in significant ways, we need to be able to differentiate between them. This is when the suffix of the CARO name comes into play. The suffix also suggests how the variant is used.

5. Cyber Criminals

Sometimes the threat actors themselves name the strain when they take credit for the malware. Other times, the name is integrated into the attack, such as in the case of WannaCry. Some groups actually create logos for their strains for marketing purposes. 

6. Functionality

The action of the malware is sometimes the reason behind the name, such as Banker or Downloader. In some cases, that functionality combines with another descriptive word to distinguish it from other strains.  

Malware naming conventions can be confusing. But by understanding a bit about common origins, you get a head start on knowing about the strain from the first time you hear the name.

The post Six Common Ways That Malware Strains Get Their Names appeared first on Security Intelligence.

With the cost of data breaches at an all-time high, organizations are working to proactively identify areas of risk on the network. Using pentesters to conduct penetration (pen) testing is becoming more common. To protect themselves, businesses must know their risk areas before hackers find vulnerabilities. Organizations can lower their attack risk by protecting against weaknesses or eliminating them.

The 2022 IBM Cost of a Data Breach found that data breaches cost an average of $4.35 million per breach, an increase of 12.7% from 2020. For many businesses, breaches are becoming a “when”, not an “if” proposition. Of the organizations participating in the study, 83% have experienced more than one data breach — and only 17% said it was their first time.

As a result, many organizations are turning to pen testing to improve their overall security. 

What is Penetration Testing?

During pen testing, pentesters determine how secure an app or network is by trying to break into it. Pentesters often use black box testing, where the tester does not know the underlying infrastructure, apps or code. The process allows pentesters to conduct the tests from the perspective of an outside hacker and uses automated processes to test vulnerabilities.

Other forms of pen testing can be used as well. White box pen testing relies on the tester’s knowledge of the infrastructure to quickly test security using specialized tools. Gray box testing blends white box and black box testing as the tester uses personal knowledge of the infrastructure and both manual and automated tools to exploit weaknesses.

Pen testing provides numerous benefits to companies, including infrastructure knowledge and fewer errors. While some companies balk at the initial price, the approach saves significant costs by reducing risk and the likelihood of a breach. Companies regulated by compliance guidelines often turn to pen testing as part of their compliance process.

While penetration testing is similar to ethical hacking, some differences exist. Mainly, penetration testing focuses on breaching specific systems to take over the environment. Ethical hacking, on the other hand, uses all hacking techniques. Ethical hackers are usually not company employees, although some companies hire ethical hackers as full-time employees. Bug bounty programs are a bit similar, but they’re more focused on all types of bugs instead of just breaching a system. Because bug bounty programs are open to the cybersecurity community, external hackers typically participate as well as the occasional internal employee.

Responsibilities of a Pentester

Pentesters who work as contractors are typically responsible for following testing protocols designed by the hiring agency or organization. Full-time pentesters usually start with a goal and then determine which tools and methods will best help them reach it. After completing their tests, pentesters write documentation detailing the results to help make security changes.

In addition to technical skills, pentesters need good written and verbal communication skills. Pentesters often need to collaborate with the IT department to help create solutions based on the results of the tests. Because of the types of attacks happening in the real world and the technology used by cyber criminals, pentesters need to stay on top of the latest trends in the cybersecurity industry.

Pursuing a Career as a Pentester

Some companies require pentesters to have a computer science degree or cybersecurity certificate. However, many others accept on-the-job experience — especially experience in the cybersecurity industry. While some companies may require a bachelor’s degree, others look for candidates with digital badges or certifications.

Some companies hire internal pentesters, especially for white box pen testing. However, contract pentesters hired for specific projects typically conduct black box pen testing to ensure they don’t have prior knowledge of the infrastructure. If you are looking for a job as a pentester, consider looking for both full-time employment and contract gigs.

Pentesters looking for full-time employment often find jobs at non-technical companies that want to ensure their infrastructure is secure. Other testers work for cybersecurity firms that offer services to other companies. With IT spending on cybersecurity increasing as risks escalate, the demand for pentesters will also likely continue to climb.

Overall, pen testing is a great entry-level career for tech workers or people who want to enter the cybersecurity field. While some technical knowledge is needed, many of the tools and techniques are learned on the job.

The post What is a Pentester, and Can They Prevent Data Breaches? appeared first on Security Intelligence.

Working as a cybersecurity engineer for many years, and closely following the rapid evolution of the space ecosystem, I wholeheartedly believe that space systems today are targets of cyberattacks more than ever.

The purpose of this article is to give you a glimpse of cybersecurity threats and challenges facing the New Space economy and ecosystem, with a focus on smallsats in Low Earth Orbit (LEO), as well as some technologies to assess space cybersecurity risks.

The article series is divided into four parts: Introduction to New Space, Threats in the New Space, Secure the New Space, and finally New Space Future Development and Challenges.

Introduction

The Aerospace and Defense industry is a global industry composed of many companies that design, manufacture, and service commercial and military aircraft, ships, spacecraft, weapons systems, and related equipment.

The Aerospace and Defense industry is composed of different key segments: large defense prime contractors/system integrators, commercial aerospace prime contractors or system integrators, first-tier subcontractors, second-tier subcontractors, and finally third-tier and fourth-tier subcontractors.

The industry is facing enormous challenges that stem from the COVID-19 pandemic, concerns over sustainability, disruptions from new technologies, heightened regulatory forces, radically transforming ecosystems, and, above all, the cyber threats and attacks that are getting more and more worrisome.

The increase of space cyberattacks and cybersecurity risks is stemming from the evolution of the space ecosystem to the New Space Age.

In this first article of the series, we will focus on the New Space notion and the definition of space system architecture.

From Old Space to New Space

Earlier, the space industry was a nation-level domain — and not just any nation; the United States of America and the Union of Soviet Socialist Republics dominated the industry. Space was related to governments and defense departments, and the objectives were essentially political and strategic ones.

Now, there is more involvement in space globally than ever before in history. This new era, led by private space efforts, is known as “New Space Age” — a movement that views space not as a location or metaphor, but as well of resources, opportunities, and mysteries yet to be unlocked.

New Space is evolving rapidly with industry privatization and the birth of new ventures to achieve greater space accessibility for different parties.

Nevertheless, this development in technologies and the fast growth of New Space projects make the space attack surface larger and increase the threat risks in terms of cyberattacks.

Space and Satellite Systems

LEO and CubeSats

LEO is a circular orbit around the earth with an altitude of 2,000Km or less (1,200 miles).

Most LEO Space Vehicles (SV) are small satellites, also known as CubeSats or Smallsats.

A CubeSat is a small, low-cost satellite that can be developed and launched by colleges, high schools, and even individuals. The 1U (Unit) size of a CubeSat is (10cm x 10cm x 10cm) and weighs about 1Kg. A CubeSat can be used alone (1U) or in groups (up to 24 U).

CubeSats represent paradigm shifts in developing space missions in the New Space Age.

Nowadays, CubeSats, and all the other SV types, are facing different challenges: environmental challenges, operational challenges, and cybersecurity challenges.

Space System Design

Any space system is composed of three main segments: ground segment, space segment, and link segment. In addition, we have the user segment.

Space System Design (Source: Space Security Info)

Ground segment: The ground segment includes all the terrestrial elements of the space systems and allows the command, control, and management of the satellite itself and the data coming from the payload and transmitted to the users.

Space segment: The space segment includes the satellites, tracking, telemetry, command, control, monitoring, and related facilities and equipment used to support the satellite’s operations.

Link/communication segment: The link or communication segment is the data and signals exchanged between the ground and space segments.

User segment: The user segment includes user terminals and stations that can launch operations with the satellite in the form of signal transmissions and receptions.

Conclusion

The New Space age makes the space field more accessible to everyone on this planet. It’s about democratizing access to space.

This new age was characterized by the increase of Smallsats development and especially CubeSats in LEO. These types of satellites are part of the space architecture in addition to the ground, communication, and user segments. Nevertheless, is this space system design threatened by cyberattacks?

In the next article in the series, we will explore the answer to this question.

The post Cybersecurity in the Next-Generation Space Age, Pt. 1: Introduction to New Space appeared first on Security Intelligence.

The art of cyber crime is in a constant state of flux and evolution. Simply staying on pace with these trends is a significant part of the CISO’s job.

Today’s modern CISO must ensure they are always prepared for the next big trend and remain ahead of adversaries.

As we begin to navigate 2023, the security landscape has transformed from a year ago, let alone a decade ago. The Russian invasion of Ukraine, emerging technologies like Web3 and AI, and new, post-pandemic ways of organizing the workforce have all led to significant shifts in the world of hacking.

In this article, we’ll look at how hacking is different in 2023, some of the key threats CISOs must contend with and some of the best defenses available.

What Does Modern Hacking Look Like?

Before we start, it’s worth noting that even the term “hacker” has undergone some evolution over the years. Once largely associated with hostile actors, many security professionals now refer to themselves as hackers. The term “white hat hacker” also exists; this refers to hackers using the same methods as cyber criminals to carry out ethical tasks like pressure-testing security systems.

So what are the concrete ways hacking has changed today compared to five, ten and even twenty years ago? There are several significant trends to highlight that look set to dominate the cybersecurity conversation in 2023.

A Lower Barrier to Entry

In the past, threat actors needed highly developed skill sets honed over many years. Hacking, especially targeting high-level organizations with valuable assets, wasn’t something just anyone could do — the bar was set high.

Today, with the emergence and growth of DIY hacking kits and services — available in places like the dark web — even fairly low-skilled cyber criminals can inflict damage and successfully commit crimes. This is concerning news because it means the pool of potential attackers is soaring.

Taking Advantage of the Shift to Remote Work

Although the COVID-19 pandemic is now receding, many effects still linger. One of the most notable is the sustained shift to remote working patterns. While more remote work options come with great employee benefits such as work-life balance and productivity, this style of working also carries inherent security risks.

With millions of companies now operating either partially or fully remote, along with escalating levels of cloud adoption, security teams have the challenging task of defending sensitive information and assets. Employees access all this data from a wide range of locations — including unsafe wireless networks and even public places.

Emerging Technologies Will Play a Greater Role

Emerging technologies like blockchain, the internet of things and artificial intelligence are expected to play a more prominent role in our lives in 2023, making them a more attractive target for attackers.

We’ve already seen a number of high-profile attacks on Web3 infrastructures, like the 2022 hacking of the Binance exchange for $570 million. Threat actors can also turn new technologies to their own advantage; for example, by harnessing AI tools to automate their attacks and quickly identify easy targets.

Bigger Targets and Heavyweight Players

The invasion of Ukraine in early 2022 sparked a new era of geopolitics, shifting the cybersecurity landscape. Russia has been targeting critical infrastructure in Ukraine with cyberattacks. As tensions between the West and its adversaries reach the highest point in decades, it’s realistic to expect more such attacks against Western targets.

CISOs at all levels must prepare for attacks by nation-state actors, which could even target assets like regional power grids.

What Will Be the Most Popular Hacking Methods of 2023?

Which techniques will malicious actors use to achieve their goals in 2023? While it’s difficult to predict, we’ll likely see a continuation of recent trends.

• Phishing. Despite  — or perhaps because of — its simplicity, phishing remains an extremely effective method for threat actors of all types. Tricking victims into sharing sensitive data, including company information, is a tried-and-tested attack vector that organizations must prepare for with widespread employee education and more robust password policies.
• DDoS attacks. Distributed Denial of Service attacks work by overwhelming the target’s servers with traffic, causing them to crash. In many cases, attackers are using cloud infrastructure to bolster their DDoS attacks.
• Ransomware. This method has been skyrocketing year over year and will probably trend upward in 2023. During an attack, malicious actors seize an organization or individual’s data, encrypt it and demand a ransom for its return. Ransomware can be devastating, leading to enormous financial losses and irreparable reputation damage.
• Targeting missing patches. Many threat actors are actively searching for security patches that organizations have failed to keep up to date. Then, they take advantage of those vulnerabilities.

What Does Defense Against Hacking Look Like in 2023?

As hacking continues to evolve, so do the methods cybersecurity teams are deploying to combat those threats.

Here are some of the key trends in defense against hacking to be aware of in 2023:

Automation and AI

AI is being harnessed by cyber criminals more and more, but when used correctly, it can also be a powerful tool for defense. AI algorithms are excellent at analyzing huge datasets and making accurate predictions about when and where attacks will take place, giving security teams a valuable advantage.

According to research by IBM, companies that use AI and automation to defend against data breaches save an average of $3.05 million compared to those that don’t — a difference of 65.2%.

Secure Cloud Assets

As cloud assets and infrastructure become increasingly popular targets, companies will focus on defending in this area. Stricter security controls, greater enforcement of access requirements and better education and coordination between teams are all excellent places to start.

Make Cybersecurity a Priority

The past few years have seen a growing trend of organizations taking a much more focused approach to cybersecurity with company-wide education policies and growing cyber spending.

As we enter 2023 and beyond, companies look certain to continue along this path, emphasizing security responsibility for everyone in the organization, not just security teams.

The post What CISOs Should Know About Hacking in 2023 appeared first on Security Intelligence.

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds.

What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately?

Blacklisted Exchanges and Mixers

Between 2014 and 2017, the BTC-e crypto exchange allegedly cashed out nearly 95% of all ransomware payments worldwide. Feds asserted that BTC-e ringleader Alexander Vinnik also played a role in the theft of about 800,000 bitcoin (about $400 million at the time) from the Japanese Mt. Gox exchange. Eventually, the U.S. government indicted Vinnik, who was sentenced to five years in jail. BTC-e eventually shut down, along with all its accounts. Meanwhile, many legitimate BTC-e customer account holders remained stuck in limbo.

Then came SUEX, the OTC cryptocurrency broker reportedly receiving $160 million from ransomware and other scammers. In 2021, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) placed the Russia-based broker on the Specially Designated Nationals and Blocked Persons (SDN) List. Americans are prohibited from doing business with any company on the SDN list.

More recently, the virtual currency mixer Tornado Cash was sanctioned. According to the U.S. Treasury, the mixer “has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.” A State Department spokesman said the mixer had provided “material support” to the Lazarus Group — an organization believed to work on behalf of the North Korean government. As of August 2022, the platform was also on the SDN List.

Given these incidents, how can you tell if a crypto platform is being used for nefarious purposes? What signs indicate that criminals could use your exchange, too?

Putting Things In Perspective

The reality is that malicious actors can use any financial entity for fraudulent purposes. In 2021, the illicit share of all cryptocurrency transaction volume reached an all-time low of 0.15%. Meanwhile, the UN estimates the amount of fiat money laundered globally in one year is 2 to 5% of the global GDP, or $800 billion to $2 trillion.

It’s not unheard of for criminals to use multinational banks to launder money. But if you invest in crypto and your platform gets sanctioned overnight, you might not be able to recover your coins the next day.

How Crypto Platforms Deter and Detect Illicit Activity

Three key policies can help crypto businesses to deter money laundering and ransomware payouts. When evaluating the platform you use, ask if they implement:

1. Know Your Customer (KYC). This means requiring customer verification when establishing a business relationship when a customer carries out a transaction and if required by law. Verification can include collecting customer data such as their name, address and date of birth.
2. Travel Rule. According to the Financial Action Task Force’s “Travel Rule,” crypto platforms must collect and share data on parties in transactions. The data collection threshold (transaction size) differs between countries.
3. Transaction monitoring. This includes a system for ongoing transaction monitoring to detect signs of money laundering. For example, exchanges can analyze wallet addresses and transaction hashes.

Some red flags crypto businesses look out for that might indicate money laundering include:

• Transactions of unusual size, location or pattern. For example, a sudden, large transaction between two parties with no prior connection.
• Sending cryptocurrency to darknet marketplaces, mixing services, questionable gambling sites, fraudulent exchanges and platforms with lax anti-money laundering (AML) standards. Blockchain analysis can detect the use of mixing services.
• Structuring several transactions, all just below reporting thresholds. This is how criminals break down large payouts into smaller sums.

Cryptocurrency Business Regulation

Given the ongoing cryptocurrency scams, many are calling for regulatory action. A recent DIFC Fintech conference outlined the current cryptocurrency regulatory scenario. Some of the highlights include:

• Approximately 95% of regulators have a team working on crypto regulations now.
• The crypto industry is lobbying for clear regulatory action. Regulations can have a positive effect on cryptocurrency business development.
• When global cryptocurrency exchange Binance introduced KYC verifications, more than 96% of its customer base complied.
• The SEC imposed approximately $2.35 billion in total monetary penalties against digital asset market participants in 2021.

Complex Cryptocurrency Jungle

In a recent executive order and strategy documents, President Biden pledged to support the development of cryptocurrencies and to restrict their illegal uses. But regulation often hinders innovation speed. Meanwhile, the United States continues to develop cryptocurrency policies with a global impact. These policies include sanctioning cryptocurrency exchanges, recovering ransomware payments and improving collaborative security efforts with other countries.

KYC and AML policies have been applied to U.S. cryptocurrency exchanges for years. Still, this can’t prevent actors from pivoting to exchanges in other less regulated countries that enable illicit transactions. For now, the only way to combat this is to continually monitor for platforms involved in illegal activity.

In November 2021, less than two months after the SUEX sanctions, the Treasury Department followed up with sanctions on Chatex, another Russian platform, as well as three of Chatex’s suppliers. Then, in April 2022, the Treasury Department added a third exchange operating in Russia, Garantex, to the SDN List.

Looking Ahead

So far, the efforts to fight cryptocurrency crime are all a step in the right direction. Still, no in-depth analysis has measured the overall impact of these actions on levels of crypto crime.

Sanctions and policing efforts have also been accompanied by a call to develop a U.S. central bank digital currency (CBDC). However, a CBDC collides with privacy and sovereignty issues that largely gave rise to cryptocurrencies in the first place.

Undoubtedly, no simple solutions exist for cryptocurrency-related crimes. But easy answers never existed with paper money either.

The post How to Spot a Nefarious Cryptocurrency Platform appeared first on Security Intelligence.

Almost every day, my spouse and I have a conversation about spam. Not the canned meat, but the number of unwelcomed emails and text messages we receive. He gets several nefarious text messages a day, while I maybe get one a week. Phishing emails come in waves — right now, I’m getting daily warnings that my AV software license is about to expire. Blocking or filtering has limited success and, as often as not, flags wanted rather than unwanted messages.

Our ritual of comparing phishing attempts acts as informal security crowdsourcing. While most of these messages are clearly a poor attempt at social engineering, something realistic seeps in every so often.

So we talk about it. We review basic security practices. Just one wrong click could have a devastating impact on his work network.

We all know that phishing and malicious messages have been effective attack vectors since the earliest days of the internet, and yet users continue to fall victim. Spammers and threat actors know that recipients of these messages will continue to fall for their schemes.

What helps threat actors and hurts the rest of us is the inability to do anything to stop phishing attacks. It’s not just a matter of filtering something to go into the junk folder.

What will make a difference is the ability to take the information about malicious messaging and report it back to communication providers, network administrators and security teams so everyone can work together to eliminate threats.

Crowdsourcing Security is Common

Using crowdsourcing as a way to prevent phishing attacks builds on other popular crowdsourced security methods. Large tech companies have used bug bounties for years, with monetary rewards offered to users who find vulnerabilities in their systems.

The more people who look for something, the greater their chance of finding it. This is the theory that crowdsourcing is based on. Some organizations see crowdsourcing as ongoing penetration testing, and if the rewards are high enough, users will continue to be watchful for potential bugs in the system.

But as we’ve seen repeatedly, what works for security works for the bad guys as well. Threat actors also use crowdsourcing for cyber crime.

“Cyber crime is just crowdsourced security but without any of the ethical elements. The reward structure mimics the way that cyber crime operates more closely than traditional security testing methods,” explained a blog post from Detectify.

Crowdsourcing Phishing Shows Promise

A study conducted by ETH Zurich found that the exercises used to train users to recognize phishing attempts have the opposite effect — rather than becoming resilient, users become more susceptible to falling for nefarious messaging. What does work, the research found, was crowdsourcing through collective phishing detection.

“Such crowdsourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable and the employees remain active over long periods of time,” the report stated.

When a “Report Phishing” button was added to an email platform, the study found that users would report suspicious emails within five to 30 minutes of receipt. Users were fairly accurate in detecting a potentially dangerous email: they were right 68% of the time for a phishing attack and 79% when spam was included.

Even better, there appears to be no reporting fatigue for users and little burden to organizations adopting a crowdsourcing system. The quick response from the users means that security teams can address the threat quickly.

The Bigger Picture of Crowdsourcing Security

Crowdsourcing goes beyond internal security. The ultimate goal is to leverage information from individual users to detect and prevent phishing attacks on millions of users within a network.

For example, with the release of iOS 16, users have the ability to report spam sent through iMessage directly to Apple. This won’t prevent the sender from sending messages, but the user’s device will block further messages once reported. It’s an option that has been available on Android devices for a while.

MSSPs and security vendors are using tools and applications that share phishing information across their network of clients. When one user or company reports a suspected phishing message through the tool, this information can benefit investigations of similar attacks against other organizations and stop potential threats.

The federal government also encourages crowdsourcing phishing information. On the Federal Trade Commission’s phishing information page, users can take a quiz to test their knowledge of phishing attacks and are urged to forward phishing emails to the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org. APWG analyzes this data to build phishing activity trend reports. Organizations can see the type of impacts phishing attacks have — what industries are seeing the most attacks, how the attacks are happening and the type of malware (mostly ransomware) affecting networks — and then use the information to offer the best security plan for their needs.

Crowdsourcing Security Helps Keep Your Organization Safe

Sharing data surrounding phishing attacks and other types of malicious messaging allows organizations to develop more effective cybersecurity defense systems and increases overall security awareness. As the ETH Zurich study showed, traditional methods of phishing awareness training have been found wanting. Actively engaging employees to not only know how to spot phishing attacks but also to properly report them will increase their own sense of ownership in the organization’s security posture. Once more invested, they are more likely to use better security practices more consistently. In the long run, this helps organizations reduce costs related to cyber risks.

When done right, crowdsourcing security is an effective cybersecurity tool, especially for phishing and malicious messaging attacks.

The post Why Crowdsourced Security is Devastating to Threat Actors appeared first on Security Intelligence.

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.

Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk assessment, oversight, patching of critical systems and proper system configuration.

Many factors have contributed to this gap in essential cybersecurity workers. Some of the top reasons the survey identified were a lack of internal promotion opportunities, struggles with turnover and attrition, budget issues and a lack of qualified talent. But what defines “qualified talent” in cybersecurity today?

The industry has two options. The first is to cut the pie by continuing to focus on degree and certification holders. The other is to make a bigger pie by widening the talent pool and offering on-the-job training to applicants with the passion and mindset to succeed.

Looking for Talent in All the Wrong Places?

The term “cybersecurity” has been overly mystified. Does it involve a reclusive hoodie-wearing night owl? A math whiz writing complex code or working with cryptography?

Unfortunately, misconceptions and complexity have built a wall around the industry. This, at least in part, may explain the high percentage of people with university degrees working in cybersecurity fields. In fact, 82% of the workforce have a Bachelor’s or Master’s degree.

That level of formal education may have been necessary in the past, but the industry requires all types of workers right now. The first step to closing that worker gap will be to ensure that the public understanding of “cybersecurity” is demystified. Core skills aren’t coding or highly advanced math; core skills are problem-solving, investigative thinking, dedication and hard work.

The Making of a Cybersecurity Specialist

Recently, the Australian Signals Directorate (ASD) identified that a “cybersecurity specialist” is “just your average person” that can come from varying backgrounds. This is completely true, especially when key cybersecurity tasks today revolve around monitoring, detection and the ability to spot anomalies. Contrary to popular thinking, cybersecurity is not a bunch of blinking lights and super-secret artificial intelligence — though there are elements of that.

The cybersecurity industry could be morphing into a 21st Century version of manufacturing and assembly lines. Yes, there are still skilled labor requirements. But there is still no substitute for “hands-on keyboard” or “taking live fire” during an incident response case. That comes through experience.

Therefore, this begs the question: Who is better suited for a cybersecurity position? Somebody with a high school diploma but has managed computers and IT systems since they were a teenager, making mistakes along the way but solving them with passion and curiosity? Or a person with a cybersecurity degree who read about the field in a book, spending limited time with hands on a keyboard?

Focus on the Person, Not the Paper

Let’s return to the (ISC)2 study. Participants are trending towards practical skills and experience as more important qualifications. Certification, degrees and training are nice, but problem-solving abilities and related work experience are what employers are looking for. Interestingly, certifications are seen to be more valuable for skills growth than a means to jump into a career in cybersecurity.

It almost feels as though there is an elephant in the room: are we considering the right people for cybersecurity jobs, especially for entry-level jobs?

Granted, some positions require a strong mix of experience, paper qualification and/or validation, and years of battle hardening. For instance, a CISO or senior-level SOC analyst will almost certainly have done time in the trenches.

But some positions grant some low-risk, hands-on experience. If an organization finds a candidate with sincere curiosity, problem-solving skills and the appropriate soft skills, their paper qualifications may not matter. Rather, what will determine success is the organization’s ability to train the individual on the necessary tools and the core technical competencies required to complete the job. A curious person with problem-solving skills can figure out the rest. Just do not leave them hanging because they may suffer from burnout.

Training Can Bridge the Gap

Back to the assembly line analogy: Let’s say you are new to the machinery or protocols in a manufacturing shop. If you can be trained, shadow somebody more experienced for a period of time and have the right work ethic you can pick up the skills and excel. It’s the same principle in cybersecurity.

This is how to bridge the gap, especially in the short term. Waiting three to seven years for individuals to complete advanced degrees may no longer be practical, given the high demand. Technologies will change and there is no guarantee of “hands on keyboard” battle scars.

It’s time to start thinking outside the box. Pitch these two scenarios to a hiring manager today:

1. Individual A works on IT systems and remotely manages a SIEM. They have no certifications or paper qualifications but have worked like this for a couple of years, come highly referred as a dedicated worker, are dependable and require little oversight.
2. Individual B completed a Bachelor’s degree in computer science and a Master’s degree in cybersecurity. They also have completed some basic cybersecurity certifications but have no previous work experience or references.

Based on these surface descriptions, who are you inclined to interview first for a cybersecurity job?

The Pathway to Filling Future Needs

The above example is not a knock on those seeking university degrees or certifications; rather, it is a reality check. If 80% of workers in the industry have university degrees and there are not enough people to meet the need, well, you need to start looking elsewhere to fill the gap. Otherwise, expect retention problems.

For hiring managers, that will mean carefully crafting your requisitions and keeping your expectations in check. These new hires will be your apprentices for a while. Know that if you get them early, reward them with the opportunity and treat them right, you may also be filling a long-term need.

The post Bridging the 3.4 Million Workforce Gap in Cybersecurity appeared first on Security Intelligence.

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.

Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.

Signature-Based Antivirus Software

Signature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective property. With signature-based detection, traditional antivirus products can scan a computer for the footprints of known malware.

These malware footprints are stored in a database. Antivirus products essentially search for the footprints of known malware in the database. If they discover one, they’ll identify the malware, in which case they’ll either delete or quarantine it.

When new malware emerges and experts document it, antivirus vendors create and release a signature database update to detect and block the new threat. These updates increase the tool’s detection capabilities, and in some cases, vendors may release them multiple times per day.

With an average of 350,000 new malware instances registered daily, there are a lot of signature database updates to keep up with. While some antivirus vendors update their programs throughout the day, others release scheduled daily, weekly or monthly software updates to keep things simple for their users.

But convenience comes at the risk of real-time protection. When antivirus software is missing new malware signatures from its database, customers are unprotected against new or advanced threats.

Next-Generation Antivirus

While signature-based detection has been the default in traditional antivirus solutions for years, its drawbacks have prompted people to think about how to make antivirus more effective. Today’s next-generation anti-malware solutions use advanced technologies like behavior analysis, artificial intelligence (AI) and machine learning (ML) to detect threats based on the attacker’s intention rather than looking for a match to a known signature.

Behavior analysis in threat prevention is similar, although admittedly more complex. Instead of only cross-checking files with a reference list of signatures, a next-generation antivirus platform can analyze malicious files’ actions (or intentions) and determine when something is suspicious. This approach is about 99% effective against new and advanced malware threats, compared to signature-based solutions’ average of 60% effectiveness.

Next-generation antivirus takes traditional antivirus software to a new level of endpoint security protection. It goes beyond known file-based malware signatures and heuristics because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by ML and AI as well as threat intelligence to:

• Detect and prevent malware and fileless attacks
• Identify malicious behavior and tactics, techniques and procedures (TTPs) from unknown sources
• Collect and analyze comprehensive endpoint data to determine root causes
• Respond to new and emerging threats that previously went undetected.

Countering Modern Attacks

Today’s attackers know precisely where to find gaps and weaknesses in an organization’s network perimeter security, and they penetrate these in ways that bypass traditional antivirus software. These attackers use highly developed tools to target vulnerabilities that leverage:

• Memory-based attacks
• PowerShell scripting language
• Remote logins
• Macro-based attacks.

To counter these attackers, next-generation antivirus focuses on events – files, processes, applications and network connections – to see how actions in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors and activities; once identified, the attacks can be blocked.

This approach is increasingly important today because enterprises are finding that attackers are targeting their specific networks. The attacks are multi-stage and personalized and pose a significantly higher risk; traditional antivirus solutions don’t have a chance of stopping them.

Explore IBM Security QRadar Solutions  

Endpoint Detection and Response

Endpoint detection and response (EDR) software flips that model, relying on behavioral analysis of what’s happening on the endpoint. For example, if a Word document spawns a PowerShell process and executes an unknown script, that’s concerning. The file will be flagged and quarantined until the validity of the process is confirmed. Not relying on signature-based detection enables the EDR platform to react better to new and advanced threats.

Some of the ways EDR thwarts advanced threats include the following:

• EDR provides real-time monitoring and detection of threats that may not be easily recognized by standard antivirus
• EDR detects unknown threats based on a behavior that isn’t normal
• Data collection and analysis determine threat patterns and alert organizations to threats
• Forensic capabilities can determine what happened during a security event
• EDR can isolate and quarantine suspicious or infected items. It often uses sandboxing to ensure a file’s safety without disrupting the user’s system.
• EDR can include automated remediation and removal of specific threats.

EDR agent software is deployed to endpoints within an organization and begins recording activity on these endpoints. These agents are like security cameras focused on the processes and events running on the devices.

EDR platforms have several approaches to detecting threats. Some detect locally on the endpoint via ML, some forward all recorded data to an on-premises control server for analysis, some upload the recorded data to a cloud resource for detection and inspection and others use a hybrid approach.

Detections by EDR platforms are based on several tools, including AI, threat intelligence, behavioral analysis and indicators of compromise (IOCs). These tools also offer a range of responses, such as actions that trigger alerts, isolate the machine from the network, roll back to a known good state, delete or terminate threats and generate forensic evidence files.

Managed Detection and Response

Managed detection and response (MDR) is not a technology, but a form of managed service, sometimes delivered by a managed security service provider. MDR provides value to organizations with limited resources or the expertise to continuously monitor potential attack surfaces. Specific security goals and outcomes define these services. MDR providers offer various cybersecurity tools, such as endpoint detection, security information and event management (SIEM), network traffic analysis (NTA), user and entity behavior analytics (UEBA), asset discovery, vulnerability management, intrusion detection and cloud security.

Gartner estimates that by 2025, 50% of organizations will use MDR services. There are several reasons to support this prediction:

• The widening talent shortage and skills gap: Many cybersecurity leaders confirm that they cannot use security technologies to their full advantage due to a global talent crunch.
• Cybersecurity teams are understaffed and overworked: Budget cuts, layoffs and resource diversion have left IT departments with many challenges.
• Widespread alert fatigue: Security analysts are becoming less productive due to “alert fatigue” from too many notifications and false positives from security applications. This results in distraction, ignored alerts, increased stress and fear of missing incidents. Many alerts are never addressed when, ideally, they should be studied and acted upon.

The technology behind an MDR service can include an array of options. This is an important thing to understand when evaluating MDR providers. The technology stack behind the service determines the scope of attacks they have access to detect.

Cybersecurity is about “defense-in-depth” — having multiple layers of protection to counter the numerous possible attack vectors. Various technologies provide complete visibility, detection and response capabilities. Some of the technologies offered by MDR services include:

• SIEM
• NTA
• Endpoint protection platform
• Intrusion detection system.

Extended Detection and Response

Extended detection and response (XDR) is the next phase in the evolution of EDR. XDR provides detection and protection across various environments, including networks and network components, cloud infrastructure and Software-as-a-Service (SaaS).

Features of XDR include:

• Visibility into all network layers, including the entire application stack
• Advanced detection, including automated correlation and ML processes capable of detecting events often missed by SIEM solutions
• Intelligent alert suppression filters out the noise that typically reduces the productivity of cybersecurity staff.

Benefits of XDR include:

• Improved analysis to help organizations collect the correct data and transform that data with contextual information
• Identify hidden threats with the help of advanced behavior models powered by ML algorithms
• Identify and correlate threats across various application stacks and network layers
• Minimize fatigue by providing prioritized and precise alerts for investigation
• Provide forensic capabilities needed to integrate multiple signals. This helps teams to construct the big picture of an attack and complete investigations promptly with high confidence in their findings.

XDR is gaining in popularity. XDR provides a single platform that can ingest endpoint agent data, network-level information and, in many cases, device logs. This data is correlated, and detections occur from one or many sources of telemetry.

XDR streamlines the functions of the analysts’ role by allowing them to view detections and respond from a single console. The single-pane-of-glass approach offers faster time to value, a shortened learning curve and quicker response times since the analysts no longer need to pivot between windows. Another advantage of XDR is its ability to piece multiple sources of telemetry together to achieve a big-picture view of detections. These tools are able to see what occurs not only on the endpoints but also between the endpoints.

The Future of Antivirus Software

Security is constantly evolving, and future threats may become much more dangerous than we are observing now. We cannot ignore these recent changes in the threat landscape. Rather, we need to understand them and stop these increasingly destructive attacks.

The post The Evolution of Antivirus Software to Face Modern Threats appeared first on Security Intelligence.

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and disruption. 

Wyler shows that threat hunters can help prevent a cybersecurity catastrophe. But what is a threat hunter, and how can they improve an organization’s security posture?

What is Threat Hunting?

While enterprise security systems are a key part of cybersecurity, threat hunters provide organizations extra protection. A threat hunter reviews all the security data and systems to look for abnormalities and potential malware issues. Threat hunting complements automated security tools and is best used in conjunction with that technology. By combining the strengths of both human expertise and artificial intelligence (AI) tools, companies can find cyber threats faster and reduce damage.

Responsibilities of a Threat Hunter

Threat hunters search, log, monitor and neutralize threats to find issues before they become serious problems. In some companies, threat hunters design the threat-hunting program, which starts by building the hypothesis the program is looking to answer, such as searching for malware with specific criteria. Threat hunting typically involves looking for malware threats incorporated into commercial technology but not yet known.

Threat hunters use three approaches: structured, unstructured and situational.

During structured tests, the threat hunter leverages indicators of attack (IoAs) and the tactics, techniques and procedures (TTPs) of an attacker. Unstructured hunts occur when a trigger indicates a compromise, and the hunter looks at patterns before and after the detection. Situational hunts commence when a risk assessment is warranted, such as knowing attacks are happening at similar companies.

What makes threat hunting different from other cybersecurity tasks is that they don’t just use security information and event management (SIEM), endpoint detection and response (EDR) and other typical processes. Instead, threat hunters search through security data to look for patterns that indicate malware or attackers. Once they discover a cyber criminal’s potential entry method, they work to patch the issue to prevent future incidents.

Pursuing a Career as a Threat Hunter

Threat hunting is often one of the responsibilities of a cybersecurity analyst. However, some managed service professionals (MSPs) hire threat hunters whose primary responsibility is threat hunting for clients. Cybersecurity firms also hire threat hunters to provide the service to their clients. Additionally, threat hunters can work freelance for companies that need threat-hunting expertise but don’t want to hire an MSP.

Companies often look for certifications or bachelor’s degrees when hiring for analyst and threat-hunting positions. Candidates can also go into threat hunting with digital badges or certifications. However, cybersecurity analysts can learn threat-hunting skills on the job and then move into a threat-hunting role.

Threat hunters need strong technical skills and expertise with cybersecurity tools. However, the most important skills are problem-solving and analysis because the role requires manually reviewing data. Threat hunters must also have a strong interest in cybersecurity and a willingness to continually stay updated on cyber criminals’ latest TTPs. Additionally, threat hunters need good written skills to communicate findings to IT leaders. Because threat hunters often work on a team with other cybersecurity professionals, they also need the ability to collaborate and verbally communicate with others.

As cybersecurity risks and threats continue to increase, threat hunting is apt to become an even more crucial facet of cybersecurity. Organizations need the human touch to catch sophisticated threats, even using sophisticated tools. Cybersecurity professionals specializing in threat hunting or adding it to their skill set will likely have solid employment opportunities.

The post How Do Threat Hunters Keep Organizations Safe? appeared first on Security Intelligence.

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces.

Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications and policy creation to define what communications are permitted. In effect, microsegmentation restricts lateral movement, isolates breaches and thwarts attacks.

Given the spotlight on breaches and their impact across industries and geographies, how can segmentation address the changing security landscape and client challenges? IBM and its partners can help in this space.

Breach Landscape and Impact of Ransomware

Historically, security solutions have focused on the data center, but new attack targets have emerged with enterprises moving to the cloud and introducing technologies like containerization and serverless computing. Not only are breaches occurring and attack surfaces expanding, but also it has become easier for breaches to spread. Traditional prevention and detection tools provided surface-level visibility into traffic flow that connected applications, systems and devices communicating across the network.  However, they were not intended to contain and stop the spread of breaches.

Ransomware is particularly challenging, as it presents a significant threat to cyber resilience and financial stability. A successful attack can take a company’s network down for days or longer and lead to the loss of valuable data to nefarious actors. The Cost of a Data Breach 2022 report, conducted by the Ponemon Institute and sponsored by IBM Security, cites $4.54 million as the average ransomware attack cost, not including the ransom itself.

In addition, a recent IDC study highlights that ransomware attacks are evolving in sophistication and value. Sensitive data is being exfiltrated at a higher rate as attackers go after the most valuable targets for their time and money. Ultimately, the cost of a ransomware attack can be significant, leading to reputational damage, loss of productivity and regulatory compliance implications.

Organizations Want Visibility, Control and Consistency

With a focus on breach containment and prevention, hybrid cloud infrastructure and application security, security teams are expressing their concerns. Three objectives have emerged as vital for them.

First, organizations want visibility. Gaining visibility empowers teams to understand their applications and data flows regardless of the underlying network and compute architecture.

Second, organizations want consistency. Fragmented and inconsistent segmentation approaches create complexity, risk and cost. Consistent policy creation and strategy help align teams across heterogeneous environments and facilitate the move to the cloud with minimal re-writing of security policy.

Finally, organizations want control. Solutions that help teams target and protect their most critical assets deliver the greatest return. Organizations want to control communications through selectively enforced policies that can expand and improve as their security posture matures towards zero trust security.

Microsegmentation Restricts Lateral Movement to Mitigate Threats

Microsegmentation (or simply segmentation) combines practices, enforced policies and software that provide user access where required and deny access everywhere else. Segmentation contains the spread of breaches across the hybrid attack surface by continually visualizing how workloads and devices communicate. In this way, it creates granular policies that only allow necessary communication and isolate breaches by proactively restricting lateral movement during an attack.

The National Institute of Standards and Technology (NIST) highlights microsegmentation as one of three key technologies needed to build a zero trust architecture, a framework for an evolving set of cybersecurity paradigms that move defense from static, network-based perimeters to users, assets and resources.

Suppose existing detection solutions fail and security teams lack granular segmentation. In that case, malicious software can enter their environment, move laterally, reach high-value applications and exfiltrate critical data, leading to catastrophic outcomes.

Ultimately, segmentation helps clients respond by applying zero trust principles like ‘assume a breach,’ helping them prepare in the wake of the inevitable.

IBM Launches Segmentation Security Services

In response to growing interest in segmentation solutions, IBM has expanded its security services portfolio with IBM Security Application Visibility and Segmentation Services (AVS). AVS is an end-to-end solution combining software with IBM consulting and managed services to meet organizations’ segmentation needs. Regardless of where applications, data and users reside across the enterprise, AVS is designed to give clients visibility into their application network and the ability to contain ransomware and protect their high-value assets.

AVS will walk you through a guided experience to align your stakeholders on strategy and objectives, define the schema to visualize desired workloads and devices and build the segmentation policies to govern network communications and ring-fence critical applications from unauthorized access. Once the segmentation policies are defined and solutions deployed, clients can consume steady-state services for ongoing management of their environment’s workloads and applications. This includes health and maintenance, policy and configuration management, service governance and vendor management.

IBM has partnered with Illumio, an industry leader in zero trust segmentation, to deliver this solution.  Illumio’s software platform provides attack surface visibility, enabling you to see all communication and traffic between workloads and devices across the entire hybrid attack surface. In addition, it allows security teams to set automated, granular and flexible segmentation policies that control communications between workloads and devices, only allowing what is necessary to traverse the network. Ultimately, this helps organizations to quickly isolate compromised systems and high-value assets, stopping the spread of an active attack.

With AVS, clients can harden compute nodes across their data center, cloud and edge environments and protect their critical enterprise assets.

Start Your Segmentation Journey

IBM Security Services can help you plan and execute a segmentation strategy to meet your objectives. To learn more, register for the on-demand webinar now.

The post Contain Breaches and Gain Visibility With Microsegmentation appeared first on Security Intelligence.

Even Apple can’t escape change forever.

The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices.

While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for Apple, applications and appropriate device protection.

The DMA: Taking a Bite Out of Apple

While the DMA doesn’t come into full force until March 6, 2024, many organizations are acting now to minimize disruption, and Apple is among them. The company is apparently on track to allow users to download and install third-party app stores on their iOS devices. Apple is on the hook to comply with changes to cable connections. By 2024, the company will add USB-C ports to all iPhones.

Breaking the locks on digital gatekeeping offers benefits for both application developers and end-users. From the developer’s perspective, using a third-party app store to sell their software lets them avoid commissions taken by Apple, which can be up to 30% of user payments per app. From the user side, being able to go outside the iOS app ecosystem offers both more choice and more control. Instead of waiting for Apple to vet and approve new software, users could find versions of their favorite apps already for sale on third-party marketplaces or available directly for download.

The Risks of Removing Gatekeepers

Not surprisingly, Apple executives aren’t exactly thrilled about the shift, calling software sideloads “a cyber criminal’s best friend”.

Some of their concern is motivated by a desire to retain control over application distribution and the revenue it brings. However, they do have a point. The closed-loop nature of iOS has long been a selling point for Apple, which claims that it reduces security risk. The claim does have some merit: recent data found that 10 months after the release of Android OS version 12, 30% of federal employees were still running older, less secure versions. In the case of iOS 15, this number was just 5%. For the most part, the difference comes from control. Apple’s oversight of devices means updates are harder to avoid, while Android provides greater choice, but potentially greater risk.

However, the shift to third-party app stores and sideloaded software impacts Apple’s ability to deliver consistent security. For example, apps downloaded from non-iOS stores may include critical security vulnerabilities or even malware. If attackers can fool on-device security scans, they may be able to compromise user devices.

Since Apple won’t have any monetary stake in these apps, the company may not make protection a priority. This could offer a potential side benefit for Apple; they won’t have to spend money on third-party security, and if users get burned by rotten apps, they may come back to the iOS tree.

How Security Teams Can Prepare

Whether you see the shift to open digital borders as good or bad, change is coming. As a result, security teams are well served taking time to prepare. Here are three approaches to help bolster iOS security post-change:

Ban Third Party App Stores and Sideloading

One approach is banning both third-party app stores and sideloading on business-owned iOS devices and enforcing this policy with mobile device management (MDM) tools.

While this will provide a measure of security, it also comes with potential drawbacks. First is the pushback from staff, especially if they use personal devices to work from home or while traveling. By blocking third-party app stores on personal devices, businesses may discover that staff simply stop using these devices for work, in turn reducing total productivity.

There’s also the case of useful apps that are available sooner on third-party app stores than through official channels. A total ban means companies are waiting longer to access features or functions that could improve operations.

Leverage Additional Security Tools

Another approach is leveraging additional security tools such as next-generation web application firewalls (NGFWs) and AI-driven behavior analysis to evaluate the potential risk of third-party apps or sideloaded software. If these tools detect a problem, they can prohibit downloads. If the software is all clear, they can permit installation.

The key here is follow-up. Even if apps appear legitimate and pass initial scans, this doesn’t guarantee safety. As a result, continuous monitoring is critical to ensure both user devices and business networks remain protected.

Create New Security Guidelines

IT teams may also want to consider creating new guidelines around where users can download apps when they can sideload software and what steps they need to take to reduce total risk.

For example, teams might analyze popular app store options and only allow access to a select few based on what they offer and what (if any) security policies they have in place. Companies can also make it mandatory for staff to inform IT staff about any new downloads on their device. They might give teams a chance to analyze the apps for risk. Companies also need to lay out clear consequences if rules around app downloads aren’t followed.

Worth noting? There’s no hard-and-fast rule here. With regulations in flux, organizations need to find approaches to third-party apps and sideloading that balance device security with user autonomy and control.

From Closed Loops to Open Borders

The days of closed-loop iOS stores are ending in the EU. But with increased choice comes a higher risk of getting a malicious app that wreaks havoc on user devices — and potentially puts businesses at risk.

To reduce the chance of compromise, IT teams should consider a three-pronged approach. This should include banning shady app stores and sideloading, using additional security tools to detect potential problems and creating new security guidelines to provide clear roles and responsibilities for users.

The post Third-Party App Stores Could Be a Red Flag for iOS Security appeared first on Security Intelligence.

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity.

Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk.

To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a forum with both government leaders and private companies to assess both current and emerging EV threats. While the discussion didn’t delve into creating cybersecurity standards for these vehicles, it highlights the growing need for EV roadmaps that help reduce cyber risk.

Lighting Strikes? The State of Electric Adoption

EV sales in the United States are well ahead of expert predictions. Just five years ago, fully electric vehicles were considered niche. A great idea in theory, but lacking the functionality and reliability afforded by traditional combustion-based cars.

In 2022, however, the tide is turning. According to InsideEVs, demand now outpaces the supply of electric vehicles across the United States. With a new set of tax credits available, this demand isn’t going anywhere but up, even as manufacturers struggle to improve the pace of production.

Part of this growing interest stems from the technology itself. Battery life increases as charging times fall, and the EV market continues to diversify. While first-generation electric vehicle makers like Tesla continue to report strong sales, the offerings of more mainstream brands like Ford, Mazda and Nissan have helped spur consumer interest.

The result? The United States has now passed a critical milestone in EV sales: 5% of new cars sold are entirely electric. If the sales patterns stateside follow that of 18 other countries that have reached this mark, EVs could account for 25% of all cars sold in the country by 2025, years ahead of current forecasts.

Positive and Negative — Potential EV Issues

While EV adoption is good for vehicle manufacturers and can ease reliance on fossil fuels, cybersecurity remains a concern.

Consider that in early 2022, 19-year-old security researcher David Colombo was able to hack into 25 Teslas around the world using a third-party, open-source logging tool known as Teslamate. According to Colombo, he was able to lock and unlock doors and windows, turn on the stereo, honk the horn and view the car’s location. While he didn’t believe it was possible to take over and drive the car remotely, the compromise nonetheless showed significant vulnerability at the point where OEM technology overlaps third-party offerings. Colombo didn’t share his data immediately; instead, he contacted TelsaMate and waited until the issue was addressed. Malicious actors, meanwhile, share no such moral code and could leverage this kind of weakness to extort EV owners.

And this is just the beginning. Other possible cyber threat avenues include:

Connected vehicle systems

EV systems such as navigation and optimal route planning rely on WiFi and cellular networks to provide real-time updates. If attackers can compromise these networks, however, they may be able to access key systems and put drivers at risk. For example, if malicious actors gain control of the vehicle’s primary operating system, they could potentially disable key safety features or lock drivers out of critical commands.

Charging stations

Along with providing power to electric vehicles, charging stations may also record information about vehicle charge rates, identification numbers and information tied to drivers’ EV application profiles. As a result, vulnerable charging stations offer a potential path to exfiltrated data that could compromise driver accounts.

Local power grids

With public charging stations using local power grids to deliver fast charging when drivers aren’t at home, attackers could take aim at lateral moves to infect car systems with advanced persistent threats (APTs) that lie in wait until cars are plugged in. Then, malicious code could travel back along power grid connections to compromise local utility providers.

Powering Up Protection

With mainstream EV adoption looming, it’s a matter of when, not if, a major cyberattack occurs. Efforts such as the ONCD forum are a great starting point for discussion about EV security standards. However, well-meaning efforts are no replacement for effective cybersecurity operations.

In practice, potential protections could take several forms.

First is the use of automated security solutions to manage user logins and access. By reducing the number of touchpoints for users, it’s possible to limit the overall attack surfaces that EV ecosystems create.

Next is the use of security by design. As noted by a recent Forbes piece, new vehicles are effectively “20 computers on wheels,” many of which are embedded in hardware systems. The result is the perfect setup for firmware failures if OEMs don’t take the time to make basic security protocols — such as usernames and passwords that aren’t simply “admin” and “password”, and the use of encrypted data — part of each EV computer.

Finally, there’s a need for transparency across all aspects of EV supply, design, development and construction. Given the sheer number of components in electric vehicles which represent a potential failure point, end-to-end visibility is critical for OEMs to ensure that top-level security measures are supported by all EV hardware and software components.

Getting from Here to There

As EVs become commonplace, a cybersecurity roadmap is critical to keep these cars on the road up to operator — and operational — safety standards.

But getting from here to there won’t happen overnight. Instead, this mapping mission requires the combined efforts of government agencies, EV OEMs and vehicle owners to help maximize automotive protection.

The post Defensive Driving: The Need for EV Cybersecurity Roadmaps appeared first on Security Intelligence.

After Congress approved his nomination in 2021, Chris Inglis served as the first-ever National Cyber Director for the White House. Now, he plans to retire. So who’s next?

As of this writing in January of 2023, there remains uncertainty around who will fill the role. However, the frontrunner is Kemba Walden, Acting Director of the National Cyber Director’s office. Walden is a former Microsoft executive who joined the National Cyber Director’s office in May. Before her appointment, Walden was the Deputy National Security Advisor for Cyber and Emerging Technology in the Biden Administration.

If not Walden, who else might take over from Inglis? The best answer is to look at the senior cybersecurity folks in the Biden administration who advise Biden directly.

A Group of Well-Qualified Successors

The national cybersecurity of the United States has been a priority for President Biden. To ensure that the most efficient protocols are being followed, the president has designated several senior members from his team to serve as direct advisors with specific responsibility for cybersecurity issues. These advisors bring extensive expertise in national security operations and risk management from multiple sectors. They played key roles in establishing national defenses, and are expert problem-solvers in the face of evolving threats. This highly specialized group provides the strength and stability needed to maintain national cybersecurity in a rapidly evolving threat landscape.

The key senior cybersecurity officials include the aforementioned Chris Inglis as the first National Cyber Director, Jen Easterly as the Director of the Cybersecurity and Infrastructure Security Agency (CISA), Alejandro Mayorkas as the Secretary of Homeland Security, Kemba Walden as the first Principal Deputy National Cyber Director, Neal Higgins as Deputy National Cyber Director for National Cybersecurity and Rob Knake as Deputy National Cyber Director for Budget and Policy.

A Promising Candidate

While everyone here plays a crucial role, Jen Easterly stands out based on her comprehensive cybersecurity background. Easterly is an internationally renowned cybersecurity expert, formerly serving as the Deputy Director of the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Senior Advisor to the Under Secretary for National Protection and Programs Directorate at the Department of Homeland Security (DHS). Before joining CISA, she held management positions in both private industries and within the government. This included a four-year tenure with IBM Global Services as Senior Consulting Analyst.

Ms. Easterly’s expansive career has seen cybersecurity accomplishments in both the public and private sectors. Many of her notable successes occurred while working at CISA, initiating groundbreaking efforts to enhance information sharing among critical infrastructure sectors, as well as leading work that addressed cyber threats from foreign actors. She also spearheaded cybersecurity workforce development and led a collective effort to modernize Federal government organizations’ response to ever-increasing threats from malicious actors online.

Outside of her government service, Easterly was also instrumental in creating several successful commercial programs focused on protecting corporate IT assets through best practices such as risk assignment and attack surface reduction.

Initial Concerns Vanquished

Though many promising candidates have emerged for National Cyber Director, the role itself was not without contention. After the appointment of Chris Inglis, concerns arose that there were “too many cooks” in the federal cyber leadership kitchen. Additionally, there was uncertainty as to who would be the true “quarterback” taking over command of national cybersecurity going forward. While Inglis’ extended background in national security steered much of the discourse toward a sense of assurance, undertones still remained that he was just one man wielding undue power without a larger organization behind him for support.

Though uncertain at the time, these concerns have since dissolved. Inglis has proven himself more than capable of tackling national cybersecurity amid a coalition of national leaders and organizations.

The Role of National Cyber Director

The National Cyber Director has provided immense benefits to the public and private sectors over the past year and a half. The director essentially acts as a bridge between the two sectors, ensuring that national interests remain on top of government agendas while also fostering collaboration with industry stakeholders.

As National Cyber Director, Inglis developed national-level policies to protect organizations of all sizes from cyber threats and worked with government agencies to identify areas of need throughout the cybersecurity landscape. As a result, businesses could prioritize cybersecurity investments. know their threats better, remain at the cutting edge of technological innovation and adopt best practices — all in an effort to ensure national security.

IBM Security Intelligence reached out to the Office of the National Cyber Director (ONCD) about the role. They responded with the following statement:

“ONCD’s mission is to create a resilient, safe and equitable cyber space. We’re doing so by focusing on long-term strategic planning while executing on near-term tactics to mitigate existing vulnerabilities. Ultimately, we desire to seize the initiative back from the adversary and reimagine cyberspace with an affirmative vision consistent with our values.”

How ONCD Meets Its Goals

ONCD’s statement went on to elaborate on how it has tackled those objectives:

“Most notably, ONCD is leading the interagency drafting process for the Biden-Harris Administration’s National Cybersecurity Strategy. A process through which we’ve solicited input from over 300 stakeholders across industry, foreign governments, academia and the nonprofit sector. This exceptional level of collaboration is a recognition that the terrain in cyber space is principally privately owned, and public-private partnerships are paramount to addressing cybersecurity challenges successfully. “We also initiated an ongoing series of topical executive fora. By using the unique convening power of the White House, we’re bringing together industry executives with Cabinet Secretaries and Deputies to share threat intelligence and drive collaboration at the highest levels possible. Among these was the National Cyber Workforce and Education Summit in July. At the Summit, ONCD announced the development of a National Cyber Workforce and Education Strategy. A resulting RFI received over 150 responses from a broad section of stakeholders. ONCD is reviewing those and working to publish the full strategy, incorporating many of those inputs, in the coming months. “Finally, we worked aggressively with our colleagues across the interagency to bring enhanced security to the federal enterprise. This included overseeing the implementation of Executive Order 14028, deployment of Zero Trust Architecture, release of first-of-its-kind ‘Spring Guidance’ on cybersecurity budgeting and initiating a planning process for post-quantum encryption.”

Closing In On the Next National Cyber Director

This still leaves the identity of the next National Cyber Director in question. As the U.S. government bolsters its cyber defenses, replacing Inglis remains a priority. This influential role will develop and coordinate the nation’s cybersecurity strategy.

Asked about any insights as to plans once Chris Inglis retires, the ONCD states:

“With respect to Director Inglis’ retirement —  he will retire sometime this year after five decades of public service. At that time, Principal Deputy Kemba Walden will become Acting National Cyber Director and continue to lead the organization with the same passion as she has as Deputy Principal.”

Whether it’s Walden, Easterly or another senior official, the country’s cybersecurity efforts appear to be in good hands.

The post Who Will Be the Next National Cyber Director? appeared first on Security Intelligence.

The Evolution of Kronos Malware

The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.

After remaining dormant for a few years, the Kronos banking trojan reemerged in 2018, under the name Osiris, and was used in a banking trojan campaign. While there were some differences between the two strains, both Osiris and Kronos shared the same technique for stealing information.

Kronos made yet another resurgence — this time combined with ransomware — and in late 2022 IBM Security Trusteer saw an increase in Kronos malware activity in Mexico. In these attacks, it was used to launch JavaScript web-injects on financial institutions with a malicious chrome extension.

A Brief Review of the Kronos Malware Attack in Mexico

The first victim of the 2022 Kronos malware had the malware automatically installed through a malicious chrome extension called “Seguridad” (Security).

This is the first time we have observed malware utilizing a chrome extension with web injects on financial institutions.

The Kronos malware utilizes a configuration file to identify targeted pages within a victim’s web browsing session. Once a victim navigates to one of these pages, the malware will initiate a call to an external resource and inject a malicious JavaScript payload. Once the malicious chrome extension is installed, if the user attempts to access one of the targeted Mexican financial institutions, the extension will inject malicious JavaScript with the name: “8vZ9d1-ad.js” or “ok.js”:

This payload can then be used to steal sensitive information from the victim’s device.

Stealthy Web Injection Capabilities

During an investigation of the Kronos malware’s web-injects, it was found that the main goal of the attacker is to steal sensitive information from the victim, such as login credentials (username, password), mobile tokens, OTP tokens, and more. These stolen pieces of information can then be used by the attacker to gain unauthorized access to the victim’s accounts or to commit other fraudulent activities.

Example for Web-Inject:

Once a user is infected with the Kronos malware, the malware may wait for the user to enter their login credentials on a targeted website. At this point, the JavaScript component of the malware will begin to inject itself into the victim’s web browser, displaying a fake loading animation (commonly known as a “loader gif”) in order to obscure the fact that the user’s information is being stolen. This technique is commonly used by malware to avoid detection and increase the likelihood of successfully stealing sensitive information from the victim:

The malware may then prompt the user for additional sensitive information, such as a telephone number, under the guise of verifying the user’s identity. This information is then used by the attacker for various nefarious purposes.

Main JavaScript function:

Once the malware has fully initialized and its various functions have been enabled, it will use the “send_home” function to exfiltrate any stolen information back to the attacker’s server. This function is typically used to transmit sensitive data that has been collected by the malware during the victim’s web browsing session:

The “send_home” function is used by the Kronos malware to transmit stolen information to the attacker’s command and control (C&C) server. This transmission typically includes a unique token and a link to the financial institution from which the information was stolen. This allows the attacker to easily identify the source of the stolen information and track the progress of the malware’s activities.

Example: hxxps://tomolina.top/uadmin/gate.php?pl=token&link=hsbc_mx1.1

C&C Panel (uadmin)

The “uadmin” panel is a C&C interface used by attackers to manage various aspects of their malware campaigns. It allows the attacker to configure web injects and other options, as well as view sensitive information that has been collected from victims. This information, which may include login credentials, mobile tokens, and OTP codes, is typically used by the attacker for various nefarious purposes.

Inside C&C (uadmin):

The source code for the “uadmin” panel has been leaked in the past, and below is an example of the main admin code:

Main page:

Main Token Page:

This page contains logs of infected victims, including:

• The last time the victim connected to the targeted bank.
• The victim’s IP address.
• Device information (e.g., operating system and web browser type).
• The name of the targeted bank that the attacker has configured.
• Quick data showing the victim’s login credentials.
• The “redirect” feature, which redirects all existing and new bots to present links on each page.
• The “block” feature, which blocks access to the page after the user enters their credentials.
• Comments from the C&C owner.

• Statistics on the number of infected bots and other metrics.
• A list of infected bots, including their IP addresses and other details.
• The ability to remotely control infected bots.
• The ability to export logs of stolen information.
• Settings for the stealer component of the malware.
• A blacklist of web pages that the malware should not target.

Targeted Financial Institution: Mexico Region

During an observed attack on a Mexico region financial institution, we identified multiple indicators of compromise.

IOC:

In this instance, we were able to successfully retrieve Indicator of Compromise (IOC) from the JavaScript configuration file located at “8vZ9d1-ad.js”.

• hxxps://dlxfreight.bid/mx/
• hxxps://dlxfreight.bid/w1Q5DXr7te/gate.php
• hxxps://pnlbanorte.dlxfreight.bid
• hxxps://dlxfreight.bid/
• hxxp://tomolina[.]top/
• hxxps://facturacionmexico.net/choa.php
• hxxps://dlxfreightmore.com

How to Stay Safe from Kronos

To protect against Kronos, it is important to use reputable antivirus and anti-malware programs, as well as to keep systems updated with the latest security patches and software updates. Additionally, employees should be educated on how to recognize and avoid phishing emails, and organizations should implement email filtering and other security measures to block malicious emails.

If a system is suspected to be infected with Kronos, it is important to take the system offline immediately and perform a thorough scan using antivirus and anti-malware tools. Any sensitive data that may have been compromised should also be changed immediately.

It is suspected that this malware campaign may potentially spread to the North American region and potentially also to the European region. Due to its advanced functionality and ability to evade detection, it is important for individuals and organizations in these regions to be aware of the threat it poses and take the actions noted above to better protect against it.

To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.

The post Kronos Malware Reemerges with Increased Functionality appeared first on Security Intelligence.

Recently, investigators at Mandiant discovered a new software platform with an intuitive interface. The service has tools to orchestrate and automate core campaign elements. Some of the platform’s features enable self-service customization and campaign tracking.

Sounds like a typical Software-as-a-Service (SaaS) operation, right? Well, this time, it’s Caffeine, the latest Phishing-as-a-Service (PhaaS) platform. A basic subscription costs $250 a month; all you need is an email to sign up.

How Caffeine PhaaS is Different

PhaaS vendors advertise and sell their products as phishing kits. A phishing kit includes everything required to launch a successful phishing attack, such as email templates and even templates for rogue websites to send victims to. Some phishing kits also include lists of potential targets.

As per Mandiant, what makes Caffeine different from most other PhaaS offerings is its low barrier of entry. To sign up for Caffeine services, only an email is required. Unlike Caffeine, other PhaaS platforms typically only communicate through referrals, underground forums or encrypted messaging. Also, Caffeine provides email templates directed at Russian and Chinese targets, which is unusual for PhaaS.

Other Caffeine features include:

• Tools to orchestrate and automate phishing campaigns
• Self-service phishing kit customization
• Capability to manage intermediary redirect pages and final-stage lure pages
• Dynamic URL generation for hosted malicious payloads
• Ability to track campaign email activity
• Caffeine news feed: announces feature updates and expansions of accepted cryptocurrencies.

According to Mandiant, the average PhaaS platform costs from $50 to $80, making Caffeine relatively expensive. Caffeine may be pricier due to its unlimited customer service support options and its extensive anti-detection and anti-analysis features.

Rise of Commercialized Attack Services

Caffeine represents a continued trend of Cyber-Crime-as-a-Service, which makes it easy for non-technical adversaries to launch massive attacks. Like legitimate subscription-based software, the programming and business organization behind these attack platforms is highly sophisticated. Caffeine even offers three service tiers (Basic, Professional and Enterprise at $250, $450 and $850 per month, respectively).

Undoubtedly, security professionals wince when they compare the low cost of phishing services versus the $4.35 million average cost of a data breach.

Phishing Attack Protection

Given the ease of access to phishing attack kits, companies must implement effective anti-phishing security. Training employees to be aware of these scams is a key starting point. Some organizations will even send out internal bogus phishing emails to keep team members on their toes. Still, even with the best training, attacks can slip through the cracks. For this reason, more comprehensive strategies are required.

Solutions, such as security information and event management (SIEM), have evolved to include advanced analytics such as user behavior analytics (UBA), network flow insights and artificial intelligence (AI) to accelerate detection. SIEM also integrates with security orchestration, automation and response (SOAR) platforms for incident response and remediation.

Other approaches, such as zero trust, manage privileged access to ensure that users are only granted access to data essential to their jobs.

The growth of nefarious services like Caffeine makes us jittery. Solid, well-developed security can help keep us calm.

The post Too Much Caffeine? Phishing-as-a-Service Makes Us Jittery appeared first on Security Intelligence.

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures.

What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and train together as a team with the goal of being prepared for potential incidents.

Another force driving demand for cyber ranges is the rapid growth of high-profile attacks with seven-figure loss events and the public disclosure of attacks, impacting reputation and financial results. Damaging attacks, like data breaches and ransomware, have cemented the criticality of effective incident response to prevent worst-case outcomes and rapidly contain eventual ones.

Once you decide that your cybersecurity team and other actors in your cyberattack response protocols need to practice together, the economics for a dedicated cyber range is compelling. An organization can train many more employees more quickly through a dedicated cyber range.

But before you pull the trigger and order a cyber range, you should make a full evaluation of the pros and cons. The primary con, of course, is that a dedicated cyber range might be oversized for the organization’s long-term needs. You might not use it enough to justify the costs of building and operating an actual range. Alternatively, you might prefer to run cyberattack exercises remotely to more closely simulate the real work environment of your teams.

This post will provide a primer on conducting a graduated cyber range evaluation and help set up processes to think through what type of drilling grounds might be best suited for your team.

Why Build a Cyber Range? Mandatory Training, Certifications and Compliance

The most compelling reason for building a cyber range is that it is one of the best ways to improve the coordination and experience level of your team. Experience and practice enhance teamwork and provide the necessary background for smart decision-making during a real cyberattack. Cyber ranges are one of the best ways to run real attack scenarios and immerse the team in a live response exercise.

An additional reason to have access to a cyber range is that many compliance certifications and insurance policies cite mandatory cyber training of various degrees. These are driven by mandates and compliance standards established by the National Institute of Standards and Technology and the International Organization for Standardization (ISO). With these requirements in place, organizations are compelled to free up budgets for relevant cyber training.

There are different ways to fulfill these training requirements. Per their role in the company, employees can be required to undergo certifications by organizations such as the SANS Institute. Training mandates can also be fulfilled by micro-certifications and online coursework using remote learning and certification platforms, such as Coursera. The decision to avail a company of a cyber range does not always mean building one in-house.

A Cyber Training Progression in Stages: From Self-Study to Fully Operational Cyber Ranges

In talking with our customers, we offer them multiple options for cyber range setups, and we advise them to carry out the implementation in stages. Each stage is appropriate for a different level of commitment, activity and desire for a fully immersive cyber range experience.

Stage 1: Self-Training, Certifications and Labs

Stage 1 is blocking and tackling, the bare minimum for competent cybersecurity training. This provides the basics required for continuing education and fulfilling cyber training requirements. Stage 1 can include:

• SANS training course in desired areas of expertise
• Completion of Coursera online self-paced or Massive Open Online Course classes with requisite certification of completion
• Specific class focus, such as reverse engineering malware or network forensics to explain how attackers traverse networks without being detected, etc.

An added part to Stage 1 is holding hands-on labs where participants complete tasks or simulate blue team or red team activities. The labs should focus on outcomes and metrics as much as they focus on completion. Participants should understand whether they are able to efficiently and effectively find indicators of compromise and mitigate attacks, as well as map the primary tactics, techniques and procedures (TTPs) associated with those attack simulations.

Stage 2: Team and Wider-Scale Corporate Exercises

In Stage 2, the more mature companies can escalate to coordinated group exercises that are planned and follow a curriculum. This requires dedicated compute infrastructure or hardware (some organizations choose to do it all from their existing workstations). In these exercises, all stakeholders take the lessons they have learned and bring them together to orchestrate a coordinated response. You may choose to have red teams attempt to infiltrate and go up against blue teams and involve threat intelligence teams and other security staff in the company’s security operations center.

If you want to make this stage a more immersive and realistic experience, you may also choose to include other teams, such as marketing. Bringing in operational technology (OT) teams at this stage is strongly suggested. Many of the most recent ransomware attacks have targeted not just laptops and other IT devices but also OT devices.

Business leaders tend to benefit strongly from witnessing and experiencing immersive coordinated exercises. Giving them insights into what other teams are experiencing and how they need to respond provides invaluable context that comes into play during an actual crisis. The most advanced team cyber response exercises can involve dozens or hundreds of team members and last several days.

Stage 3: The Collaborative Cyber Range With Vendors, Customers and Partners

Coordinating responses for your organization is a great start. But what about those around you — your customers, vendors and partners? The nature of your digital infrastructure, the ubiquitous connection to application programming interfaces, the proliferation of connected devices and the varying types of connections make it critical to coordinate an attack response with your closest third parties.

It’s easy to understand the criticality of an orchestrated response. The world has become more and more connected; the digital links among vendors, customers and partners have grown. An organization can have hundreds of third-party connections at a time. This has increased the attack surface and made supply chain attacks a preferred tactic with cyber criminals and nation-state actors alike. Supply chain attacks can be hard to detect because they come through a trusted intermediary. They are also a general-purpose exploit for securing future access, traversing networks and expanding horizontally inside an organization.

With awareness of third-party risk management, software supply chain risk growing and attacks in this realm more complex than ever, we are seeing customers asking to take their cyber readiness and exercises to the ecosystem level.

More than a concept to eventually consider, we actually see some companies demanding this participation as a condition of a partnership or becoming a key vendor. Chief information security officers (CISOs) and risk teams want to see beyond the attestations of SOC2 or ISO 2700 and test out the actual capabilities and readiness of their core partners and vendors.

For example, if an organization uses a bank that employs a payment processor that subsequently uses a clearinghouse, all three are tightly knit and have likely established some playbooks on how to work together, how to identify where the chain of interactions encounters a problem or when a breach has occurred. Ultimately, they should know how to contain and stop a cyberattack involving one or more of the three entities. Proactively establishing a risk-aware working relationship and identifying and introducing specific risks for each stakeholder can facilitate a more robust, comprehensive and rapid response in case of an attack. Often this is the point of bringing several parties into the collaborative exercise: to set up the procedures and norms for a collaborative response that’s agile and precise.

Keeping Your Training and Range Lively With Fresh Content and Context

A key part of why we believe organizations are seeking to build their own cyber ranges is the rapid acceleration of attack types and the extent of attacks. Threats that used to emerge over the course of months now emerge in weeks or days. CISOs and risk management leaders recognize this and understand that there are two key ways to address this shift:

• Increase the frequency of exercises
• Improve the content of exercises to keep things fresh over time

With cyber ranges, we can use both static, curriculum-driven content for stage 1 exercises and push evolving content with industry context for those moving to more elaborate exercises. We typically insert lessons and exercises based on attacks that may be happening concurrently with the exercise itself.

Ideally, you want your range to allow for customizable content that can be modified on the fly. This allows a company with a cyber range to load up an exercise on a major attack days after the attack is revealed. That capability makes cyber ranges more relevant and valuable because it enables organizations to speed up their security metabolism and learn faster.

Conclusion: Are You Ready for a Dedicated Cyber Range?

Before you get to the point of thinking about a dedicated cyber range, we highly recommend you work through stage 1 and stage 2 capabilities. At a minimum, you should run a cyber range exercise as a one-off to see how it works for your team and your organization. Most crucially, consider what the utilization rate of your cyber range will be when planning. Ideally, it should be in use most of the time to maximize your investment. Think through whether this is viable for your team and your enterprise before pulling the trigger. As a mitigating factor, think through whether you can use your dedicated cyber range as a pop-up or quick-start cyber operations command center in case of emergency.

After you feel comfortable with the idea of a cyber range and have confirmed its value, consider the positives and negatives of the three types of cyber ranges or outsourcing exercises to a trusted vendor.

• Dedicated on-premise ranges are more expensive to build and maintain but can help teams create in-person chemistry. This has become a more viable option in the past year as more workforces are convening in person again.
• Creating an entirely virtual cyber range prior to the pandemic was not something many organizations were considering. Virtual versions are cheaper to stand up and upgrade and offer more flexibility. However, for some organizations, face-to-face interactions are important.
• A number of customers have come to us requesting hybrid versions with both virtual and in-person components. Hybrid models are flexible and can extend to vendors and partners but are also the more expensive installations.

Having a cyber range at the ready is a fabulous foundation for upping your security metabolism and readiness. Follow a rigorous decision-making process to ensure you get the right kind for your organization and needs. To learn whether a cyber range is right for your organization and how to set up a cyber range program, talk to IBM X-Force Cyber Range Consulting here.

Want to hear directly from the experts? Register for the webinar, Tips and Best Practices for Cyber Ranges: How Your Organization Can Train as First Responders in the Face of an Attack.

The post Everyone Wants to Build a Cyber Range: Should You? appeared first on Security Intelligence.

On September 19, 2022, an 18-year-old cyberattacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer’s worst nightmare.

In addition, the malicious actor claimed responsibility for a similar security breach affecting ride-sharing company Uber just a week prior. According to reports, they infiltrated the company’s Slack by tricking an employee into granting them access. Then, they spammed the employees with multi-factor authentication (MFA) push notifications until they gained access to internal systems, where they could browse the source code.

Incidents like the Rockstar and Uber hacks should serve as a warning to all CISOs. Proper security must consider the role info-hungry actors and audiences can play when dealing with sensitive information and intellectual property.

Stephanie Carruthers, Chief People Hacker for the X‑Force Red team at IBM Security, broke down how the incident at Uber happened and what helps prevent these types of attacks.

“But We Have MFA”

First, Carruthers believes one potential and even likely scenario is the person targeted at Uber may have been a contractor. The hacker likely purchased stolen credentials belonging to this contractor on the dark web — as an initial step in their social engineering campaign. The attacker likely then used those credentials to log into one of Uber’s systems. However, Uber had multi-factor authentication (MFA) in place, and the attacker was asked to validate their identity multiple times.

According to reports, “TeaPot” contacted the target victim directly with a phone call, pretended to be IT, and asked them to approve the MFA requests. Once they did, the attacker logged in and could access different systems, including Slack and other sensitive areas.

“The key lesson here is that just because you have measures like MFA in place, it doesn’t mean you’re secure or that attacks can’t happen to you,” Carruthers said. “For a very long time, a lot of organizations were saying, ‘Oh, we have MFA, so we’re not worried.’ That’s not a good mindset, as demonstrated in this specific case.”

As part of her role with X-Force, Carruthers conducts social engineering assessments for organizations. She has been doing MFA bypass techniques for clients for several years. “That mindset of having a false sense of security is one of the things I think organizations still aren’t grasping because they think they have the tools in place so that it can’t happen to them.”

Social Engineering Tests Can Help Prevent These Types of Attacks

According to Carruthers, social engineering tests fall into two buckets: remote and onsite. She and her team look at phishing, voice phishing and smishing for remote tests. The onsite piece involves the X-Force team showing up in person and essentially breaking and entering a client’s network. During the testing, the X-Force teams attempt to coerce employees into giving them information that would allow them to breach systems — and take note of those who try to stop them and those who do not.

The team’s remote test focuses on an increasingly popular method: layering the methods together almost like an attack chain. Instead of only conducting a phishing campaign, this adds another step to the mix.

“What we’ll do, just like you saw in this Uber attack, is follow up on the phish with phone calls,” Carruthers said. “Targets will tell us the phish sounded suspicious but then thank us for calling because we have a friendly voice. And they’ll actually comply with what that phishing email requested. But it’s interesting to see attackers starting to layer on social engineering approaches rather than just hoping one of their phishing emails work.”

She explained that the team’s odds of success go up threefold when following up with a phone call. According to IBM’s 2022 X-Force Threat Intelligence Index, the click rate for the average targeted phishing campaign was 17.8%. Targeted phishing campaigns that added phone calls (vishing, or voice phishing) were three times more effective, netting a click from 53.2% of victims.

What Is OSINT — and How It Helps Attackers Succeed

For bad actors, the more intelligence they have on their target, the better. Attackers typically gather intelligence by scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly-documented online activities, attackers can easily profile an organization or employee.

Carruthers says she’s spending more time today doing OSINT than ever before. “Actively getting info on a company is so important because that gives us all of the bits and pieces to build that campaign that’s going to be realistic to our targets,” she said. “We often look for people who have access to more sensitive information, and I wouldn’t be surprised if that person (in the Uber hack) was picked because of the access they had.”

For Carruthers, it’s critical to understand what information is out there about employees and organizations. “That digital footprint could be leveraged against them,” she said. “I can’t tell you how many times clients come back to us saying they couldn’t believe we found all these things. A little piece of information that seems harmless could be the cherry on top of our campaign that makes it look much more realistic.”

Tangible Hack Prevention Strategies

While multi-factor authentication can be bypassed, it is still a critical security tool. However, Carruthers suggests that organizations consider deploying a physical device like a Fido2 token. This option shouldn’t be too difficult to manage for small to medium-sized businesses.

“Next, I recommend using password managers with long, complex master passwords so they can’t be guessed or cracked or anything like that,” she said. “Those are some of the best practices for applications like Slack.”

Of course, no hacking prevention strategies that address social engineering would be complete without security awareness. Carruthers advises organizations to be aware of attacks out in the wild and be ready to address them. “Companies need to actually go through and review what’s included in their current training, and whether it’s addressing the realistic attacks happening today against their organization,” she said.

For example, the training may teach employees not to give their passwords to anyone over the phone. But when an attacker calls, they may not ask for your password. Instead, they may ask you to log in to a website that they control. Organizations will want to ensure their training is always fresh and interactive and that employees stay engaged.

The final piece of advice from Carruthers is for companies to refrain from relying too heavily on security tools. “It’s so easy to say that you can purchase a certain security tool and that you’ll never have to worry about being phished again,” she said.

The key takeaways here are:

• Incorporate physical devices into MFA. This builds a significant roadblock for attackers.
• Try to minimize your digital footprint. Avoid oversharing in public forums like social media.
• Use password managers. This way, employees only need to remember one password.
• Bolster security awareness programs with particular focus on social engineering threats. Far too often, security awareness misses this key element.
• Don’t rely too heavily on security tools. They can only take your security posture so far.

Finally, it’s important to reiterate what Carruthers and the X-Force team continue to prove with their social engineering tests: a false sense of security is counterproductive to preventing attacks. A more effective strategy combines quality security practices with awareness, adaptability and vigilance.

Learn more about X-Force Red penetration testing services here. To schedule a no-cost consult with X-Force, click here.

The post An IBM Hacker Breaks Down High-Profile Attacks appeared first on Security Intelligence.

In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath of applications and services.

Nearly anything from popular consumer and enterprise platforms to critical infrastructure and IoT devices was exposed. Over 35,000 Java packages were impacted by Log4j vulnerabilities. That’s over 8% of the Maven Central repository, the world’s largest Java package repository.

When Log4j was discovered, CISA Director Jen Easterly said, “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious.”

Since Log4j surfaced, how has the security community responded? What lessons have we learned (or not learned)?

Significant Lingering Threat

Log4Shell is no longer a massive, widespread danger. Still, researchers warn that the vulnerability is still present in far too many systems. And actors will continue to exploit it for years to come.

Log4Shell was unusual because it was so easy to exploit wherever it was present. Developers use logging utilities to record operations in applications. To exploit Log4Shell, all an attacker has to do is get the system to log a special string of code. From there, they can take control of their victim to install malware or launch other attacks.

“Logging is fundamental to essentially any computer software or hardware operation. Whether it’s a phlebotomy machine or an application server, logging is going to be present,” said David Nalley, president of the nonprofit Apache Software Foundation, in an interview with Wired. “We knew Log4j was widely deployed, we saw the download numbers, but it’s hard to fully grasp since in open source you’re not selling a product and tracking contracts. I don’t think you fully appreciate it until you have a full accounting of where software is, everything it’s doing and who’s using it. And I think the fact that it was so incredibly ubiquitous was a factor in everyone reacting so immediately. It’s a little humbling, frankly.”

According to Nalley, they had software fixes out within two weeks. Alarmingly, Apache still sees up to 25% of downloads involving non-patched versions of Log4j.

Continued Log4j Attack Incidents

Threat actors continue to exploit the Log4j vulnerability to this day. CISA has released alerts regarding Iranian and Chinese actors using the exploit. From Iran, cyber threat actors took advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server, installed crypto mining software, moved laterally to the domain controller, compromised credentials and implanted reverse proxies on several hosts to maintain persistence. Meanwhile, the top Common Vulnerabilities and Exposures (CVEs) most used by Chinese state-sponsored cyber actors since 2020 is Log4j.

Given the danger and ongoing threat, why do so many vulnerable versions of Log4j still persist? Could it be that some IT pros don’t really know what’s in their software?

The Risk of Open-Source Software

The problem isn’t software vulnerability alone. It’s also not knowing if you have vulnerable code hiding your applications. Surprisingly, many security and IT professionals have no idea whether Log4j is part of their software supply chain. Or even worse, they choose to ignore the danger.

Part of the challenge is due to the rise of open-source software (OSS). Coders leverage OSS to accelerate development, cut costs and reduce time to market. Easy access to open-source frameworks and libraries takes the place of writing custom code or buying proprietary software. And while many applications get built quickly, the exact contents might not be known.

In a Linux Foundation SBOM and Cybersecurity Readiness report, 98% of organizations surveyed use open-source software. Due to the explosion of OSS use, it’s clear that supply chain cybersecurity may be impossible to gauge for any given application. If you don’t know what’s in your supply chain, how can you possibly know it’s secure?

Security Starts With SBOM

The threat of vulnerabilities (both known and zero-day) combined with the unknown contents of software packages has led security regulators and decision-makers to push for the development of software bills of materials.

According to CISA:

A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.

If you have a detailed list of individual software components, you can assess risk exposure more accurately. Also, with a well-developed SBOM, you can match your list against CISA’s Known Exploited Vulnerabilities Catalog. Or, if you hear about an emerging mass exploit like Log4j, you can quickly confirm if your stack is at risk. If you don’t have an SBOM, you’re in the dark until you are notified by your vendor or until you get hacked.

Finding Millions of Vulnerabilities

If you were to scan your systems for software vulnerabilities, you might discover hundreds of thousands of weaknesses. Also, if you merged with another company recently, you inherit their risk burden as well. For larger enterprises, detected vulnerabilities can number in the millions.

Trying to patch everything at once would be impossible. Instead, proper triage is essential. For example, vulnerabilities nearest to mission-critical systems should be prioritized. Also, an organization should audit, monitor and test its software vulnerability profile often. And since IT teams might add applications at any moment, an up-to-date network inventory and scheduled vulnerability scanning are critical. Automated software vulnerability management programs can be a great help here.

Many companies don’t have the time or qualified resources to identify, prioritize and remediate vulnerabilities. The process can be overwhelming. Given the high risk involved, some organizations opt to hire expert vulnerability mitigation services.

Still More to Learn

While Log4j sent some into a frenzy, others didn’t even seem to notice. This gives rise to the debate about cyber responsibility. If my partner hasn’t patched a vulnerability, and it affects my operations, should my partner be held responsible?

In one survey, 87% of respondents said that given the level of cyber risk posed by Log4j, government regulatory agencies (such as the U.S. Federal Trade Commission) should take legal action against organizations that fail to patch the flaw.

Only time will tell how far the security community will take responsibility for vulnerabilities — whether by being proactive or by force.

The post Log4j Forever Changed What (Some) Cyber Pros Think About OSS appeared first on Security Intelligence.

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.”

Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a long time since I attempted to do a binary patch diff analysis, so I thought this would be a good bug to do root cause analysis and craft a proof-of-concept (PoC) for a blog post.

On October 21 of last year, I posted an exploit demo and root cause analysis of the bug. Shortly thereafter a blog post and PoC was published by Numen Cyber Labs on the vulnerability, using a different exploitation method than I used in my demo.

In this blog — my follow-up article to my exploit video — I include an in-depth explanation of the reverse engineering of the bug and correct some inaccuracies I found in the Numen Cyber Labs blog.

In the following sections, I cover reverse engineering the patch for CVE-2022-34718, the affected protocols, identifying the bug, and reproducing it. I’ll outline setting up a test environment and write an exploit to trigger the bug and cause a Denial of Service (DoS). Finally, I’ll look at exploit primitives and outline the next steps to turn the primitives into remote code execution (RCE).

Patch Diffing

Microsoft’s advisory does not contain any specific details of the vulnerability except that it is contained in the TCP/IP driver and requires IPsec to be enabled. In order to identify the specific cause of the vulnerability, we’ll compare the patched binary to the pre-patch binary and try to extract the “diff”(erence) using a tool called BinDiff.

I used Winbindex to obtain two versions of tcpip.sys: one right before the patch and one right after, both for the same version of Windows. Getting sequential versions of the binaries is important, as even using versions a few updates apart can introduce noise from differences that are not related to the patch, and cause you to waste time while doing your analysis. Winbindex has made patch analysis easier than ever, as you can obtain any Windows binary beginning from Windows 10. I loaded both of the files in Ghidra, applied the Program Database (pdb) files, and ran auto analysis (checking aggressive instruction finder works best). Afterward, the files can be exported into a BinExport format using the extension BinExport for Ghidra. The files can then be loaded into BinDiff to create a diff and start analyzing their differences:

BinDiff summary comparing the pre- and post-patch binaries

BinDiff works by matching functions in the binaries being compared using various algorithms. In this case there, we have applied function symbol information from Microsoft, so all the functions can be matched by name.

List of matched functions sorted by similarity

Above we see there are only two functions that have a similarity less than 100%. The two functions that were changed by the patch are IppReceiveEsp and Ipv6pReassembleDatagram.

Vulnerability Root Cause Analysis

Previous research shows the Ipv6pReassembleDatagram function handles reassembling Ipv6 fragmented packets.

The function name IppReceiveEsp seems to indicate this function handles the receiving of IPsec ESP packets.

Before diving into the patch, I’ll briefly cover Ipv6 fragmentation and IPsec. Having a general understanding of these packet structures will help when attempting to reverse engineer the patch.

IPv6 Fragmentation:

An IPv6 packet can be divided into fragments with each fragment sent as a separate packet. Once all of the fragments reach the destination, the receiver reassembles them to form the original packet.

The diagram below illustrates the fragmentation:

Illustration of Ipv6 fragmentation

According to the RFC, fragmentation is implemented via an Extension Header called the Fragment header, which has the following format:

Ipv6 Fragment Header format

Where the Next Header field is the type of header present in the fragmented data.

IPsec (ESP):

IPsec is a group of protocols that are used together to set up encrypted connections. It’s often used to set up Virtual Private Networks (VPNs). From the first part of patch analysis, we know the bug is related to the processing of ESP packets, so we’ll focus on the Encapsulating Security Payload (ESP) protocol.

As the name suggests, the ESP protocol encrypts (encapsulates) the contents of a packet. There are two modes: in tunnel mode, a copy of IP header is contained in the encrypted payload, and in transport mode where only the transport layer portion of the packet is encrypted. Like IPv6 fragmentation, ESP is implemented as an extension header. According to the RFC, an ESP packet is formatted as follows:

Top Level Format of an ESP Packet

Where Security Parameters Index (SPI) and Sequence Number fields comprise the ESP extension header, and the fields between and including Payload Data and Next Header are encrypted. The Next Header field describes the header contained in Payload Data.

Now with a primer of Ipv6 Fragmentation and IPsec ESP, we can continue the patch diff analysis by analyzing the two functions we found were patched.

Ipv6pReassembleDatagram

Comparing the side by side of the function graphs, we can see that a single new code block has been introduced into the patched function:

Side-by-side comparison of the pre- and post-patch function graphs of Ipv6ReassembleDatagram

Let’s take a closer look at the block:

New code block in the patched function

The new code block is doing a comparison of two unsigned integers (in registers EAX and EDX) and jumping to a block if one value is less than the other. Let’s take a look at that destination block:

The target code has an unconditional call to the function IppDeleteFromReassemblySet. Taking a guess from the name of this function, this block seems to be for error handling. We can intuit that the new code that was added is some sort of bounds check, and there has been a “goto error” line inserted into the code, if the check fails.

With this bit of insight, we can perform static analysis in a decompiler.

0vercl0ck previously published a blog post doing vulnerability analysis on a different Ipv6 vulnerability and went deep into the reverse engineering of tcpip.sys. From this work and some additional reverse engineering, I was able to fill in structure definitions for the undocumented Packet_t and Reassembly_t objects, as well as identify a couple of crucial local variable assignments.

Decompilation output of Ipv6ReassembleDatagram

In the above code snippet, the pink box surrounds the new code added by the patch. Reassembly->nextheader_offset contains the byte offset of the next_header field in the Ipv6 fragmentation header. The bounds check compares next_header_offset to the length of the header buffer. On line 29, HeaderBufferLen is used to allocate a buffer and on line 35, Reassembly->nextheder_offset is used to index and copy into the allocated buffer.

Because this check was added, we now know there was a condition that allows nextheader_offset to exceed the header buffer length. We’ll move on to the second patched function to seek more answers.

IppReceiveEsp

Looking at the function graph side by side in the BinDiff workspace, we can identify some new code blocks introduced into the patched function:

Side-by-side comparison of the pre- and post-patch function graphs of IppReceiveEsp

The image below shows the decompilation of the function IppReceiveEsp, with a pink box surrounding the new code added by the patch.

Decompilation output of IppReceiveESP

Here, a new check was added to examine the Next Header field of the ESP packet. The Next Header field identifies the header of the decrypted ESP packet. Recall that a Next Header value can correspond to an upper layer protocol (such as TCP or UDP) or an extension header (such as fragmentation header or routing header). If the value in NextHeader is 0, 0x2B, or 0x2C, IppDiscardReceivedPackets is called and the error code is set to STATUS_DATA_NOT_ACCEPTED. These values correspond to IPv6 Hop-by-Hop Option, Routing Header for Ipv6, and Fragment Header for IPv6, respectively.

Referring back to the ESP RFC it states, “In the IPv6 context, ESP is viewed as an end-to-end payload, and thus should appear after hop-by-hop, routing, and fragmentation extension headers.” Now the problem becomes clear. If a header of these types is contained within an ESP payload, it violates the RFC of the protocol, and the packet will be discarded.

Putting It All Together

Now that we have diagnosed the patches in two different functions, we can figure out how they are related. In the first function Ipv6ReassembleDatagram, we determined the fix was for a buffer overflow.

Decompilation output of Ipv6ReassembleDatagram

Recall that the size of the victim buffer is calculated as the size of the extension headers, plus the size of an Ipv6 header (Line 10 above). Now refer back to the patch that was inserted (Line 16). Reassembly->nextheader_offset refers to the offset of the Next Header value of the buffer holding the data for the fragment.

Now refer back to the structure of an ESP packet:

Top Level Format of an ESP Packet

Notice that the Next Header field comes *after* Payload Data. This means that Reassembly->nextheader_offset will include the size of the Payload Data, which is controlled by the size of the data, and can be much greater than the size of the extension headers. The expected location of the Next Header field is inside an extension header or Ipv6 header. In an ESP packet, it is not inside the header, since it is actually contained in the encrypted portion of the packet.

Illustrated root cause of CVE-2022-34718

Now refer back to line 35 of Ipv6ReassembleDatagram, this is where an out of bounds 1 byte write occurs (the size and value of NextHeader).

Reproducing the Bug

We now know the bug can be triggered by sending an IPv6 fragmented datagram via IPsec ESP packets.

The next question to answer: how will the victim be able to decrypt the ESP packets?

To answer this question, I first tried to send packets to a victim containing an ESP Header with junk data and put a breakpoint on to the vulnerable IppReceiveEsp function, to see if the function could be reached. The breakpoint was hit, but the internal function I thought did the decrypting IppReceiveEspNbl, returned an error, so the vulnerable code was never reached. I further reverse engineered IppReceiveEspNbl and worked my way through to find the point of failure. This is where I learned that in order to successfully decrypt an ESP packet, a security association must be established.

A security association consists of a shared state, primarily cryptographic keys and parameters, maintained between two endpoints to secure traffic between them. In simple terms, a security association defines how a host will encrypt/decrypt/authenticate traffic coming from/going to another host. Security associations can be established via the Internet Key Exchange (IKE) or Authenticated IP Protocol. In essence, we need a way to establish a security association with the victim, so that it knows how to decrypt the incoming data from the attacker.

For testing purposes, instead of implementing IKE, I decided to create a security association on the victim manually. This can be done using the Windows Filtering Platform WinAPI (WFP). Numen’s blog post stated that it’s not possible to use WFP for secret key management. However, that is incorrect and by modifying sample code provided by Microsoft, it’s possible to set a symmetric key that the victim will use to decrypt ESP packets coming from the attacker IP.

Exploitation

Now that the victim knows how to decrypt ESP traffic from us (the attacker) we can build malformed encrypted ESP packets using scapy. Using scapy we can send packets at the IP layer. The exploitation process is simple:

CVE-2022-34718 PoC

I create a set of fragmented packets from an ICMPv6 Echo request. Then for each fragment, they are encrypted into an ESP layer before sending.

Primitive

From the root cause analysis diagram pictured above, we know our primitive gives us an out of bounds write at

offset = sizeof(Payload Data) + sizeof(Padding) + sizeof(Padding Length)

The value of the write is controllable via the value of the Next Header field. I set this value on line 36 in my exploit above (0x41 😉).

Denial of Service (DoS)

Corrupting just one byte into a random offset of the NetIoProtocolHeader2 pool (where the target buffer is allocated), usually does not immediately cause a crash. We can reliably crash the target by inserting additional headers within the fragmented message to parse, or by repeatedly pinging the target after corrupting a large portion of the pool.

Limitations to Overcome For RCE

offset is attacker controlled, however according to the ESP RFC, padding is required such that the Integrity Check Value (ICV) field (if present) is aligned on a 4-byte boundary.

Because

sizeof(Padding Length) = sizeof(Next Header) = 1,

sizeof(Payload Data) + sizeof(Padding) + 2 must be 4 byte aligned.

And therefore:

offset = 4n - 1

Where n can be any positive integer, constrained by the fact the payload data and padding must fit within a single packet and is therefore limited by MTU (frame size). This is problematic because it means full pointers cannot be overwritten. This is limiting, but not necessarily prohibitive; we can still overwrite the offset of an address in an object, a size, a reference counter, etc. The possibilities available to us depend on what objects can be sprayed in the kernel pool where the victim headerBuff is allocated.

Heap Grooming Research

The affected kernel pool in WinDbg

The victim out of bounds buffer is allocated in the NetIoProtocolHeader2 pool. The first steps in heap grooming research are: examine the type of objects allocated in this pool, what is contained in them, how they are used, and how the objects are allocated/freed. This will allow us to examine how the write primitive can be used to obtain a leak or build a stronger primitive. We are not necessarily restricted to NetIoProtocolHeader2. However, because the position of the victim out-of-bounds buffer cannot be predicted, and the address of surrounding pools is randomized, targeting other pools seems challenging.

Demo

Watch the demo exploiting CVE-2022-34718 ‘EvilESP’ for DoS below:

Takeaways

When laid out like this, the bug seems pretty simple. However, it took several long days of reverse engineering and learning about various networking stacks and protocols to understand the full picture and write a DoS exploit. Many researchers will say that configuring the setup and understanding the environment is the most time-consuming and tedious part of the process, and this was no exception. I am very glad that I decided to do this short project; I understand Ipv6, IPsec, and fragmentation much better now.

To learn how IBM Security X-Force can help you with offensive security services, schedule a no-cost consult meeting here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

References

1. https://www.rfc-editor.org/rfc/rfc8200#section-4.5
2. https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html
3. https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/#diffing-microsoft-patches-in-2021
4. https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
5. https://datatracker.ietf.org/doc/html/rfc4303
6. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718

The post Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP” appeared first on Security Intelligence.