Attackers Heavily Targeting VPN Vulnerabilities

Threat actors like attacking VPNs because they provide a convenient entry point to enterprise networks.

Attacks on virtual private networks, like those this week targeting a trio of known vulnerabilities in Pulse Secure appliances, have intensified in recent months along with the increase in remote and hybrid work environments since the outbreak of COVID-19.

The trend requires organizations to patch VPN and other externally facing devices with the highest priority, says a new report from Digital Shadows.

The report, based on an analysis of vulnerability activity in the first quarter of 2021, highlights other threats as well, including increased targeting of remote code execution (RCE) vulnerabilities such as one affecting Oracle WebLogic (CVE-2020-14882) and widespread attacks targeting the ProxyLogon flaws in Microsoft Exchange Server.

“[VPNs] continue to be targeted by a plethora of threat groups, which will almost certainly continue for the remainder of 2021,” says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. “VPN devices, in addition to other remote access software, are often prioritized as a useful entry point that can provide threat groups with a stable foothold onto target networks.”

The threat intelligence firm’s analysis of vulnerability activity in the first quarter of this year shows cyber adversaries are actively targeting VPN vulnerabilities, more so than most other attack avenues, to break into enterprise networks. VPN accesses were among the top three access types listed for sale on cybercriminal forums last quarter, Digital Shadows says.

According to the firm, attackers targeted vulnerabilities in a range of VPN appliances, including one in the Fortinet FortiGate VPN (CVE-2018-13379) and an older, previously patched flaw in Pulse Connect Secure VPN (CVE-2019-11510). Both the Fortinet and Pulse VPN appliances were the subject of a joint advisory last week from the National Security Agency (NSA), FBI, and the Cybersecurity and Infrastructure Security Agency (CISA). The advisory warned US organizations of Russia’s Foreign Intelligence Service (SVR) — the actor behind the SolarWinds attack — actively targeting the VPN flaws and flaws in three other products.

“Easily identifiable public-facing infrastructure will always garner significant attention from advanced actors,” Morgan says, pointing to the attacks that targeted Pulse Secure VPNs this week. The attacks — by multiple threat groups, including one believed to have links to the Chinese government — have affected several organizations within the US defense industrial base and other sectors. Researchers are currently tracking as many as 12 separate malware families targeting vulnerabilities in Pulse Secure VPNs. Patches have been available for some time for all three of the vulnerabilities in Pulse Secure VPNs that are being attacked.

Thousands of Attacks
Meanwhile, other significant threat activity that Digital Shadows observed last quarter included heavy targeting of RCE flaws and a barrage of attacks aimed at ProxyLogon, a set of four critical vulnerabilities in Exchange Server, which Microsoft disclosed in March.

“Tens of thousands of companies worldwide were impacted by exploiting and chaining of the four zero-day vulnerabilities,” Morgan says. “Our observation of this particular set of bugs includes a diverse set of threat groups, including both nation-state and cybercriminal actors.”

The sheer scope of the attack activity highlighted both the ease with which the now-patched vulnerabilities could be exploited and the multiple potential courses of action available to an attacker after successful exploitation, he says.

A major concern related to the attacks was the strategy by one hacking group to deploy malicious Web shells on compromised Exchange Server systems so they could maintain a persistent presence on them. Concerns over the Web shells on US systems were so high that a court authorized the FBI to remove the shells from systems on which they had been deployed, including those belonging to private companies.

“While active exploitation of the bugs will likely subside in the aftermath of companies updating their servers, there is a distinct possibility that advanced groups could have created other avenues of approach and entry points onto targeted networks,” Morgan warns. Last week, CISA updated its original guidance around the flaws, which suggests that Exchange Servers are still being compromised via these bugs even though a vast majority of vulnerable systems have been patched, he says.

Digital Shadows’ first-quarter threat analysis shows that RCE flaws were the most commonly exploited flaws, just as they were in the fourth quarter of 2020. Twenty-three percent of attacks involved RCE exploits in the first quarter. The most likely reason for attackers targeting this class of vulnerabilities, according to Digital Shadows, is that they enable a wide range of malicious activities.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

US Formally Attributes SolarWinds Attack to Russian Intelligence Agency

Treasury Department slaps sanctions on IT security firms that it says helped Russia’s Foreign Intelligence Service carry out the attacks.

The Biden administration Thursday officially blamed Russia’s Foreign Intelligence Service, SVR, for the cyberattack on SolarWinds and announced sanctions against a handful of IT security firms for helping enable that attack and other malicious cyber activities over the years.

Among the vendors put on the US Treasury Department sanctions list were Positive Technologies and some other relatively lesser-known IT security firms in the US, including Neobit, Advanced System Technology, and Pasit.

In a related announcement, the National Security Agency (NSA), FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) today issued a joint advisory warning of the SVR actively targeting widely deployed network and communication technologies on US networks from companies such as Fortinet, Pulse Secure, Citrix, and VMware.

The actions mark the first time the US government has formally named a Russian intelligence agency as the perpetrator of the SolarWinds attack and subsequent intrusions into other networks, including those belonging to government agencies, private firms, and security companies such as FireEye and Mimecast. The attacks have caused considerable concern about large-scale data theft, cyber espionage, and threat actors with persistent presence hidden deep on US networks. Previously, US intelligence and law enforcement agencies had described the attacks as being “most likely Russian in origin” but had stopped short of attributing them to any specific entity.

Kevin Mandia, CEO of FireEye, describes the sanctions as likely making things harder for Russian operators. “Unfortunately, we are unlikely to fully deter cyber espionage, and we will have to take serious action to better defend ourselves from inevitable future intrusions,” he says in an emailed comment responding to this morning’s announcement.

The sanctions that the Treasury Department announced today identified the SVR as one of three Russian intelligence services responsible for carrying out “some of the most dangerous and disruptive cyberattacks in recent history, including the SolarWinds attack.”

The other two Russian intelligence services — the Federal Security Service (FSB) and Russia’s Main Intelligence Directorate (GRU) — already have been hit with three previous sanctions actions. Two of them, in 2016 and 2018, were related to malicious cyber activity, including ransomware campaigns, deployment of NotPetya and Olympic Destroyer malware, attacks on the World Anti-Doping Agency, and numerous government and critical infrastructure systems in multiple countries. In March 2021, the GRU and FSB were sanctioned again, but this time in connection with activities related to proliferation of nuclear weapons and weapons of mass destruction.

The Treasury Department sanctions were imposed under a new executive order that President Biden signed Thursday. Biden’s executive order is in response to what the White House described as ongoing efforts by the Russian government to undermine US democratic processes and engage in a wide range of malicious cyber activities. It authorizes the Treasury Department to deploy “strategic and economically impactful” sanctions on the SVR and entities that are thought to be materially helping Russian intelligence services carry out their missions.

Impact of Sanctions
The sanctions prohibit US financial firms from participating in Russian markets. They also freeze all US-based property and interests in property belonging to the entities on the Treasury Department sanctions list. All US-based assets that are more than 50% owned by entities on the new sanctions list have also been frozen.

The sanctions are likely going to create some uncertainty and disruption for US organizations currently using technologies from entities on the new sanctions list. “As nation-state tension spills over into the private sector, there may be organizations caught flat-footed by the reality that they are participating with or without their consent in a broader narrative of competing national interests,” says Tim Wade, technical director and CTO at Vectra.

In the immediate term, affected organizations are likely going to have to source new technologies and capabilities, he says. “In the longer term, supplier security itself as a discipline will need to expand its purview of risk to include the collateral damages inflicted by rising national tensions in the cyber domain,” Wade says.

Meanwhile, in a statement Friday, Positive Technologies said the Treasury Department’s accusations against it are “groundless” and backed by no evidence of any wrongdoing on its part. The security vendor, which provides a range of penetration testing, security assessment, and other services, described itself as a well-regarded company that has always operated within industry norms and standards. “We truly think that geopolitics should not be a barrier to the technological development of society and we will continue to do what we do best—to protect and ensure cybersecurity around the world,” the company said.

The US government’s action Thursday finally has attached a name to the shadowy entity behind the SolarWinds attack, which numerous security experts have described as one of the most sophisticated malicious cyber operations ever. However, because of how notoriously hard attack attribution can be, some questions are bound to remain about the data that led US intelligence to SVR.

“The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber-espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups,” Paul Prudhomme, cyber threat analyst at IntSights, said in a statement. “It nonetheless remains unclear what specific data points enabled the attribution.”

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, says the fact that the US government is holding Russia accountable should come as no surprise, but more information is needed around the attribution. “The more we learn about the attribution, the more concrete accountability and action can be taken,” he says.

Meanwhile, today’s joint advisory from the FBI, NSA, and CISA warned organizations to be on alert for attacks targeting a set of five specific vulnerabilities in products from five vendors. According to them, attackers are actively targeting CVE-2018-13379 in Fortinet’s FortiGate VPN; CVE-2019-11510, impacting Pulse Secure Pulse Connect Secure VPN; CVE-2019-19781 in Citrix Application Delivery Controller and Gateway; CVE-2020-4006 in VMware Workspace ONE Access; and CVE-2019-9670 in Synacor Zimbra Collaboration Suite.

Pulse Secure said it issued a fix in April 2019 for the vulnerability (CVE-2019-11510) identified in the joint advisory. “The NSA has identified an old issue that was patched on legacy Pulse Secure deployments in April 2019,” a spokeswoman said in an emailed statement. “Customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Pandemic Pushes Bot Operators to Redirect Efforts

As demand for travel, lodging, and concerts plummeted in 2020, bot traffic moved to more popular activities, such as e-commerce, healthcare, and government sites.

Shifts in consumer activity due to the coronavirus pandemic altered the activity of automated software programs, also known as bots, in 2020, according to a new Imperva report.

Healthcare and gambling sites saw notable increases in bots — both those labeled “good” and “bad” by the web application security firm. Bots accounted for 35% of traffic to healthcare sites, up from 21% in 2019, and 34% of traffic to gambling sites, up from 19% in 2019. While bot traffic to healthcare sites climbed throughout the year — almost quadrupling by the end of 2020 — both e-commerce and government sites saw a significant increase only in the last quarter.

The surge in bots to e-commerce sites coincided with the release of next-generation gaming consoles, while the influx of traffic to government sites may be related to the US elections, says Edward Roberts, director of strategy at Imperva.

“The model here is that bots will go wherever they can make money,” he says. “And we expect them to jump to other industries, if there is high demand — and if it is something vital or life-threatening, then [how we respond] becomes even more important.”

The report focuses on bad bots, which the company sees as a threat to its customers. 

Some of the automated activity would likely be considered malicious by most observers. Hustlers who use automation to hoard in-demand items and gouge consumers, and cybercriminals who use bots to attempt credential-based attacks, such as credential stuffing or password spraying, are both bad bots that most would also consider malicious.

Imperva calls such bots “the pandemic of the Internet.”

“Bad bots interact with applications in the same way a legitimate user would, making them harder to detect and block,” Imperva states in the report. “They enable high-speed abuse, misuse, and attacks on your websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities.”

The report found that the actual pandemic affected bot operators in different ways. Changes wrought by stay-at-home orders offered new opportunities for those who wanted to use automation to collect data, while closing off other opportunities. Ticket scalpers, who usually descend on popular concerts to buy tickets, found themselves suffering diminished profits, for example.

“[T]he pandemic resulted in a reduction of traditional scalpers’ sources of income,” the report stated. “Concerts and sporting events were canceled or took place without live audiences.”

Yet, at the same time, a variety of goods — from masks to gaming consoles — became the target of scalpers and hoarders. And with supply chain disruptions causing shortages, scalpers also found additional opportunities to hoard desired goods and bilk consumers.

The divide between good bots and bad bots is pretty fluid because much of the Internet relies on bots. Search firms crawl websites to create indexes and deliver results for specific queries. Other companies rely on scraping data from sites to offer consumer services. While businesses may want to block the leak of such information, most other Internet users would not consider these activities to be bad. In fact, a US appeals court upheld the legality of data analytics firm HiQ Labs scraping data from LinkedIn in a 2019 ruling.

However, from a business perspective, any activity that is not human is often considered bad. Anti-bot service provider Kasada clarified that “if you’re serving up traffic to bots, you’re spending money on infrastructure, systems, tools, and personnel that you shouldn’t have to.”

However, Imperva’s report warned — without evidence — that increased activity to healthcare sites could presage the hoarding of vaccine appointments. Noting the existence of sites such as TurboVax, which uses automated scanning to help people find open vaccine appointments, the company raised the question of whether scammers could use bots to reserve, and then resell, time slots for vaccine appointments. 

“These helpful bots were created with good intentions, but it’s not far-fetched to imagine others creating similar tools in order to sell the appointment to the highest bidder for the opportunity to jump the queue,” the report states.

Asked about the statements, Roberts clarified that the company had actually dismissed the theory.

“People aren’t hoarding vaccine appointments — we put that [question] to ourselves and that doesn’t seem that they could resell those slots,” he says. “I think it is more people creating these helpful bots to try and help people and help society get over this once in a lifetime pandemic.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

6 Tips for Managing Operational Risk in a Downturn

Many organizations adjust their risk appetite in an economic downturn, as risk is expanded to include supplier and customer insolvency, not to mention cash-flow changes.

Many organizations have gone through unprecedented changes in the past year. While some have struggled to cope, others have proven resilient in the face of uncertainty. To handle adversity gracefully and emerge from a period of hardship in good shape requires a deep understanding of your business. To manage operational risk effectively, you must identify threats, craft incident response plans, and establish visibility.

Underpinning a successful strategy is the agility to act swiftly in the face of rapidly changing circumstances. There are various steps any organization can take to gain deeper insight into operations and establish a holistic picture of the threats that matter most. The urgency that a downturn creates can be an opportunity for positive change to build greater resilience.

Many organizations also find the need to adjust their risk appetite in a downturn, as operational risk expands to include risks directly related to the downturn, such as insolvency of suppliers and customers and changes to cash-flow patterns, all of which may have been modeled on more predictable trading periods.

Understand Your Risk Appetite
It’s crucial to have a clear picture of the risk that your business is prepared to endure. Different businesses will have different tolerances, in terms of the downtime they can handle and what their customers will put up with. The process of identifying where the major risks lie isn’t just about informing mitigation strategies, it can also be a catalyst for necessary change. A dynamic landscape and shifting external pressures can shine a light on areas that require investment, or even parts of the business that must evolve.

Be pragmatic and realistic; risk appetite may have to shift significantly during a downturn. 

As consumer behavior changes, organizations must look beyond maintaining current customer experiences and cater to emerging demand. Traditional retailers might close their brick-and-mortar stores, for example, and transition to an exclusively online business.

Take a Risk-Based Approach
While compliance is essential, and easily digestible for company boards, a box-ticking approach to cybersecurity cannot cater to the unique risks that each business faces. Transitioning from a compliance-based approach to a risk-based approach is challenging, but the two are not mutually exclusive. What’s vital here is that you align your approach with the overall business strategy and demonstrate the benefits to secure board buy-in. 

Monitor the Threat Landscape
Before you can craft an effective risk-based approach, you must build a clear picture of the threats your organization faces. There are many commonalities, but the precise make-up of the threat landscape is unique to each business. Geopolitical instability has precipitated an enormous change in recent months with a rapidly shifting cast of bad actors with an ever-growing capability to harm. 

Any snapshot of the threat landscape will be rapidly out of date. Organizations must continuously monitor the situation and keep tabs on trends in organized criminal gangs and nation-states. This is complicated when your business operates across multiple jurisdictions because you must learn not only what different threat actors are doing in those geographies, but also what the regulatory landscape is like.

Plan Crisis Management
With a clear plan in place and responsibilities delineated, you can work through any crisis. Make sure that you craft policies and incident response plans to cater to a diverse range of scenarios. When a problem emerges, employees should know what’s expected of them. Empower individuals to take charge and to report back regularly to upper management and the board. Knock down roadblocks to swift action and demolish walls between silos to ensure that different people across your business can work together effectively to resolve issues and guard against any repeat. The whole business must be accountable to spread the load and build understanding across departments and geographies.

Establish Transparency in the Supply Chain
While internal visibility is crucial, you can’t afford to leave third-party partners to their own devices, but sending suppliers many streams of audit forms is not effective. Security becomes a tick-box exercise where partners have an incentive to tell you what you want to hear. It’s better to share specifics and make your expectations of partners crystal clear. Ensure your supply chain is transparent and fully informed by your risk appetite and threat monitoring to effectively manage risk and enable the agility to drive future success.

Share Intelligence and Foster Collaboration
We’ve highlighted the importance of transparency across your business and throughout the supply chain so that everyone takes responsibility and works together, but this spirit of sharing and collaboration can spread further. Work closely with partner organizations, establish intelligence-sharing in your sector, and talk to government departments and even other industries about the threats they have encountered. 

Cybercriminals and other attackers share tactics and success stories. When we fail to share intelligence, the only real winners are the bad actors. They can deploy the same attacks successfully with a range of organizations unless we discuss our experiences and collaborate on defensive strategies to shut them out.

Coping with heightened operational risk during a downturn is a challenge for every business, but it’s far from insurmountable. Strive for transparency, plan for the worst, and pull together across departments, third-party partners, and the wider business community to create a united front.

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board’s role in cybersecurity and …

Security Gaps in IoT Access Control Threaten Devices and Users

Researchers spot problems in how IoT vendors delegate device access across multiple clouds and users.

A team of Internet of Things security researchers has discovered vulnerabilities in the way IoT device vendors manage access across multiple clouds and users, putting both individuals and vendors at risk.

IoT devices are increasingly managed through clouds operated by device vendors such as Philips Hue, LIFX, and Tuya, or by cloud providers such as Google and Amazon. These clouds mediate the users’ access to specific devices — for example, granting them permission to unlock a smart lock.

The researchers were especially interested in the emerging capability to delegate device access across multiple clouds and users. Some vendors let Google Home control devices under their clouds, so a person can manage multiple devices from different vendors via their Google Home. It’s a win for usability — normally, someone with devices from various vendors would install multiple apps to control them, which becomes a hassle as their IoT device collection grows.

“[The IoT] keeps evolving, and we keep observing new security issues, new security risks coming up, especially when a vendor tries to strike a balance between usability and security,” says Luyi Xing, assistant professor of computer science at Indiana University Bloomington and a member of the research team.

While being able to manage multiple devices from a single hub is convenient, access delegation across IoT clouds is distributed and unverified, researchers report. The problems emerge when one cloud unknowingly violates the security operations and assumptions of another cloud. When this happens, devices may not fully revoke access when someone instructs them to.

“Security always comes behind the functionality, so that’s why this is important,” adds Bin Yuan, post-doc at Huazhong University of Science and Technology and Indiana University Bloomington. “That’s why we did our research in this area, to better understand it and try to solve the security risks here.”

The problem lies in vendors’ protocols, Xing explains. Each vendor independently develops its own delegation protocol with implicit security assumptions, but the protocols from different vendors have to work together to establish the delegation chain between vendor and user.

“When these protocols work together, their security assumptions may conflict with each other, and one vendor may not fully understand the implications [or] the assumptions of another vendor’s operation in terms of security,” he says. One of the vulnerabilities they discovered let a user continue accessing a device after temporary permissions were removed. When someone attempted to revoke the permission, it turned out the user still had control over the device.

In the real world, this could happen with something as simple as a smart lock, Xing says. An Airbnb host may grant temporary access to a guest, but that guest could still have access to their home after the host thinks they’ve checked out.
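The revocation failure described above comes down to where a grant is checked. The following is an added example written for this article, not code from the researchers or from any vendor: it models a vendor cloud that owns a smart lock and a hub cloud that the vendor delegates to. The cloud names, token format and method names are all constructed for illustration. The flawed hub trusts its own cached copy of the grant, so the guest keeps access after the host revokes it at the vendor; the hardened hub re-verifies each use against the authoritative vendor cloud, so the revocation holds.

```python
"""
Toy model of cross-cloud IoT access delegation (constructed example; no
real vendor protocol is reproduced here).

VendorCloud is the authoritative cloud for the device: a grant is only
meaningful while it exists there. HubCloud is a third-party hub that the
vendor cloud delegates to. The two variants of HubCloud differ only in
whether an access attempt is checked against the vendor cloud (the
"verified" delegation the article calls for) or against the hub's own
cached copy (the "distributed and unverified" delegation it criticises).
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class VendorCloud:
    """Authoritative record of who may operate which device."""
    grants: dict = field(default_factory=dict)  # token -> (user, device)

    def delegate(self, user: str, device: str) -> str:
        """Issue a delegation token for (user, device)."""
        token = secrets.token_hex(8)
        self.grants[token] = (user, device)
        return token

    def revoke(self, user: str, device: str) -> None:
        """Host revokes the guest in the vendor app: drop every matching grant."""
        for tok, pair in list(self.grants.items()):
            if pair == (user, device):
                del self.grants[tok]

    def is_valid(self, token: str, user: str, device: str) -> bool:
        return self.grants.get(token) == (user, device)


@dataclass
class HubCloud:
    """Third-party hub holding delegated access on behalf of its users."""
    vendor: VendorCloud
    verify_upstream: bool            # True = hardened, False = flawed
    cache: dict = field(default_factory=dict)  # (user, device) -> token

    def accept_delegation(self, user: str, device: str) -> None:
        """Obtain a token from the vendor and remember it locally."""
        self.cache[(user, device)] = self.vendor.delegate(user, device)

    def unlock(self, user: str, device: str) -> bool:
        """Return True if the hub lets `user` operate `device` right now."""
        token = self.cache.get((user, device))
        if token is None:
            return False
        if self.verify_upstream:
            # Hardened: the vendor cloud is the source of truth, ask it.
            return self.vendor.is_valid(token, user, device)
        # Flawed: the hub assumes its cached grant is still good. Nothing
        # told it about the revocation, because the two clouds never agreed
        # on who is responsible for propagating revocations.
        return True


def simulate(verify_upstream: bool) -> tuple:
    """Run the Airbnb-style scenario; return (access before, access after revoke)."""
    vendor = VendorCloud()
    hub = HubCloud(vendor, verify_upstream)
    hub.accept_delegation("guest", "front-door-lock")   # host shares the lock
    before = hub.unlock("guest", "front-door-lock")      # guest checks in
    vendor.revoke("guest", "front-door-lock")            # host revokes at the vendor
    after = hub.unlock("guest", "front-door-lock")       # guest tries again
    return before, after


if __name__ == "__main__":
    print("unverified hub (before, after revoke):", simulate(False))  # (True, True)
    print("verified hub   (before, after revoke):", simulate(True))   # (True, False)
```

The design point is that a cached grant is only as current as the last message the hub received; if the vendor cloud and the hub never agreed on who propagates revocations, the safe default is to treat the device owner's cloud as authoritative and check with it at the moment of use, or to have the vendor cloud actively push revocations to every hub it has delegated to.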

An Industrywide Problem
This problem affects a broad range of IoT device vendors and clouds. Given this, the researchers sought to develop an approach to verify the protocols of different device manufacturers and determine whether a protocol might be vulnerable to an attack. They created a verification tool to model the operations and data flows of an IoT vendor and automatically discover flaws.

From there, they conducted a systematic study on cross-cloud IoT delegation, in which they investigated 10 mainstream IoT clouds, including Google Home, SmartThings, Philips Hue, LIFX, August, and others. They discovered five serious flaws that, if exploited, could give someone unauthorized access to IoT devices such as smart locks, switches, and safety sensors, they say.

“We can find the individual vulnerabilities for a specific protocol, for a specific vendor, but that doesn’t solve the problem,” Xing says of why they wanted to create a systematic approach. All of the flaws they discovered were reported to the respective vendors, which have deployed or scheduled fixes.

The researchers believe cross-vendor delegation is helpful to users; however, the protocols behind it must be designed with more caution. Protocols they saw in the wild had not undergone rigorous security analysis or verification, Xing says. The team hopes that protocols will eventually become more transparent, so vendors know one another’s security assumptions.

Xing and Yuan will join their fellow researchers, Yan Jia, research associate at Nankai University, and Dongfang Zhao, PhD student at Indiana University Bloomington, to present their research findings in a Black Hat Asia briefing: “How I Can Unlock Your Smart Door: Security Pitfalls in Cross-Vendor IoT Access Control,” on May 7.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

How the Biden Administration Can Make Digital Identity a Reality

A digital identity framework is the answer to the US government’s cybersecurity dilemma.

While data breaches and ransomware attacks kept the cybersecurity industry preoccupied last year, the scope of the SolarWinds data breach far surpassed common exploits, garnering mainstream and social media attention. The breach impacted several of the country’s largest technology companies, including Cisco, Microsoft, and NVIDIA, as well as the US Departments of Commerce, Homeland Security, and Treasury. This incident prompted President Joe Biden to quickly sign the American Rescue Plan Act into law, prioritizing cybersecurity and allocating $2 billion to modernize the country’s digital infrastructure.

The Biden administration has promised to broadly improve digital security, monitoring, and response times, establishing a modern “digital identity” system of particular importance. A digital identity system compiles specific information, such as proof of age, passport number, and basic health and financial data, into one “card” that resides on your phone, backed with biometric security.

By using recent European regulations as a foundation to secure individuals’ data and link it to their digital identity, the federal government could close the security gaps that have historically led to fraud. Digital identity authentication would be faster, more accurate, and more useful than manually checking physical ID cards, accelerating public and private sector transactions.

A Holistic Approach to Digital Identity
Digital identity has already gained bipartisan support on Capitol Hill. In 2020, Representatives Bill Foster (D-IL) and John Katko (R-NY) introduced the Improving Digital Identity Act, designed to establish a nationwide approach to improving digital identity. Now, the Biden administration plans to leverage digital identity for modernization of public services, ranging from government assistance to healthcare to licensing.

The act would be a step forward but wouldn’t completely address needs in the public and private sectors. Rep. Foster notes that the bill would primarily address the government’s need for digital identity, paying less attention to issues (e.g., transaction friction, fraud) facing enterprises and consumers. For that reason, the Biden administration must take a broader, holistic approach to digital identity, eliminating data siloing that would make future digital IDs unnecessarily purpose-specific.

Any weakness in such a system would allow bad actors to access sensitive data and impersonate customers, resulting in fraudulent requests for government services, credit cards, loans, or licenses. Implementing a secure, robust digital identity system is critical: scammers created over 145,000 suspicious domain registrations last year targeting recipients of stimulus checks, exploiting gaps in identity verification to intercept other people’s money.

The Biden administration should consider the United Kingdom, which is already making strides in developing a digital identity framework. The UK framework spans public and private organizations and includes a system for “vouching,” allowing officially licensed local authority figures such as accountants, government officers, and even teachers to vouch for or confirm an individual’s identity. A properly developed US framework would meet the security needs of various organizations without unnecessary friction for end users.

It’s About the Who and How, Not the What and Where
Digital transformation across commerce has given bad actors new security gaps in online transactions to capitalize on. 2020 saw more than 1.3 million identity theft cases, a 113% increase, in which bad actors used readily available information (e.g., Social Security numbers) to target individuals.

Tempting as it may be to avoid linking biometric data to digital identity, the opposite approach is instrumental to securing and authenticating future transactions. Historically, fingerprints were required only for fighting crime and for licensing certain professionals; within the past decade, however, fingerprint scanning became so ubiquitous in consumer devices that even 3D facial scanning now seems standard. It’s time to determine what should be part of one’s digital identity, with an eye toward modern realities rather than past theoretical concerns.

The US framework should incorporate basic biometrics and, with appropriate consents and disclosures, can even incorporate patterns from past interactions as an additional security layer. Imagine a hospital expediting your registration because your ID thoroughly confirms who you claim to be, or an ATM applying greater scrutiny to a potentially fraudulent withdrawal because the fraudster using your ID didn’t follow your withdrawal patterns.

As long as privacy and data security are prioritized, using voluntarily opted-in biometric data is superior to a framework relying on cookies and constant surveillance. A digital identity framework powered by biometrics and a legitimate identity verification system will make it extremely difficult, if not virtually impossible, for bad actors to impersonate others without being flagged.

Making Digital Identity a Reality
The government and technology sectors have been out of sync for years, resulting in severe security gaps and outdated infrastructure. Though horrific, the SolarWinds breach was the catalyst for long-needed data-security changes in the public and private sectors, making a nationwide digital identity framework more feasible.

With the American Rescue Plan Act passed and the Improving Digital Identity Act pending, funding is available to start implementing solutions. At this point, the only questions are how and when the federal government will move forward on important digital identity initiatives.

The private sector will need to keep applying pressure, including by identifying digital identity management and authentication solutions. At a high level, the administration should consider feedback on improving security and reducing fraud from CIOs and CISOs at large enterprises, including corporations damaged by the SolarWinds breach, as well as from innovative startups. A winning solution will be acceptable not only to government officials but also to businesses of all sizes and the general public.

Until the federal government actively deploys a digital identity system, bad actors will continue to exploit weaknesses in the outdated current identity system. Beyond federal impacts, annual private sector damage will continue to be measured in billions of dollars, and state agencies will continue to be targets of benefits fraud and other identity-related crimes.

Thankfully, the broad frameworks, specific principles, and advanced technologies required to securely digitize identities are all within our grasp. It’s now just a matter of seizing this opportunity to move public and private cybersecurity forward.

Hal leads the strategy and expansion of Callsign’s Intelligence Driven Authentication in the United States. Previously, Hal was a Senior Director at Early Warning, where he was responsible for developing authentication solutions to protect financial institutions from the …


Software Developer Arrested in Computer Sabotage Case

Officials say Davis Lu placed malicious code on servers in a denial-of-service attack on his employer.

A software developer has been arrested and faces charges for allegedly placing malicious code on his employer’s computer servers, the Justice Department reports.

A federal grand jury in Cleveland returned an indictment charging Davis Lu, 51, of Houston, Texas, with one count of damaging protected computers.

Officials say Lu was employed as a senior developer with an unnamed company based in Cleveland. In August 2019, the company suffered a denial of service (DoS) when production servers crashed and employees were unable to access them. According to the indictment, an investigation found unauthorized code installed on a server that caused it to enter an infinite loop and crash.

Lu was asked to return his company-issued computer. Officials say before he did, he deleted encrypted volumes and attempted to delete Linux directories as well as two additional projects. He also allegedly searched the Internet for information on how to escalate privileges, hide processes, and delete large folders and/or files.

The company says it suffered a loss of at least $5,000. Lu has not yet entered a plea.

The Department of Justice statement can be read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


Google Brings 37 Security Fixes to Chrome 90

The latest version of Google Chrome also introduces HTTPS as the browser’s default protocol.

Google this week released Chrome 90 to the stable channel for Windows, Mac, and Linux. The update, which will roll out over the coming days and weeks, brings 37 security fixes, HTTPS by default, and other updates to the browser.

Chrome 90.0.4430.72 fixes six high-severity vulnerabilities, 10 medium-severity vulnerabilities, and three low-severity flaws reported by external security researchers, in addition to fixes for flaws discovered by its internal team. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) made note of these patches in an advisory published today.

Google announced last month that, starting in version 90, Chrome’s address bar would use https:// by default. Previously, if a person typed “example.com” into the address bar, the browser chose http:// as the default protocol, with the exception of sites on the HSTS preload list, for which Chrome always defaults to HTTPS.

In Chrome 90, the browser defaults to HTTPS for most typed hostnames that don’t specify a protocol. IP addresses, single-label domains, and reserved hostnames such as test/ or localhost/ continue to default to HTTP, Google notes in a blog post on the change. For sites that don’t support HTTPS, Chrome falls back to HTTP when the HTTPS attempt fails.
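The scheme-selection rule described above, as an added example that is not Chromium code: a small Python model of which scheme Chrome 90 prepends to omnibox input typed without one, and of the HTTP fallback when the HTTPS attempt fails. The HSTS preload set is a constructed two-entry stand-in for the real list, only the carve-outs the article names (IP literals, single-label names, localhost/test) are modelled, and the https_reachable callback stands in for the network attempt; all function names are this example’s own.

```python
import ipaddress
import re

# Constructed stand-in for the HSTS preload list; the real list has tens of thousands of entries.
HSTS_PRELOAD = {"google.com", "github.com"}

# Reserved names that Google's post says keep defaulting to HTTP.
RESERVED_HOSTS = {"localhost", "test"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*)://")


def _typed_host(typed: str) -> str:
    """Extract the hostname from omnibox input that carries no scheme."""
    authority = typed.strip().split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    host = authority.rsplit("@", 1)[-1]           # drop userinfo if present
    if host.startswith("["):                      # bracketed IPv6 literal, keep brackets
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].rstrip(".").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def default_scheme(typed: str) -> str:
    """Scheme Chrome 90 would use for the typed input."""
    m = _SCHEME_RE.match(typed.strip())
    if m:
        return m.group(1).lower()                 # an explicit scheme is honoured as typed
    host = _typed_host(typed)
    if host in HSTS_PRELOAD:
        return "https"                            # preloaded hosts are always HTTPS
    if _is_ip_literal(host) or host in RESERVED_HOSTS or "." not in host:
        return "http"                             # carve-outs named in Google's post
    return "https"                                # the new default


def resolve(typed: str, https_reachable) -> str:
    """Final URL after the HTTPS-first attempt, modelling the HTTP fallback.

    https_reachable(host) stands in for the connection attempt and returns
    True when the site answers over HTTPS (assumption: one boolean probe).
    """
    typed = typed.strip()
    if _SCHEME_RE.match(typed):
        return typed                              # user was explicit; nothing to decide
    scheme = default_scheme(typed)
    host = _typed_host(typed)
    if scheme == "https" and host not in HSTS_PRELOAD and not https_reachable(host):
        scheme = "http"                           # upgrade failed, fall back as Chrome does
    return f"{scheme}://{typed}"


if __name__ == "__main__":
    for item in ("example.com", "localhost/", "192.168.1.10", "intranet", "github.com", "[::1]:8080/"):
        print(f"{item:16} -> {default_scheme(item)}")
    # a host that only speaks HTTP ends up downgraded; a preloaded one never does
    print(resolve("legacy.example", lambda h: False))
    print(resolve("github.com", lambda h: False))
```

Note that a preloaded host is never downgraded even when the probe fails, which is exactly the property that makes HSTS preloading worth the effort for sites that can commit to it.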

The HTTPS change will first appear on Chrome Desktop and Chrome for Android in version 90, with a release for Chrome on iOS following “soon after,” Google reports.

Read more details about Chrome 90 here.



Lazarus Group Uses New Tactic to Evade Detection

Attackers conceal malicious code within a BMP file to slip past security tools designed to detect embedded objects within images.

Security researchers with Malwarebytes have observed North Korea-affiliated advanced persistent threat actor Lazarus Group employing a new technique to deliver malware while evading security tools.

Lazarus Group, an active and sophisticated group known for attacking targets around the world, recently expanded its primary mission beyond monetary theft to include stealing defense secrets. The group is known for developing custom malware families and using novel tactics.

One of its newest methods involves embedding a malicious HTML Application (HTA) file as a zlib-compressed object inside a PNG image. At run time the PNG is converted to BMP; because BMP stores pixel data uncompressed, the PNG-to-BMP conversion inflates the zlib object and leaves the HTA in the clear. Researchers call this a clever way to evade detection: in the PNG the malicious object exists only in compressed form, so static scanning for embedded objects misses it.
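The evasion described above, as an added example that is neither the Malwarebytes analysis code nor the actor’s tooling: it builds a valid PNG whose pixel data is a constructed, harmless stand-in for the HTA, then shows that searching the PNG’s bytes for HTA markers finds nothing while inflating the IDAT stream (the same operation a PNG-to-BMP conversion performs) exposes them. The example models the compressed layer as the PNG’s own deflate-compressed IDAT data, which is one way the described structure can arise; the real sample’s layout is not described on this page. The marker list, function names and sample payload are assumptions, and only 8-bit greyscale with scanline filter type 0 is handled.

```python
import struct
import zlib

# Strings an analyst might look for in an HTML Application; constructed list, not a vendor signature.
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_carrier(payload: bytes, width: int = 64) -> bytes:
    """Store payload bytes as the 8-bit greyscale pixels of a valid PNG.

    PNG pixel data is zlib-compressed inside IDAT, so the payload exists in
    the file only in deflated form, which is what defeats a plain byte scan.
    """
    height = -(-len(payload) // width)                       # ceil division
    padded = payload.ljust(width * height, b"\x00")
    # one filter-type byte (0 = None) precedes every scanline
    raw = b"".join(b"\x00" + padded[r * width:(r + 1) * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, colour type 0
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b"")


def png_pixel_bytes(png: bytes) -> bytes:
    """Inflate IDAT and strip the per-scanline filter bytes.

    This is the data a PNG-to-BMP conversion writes out uncompressed.
    """
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height, depth, colour = 8, b"", 0, 0, 0, 0
    while pos + 8 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
        elif ctype == b"IDAT":
            idat += data                                     # IDAT may be split across chunks
        elif ctype == b"IEND":
            break
        pos += 12 + length
    if (depth, colour) != (8, 0):
        raise ValueError("example handles 8-bit greyscale only")
    raw = zlib.decompress(idat)
    stride = width + 1
    rows = []
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(row[1:])
    return b"".join(rows)


def scan(png: bytes) -> dict:
    """Compare a naive byte scan of the PNG with a scan of its decoded pixels."""
    pixels = png_pixel_bytes(png)
    return {
        "raw_hits": [m for m in HTA_MARKERS if m in png],
        "pixel_hits": [m for m in HTA_MARKERS if m in pixels],
    }


# Constructed, harmless stand-in for the HTA; it contains only the markers and a comment.
SAMPLE_HTA = b'<html><head><hta:application id="x"/></head><script>/* placeholder */</script></html>'

if __name__ == "__main__":
    carrier = build_png_carrier(SAMPLE_HTA)
    print(scan(carrier))
```

The practical takeaway for detection engineering is the second half of scan(): a rule that inflates IDAT (or watches for an image-conversion call followed by execution of the converted file’s bytes) sees what a byte-pattern rule over the PNG cannot.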

This attack likely started with a phishing campaign in which emails arrive with a malicious document attached. When opened, the document prompts the viewer to enable macros. Doing so leads to a message box; clicking it loads the final phishing lure, a participation form for a fair in a South Korean city. The document is weaponized with a macro that executes when it’s opened.

While attribution is consistently a challenge in cyberattacks, the team found several signs that connect this activity with Lazarus Group, as outlined in a blog post on their findings.

“There are several similarities between this attack and past Lazarus operations and we believe these are strong indicators to attribute this attack to the Lazarus threat actor,” writes Hossein Jazi, senior threat intelligence analyst.

Read the full blog post for more information.



SolarWinds: A Catalyst for Change & a Cry for Collaboration

Cybersecurity is more than technology or safeguards like zero trust; mostly, it’s about collaboration.

The Sunburst campaign, which includes the SolarWinds incident, is not unique in its type or frequency. Supply-chain attacks have been happening more frequently over the past seven or so years. As adversaries continue to rapidly identify vulnerabilities, coupled with the world’s increased reliance on digital connectivity, we face mounting challenges in preventing, detecting, and responding to sophisticated attacks.

Ultimately, threat actors have realized that their activities require low capital investment and yield high returns. So, we must continue to navigate these challenges because these attacks are not the Achilles’ heel of digitalization. Instead, they are a symptom of the exponential growth, innovation, and democratization of technology throughout our lives, including in critical infrastructure. We simply need a call to action for change and collaboration.

There are many aspects of technology that will shape our future, but near the top will be the supply chain and our dependence on wider technology ecosystems. This indicates a need to strengthen trust relationships with suppliers and other technology partners. The Sunburst campaign strikes at the very heart of these trust-based relationships. And while not unique, Sunburst remains the most widely covered software supply chain attack that we have ever seen and experienced as a society. As the facts continue to emerge, it is becoming increasingly clear just how disjointed our information network has become in the United States. Sunburst has helped reveal the gaps in that flow.

We will certainly see more cyberattacks across our technology ecosystem. However, given the attention to Sunburst, we have a unique and potent opportunity right now to improve our cybersecurity posture. When it comes to threat actors, we need to be more intentional about identifying, structuring, and leveraging the critical information related to these threats located in various sectors throughout the US technology ecosystem.

Recently, the Atlantic Council’s Cyber Statecraft Initiative, where I have participated and contributed to multiple products, released its full report on SolarWinds, titled “Broken Trust: Lessons From Sunburst.” The report outlines three overarching lessons learned from this attack. The first is that we have seen compromised software supply chains before; what made Sunburst a larger issue is the role of cloud computing as a target. Second, we could have done more to protect and prioritize federal systems. And finally, the lesson that I found to be the most salient: “Sunburst was a failure of strategy.”

So, what exactly does that mean? It means cybersecurity is about more than just deploying technology. It’s about more than just taking action with safeguards like zero trust, which requires the continual verification of users in a system. Cybersecurity is mostly about collaboration.

That is why I am happy to see Congress engaging on this topic. The federal government is well-positioned to help define a strategy for our technology ecosystem and foster collaboration across various sectors. The government can help create a safe and secure continuum of information flow that spans R&D at educational, private, and nongovernmental organizations, as well as the practical knowledge and application found within the private sector. All could fit within a progressive governance framework that is robust enough to define clear guardrails and purpose, but flexible enough to accommodate the nuances of drastically different sectors operating within it. On top of this framework should be a well-articulated national digitalization strategy, which includes cybersecurity as its core principle.

This is particularly critical as the federal government pivots to digitalize vast swaths of its infrastructure in the coming years. Digitalization and cybersecurity are two sides of the same coin. With continued digitalization, this risk will just increase. We can’t allow this risk to hold us back; cybersecurity is challenging, not paralyzing.

Additionally, we can no longer depend solely on data and technology to guard against hackers trying to break into networks. There’s another critical industrywide issue at play here: the talent gap. Cybersecurity positions are growing three times faster than other IT positions, according to a 2019 report from Burning Glass Technologies, an analytics software company providing real-time data on job growth and skills in demand. Additionally, the 2020 (ISC)² “Cybersecurity Workforce Study” estimates that there are roughly 3.1 million unfilled cybersecurity jobs worldwide. It’s crucial to aggressively recruit and train talented professionals, redefining what it means to be qualified so that more people can help us drive our digital journey into the future.

Finally, and most importantly, ownership will hold all this together. We all must accept extreme ownership of cybersecurity so that, together, we are stronger. Industry must be an active partner in driving needed changes, as both public and private stakeholders focus on a model of operational collaboration rather than simply sharing information. Only then will we be able to execute a sustainable cybersecurity strategy that allows us to build trust and secure our nation’s critical infrastructure over time.

The response to this public attack should lead to meaningful action that moves us forward. By empowering key leaders and organizations to make changes to improve America’s cyber posture, as the Biden administration has done so far, we can meet the challenge of this moment.

Kurt John is the Chief Cybersecurity Officer of Siemens USA, where he is responsible for the cybersecurity strategy, governance and implementation for the company’s largest market (~$23B in annual revenues). In this role, Kurt oversees the coordination of cybersecurity for …
