Phishing Attacks for Initial Access Surged 54% in Q1

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort  organizations in other ways. 

Researchers from Kroll recently analyzed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

Multiple Attack Vectors
Kroll’s analysis shows that attackers leveraged the initial foothold gained via phishing in multiple ways, including to drop ransomware and malware, and to extort without any ransomware or encryption. 

In one incident that Kroll investigated during the first quarter, adversaries acquired an organization’s global admin credentials after an IT employee at the company clicked on a phishing email they had sent. The adversaries used the credentials to take over multiple email accounts belonging to other members of the IT team as well as the C-suite, which in turn they used to download sensitive enterprise data. The attackers followed up with a demand seeking a ransom in exchange for the attack to stop.

In other instances, Kroll’s researchers identified attackers breaking into a network by exploiting a vulnerability and then using that access to launch convincing-looking phishing campaigns. In one incident, the attackers exploited the ProxyShell vulnerability in Exchange Server to access the target network. Once inside, the attackers attempted to phish employees by attaching a malicious .zip file to a reply to a legacy internal email thread. The .zip file was disguised as an invoice, and appeared to be from a trusted internal source: Several users opened it and unknowingly downloaded IcedID on their systems. That organization was subsequently hit with the QuantumLocker ransomware two weeks later, Kroll said.

Phishing was not the only tactic that attackers used to try and gain initial access on a target system or network. In several incidents that Kroll investigated, threat actors exploited widely publicized vulnerabilities such as ProxyLogon and Log4Shell to gain a foothold from which to drop ransomware such as Conti, AvosLocker, and QuantumLocker on target networks. 

Inadequate Defenses
Patrick Harr, CEO at SlashNext, a provider of anti-phishing services, says current organizations defenses are not fully designed to protect against attacks that appear to originate from inside the organization. “You can’t stop phishing that comes from legitimate services with employee awareness training,” he says. “As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to prevent these threats.” 

The broader adoption of work-from-home models over the past two years has also made it easier for attackers to target employees in phishing campaigns — and get away with it. “Remote work certainly created more opportunities for threat actors to execute [business email compromise] and other phishing attacks,” says Hank Schless, senior manager of security solutions at Lookout. “Without being able to walk over to another person’s desk in the office, employees have a much harder time validating unknown texts or emails.”

The increased reliance on smartphones and tablets for internal communications has created several issues, he adds. Spear-phishing attacks on mobile devices, for instance, are much harder to catch than on a desktop. Users also cannot preview link destinations or verify the sender’s identity. So, a lot of the things that employees are trained to recognize as part of their phishing awareness training are hard or almost impossible to spot on a mobile device, Schless says.

Temporary Ransomware Drop-off
Kroll’s analysis showed that ransomware attacks — as a proportion of all attacks — dropped 20% between the fourth quarter of 2021 and the first quarter of 2022 and 30% between the third quarter of 2021 and the first quarter of 2022. At least some of the drop-off in attacks appears to have resulted from law enforcement’s disruption of malicious activity by groups such as REvil, Kroll said. Another factor that likely contributed to the slowdown in ransomware attacks was the voluntary exit from the scene made by groups such as BlackMatter, Kroll added.

However, early data from the second quarter of 2022 suggests that ransomware actors are regrouping and preparing to resume their usual level of activity soon, according to Kroll.

An earlier report from Digital Shadows noted a similar drop-off in ransomware incidents in the first quarter of 2022 but pointed to emerging trends in the space that could have implications for enterprise organizations. One example is the growing trend by ransomware groups to align themselves for or against Russia in that country’s war against Ukraine.

Like Kroll, researchers from Digital Shadows also observed incidents involving extortion, where no ransomware was deployed. One example cited by both companies was the attacks by a group identified as Lapsus$ (aka DEV-0537) that targeted several technology and security firms in the first quarter of 2022. In some of the incidents, the attackers defaced the websites of target organizations and claimed they had suffered a ransomware attack. In other instance, the group used stolen credentials to exfiltrate data and then threatened victims that it would release the data publicly unless paid a ransom.

The flip side of the coin: Why crypto is catnip for criminals

Cybercriminals continue to mine for opportunities in the crypto space – here’s what you should know about coin-mining hacks and crypto theft

Wherever you look these days, cryptocurrencies are in the news. And it’s not just because of the recent slump in their prices. Everybody seems to have grabbed a slice of the crypto pie over the past few years, as ‘things’ like Bitcoin have gone from fringe curiosities to household names in a span of a decade, all while giving rise to hordes of newly-minted crypto millionaires. These days, it feels like you’re either in or you’re out (and left behind by the crypto revolution and the gold rush).

Naturally, the fascination with all things crypto and the (almost) gravity-defying increase in the value of many cryptocurrencies haven’t escaped the notice of criminals. After all, they always want to be where the money is – or in some cases, where it is being created.

Let’s look at how criminals hijack computing power to mine new coins and how they make off with other people’s ‘crypto cash’.

A primer on cryptocurrencies

At its simplest, cryptocurrency is a form of currency that is secured by cryptography and uses a public blockchain ledger to record transactions. Unlike conventional currencies, cryptocurrencies are not backed by governments (though there are some exceptions) and the crypto sector is subject to little to no regulatory oversight. Many people view crypto as a viable alternative to traditional asset classes such as stocks and bonds and as a better store of value than fiat currencies. In May 2021, some 220 million people worldwide were estimated to own cryptocurrencies.

Source: crypto.com

Beyond Bitcoin, the granddaddy of cryptocurrencies, there are thousands more currencies, with new projects springing up and others dying a quick death every day. New coins and tokens are created via cryptomining, a computationally and energy-intensive process where computers solve mathematical puzzles in order to confirm the authenticity of transactions on the blockchain. The owners of these rigs are then rewarded with newly-minted crypto in return.

Pros

  • Crypto proponents swear by its decentralized architecture, improved transaction speeds, lower transaction costs, better privacy, and (pseudo)anonymity.
  • Other advantages, whether actual or perceived, stem from the fact that that the supply of crypto is often finite and scarcity generally drives value higher. Indeed, contrast this with fiat money where governments can fire up “money-printing presses” and inject the money into the economy almost at will.
  • Also, cryptocurrencies involve no barrier to entry, obviously as long as you already have the appropriate means – either to buy the already existing coins and hope for their increase in value or to set up extremely powerful computer rigs that can solve number-crunching puzzles to mine new coins. Ka-ching!
  • Information that is once recorded in the blockchain is stored there forever and can’t be changed. This fosters transparency and helps prevent fraud.
  • Some countries are “crypto tax havens” and you don’t need to explain to the tax man how you’ve amassed your coins.
  • You can also use your crypto to pay for all kinds of services on the internet – not only on the dark web.

Cons

  • As crypto prices fluctuate wildly, “investing” in these assets is not for the faint of heart. In fact, you could argue that dabbling in crypto is a lot like gambling.
  • The market value of a cryptocurrency is a function of demand versus supply, but unlike stocks, cryptocurrencies are not pegged to underlying “real-life assets” such as ownership shares of a company.
  • As the number of available cryptocurrencies increases, there is a risk that the market value of individual coins will be “diluted”.
  • There’s no telling what will happen once all coins have been mined. It’s not out of the question that a cryptocurrency might become the equivalent of a “baseball card” whose value is driven solely by its limited availability.
  • The mining of the individual coins is extremely computing- and energy-intensive, which has an outsized impact on the environment and possibly your energy bills.

Criminals also want a share of the pie

Notwithstanding the perpetual and notorious volatility of cryptocurrencies, the best-known coins have mostly soared in value over the past few years. This part of crypto’s appeal isn’t lost on the criminally-inclined. Add crypto’s relative anonymity to the mix, and it’s becoming clearer why criminals are eager to line their pockets to the brim.

To do so, they have two main options: illicit cryptocurrency mining and cryptocurrency theft.

(Rogue) cryptocurrency mining

As mentioned earlier, new coins are created using a process called cryptocurrency mining. This process requires significant computing power and can be very costly. It relies on graphics processing units aka GPUs (or increasingly even dedicated ASIC miner hardware), any of which is generally better suited for performing the calculations needed to mine new coins than, say, central processing units (CPUs).

The semiconductor chip shortage along with the rush by crypto “prospectors” to build specialized rigs in order to capitalize on the soaring crypto prices have conspired to a burst in demand for GPUs, ultimately sending their prices through the roof.

But these developments also bolstered some pre-existing trends in cybercrime and piqued the interest of many scammers and other cybercriminals who are only too keen on riding the crypto wave without investing their own money into custom hardware. Enter cryptojacking, the practice where your computing resources are hijacked to mine crypto for somebody else.

Of course, such malicious cryptomining is far from new. It is still a threat today, however, even for people who don’t own racks of specialized hardware where they mine crypto on a large enough scale. One risk involves falling victim to campaigns that spread malicious miners that are bundled into, for example, fake copies of legitimate software or that ask you to click on links to download seemingly genuine software updates.

Another threat involves fraudulent offers to rent some of your computing power for cryptomining in return for a share of the newly-minted coins. Such get-rich-quick schemes are just one of the many flavors of cryptocurrency scams that are doing the rounds especially on social media.

Source: Instagram

Theft

Cryptocurrencies are stored in so-called wallets (aka crypto wallets), and it’s hardly surprising that criminals are constantly coming up with new ways of getting their hands on the wallets.

In fact, you can store your crypto in two ways – using either hot or cold wallet storage. Cold wallets are physical devices the size of a USB stick that are kept offline and generally offer much better protection for your digital currency holdings.

Hot wallets, meanwhile, are connected to the internet, either on the user’s device or the server of a service provider. Both end up in attackers’ crosshairs, as they distribute fake apps impersonating legitimate wallet apps and set their sights on cryptocurrency trading exchanges.

But not even cold wallets are 100% secure, either – after all, they have to be connected to a PC at least once in a while in order to transfer coins. Also, research has already shown that even these wallets can be hacked. There’s also a possibility that criminals could place malware on victims’ computers that intercepts this transmission and the keys, although I’m not aware of any such case in real life.

The theft or loss of a physical wallet is arguably a much higher risk. If unauthorized people get their hands on a wallet that is “secured” with an easy-to-guess PIN code, your crypto may be gone forever.

In closing

A hundred years ago, it seemed unthinkable to pay with plastic cards or phones – now it’s part of our daily lives. The world of finance is constantly evolving and whether cryptocurrencies are the future of finance is anybody’s guess. They are definitely a topic du jour, however – including now the cryptocurrency market seems to be melting down.

Regardless of whether you believe that this is the beginning of the end for Bitcoin and its peers or that the tide will turn (again), you should be mindful of the cybersecurity side of things. The growing popularity of cryptocurrencies has had an effect on the threat landscape, and you can bet your last coin that cybercriminals will continue to mine for opportunities to line their pockets.

MITRE Creates Framework for Supply Chain Security

Supply chain security has been all the buzz in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. To that end, MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over suppliers, supplies, and services – including software.

MITRE’s so-called System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers. It can be used not just by cybersecurity teams but across an organization for assessing a supplier or product. 

“An accountant, a lawyer, an operations manager could understand this structure at the top level,” says Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. “The System of Trust is about organizing and amalgamating existing capabilities that just don’t get connected right now” to ensure full vetting of software as well as service provider offerings, for example.

The SoT will make its official public debut next month at the RSA Conference (RSAC) in San Francisco, where Martin will present the framework as a first step in gathering security community support and insight for the project. So far, he says, the sneak-peek, initial feedback has been “very positive.”

MITRE is best known in the cybersecurity sector for heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, for the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.

Martin says he’ll demonstrate the SoT framework and provide more details on the project during his RSAC presentation. The framework currently includes 12 top-level risk areas – everything from financial stability to cybersecurity practices – that organizations should evaluate during their acquisition process. More than 400 specific questions cover issues in detail, such as whether the supplier is properly and thoroughly tracking the software components and their integrity and security.

Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting data scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. An enterprise could then more quantitatively analyze a software supplier’s “trustworthiness.”

SBOM Symmetry
Martin says that with software supply chain security, the SoT also goes hand in hand with software bill of materials (SBOM) programs. “SBOMs can give you deeper reason into understanding why you should trust,” for example, a software component. Among several risk factors in the SoT, SBOMs can actually mitigate those risks or, at the least, provide better insight into the software and any risks. 

“If the SBOM has pedigree information, that information would allow for assessment of the tools and techniques used to build the software – whether reproducible builds were used to build the software, memory protection methods [were] invoked during the build” and other details, he notes.

So how does the SoT framework differ from risk management models? Traditional risk management employs probabilities, Martin says. With SoT, there’s a list of risks that can be evaluated and scored to determine whether there is risk in specific areas and, if so, just how bad it really is.

“We want to help provide a consistent way of doing assessments … and we would like to encourage data-driven decisions wherever we can” in supply chain evaluations, he says.

The next steps: introducing the concept of the SoT and offering the live taxonomy for public comment and scrutiny. “Then we can see what parts can be automated and where,” and ensure that it can be integrated into the acquisition process. Vendors, too, could use SoT terminology in their product materials.

“‘Supply chain’ has a lot of different meanings,” Martin explains. “We’re not talking microelectronics in the US versus overseas. We’re not trying to solve port issues. We’re trying to get a culture of organizational risk management that includes supply chain concerns as a normal part of that. We want to bring some consistencies, automation, and data-driven evidence so there’s more understanding of supply chain risks.”

CISA to Federal Agencies: Patch VMWare Products Now or Take Them Offline

The Cybersecurity and Infrastructure Agency (CISA) has issued an emergency directive requiring federal civilian executive branch agencies to update their VMWare products impacted by a pair of new vulnerabilities or remove them from their networks.

The VMWare bugs – CVE-2022-22972 and CVE-2022-22973 – expose several VMWare products to remote code-execution (RCE) attacks. 

CISA said that last month, within just 48 hours of VMware patching its VMWare Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, advanced persistent threat (APT) actors were able to reverse-engineer the updates to launch attacks. 

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA director Jen Easterly in a statement. “CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

How Pwn2Own Made Bug Hunting a Real Sport

In April 2007, when Apple’s “I’m a Mac” ads were telling people that Macs can’t get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don’t exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own’s merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It’s a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

Early Pwn2Own Wins
But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker’s Handbook,” followed by “iOS Hacker’s Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I’m biased about the things I’m good at, but [Safari is] the easiest browser [to hack],” Miller said in an interview after the competition.

Beyond Apple
But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we’ve expanded the attack surfaces,” Gorenc says. “We’ve raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

When ‘Wow’ Is an Understatement
The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when ‘wow’ just isn’t enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare’s virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro’s Childs says. “They combined enough bugs to break out of that [sandbox] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own’s cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance
that can kill bugs, found a severe memory randomization bug in Tesla’s Model 3’s infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We’re dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don’t take ourselves too seriously.”

Pwn2Own’s Contributions to Bug Hunting
When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu’s initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They’re not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don’t know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you’re going to be getting bugs, and you’re going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

Lacework Integrates Kubernetes Features to Enhance Security Across Multi-Cloud Environments

SAN JOSE, Calif., May 18, 2022 /PRNewswire/ — Lacework, the data-driven cloud security company, today announced new features added to the Polygraph® Data Platform which provide enhanced visibility and protection in Kubernetes environments. Through Kubernetes audit log monitoring, integration with the Kubernetes admission controller, and Infrastructure as Code (IaC) security, Lacework customers can now further minimize risks in build time and automate discovery of unusual behavior that could signify cloud account or container compromise. With these new features, Lacework is the only company which can offer automated anomaly detection that provides consistent visibility, context, and security across the entirety of a customer’s multi-cloud environment from a single security platform.

According to Gartner® (1), “by 2026, more than 90% of global organizations will be running containerized applications in production, which is a significant increase from less than 40% today.”

As more organizations leverage container-based application deployment to scale their businesses, they are rapidly adopting Kubernetes to manage containerized workloads. While easier to manage overall, the complexity and sheer size of Kubernetes environments makes it difficult for companies to detect threats, ensure compliance, and efficiently capture relevant security events. Existing security tools and manual procedures aren’t built to secure the Kubernetes attack surface, which slows down agile development and defeats the purpose of using containers. This forces customers to employ additional Kubernetes-specific tools, further slowing down understaffed security teams with additional tool sprawl and alert fatigue. In fact, Red Hat found in its 2021 State of Kubernetes Security Report that more than half of respondents delayed deploying Kubernetes applications into production due to security concerns. Developers need more automated practices to quickly resolve issues and focus on delivering revenue-driving initiatives.

Lacework eliminates this challenge by integrating container security into the Polygraph Data Platform, providing end-to-end, integrated monitoring that enables customers to secure their cloud and Kubernetes environments from build to runtime. By consolidating disparate tools into a single platform, Lacework provides a highly automated solution that empowers organizations to seamlessly integrate security into developer workflows. The new features announced today provide comprehensive visibility, threat detection and alerts, configuration and compliance checks, and vulnerability scans:

Kubernetes Audit Logs Monitoring: A typical Kubernetes environment could include thousands of pods and containers with components constantly being created, shut down, or moved, and generating millions of events daily. This feature enables customers to monitor Kubernetes audit logs and all user and system actions to detect unknown and known threats.

Kubernetes Admission Controller: Through this integration, the Polygraph Data Platform can scan containers for misconfigurations or vulnerabilities prior to deployment on Kubernetes. Customers can use pre-built or customer policies to define the criteria, threshold, and response for a violation.

IaC Security: Using capabilities available following the acquisition of Soluble, Lacework customers can now review Infrastructure as Code prior to deployment to identify and optionally block insecure Kubernetes-related configurations.

“Containerized workloads are already difficult for many security solutions to keep up with because of their ephemeral and constantly changing nature. At scale, it’s impossible for often understaffed security teams to effectively secure these environments,” said Frank Dickson, Group Vice President, Security & Trust research practice, IDC. “Any benefit organizations get from deploying Kubernetes environments is negated by security approaches which don’t provide security teams with the same automation Kubernetes provides to developers.”

“We chose Lacework because it provides a fully integrated platform for cloud security. Before Lacework, we lacked the granularity and depth we needed to assess vulnerabilities due to numerous disparate tools,” said Michael Lyborg, Senior Vice President, Global Information Security & Enterprise IT at Swimlane. “By integrating Lacework and the Swimlane low-code automation platform we automated our container image scans. This has resulted in time savings, better prioritization of work, faster iteration and validation of builds. The integration gave us the ability to retroactively and continuously scan published images so we have a continuous real-time view of risk across our dynamic cloud environment.”

“While so much innovation has focused on helping developers work more efficiently to create revenue-driving initiatives, very little has been applied to the security tools that keep businesses safe, reducing the gains of development teams and ultimately putting organizations at risk,” said Adam Leftik, VP of Product, Lacework. “Security teams are as important as developers in driving revenue for businesses, and these Kubernetes features for the Polygraph Data Platform ensure they can help teams across the business innovate securely and with confidence.”

The Lacework Polygraph Data Platform is the only solution that extends automated anomaly detection across AWS, Google Cloud and now Microsoft Azure and Kubernetes EKS environments. Using accurate, machine learning-based threat detection at scale, the Polygraph Data Platform empowers customers to innovate with confidence.

Kubernetes audit logs monitoring is now available to Lacework customers on AWS EKS in limited availability. The Kubernetes admission controller integration is generally available. Integration with IaC security is available to all Lacework customers.

Additional Resources:

Visit our team at KubeCon EMEA at booth S47 on the show floor.

Check out the Lacework blog to learn more about Kubernetes audit log monitoring, our integration with the Kubernetes admission controller, and IaC security.

Become an expert on security fundamentals and learn more from your security and developer peers through Lacework Academy and the Lacework Community.

Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

For more information about how to join the Lacework team, visit our careers page.

(1) Gartner, “Compute Evolution: VMs, Containers, Serverless — Which to Use When?”,
Refreshed 22 March 2022, Arun Chandrasekaran, Published 1 June 2021,
https://www.gartner.com/document/4002112?ref=TypeAheadSearch

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

About Lacework

Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization’s AWS, Microsoft Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, GV, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

SOURCE Lacework

CISA: Unpatched F5 BIG-IP Devices Under Active Attack

The Cybersecurity Infrastructure and Security Agency (CISA) has issued a warning about active exploits against unpatched F5 Network’s BIG-IP systems. 

A patch for the vulnerability (CVE-2022-1388) was issued on May 4; since then, working proof-of-concept exploits have circulated among cybercriminals, making it easier for even less-skilled attackers to take advantage, CISA explains. 

Along with CISA, the F5 BIG-IP vulnerability alert was issued by the Multi-State Information and Analysis Center (MS-ISAC). Both organizations “strongly urge” administrators to upgrade F5’s BIG-IP systems to a patched version. 

“According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks,” the alert states. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

The Industry Must Better Secure Open Source Code From Threat Actors

Organizations increasingly rely on open source code. Many enjoy the convenience of using open source code to quickly innovate or spin up services without the time-consuming process of developing their own code, but there’s a catch: Open source code can turn into a security nightmare for organizations.

On the eve of 2022, a zero-day vulnerability — Log4j — was exploited by threat actors and placed organizations’ software and Web applications, along with their business-critical data, at an increased risk. What made this attack so far-reaching was that the vulnerability stemmed from widely used open source code.

This points to a broader issue — threat actors rely on subverting open source for malicious purposes. Often, in the case of Log4j and other software such as EspoCRM, Pimcore, and Akaunting, they are able to capitalize on the inherent vulnerabilities associated with this code and remain undetected. As an industry, there is often a belief that vulnerabilities with open source code will be easy to spot, but that isn’t the case — Log4j was put into production in 2013 and nobody noticed any issues until it was already too late.

Open Source Is a Double-Edged Sword
Open source code can be an amazing resource for organizations. At its core, it’s ready-to-use software that enables teams to decrease development time. This speeds innovation and empowers developers to relatively quickly stand up and deploy software. Additionally, this code is supported by a community of developers who volunteer their time. This means that new features can be released and bugs can be fixed by the community with no cost passed on to the developer. It’s this extraordinary benefit that also presents as a security risk.

While there are numerous benefits to utilizing open source code, there also are risks associated with its use. For instance, open source can only be developed based on community involvement. If the community loses interest in the project, or if key individuals get called to work on another project, development will stall. Additionally, bugs may be overlooked as developers assume it’s the community’s responsibility to locate and fix them. While many hands often make light work, this is a common problem with group work that doesn’t have clear processes in place to ensure a consistent product.

There’s also a very common misstep that I see organizations take when it comes to open source. While many of them rely upon open source code, they don’t view the code as their own and often don’t apply the same security controls that they would to their own, natively built code. That means that open source libraries often escape security testing and code reviews, which creates an environment where bugs and security flaws can get baked into a product at a foundational level.

Come Together to Secure Open Source Code
As an industry, there are actions that we can take to better secure our open source code from threat actors. To start, if you’re using a code scanning tool, scan all the open source libraries you’re using. I would also encourage developers to contribute to the project. If enough people get involved, the project owners can institute these security steps themselves. Additionally, always be sure to check what security steps the project follows before using it.

Ensuring that security is built-in upfront will help to ensure that potential vulnerability gaps are closed, and has the added benefit of helping your industry peers who rely on open source.

Address Open Source Concerns With Attacker-Centric Behavioral Analytics
Open source code, and its related vulnerabilities, aren’t going away anytime soon. While government agencies, such as the Federal Trade Commission, have provided guidance to reduce vulnerabilities related to open source, there are additional steps organizations can take to further mitigate any threats.

Vulnerabilities may already be present in your code and organizations cannot solely rely on security teams to find and manage those vulnerabilities. Protection starts with review by their own engineering teams. Additionally, it is important to utilize a solution that will protect your organization from these inherent vulnerabilities and block any attempts to exploit your data. Utilizing attacker-centric behavioral analytics is vital to help your organization mitigate these threats.

Signature-based defenses will often fail at protecting your organization from exploits like Log4j since attacks can be launched in a multitude of ways. Monitoring and detecting suspicious behavior over time will help to identify the various attack patterns so your organization can mount a stronger defense.

If the last two years are any indication, organizations need to be on the lookout for increased cyberattacks. In 2022, I encourage you to start securing your code at the foundational level, and together, work to secure our ubiquitous open source code upon which we so heavily rely.

2022: The Year Zero Trust Becomes Mainstream

Digital transformation, hybrid work, and the shift to the cloud have increased attack surfaces and created new vulnerabilities. Businesses must evolve cybersecurity strategies to protect themselves in today’s threat landscape, as ransomware attacks, data breaches, and software supply chain attacks have become almost daily occurrences.

It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.

Accelerating the Adoption of Zero-Trust Network Access
In today’s age of distributed workforces and multiple devices, we are seeing considerable demand for cloud-based zero-trust and zero-knowledge architecture to store passwords, files, and other confidential information. Zero-trust network access is the only viable solution in a world where the “network perimeter” no longer exists. In addition to securing network connectivity for their distributed workforces, organizations need to ensure that their third-party vendors and business partners can connect to needed network resources securely.

Securing Users Through a Zero-Trust Approach
A zero-trust approach includes strong user and device authentication, role-based access control (RBAC) with least-privilege access, and comprehensive password security, including strong, unique passwords for every user account and multifactor authentication (MFA).

Businesses should require two-factor authentication (2FA) wherever it’s supported, preferably using a time-based one-time password (TOTP) code or a hardware-based FIDO2 key. This way, even if a cybercriminal steals an employee’s password, it’s useless without the second authentication factor. Enforcing these policies, and making them easier for employees to follow, can be accomplished by deploying an enterprise-grade password security platform.

Just one stolen password can bring down tens of thousands, even millions of dollars’ worth of cybersecurity defenses. Password-related cyberattacks are going to keep happening to companies of all sizes, because cybercriminals know that too many organizations play fast and loose with their password security. It is critical to implement a zero-trust network access architecture to include RBAC with least-privilege access and secure access management.

As organizations implement privileged access management (PAM), cybercriminals are looking for the more vulnerable attack vectors in an organization, which are often contractors, new employees, or users who are not very technologically savvy — to then seek privileged escalation. It is therefore imperative that identity security evolves from protecting privileged access to protecting every user and every access device.

Keeping Infrastructure a Secret
Securing human users with zero-trust network access is critically important, but so is securing infrastructure secrets. Over the past years, organizations have been trading on-premises computing for multicloud and hybrid-cloud environments and monolithic applications for modern microservices-based distributed applications. This has resulted in more systems interconnecting and exchanging critical information, often protected by infrastructure secrets such as certificates, database passwords, API keys, and Remote Desktop Protocol (RDP) credentials.

This information unlocks access to highly privileged systems and data, enabling devices and apps to leverage cloud resources and execute sensitive business processes — yet they are often nor managed securely or effectively. For this reason, secrets are prized by cybercriminals for use in highly sophisticated cyberattacks. As an example, among the massive amounts of data stolen during the NVIDIA security breach were code-signing certificates — which threat actors are now using to spread malware in the wild.

Implementing a Comprehensive IT Secrets Management Strategy
As data environments become more complex, and the number of connected devices and apps grows exponentially, organizations need to shore up their IT secrets management. This capability must be integrated with existing DevOps environments and build systems and also with identity and authentication systems.

Organizations can’t afford to take an ad hoc approach to securing data using point solutions. It is important to adopt comprehensive, zero-trust tools and protocols for managing digital authentication credentials to adequately organize and secure their private infrastructure data across user credentials and infrastructure secrets. With modern identity security and access management technology, organizations can dramatically improve their security posture while gaining visibility and control over their critical credentials, secrets, and passwords.

About the Author

DR_KeeperSecurity_SA_5-23-22_headshot.png

Darren Guccione is the CEO and Co-founder of Keeper Security, a top-rated password manager and secure digital vault. Darren is an entrepreneur, tech leader, and serial inventor who is passionate about creating disruptive technologies and finding the intersection between art, science, finance and technology. Darren is an engineer and certified public accountant. In addition to founding Keeper Security, Darren co-founded Callpod, Inc., in 2006 and OnlyWire, LLC, in 2008. He also served as the CFO and co-founder of Apollo Solutions, Inc., which was acquired by CNET Networks (now CBS Interactive).