On July 24, 2024, the USDoD group announced an English-language cybercrime forum, stating that they had obtained and leaked CrowdStrike’s comprehensive threat actor database.
The group provided a link to download the alleged list and shared sample data fields to substantiate their claims.
The leaked information reportedly includes:
Adversary aliases
Adversary status
The last active dates for each adversary
Region/Country of Adversary Origin
Number of targeted industries and countries
Actor type and motivation
The sample data contained “LastActive” dates up to June 2024, while the Falcon portal’s last active dates for some actors extend to July 2024, suggesting the potential timeframe of the data acquisition.
Cyber Press researchers stated that they were able to view some of the documents leaked.
Background on USDoD
USDoD has a history of exaggerating claims, likely to enhance its reputation within hacktivist and eCrime communities.
For example, they previously claimed to have conducted a hack-and-leak operation targeting a professional networking platform, which was later debunked by industry sources as mere web scraping.
Since 2020, USDoD has engaged in both hacktivism and financially motivated breaches, primarily using social engineering tactics.
In recent years, they have focused on high-profile targeted intrusion campaigns and have sought to expand their activities into administering eCrime forums.
USDoD also claimed to possess “two big databases from an oil company and a pharmacy industry (not from the USA).” However, the connection between these claims and the alleged CrowdStrike data acquisition remains unclear.
The potential leak of CrowdStrike’s threat actor database could have significant implications for cybersecurity:
Compromise of ongoing investigations
Exposure of tracking methods for malicious actors
Potential advantage for cybercriminals in evading detection
This story unfolds following a CrowdStrike update that caused Windows machines to experience the Blue Screen of Death (BSOD) error.
CrowdStrike’s Response
CrowdStrike, a leading cybersecurity firm known for its threat intelligence and incident response services, has responded to the claims. The company stated:
“The threat intel data noted in this report is available to tens of thousands of customers, partners, and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”
While USDoD has been involved in legitimate breaches, its credibility in this specific case is questionable.
Their history of exaggeration, the inconsistencies in the leaked data, and CrowdStrike’s response all cast doubt on the authenticity and severity of the claimed leak.
Continuous Threat Exposure Management (CTEM) is an evolving cybersecurity practice focused on identifying, assessing, prioritizing, and addressing security weaknesses and vulnerabilities in an organization’s digital assets and networks continuously. Unlike traditional approaches that might assess threats periodically, CTEM emphasizes a proactive, ongoing process of evaluation and mitigation to adapt to the rapidly changing threat landscape. Here’s a closer look at its key components:
Identification: CTEM starts with the continuous identification of all digital assets within an organization’s environment, including on-premises systems, cloud services, and remote endpoints. It involves understanding what assets exist, where they are located, and their importance to the organization.
Assessment: Regular and ongoing assessments of these assets are conducted to identify vulnerabilities, misconfigurations, and other security weaknesses. This process often utilizes automated scanning tools and threat intelligence to detect issues that could be exploited by attackers.
Prioritization: Not all vulnerabilities pose the same level of risk. CTEM involves prioritizing these weaknesses based on their severity, the value of the affected assets, and the potential impact of an exploit. This helps organizations focus their efforts on the most critical issues first.
Mitigation and Remediation: Once vulnerabilities are identified and prioritized, CTEM focuses on mitigating or remedying these issues. This can involve applying patches, changing configurations, or implementing other security measures to reduce the risk of exploitation.
Continuous Improvement: CTEM is a cyclical process that feeds back into itself. The effectiveness of mitigation efforts is assessed, and the approach is refined over time to improve security posture continuously.
The goal of CTEM is to reduce the “attack surface” of an organization—minimizing the number of vulnerabilities that could be exploited by attackers and thereby reducing the organization’s overall risk. By continuously managing and reducing exposure to threats, organizations can better protect against breaches and cyber attacks.
CTEM VS. ALTERNATIVE APPROACHES
Continuous Threat Exposure Management (CTEM) represents a proactive and ongoing approach to managing cybersecurity risks, distinguishing itself from traditional, more reactive security practices. Understanding the differences between CTEM and alternative approaches can help organizations choose the best strategy for their specific needs and threat landscapes. Let’s compare CTEM with some of these alternative approaches:
1. CTEM VS. PERIODIC SECURITY ASSESSMENTS
Periodic Security Assessments typically involve scheduled audits or evaluations of an organization’s security posture at fixed intervals (e.g., quarterly or annually). This approach may fail to catch new vulnerabilities or threats that emerge between assessments, leaving organizations exposed for potentially long periods.
CTEM, on the other hand, emphasizes continuous monitoring and assessment of threats and vulnerabilities. It ensures that emerging threats can be identified and addressed in near real-time, greatly reducing the window of exposure.
2. CTEM VS. PENETRATION TESTING
Penetration Testing is a targeted approach where security professionals simulate cyber-attacks on a system to identify vulnerabilities. While valuable, penetration tests are typically conducted annually or semi-annually and might not uncover vulnerabilities introduced between tests.
CTEM complements penetration testing by continuously scanning for and identifying vulnerabilities, ensuring that new threats are addressed promptly and not just during the next scheduled test.
3. CTEM VS. INCIDENT RESPONSE PLANNING
Incident Response Planning focuses on preparing for, detecting, responding to, and recovering from cybersecurity incidents. It’s reactive by nature, kicking into gear after an incident has occurred.
CTEM works upstream of incident response by aiming to prevent incidents before they happen through continuous threat and vulnerability management. While incident response is a critical component of a comprehensive cybersecurity strategy, CTEM can reduce the likelihood and impact of incidents occurring in the first place.
4. CTEM VS. TRADITIONAL VULNERABILITY MANAGEMENT
Traditional Vulnerability Management involves identifying, classifying, remediating, and mitigating vulnerabilities within software and hardware. While it can be an ongoing process, it often lacks the continuous, real-time monitoring and prioritization framework of CTEM.
CTEM enhances traditional vulnerability management by integrating it into a continuous cycle that includes real-time detection, prioritization based on current threat intelligence, and immediate action to mitigate risks.
KEY ADVANTAGES OF CTEM
Real-Time Threat Intelligence: CTEM integrates the latest threat intelligence to ensure that the organization’s security measures are always ahead of potential threats.
Automation and Integration: By leveraging automation and integrating various security tools, CTEM can streamline the process of threat and vulnerability management, reducing the time from detection to remediation.
Risk-Based Prioritization: CTEM prioritizes vulnerabilities based on their potential impact on the organization, ensuring that resources are allocated effectively to address the most critical issues first.
CTEM offers a comprehensive and continuous approach to cybersecurity, focusing on reducing exposure to threats in a dynamic and ever-evolving threat landscape. While alternative approaches each have their place within an organization’s overall security strategy, integrating them with CTEM principles can provide a more resilient and responsive defense mechanism against cyber threats.
CTEM IN AWS
Implementing Continuous Threat Exposure Management (CTEM) within an AWS Cloud environment involves leveraging AWS services and tools, alongside third-party solutions and best practices, to continuously identify, assess, prioritize, and remediate vulnerabilities and threats. Here’s a detailed example of how CTEM can be applied in AWS:
1. IDENTIFICATION OF ASSETS
AWS Config: Use AWS Config to continuously monitor and record AWS resource configurations and changes, helping to identify which assets exist in your environment, their configurations, and their interdependencies.
AWS Resource Groups: Organize resources by applications, projects, or environments to simplify management and monitoring.
2. ASSESSMENT
Amazon Inspector: Automatically assess applications for vulnerabilities or deviations from best practices, especially important for EC2 instances and container-based applications.
AWS Security Hub: Aggregates security alerts and findings from various AWS services (like Amazon Inspector, Amazon GuardDuty, and IAM Access Analyzer) and supported third-party solutions to give a comprehensive view of your security and compliance status.
3. PRIORITIZATION
AWS Security Hub: Provides a consolidated view of security alerts and findings rated by severity, allowing you to prioritize issues based on their potential impact on your AWS environment.
Custom Lambda Functions: Create AWS Lambda functions to automate the analysis and prioritization process, using criteria specific to your organization’s risk tolerance and security posture.
4. MITIGATION AND REMEDIATION
AWS Systems Manager Patch Manager: Automate the process of patching managed instances with both security and non-security related updates.
CloudFormation Templates: Use AWS CloudFormation to enforce infrastructure configurations that meet your security standards. Quickly redeploy configurations if deviations are detected.
Amazon EventBridge and AWS Lambda: Automate responses to security findings. For example, if Security Hub detects a critical vulnerability, EventBridge can trigger a Lambda function to isolate affected instances or apply necessary patches.
5. CONTINUOUS IMPROVEMENT
AWS Well-Architected Tool: Regularly review your workloads against AWS best practices to identify areas for improvement.
Feedback Loop: Implement a feedback loop using AWS CloudWatch Logs and Amazon Elasticsearch Service to analyze logs and metrics for security insights, which can inform the continuous improvement of your CTEM processes.
IMPLEMENTING CTEM IN AWS: AN EXAMPLE SCENARIO
Imagine you’re managing a web application hosted on AWS. Here’s how CTEM comes to life:
Identification: Use AWS Config and Resource Groups to maintain an updated inventory of your EC2 instances, RDS databases, and S3 buckets critical to your application.
Assessment: Employ Amazon Inspector to regularly scan your EC2 instances for vulnerabilities and AWS Security Hub to assess your overall security posture across services.
Prioritization: Security Hub alerts you to a critical vulnerability in an EC2 instance running your application backend. It’s flagged as high priority due to its access to sensitive data.
Mitigation and Remediation: You automatically trigger a Lambda function through EventBridge based on the Security Hub finding, which isolates the affected EC2 instance and initiates a patching process via Systems Manager Patch Manager.
Continuous Improvement: Post-incident, you use the AWS Well-Architected Tool to evaluate your architecture. Insights gained lead to the implementation of stricter IAM policies and enhanced monitoring with CloudWatch and Elasticsearch for anomaly detection.
This cycle of identifying, assessing, prioritizing, mitigating, and continuously improving forms the core of CTEM in AWS, helping to ensure that your cloud environment remains secure against evolving threats.
CTEM IN AZURE
Implementing Continuous Threat Exposure Management (CTEM) in Azure involves utilizing a range of Azure services and features designed to continuously identify, assess, prioritize, and mitigate security risks. Below is a step-by-step example illustrating how an organization can apply CTEM principles within the Azure cloud environment:
STEP 1: ASSET IDENTIFICATION AND MANAGEMENT
Azure Resource Graph: Use Azure Resource Graph to query and visualize all resources across your Azure environment. This is crucial for understanding what assets you have, their configurations, and their interrelationships.
Azure Tags: Implement tagging strategies to categorize resources based on sensitivity, department, or environment. This aids in the prioritization process later on.
STEP 2: CONTINUOUS VULNERABILITY ASSESSMENT
Azure Security Center: Enable Azure Security Center (ASC) at the Standard tier to conduct continuous security assessments across your Azure resources. ASC provides security recommendations and assesses your resources for vulnerabilities and misconfigurations.
Azure Defender: Integrated into Azure Security Center, Azure Defender provides advanced threat protection for workloads running in Azure, including virtual machines, databases, and containers.
STEP 3: PRIORITIZATION OF RISKS
ASC Secure Score: Use the Secure Score in Azure Security Center as a metric to prioritize security recommendations based on their potential impact on your environment’s security posture.
Custom Logic with Azure Logic Apps: Develop custom workflows using Azure Logic Apps to prioritize alerts based on your organization’s specific criteria, such as asset sensitivity or compliance requirements.
STEP 4: AUTOMATED REMEDIATION
Azure Automation: Employ Azure Automation to run remediation scripts or configurations management across your Azure VMs and services. This can be used to automatically apply patches, update configurations, or manage access controls in response to identified vulnerabilities.
Azure Logic Apps: Trigger automated workflows in response to security alerts. For example, if Azure Security Center identifies an unprotected data storage, an Azure Logic App can automatically initiate a workflow to apply the necessary encryption settings.
STEP 5: CONTINUOUS MONITORING AND INCIDENT RESPONSE
Azure Monitor: Utilize Azure Monitor to collect, analyze, and act on telemetry data from your Azure resources. This includes logs, metrics, and alerts that can help you detect and respond to threats in real-time.
Azure Sentinel: Deploy Azure Sentinel, a cloud-native SIEM service, for a more comprehensive security information and event management solution. Sentinel can collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
STEP 6: CONTINUOUS IMPROVEMENT AND COMPLIANCE
Azure Policy: Implement Azure Policy to enforce organizational standards and to assess compliance at scale. Continuous evaluation of your configurations against these policies ensures compliance and guides ongoing improvement.
Feedback Loops: Establish feedback loops using the insights gained from Azure Monitor, Azure Security Center, and Azure Sentinel to refine and improve your security posture continuously.
EXAMPLE SCENARIO: SECURING A WEB APPLICATION IN AZURE
Let’s say you’re managing a web application hosted in Azure, utilizing Azure App Service for the web front end, Azure SQL Database for data storage, and Azure Blob Storage for unstructured data.
Identification: You catalog all resources related to the web application using Azure Resource Graph and apply tags based on sensitivity and function.
Assessment: Azure Security Center continuously assesses these resources for vulnerabilities, such as misconfigurations or outdated software.
Prioritization: Based on the Secure Score and custom logic in Azure Logic Apps, you prioritize a detected SQL injection vulnerability in Azure SQL Database as critical.
Mitigation: Azure Automation is triggered to isolate the affected database and apply a patch. Concurrently, Azure Logic Apps notifies the security team and logs the incident for review.
Monitoring: Azure Monitor and Azure Sentinel provide ongoing surveillance, detecting any unusual access patterns or potential breaches.
Improvement: Insights from the incident lead to a review and enhancement of the application’s code and a reinforcement of security policies through Azure Policy to prevent similar vulnerabilities in the future.
By following these steps and utilizing Azure’s comprehensive suite of security tools, organizations can implement an effective CTEM strategy that continuously protects against evolving cyber threats.
IMPLEMENTING CTEM IN CLOUD ENVIRONMENTS LIKE AWS AND AZURE
Implementing Continuous Threat Exposure Management (CTEM) in cloud environments like AWS and Azure involves a series of strategic steps, leveraging each platform’s unique tools and services. The approach combines best practices for security and compliance management, automation, and continuous monitoring. Here’s a guide to get started with CTEM in both AWS and Azure:
COMMON STEPS FOR BOTH AWS AND AZURE
Understand Your Environment
Catalogue your cloud resources and services.
Understand the data flow and dependencies between your cloud assets.
Define Your Security Policies and Objectives
Establish what your security baseline looks like.
Define key compliance requirements and security objectives.
Integrate Continuous Monitoring Tools
Leverage cloud-native tools for threat detection, vulnerability assessment, and compliance monitoring.
Integrate third-party security tools if necessary for enhanced capabilities.
Automate Security Responses
Implement automated responses to common threats and vulnerabilities.
Use cloud services to automate patch management and configuration adjustments.
Continuously Assess and Refine
Regularly review security policies and controls.
Adjust based on new threats, technological advancements, and changes in the business environment.
IMPLEMENTING CTEM IN AWS
Enable AWS Security Services
Utilize AWS Security Hub for a comprehensive view of your security state and to centralize and prioritize security alerts.
Use Amazon Inspector for automated security assessments to help find vulnerabilities or deviations from best practices.
Implement AWS Config to continuously monitor and record AWS resource configurations.
Automate Response with AWS Lambda
Use AWS Lambda to automate responses to security findings, such as isolating compromised instances or automatically patching vulnerabilities.
Leverage Amazon CloudWatch
Employ CloudWatch for monitoring and alerting based on specific metrics or logs that indicate potential security threats.
IMPLEMENTING CTEM IN AZURE
Utilize Azure Security Tools
Activate Azure Security Center for continuous assessment and security recommendations. Use its advanced threat protection features to detect and mitigate threats.
Implement Azure Sentinel for SIEM (Security Information and Event Management) capabilities, integrating it with other Azure services for a comprehensive security analysis and threat detection.
Automate with Azure Logic Apps
Use Azure Logic Apps to automate responses to security alerts, such as sending notifications or triggering remediation processes.
Monitor with Azure Monitor
Leverage Azure Monitor to collect, analyze, and act on telemetry data from your Azure and on-premises environments, helping you detect and respond to threats in real-time.
BEST PRACTICES FOR BOTH ENVIRONMENTS
Continuous Compliance: Use policy-as-code to enforce and automate compliance standards across your cloud environments.
Identity and Access Management (IAM): Implement strict IAM policies to ensure least privilege access and utilize multi-factor authentication (MFA) for enhanced security.
Encrypt Data: Ensure data at rest and in transit is encrypted using the cloud providers’ encryption capabilities.
Educate Your Team: Regularly train your team on the latest cloud security best practices and the specific tools and services you are using.
Implementing CTEM in AWS and Azure requires a deep understanding of each cloud environment’s unique features and capabilities. By leveraging the right mix of tools and services, organizations can create a robust security posture that continuously identifies, assesses, and mitigates threats.
With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are completely confident in their cybersecurity skills, while 21% have no confidence at all. Given that 74% of data breaches are caused by human error, it is crucial that upskilling practices are in place.
One of the best ways to develop the necessary skills is through hands-on learning which allows employees to practice in a low-risk environment and better understand the methods used by cyber-attackers. This kind of experience is vital for security teams to be able to anticipate threats and capably protect the business.
The importance of testing security teams’ skills
Automated defense technologies are highly effective for commodity threats – those which are based on programs that are readily available and require no customization to launch an attack. But integrating AI/ML capabilities into security operations can generate a false sense of security. Attackers can still create the exact same program with millions of different file hashes or apply human ingenuity to evade known defenses.
Anti-virus is built on a massive signature-database-shaped house of cards that easily crumbles by changing text within programs. The same applies for network signatures, endpoint detection and response. There are certain behaviors that traditional defense technologies focus on, but ultimately, malware is just software. The more it can blend into common software activity, the less likely it is that an attack will be detected. And this is easier than it seems.
Security teams need easily replicable techniques to emulate threat scenarios to test their defense skills against the skill level of cyber-attackers. Testing is how businesses find out the cybersecurity teams’ skill level without waiting for a breach.
At least yearly, there should be a full red team assessment; the red team is made up of offensive security professionals whose role is to exploit the company’s vulnerabilities and overcome cybersecurity controls. But given attackers always operate in real time, there should be a weekly exercise for individual tactics, techniques and procedures (TTPs).
Start with the basics
Even the most advanced cyberattacks leverage basic techniques that have been around for years. Businesses need to focus on fully leveraging the tools they have to detect even the most basic of techniques and then move their way up to more advanced techniques from there. That will remove the most common threat from the equation first. This allows them time to identify and build the expertise and infrastructure required to be mature enough to defend against the most advanced or dangerous threats.
Anticipate the risk by using threat simulation learning models
One example of such an exercise is a blue team friendly attack simulation. The blue team here refers to security experts who are aware of the organization’s objectives and security strategy and are trying to defend and respond to attacks performed by the red team. One group poses as the opposing force, or in this case, cyber criminals, while testing the ability of the defenders to detect and protect against such attacks.
However, these types of simulations are performed on extensive cyber ranges that take a lot of time and effort to create, and don’t always accurately reflect the enterprise environment. In addition, it requires security teams to take several days off to play through the exercise. The quality of these simulations depends on the team that developed it and the complexity of the available cyber range resources. The rapid evolution of threats means that the work cyber teams do can have a short shelf life, as does the ability to properly prepare defenders.
Defenders need to be able to rapidly test against new tactics and techniques in their everyday environment. This allows them to quickly check the efficacy of their monitoring tools, as well as their people and processes, on an ongoing basis, that is accurate to current threats. This is important to the concept of ‘becoming the threat’. What cybersecurity teams really need is the ability to test individual tactics in their organization’s live environment, without the overhead of a full red team exercise.
Hone skills and build confidence through hands-on learning
Simulations are a good way to understand how to best defend and respond against different attacks and determine whether employees need to upskill. At its basic level, if the blue team wins, they can be confident when it comes to a cybersecurity threat. But if they lose, the organization still has work to improve their defense strategy.
When simulating various TTPs, you can categories them two ways. First by level of expertise required to perform the specific attack. Second, by the area, or type of data in which the attack should be detected.
The concept of defense in depth is that even if you miss one component of an attack, you can ideally catch others so that you can prevent the attackers achieving their goal. Measurement is based on the time it takes for a team to detect and respond to a particular TTP once launched, by category of the technique. Skill, process, and technology gaps can then be mapped by identifying where response times were low, or there was no response time at all.
Up to date skills central to staying ahead of the hackers
Cyber teams play a constant cat and mouse game to keep up with the evolving threat landscape. However, organizations can adopt specific practices to ensure teams have built in skills to defend against cyber-attacks and protect the business.
Providing employees with first-hand experiences of how a cyber-attack plays out can break down the barrier between the defender and the attacker to better understand the threat and anticipate the risks. This type of learning pathway is crucial for an organization who needs to know how well equipped their teams are for when a cyber-attack inevitably occurs. Only then can decisions be made to fill skills gaps with additional training or if their current level of expertise is enough to protect the business.
When it comes to cyber-attacks, security teams must act extremely quickly to minimize the impact in stressful environments. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages.
Identity isn’t a security problem — it’s the security problem.
This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.
The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.
CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.
“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area
Identity Is the New Perimeter
Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said.
With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.
Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.
Below are nine use cases for the identity protection capability, in his own words.
1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.
2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.
3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.
“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”
4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.
5.We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.
6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.
“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”
7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.
8.We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.
9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.
“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”
The field of cybersecurity is rife with acronyms. From AES to VPN, these technical alphabet soup terms have been part of the knowledge of not only cybersecurity experts but also organizations that are planning to buy security solutions or implement security technologies.
Enterprise Strategy Group (ESG) has released its 2023 Technology Spending Intentions Survey, and it includes four terms those concerned with cybersecurity need to be acquainted with. Not all of them are new, but it is advisable to be familiar with them, as they are expected to be important areas of cybersecurity spending in 2023.
XDR – Extended Detection and Response
Extended Detection and Response (XDR) is an approach in cybersecurity characterized by unified and integrated data visibility. It was developed in response to the rapidly evolving nature and increasing volumes of cyber threats by allowing organizations to proactively defend themselves with the full awareness of multiple attack vectors.
Markets and Markets project that the XDR market size will reach $2.4 billion by 2027, expanding at a CAGR of 19.1 percent for the period 2022 to 2027. Other estimates put the CAGR at over 20 percent, reflecting the increased internet in this cybersecurity approach in view of the rapidly evolving nature of the threat landscape.
One of the biggest cybersecurity challenges XDR addresses is the overwhelming amounts of security data organizations have to deal with. Security visibility is all about having information about attack surfaces and security events, which have become massive nowadays because of the number of new devices and technologies. However, the abundance of data can also pose a problem, as it hampers the prompt response to crucial alerts because of inefficient data handling. It is common for organizations to use disjointed tools that generate huge amounts of data including false positives and less important alerts. Organizations have a hard time going over all of the data, prioritizing them, and responding to each and every one of them.
XDR addresses this problem by unifying various disjointed security tools under a common dashboard, which makes it easy to view and analyze data from different sources. Also, XDR enables scalable automated responses to address simple security events, which comprise most of the security alerts. This frees up significant time for human security analysts so they can focus on more important concerns.
MXDR – Managed Detection and Response
MXDR refers to the combination of XDR and Managed Detection and Response (MDR). It is a new term used to encapsulate the setup wherein organizations purchase cybersecurity products that provide advanced functions for them to tinker with while having the advantage of not worrying about settings and the optimal use of available features and functions.
XDR is a cybersecurity product that can be obtained in full from a single vendor. MDR, on the other hand, is a cybersecurity solution managed by a third-party provider. Both have advantages and drawbacks, and organizations are not limited to just one or the other. In 2023, innovative solutions that embody the MXDR concept are set to gain traction or at least have improved awareness among customers.
ESG Research suggests that MXDR will be a popular option and not just a mere concept that brings together the benefits of XDR and MDR. A significant 34 percent of the organizations surveyed by ESG said that if they were to choose an MDR vendor, they would go for one that is primarily focused on XDR.
This is not surprising given that many cybersecurity professionals tend to be keen on being hands-on with the systems they are using. However, the reality is that the cybersecurity skills shortage continues to be a problem. The limited cybersecurity experts overseeing an organization’s security posture do not have the luxury of being too meticulous and involved in all aspects of their security operations. They could use some support from managed services.
DRs
This is not an actual cybersecurity term but a portion common among multiple acronyms like Endpoint Detection and Response (EDR) and Cloud Detection and Response (CDR). Essentially, these are “more DRs.”
While XDR is a reliable approach to defending organizations from various cyber threats, it is not a magical tool capable of addressing all kinds of attacks. It is far from perfect, and there will be instances when organizations would have to employ other solutions to fortify their security posture.
XDR brings together different “detection and response” solutions to achieve more efficient handling of security data and events. It maximizes the real-time functionality of EDR and the network traffic analysis strengths of NDR (Network Detection and Response). However, XDR may not have everything it needs to address emerging threats. There will come a time for new approaches such as Data Detection and Response and Identity Detection and Response to be incorporated into an organization’s security posture
XDR is not a fixed cybersecurity approach. It can continue integrating other DRs the way it did with EDR and NDR. However, its existence does not prevent the rise of other possibly more advanced DR technologies that are more attuned to specific emerging threats in 2023 and beyond.
SBOM
SBOM refers to the Software Bill of Materials. The United States Cybersecurity and Infrastructure Security Agency (CISA) defines this as “a nested inventory, a list of ingredients that make up software components.” It is regarded as a key component in software security and the management of risks in the software supply chain.
SBOM gained prominence when it was mentioned in the 2021 Executive Order of the United States President regarding the need to enhance software supply chain security in response to major cyber attacks that targeted the software supply chain. This was around the time when the SolarWinds attack was made known.
The software bill of materials is not a specific cybersecurity product or technology, but it is a crucial part of the application security and attack surface management discussion. With the surge in open-source software use and cloud-native application development, it becomes more important than ever to pay attention to SBOM to enable community engagement and development.
By now, it should be clear that cybersecurity is best undertaken as a global collaborative endeavor. It would be extremely difficult to secure the software supply chain when there is no transparency of software components. The knowledge of these software components allows everyone to examine and detect potential security issues and resolve them before threat actors get to exploit them.
Some say that the cybersecurity industry is one of the biggest offenders when it comes to introducing gimmicky acronyms and terms. This is not enough reason, though, to ignore or downplay important terms and concepts that address actual problems and bolster the cyber defense.
The field of cybersecurity is rife with acronyms. From AES to VPN, these technical alphabet soup terms have been part of the knowledge of not only cybersecurity experts but also organizations that are planning to buy security solutions or implement security technologies.
Enterprise Strategy Group (ESG) has released its 2023 Technology Spending Intentions Survey, and it includes four terms those concerned with cybersecurity need to be acquainted with. Not all of them are new, but it is advisable to be familiar with them, as they are expected to be important areas of cybersecurity spending in 2023.
An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.
While analyzing the shellcode of GuLoader, a brand-new anti-analysis technique was discovered by CrowdStrike through which researchers would be able to identify if the malware is operating in an adversarial environment or not. While this is done by examining the whole process memory for any VM-related strings.
Evolution of GuLoader Malware
On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans like AgentTesla, FormBook, Nanocore, NETWIRE, Remcos, and the Parallax RAT using the VBS downloader.
GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems.
It has also been distributed through other channels, such as exploit kits and hacked websites. While it has evolved over time and has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.
A strong anti-analysis technique was also deployed by GuLoader in order to avoid detection in order to remain undetected.
GuLoader exhibits a three-stage process, the VBScript script will first inject the shellcode embedded within it into the memory, then the next stage of the process will execute anti-analysis checks that will protect the code from being analyzed.
Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.
Detecting breakpoints used for code analysis is done with anti-debugging and anti-disassembling checks in the malware.
There is also a redundant code injection mechanism that can be used to avoid the use of a NTDLL.dll hook that is commonly used by antivirus programs and EDRs.
In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking.
Anti-Analysis Techniques
Here below we have mentioned the anti-analysis techniques used:-
Anti-Debugging
Anti-Virtual Machine
Process Hollowing
It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.
Here are eight top security threats that IT is likely to see in 2023.
Top 8 security threats for next year
1. Malware
Malware is malicious software that is injected into networks and systems with the intention of causing disruption to computers, servers, workstations and networks. Malware can extract confidential information, deny service and gain access to systems.
IT departments use security software and firewalls to monitor and intercept malware before it gains entry to networks and systems, but malware bad actors continue to evolve ways to elude these defenses. That makes maintaining current updates to security software and firewalls essential.
2. Ransomware
Ransomware is a type of malware. It blocks access to a system or threatens to publish proprietary information. Ransomware perpetrators demand that their victim companies pay them cash ransoms to unlock systems or return information.
So far in 2022, ransomware attacks on companies are 33% higher than they were in 2021. Many companies agree to pay ransoms to get their systems back, only to be hit again by the same ransomware perpetrators.
Ransomware attacks are costly. They can damage company reputations. Many times ransomware can enter a corporate network through a channel that is open with a vendor or a supplier that has weaker security on its network.
One step companies can take is to audit the security measures that their suppliers and vendors use to ensure that the end-to-end supply chain is secure.
3. Phishing
Almost everyone has received a suspicious email, or worse yet, an email that appears to be legitimate and from a trusted party but isn’t. This email trickery is known as phishing.
Phishing is a major threat to companies because it is easy for unsuspecting employees to open bogus emails and unleash viruses. Employee training on how to recognize phony emails, report them and never open them can really help. IT should team with HR to ensure that sound email habits are taught.
4. IoT
In 2020, 61% of companies were using IoT, and this percentage only continues to increase. With the expansion of IoT, security risks also grow. IoT vendors are notorious for implementing little to no security on their devices. IT can combat this threat by vetting IoT vendors upfront in the RFP process for security and by resetting IoT security defaults on devices so they conform to corporate standards.
If your organization is looking for more guidance on IoT security, the experts at TechRepublic Premium have put together an ebook for IT leaders that is filled with what to look out for and strategies to deal with threats.
5. Internal employees
Disgruntled employees can sabotage networks or make off with intellectual property and proprietary information, and employees who practice poor security habits can inadvertently share passwords and leave equipment unprotected. This is why there has been an uptick in the number of companies that use social engineering audits to check how well employee security policies and procedures are working. In 2023, social engineering audits will continue to be used so IT can check the robustness of its workforce security policies and practices.
6. Data poisoning
An IBM 2022 study found that 35% of companies were using AI in their business and 42% were exploring it. Artificial intelligence is going to open up new possibilities for companies in every industry. Unfortunately, the bad actors know this, too.
Cases of data poisoning in AI systems have started to appear. In a data poisoning, a malicious actor finds a way to inject corrupted data into an AI system that will skew the results of an AI inquiry, potentially returning an AI result to company decision makers that is false.
Data poisoning is a new attack vector into corporate systems. One way to protect against it is to continuously monitor your AI results. If you suddenly see a system trending significantly away from what it has revealed in the past, it’s time to look at the integrity of the data.
7. New technology
Organizations are adopting new technology like biometrics. These technologies yield enormous benefits, but they also introduce new security risks since IT has limited experience with them. One step IT can take is to carefully vet each new technology and its vendors before signing a purchase agreement.
8. Multi-layer security
How much security is enough? If you’ve firewalled your network, installed security monitoring and interception software, secured your servers, issued multi-factor identification sign-ons to employees and implemented data encryption, but you forgot to lock physical facilities containing servers or to install the latest security updates on smartphones, are you covered?
There are many layers of security that IT must batten down and monitor. IT can tighten up security by creating a checklist for every security breach point in a workflow.
While knowing full well that human lives may be at stake, criminal gangs have been increasingly targeting the healthcare sector with high-impact attacks like ransomware.
1. Tighten up email security
Healthcare providers should set up numerous layers of defense for a variety of email-borne threats. A good email security solution should be the first layer but will only be effective if it is able to detect multiple malicious signals (malicious IPs, suspicious URLs, hidden malware files, etc.).
Training staff to recognize malicious emails can be useful, but personnel should not bear the brunt of responsibility when it comes to catching signs of attack. Instead, training should focus on the importance of proper policies, such as confirming payments and transfers with a second channel outside of email.
2. Follow best practice for passwords and credentials
Obtaining login credentials is a primary goal in most cyberattacks, and many threat actors now specialize in selling information on to others. Investigations by the Trustwave SpiderLabs team found a large quantity of stolen login credentials and browser sessions enabling access to healthcare facilities advertised on dark web markets.
In addition to following best practices around phishing emails, all employees should be using complex passwords that can’t be easily guessed. When storing passwords, organizations must make sure to use modern and robust password hashing algorithms. Two-factor authentication should also be implemented across the organization as a priority (Note: SMS 2FA should not be considered secure).
3. Improve cyber security awareness
While the responsibility of spotting and stopping cyberattacks should not rest on ordinary healthcare personnel, a well-trained workforce can make a real difference in averting disaster. Attackers will be counting on healthcare staff being too busy and focused on supporting their patients to concentrate on security.
Security training is often limited to a few one-off PowerPoint-driven seminars, but this will do little to increase awareness. Healthcare providers should instead consider more in-depth exercises that replicate serious incidents such as ransomware attacks. This will help decision makers to gain experience in making snap decisions under pressure, better equipping them for when a real crisis looms.
4. Prepare for ransomware attacks
Ransomware is a threat to all sectors, but healthcare is particularly vulnerable to its disruptive effects. A paralyzed IT network will mean more than lost data or productivity – human lives may be on the line if data and equipment are locked down. Callous criminals are counting on healthcare providers caving and paying up to restore systems quickly. Further, attackers increasingly exfiltrate data to pile on more pressure and secure additional profits from dark web buyers.
A strong email security system will stop most malicious emails, but not all – and organizations should be prepared for that. Effective managed detection and response (MDR) capabilities, backed by a skilled team of threat hunters, will help identify and stop ransomware quickly to reduce its impact. A managed security service provider (MSSP) is one of the most affordable ways of acquiring these capabilities on a limited budget.
5. Secure extended IoT networks
Internet of Things (IoT)-enabled equipment has been hugely beneficial in enabling healthcare providers to automate and facilitate remote working. But if not properly monitored and patched, these connected devices can also provide threat actors with an easy attack path.
Hospitals are likely to have hundreds of devices deployed across their facilities, so keeping them all updated and patched can be an extremely resource-heavy task. Many health providers also struggle to accommodate the required downtime to update vital equipment.
Automating device discovery and update processes will make it easier to keep devices secured. Providers should also vet future purchases to ensure they have key security functionality and are accessible for maintenance and updates.
6. Understand supply chain risks
Healthcare providers sit in the center of extremely large and complex supply networks. Suppliers for medical materials, consultants, hardware, and facilities maintenance are just a few examples, alongside a growing number of digital services.
These suppliers often have a large degree of network connectivity or access to data, making them a prime target for threat actors seeking a way into the healthcare provider’s network. Organizations can also become the victim of a second-hand breach if a firm trusted to host or manage their data is attacked.
Supply chain risk can be reduced by vetting the security level of all third-party connections. This can be achieved without invasive network scans through publicly available information such as DNS server configurations and the presence of insecure ports open to the internet (e.g., MS-TERM-SERV, SMB, etc.).
7. Test out your preparations
Security is never a one-and-done affair. Even if the right solutions are in place, the workforce has been well-trained and processes are watertight, it is important to continually test defenses and look for ways to improve them.
Regular vulnerability scans are essential for keeping up with the shifting IT and cyber threat landscape. Application and network penetration tests will take things a step further by leveraging the ingenuity of experienced security personnel to look for a crack that can be found and exploited.
Larger healthcare providers such as hospitals may also consider physical penetration tests to determine if their facility’s IT infrastructure is vulnerable to an intruder on their grounds.
Defending against healthcare threats: Preparation is everything
Hospitals and other frontline healthcare providers are used to dealing with medical emergencies. Personnel have the equipment and processes they need in place, and they have the training to adopt the cool head needed to handle a crisis.
As attackers continue to target the sector, the same level of preparation is increasingly essential for cyber threats.
Criminal gangs are counting on budget cuts and staffing shortages to leave healthcare organizations vulnerable to their attacks. By focusing on these seven steps, providers will be able to present a hardened target that sends these callous opportunists in search of easier prey.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage to digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than they were in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What The Public Sector Can Do to Stay Ahead?
Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security in the public sector, you have to create a culture of cybersecurity within your organizations, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
Conclusion
The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.
This isn’t to suggest that old technologies are more reliable, however. Like antivirus software, the virus definitions must be continually updated for the software to remain effective. The public sector needs to stay on the cutting edge of best practices.
The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.
In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.
But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.
An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.
Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.
While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.
Distributed Denial of Service (DDoS) Attacks
A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in quarter four of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.
DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.
DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.
Nation-State Sponsored Cyber Attacks
With mainstream media daily broadcasting events as they are occurring to every channel imaginable (cable TV, smartphones, social media, etc.) cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even cyber-sabotage targets.
Nation-state-sponsored cyber attacks aim to
Hinder communication
Gather intelligence
Steal intellectual property
Damage to digital and physical infrastructure
They are even used for financial gain.
Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.
Ransomware
Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.
Rewind to 2019 when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers to $7.5 billion (Emsisoft).
These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.
The threat of ransomware attacks still looms today and is no less a concern in 2022 than they were in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.
What The Public Sector Can Do to Stay Ahead?
Beyond taking full advantage of the latest tech, for the public sector to stay ahead of cyber security in the public sector, you have to create a culture of cybersecurity within your organizations, offering ongoing training to their teams.
You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.
As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.
Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.
Just Look out for the Humans
But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.
Humans: The Biggest Cyber Security Threats
When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?
But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.
Verizon’s latest 2022 Data Breach Investigation Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.
This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.
Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.
Here’s a breakdown of the leading issues:
Credential problems account for nearly 50% of non-error, non-misuse breaches
Phishing accounts for nearly 20% of breaches
Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
Vulnerability exploits account for less than 10% of attacks
The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.
3 Types of Internal Threats
The biggest security threat is humans, who make up your team. The majority are innocent, or at the very least well-meaning. But there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.
These are the three types of internal threats to be aware of:
Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
Malicious. The occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.
How To Prevent the Biggest Cyber Security Attacks
It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.
So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.
Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.
Naturally, this will mean investing in training. These are the key topics that should be addressed:
Password management
Phishing attacks, how they work, how to avoid them
Encryption and digital signing
Authentication
Creating backups
Best practices in sending personal or sensitive information
Account access and privileges as well as oversight and management
Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.
Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers shipped with over 1.5 million vehicles can allow hackers to remotely hack them.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.
An attacker can exploit the flaws to remote disruption of critical functions of the impacted vehicles.
“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”
The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.
The flaws were discovered by BitSight researchers, they have been tracked as CVE-2022-2107; CVE-2022-2141; CVE-2022-2199; CVE-2022-34150; and CVE-2022-33944.
Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.
MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.
CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
Experts found a sixth issued that has yet to receive a CVE (CVSS score: 8.1) – all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password nor is there any claiming process. The setup itself does not require a password change to use the device. We observed that many users have never changed their passwords.
The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.
BitSight recommends users immediately cease using or disable any MiCODUS MV720 GPS trackers due to the severity of the flaw, at least until the vendor will address the issues.
“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”
Researchers highlighted the risks that a nation-state actor could potentially exploit the above vulnerabilities to gather intelligence on entities operating in the military or one of its supplies. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws-
“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”
These days security of car is very essential. Thieves are finding more ways of stealing cars and other four wheeler vehicles. In this book we have given details about the anti-theft system which will help to car owners to secure their cars. This system is efficient and affordable. This system gives more advantages than other anti-theft system. Main feature of this system is that owner will gate information if the car is being stolen and the location of car (longitude and altitude).
Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection.
Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.
The attackers used online storage services to exfiltrate data and drops their malicious payloads.
The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.
“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” reads the analysis published by Palo Alto Network. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”
The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.
EnvyScout is a tool that is used to further infect the target with the other implants. Threat actors used it to deobfuscate the contents of a second state malware, which is in the form of a malicious ISO file. This technique is known as HTML Smuggling.
A threat hunting activity based on the analysis of the creation time of the phishing message, producer and PDF version metadata in the sample analyzed by Palo Alto Networks, allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.
“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents.” continues the report.
The file Agenda.html employed in the attack was used to deobfuscate a payload, and also for writing a malicious ISO file to the victim’s hard drive. The payload file is an ISO file named Agenda.iso.
Once the ISO has been downloaded, the user has to click it to start the infection chain and execute the malicious code on the target system. The user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to launch the infection process.
“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.” concludes the report
I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.
Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.
ENISA aims at building on its expertise and enhancing this activity so that its stakeholders receive relevant and timely information for policy-creation, decision-making and applying security measures, as well as in increasing knowledge and information for specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.
The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges. Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative. ENISA seeks to provide targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes, supported through a clear and publicly available methodology.
By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered as examples.
Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
Sectorial threat landscape, such as the ENISA 5G Threat Landscape, focuses on a specific sector. A sectorial threat landscape provides more focused information for a particular constituent or target group.
Recognising the significance of systematically and methodologically reporting on the threat landscape, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes2 (CTL WG) consisting of experts from European and international public and private sector entities.
The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL).
You can download the ENISA Threat Landscape Methodology here:
When CISOs, CIOs, CTOs, security engineers, security analysts and security architects were asked to rank the primary capabilities of a traditional SIEM according to how satisfied they were with those capabilities, an interesting picture emerged. The survey results indicated that every primary capability of traditional SIEM solutions, at best, only somewhat met the majority of users’ needs. Some capabilities were irrelevant to many users. This tepid level of satisfaction is what drove many security teams to undertake the effort to build their own security monitoring tools.
Data Coverage and Data Use
Less than 25% of the respondents believed that their SIEM covered more than 75% of their security-relevant data. Nearly 17% responded that their existing platform covered less than a quarter of their data.
Furthermore, when asked if they believed their current SIEM platform were capable of handling the volume of security data their organization will generate in the future, a third of the respondents said they expected their existing platform to keep falling behind.
These results underscore the risks security teams (and their organizations) are forced to tolerate due to the cost and overhead required to bring high volumes of security-relevant data into traditional SIEM platforms. Without full visibility into all necessary data, security teams will undoubtedly have blind spots that impede their ability to protect their organizations.
OK, so what can they do instead? Well, a cloud-native architecture capable of ingesting, normalizing and analyzing terabytes of data per day cost-effectively is necessary to keep up.
Moving From Static to Dynamic
Security professionals are well aware of the static nature of traditional SIEM platforms. Many believe they pay too much for the capabilities provided and are concerned about what the future holds.
SIEMs were designed over ten years ago when the world was a very different place. The technology hasn’t evolved its approach to keep up with the needs of cloud-scale environments. Adequate security today depends on full visibility into security-relevant data, structured, scalable data lakes, cloud-native workflows and fast detection and response times. Security teams need a modern approach to security monitoring built for the cloud-first world.
The FBI warned US organizations and individuals are being increasingly targeted in BECattacks on virtual meeting platforms
The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.
Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests
Cybercriminals are targeting organizations of any size and individuals, in BEC attack scenarios attackers pose as someone that the targets trust in, such as business partners, CEO, executives, and service providers.
Scammers use to compromise legitimate business or personal email accounts through different means, such as social engineering or computer intrusion to conduct unauthorized transfers of funds.
Crooks started using virtual meeting platforms due to the popularity they have reached during the pandemic.
The Public Service Announcement published by FBI warns of a new technique adopted by scammers that are using virtual meeting platforms to provide instructions to the victims to send unauthorized transfers of funds to fraudulent accounts.
“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.
Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.
Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:
Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake1” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.
Below are recommendations provided by the FBI:
Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
Use secondary channels or two-factor authentication to verify requests for changes in account information.
Ensure the URL in emails is associated with the business/individual it claims to be from.
Be alert to hyperlinks that may contain misspellings of the actual domain name.
Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
Threat intelligence feeds are a critical part of modern cybersecurity. Widely available online, these feeds record and track IP addresses and URLs that are associated with phishing scams, malware, bots, trojans, adware, spyware, ransomware and more. Open source threat intelligence feeds can be extremely valuable—if you use the right ones. While these collections are plentiful, there are some that are better than others. Being an actively updated database doesn’t guarantee that it is a highly reliable or detailed one either, as some of the best online haven’t necessarily been updated in a few months.
We will try to keep our own tally of some of the better open source threat intelligence feeds below, regularly updating it with new feeds and more details about each one. A share of the entries will be managed by private companies that have premium, or at least closed-source, offerings as well. This list is meant to cover free and open source security feed options.
Developed and offered by Proofpoint in both open source and a premium version, The Emerging Threats Intelligence feed (ET) is one of the highest rated threat intelligence feeds. ET classifies IP addresses and domain addresses associated with malicious activity online and tracks recent activity by either. The feed maintains 40 different categories for IPs and URLs, as well as a constantly updated confidence score.
This being backed by the Federal Bureau of Investigation definitely gives it some clout. It’s actually a collaboration between the FBI and the private sector, with its information freely available to private companies and public sector institutions to keep appraised on threats relevant to 16 specific categories of infrastructure identified by the Cybersecurity and Infrastructure Security Agency (a department of the US Department for Homeland Security). Sectors include energy and nuclear power, communications, chemicals, agriculture, healthcare, IT, transportation, emergency services, water and dams, as well as manufacturing and financial.
Dan is a collection of 10 tools that together report on IP and domain information. It includes info on IP subnets, the TOR status of IP addresses, DNS blacklists, IP address checking for autonomous systems, and node lists.
The CINS Score is supported by Sentinel. Like ET’s confidence score, the CINS Score rates IP addresses according to their trustworthiness. They add data about suspected or confirmed attacks from those IPs in the form of frequency, nature and breadth. They also try to create ‘personas’ around the sorts of attacks those IPs are tied to: scanning, network or remote desktop vulnerabilities, malware bots, or command-and-control servers.
Blocklist.de pays attention to server attacks from SSH, FTP, email and webserver sources. Their site claims to report an average of 70,000 attacks every 12 hours using a combo of the abusix.org database, Ripe-Abuse-Finder, and Whois information.
hpHosts is a searchable database and hosts file that is community managed. While it was last updated in August 2019, it is considered one of the more reliable data stores of malicious IPs online. It can also be sorted by PSH and FSA-only.
AlienVault Open Threat Exchange (OTX) is the company’s free, community-based project to monitor and rank IPs by reputation. It generates alert feeds called “pulses,” which can be manually entered into the system, to index attacks by various malware sources. While some pulses are generated by the community, AlienVault creates its own as well that automatically subscribes all OTX’s users. Most pulses are automatically API-generated and submitted via the OTX Python SDK. This example, SSH bruteforce logs 2016-06-09, shows the indicators, geoip of the attacks, and a full list of the IPs used. It also links to reports in other pulses that include the same IPs.
This abuse.ch offering focuses on botnets and command-and-control infrastructure (C&C). The blocklist is an amalgamation of several minor blocklists with attention paid to Heodo and Dridex malware bots. There were 5,374 entries as of 03-03-2020.
Of course, the name itself is a direct response to an older trojan virus called Feodo, which was a successor to the Cridex e-banking trojan. (to which both Dridex and Heodo both trace their source code). Feodo Tracker also tracks an associative malware bot, TrickBot.
The first of two projects from Swiss website abuse.ch, URLhaus is a depository of malicious domains tied to distributing malware. The database can be accessed via a URLhaus API, allowing you to download CSV collections of flagged URLs, those site’s respective statuses, the type of threat associated with them, and more. Ready-made downloads include periods of recent additions (going back 30 days), or all active URLs.
The full URLhaus dataset—as updated every 5 minutes—is automatically and immediately available for CSV download. It also includes a ruleset suited for use in Suricata or Snort. URLhaus also offers a DNS firewall dataset that includes all marked URLs for blocking.
Threat actors are actively exploiting public cloud services from Amazon and Microsoft to spread RATs such as Nanocore, Netwire, and AsyncRAT used to steal sensitive information from compromised systems.
The malware campaign was spotted by Cisco Talos in October 2021, most of the victims were located in the United States, Italy and Singapore.
Threat actors leverages cloud services like Azure and AWS because they can be easily set up with minimal efforts making it more difficult for defenders to detect and mitigate the campaigns.
The attackers used complex obfuscation techniques in the downloader script.
The attack chains starts with a phishing email using a malicious ZIP attachment that contain an ISO image with a loader in the form of JavaScript, a Windows batch file or Visual Basic script. Upon executing the initial script, the victim’s machine download the next stage from the C2 server, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.
“To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.” reads the analysis published by Talos. “Organizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate increasing usage of popular cloud platforms for hosting malicious infrastructure.”
Once installed the malware on the target system, it can be used to steal confidential data or to deliver additional payloads such as ransomware attacks. Threat actors can also sell the access to other cybercrime gangs, including ransomware affiliates.
“Organizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.” concludes the report that also includes Indicators of Compromise (IoCs).
These are the results of a new research report by Positive Technologies, analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021.
The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.
During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.
“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.
“In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.
Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.
An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to our research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because of simple passwords used, including for accounts used for system administration.
Microservices Security in Action: Design secure network and API endpoint security for Microservices applications
Security expert from Morphus Labs recently observed several malicious campaigns abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.
MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software to deliver malware using callbacks.
Morphus Labs security researcher and SANS Internet Storm Center (ISC) handler Renato Marinho revealed to have uncovered two different malicious campaigns that were abusing MSBuild for code execution.
The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike payload.
“Now, let’s look at the malicious MSBuild project file in Figure 3. Using the same principle, when called by MSBuild, it will compile and execute the custom C#, decode and execute the Cobalt Strike beacon on the victim’s machine.” wrote Marinho.
In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.
The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.