Cyber security trends for 2022

Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends other people have predicted or reported.

Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.

Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.

Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.

Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
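The patching hiccups described above usually come down to finding which build still pulls in an old log4j-core, often transitively. The script below is an added example (not from Google, SecurityWeek or the Log4j project): it scans constructed `mvn dependency:tree` output and flags every log4j-core version older than its release line's fix. The thresholds are an assumption taken from the Apache advisories for the CVEs named above (2.17.1 for the main 2.x line, 2.12.4 for the Java 7 line, 2.3.2 for the Java 6 line); the sample tree is constructed, not real project data.

```python
import re

# Minimum fixed log4j-core version per release line (assumption for this
# example): 2.17.1 for the main 2.x line, 2.12.4 for the Java 7 line and
# 2.3.2 for the Java 6 line. Anything older is treated as defective.
FIXED_BY_LINE = {
    (2, 3): (2, 3, 2),
    (2, 12): (2, 12, 4),
}
FIXED_DEFAULT = (2, 17, 1)

# Matches one "mvn dependency:tree" line, e.g.
#   [INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
# Only log4j-core carries the vulnerable lookup code; log4j-api is
# matched so the caller can see it, but it is never flagged.
DEP_RE = re.compile(
    r"org\.apache\.logging\.log4j:(log4j-core|log4j-api):jar:([0-9][0-9A-Za-z.\-]*)"
)


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is dropped."""
    numeric = version.split("-")[0]
    return tuple(int(part) for part in numeric.split("."))


def fixed_version_for(version):
    """Return the minimum fixed version tuple for this release line."""
    return FIXED_BY_LINE.get(parse_version(version)[:2], FIXED_DEFAULT)


def is_vulnerable_version(version):
    """True when this log4j-core version is older than its line's fix."""
    return parse_version(version) < fixed_version_for(version)


def audit_maven_tree(tree_text):
    """Scan dependency:tree output; return (line_no, version, fixed_version)
    for every log4j-core occurrence that still needs an upgrade."""
    findings = []
    for line_no, line in enumerate(tree_text.splitlines(), start=1):
        match = DEP_RE.search(line)
        if match is None or match.group(1) != "log4j-core":
            continue
        version = match.group(2)
        if is_vulnerable_version(version):
            fixed = ".".join(str(p) for p in fixed_version_for(version))
            findings.append((line_no, version, fixed))
    return findings


# Constructed sample of "mvn dependency:tree" output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.12.4:compile
[INFO] \\- com.example:other-lib:jar:1.1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
"""

if __name__ == "__main__":
    for line_no, version, fixed in audit_maven_tree(SAMPLE_TREE):
        print(f"line {line_no}: log4j-core {version} is below fixed version {fixed}")
```

In a real module Maven mediates conflicting versions down to one resolved log4j-core; run `mvn dependency:tree -Dverbose` to also see the candidates it omitted, and remember that this text check cannot see log4j classes shaded into another jar, so it is a first pass, not proof of absence.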

Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.

Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.

Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.

In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1 Malware, 2 Mobile, 3 Machine Learning and AI, 4 Ransomware (because we simply couldn’t not give it a section of its own), and 5 Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf

“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.

Mobile phone security is being overhauled
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a keystone technology that allows an application to generate a system-maintained key and authenticate services (still uses TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension commands added to the CPU chip. In this solution, TEE type protections are provided by a secure enclave. The use of this type of security enclave needs less code than traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. The difference is significant in the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solution structures will also come to smartphones. The new Armv9-A architecture, announced last year, offers a realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will in principle be available.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.

Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf

Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will not be completed. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”

Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Advanced Detection and Response (XDR) model to detect attacks on large networks

Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.

3,062 Comments

  1. Tomi Engdahl says:

    Finns are not afraid of mobile threats
    https://etn.fi/index.php/13-news/13741-suomalaiset-eivaet-pelkaeae-mobiiliuhkia

    According to a survey commissioned by Samsung Electronics Nordic, covering 1010 Finns, 67 percent of Finnish respondents are not worried about becoming the target of a cyber attack when using mobile devices. 9 percent of respondents know they have been exposed to security threats.

    - Mobile devices can just as well be subject to various security threats, such as cyber attacks. For us at Samsung, strong security is a default that we invest in at every stage of product development. Most of our mobile devices are therefore equipped with the Knox security solution so that we can operate more securely in a rapidly changing digital world, says Mika Engblom, head of Samsung Finland’s mobile business.

    Despite exposure to security threats, 67 percent of Finnish respondents are, according to the study, not worried about their security when using mobile devices. At the same time, as many as 60 percent of the Finnish respondents nevertheless believe that mobile phone security threats will increase over the next ten years.

  2. Tomi Engdahl says:

    One in every 13 incidents blamed on API insecurity report
    https://portswigger.net/daily-swig/one-in-every-13-incidents-blamed-on-api-insecurity-report
    API insecurity is responsible for between 4.1% and 7.5% of cybersecurity incidents, according to a new study. The study, conducted by the Marsh McLennan Cyber Risk Analytics Center and based on an analysis of nearly 117,000 unique cybersecurity incidents, found that larger organizations were statistically more likely to have a greater preponderance of API-related incidents. Large enterprises were three to four times more likely to experience API insecurity than small or midsize businesses.

  3. Tomi Engdahl says:

    Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign https://thehackernews.com/2022/06/newly-discovered-magecart.html
    A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. To that end, it has come to light that two malware domains identified as hosting credit card skimmer code, “scanalytic[.]org” and “js.staticounter[.]net”, are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis.

  4. Tomi Engdahl says:

    Antoaneta Roussi / Politico:
    NSO Group General Counsel Chaim Gelfand tells European lawmakers that at least five EU countries have used Pegasus and that the company had “made mistakes”

    Pegasus used by at least 5 EU countries, NSO Group tells lawmakers
    NSO Group ‘made mistakes,’ its chief lawyer says.
    https://www.politico.eu/article/pegasus-use-5-eu-countries-nso-group-admit/

    The Israeli spyware firm NSO Group on Tuesday told European lawmakers at least five EU countries have used its software and the firm has terminated at least one contract with an EU member country following abuse of its Pegasus surveillance software.

    Speaking to the European Parliament’s committee looking into the use of spyware in Europe, NSO Group’s General Counsel Chaim Gelfand said the company had “made mistakes,” but that it had also passed up a huge amount of revenue, canceling contracts since misuse had come to light.

    “We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand told members of the PEGA committee. “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”

    At least five EU countries had used NSO’s tool, Gelfand said, adding he would come back to MEPs with a “more concrete number.”

    EU lawmakers launched the inquiry after revelations that the spyware is widespread in Europe and has been used against some of the bloc’s most prominent leaders, including Spain’s Prime Minister Pedro Sánchez, and political groups in Spain, Poland and Hungary.

    In Spain, the scandal has led to a government investigation of the conduct of its intelligence agency CNI, which Catalan political groups accuse of having spied on leaders of the region’s independence movement.

    To fight off the fierce criticism, NSO Group stressed it was eager to see the creation of an international body on spyware regulation, “something similar to a non-proliferation agreement,” where only countries that agree to the established rules will be able to use the technology, Gelfand said.

    “There’s a lot to be done, that’s why we’re calling for an international standard,” he added.

  5. Tomi Engdahl says:

    Aqua Security Ships Open Source Tool for Auditing Software Supply Chain
    https://www.securityweek.com/aqua-security-ships-open-source-tool-auditing-software-supply-chain

    Cloud security startup Aqua Security has partnered with the Center for Internet Security (CIS) to create guidelines for software supply chain security and followed up by shipping an open source auditing tool to ensure compliance with the new benchmarks.

    The open source tool, called Chain-Bench, is available for auditing an organization’s software supply chain stack for security compliance based on the newly created CIS Software Supply Chain Security Guide.

    Chain-Bench can be used by organizations to scan the DevOps stack from source code to deployment and simplify compliance with security regulations, standards, and internal policies, Aqua Security explained.

    In a statement, the company said the new Software Supply Chain Security Guide offers more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms.

    The fruits of the collaboration are meant to establish general best practices that support key emerging standards like Supply Chain Levels for Software Artifacts (SLSA) and The Update Framework (TUF) while adding foundational recommendations for setting and auditing configurations on the Benchmark-supported platforms, Aqua Security said.

    https://github.com/aquasecurity/chain-bench#readme

    Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark. The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.

  6. Tomi Engdahl says:

    Okta says Lapsus$ incident was actually a brilliant zero trust demonstration
    https://www.theregister.com/2022/06/22/okta_lapsus_zero_trust_explanation/

    Once former supplier Sitel coughed up its logs, it became apparent the attacker was hemmed in

    Okta has completed its analysis of the March 2022 incident that saw The Lapsus$ extortion crew get a glimpse at some customer information, and concluded that its implementation of zero trust techniques foiled the attack.

    So said Brett Winterford, Asia-Pacific and Japan chief security officer of the identity-management-as-a-service vendor, at the Gartner Risk and Security Summit in Sydney today.

    Winterford explained that the incident started in January when an Okta analyst observed a support engineer at Sitel – Okta’s (former) outsourced customer service provider – attempt to reset a password to Okta’s systems but do so from outside the expected network range and without attempting to fulfil a multifactor authentication challenge. That request sent the reset email to a Sitel email address managed under Microsoft 365 and was made with the attacker’s own kit. That last item was highly unusual. Okta can see authentication requests made using the VMs Sitel used to provide support services. But Okta cannot see inside Sitel’s MS365.

    Okta therefore suspended the user and inquired about any issues at Sitel, which admitted to compromise of an Active Directory account.

    “We initially took their word that this compromised account had been contained very quickly, and that there was zero impact to Okta or its customers,” Winterford recalled.

    Once Lapsus$ published its screenshots, Okta came to feel that there was more to the incident than had first been apparent.

    In Winterford’s telling, further analysis revealed that after the attacker failed with their attempt to compromise a Sitel worker with the password reset attempt, they kept trying and found a thin client solution on Sitel’s network.

    “This thin client solution had been configured to allow remote sessions to be monitored by administrators on that network, to the degree that they could also interact with the mouse and keyboard of that remote session if they chose,”

    The actor was able to view and interact with apps that the legitimate support engineer had already authenticated to – but couldn’t just take over, as that would be an obvious red flag.

    Okta’s assessment is that when a support engineer stepped away from their desk, leaving the session connected to Okta’s support environment accessible, the threat actor took the screenshots Lapsus$ published.

    “They were able to view and interact with that [thin client] session for about 25 minutes,”

    “They tried to access the admin console of one customer, but that would have required the consent in the admin console of that customer from their administrator, so that was unsuccessful,” he added.

    “They could potentially have done password and MFA resets, but they would have had to have access to the target inbox of the user that they were resetting.”

    “They also tried to open other applications from the Okta dashboard, but that didn’t work for them either.”

    “So basically, you’ve got a threat on the site or network for five or six days undetected until they tried to leverage that position to compromise Okta. And then in a bit of a last ditch scramble they’ve found a workaround and they’ve tried for 25 minutes to abuse that position and not been particularly successful.”

    Winterford asserted that the event shows that zero trust security – and Okta’s implementation of it – worked.

    Multifactor authentication repelled the attack and prevented takeover of the Sitel engineer’s Okta account, then the customer support tool required extra authentication to access tools that would have allowed the attacker to work with more privileges than those afforded to an outsourced support engineer.

    “The threat actor couldn’t really successfully perform any configuration changes or MFA or password resets and finally, when the threat actor opened the Okta dashboard to try and access more applications, they were presented with a step up authentication they were unable to bypass.”

    Changes to incident response are also in the works. Winterford said Okta acknowledges its initial response to Lapsus$’s allegations made it possible to conclude Okta was not taking responsibility for the situation.

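The two signals the Okta analyst acted on in the account above, a sensitive request arriving from outside the vendor’s expected network range and no MFA factor being verified, are exactly the kind of thing a SOC can check for in an identity provider’s system log. The Python below is an added example written for this page, not code from Okta, Sitel or The Register’s article; the event field names, the expected address ranges and the JSON lines are constructed for illustration and are not Okta’s real log schema.

```python
"""Flag sensitive identity events that come from outside the address ranges an
outsourced support vendor is expected to use AND completed without an MFA factor.
The event shape is a simplified, constructed stand-in for an identity-provider
system log; it is not Okta's schema."""
from __future__ import annotations

import ipaddress
import json

# Assumed: outsourced support staff should only arrive from these ranges.
EXPECTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Event types treated as sensitive (assumed names).
SENSITIVE_EVENTS = {"user.account.reset_password", "user.session.start"}

# Constructed sample log as JSON lines, not real data.
SAMPLE_LOG = """
{"ts":"2022-01-20T10:00:00Z","eventType":"user.session.start","actor":"eng1@sitel.example","ip":"203.0.113.7","mfa_verified":true,"outcome":"SUCCESS"}
{"ts":"2022-01-20T10:05:00Z","eventType":"user.account.reset_password","actor":"eng1@sitel.example","ip":"192.0.2.44","mfa_verified":false,"outcome":"SUCCESS"}
{"ts":"2022-01-20T10:06:00Z","eventType":"user.session.start","actor":"eng2@sitel.example","ip":"192.0.2.45","mfa_verified":true,"outcome":"SUCCESS"}
{"ts":"2022-01-20T10:07:00Z","eventType":"user.account.reset_password","actor":"eng3@sitel.example","ip":"203.0.113.9","mfa_verified":false,"outcome":"SUCCESS"}
"""


def in_expected_range(ip: str) -> bool:
    """True if the source address falls inside one of the vendor's expected ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RANGES)


def score_event(ev: dict) -> list[str]:
    """Return the reasons an event looks suspicious (empty list if none)."""
    reasons: list[str] = []
    if ev["eventType"] not in SENSITIVE_EVENTS:
        return reasons
    if not in_expected_range(ev["ip"]):
        reasons.append("source IP outside expected vendor ranges")
    if not ev.get("mfa_verified", False):
        reasons.append("no MFA factor verified")
    return reasons


def find_suspicious(log_text: str, min_reasons: int = 2) -> list[dict]:
    """Parse JSON lines and return events that trip at least min_reasons checks.

    The default of 2 mirrors the analyst's observation: a reset from an unexpected
    network *and* no MFA attempt. Either signal alone is noisy (travelling staff,
    MFA-exempt flows); both together on one event are far rarer."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append({"ts": ev["ts"], "actor": ev["actor"],
                         "ip": ev["ip"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Lowering `min_reasons` to 1 turns the check into a triage feed (every off-network or MFA-less sensitive event) rather than an alert; the default keeps it at the pairing that actually started Okta’s investigation.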
  7. Tomi Engdahl says:

    Spyware vendor works with ISPs to infect iOS and Android users
    https://www.bleepingcomputer.com/news/security/spyware-vendor-works-with-isps-to-infect-ios-and-android-users/

    During attacks that used drive-by-downloads to infect multiple victims, the targets were prompted to install malicious apps (camouflaged as legitimate mobile carrier apps) to get back online after their Internet connection was cut with the help of their ISP.

  8. Tomi Engdahl says:

    A collection of awesome penetration testing resources, tools and other shiny things
    https://github.com/enaqx/awesome-pentest

  9. Tomi Engdahl says:

    https://en.wikipedia.org/wiki/Boiling_frog

    The boiling frog is an apologue describing a frog being slowly boiled alive. The premise is that if a frog is put suddenly into boiling water, it will jump out, but if the frog is put in tepid water which is then brought to a boil slowly, it will not perceive the danger and will be cooked to death. The story is often used as a metaphor for the inability or unwillingness of people to react to or be aware of sinister threats that arise gradually rather than suddenly.

  10. Tomi Engdahl says:

    Gartner: Regulation, Human Costs Will Create Stormy Cybersecurity Weather Ahead
    Experts tell teams to prepare for more regulation, platform consolidation, management scrutiny, and attackers with the ability to claim human casualties.
    https://www.darkreading.com/attacks-breaches/gartner-regulation-human-cost-stormy-cybersecurity-weather

  11. Tomi Engdahl says:

    Thanks to the economy, cybersecurity consolidation is coming. CISOs are more than ready.
    https://www.protocol.com/enterprise/cybersecurity-startups-acquisitionss-tools

    The complexities created by security “tool sprawl” are a major headache for a lot of businesses. But with many vendors and buyers expecting a broader economic slowdown, a wave of security industry acquisitions looks to be on the way.

  12. Tomi Engdahl says:

    Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say
    A new study says 97% of open source vulnerabilities linked to software supply chain risks are not attackable — but is “attackability” the best method for prioritizing bugs?
    https://www.darkreading.com/application-security/open-source-software-bugs–attackability

  13. Tomi Engdahl says:

    We’re now truly in the era of ransomware as pure extortion without the encryption
    Why screw around with cryptography and keys when just stealing the info is good enough
    https://www.theregister.com/2022/06/25/ransomware_gangs_extortion_feature/

  14. Tomi Engdahl says:

    These 5 internet crises permanently changed the world https://www.is.fi/digitoday/tietoturva/art-2000008904701.html

  15. Tomi Engdahl says:

    CISA warns over software flaws in industrial control systems https://www.zdnet.com/article/cisa-warns-over-software-flaws-in-industrial-control-systems/
    The US Cybersecurity and Infrastructure Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices that should but aren’t always isolated from the internet.

  16. Tomi Engdahl says:

    Spyware vendor works with ISPs to infect iOS and Android users https://www.bleepingcomputer.com/news/security/spyware-vendor-works-with-isps-to-infect-ios-and-android-users/
    Google’s Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools. Source:
    https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html.
    Also:
    https://therecord.media/google-seven-zero-days-in-2021-developed-commercially-and-sold-to-governments/

  17. Tomi Engdahl says:

    Statutory defense for ethical hacking under UK Computer Misuse Act tabled https://portswigger.net/daily-swig/statutory-defense-for-ethical-hacking-under-uk-computer-misuse-act-tabled
    UK legislators have proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill that would give cybersecurity professionals a legal defense for their activities under the Computer Misuse Act (CMA).

  18. Tomi Engdahl says:

    Chinese hackers use ransomware as decoy for cyber espionage https://www.bleepingcomputer.com/news/security/chinese-hackers-use-ransomware-as-decoy-for-cyber-espionage/
    Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities. Also:
    https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader.
    Also:
    https://www.zdnet.com/article/these-hackers-are-spreading-ransomware-as-a-distraction-to-hide-their-cyber-spying

  19. Tomi Engdahl says:

    NSA shares tips on securing Windows devices with PowerShell https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-securing-windows-devices-with-powershell/
    The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines. Full pdf here:
    https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/1/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF

  20. Tomi Engdahl says:

    NSO Confirms Pegasus Spyware Used by at least 5 European Countries https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html
    The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.

  21. Tomi Engdahl says:

    There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families https://unit42.paloaltonetworks.com/api-hammering-malware-families/
    Unit 42 has discovered Zloader and BazarLoader samples that had interesting implementations of a sandbox evasion technique. This blog post will go into details of the unique implementations of API Hammering in these types of malware.

  22. Tomi Engdahl says:

    Microsoft: Exchange Server 2013 reaches end of support in 9 months https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-server-2013-reaches-end-of-support-in-9-months/
    Microsoft has reminded customers that the Exchange Server 2013 mail and calendaring platform will reach its extended end-of-support date roughly nine months from now, on April 11, 2021.

  23. Tomi Engdahl says:

    Malicious Code Passed to PowerShell via the Clipboard
    https://isc.sans.edu/diary/rss/28784
    Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. The script has a VT score of 16/54 [1].
    The script uses the Windows command-line tool “clip.exe” which is often unknown to people

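The trick the SANS diary describes, a batch file staging code through clip.exe so that PowerShell can pull it from the clipboard instead of receiving it on the command line, leaves two traces in process-creation telemetry: a PowerShell command line that reads the clipboard and evaluates the result, and a clip.exe process followed shortly by a PowerShell process under the same parent. The Python below is an added example for this page, not the diary’s script or code from SANS; the Sysmon-like event fields, the 60-second window and the sample events are constructed and simplified, and the command lines are placeholders rather than the real sample.

```python
"""Detect a clipboard hand-off to PowerShell in process-creation events.
Events are constructed, Sysmon-like JSON lines (basenames only, no full paths);
field names and the time window are assumptions for this example."""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta

# Constructed sample: cmd.exe runs a .bat that pushes text into clip.exe, then
# PowerShell reads the clipboard and evaluates it. The later clip/PowerShell pair
# is unrelated admin activity (30 minutes apart, no clipboard read).
SAMPLE_EVENTS = r"""
{"ts":"2022-06-27T08:00:00Z","pid":410,"ppid":300,"image":"cmd.exe","cmdline":"cmd.exe /c evil.bat"}
{"ts":"2022-06-27T08:00:01Z","pid":411,"ppid":410,"image":"clip.exe","cmdline":"clip"}
{"ts":"2022-06-27T08:00:02Z","pid":412,"ppid":410,"image":"powershell.exe","cmdline":"powershell -w hidden -c \"iex (Get-Clipboard)\""}
{"ts":"2022-06-27T09:00:00Z","pid":520,"ppid":500,"image":"clip.exe","cmdline":"clip"}
{"ts":"2022-06-27T09:30:00Z","pid":530,"ppid":500,"image":"powershell.exe","cmdline":"powershell -c Get-Date"}
"""

# Clipboard read via the cmdlet or the .NET class; evaluation via iex/Invoke-Expression.
CLIP_READ = re.compile(r"get-clipboard|\[windows\.forms\.clipboard\]", re.I)
EVAL = re.compile(r"\biex\b|invoke-expression", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(seconds=60)  # assumed: clip.exe and PowerShell this close share a parent


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events_text: str) -> list[str]:
    """Return one finding string per suspicious PowerShell process.

    Two independent checks are applied in a single pass:
      1. command line both reads the clipboard and evaluates what it read;
      2. a clip.exe process ran under the same parent within WINDOW before it."""
    findings: list[str] = []
    clip_by_parent: dict[int, list[datetime]] = {}
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        t = parse_ts(ev["ts"])
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        if image == "clip.exe":
            clip_by_parent.setdefault(ev["ppid"], []).append(t)
            continue
        if image not in POWERSHELL:
            continue
        if CLIP_READ.search(cmd) and EVAL.search(cmd):
            findings.append(f"pid {ev['pid']}: PowerShell evaluates clipboard contents: {cmd}")
        recent = [c for c in clip_by_parent.get(ev["ppid"], [])
                  if timedelta(0) <= t - c <= WINDOW]
        if recent:
            findings.append(f"pid {ev['pid']}: clip.exe then PowerShell under parent "
                            f"{ev['ppid']} within {int(WINDOW.total_seconds())}s")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The second check matters because the command-line pattern is easy to obfuscate (the clipboard read can be hidden inside a script file or an encoded command), while the parent/child timing of clip.exe and PowerShell survives that obfuscation; it needs the PowerShell script-block logging and process auditing that the NSA guidance in a later comment recommends to be useful at scale.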
  24. Tomi Engdahl says:

    China’s expanding surveillance allows state to tighten grip https://buffalonews.com/chinas-expanding-surveillance-allows-state-to-tighten-grip/article_1f7e00ec-0006-59cc-8fbe-d27f57666609.html
    BEIJING -China’s ambition to collect a staggering amount of personal data from everyday citizens is more expansive than previously known, a New York Times investigation has found.

  25. Tomi Engdahl says:

    Private Network 5G Security Risks & Vulnerabilities https://www.trendmicro.com/en_us/research/22/f/5g-security-risks-vulnerabilities.html
    The move towards 5G is accelerating as enterprises seek greater security, flexibility, and reliability in 5G than earlier cellular, wireless, or wired connectivity.

  26. Tomi Engdahl says:

    Active Adversary Playbook 2022 Insights: Web Shells https://news.sophos.com/en-us/2022/06/22/active-adversary-playbook-2022-insights-web-shells/
    Public proofs-of-concept of web shell exploits coincide with major spikes in attacks.

  27. Tomi Engdahl says:

    Researchers: Oracle Took 6 Months to Patch ‘Mega’ Vulnerability Affecting Many Systems
    https://www.securityweek.com/researchers-it-took-oracle-6-months-patch-mega-vulnerability-affecting-many-systems

    Security researchers have published technical details on a critical Fusion Middleware vulnerability that Oracle took six months to patch.

    Tracked as CVE-2022-21445 (CVSS score of 9.8), the vulnerability is described as a deserialization of untrusted data, which could be exploited to achieve arbitrary code execution. Identified in the ADF Faces component, the issue can be exploited remotely, without authentication.

    The flaw was discovered by security researchers PeterJson of VNG Corporation and Nguyen Jang of VNPT, who reported it to Oracle in October 2021. Oracle released a fix as part of its April 2022 Critical Patch Update, six months after the initial report.

    According to the two security researchers, the pre-authentication RCE issue, which they described as a “mega” vulnerability, impacts all applications that rely on ADF Faces, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management.

    PeterJson and Jang also discovered CVE-2022-21497 (CVSS score of 8.1), a server-side request forgery (SSRF) vulnerability that could be chained with CVE-2022-21445 to achieve pre-authentication remote code execution in Oracle Access Manager, a component used for SSO in numerous Oracle online services.

  28. Tomi Engdahl says:

    Security Orchestration: Beware of the Hidden Financial Costs
    https://www.securityweek.com/security-orchestration-beware-hidden-financial-costs

    Among the many improvements in cybersecurity technology and tools we’ve seen over the last few years, one of the most significant has been the inclusion of security automation and orchestration capabilities in solution categories beyond SOAR platforms. SIEM providers acquired stand-alone SOAR platforms, and endpoint detection and response (EDR) solutions broadened to include automation and orchestration capabilities to accelerate threat detection and response. So, what’s next?

    Previously, I focused on the evolution of automation from a process-driven to a data-driven approach to unlock even greater efficiencies and effectiveness. Here, we’ll take a closer look at how orchestration is evolving and delivering additional benefits.

    First a little level-setting. We tend to talk about orchestration and automation at the same time and use the terms interchangeably, but they are quite different. Automation is about making steps (e.g., looking up a domain or blocking a port) happen faster to increase security operations efficiency. Whereas orchestration is about getting multiple systems in the Security Operations Center (SOC) to work together so you can detect, remediate and respond across the infrastructure.

  29. Tomi Engdahl says:

    US, UK, New Zealand Issue PowerShell Security Guidance
    https://www.securityweek.com/us-uk-new-zealand-issue-powershell-security-guidance

    The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Cyber Security Centres in New Zealand (NZ NCSC) and the United Kingdom (NCSC-UK) have issued joint guidance on the proper configuration and monitoring of PowerShell to eliminate the risk of abuse.

    A scripting language and command line utility in Windows, PowerShell is meant to extend user experience and help with the management of the operating system through the automation of repetitive tasks and by enabling forensics and improving incident response.

    PowerShell is also deployed in Microsoft Azure, where administrators can use it for automating tools and security measures. The latest PowerShell release – version 7.2 – is managed and open sourced by Microsoft.

    The broad availability of PowerShell, along with its ease of use and extensibility, have proven an opportunity for malicious actors during the post-exploitation phase of cyberattacks.

    While some administrators and defenders would completely disable PowerShell to prevent abuse, the joint guidance provides a series of recommendations that can help mitigate risks without impeding PowerShell’s functionality.

    “Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell,” the NSA, CISA, NZ NCSC, and NCSC-UK note in their Cybersecurity Information Sheet (CIS).

  30. Tomi Engdahl says:

    The developers call their invention the anti-drone rifle. Until now there are only 80 units of this weapon. It operates essentially as a powerful radio jammer emitting a directional interfering beam that cuts all the remote drone communications and possibly disrupts its internal signal pathways.
    -
    https://www.technology.org/2022/06/26/ukraine-demonstrates-the-anti-drone-rifle-video/

  31. Tomi Engdahl says:

    LockBit 3.0 introduces the first ransomware bug bounty program https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/
    The LockBit ransomware operation has released ‘LockBit 3.0’, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.

  32. Tomi Engdahl says:

    What Are Shadow IDs, and How Are They Crucial in 2022?
    https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html
    “Shadow IDs, ” or in other words, unmanaged employee identities and accounts in third-party services are often created using a simple email-and-password-based registration.

  33. Tomi Engdahl says:

    Information security phenomena that changed the world https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/tietoturvailmiot-jotka-muuttivat-maailmaa
    The big storms of cyber security shake our everyday lives for a while each time, but something has also been learned from every squall. Our new video series goes through five significant cyber incidents from the past decade.

  34. Tomi Engdahl says:

    Researchers crack MEGA’s ‘privacy by design’ storage, encryption https://portswigger.net/daily-swig/researchers-crack-megas-privacy-by-design-storage-encryption
    However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary. Also:
    https://mega-awry.io/pdf/mega-malleable-encryption-goes-awry.pdf

  35. Tomi Engdahl says:

    Conti vs. LockBit: A Comparative Analysis of Ransomware Groups https://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html
    Here, by comparative analysis of the characteristics of the organizations victimized by these two major ransomware groups, we clarify their differences in attack tendencies.

  36. Tomi Engdahl says:

    House Passes ICS Cybersecurity Training Bill
    https://www.securityweek.com/house-passes-ics-cybersecurity-training-bill

    The US House of Representatives has passed a new cybersecurity bill named the “Industrial Control Systems Cybersecurity Training Act.”

    The bill was introduced in May by Rep. Eric Swalwell (D-CA), and it was approved by the House last week. Swalwell said the goal of the legislation is to help strengthen the US’s cybersecurity protections “in light of increased Russian cyber threats.”

    Specifically, the Industrial Control Systems Cybersecurity Training Act would amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency (CISA) to establish a cybersecurity training initiative focusing on industrial control systems (ICS).

    The bill aims to provide the IT workforce with free ICS security training. This includes virtual and in-person training and courses that would be available at different skill levels to help participants develop and strengthen their skills.

    The courses will cover ICS cyber defense strategies and they will be available to both government agencies and private sector entities.

    If the bill becomes law, the House and Senate will receive yearly reports describing the courses and participants. The reports will also include information on the plans to expand access to the training, as well as recommendations for strengthening the state of ICS education and training.

    “With the increased threat of Russian cyberattacks, we must be cognizant of cyberwarfare from state-sponsored actors,” Swalwell said.

  37. Tomi Engdahl says:

    What Are Shadow IDs, and How Are They Crucial in 2022?
    https://thehackernews.com/2022/06/what-are-shadow-ids-and-how-are-they.html

    Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

    Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems like new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

    “Shadow IDs,” or in other words, unmanaged employee identities and accounts in third-party services are often created using a simple email-and-password-based registration. CASBs and corporate SSO solutions are limited to a few sanctioned applications and are not widely adopted on most websites and services either. This means, that a large part of an organization’s external surface –as well as its user identities– may be completely invisible.

    Above all, these Shadow IDs remain unmanaged even after employees leave the organization. This may result in unauthorized access to sensitive customer data or other cloud-based services. Employee-created, but business-related identities are unseen for most IDM/IAM tools also. The graveyard of forgotten accounts belonging to ex-employees or abandoned applications is growing every day, to infinity.

    And sometimes, the dead rise from their graves, as with the Joint Commission On Public Ethics, whose legacy system was breached this year, even though it’s been out of use since 2015. They rightfully notified their legacy users because they understand that password reuse may stretch over several years, and according to Verizon, stolen credentials are still the top contributor to all sorts of breaches and attacks. So when Shadow IDs are left behind, they create an everlasting risk unseen and unmanaged by anyone.

    How to Report on Shadow IT and Shadow IDs?

    Unfortunately, network monitoring misses the mark, as those tools are designed to filter malicious traffic, provide data leakage protection and create category-based rules for browsing. However, they are completely blind to actual logins, and thus cannot differentiate browsing, private accounts, and corporate application signups, (or phishing sites for that matter). To discover and manage Shadow IDs and Shadow IT, there needs to be application and account-level monitoring in place, that can create a trusted, global source of truth across the organization.

    Discovering these assets via monitoring business-related credential usage on any website enables a unified view of unsanctioned or unwanted applications. Inventories of apps and accounts provide visibility of the true scope of external services and identities used across the organization. Also, they allow the reviewing of third-party providers about their policies, security and authentication measures, and how they are managing and maintaining your data.

    It is impossible to properly categorize all of the quarter-million new domains that are registered each day across the globe, so monitoring those that show up on our endpoints is the right approach. As a side-effect, revealing logins on suspicious or new apps will give visibility into successful phishing attacks that were not prevented on a gateway or client-side, and where employees gave away important credentials.

    Scirge is a browser-based tool that provides complete visibility into Shadow IDs and Shadow IT, password hygiene for corporate and third-party business web accounts, and even real-time employee education and awareness. And it also has a completely free version for auditing your cloud footprint, so you can get an immediate view of the extent of Shadow IT amongst your employees.

    https://thn.scirge.com/welcome/

    https://thn.scirge.com/audit/

  38. Tomi Engdahl says:

    Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage
    https://www.securityweek.com/chinese-apt-bronze-starlight-uses-ransomware-disguise-cyberespionage

    A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks.

    In attacks observed as early as mid-2021, the threat group started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.

    The short lifespan of each ransomware family, victimology, and the access to tools employed by Chinese nation-state threat actors (including known vulnerabilities and the HUI Loader) led researchers with cybersecurity firm Secureworks to believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain.

    Since at least 2015, HUI Loader has been used for the delivery of remote access trojans (RATs) and other types of malware, including Cobalt Strike, QuasarRAT, PlugX, and SodaMaster.

    Starting in 2021, the loader has been used in campaigns focused on intellectual property theft, with two distinct clusters of activity identified: Bronze Riverside (APT10), which has been focusing on compromising Japanese organizations, and Bronze Starlight, which employs ransomware to distract incident responders and likely to destroy evidence of intrusion.

  39. Tomi Engdahl says:

    7 Steps to Stronger SaaS Security
    Continuous monitoring is key to keeping up with software-as-a-service changes, but that’s not all you’ll need to get better visibility into your SaaS security
    https://www.darkreading.com/cloud/7-steps-to-stronger-saas-security

