Armo’s platform was developed to protect cloud-native workloads and provide DevOps teams with greater visibility and control.

A new cloud security startup emerged from stealth this week with $4.5 million in funding and a mission to strengthen security for cloud-native workloads.

According to Israel-based Armo, as more companies adopt cloud technologies, many accelerate use of Kubernetes as the container orchestration platform. However, these current solutions give limited visibility and security for cloud-native platforms, Armo officials say in a release. Some use “sidecars,” or bolted-on security tools, but these don’t always provide a seamless and secure environment. 

Armo says its Workload Fabric tool aims to give DevOps teams a new means to protect cloud workloads and deploy applications with security and visibility built in. This tool integrates into the DevOps pipeline at the CI/CD phase and provides an in-memory security layer along with governance layers such as data flow compliance, data protection, and protected tunneling and networking. The idea is to help developers build security into software from the start and detect threats.

How it works: the tool scans binaries, scripts, and configurations for each cloud-based workload and creates an identity for each. It then ensures that only authenticated workloads can run and execute code, communicate with each other, and access data. When it detects potentially anomalous code, it automatically remediates it.

Read the full release for more information.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


Most insider incidents don’t get reported to the FBI due to fear of debilitating business disruptions, public embarrassment, and screeching vans skidding into the parking lot to confiscate servers. But is that reality?

Despite stunning incident counts, many if not most insider threats remain unreported. Reasons vary but all bloom from the same stem: the victim company’s fear of being harmed again, either by the legal system or law enforcement. But are those fears real and justified, or are they spun from myths? Time to take a look at what actually happens after a company contacts the FBI, formally or informally.

The Scene …
“About three out of every four malicious insider incidents are handled internally, with no legal action or no law enforcement activity taken,” which means “these incidents are significantly underreported,” says Randy Trzeciak, director of the National Insider Threat Center, which is in the CERT division of the Software Engineering Institute at Carnegie Mellon University.

Why do these incidents go unreported? Companies hesitate or decide not to report for several reasons, including fear they may be wrong about the person they suspect, and thus may be held liable. They may also fear significant business disruption during the FBI investigation, uncertainty over the nature of the threat, or who at the FBI to contact. But also because of “fear of negative reputational damage, fear of competitors knowing specifically that these incidents have occurred, and fear they are unable to prove through forensic evidence that an insider did something bad,” Trzeciak says.

Those fears are based on rational business concerns, but they are not foregone conclusions. Nor is avoidance the best path to mitigating any of the risks they fear.

It was a hard-won lesson in the U.S. versus Shan Shi case, wherein valuable trade secrets were stolen and sold to a Chinese company. While FBI Houston’s elite counterintelligence investigators worked for years to destroy Shi’s prolific network and to successfully bring him to justice, “we could have prevented some of the loss had the suspicious behavior been reported earlier,” Roman Rozhavsky, acting section chief of the FBI Counterintelligence Division, told Dark Reading.

How to Tell Houston We Have a Problem
“That’s why we do want contact even on suspicions,” says Rozhavsky. “We follow the rules on opening investigations, but suspicions are often enough for us to work to prevent a future threat or stop ongoing losses.”

While companies may greet this news with a sigh of relief once they realize they don’t have to compile mountains of elusive evidence before they can seek help, the crime reporting process itself may feel overwhelming and thus discourage follow-through.

But that fear, too, is more imagined than real. It turns out there are several ways to easily contact the FBI.

A good place to start is in building relationships with the FBI before trouble happens.

“Have informal conversations and build relationships with FBI agents, even if your company has no infosec section or department,” says Philip E. Frigm Jr., section chief of the FBI Cyber Division.

Companies that outsource infosec to MSSPs, or start-ups and small companies that rely on little more than security software, can also establish relationships with the FBI and attend educational security meetings to improve their threat awareness and decision-making. In other words, the FBI is not just for big companies and big cases, although it handles those routinely, too.

Building rapport and establishing relationships between the private sector and the FBI helps the agency, too — primarily in adapting their investigation methods to meet evolving threats.

For those reasons and a few more, the Office of Private Sector (OPS), part of the FBI’s Intelligence Branch, came into being. The OPS “allows for one ‘FBI voice’ and connects private industry with whom they need to connect with — whatever the concern.” This means you can contact almost anyone in the FBI and that person will see to it that any concern you express gets to the right agents within the FBI. It also means you will have contact with the same FBI agent(s) and not have to talk to different people each time there is a concern or incident.

The FBI offers several programs as a means for establishing and maintaining relationships with the private sector that both educate and offer informal communication channels. Two key FBI programs that are well-known throughout the infosec community are InfraGard and Domestic Security Alliance Council (DSAC). Additional resources are available for businesses as well. One key example is iGuardian, a secure information portal for businesses to report cyber intrusion incidents in real time.

While an ongoing relationship ahead of problems is ideal, you don’t have to go that route. You can reach out to the local FBI field office, file a report online at ic3.gov, or simply call 1-800-CALL-FBI (1-800-225-5324).

“Any FBI contact can help direct you. But do converse with us as early as possible. If you wait to tell us about an incident that happened six months ago, we may not be able to get all of the evidence we need or to put the steps in place that may have helped you much sooner,” says Frigm.

Two Can Keep a Secret If One of Them Is from the FBI
Once contact is made, what happens next? Will FBI vans swarm in and take computers, hard drives, and other hardware and software as evidence? Will business come to a screeching or crawling halt during the investigation?

How the FBI responds depends a great deal on the specific circumstances. But in general, “we like to keep our footprint very small. One FBI guy in a regular suit might come in to talk to someone at your company in the boardroom, for example,” Frigm explains. “But we can also meet somewhere else, over coffee maybe.”

You might want to ask your attorney to join the FBI meeting too — but probably not for the reasons you think.

“Legal counsel is desirable for several reasons. For one, bringing them up to speed afterward on our evidence collection delays progress. It’s better to include legal counsel early on rather than repeat everything again later,” Frigm says. “But also, given data privacy laws, you may not have the authority to give us consent — and you may not know that, but your lawyer will. It’s imperative that we collect the evidence according to the rules.”

Having legal counsel present isn’t perceived as an obstacle or a confrontation. “I’ve never encountered a situation that legal counsel wasn’t helpful,” he adds.

“I agree,” says Rozhavsky. “It saves a lot of time.”

So … Now the Screeching Vans?
Once the legalities are dealt with, evidence collection begins. So, do the FBI vans come skidding into the parking lot now? Do FBI agents in jackets with loud neon letters start hauling out company hardware?

“Evidence is collected in the least disruptive way possible. Often, much of the activity tracking and evidence collecting can be done remotely, but if we must collect evidence on site we’ll do so quietly,” Rozhavsky says.

The dedication to drawing zero attention to themselves and their work is not just a matter of courtesy, but of stealth and strategy.

“Insiders do have some legitimacy in accessing company information, so to some extent they are supposed to work with the information. We have to be careful not to tip the bad guy off while we’re investigating,” Frigm says.

And what should you expect once the investigation quickens towards an outcome?

“There will likely be more conversations, but with fewer people,” according to Frigm.

In the end, hopefully a crime is prevented or halted in progress. If not, a criminal is hopefully brought to justice in the courts. In either case, the FBI has likely gone home as quietly as they came.

A prolific writer and analyst, Pam Baker’s published work appears in many leading publications. She’s also the author of several books, the most recent of which is “Data Divination: Big Data Strategies.” Baker is also a popular speaker at technology conferences and a member …


Payments to ransomware gangs using cryptocurrency more than quadrupled in 2020, with less than 200 cryptocurrency wallets receiving 80% of funds.

Ransomware payments using cryptocurrency surged 311% in 2020, nearing a total volume of $350 million, as cybercriminals gravitated to crypto-locking as the easiest way to turn compromised systems into cash, blockchain analysis company Chainalysis stated in an analysis this week.

While ransomware payments through cryptocurrencies are skyrocketing, cybercrime overall is accounting for less volume of digital currency transactions, the company stated. Cybercrime transactions using cryptocoins dropped by more than half to $10 billion, but because overall cryptocurrency transaction volume increased, the share of cybercrime dropped even more precipitously to account for only 0.34% of all cryptocurrency transactions in 2020, down from more than 2% in 2019.

The data demonstrates that, while ransomware has become a greater problem, cryptocurrency continues to expand its markets, says Kim Grauer, head of research at Chainalysis.

“Cryptocurrency has a reputation as being driven by cybercrime, speculation and tax-avoidance strategies,” she says. “But it’s increasingly being used as a store of value both in developed markets where asset managers are entering the space and in emerging markets.”

The use of a cryptocurrency money-laundering scheme known as mixing has declined since a spike in the third quarter of 2019, according to Chainalysis data. In the final quarter of 2020, more than 90% of funds leaving ransomware wallets were destined for a cryptocurrency exchange, about half of which were designated “high risk” by Chainalysis. Often, different ransomware groups and strains use the same 

“We can find connections between ransomware strains by examining common deposit addresses to which wallets associated with different strains send funds,” Chainalysis stated in its analysis. “We believe that most of the cases of deposit address overlap represent usage of common money laundering services by different ransomware strains.”

While public reports have focused on the Maze Team — which appears to have shut down in November 2020 — and Egregor, which appears to have replaced Maze, Chainalysis found that the well-known Ryuk malware appears to be the most prolific ransomware threat to companies, both in the number of ransoms paid and the total profit. Three strains of ransomware — Ryuk, Maze, and Doppelpaymer — accounted for more than half of all the known ransom payments.

However, the company cautioned against drawing too many conclusions, as many strains of ransomware are used to enable ransomware-as-a-service (RaaS) offerings. In other words, different cybercriminal groups may be using the same ransomware, or a collection of strains.

“Many RaaS affiliates migrate between strains, suggesting that the ransomware ecosystem is smaller than one might think at first glance,” the company stated in the report. “In addition, many cybersecurity researchers believe that some of the biggest strains may even have the same creators and administrators, who publicly shutter operations before simply releasing a different, very similar strain under a new name.”

A key component of the ransomware ecosystem is the ability to launder the money paid by victims to foil law enforcement efforts to track funds. While ransomware demands often use one-time wallets for payments, most funds track back to a limited number of accounts. In fact, 199 deposit addresses account for 80% of the monetary value of ransomware, Chainalysis stated. These deposit addresses are hosted on exchanges, and often amount to an over-the-counter brokerage or other nested service, says Grauer.

“Mixers are still being used by criminals, but right now we are seeing large, organized criminal groups using laundering infrastructure that is based out of a few exchanges, such as OTC brokers who often specialize in laundering illicit funds,” says Grauer.

Law enforcement could target the relatively low number of deposit addresses as a way to disrupt ransomware schemes. Chainalysis found that 25 deposit addresses accounted for 46% of all funds, and nine of those addresses were primarily used for ransomware payments.
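The two measurements described above, linking strains through shared deposit addresses and counting how few addresses receive most of the value, as an added example that is not Chainalysis’s code or data. The ledger below is constructed, with placeholder strain names and address labels, and the thresholds are assumptions.

```python
"""Link ransomware strains through shared deposit addresses and measure how
concentrated the cash-out end-points are.

Constructed sample ledger (not Chainalysis data): each record is the strain
whose victim-facing wallet sent funds, the deposit address the funds landed
at, and the USD value. Strain names and addresses are placeholder labels.
"""
from collections import defaultdict

LEDGER = [
    ("Strain-A", "deposit-01", 1_200_000),
    ("Strain-A", "deposit-02", 300_000),
    ("Strain-B", "deposit-01", 800_000),
    ("Strain-B", "deposit-03", 150_000),
    ("Strain-C", "deposit-03", 250_000),
    ("Strain-D", "deposit-04", 100_000),
    ("Strain-E", "deposit-05", 40_000),
    ("Strain-E", "deposit-06", 10_000),
]


class DisjointSet:
    """Union-find over strain names: two strains join one cluster whenever
    they pay into the same deposit address (a shared laundering service)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def strain_clusters(ledger):
    """Group strains that share at least one deposit address, transitively:
    if A and B share one address and B and C share another, all three cluster."""
    by_address = defaultdict(set)
    for strain, address, _ in ledger:
        by_address[address].add(strain)
    ds = DisjointSet()
    for strains in by_address.values():
        strains = sorted(strains)
        for s in strains:
            ds.find(s)  # register singletons so lone strains still appear
        for s in strains[1:]:
            ds.union(strains[0], s)
    clusters = defaultdict(set)
    for strain, _, _ in ledger:
        clusters[ds.find(strain)].add(strain)
    return sorted(sorted(c) for c in clusters.values())


def addresses_for_share(ledger, share=0.80):
    """Fewest deposit addresses (largest receivers first) whose combined
    inflow reaches `share` of all ransomware value in the ledger."""
    totals = defaultdict(int)
    for _, address, usd in ledger:
        totals[address] += usd
    grand = sum(totals.values())
    chosen, running = [], 0
    for address, usd in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(address)
        running += usd
        if running >= share * grand:
            break
    return chosen, running / grand


if __name__ == "__main__":
    print("clusters:", strain_clusters(LEDGER))
    addrs, frac = addresses_for_share(LEDGER)
    print(f"{len(addrs)} addresses receive {frac:.1%} of value: {addrs}")
```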

“These services are incentivized to maintain their deposit addresses in the same way a brick-and-mortar business might not want to move locations. They’d have to tell their customers they are moving,” Grauer says. “We don’t know for sure how many total groups are out there, but the fewer deposit addresses that need to be shut down to impact the current money laundering infrastructure, the better for investigation and compliance purposes.”

Cryptocurrency markets are rife with speculation, but cryptocurrencies known as stablecoins, which are backed by assets (most often US dollars), are growing in popularity as a way to shake off the volatility of the pure cryptocurrency markets. Stablecoins can be a hedge for international investors, but they also have increased value for money laundering and tax avoidance. In December, US financial regulators warned that stablecoins posed significant financial and regulatory risks.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …


In the past 20 years, bug hunting has transformed from a hobby (or maybe even a felony) to a full-time profession for tens of thousands of talented software engineers around the globe. Thanks to the growth in private and public bug bounty programs, men and women with the talent can earn a good living by sniffing out flaws in the code for applications and, increasingly, physical devices that power the 21st century global economy.


Bug Hunting Smart TVs To Supply Chain

What does that work look like, and what platforms and technologies are drawing the attention of cutting-edge vulnerability researchers? To find out we sat down with the independent researcher known as Sick Codes (@sickcodes). In recent months, he has gotten attention for a string of important discoveries. Among other things, he discovered flaws in Android smart television sets manufactured by the Chinese firm TCL and was part of the team, along with last week’s guest John Jackson, that worked to fix a serious server-side request forgery flaw in a popular open source security module, NPM Private IP.


In this interview, Sick Codes and I talk about his path to becoming a vulnerability researcher, the paid and unpaid research he conducts looking for software flaws in common software and internet of things devices, some of the challenges and impediments that still exist in reporting vulnerabilities to corporations and what’s in the pipeline for 2021. 


As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

Attackers go after the weak links first, and the Web supply chain provides an abundance of weak links to target.

After the SolarWinds breach that infected thousands of organizations and at least 250 federal agencies and businesses, and with new complex attacks like the one on the Vietnam Government Certification Authority, companies and executives are realizing how susceptible their own systems are to supply chain attacks.

As industry experts have pointed out, the SolarWinds incident shows how some cyberattacks are nearly impossible to detect. It also raises questions about the overall vulnerability of government and private sector networks and prompted the National Security Council to stand up a task force, the Cyber Unified Coordination Group, to coordinate the investigation and remediation of this incident.

As is typical in a supply chain attack, in the SolarWinds incident, the malicious code was inserted during a legitimate software update — in this case, to SolarWinds’ Orion platform — and hidden within a digitally signed software component.

When it comes to supply chains, blind trust and long, complex chains are two key ingredients for disaster. However, these are two constants in nearly every Web application and website that is online right now.

The Web supply chain is a mash-up of third-party code with thousands of ramifications. Today, Web applications have 1,000 modules (also known as code dependencies) on average. Each of these modules has dependencies of its own and so each Web app can quickly rack up thousands of pieces of third-party code. Don’t forget that each of these pieces also represents an increase of the attack surface, especially considering that these third parties often have fewer resources dedicated to security. As we’ve seen several times, it just takes one ill-intentioned user to launch a serious Web supply chain attack.

A 2019 study explored the possible side effects of this reliance on third-party code on the Web. One key problem the authors outlined is the lack of privilege separation on the Web — all pieces of third-party code have the same privileges as code that is developed internally. A breach on a single piece of third-party code can silently send malicious code down the supply chain and into a legitimate software update — just like what happened in the SolarWinds incident. But in the case of the Web supply chain, the picture gets much worse. The same team of researchers found that 20 maintainer accounts can reach more than half of the entire Web ecosystem — meaning that a single breach in one of these accounts can trigger a global Web supply chain attack and affect millions of organizations.
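The reach measurement described above (a maintainer account reaching every package that transitively depends on something it publishes) as an added example, not code from the cited study or from Jscrambler. The dependency graph and maintainer list are constructed toy data, and the greedy account selection is an approximation of the “fewest accounts that cover half the ecosystem” figure, not the study’s method.

```python
"""Transitive reach of maintainer accounts across a Web package ecosystem.

Constructed toy dependency graph (not real npm data): DEPS maps a package to
the packages it depends on directly. A maintainer "reaches" every package
that transitively depends on any package they publish, because a compromised
account can push a malicious version down that whole chain, and on the Web
that code runs with the same privileges as first-party code.
"""
from collections import defaultdict, deque

# Constructed sample: package -> direct dependencies (assumption).
DEPS = {
    "shop-frontend": ["ui-kit", "http-lib", "chat-widget"],
    "bank-portal": ["ui-kit", "http-lib"],
    "ui-kit": ["dom-utils"],
    "http-lib": ["dom-utils", "url-parse"],
    "chat-widget": ["http-lib"],
    "dom-utils": [],
    "url-parse": [],
    "blog-cms": ["url-parse"],
}

# Constructed sample: maintainer account -> packages it publishes (assumption).
MAINTAINERS = {
    "alice": ["dom-utils"],
    "bob": ["url-parse", "chat-widget"],
    "carol": ["ui-kit"],
    "dave": ["blog-cms"],
}


def reverse_graph(deps):
    """Build dependency -> dependents edges so we can walk 'who depends on X'."""
    dependents = defaultdict(set)
    for pkg, ds in deps.items():
        for d in ds:
            dependents[d].add(pkg)
    return dependents


def reach(deps, roots):
    """All packages (roots included) that transitively depend on any root."""
    dependents = reverse_graph(deps)
    seen = set(roots)
    queue = deque(roots)
    while queue:
        pkg = queue.popleft()
        for parent in dependents[pkg]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def maintainer_reach(deps, maintainers):
    """Fraction of the ecosystem each maintainer account can reach."""
    total = len(deps)
    return {m: len(reach(deps, pkgs)) / total for m, pkgs in maintainers.items()}


def smallest_account_set(deps, maintainers, target=0.5):
    """Greedily pick maintainer accounts until their combined reach covers
    `target` of all packages. Greedy set cover is an approximation (the true
    minimum may be smaller); it is enough to show how few accounts it takes."""
    total = len(deps)
    covered, chosen = set(), []
    while len(covered) / total < target:
        best = max(
            (m for m in maintainers if m not in chosen),
            key=lambda m: len(reach(deps, maintainers[m]) - covered),
            default=None,
        )
        if best is None:
            break
        chosen.append(best)
        covered |= reach(deps, maintainers[best])
    return chosen, len(covered) / total


if __name__ == "__main__":
    for account, frac in maintainer_reach(DEPS, MAINTAINERS).items():
        print(f"{account}: reaches {frac:.0%} of packages")
    print("accounts covering half the ecosystem:", smallest_account_set(DEPS, MAINTAINERS))
```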

Another approach to Web supply chain attacks, known as Magecart or Web skimming, has also been gaining momentum. This approach consists of injecting malicious code into a third-party script, such as a live chat widget, to load the infected code whenever end users access a certain webpage. In Magecart Web skimming attacks, the code collects all credit card data submitted on payment forms and covertly sends it to attackers’ drop servers.

Could either or both of these approaches lead to massive state-sponsored attacks on the Web? Researchers have spotted clear links between Web supply chain attacks and state-sponsored hacking crews on multiple occasions. We know that attackers always go after the weak links first, and the Web supply chain provides an abundance of weak links to target.

Just like the SolarWinds incident showed, companies can’t risk the critical impact of a supply chain attack. Solving Web supply chain attacks requires taking action now, understanding this security weakness, and actively finding ways to reduce the attack surface.

In practice, organizations must reduce their reliance on third-party code whenever possible, reinforce their vetting practices, and employ mechanisms to detect malicious client-side behavior at runtime. This latter strategy has gained momentum because it allows organizations to detect all signs of malicious behavior in real time without relying on signatures. As such, runtime monitoring can vastly reduce the time needed to detect and block the source of the attack.

Web supply chain attacks keep growing in complexity, taking advantage of the overall chaos of client-side code. A strong commitment to improved application security is surely the best weapon that organizations can bring to this Web supply chain battle.

CEO and Co-Founder of Jscrambler, Rui Ribeiro has led the company since 2007 from bootstrapping to a growing business. Currently, he executes the company’s growth strategy and manages its vision and culture. With over 15 years of experience in the information technology …


Apple BlastDoor sandbox

Google Project Zero on Thursday disclosed details of a new security mechanism that Apple quietly added to iOS 14 as a countermeasure to prevent attacks that were recently found to leverage zero-days in its messaging app.

Dubbed “BlastDoor,” the improved sandbox system for iMessage data was disclosed by Samuel Groß, a security researcher with Project Zero, a team of security researchers at Google tasked with studying zero-day vulnerabilities in hardware and software systems.

“One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed ‘BlastDoor’ service which is now responsible for almost all parsing of untrusted data in iMessages,” Groß said. “Furthermore, this service is written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.”


The development is a consequence of a zero-click exploit that leveraged an Apple iMessage flaw in iOS 13.5.1 to get around security protections as part of a cyberespionage campaign targeting Al Jazeera journalists last year.

“We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections,” said Citizen Lab researchers, who revealed the attack last month.

BlastDoor forms the core of those new security protections, per Groß, who analyzed the implemented changes over the course of a week-long reverse engineering project using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.

When an incoming iMessage arrives, the message passes through a number of services, chief among them being the Apple Push Notification Service daemon (apsd) and a background process called imagent, which is not only responsible for decoding the message contents but also for downloading attachments (through a separate service called IMTransferAgent) and handling links to websites, before alerting the SpringBoard to display the notification.


What BlastDoor does is inspect all such inbound messages in a secure, sandboxed environment, which prevents any malicious code inside of a message from interacting with the rest of the operating system or accessing user data.

Put differently, by moving a majority of the processing tasks — i.e., decoding the message property list and creating link previews — from imagent to this new BlastDoor component, a specially-crafted message sent to a target can no longer interact with the file system or perform network operations.

“The sandbox profile is quite tight,” Groß noted. “Only a handful of local IPC services can be reached, almost all file system interaction is blocked, any interaction with IOKit drivers is forbidden, [and] outbound network access is denied.”

What’s more, in a bid to delay subsequent restarts of a crashing service, Apple has also introduced a new throttling feature in the iOS “launchd” process to limit the number of tries an attacker gets when seeking to exploit a flaw by exponentially increasing the time between two successive brute-force attempts.

“With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes,” Groß said.

“Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole.”

Amid the global pandemic, cybercriminals ramped up use of one of the oldest attack techniques around.

Distributed denial-of-service (DDoS) attacks have been a staple of adversary toolkits longer than perhaps any other attack technique. Yet its popularity among cybercriminals shows no signs of abating.

In fact, 2020 witnessed what some vendors are describing as a renaissance of the venerable attack technique. Amid major changes fostered by a global pandemic, cybercriminals deployed more DDoS attacks against more organizations in more industries than any time before. DDoS attacks became larger in volume, and the number of attacks exceeding 50 Gbps increased sharply as well.

Organizations targeted in DDoS attacks not only had to contend with volumetrically larger campaigns, but also attacks that combined multiple vectors at the same time — and in some cases lasted longer than ever before. One example is an attack that Akamai encountered last year, which topped 1.4 Tbps and 809 million packets per second.

The attacks, targeted at a large European bank and an Internet hosting company, combined as many as nine different attack vectors, including ACK Flood, NTP Flood, SYN Flood, UDP Flood, and SSDP Flood. Akamai says 65% of the DDoS attacks it mitigated in 2020 involved multiple vectors; one involved 14.

One of the most troubling trends for organizations that vendors reported observing was an increase in so-called ransom DDoS attacks (RDDoS), where adversaries tried extorting money from organizations by threatening them with massive DDoS attacks. Multiple vendors, including Akamai, Cloudflare, and Neustar, reported an uptick in these attacks starting around mid-2020.

“DDoS attacks are a more prevalent threat than ever,” says Michael Kaczmarek, vice president of product management at Neustar, which Thursday released a report summarizing DDoS activity it observed in 2020.

Sharp Uptick
Neustar’s data shows a 154% increase in the overall number of DDoS attacks between 2019 and 2020. The vendor observed an increase in the use of existing DDoS attack vectors, as well as an increase in RDDoS attacks.

The sheer quantity of attacks in 2020 was surprising, Kaczmarek says.

“We always expect the number of attacks to increase year over year and quarter over quarter, but we didn’t expect that the quantity would increase by over 150%,” he says. “This truly reflects the impact of the pandemic and the challenging precedent the ‘new normal’ has set for cybersecurity.”

The number of DDoS attacks that involved two or more vectors increased from 40% in 2019 to 72% in 2020, Kaczmarek added. “This means that the attackers as well as the tools they are using are improving,” he says.

According to Neustar, while the use of DDoS to try and extort ransoms is not new, these attacks grew in persistence, sophistication, and targeting in 2020. Cyber extortionists purporting to belong to well-known nation-state groups went after organizations in industries they have not regularly targeted previously, such as financial services, government, and telecommunications.

“RDDoS attacks surged in Q4 2020 as groups claiming to be Fancy Bear, Cozy Bear, and the Lazarus Group attempted to extort organizations around the world,” says Omer Yoachimik, product manager, DDoS protection at Cloudflare, another vendor that observed the same trend.

With many workforces continuing to be remote, cybercriminals are focusing on attacking organizations’ back-end infrastructure, which is being used to keep employees connected and productive while working from home, Yoachimik says.

Unlike some vendors, Cloudflare says it observed a decline in the overall number of DDoS attacks targeted at the network layer during Q4 2020 compared to the prior quarter. At the same time, though, there was a sharp uptick in network layer attacks that averaged over 500 Mbps and 50,000 packets per second and in attacks that lasted over 24 hours. 

“While the total number of L3/L4 DDoS attacks decreased, the number of larger attacks saw a surge,” Yoachimik says. This might be an indication that bad actors are launching fewer but larger attacks — attacks that are distributed, longer-lasting, and employing multiple attack vectors.

It’s hard to say for sure why large attacks have begun increasing in number, Yoachimik says. But he points to a couple of potential reasons. In Mauritius, the country with the highest level of DDoS attacks, a series of anti-government protests may be linked to the increased DDoS activity, he says. Romania, which ranks No. 2 in the list of countries where most DDoS attacks are launched, has the cheapest, super-fast broadband Internet anywhere. This has made it much easier for adversaries to launch volumetric attacks from within Romania, he says.

RDP Reflection/Amplification
In another twist, in 2020 adversaries also ramped up abuse of Microsoft’s RDP protocol for DDoS attack amplification/reflection, a study by Netscout uncovered. When enabled on UDP port 3389, the RDP service can be abused to amplify attacks by a ratio of almost 86:1, the company noted in a recent report.

Besides causing problems for targeted organizations, attacks leveraging the RDP protocol also inflicted collateral damage on organizations whose servers were used to launch the attacks, Netscout said. This included partial and even full interruption of remote-access services and other service disruptions caused by capacity consumption issues.

“We have seen this vector used as far back as [the second half of] 2019,” says Richard Hummel, Netscout’s manager of threat intelligence. “But the number of attacks increased 17% in just the [second half] of 2020. In total, we observed almost 12,000 attacks utilizing this vector in 2020.”

One factor driving interest in this attack vector is the easy access to Internet-exposed RDP services, he says.

“In recent weeks, we’ve seen a significant uptick in attacks leveraging this vector, leading us to believe it has been weaponized in such a way that automated tools and services can now take advantage of this protocol to abuse targets of DDoS attacks,” Hummel says.

He recommends that network operators conduct reconnaissance to identify Windows RDP servers that can be abused on their networks or of their downstream customers. “[They] should be accessible only via VPN services in order to shield them from abuse,” he says.

If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure, he advocates.
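The reconnaissance step Hummel recommends can be driven from flow data: a Windows host that is being used as an RDP reflector answers small UDP/3389 requests from many outside addresses with responses tens of times larger. The following is an added example, not code from the article or from Netscout; the flow records are constructed, the simplified NetFlow-style CSV layout and the local address range (192.0.2.0/24) are assumptions, and the 20:1 flagging threshold is a placeholder you would tune to your own baseline.

```python
"""Flag local hosts whose UDP/3389 (RDP) service is acting as a DDoS reflector.

Added example for the RDP reflection/amplification discussion. The flow export
below is constructed; the column layout (src,sport,dst,dport,proto,packets,bytes)
and the local network range are assumptions, not a real collector's format.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed: address space of the networks we operate (RFC 5737 test range here).
LOCAL_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample flows. 192.0.2.10 receives 60-byte UDP/3389 probes from two
# outside "sources" (the spoofed victims) and answers each with 5160 bytes, the
# ~86:1 ratio the article cites. 192.0.2.12 carries a normal UDP RDP session and
# 192.0.2.11 only speaks RDP over TCP, which reflection does not use.
SAMPLE_FLOWS = """\
203.0.113.7,40001,192.0.2.10,3389,udp,3,60
192.0.2.10,3389,203.0.113.7,40001,udp,12,5160
203.0.113.8,40002,192.0.2.10,3389,udp,3,60
192.0.2.10,3389,203.0.113.8,40002,udp,12,5160
198.51.100.20,50000,192.0.2.11,3389,tcp,40,6000
192.0.2.11,3389,198.51.100.20,50000,tcp,45,9000
198.51.100.21,50001,192.0.2.12,3389,udp,30,4500
192.0.2.12,3389,198.51.100.21,50001,udp,35,5200
"""


@dataclass(frozen=True)
class Flow:
    src: object
    sport: int
    dst: object
    dport: int
    proto: str
    packets: int
    nbytes: int


@dataclass
class HostStats:
    bytes_in: int = 0          # request bytes arriving at UDP/3389 from outside
    bytes_out: int = 0         # response bytes leaving UDP/3389 toward outside
    peers: set = field(default_factory=set)  # distinct outside addresses seen


def parse_flows(text):
    """Parse the constructed CSV export into Flow records, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        flows.append(Flow(ip_address(src), int(sport), ip_address(dst), int(dport),
                          proto.lower(), int(pkts), int(nbytes)))
    return flows


def is_local(addr, local_nets=LOCAL_NETS):
    return any(addr in net for net in local_nets)


def rdp_udp_stats(flows, local_nets=LOCAL_NETS):
    """Aggregate inbound/outbound UDP/3389 bytes per local host, outside peers only."""
    stats = defaultdict(HostStats)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 3389 and is_local(f.dst, local_nets) and not is_local(f.src, local_nets):
            s = stats[f.dst]
            s.bytes_in += f.nbytes
            s.peers.add(f.src)
        elif f.sport == 3389 and is_local(f.src, local_nets) and not is_local(f.dst, local_nets):
            s = stats[f.src]
            s.bytes_out += f.nbytes
            s.peers.add(f.dst)
    return stats


def find_reflectors(flows, local_nets=LOCAL_NETS, min_ratio=20.0):
    """Return local hosts whose UDP/3389 response:request byte ratio meets min_ratio.

    A legitimate RDP-over-UDP session is roughly symmetric; a reflector amplifies.
    """
    findings = []
    for host, s in rdp_udp_stats(flows, local_nets).items():
        if s.bytes_in == 0:
            continue  # nothing was asked of this host; cannot be reflecting
        ratio = s.bytes_out / s.bytes_in
        if ratio >= min_ratio:
            findings.append({"host": str(host), "ratio": round(ratio, 1),
                             "peers": len(s.peers)})
    return sorted(findings, key=lambda d: d["ratio"], reverse=True)


if __name__ == "__main__":
    for finding in find_reflectors(parse_flows(SAMPLE_FLOWS)):
        print(f"{finding['host']}: amplification {finding['ratio']}:1 "
              f"toward {finding['peers']} outside address(es); move behind VPN "
              f"or disable UDP/3389 per the interim advice above")
```

Hosts that surface here are the ones to move behind a VPN concentrator or, failing that, to stop serving RDP on UDP/3389; the TCP flows are ignored because the reflection vector the article describes is UDP-only.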

Kaczmarek points to several improvements that have been made on the mitigation front to help organizations minimize disruption from DDoS attacks. Among them are capabilities for identifying attacks sooner — such as the small test attacks that bad actors launch before the real one — so defensive measures can be implemented more quickly. Similarly, the availability of always-on mitigation services and advances in application security and Web application firewalls have made a difference, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


The pressure on small to medium-sized enterprises to protect their organizations against cyberthreats is astronomical. These businesses face the same threats as the largest enterprises and experience the same (relative) damages and consequences when breaches occur, but are forced to protect their organizations with a fraction of the resources.

Cybersecurity company Cynet just released findings from a survey of 200 CISOs in charge of small security teams (Download here) to shine “a spotlight into the challenges of small security teams everywhere.”

In addition to better understanding the challenges these CISOs face, the 2021 Survey of CISOs with Small Security Teams delves into the strategies CISOs will employ to ensure their organizations are protected from the ongoing onslaught of cyber threats – all while saddled with limited budgets and headcount.

The survey findings will also be presented in a live webinar, register here to attend.

Some Fascinating Findings

It was clear from the survey that CISOs with small security teams believe they are exposed to a higher risk than enterprises with larger security teams. These CISOs know they are being targeted with the same highly advanced threats and techniques as global enterprises, with only a fraction of the budget and manpower.

63% of CISOs surveyed feel that their risk of attack is higher compared to larger enterprises, which have larger teams, budgets, and tools in place. This sentiment is taking its toll, as a shocking 57% of CISOs admitted that their ability to protect their company is overtly lower than they would like it to be.

Consider that large global financial institutions typically spend over $500 million on cybersecurity annually with an IT security staff of several thousand employees. 70% of the CISOs in the survey have budgets of less than $1 million and five or fewer IT security specialists on staff.

While large global enterprises certainly have a much wider and deeper environment to protect, the threats are very similar, and therefore, the protections required are also similar. The surveyed companies simply do not have the budgets and bandwidth to protect themselves adequately. They know it, and the cybercriminals know it.

Top Challenges Protecting Against Cyber Threats

How Will These CISOs Protect Their Companies in 2021?

Beyond several additional insights regarding the current situation faced by CISOs with small security teams, the survey also delves into the plans these CISOs have for confronting cybersecurity in 2021. These CISOs know they have to do more with less and their overarching plans reflect it. 2021 initiatives fell into three main buckets.

Outsourcing

Roughly half of the companies are outsourcing threat detection and response to a Managed Detection and Response (MDR) service (53%), and the other half (47%) are using a Managed Security Services Provider (MSSP) service. One-third of those using an MDR said the most valuable service is 24/7 critical alerts and monitoring. This approach makes sense, as 47% of companies said their top challenge is that they don’t have adequate skills and experience to protect against cyber-attacks.

Automation

These CISOs know that they do not have sufficient staff to protect their organizations fully. 48% of CIOs revealed that they could have avoided some security incidents in 2020 if they had a bigger team. Unable to expand their teams, 80% of CISOs responded that they would like to invest more in automation, allowing their current teams to do more with less.

Consolidation

Almost half (49%) of the CISOs said that they need to consolidate security tools, and 43% felt that their team wasted time shifting between tool consoles. As a result, over this year, the CISOs will focus on consolidating security tools and platforms (61%) and replacing complex security technologies (52%).

This is also reflected in the fact that 38% of the CISOs plan to purchase an Extended Detection and Response (XDR) solution as it supports the automation, consolidation, and complexity reduction tactics prioritized by respondents.

Down, But Not Out

The tenacity exhibited by CISOs with small security teams is admirable. Based on the survey results, the CISOs know they have a daunting task ahead of them.

But, they are taking the proverbial bull by the horns and figuring out ways to improve their situation with the limited resources available.

If nothing else, the survey shows these struggling CISOs that they are in good company, fighting for the same things and forging into 2021 in lockstep with their brother and sister CISOs with small security teams.

Download the 2021 Survey for CISOs with small security teams here or register here to attend a live webinar

Lebanese Cedar APT

A “persistent attacker group” with alleged ties to Hezbollah has retooled its malware arsenal with a new version of a remote access Trojan (RAT) to break into companies worldwide and extract valuable information.

In a new report published by the ClearSky research team on Thursday, the Israeli cybersecurity firm said it identified at least 250 public-facing web servers since early 2020 that have been hacked by the threat actor to gather intelligence and steal the companies’ databases.

The orchestrated intrusions hit a slew of companies located in the U.S., the U.K., Egypt, Jordan, Lebanon, Saudi Arabia, Israel, and the Palestinian Authority, with a majority of the victims representing telecom operators (Etisalat, Mobily, Vodafone Egypt), internet service providers (SaudiNet, TE Data), and hosting and infrastructure service providers (Secured Servers LLC, iomart).


First documented in 2015, Volatile Cedar (or Lebanese Cedar) has been known to penetrate a large number of targets using various attack techniques, including a custom-made malware implant codenamed Explosive.

Volatile Cedar has been previously suspected of Lebanese origins — specifically Hezbollah’s cyber unit — in connection with a cyberespionage campaign in 2015 that targeted military suppliers, telecom companies, media outlets, and universities.


The 2020 attacks were no different. The hacking activity uncovered by ClearSky matched operations attributed to Hezbollah based on code overlaps between the 2015 and 2020 variants of the Explosive RAT, which is deployed onto victims’ networks by exploiting known 1-day vulnerabilities in unpatched Oracle and Atlassian web servers.

Using the three flaws in the servers (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) as an attack vector to gain an initial foothold, the attackers then injected a web shell and a JSP file browser, both of which were used to move laterally across the network, fetch additional malware, and download the Explosive RAT, which comes with capabilities to record keystrokes, capture screenshots, and execute arbitrary commands.

“The web shell is used to carry out various espionage operations over the attacked web server, including potential asset location for further attacks, file installation, server configuration and more,” the researchers noted, but not before obtaining escalated privileges to carry out the tasks and transmit the results to a command-and-control (C2) server.

In the five years since the Explosive RAT was first seen, ClearSky said new anti-debugging features were added to the implant in its latest iteration (V4), with the communications between the compromised machine and the C2 server now encrypted.

While it’s not surprising for threat actors to keep a low profile, the fact that Lebanese Cedar managed to stay hidden since 2015 without attracting any attention whatsoever implies the group may have ceased operations for prolonged periods in between to avoid detection.

ClearSky noted that the group’s use of a web shell as its primary hacking tool could have been instrumental in leading researchers to a “dead-end in terms of attribution.”

“Lebanese Cedar has shifted its focus significantly. Initially they attacked computers as an initial point of access, then progressed to the victim’s network then further progressing (sic) to targeting vulnerable, public facing web servers,” the researchers added.