
Security Bytes - Issue 1

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, and industry leadership, with multiple patent-winning recognitions for innovation in security solutions.

This week three news items stood out for me. First, Apple is automating CAPTCHA verification, which opens up an interesting conversation. Spyware is big business, and various reports and activities, especially over the last 3-5 years, show that businesses are getting access to government-level zero-day exploits. Finally, researchers attribute cyberespionage activity to a government-sponsored group hiding behind a ransomware attack.

Computer Tricking Computers

Invented in 1997 and coined CAPTCHA in 2003, the “Completely Automated Public Turing test to tell Computers and Humans Apart” protocol was intended to ensure that a computer was interacting with a human, as opposed to a script, bot, or malware. This week Apple announced a feature in iOS 16 called Automatic Verification that will allow your iOS-powered device to automate the CAPTCHA response, effectively making it moot.

Automation is the future, but as we move forward, we have to be mindful of automating potentially key steps simply because they are an inconvenience. And security, let’s be honest, can be exceedingly inconvenient. There are a couple of lessons for the security industry here: 1) if you become a barrier, people will automate around you, and 2) embrace solutions that minimize inconvenience while maximizing security and security options.

The vCISO practice can help organizations better understand and improve their customer and user interactions with their environment from a security perspective. Advances in a wide range of technology, such as facial recognition, CASB, SASE, MFA, Zero Trust models, and the advent of FIDO, provide organizations with a lot of options. The vCISO practice can help organizations look at how these technologies and standards can be applied to improve the user experience while simultaneously improving security.

Links:

https://www.theregister.com/2022/06/21/believe_it_or_not_apple/

Spying is Big Business

Google’s Threat Analysis Group (TAG) released a new report this week detailing an Italian spyware vendor selling technology, used on victims in Italy and Kazakhstan, that leveraged zero-day vulnerabilities. In fact, TAG noted that 7 of the 9 zero-days they discovered in 2021 were developed by commercial companies and sold to government agencies. They go on to note that more than 30 vendors are selling exploits to government-sponsored groups, but added that commercial surveillance companies, i.e., high-end spyware vendors (e.g., NSO Group and their Pegasus Project), are now gaining access to capabilities historically only accessible to deep government pockets.

Moreover, just last week reports from Lookout described a link between Hermit, an enterprise-level surveillance malware, and the Italian company RCS, again showing how spyware for hire is huge business. Italy has some history in this space, such as CloudEye from 2020 and other similar companies and organizations deploying highly impactful tools for spying by governments, state-sponsored groups, businesses, and criminal organizations.

There are a few take-aways for companies on this topic. First, there is enterprise-grade, highly sophisticated spyware available on the market that can be easily used against your company by governments, NGOs, competitors, or any entity that has an interest in what you and your teams are doing. Secondly, the zero-day exploits being developed and traded across these communities have been, and will continue to be, leaked into the wild, effectively arming every hacker.

For clients it comes down to a threat assessment: understanding the threats that pose a potential risk and categorizing them based on TTPs, motivation, and what the organization represents to an adversary. The vCISO practice can assist in evaluating threats and characterizing them in a manner that can be prioritized. From there, the identified threat practices and tactics can be used to refine protective measures.

Links:

Article: https://therecord.media/google-seven-zero-days-in-2021-developed-commercially-and-sold-to-governments/

Lookout: https://securityaffairs.co/wordpress/132363/malware/hermit-spyware-italian-surveillance-firm.html

Google’s report: https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/

The Tornado in the Hurricane

Researchers from Secureworks’ Counter Threat Unit (CTU) published a compelling report on a specific loader used to implant RATs (remote access trojans) in a manner that is wrapped inside a ransomware attack. Based on the threat tactics combined with the observed ransomware attack strategy, there is convincing evidence that it is likely Chinese government-sponsored groups are using ransomware as a distraction, appearing as a financially motivated attack, to cover for targeted cyberespionage.

It is a proven tactic to camouflage a “real” attack in the chaos of a headline-grabbing, panic-inducing attack, like DDoS and, of course, ransomware. This research provides the basis for, at a minimum, confirming what we inherently know is happening but find difficult to address directly. The challenge facing organizations is coming to grips with the likelihood that, when you are under attack, multiple threat dynamics, TTPs, and targets are in play simultaneously.

The vCISO practice can help in multiple ways. For starters, we can review incident response plans and processes to ensure that key practices for detecting all of the threats are incorporated into the plan and its execution across the organization. More broadly, we can assess monitoring and detection capabilities and practices to determine the ability to address a multi-threat attack.

Links:

Research: https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader

About vCISO

The vCISO (Virtual Chief Information Security Officer) practice comprises a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost-effective and resource-efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise at a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.