Tuesday, April 23, 2024

ATT&CK v15 Brings the Action

ATT&CK v15 Brings the Action: Upgraded Detections, New Analytic Format, & Cross-Domain Adversary Insights

v15 is all about actionability and bringing defenders’ reality into focus — we prioritized what you need to detect, and how you can do it more effectively with detection engineering upgrades, and deeper intelligence insights across platforms. This release also reflects the new expansion rhythm, balancing both well-known and emerging behaviors to reflect how trends and activity are experienced in the field.

For the details on our updates/additions across Techniques, Software, Groups and Campaigns take a look at our release notes, our detailed changelog, or our changelog.json.

Enterprise | Familiar + Novel = Reality

With v15 we were aiming for the perfect balance of familiar behaviors you’ve probably seen countless times (e.g., T1027.013: Obfuscated Files or Information: Encrypted/ Encoded File, T1665: Hide Infrastructure), as well as newer, emerging trends. The shadowy domain of Resource Development was expanded to illuminate how adversaries are using generative artificial intelligence tools, like large language models (LLMs), to support various malicious activities (T1588.007: Obtain Capabilities: Artificial Intelligence). And it’s not just about gaining initial access anymore — we added T1584.008: Compromise Infrastructure: Network Devices to capture how threat groups are hacking into third-party network devices, including small office/home office routers, to use these devices to facilitate further targeting.

Cloud | More Actionability

As outlined in the ATT&CK 2024 Roadmap, we’re striving to make the Cloud matrix more approachable for defenders of all skill levels. With this release, we focused on providing a broader set of defensive measures, resources, and insights for CI/CD pipelines, Infrastructure as Code (IaC), and Identity. v15 features new mitigations and data sources on token protection, along with more specific references to Okta logs. T1072: Software Deployment Tools was expanded to include broad execution of T1651: Cloud Administration Command, reflecting how threat actors are turning cloud native tools like AWS Systems Manager into remote access trojans.

We ramped up resources for CI/CD pipelines and IaC, and made some refinements to Identity, with the expansion of T1484: Domain Policy Modification to include not just Azure AD, but also other identity-as-a-service providers like Okta. T1556: Modify Authentication Process gained a new sub (T1556.009: Conditional Access Policies) exploring how threat actors have tampered with or disabled conditional access policies for ongoing access to compromised accounts. We also expanded T1136.003: Create Account: Cloud Account with additional service account insights.

What’s Next: v16 will feature robust identity and detection updates, as well as the platform rebalancing operations, where we’re focusing on covering a wider range of cloud environments and threats, while making it more intuitive to prioritize techniques relevant to a specific platform.

Defensive Coverage | Upgrading, Converting & Restructuring Defensive Measures

You’ll find expanded detections in v15 to assist your detection engineering. Previously, we structured our analytics in a pseudo format that was consistent with the Cyber Analytic Repository (CAR). In some cases this was hard to understand.

In v15, we transformed that format into a real-world query language style (like Splunk) that is compatible with various security tools. These upgrades are featured in detections across the framework including some techniques within the Execution tactic.

Our aim with these upgrades, is to reflect the data source itself is the data you should be collecting, and to provide an understandable format that pairs well with every day defender tools (i.e. SIEMs and Sensors).

We have also synced up some mitigations within the parent to sub-technique relationship. Our team has analyzed a list of sub-techniques that had mitigations that the parent technique did not have. In v15, you will find some parent techniques now reflect what mitigations are seen in the sub-technique.

What’s Next: As we gear up for October, we’ll be completing the Execution detections, refining Credential Access detections, diving into Cloud analytics, and restructuring our data sources for better accessibility.

ICS | Cross-Domain Campaigns

We’ve been working to retrofit major incidents in the ICS space to improve understanding and showcase how ICS and enterprise techniques intersect in each event. V15 illuminates some of the ICS-Enterprise integration efforts, with the release of four cross-mapped campaigns:

· Starting with Triton, the Safety Instrumented System attack of 2017 that shook the petrochemical industry to its core.

· Then there’s C0032, a campaign spanning various utilities from 2014 to 2017, often grouped with the petrochemical incident but distinctly different in nature.

· Next up, Unitronics, a spree that zeroed-in on specific devices and impacted utilities and organizations worldwide. This campaign saw adversaries disrupting device interfaces to make them unusable for end users.

· Fast forward to 2022 Ukraine Electric Power, where we witnessed a glimpse into the future of ICS attacks, with hypervisor features and shared domain access exploited to infiltrate ICS systems and unleash havoc. The campaign highlights key considerations regarding hypervisor usage across multiple domains, and the abuse of native features in vendor software.

2022 Ukraine also spawned two new ICS techniques that are featured in this release: T0895: Autorun Image and T0894:System Binary Proxy Execution via vendor application binaries.

What’s Next: v16 will launch ICS sub-techniques, along with a structured cross-walk to enable mapping between deprecated and new techniques. We’ll also be releasing new asset coverage and updates on our exploration into incorporating more sectors into the ICS matrix.

Mobile | New Techniques, Software, Groups & Mitigations

With help from our community, this release incorporates new techniques, including — exploiting software vulnerabilities for initial access and adversaries performing active and automated discovery for the lowdown on your network setup — and incorporated fresh software and groups. We also added a new mitigation to the Mobile matrix, M1059 Do Not Mitigate (for Mobile) as a sneak peek to the new mitigations that will be added in future releases. This release also features the first Mobile campaign, C0033, associated with PROMETHIUM (G0056). The group primarily targets Windows devices, however, recent reporting and external contributions demonstrated a shift to mobile exploitation on Android and iOS devices.

We added in Mobile techniques to existing Groups and Software to illuminate the shift to include mobile exploitation. This includes building out the APT-C-23 (G1028) profile, mirroring this South American threat group’s targeting of Android and iOS devices, and recording how BITTER (G1002) has distributed malicious apps via SMS, WhatsApp, and various social media platforms.

What’s Next: In the coming months, we’ll be rolling out more structured detections, and boosting proactivity across Mobile by evaluating incorporation of pre-intrusion techniques, like active and passive reconnaissance, and acquiring or developing resources for targeting.

Cyber Threat Intelligence | More Cybercriminal, Underrepresented Groups

We’re working towards better reflecting the threat landscape by infusing the framework with more cybercriminal and underreported adversary activity. This release showcases new cybercriminal operations and highlights Malteiro, a criminal group believed to be based in Brazil. They are known for operating and distributing the Mispadu/URSA banking trojan through a malware-as-a-service model. Banking trojans, a notorious threat in Latin America, are increasingly spreading their chaos across borders, courtesy of malware developers selling tools to overseas operators. Malteiro’s operations exemplify this targeting shift, evident in a recent campaign affecting European entities across various sectors.

What’s Next: We’ll continue conducting thorough assessments of Groups, Software, and Campaigns to up the framework realism quotient and provide clearer insights into adversary activities. We’re also teaming up with ATT&CK domain leads to expand coverage of cross-domain intrusions.

Software Dev | TAXII 2.1, FTW

We’ve been working towards our goals of enhancing Navigator’s usability and streamlining processes for ATT&CK Workbench. Most importantly, we’re taking our TAXII server to new heights, and by December 18, we’ll be retiring the TAXII 2.0 server and transitioning to the upgraded TAXII 2.1 version. You can locate the documentation for the TAXII 2.1 server in our GitHub repository.

What’s Next: We’ll be continuing to enhance usability on ATT&CK Workbench and Navigator, and building towards swifter Groups and Software releases. Mark your calendars to update the URLs for TAXII 2.1 clients to connect to https://attack-taxii.mitre.org instead of https://cti-taxii.mitre.org!

In Conclusion | Field Reports, Benefactors

We’re always on the lookout for field reports and insights from those of you on the ground. Your observations play a crucial role in improving ATT&CK’s tactical utility — so remember, if you see something, contrib something. Curious about how a contribution becomes a technique? Check out our video that walks you through the process.

If you’re interested in contributing to ATT&CK’s overall autonomy, flexibility, and free services, you can find more details on our Benefactor page. We are deeply grateful to our initial cohort of benefactors, SOC Prime, Tidal Cyber, and Zimperium, for their generous support.

ATT&CK v15 Brings the Action was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.

from MITRE ATT&CK™ https://ift.tt/xat1mEB

Netgate Releases pfSense Plus Software Version 24.03


With over 10 million deployments across homes, small businesses, enterprises, service providers, and governments, pfSense® is the world’s leading open-source-driven firewall, router, and VPN solution for network edge and cloud secure networking. 

We are excited to announce that pfSense® Plus software version 24.03-RELEASE is now available. Release notes are available for review. 

Major Changes and Features

Significant changes in this release include an improved update process using ZFS snapshots, the ability to export packet flow data, an enhanced gateway recovery process, and changes to the default state policy for increased security. The release also addresses several bugs and other issues. 

  • Introducing Default Password Control: In response to mandates from various regulatory bodies both in the US and Internationally, pfSense Plus 24.03 now implements stringent measures regarding default passwords. Any attempt to use default passwords will be met with a mandatory reset requirement, applicable across both the User Interface (UI) and Command Line Interface (CLI). As part of our commitment to best practices, we strongly advise all pfSense users to proactively adopt this change. By doing so, you bolster the security posture of your system and align with evolving compliance standards, ensuring a safer and more resilient network environment.

  • Enhanced Update Process using ZFS snapshots: This latest release introduces significant improvements to the software update mechanism, leveraging the capabilities of the ZFS file system to bolster stability and minimize downtime throughout the update process. These enhancements not only fortify the reliability of pfSense Plus but also furnish administrators with potent tools, particularly beneficial for those utilizing system snapshots to establish diverse pfSense Plus environments for testing purposes. This empowers administrators with the flexibility to quickly revert to a predetermined environment should the need arise, enhancing the overall manageability and resilience of the system.

Learn More

  • Packet Data Flow Export: A notable addition to this release is the capability to export packet flow data to external collectors via the NetFlow v5 or IPFIX protocol. This feature enables administrators to extract valuable insights from network traffic, which is essential for effective network management. By analyzing flow data, administrators can address various challenges such as optimizing application response times, implementing usage-based accounting, profiling traffic patterns, fine-tuning traffic engineering strategies, detecting potential security threats or intrusions, monitoring Quality of Service (QoS) metrics, and much more. This enhancement equips administrators with powerful tools to enhance network visibility and make informed decisions regarding network performance and security.

Learn More

  • Gateway Recovery: Another change is an enhanced gateway recovery process with options to reset connections made through a backup gateway while the primary gateway is offline. This feature will allow connection fail-back to a primary gateway after downtime, which can be especially useful for metered links.

Learn More

  • State Policy Default Change: For increased security, the default State Policy in pfSense Plus 24.03 software and later releases is changing from Floating states to Interface-bound states.

Learn More

  • Upgrade VPN capabilities: We're excited to announce two major upgrades: Mobile Group Pools and performance enhancements. With the introduction of "Mobile Group Pools," users can access a dedicated tab to configure additional address pools and, if necessary, a DNS server, which may be especially beneficial for larger organizations. This feature allows organizations employing group authentication to define extra address pools for specific user categories, enhancing flexibility to meet diverse requirements

Additionally, we're focused on reducing processing overhead and enhancing performance by updating the IPsec-MB kernel module (iimb.ko) to Intel's latest upstream version 1.5. This update includes optimizations for CPUs supporting AVX512 and AVX2, ensuring smoother operations and improved efficiency. These advancements aim to elevate user experience while maintaining high-performance standards.

Learn More

  • Updated IPsec-MB kernel module: We focused on reducing processing overhead and enhancing performance by updating the IPsec-MB kernel module (iimb.ko) to Intel's latest upstream version 1.5. This update includes optimizations for CPUs supporting AVX512 and AVX2, ensuring smooth operations and improved efficiency. These advancements aim to elevate user experience while maintaining high-performance standards.

  • High Availability on AWS: We're excited to announce the release of High Availability (HA) for pfSense Plus software on AWS. This release builds upon the standard HA features customers have leveraged in data centers, branches, and remote offices worldwide, with additional AWS-specific features that enable fast failover and maintaining connectivity to critical cloud workloads and services. This feature was added to meet the mission-critical needs of enterprise and government customers requiring uninterrupted services in their AWS deployments. With HA on AWS, customers can meet uptime requirements and internal SLAs while safeguarding mission-critical operations within AWS.

Installing the Upgrade

Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.

Users currently running pfSense Plus software

Upgrades from an earlier version of pfSense Plus software are usually made through the user interface. Before any major change, such as an upgrade, it’s always recommended to save a backup of the pfSense Plus configuration. You can find Backup and Recovery instructions in the pfSense documentation.

  • Navigate to System > Update

  • Set Branch to “Current Stable Version (24.03)

  • Click Confirm to start the upgrade process

Users currently running pfSense Community Edition (CE) software

We encourage you to migrate from pfSense CE software to pfSense Plus software. Doing so will ensure you have access to all of the benefits of pfSense Plus software. You can find details on how to get pfSense Plus software here.

Troubleshooting the Upgrade

Please review the documentation on Troubleshooting Upgrades for the most up-to-date information on working around upgrade issues.

This pfSense Plus software release is ready for use in production environments. Should any issues arise, please post to our forum or contact Netgate Technical Assistance Center (TAC) for paid support.

Supporting the Project

When you purchase Netgate hardware, TAC, or AWS/Azure cloud instances, you directly sustain the engineering teams responsible for maintaining high quality pfSense software. 

You may support this work through one or more of the following:

  • Purchase an official appliance directly from Netgate or from our worldwide reseller partner network. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Purchase TAC support which provides you with direct access to Netgate Global Support
  • Purchase Professional Services, which provides access to our most senior engineers for more complex projects outside the scope of TAC support.
  • Use a genuine pfSense Plus instance from Netgate to connect and protect your cloud workloads on AWS and Azure.

Our efforts are made possible by the support of our customers and the community, and for that we express our sincere thanks. This involvement makes the pfSense project a stronger solution for everyone.

from Blog https://ift.tt/XG4f83e

Modern SaaS Data Security Basics

Securing critical data is a vital security focus for IT ops and SecOps. Data is exploding at an unprecedented rate. Arguably, it is the target of most cyberattacks to either hold data hostage, leak it, or otherwise intentionally expose it for nefarious processes. Let’s look at zero-trust principles and how organizations can implement better data security using a multi-layer strategy.

Principles of zero trust

Organizations worldwide are recommended to adopt an ideology called zero trust. With zero trust, several methodologies help to protect your data. Note the following directives with zero trust:

  • You need to verify everything explicitly
  • There are no assumed “trusted” devices or users
  • Assume that you have a hacker in your network. Yes, seriously, you need to assume your environment is breached, which helps to set the expectations for handling security

If you can apply these principles to your data, it will accelerate your adoption and move to a zero-trust environment.

Understanding data states

One of the essential concepts to understand when dealing with data security is that data exists in different states. Depending on the state the data is in, different means may be available or used to protect your data from breaches. Note the following:

  • Data in transit
  • Data in use
  • Data at rest

When data is transmitted across the network, it is considered in transit. When data moves, it can be potentially exposed to risks and vulnerabilities within the local network or across the Internet. Encryption “in-flight” is often used to encrypt data as it moves across the network.

Data in use is data that is being actively accessed or used. When data is in use, it can include reading, processing, or making changes. When you think about data “at risk”, this is truly what data in use is. After all, it is open to the user and the app they are using to interact with the data. Organizations can implement data protection policies to help protect data that is used or accessed.

Data at rest is data that is inactive. When data is not being used or moving across the network, it is at rest on storage. In this state, it is at less risk than when it is being used, in motion, or in transit. At-rest disk encryption ensures that data stored on disk is encrypted.

Classify and discover your data

When thinking about data security, it is important to discover and classify all data assets. Organizations are amassing large amounts of data, and this trend is growing exponentially.

Due to the enormous amount of data, businesses can’t discover and classify all data using manual means. Instead, automated data discovery and classification tools, along with a few manual methods, are critical.

Automated discovery and classification tools like those in Microsoft 365 solutions allow organizations to discover and classify data using automation. It puts them in a much better position to explicitly implement a zero-trust principle of verifying.

What is sensitive data?

Not all data is deemed as “sensitive”. Sensitive data usually falls into specific categories. It is important to realize that data may need to be protected differently depending on its status and whether it is deemed sensitive.

Sensitive data may also be different types of information for various organizations. However, sensitive data is generally any information you need to protect from unauthorized access. In addition to technology-based protections, physical security may also be needed.

Organizations may deem data sensitive due to the following:

  • Personal privacy
  • Regulatory or compliance requirements
  • Intellectual property
  • Ethical or legal requirements

Protecting sensitive data

With the enormous amount of potentially sensitive business-critical data, organizations must understand which data is sensitive and apply proper controls and access policies to this data. Again, you can’t correctly control or create access policies if you don’t first classify and discover your data with the right tools.

Tools like Microsoft 365 have sensitivity labels that essentially apply a virtual stamp on a piece of data that denotes sensitive data. These sensitivity labels are like metadata that isn’t visible to the apps that consume the data but can be easily integrated into zero-trust workflows.

For instance, once a sensitivity label is applied to an email, document, invite, or other data, the protection settings configured for the sensitivity label are automatically applied. These labels may be used to:

  • Control access to content or apply encryption
  • Mark the content as sensitive
  • Protect content in containers
  • Apply labels automatically to files and emails
  • Set default link types

Below is a sensitivity label applied to an email message.

Below is a sensitivity label applied to an email message

Data loss prevention

A crucial part of protecting sensitive data is ensuring that users do not inappropriately share sensitive data with those who shouldn’t have access to it. The practice of making sure others don’t have access to sensitive data and users can’t overshare this type of data is called data loss prevention (DLP).

Again, only manual attempts by administrators to prevent improper sharing generally come up short. Today, organizations leveraging SaaS solutions like Microsoft 365 need automated solutions for DLP.

Microsoft Purview is Microsoft’s solution in M365 that allows admins to apply policies to define how data is identified, monitored, and protected.

Purview uses deep content analysis to understand the true nature of the content and not just a simple text scan. What does the content analysis use to determine whether or not data is sensitive?

  • Keywords for primary data matches
  • Regular expressions and internal function validation
  • Secondary data matches that are close to the primary data match
  • Machine learning algorithms to detect content that matches DLP policies

Purview uses deep content analysis to understand the true nature of the content and not just a simple text scan

Microsoft Purview is a solution that is available for setup from your Azure Portal and allows onboarding your environment into Purview for DLP policies.

Microsoft Azure | Create Microsoft Purview account

Here is an example of alerts generated with a policy match on an end-user client machine.

Generated with a policy match on an end-user client machine

Depending on which DLP controls Microsoft service, there is some disparity between how the DLP scans run in the Microsoft 365 cloud.

For example, in SharePoint and OneDrive, DLP scans existing and new items and generates alerts when matches are found with a DLP policy. In Exchange, only new emails are scanned, and an alert is generated if a DLP policy matches. It does not scan previous emails.

BitLocker encryption

Another core data security requirement is ensuring data at the endpoint is secured. BitLocker is a standard encryption solution from Microsoft that encrypts entire volumes of data. BitLocker encryption helps to ensure that data remains secure if the device is lost or stolen or is not properly recycled.

Data is inaccessible due to the BitLocker encryption in place, even if the drive is moved to another computer or an attacker runs a software tool against the drive.

Modern BitLocker encryption also works with the Trusted Platform Module (TPM) to help further secure data. With the TPM device, BitLocak can lock the machine startup process until a PIN is supplied from a user or a startup key is inserted.

Modern BitLocker encryption also works with the Trusted Platform Module (TPM) to help further secure data

Device encryption is a new feature in Windows that allows BitLocker encryption to be enabled automatically. Unlike traditionally enabling BitLocker, device encryption is enabled automatically to protect the device. BitLocker is initialized on the OS drive as part of a clean installation of Windows that supports the Modern Standby or HSTI security requirements.

Wrapping up

Modern data security requires organizations to consider many aspects of their data security strategy. It starts with understanding what data you have, where it is located, whether it is sensitive, and automating much of this process using robust technology tools. Also, tools like Microsoft Purview can be used to apply DLP policies and BitLocker encryption to secure data at rest and on end-user client devices. Data is the new gold, and only organizations that use and protect it correctly will succeed and thrive.

from StarWind Blog https://ift.tt/nbRMQga

Suspected CoralRaider continues to expand victimology using three information stealers

Suspected CoralRaider continues to expand victimology using three information stealers

By Joey Chen, Chetan Raghuprasad and Alex Karkins. 

  • Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
  • Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
  • This campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious HTA file and payload. 
  • Talos assesses with moderate confidence that the threat actor CoralRaider operates the campaign. We observed several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.  

Victimology and actor infrastructure

The campaign affects victims across multiple countries, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey, based on our telemetry data and OSINT information. Our telemetry also disclosed that some affected users were from Japan’s computer service call center organizations and civil defense service organizations in Syria. The affected users were downloading files masquerading as movie files through the browser, indicating the possibility of a widespread attack on users across various business verticals and geographies.

Suspected CoralRaider continues to expand victimology using three information stealers

We observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to deceive network defenders. 

CDN edge URLs 

Information Stealer






Cryptbot, Rhadamanthys








Cryptbot, LummaC2



Talos discovered that the actor is using multiple C2 domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing. 

Suspected CoralRaider continues to expand victimology using three information stealers

Tactics, techniques and procedures overlap with other campaigns 

Talos assesses with moderate confidence that threat actor CoralRaider is likely operating this campaign based on several overlaps in the TTPs used and the targeted victims’ geography of this campaign with that of the CoralRaider’s Rotbot campaign. We spotted that the PowerShell scripts used in the attack chain of this campaign to decrypt the PowerShell scripts of further stages and the downloader PowerShell script are similar to those employed in the Rotbot’s campaign.

Suspected CoralRaider continues to expand victimology using three information stealers

Suspected CoralRaider continues to expand victimology using three information stealers

PowerShell decryptor script of Rotbot campaign (left) and new unknown campaign (right).

Suspected CoralRaider continues to expand victimology using three information stealers

Suspected CoralRaider continues to expand victimology using three information stealers

String decrypt and download routine of Rotbot campaign (Left) and new unknown campaign (right).

The Powershell script did not appear in any public repository or article, indicating the threat actor likely developed these PowerShell scripts. Pivoting on the PowerShell argument embedded in the LNK file showed us that such arguments are not popular and likely specific to the actor and the campaign.  

.(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')

Multi-stage infection chain to deliver the payload 

Suspected CoralRaider continues to expand victimology using three information stealers

The infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique, according to our telemetry. The threat actor is likely delivering malicious links to victims through phishing emails.

The Windows shortcut file has an embedded PowerShell command running a malicious HTA file on attacker-controlled CDN domains. HTA file executes an embedded Javascript, which decodes and runs a PowerShell decrypter script. PowerShell decrypter script decrypts the embedded PowerShell Loader script and runs it in the victim’s memory. The PowerShell Loader executes multiple functions to evade the detections and bypass UAC, and finally, it downloads and runs one of the payloads, Cryptbot, LummaC2 or Rhadamanthys information stealer.

Windows Shortcut file to execute the malicious HTA file

Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine. The threat actor has used “gp,” a PowerShell command alias for Get-ItemProperty, to read the registry contents of the application classes registry key and gets the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance executes the remotely hosted malicious HTA file on the victim’s machine. 

Suspected CoralRaider continues to expand victimology using three information stealers

Obfuscated HTA runs embedded PowerShell decrypter  

The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function using the String fromCharCode method. The decoded function then executes an embedded PowerShell decryptor script. 

Suspected CoralRaider continues to expand victimology using three information stealers

The decryptor PowerShell script has a block of AES-encrypted string. Using the AES decryptor function, it generates an AES key of 256 bytes from a base64 encoded string “RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=” and the IV “AAAAAAAAAAAAAAAA.” With the key and IV, it decrypts and executes the next stage of the PowerShell Loader script. 

Suspected CoralRaider continues to expand victimology using three information stealers

PowerShell loader downloads and runs the payload

The PowerShell loader script is modular and has multiple functions to perform a sequence of activities on the victim’s machine. Initially, it executes a function that drops a batch script in the victim machine’s temporary folder and writes its contents, which includes the PowerShell command to add the folder “ProgramData” of the victim machine to the Windows Defender exclusion list. 

The dropped bath script is executed through a living-off-the-land binary (LoLBin) “FoDHelper.exe” and a Programmatic Identifiers (ProgIDs) registry key to bypass the User Access Controls (UAC) in the victim’s machine. Fodhelper is a Windows feature, an on-demand helper binary that runs by default with high integrity. Usually, when the FodHelper is run, it checks for the presence of the registry keys listed below. If the registry keys have commands assigned, the FodHelper will execute them in an elevated context without prompting the user. 




Windows Defender, by default, detects if there are attempts to write to the registry keysHKCU:\Software\Classes\ms-settings\shell\open\command and to evade this detection, the threat actor uses the programmatic identifier (ProgID). In Windows machines, a programmatic identifier (ProgID ) is a registry entry that can be associated with a Class ID (CLSID ), which is a globally unique serial number that identifies a COM (Component Object Model) class object. The Windows Shell uses a default ProgID registry key called CurVer, which is used to set the default version of a COM application. 

In this campaign, the threat actor abuses the “CurVer” registry key feature by creating a custom ProgID “ServiceHostXGRT” registry key in the software classes registry and assigns the Windows shell to execute a command to run the batch script. 

Registry Key




The script configures the ProgID ServiceHostXGRT in the CurVer registry subkey of HKCU\Software\Classes\ms-settings\CurVer, which will get translated to HKCU:\Software\Classes\ms-settings\shell\open\command. After modifying the registry settings, the PowerShell script runs FoDHelper.exe, executing the command assigned to the registry key HKCU:\Software\Classes\ms-settings\shell\open\command and executing the dropped batch script. Finally, it deletes the configured registry keys to evade detection. 

Suspected CoralRaider continues to expand victimology using three information stealers

The batch script adds the folder “C:\ProgramData” to the Windows Defender exclusion list. The PowerShell loader script downloads the payload and saves it in the “C:\ProgramData” folder as “X1xDd.exe.”

Suspected CoralRaider continues to expand victimology using three information stealers

After downloading the payload to the victim’s machine, the PowerShell loader executes another function that overwrites the previously dropped batch file with the new instructions to run the downloaded payload information stealer through the Windows start command. It again uses the same FoDHelper technique to run the batch script’s second version, which we explained earlier in this section.  

Suspected CoralRaider continues to expand victimology using three information stealers

Actor’s choice of three payloads in the same campaign 

Talos discovered that the threat actor delivered three famous information stealer malware as payloads in this campaign, including CryptBot, LummaC2 and Rhadamanthys. These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets and financial information. 


CryptBot is a typical infostealer targeting Windows systems discovered in the wild in 2019 by GDATA. It is designed to steal sensitive information from infected computers, such as credentials from browsers, cryptocurrency wallets, browser cookies and credit cards, and creates screenshots of the infected system. 

Talos has discovered a new CryptBot variant distributed in the wild since January 2024. The goal of the new CryptBot is the same, with some new innovative functionalities. The new CryptBot is packed with different techniques to obstruct malware analysis. A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with unknown versions. The new CryptBot attempts to steal sensitive information from infected machines and modifies the configuration changes of the stolen applications. The list of targeted browsers, applications and cryptocurrency wallets by the new variant of CryptBot is shown below.

Suspected CoralRaider continues to expand victimology using three information stealers

We observed the new CryptBot variant also includes password manager application databases and authenticator application information in its stealing list to steal the cryptocurrency wallets that have two-factor authentication enabled. 

Suspected CoralRaider continues to expand victimology using three information stealers

CryptBot is aware that the target applications in the victim’s environment will have different versions, and their database files will have different file extensions. It scans the victim’s machine for database files’ extensions of the targeted applications for harvesting credentials. 

Suspected CoralRaider continues to expand victimology using three information stealers


Talos discovered that the actor is delivering a new variant of LummaC2 malware as an alternative payload in this campaign. LummaC2 is a notorious information stealer that attempts to harvest information from victims’ machines. Based on the report posted by outpost24 and other external security reports, LummaC2 has already been confirmed to be sold on the underground market for years. 

The threat actor has modified LummaC2’s information stealer capability and obfuscated the malware with a custom algorithm. The obfuscation algorithm is saved in another section inside the malware shown below.

Suspected CoralRaider continues to expand victimology using three information stealers

The new version of LummaC2 also presents the same signature of the alert message displayed to the user during its execution. 

Suspected CoralRaider continues to expand victimology using three information stealers

The C2 domains are encrypted with a symmetric algorithm, and we found that the actor has nine C2 servers that the malware will attempt to connect to one by one. Analyzing various samples of the new LummaC2 variant, we spotted that each will use a different key to encrypt the C2.   

Suspected CoralRaider continues to expand victimology using three information stealers

Talos has compiled the list of nine C2 domains the new LummaC2 variant attempts to connect in this campaign. 

Encrypted strings

Decrypted Strings



















LummaC2’s first step in its exfiltration phase is its connection to the C2 server. The malware will exit the process if it does not receive the “OK” message as a response from any of the nine C2 servers. The second step will be exfiltrating information from infected machines. The basic stealing functionality is the same as the previous version, with the addition of victims’ discord credentials to exfiltrate. 

Suspected CoralRaider continues to expand victimology using three information stealers


The last payload we found in this campaign is Rhadamanthys malware, a famous infostealer appearing in the underground forum advertisement in September 2022. The Rhadamanthys malware has been evolving till now, and its authors have released a new version, V0.6.0, on Feb. 15, 2024. However, the Rhadamanthys variant we found in this campaign is still v0.5.0.

Suspected CoralRaider continues to expand victimology using three information stealers

The threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory. After decompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages. The first stage is a simple Python script that replaces the binary code from 0 to 9 and decodes the second stage. 

Suspected CoralRaider continues to expand victimology using three information stealers

In the second stage, the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process. We spotted that the threat actor is developing the Python script with the intention of including the functionality of executing a shellcode. 

Suspected CoralRaider continues to expand victimology using three information stealers

Analyzing the final executable file showed us that the malware unpacks the loader module with the custom format having the magic header “XS” and performs the process injection. The custom loader module in XS format is similar to that of a Rhadamanthys sample analyzed by the researcher at Check Point. The malware selects one of the listed processes as the target process for process injection from a hardcoded list in the binary:

  • "%Systemroot%\\system32\\dialer.exe"
  • "%Systemroot%\\system32\\openwith.exe"
Suspected CoralRaider continues to expand victimology using three information stealers


Suspected CoralRaider continues to expand victimology using three information stealers

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63218 - 63225 and 300867 - 300870.

ClamAV detections are also available for this threat:

















Indicators of Compromise

Indicators of Compromise associated with this threat can be found here.

from Cisco Talos Blog https://ift.tt/mbnlGyT

Content filtering in KSMG 2.1 | Kaspersky official blog

When it comes to spam, we usually think of a bunch of absolutely irrelevant advertising letters, which antispam engines filter out with no trouble at all. However, this is far from the most unpleasant thing that can fall into your mailbox. Sometimes spam is used to carry out a DDoS attack on corporate email addresses, and the victim gets bombarded with completely legitimate emails that don’t raise any suspicion of a standard antispam engine.

Registration confirmations attack

In order to perform a mail bomb attack, attackers can exploit the registration mechanisms on the web resources of totally unrelated companies. Using automation tools, they register on thousands of services from different countries using the victim’s email address. As a result, a huge number of confirmations, links to activate your account, and similar letters end up in your mailbox. Moreover, since they’re sent by legitimate mail servers with a good reputation, the antispam engine considers them legal and doesn’t block them.

Examples of registration confirmation emails

Examples of registration confirmation emails used for DDoS attacks on corporate email addresses

As a target the attackers usually choose an address that’s crucial for the company’s work — something that’s used to communicate with clients or partners; for example, a mailbox of the sales department, technical support, or a bank’s address to which applications for mortgage loans are sent. An attack can last for days, and the plethora of emails  simply overload the victim’s mail server and paralyze the work of the attacked department.

To successfully protect a mailbox from such an attack, a more sophisticated tool is required. As one of the approaches to protection against mail bombs, we propose using the personalized content filtering module built into our updated Kaspersky Secure Mail Gateway In particular, in the above example of an attack through registration mechanisms, the operator can block letters based on the presence of the word “registration” in various languages in the Subject field (Registrace | Registracija | Registration | Registrierung | Regisztráció). As a result, emails will be automatically sent to quarantine without reaching the inbox and overloading the mail server.

Personalized mail filter settings

In Kaspersky Secure Mail Gateway version 2.1 we’ve added the following options for filtering incoming and outgoing mail:

  • by letter size;
  • by attachment types and names;
  • by sender — you can specify a specific sender address or a regular expression;
  • by recipients (including hidden ones);
  • by the presence of certain text in the body of the letter (keywords and regular expressions can be added to the dictionary);
  • by the presence of text in the subject of the letter – by keywords, using masks and regular expressions, indicating specific senders;
  • by X-headers.


Flexible filtering of business mailings

The new capabilities of our solution can be used not only to protect against email bombs attacks. They can be used, for example, for flexible configuration of B2B-mailout filtering. Not all employees perceive all kinds of business mailings in the same way: for some it makes sense to delve into offers to purchase electronic components; for others such advertisements just clog up their inboxes, while they consider various invitations to participate in conferences or conduct seminars extremely valuable.

Therefore, completely blocking legitimate business mailouts isn’t an option. But on the other hand, it’s also not worth allowing their uncontrolled delivery: someone will always be dissatisfied. Therefore, Kaspersky Secure Mail Gateway doesn’t categorize such letters as spam, but allows you to configure their flexible filtering by senders, recipients, text in the subject or body of the letter, and so on.

You can learn more about Kaspersky Secure Mail Gateway, part of Kaspersky Security for Mail Servers solution on our corporate website.

from Kaspersky official blog https://ift.tt/iMHzxsm

Webinar: Learn Proactive Supply Chain Threat Hunting Techniques

Apr 23, 2024The Hacker NewsThreat Hunting / Software Security

In the high-stakes world of cybersecurity, the battleground has shifted. Supply chain attacks have emerged as a potent threat, exploiting the intricate web of interconnected systems and third-party dependencies to breach even the most formidable defenses. But what if you could turn the tables and proactively hunt these threats before they wreak havoc?

We invite you to join us for an exclusive webinar that will equip you with the knowledge and strategies to stay ahead of the curve: "Supply Chain Under Siege: Unveiling Hidden Threats." This comprehensive session, led by industry experts Rhys Arkins (VP of Product) and Jeffrey Martin (VP of Product Marketing), promises an in-depth exploration of the supply chain threat landscape.

Brace yourself for a revelatory journey through:

  • The Anatomy of Supply Chain Threats: Gain a deep understanding of these insidious attacks, their far-reaching consequences, and the vulnerabilities they exploit.
  • Proactive Threat Hunting Methodologies: Uncover cutting-edge techniques tailored specifically for the software supply chain ecosystem, empowering you to identify and neutralize threats before they can strike.
  • Case Studies and Real-Life Examples: Dive into captivating case studies that dissect recent supply chain attacks, exposing the tactics employed by threat actors and providing invaluable lessons.
  • Practical Steps to Boost Resilience: Equip yourself with actionable strategies to fortify your defenses, mitigate risk exposure, and enhance your organization's overall cybersecurity posture.
  • Emerging Trends and Best Practices: Stay ahead of the curve by exploring emerging trends and industry-leading best practices, ensuring your preparedness for the ever-evolving threat landscape.

Don't become the next victim of a supply chain attack. Secure your spot at this exclusive webinar and join us on the frontlines of cybersecurity. Empower yourself with the knowledge and tools to proactively hunt, identify, and neutralize threats lurking within your software supply chain.

Reserve your seat today and embark on a journey to become a supply chain threat-hunting virtuoso – the vanguard against cyber adversaries.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/xPF9W1z

German Authorities Issue Arrest Warrants for Three Suspected Chinese Spies

Apr 23, 2024NewsroomCounterintelligence / National Security

German authorities said they have issued arrest warrants against three citizens on suspicion of spying for China.

The full names of the defendants were not disclosed by the Office of the Federal Prosecutor (aka Generalbundesanwalt), but it includes Herwig F., Ina F., and Thomas R.

"The suspects are strongly suspected of working for a Chinese secret service since an unspecified date before June 2022," the Generalbundesanwalt said.

Thomas R. is believed to have acted as an agent for China's Ministry of State Security (MSS), gathering information about innovative technologies in Germany that could be used for military purposes.

The defendant also sought the help of a married couple, Herwig F. and Ina F., who run a Düsseldorf-based business that established connections with the scientific and research community in Germany.

This materialized in the form of an agreement with an unnamed German university to conduct a study for an unnamed Chinese contractor regarding the operation of high-performance marine engines for use on combat ships.

"At the time of their arrest, the defendants were in further negotiations on research projects that could be useful for expanding China's maritime combat power," the agency said.

"In addition, the defendants purchased a special laser from Germany on behalf of and with payment from the MSS and exported it to China without permission, even though the instrument is subject to the E.U. dual-use regulation."

The development comes as the Generalbundesanwalt announced the arrest of another citizen named Jian G for acting as an agent for the Chinese Secret Service while working for a German Member of the European Parliament since 2019.

"In January 2024, the accused repeatedly passed on information about negotiations and decisions in the European Parliament to his intelligence client," it said. "In addition, he spied on Chinese opposition members in Germany for the intelligence service."

Last week, the Office of the Federal Prosecutor also executed an arrest warrant against a German-Russian citizen Alexander J. for purported secret service agent activity.

The arrests also follow the charging of Christopher Berry, 32, and Christopher Cash, 29, in the U.K. for passing on sensitive information to China in violation of the Official Secrets Act, according to the Metropolitan Police and the Crown Prosecution Service (CPS).

The two individuals, previously arrested on March 13, 2023, from Oxfordshire and Edinburgh, respectively, and later released on bail, have been accused of sharing "articles, notes, documents, or information" which may have been directly or indirectly useful to an enemy nation.

A spokesperson for the Chinese Embassy told BBC News that the allegations amount to "malicious slander" and urged the U.K. to "stop anti-China political manipulation."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/7RTbFH1

Monday, April 22, 2024

Three Ways Organizations Can Overcome the Cybersecurity Skills Gap

Organizations face a significant obstacle: the cybersecurity skills gap. In fact, according to a recent Cybersecurity Ventures report, there are 3.5 million cybersecurity jobs available worldwide.

The talent shortage has become a critical impediment for organizations as they lack the necessary head count to operate a security operations center (SOC). Without skilled professionals to manage and oversee security operations, businesses are left exposed to potential threats.

This disparity between the demand for skilled cybersecurity professionals and the available talent pool is driving organizations to explore alternative avenues, which I will explore in this article.

Three Ways to Overcome Cybersecurity Skill Gap Challenges

Diving in, these solutions include looking into full or partial outsourcing of cybersecurity services as well as establishing better partnerships with vendors, leveraging advances in technology, and investing in training.

1. Embrace Vendor Partnerships

To overcome the talent shortage, finding vendors that align closely with an organization’s goals and exhibit a commitment beyond mere transactional engagements becomes of paramount importance. Forging partnerships with vendors that do not merely offer technology solutions but proactively immerse themselves in solving challenges can prove to be a transformative approach.

The key is to find vendors who provide technology solutions but also truly become an extension of the team—vendors who “wear the customer’s jersey” and sit on their side of the table to collaboratively address issues.

In this dynamic landscape, it is imperative to seek vendors who embrace a consultative role, going beyond selling solutions and focusing on understanding the organization’s unique needs. A successful vendor relationship should surpass sales targets and renewal cycles; it should prioritize adding substantial value to the cybersecurity strategy.

Vendors, for example, who commit themselves to being true catalysts for change within the industry, who are open to challenging norms and who actively participate as partners in the journey toward robust cybersecurity, are the ones to be pursued.

2. The Rise of Automation and Machine Learning

Another innovative solution that has emerged from the skills gap is a greater reliance on automation and machine learning (ML) in cybersecurity operations, as these technologies can automate routine tasks and enhance the capabilities of their existing staff.

ML, in particular, holds great promise in addressing the challenges associated with analyzing extensive data volumes, identifying anomalies and responding to threats. By leveraging ML, organizations have the potential to significantly enhance their threat detection and incident response capabilities, enabling them to stay ahead of emerging threats.

Automation also plays a significant role in cybersecurity by alleviating the burden on cybersecurity teams through a reduction in reliance on human resources for repetitive and mundane tasks. This, in turn, enables security professionals to dedicate their time and expertise to tackling more intricate and complex security challenges that require human judgment and critical thinking.

Moreover, the prevalence of automation in the cybersecurity landscape is increasing, with 57% of organizations already having adopted automation and an additional 26% planning to adopt it in the future.

3. Invest in Training and Development

Organizations should also consider investing in training and development within the cybersecurity domain. Some may hesitate, fearing that trained employees will leave and take their newly acquired expertise with them. However, there is a counterpoint to consider: If organizations fail to invest in training, employees may stay but lack the necessary skills to effectively perform their job and defend against cyberthreats.

By prioritizing training and development, organizations can address the skills shortage. The threat landscape is constantly evolving. Staying updated with the latest knowledge and techniques is essential for effective defense against cyberthreats. Moreover, by offering training opportunities, organizations can attract top talent and retain skilled professionals, creating a positive cycle of growth within the organization.

Promoting internal hiring and cross-functional collaboration is another valuable strategy. Bringing in individuals with diverse backgrounds and skill sets, even from outside traditional security roles, can act as a force multiplier. These professionals can offer fresh perspectives and innovative approaches to security problem-solving, enriching the capabilities of the security team.


The scarcity of skilled cybersecurity professionals cannot be resolved overnight, and the industry must acknowledge this reality. While organizations can invest in training and development programs to upskill their existing employees, it is important to recognize that developing cybersecurity talent takes time and effort.

Nevertheless, by embracing innovative solutions and fostering collaborative efforts, organizations can successfully navigate the cybersecurity skills gap and ensure the protection of their critical data and systems in an increasingly interconnected world.

For more tips on how to build a strong and effective cybersecurity team, read this SOC Hiring Handbook.

This article was adapted from the original post featured here on Forbes.com.

The post Three Ways Organizations Can Overcome the Cybersecurity Skills Gap appeared first on LogRhythm.

from LogRhythm https://ift.tt/r5CJLiS

PinnacleOne ExecBrief | Aviation Cybersecurity

Last week, PinnacleOne reviewed escalation dynamics in the Middle East.

This week, we turn our attention to domestic critical infrastructure with a look at recent developments in aviation cybersecurity.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Aviation Cybersecurity

The aviation sector continues to face a complex and evolving cybersecurity threat landscape with nation-state actors, cybercriminal groups, and hacktivists targeting critical infrastructure. Last week, the FAA issued a ground stop order on Alaska Airlines for one hour due to an “upgrade issue with flight software that calculates weight and balance.” This follows a similar hour-long nationwide ground stop last year caused by a software update at United Airlines, a network-wide outage at WestJet caused by a service provider, and a ransomware breach at Sabre.

Most concerningly, on Friday, the Department of Homeland Security (DHS) published an official notice stating that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists, warranting the expedited implementation of critical cyber mitigation measures through emergency regulatory authority.

The TSOB – including the Secretaries of Homeland Security, Transportation, Defense, and the Treasury, the Attorney General, the Director of National Intelligence, and a National Security Council representative — convened a meeting to review TSA’s transportation security plans for cybersecurity in the aviation sector and provide a recommendation regarding TSA’s emergency determination to issue Joint Emergency Amendment (EA) 23-01.

During the classified briefing, the TSOB was presented with sensitive security information and intelligence regarding the severe cyber threat to the aviation transportation system. The board discussed the circumstances leading to TSA’s issuance of Joint EA 23-01, which requires performance-based cybersecurity measures to prevent the disruption and degradation of critical systems. The TSOB’s recommendation endorsed the need for TSA to proceed with these critical mitigation measures on an emergency basis.

This development came in the context of a September 2023 advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which identified indicators of compromise at an Aeronautical Sector organization as early as January 2023. Nation-state advanced persistent threat (APT) actors exploited vulnerabilities in a public-facing application (Zoho ManageEngine ServiceDesk Plus) and a firewall device to gain unauthorized access, establish persistence, and move laterally through the network. CISA warned that “additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.” APT interest in critical infrastructure means that such exploitation happens on other devices and software, too, not just the Zoho product in this particular alert.

Aviation Cybersecurity Risks

Leaks of intelligence documents in 2023 from Russia indicated a specific interest in targeting operational aviation systems. Further, Chinese threat actors are known to be targeting US critical infrastructure firms (including the aviation sector) given their military doctrine that sees disrupting civilian systems as a means of deterring or coercing US political decision-makers in a time of conflict.

Participants in the USAF Civil Reserve Air Fleet should also expect to be targeted for their role supporting contingency airlift requirements for the Department of Defense, something likely to be activated in a Taiwan crisis situation.

Against this geopolitical backdrop, aviation CISOs face a complex technology and cybersecurity risk environment, resulting from:

  • Growing integration of new tech into legacy systems, including new connectivity interfaces and e-Enabled aircraft;
  • Increasing federal cyber regulations and compliance requirements;
  • Constrained security budgets that limit focus to catastrophic risks and compliance;
  • Security cultures that often silo cyber/IT from the broader organization and create obstacles to effective enterprise engagement and operational collaboration;
  • Tactically oriented people, processes, and tooling aimed at immediate triage, not strategic risk;
  • Complex global supply chains that increase upstream risk exposure; and
  • Increasing third-party risks from the economy-wide move to, and dependency on, cloud-enabled services and the associated shift in risk management responsibilities.

While the geopolitical threats to aviation cybersecurity grow, aviation faces the technical difficulty of defending complex legacy and modern systems. The industry must protect a uniquely broad range of vulnerable elements from its airport and online systems and data to vendor supply chains and airplane electronics. Despite all this, aviation cybersecurity’s resources and incentives lag the threat environment.

Corporate executives must recognize that the aviation industry remains at the frontlines of emerging geopolitical risk, and cybersecurity threats have the potential to cause significant operational, financial, and reputational damage. The TSOB’s recommendation and the CISA advisory underscore the urgency of the situation and the need for high-level, enterprise-wide engagement to address these risks effectively.

Investing in a comprehensive cybersecurity strategy, aligning technical and security stacks, and fostering collaboration between corporate and cybersecurity leadership is essential to mitigate the risk of a catastrophic event. As the DHS notice and CISA advisory demonstrate, the stakes are high, and failure to act decisively could result in severe consequences for the aviation industry and national security.

The aviation sector must consider modern, more expansive risk models to navigate a strategic environment at the nexus of emerging cyber and geopolitical threats. Even when the risks are clear and the gaps manifest, tight budgets and other business priorities can get in the way of building an effective security organization. This requires high-level, executive engagement across the enterprise to help leadership understand how these risks impact operational reliability, customer relations, corporate liability, shareholder value, passenger safety, and national security.

The combination of legacy IT/OT with new connectivity interfaces, sprawling third-party dependencies and digital supply chains, strained corporate balance sheets and infosec budgets, increasing regulatory mandates, highly visible industry stumbles, and aggressive nation-state threats indicate major turbulence ahead.

from SentinelOne https://ift.tt/E8oPLwZ