Strategic insights for leaders from tactical cyber observers 

Friday, July 1, 2022

As the world becomes increasingly dependent on the internet and cyberspace remains a contested environment, leaders must monitor geopolitical and cybersecurity risks more than ever. LookingGlass presents the Cyber Monitor – a weekly rollup of analysis and trending topics in cybersecurity for executives to keep abreast of threats, incidents, and risks to their organization and national security.


TABLE OF CONTENTS

OPERATIONAL UPDATES 

CYBER ACTORS 

TECHNOLOGY

GOVERNANCE


OPERATIONAL UPDATES

CYBER EVENT READOUTS & NEWS AMPLIFICATIONS

The House Appropriations Committee directed the Secretary of Defense to provide a report detailing how Pentagon leadership delineates roles and responsibilities within cyberspace among its different component agencies. The guidance, released Friday, June 24, comes as a companion report to a spending bill for the DoD; it must be carried out within 90 days of the bill’s passing. Reciting a long list of high-level DoD positions and offices, they write that it “remains unclear … which offices and positions at the Department of Defense are responsible for cyber, cybersecurity, and cyberspace policy and activities.” The committee noted, for example, that a Deputy Assistant Secretary of Defense for Cyber Policy and a Deputy Principal Cyber Advisor for Cyber Policy both fall under the office of the Under Secretary of Defense for Policy. The committee wants the report to include an organizational chart listing each office with responsibility over cyber activities, descriptions, and distinctions between each position and their reporting structure to Pentagon leadership. The legislation also pushes the department’s chief information office to look at opportunities to collaborate with CISA on a commercial cyber threat intelligence shared service. It also directs the secretary of defense to provide “supplementary support” to CISA where needed to respond to hacks from countries like Russia and China. Moreover, the committee wants the DoD to collaborate with colleges and universities to recruit cyber-focused students during their junior and senior years with the expectation that students will have a completed security clearance upon graduation. SC Magazine

APTs are employing a new strategy to exploit the insecurity of network, IoT, and OT devices in order to achieve long-term network persistence. The following are the top five risks that companies should be aware of:

  1. Unmanaged devices frequently carry high- and critical-severity vulnerabilities and lack firmware updates, hardening, and certificate validation. Researchers discovered that 70% of IoT, OT, and network devices deployed in large organizations have vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 8 to 10.
  2. Because network, IoT, and OT devices do not support agent-based security software, attackers can install specially compiled malicious tools, modify accounts, and enable services without being detected. They can then maintain persistence because vulnerabilities and credentials are not managed, and firmware is not updated.
  3. Network/IoT/OT devices are ideal for staging secondary attacks on more valuable targets due to their low security and visibility. Once on a network, an attacker can move laterally and stealthily in search of vulnerable, unmanaged IoT, OT, and network devices. Once the devices have been compromised, the attacker can remotely control the victim devices in order to target IT, cloud, or other IoT, OT, and network device assets.
  4. One of the main value propositions of IoT, in particular, for sophisticated adversaries is that the model significantly complicates incident response and remediation. It is extremely difficult to completely eliminate attackers if they have established persistence on just one of the hundreds or thousands of vulnerable, unmanaged devices that reside in most business networks.
  5. Businesses can only prevent these attacks if they have complete visibility into, access to, and management of their disparate IoT, OT, and network devices. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management. With that said, companies with large numbers of devices will be challenged to secure them manually, so companies should consider investing in automated solutions.

Dark Reading

Analyst Comment: It remains challenging to get a good view of the IoT and OT threat landscape, because those layers are rarely monitored. For this reason, IoT, OT, and firmware have been consistent targets of nation-state adversaries for years. These techniques and attacks are now more often being employed by cybercriminals and ransomware operators for the same reason, and they are also becoming easier to use and deploy. Attacks at these layers previously required a much greater degree of skill and specialized knowledge, especially when dealing with firmware and OT environments. In recent years these tools have become much more commoditized and widely adopted by cybercriminals.

The LockBit ransomware operation has released “LockBit 3.0,” which includes the first ransomware bug bounty program as well as new extortion methods and Zcash cryptocurrency payment options. After two months of beta testing, the cybercrime group released a ransomware-as-a-service (RaaS) operation called LockBit 3.0, with the new version already used in attacks. The operation asked security researchers to submit bug reports in exchange for rewards ranging from $1k to $1M. LockBit is not only paying bounties for vulnerabilities, but also for “brilliant ideas” on how to improve the ransomware operation and for doxxing the affiliate program manager. A LeMagIT researcher discovered that the LockBit 3.0 operation employs a new extortion model that allows threat actors to purchase data stolen during attacks. Because there are currently no victims on the LockBit 3.0 data leak site, it is unclear how this new extortion tactic will work or if it is even enabled. Bleeping Computer, Twitter


Analyst Comment: LockBit activity is a great example of how ransomware can evolve over time. Active since at least September 2019, LockBit is one of the oldest groups that has functioned without rebranding. At one point the LockBit gang was overshadowed by other ransomware groups, such as REvil and Conti, which, along with the group’s decision to remain politically neutral, may have helped the group. At the same time, like other groups, LockBit has attracted some attention by conducting high-profile attacks, such as the Accenture hack that occurred in August 2021. LockBit also carried out a disinformation campaign when they claimed to have compromised Mandiant on the first day of the RSA Conference. LockBit 3.0 is likely not the last version of ransomware created by the group, and the gang will likely continue to evolve operationally as well.

According to tech analyst Gartner, business leaders should build these strategic predictions into their security strategies for the next two years:

  1. Consumer privacy rights will be extended. Privacy regulation will be extended to cover 5B people and more than 70% of the global GDP.
  2. By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services, and private application access. With the rise of hybrid work, vendors are offering integrated security service edge services across web and cloud application security for tighter integration, fewer consoles, and fewer locations where data must be decrypted, inspected, and re-encrypted.
  3. Many organizations will embrace zero-trust but fail to realize the benefits. By 2025, 60% of organizations will attempt to adopt zero trust security, but more than half will fail to realize the benefits.
  4. Cybersecurity will become key to choosing business partners. By 2025, 60% of organizations will use cybersecurity risk as a “primary determinant” in conducting third-party transactions and business engagements.
  5. Ransomware payment legislation will rise. One in three countries will introduce laws governing ransomware payments soon.
  6. Hackers will weaponize operational technology environments to cause human casualties. Attacks on OT have become more common and more disruptive, Gartner stated, warning that by 2025, threat actors will have “weaponized” operational technology environments to cause human casualties.
  7. Resilience will be about more than just cybersecurity. By 2025, 70% of CEOs will drive a culture of organizational resilience to deal with threats from cybercrime, but also from severe weather events, civil unrest, and political instabilities.
  8. Cybersecurity will matter for the CEO’s bonus. By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.

ZDNet

Analyst Comment: Many Gartner predictions involve ongoing processes, such as zero-trust implementation, cloud services adoption, or ransomware payment legislation. While these processes may have already started, it will take time to come up with best practices and better implementation procedures.

Open-source software (OSS) has become a mainstay of most applications, but it has also created security challenges for developers and security teams, according to several new reports. 41% of organizations don’t have high confidence in their open-source security, Snyk researchers and The Linux Foundation revealed in their report The State of Open Source Security. It also mentions how the time it takes to fix vulnerabilities in open-source projects has steadily increased over the last three years, more than doubling from 49 days in 2018 to 110 days in 2021. According to the report, which is based on a survey of over 550 respondents, the average application development project has 49 vulnerabilities and 80 direct dependencies where a project calls open-source code. Furthermore, the report discovered that less than half of organizations (49%) have a security policy in place for OSS development or usage. The figure for medium- to large-sized businesses is even worse (27%). Another report, the AppSec Shift Left Progress Report, suggests that moving security “left,” or closer to the beginning of the software development lifecycle, can improve OSS security. Based on the report, the ShiftLeft Core product was able to fix 76% of new vulnerabilities within two sprints. One reason vulnerabilities are fixed so quickly is that they are discovered quickly. “Every change in code that a developer makes is scanned in a median of 90 seconds,” says ShiftLeft CEO and co-founder Manish Gupta. “Because the code is still fresh in a developer’s mind, it becomes easier for them to fix the vulnerability.” CSO Online

Analyst Comment: The use of open-source software has been an ongoing debate in the security community. Most recently, the Log4j vulnerability discovered at the end of 2021 highlighted risks associated with the use of free open-source software. However, such vulnerabilities may highlight overall challenges of secure software development.

A hacking group has released troves of government data in anti-abortion states and is planning more cyberattacks. On Saturday, June 25, SiegedSec posted between seven and eight gigabytes of data online that it says was retrieved from the government servers of Kentucky and Arkansas – states that have both passed restrictive abortion bans in the wake of the Supreme Court’s controversial overturning of Roe v. Wade last week. SiegedSec announced its purported access to the government data in a Telegram post, which included screenshots of what appeared to be lines of addresses and a scanned copy of a financial form with personally identifiable information on it. SiegedSec appears to be a relatively new hacking group that was first noticed days before Russia’s invasion of Ukraine in February this year, according to dark web analysis company DarkOwl. Since its formation, SiegedSec says it has compromised over 100 websites, with the hackers often crudely defacing sites, according to DarkOwl. Several thousand LinkedIn profiles also appear to have been accessed. In addition, there is evidence that the group has leaked information from at least 30 companies globally. Prior to the aforementioned state leaks, DarkOwl had described SiegedSec as a fairly small-scale operation with the potential to evolve into a larger cyber threat. The state leaks may indicate the group is moving in that direction. Newsweek

Analyst Comment: While the recent surge of hacktivist activity is largely attributed to the ongoing war in Ukraine, this event indicates it is likely that newly formed and revived hacktivist groups will focus on other issues they are passionate about. Recent hacktivist activity also demonstrates how quickly the groups can evolve and adopt new tools, making DarkOwl’s assessment of SiegedSec evolving into a larger cyber threat seem accurate.

Russian hacker group Killnet claimed responsibility on Monday, June 27 for a DDoS attack on Lithuania. The group claimed the attack was in response to the country’s decision to block the transit of goods sanctioned by the EU to the Russian exclave of Kaliningrad. “The attack will continue until Lithuania lifts the blockade,” a spokesperson for the Killnet group told Reuters. The spokesperson stated the group has demolished 1652 web resources so far. Kaliningrad is connected to the rest of Russia by a rail link through Lithuania, a member of the EU and NATO. Reuters

Analyst Comment: LookingGlass has observed activity associated with attacks on Lithuanian entities across multiple Telegram channels. Along with Killnet and their subordinate group LEGION – Cyber Spetznaz, other groups claiming participation in the attacks included XakNet, Noname057(16), and From Russia with Love. The groups claim that the Lithuanian attacks are part of a larger campaign called “F**k NATO.” It is common for hacktivists to select provocative names for their campaigns, as it may help attract more attention from the media and the general population. Lithuania has confirmed the attacks, also stating that the most important systems were quickly restored.


CYBER ACTORS 

NATION STATES

A China-based APT actor appears to be using ransomware and double-extortion attacks as camouflage for government-sponsored cyberespionage and intellectual property theft. In its attacks, the threat actor has used a malware loader called the HUI Loader – associated exclusively with China-backed groups – to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks tracking the group as “Bronze Starlight” say they have not observed other threat actors use the tactic. Secureworks also identified organizations in multiple countries that the adversary appears to have compromised. The group’s US-based victims include a pharmaceutical company, a law firm, and a media company with offices in Hong Kong and China. Approximately three-quarters of Bronze Starlight’s victims so far are organizations that have typically been of interest to government-sponsored Chinese cyber-espionage groups. While Bronze Starlight appears to be financially motivated, its real mission is likely cyberespionage and intellectual property theft in support of Chinese economic objectives, according to Secureworks. The US government last year formally accused China of using threat groups such as Bronze Starlight in state-sponsored cyber-espionage campaigns. Dark Reading

Analyst Comment: HUI Loader has been active since 2015. A41APT, which can be traced to Bronze Starlight, is a well-known campaign that uses HUI Loader in its multi-layer malware attacks. APT10 (a.k.a. Red Apollo, MenuPass, Stone Panda, and Potassium) and APT BlackTech were observed in the A41APT campaign, targeting most prominently the Japanese manufacturing sector and its overseas operations, and companies in Hong Kong and Taiwan. The purpose of these attacks is often to steal proprietary information and technology. It is common for APT groups linked to the People’s Liberation Army (PLA) or Ministry of State Security (MSS) of China to share tactics, techniques, and procedures (TTPs). Employing multi-layer malware and payloads to carry out stealthy attacks makes it difficult for security teams to detect malicious activities. Using the guise of a ransomware attack to carry out espionage activity would also offer the Chinese government some degree of deniability.

The US Cyber Command is posting malware samples from North Korean hackers on VirusTotal – an information-sharing platform – to increase transparency on North Korean threats. North Korean cyber actors are engaged in corporate espionage attacks involving remote access, backdoors, and other forms of malware designed to infiltrate a computer network and then exfiltrate data to another server within North Korea. These hackers are also engaged in smash-and-grab bank heist-style operations for “fund generation” for the North Korean state. In one attack, a group of North Korean hackers known as APT38 launched a malware attack against the SWIFT interbank messaging system. The corporate espionage attacks represent a theft of US intellectual property and are designed to bolster the North Korean economy and military, while the bank heist operations generate funds that can be used for other nefarious programs, such as weapons of mass destruction programs. According to a recent UN report, the North Korean regime has stolen more than $2B, much of which has been diverted to fund weapons programs for different military units. To illustrate both tactics used by North Korean hackers, CYBERCOM uploaded a total of 7 new malware samples so that “white hat” hackers will have a better idea of what North Korean malware looks like and be better prepared to defend against it. CPO Magazine

Researchers have discovered a new attack campaign by the Iran-based Siamesekitten group, which employs a fake Adobe PDF document. The Siamesekitten group, aka Lyceum/Hexane, is based in Iran and is known for launching supply chain attacks in the Middle East and Africa. Over the course of several months, the cybercrime group has built a large infrastructure that allowed it to impersonate the target company and HR personnel. ClearSky researchers discovered that the group is using a new modular malware capable of infecting Windows systems in the latest attack campaign. Researchers say the attackers crafted a PDF lure relating to drone attacks and a reverse shell that mimics an Adobe update. To appear credible, the fake PDF file is signed with a forged Microsoft certificate. They also stated that the attack method is similar to previous drone attacks on Iranians. Cyware

Analyst Comment: This activity is another example of an APT using common attack vectors, such as social engineering or phishing. While sophisticated groups typically have resources to develop unique tools and exploits, they often stick to more commonly utilized methods, as it makes attribution more complex.

DragonForce Malaysia, the hacker group behind the ongoing cyberattack against India, has moved from website defacement and data leaks to ransomware attacks. DragonForce had on June 10 issued a call to all hackers, asking them to join OpsPatuk – a campaign for revenge against suspended BJP spokesperson Nupur Sharma’s derogatory comments about the Prophet Mohammed. The first wave of OpsPatuk included hacking and defacement of hundreds of Indian websites, both government and private, while in the second wave DragonForce hacked the servers of organizations and leaked the personal data of hundreds of thousands of Indians. On Friday, June 24, DragonForce posted a screenshot of a hacked desktop screen, where all the desktop icons were changed to encrypted files that cannot be opened without the encryption key. Certain data in the screenshot was blacked out, supposedly to hide the identity of the victim. The screenshot, which was posted on DragonForce’s dark web forum, was accompanied by a message saying that a ransom demand had been made. Since Thursday, June 23, DragonForce has also posted several other messages claiming to have hacked Indian Windows servers, which have been accompanied by screenshots and one Proof of Concept video showing a recording of the entire hacking process. The Free Press Journal

A pro-China propaganda campaign used bogus social media accounts to incite opposition, including protests, against mining companies that compete with China’s business interests. Mandiant researchers say that while politically motivated disinformation campaigns on social media have become more common, such an operation targeting a specific industry of strategic importance to China is unusual. Researchers refer to the digital campaign as Dragonbridge, and it has flooded Twitter and Facebook in recent months with posts raising environmental and health concerns about the operations of three major mining companies: Australia’s Lynas Rare Earths, Canada’s Appia Rare Earths and Uranium Corp, and USA Rare Earth. The false social media accounts became more aggressive this month after the latter two firms announced new mining plans, according to Mandiant. While the campaign’s impact appeared to be limited, and most of the social media accounts were recently removed, Mandiant’s VP of intelligence, John Hultquist, believes it may indicate that other business competitors to China will be similarly targeted in the future. Reuters

Analyst Comment: Information campaigns on social media platforms supported by the Chinese government have historically been politically motivated. During the 2019 pro-democracy protests in Hong Kong, LookingGlass analysts observed that Beijing employed botnet operations on Twitter and Facebook to discredit protests, and later to support the implementation of the National Security Law.

Some may argue that China’s disinformation mission is taking a new direction as they are targeting businesses that are competing against Chinese companies. LGC analysis suggests that this Dragonbridge campaign is likely politically motivated, as well. In December 2021, Beijing approved the merger of three of China’s biggest rare earth metals state-owned enterprises and two other companies to create the China Rare Earth Group. This is part of President Xi Jinping’s initiatives to gain greater control over strategic core industries. Using a continuous disinformation campaign to disrupt rare minerals production overseas could allow China to maintain its dominant market power of rare-earth metals.


HACKTIVISTS

The Anonymous Collective released 30k emails and 40k files from 2018 to March 2022 containing PII from the Embassy of Ecuador in Moscow. According to a source, the group has shared almost 53 gigabytes of data with journalists on DDoSecrets – a non-profit whistleblower site for news leaks, which has denied making the PII files public. The PII contained passports, documents, and other sensitive information. The Tech Outlook


Analyst Comment: According to the article, the leaked data contained PII of Ecuadorian citizens residing in Russia. DDoSecrets has also confirmed that documents regarding Edward Snowden were present in the leak. The Anonymous activity itself was prompted by the war in Ukraine.

A number of Norwegian institutions have been victims of a DDoS cyberattack in the last twenty-four hours, which has been blamed on a “criminal pro-Russian group,” according to the Norwegian NSM security authority. The attacks, which began overnight, targeted private and public institutions providing critical services, according to the agency, which did not name any of those affected. “We are working to find out whether there is a link with state-sponsored actors,” NSM chief Sofie Nystroem later told TV2. “We’ve seen similar attacks in other countries recently, but none of them have reported any long-term consequences,” the NSM stated. Reuters

Analyst Comment: According to the Killnet group, the attack on Norway was motivated by the country’s refusal to allow a Russian mining company to transport goods through its territory. While no official ties connecting Killnet to the Russian government have been established, as with the campaign targeting Lithuania and other European countries, the Killnet activity occurred shortly after Russia criticized the country for its decision and threatened retaliation.


CYBERCRIME

A former Canadian government employee has agreed to plead guilty in the US to charges that he worked for the NetWalker ransomware group, which researchers say has received nearly $50M in illegal payments over the last two years. The NetWalker group provides ransomware-as-a-service, which means it rents out its malware to “affiliates” in exchange for a cut of the illegal proceeds. The DOJ described the defendant, Vachon-Desjardins, as an affiliate who was accused of converting Bitcoin stolen from ransomware victims into Canadian currency. However, the full extent of his alleged involvement in cyberattacks is unclear. This is a rare instance of an alleged ransomware hacker facing charges in a US courtroom. While many suspected hackers operate from Russia, where they are beyond the reach of US law enforcement, authorities claim Vachon-Desjardins did the majority of his illegal activity from Canada. Bloomberg

One of Iran’s major steel companies said Monday, June 27 that it was forced to halt production after being hit by a cyberattack that also targeted two other plants, reportedly marking one of the country’s most significant attacks in recent years. The Iranian government did not acknowledge the disruption or blame any specific group for the attack on the state-owned Khuzestan Steel Co and Iran’s two other major steel producers, the latest example of an attack crippling the country’s services in recent months amid heightened regional tensions. An anonymous hacking group claimed responsibility for the attack on social media, saying it targeted Iran’s three largest steel companies in response to the Islamic Republic’s “aggression.” The group, “Gonjeshke Darande,” shared what appeared to be closed-circuit footage from the Khuzestan Steel Co factory floor, showing a piece of heavy machinery on a steel billet production line malfunctioning and causing a massive fire. The state-run IRAN newspaper reported that another factory in the southern Iranian port of Bandar Abbas was also targeted in the cyberattack. However, neither plant acknowledged any damage or work stoppage. Steel is a critical industry for the government. According to the World Steel Association, Iran is the Middle East’s leading steel producer and one of the top ten in the world. Its iron ore mines supply raw materials for domestic production as well as exports to dozens of countries such as Italy, China, and the UAE. Tech Xplore

Analyst Comment: Gonjeshke Darande operates like a typical hacktivist group by maintaining social media accounts and claiming responsibility for the attacks after they occur, which makes the attacks more visible and attracts attention from the public. Gonjeshke Darande appears to be a sophisticated and capable group. However, due to the ongoing conflict in Ukraine, a lot of other hacktivist activity, including Gonjeshke Darande operations, may be overlooked.

In the latest high-profile hack in the digital currency industry, hackers stole the equivalent of $100M from Harmony, a California-based cryptocurrency firm. Harmony joins a long list of cryptocurrency firms that have been plundered by hackers for many millions of dollars at a time. This year alone, hackers have stolen over $1B from cryptocurrency bridges, according to Elliptic, a firm that tracks transactions on the blockchain. Because they store large amounts of liquidity, cryptocurrency bridges are prime targets for hackers, according to Elliptic. It’s unknown who raided Harmony’s digital vaults. CNN

Analyst Comment: This incident highlights the importance of security programs and policies that apply to emerging technology industries. While such incidents have a damaging effect, they also help new industries improve their security posture as they mature.

Chip manufacturing giant Advanced Micro Devices (AMD) stated that it is investigating claims from a digital extortion group that data was stolen from the company. On Monday, June 27, the RansomHouse extortion group added AMD to its list of victims, claiming to have stolen more than 450 GB of data in January. RestorePrivacy was the first to report the RansomHouse allegations, after examining a sample of the stolen data and discovering AMD passwords, system information, and other network files. Employees of the billion-dollar chip company used weak passwords, with some even using “password” for sensitive accounts, according to the extortion group. On its Telegram channel, the group boasted about the attack, offering samples of the data stolen on June 20 to anyone who could guess the company after being given hints. The Record

Analyst Comment: While prominent ransomware groups have the capability to develop or purchase exploits for zero-day vulnerabilities, it is common for them to take advantage of other security issues that may exist within organizations, including weak passwords and unpatched known vulnerabilities. Although the RansomHouse claims are still being investigated, this is a good reminder of why implementing strong passwords and multi-factor authentication is very important.

The Raccoon Stealer malware has returned, with a second major version circulating on cybercrime forums, providing hackers with enhanced password-stealing functionality and increased operational capacity. The Raccoon Stealer operation was shut down in March 2022 after one of its lead developers was killed during Russia’s invasion of Ukraine. The remaining team promised to return with a new version, relaunching the MaaS (malware-as-a-service) project on improved infrastructure and with expanded capabilities. Raccoon Stealer 2.0 is now being promoted on hacking forums, according to Sekoia security analysts, with the first samples captured by malware analysts earlier this month. The malware authors claim that the new Raccoon version was built from the ground up in C/C++, with a new back-end, front-end, and code to steal credentials and other data. Raccoon Stealer 2.0 is able to steal the following information:

  • Basic system fingerprinting
  • Browser passwords, cookies, autofill data, and credit card information
  • Cryptocurrency wallets and web browser wallet extensions, including MetaMask, TronLink, BinanceChain, Ronin, Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
  • Individual files spread across all disks
  • Screenshot captures
  • List of installed applications on victims’ computers

Bleeping Computer

Analyst Comment: LookingGlass has observed the actor “raccoonstealer” announcing the new malware version on the Exploit forum in early June. Previously, raccoonstealer communicated in Russian on multiple forums, but the announcement of the new Raccoon Stealer malware version has only been posted on Exploit in English. The actor claims they created version 2.0 to honor the developer they had lost and that version one has been completely discontinued.


TECHNOLOGY 

BLOCKCHAIN & WEB3 

While Web 3.0 and the metaverse promise numerous benefits, they also raise concerns, particularly in terms of security. The following are the top five cybersecurity risks that executives should be aware of:

  1. Privacy: A recent survey revealed that 74% of Americans are more concerned with their online privacy than ever before. One of the main privacy issues with the metaverse is the sheer amount of personal data available. A user’s privacy on Web 3.0 will be non-existent if stolen.
  2. Cybercrime: Policing cybercrime will be impossible without central control and data access. Cybercrime will be dependent on users taking greater responsibility for their data. Services such as the Myraah Web 3.0 locker secure a user’s data in a private locker, allowing them to take control of their online security.
  3. Cryptocurrency Wallets: Non-fungible tokens (NFTs) and cryptocurrencies are stored in cryptocurrency wallets. Carrying a wallet will be a necessary act in the metaverse. It will also be associated with your reputation scores and linked to real-world identities. As a result, an individual’s/company’s actions in the metaverse will have an impact on your real-world reality.
  4. Decentralization: Decentralization is critical to ensuring that the internet remains a public resource open to all users. Because Web 3.0 is open source, contributors can collaborate from the start. With this transparency comes severe security flaws in integrated data. All of a user’s personal data will be stored in a single account, which will be protected by a single password.
  5. Technical Limitations: Centralized platforms are powered by cutting-edge technologies. Decentralized networks have latency issues because they are new. Web 2.0 allows for the simple management of the best small business phone systems and other remote capabilities. Web 3.0 is based on a decentralized network that is evolving gradually rather than quickly. As a result, in terms of connectivity, it lags behind.

CXOtoday

Analyst Comment: According to reports, cybercriminals are already conducting phishing attacks using URLs that mimic genuine metaverse sites. New cyber risks may also develop in extended reality: a hijacked avatar or a deepfake could be used to approve a transfer of funds or to extract sensitive business information. Both customers and staff may be affected. Robust systems will be needed for identity proofing and verification, especially if new metaverses emerge with distinct governance and verification structures.

Officials in Indonesia are discussing blockchain for elections, among other use cases in the country. Blockchain can enable e-voting, removing the need for polling stations (TPS) and for the special election teams that run them. According to Dr. Andry Alamsyah, an honorary member of the Indonesian Blockchain Association (ABI), blockchain technology can also cut costs and eliminate the need for paper ballots. According to Budi Rahardjo, an IT practitioner and honorary member of ABI, e-voting is an effective blockchain implementation for Indonesia, but the country’s present digital divide necessitates a hybrid online/offline implementation. Budi also emphasized the security of the decentralized technology, stating that an attacker would have to compromise at least 50% plus one of the participating servers, a near impossibility given the large number of servers an election would require. Asih Karnengsih, Chairwoman of ABI, highlighted blockchain’s other benefits for Indonesia. The technology can improve the distribution of G2P (Government to Person) social assistance programs. It can also make cross-border transactions for the financial industry faster, cheaper, and more secure, because participants are on the same network and do not require verification from third parties. In the health service industry, blockchain can enable smart hospital systems, namely data integration between hospitals. In the supply chain industry, it can track the movement and distribution of goods. Yahoo Finance


CRITICAL & EMERGING TECHNOLOGY

A system to analyze the noise produced by individual cameras has been developed by computer scientists at the University of Groningen as part of a project aimed at developing intelligent tools to combat child exploitation. This data can be used to associate a video or image with a specific camera. The researchers developed the computational model to extract camera noise from video frames shot with 28 different cameras from the publicly available VISION dataset, which was then used to train a convolutional neural network. The input videos are processed in three stages. First, the frames are extracted from a video and are then pre-processed. Second, a frame-level classifier is used to predict the class for each frame. Finally, the frame predictions are aggregated to determine the video-level prediction for the given video. They then tested whether the trained system could identify frames captured by the same camera. The system recognized approximately 72% of the frames. The researchers also pointed out that noise can be specific to a brand of cameras, a type of camera, or an individual camera. In another set of experiments, the researchers classified 18 camera models with 99% accuracy using images from the publicly available Dresden dataset. Tech Xplore
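The three-stage pipeline described above, as an added illustration that is not the researchers’ code or model: instead of a convolutional neural network it uses the classic sensor-noise approach of subtracting a denoised frame to obtain a noise residual, averaging residuals into a per-camera fingerprint, and scoring test frames by normalized correlation before a majority vote produces the video-level prediction. The cameras, frames, 12x12 frame size, noise levels and all function names are constructed for the example; nothing here is drawn from the VISION or Dresden datasets.

```python
"""Camera-noise attribution: frame -> residual -> frame-level classifier ->
video-level aggregation. Illustrative stdlib-only model, not the paper's CNN."""
import random

W = 12                    # frame width/height in pixels (constructed)
PRNU_STRENGTH = 0.05      # std dev of the per-camera multiplicative sensor pattern
SHOT_NOISE = 2.0          # std dev of per-frame additive noise


def make_camera(rng):
    """A camera is modelled by a fixed multiplicative sensor pattern K."""
    return [[rng.gauss(0.0, PRNU_STRENGTH) for _ in range(W)] for _ in range(W)]


def capture_frame(camera, rng):
    """Simulate one frame: smooth scene content times (1 + K) plus shot noise."""
    brightness = rng.uniform(60.0, 140.0)
    frame = []
    for y in range(W):
        row = []
        for x in range(W):
            scene = brightness + 40.0 * (x + y) / (2 * (W - 1))  # smooth gradient
            row.append(scene * (1.0 + camera[y][x]) + rng.gauss(0.0, SHOT_NOISE))
        frame.append(row)
    return frame


def noise_residual(frame):
    """Stage 1 pre-processing: subtract a 3x3 neighbour mean (crude denoiser) so
    smooth scene content drops out and sensor noise remains. Interior pixels only."""
    res = []
    for y in range(1, W - 1):
        for x in range(1, W - 1):
            neigh = [frame[y + dy][x + dx] for dy in (-1, 0, 1) for dx in (-1, 0, 1)
                     if (dy, dx) != (0, 0)]
            res.append(frame[y][x] - sum(neigh) / len(neigh))
    return res


def correlation(a, b):
    """Normalized cross-correlation of two equal-length residual vectors."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    da = sum((u - ma) ** 2 for u in a) ** 0.5
    db = sum((v - mb) ** 2 for v in b) ** 0.5
    return num / (da * db) if da and db else 0.0


def build_fingerprints(reference_videos):
    """Enrolment: one fingerprint per camera = mean residual of its reference frames."""
    fps = {}
    for cam_id, frames in reference_videos.items():
        residuals = [noise_residual(f) for f in frames]
        n = len(residuals)
        fps[cam_id] = [sum(r[i] for r in residuals) / n for i in range(len(residuals[0]))]
    return fps


def classify_frame(frame, fingerprints):
    """Stage 2: frame-level prediction = camera whose fingerprint correlates best."""
    res = noise_residual(frame)
    return max(fingerprints, key=lambda cid: correlation(res, fingerprints[cid]))


def classify_video(frames, fingerprints):
    """Stage 3: aggregate the frame votes into a single video-level prediction."""
    votes = {}
    for f in frames:
        cid = classify_frame(f, fingerprints)
        votes[cid] = votes.get(cid, 0) + 1
    return max(votes, key=votes.get)


def demo(n_cameras=3, ref_frames=16, test_frames=8, seed=7):
    """Enrol cameras, then attribute a fresh video from each one.
    Returns {true_camera: predicted_camera} so the caller can check accuracy."""
    rng = random.Random(seed)
    cameras = {f"cam{i}": make_camera(rng) for i in range(n_cameras)}
    reference = {cid: [capture_frame(cam, rng) for _ in range(ref_frames)]
                 for cid, cam in cameras.items()}
    fingerprints = build_fingerprints(reference)
    return {cid: classify_video([capture_frame(cam, rng) for _ in range(test_frames)],
                                fingerprints)
            for cid, cam in cameras.items()}


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that the denoiser does the real work: on smooth content the 3x3 mean reproduces the scene exactly, so what survives subtraction is the high-passed sensor pattern plus shot noise, and averaging sixteen reference residuals suppresses the shot noise by a factor of four while leaving the pattern intact. That is also why only a handful of frames is needed per video: each frame-level correlation is already well separated, and the vote only has to absorb the occasional outlier.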


Analyst Comment: According to the Internet Watch Foundation, the Netherlands was the leading distributor of digital content depicting child sexual abuse in 2019. Forensic tools that analyze digital content are needed to determine which images or videos contain suspected child abuse material, and the noise in image or video frames is an additional, largely untapped source of information. As part of an EU project, the University of Groningen computer scientists collaborated with colleagues from the University of León (Spain) to extract and classify noise from an image or video, revealing the “fingerprint” of the camera used. This method of identifying camera devices was designed with the practical requirement of high throughput for law enforcement agencies (LEAs) in mind: it needs only a small number of video frames to achieve high accuracy, which means the search space of cameras and videos can be expanded. The researchers achieved high performance on the QUFVD dataset while also demonstrating the efficacy of their approach on the VISION dataset. They are currently in contact with forensic specialists and law enforcement agencies to continue this research.

Researchers proposed an AI software supply chain vulnerability concept and provided a proof-of-concept autonomous exploitation framework for software within cyber-physical systems (CPS). The researchers used an autonomous vehicle case study to evaluate the framework, with a traditionally simple goal: for a vehicle to drive at a safe speed in the center of the road. The vehicle system’s components included lidar-based sensors, a speed sensor, throttle, braking, and steering actuators, and an underlying neural network driving controller that made use of the TensorFlow machine learning library within the Docker Hub ecosystem. The researchers identified this controller as the system’s most vulnerable component. In the framework, a multi-layered pipeline performs image discovery, vulnerability analysis, and visualization of related AI/ML images. Using this method, the researchers were able to identify vulnerabilities at every layer of the final container package, piecing together the full story of the target application, and thereby discovered vulnerabilities that traditional vulnerability discovery methods had missed. In future work, the researchers will concentrate on integrating hardware-based vulnerabilities as well as assessing the feasibility of injecting AI model trojans into safety-critical applications. They intend to create a behavior-based assurance methodology to provide comprehensive defense against the underlying suite of attacks. IEEE Xplore


Analyst Comment: The researchers discovered flaws in the TensorFlow library output computation as a result of this analysis. The specific vulnerability was discovered within the Linux base image’s LibC library, propagating to all of the underlying connected child images, including the TensorFlow image. By gaining remote access to the container memory via this method, the attacker has the potential to disrupt the locally stored AI model as well as control outputs, resulting in unexpected vehicle behavior. However, not all vulnerabilities identified in an image by this framework may lead to an exploitable path in a deployed container in the wild. This means that there is a discrepancy between the number of vulnerabilities discovered in an image and the actual number of exploitable vulnerabilities. While the vulnerabilities that pose a risk cannot always be identified without a more thorough examination of the entire container, knowing that a specific application contains a library with vulnerabilities can provide an attacker with important hints as to where to look for workable exploits.
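A layer-aware model of the provenance analysis described in the two paragraphs above, written as an added example rather than the researchers’ framework. It replays a container image’s layer chain base-first, records which layer introduced each vulnerable package version, and then checks whether that version is still what the final filesystem holds, which is exactly the gap between “found in some layer” and “exploitable in the deployed container” noted in the analyst comment. The image names, layer digests, package versions and the vulnerability record (VULN-LIBC-1, libc6 fixed in 2.31-14) are all constructed placeholders, not real advisories.

```python
"""Layer-aware vulnerability provenance for a container image chain.
Illustrative model (constructed data), not the paper's framework."""
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v):
    """Turn '2.31-13' into a comparable tuple (2, 31, 13). Simplification: real
    distro version ordering (epochs, tildes, letters) is richer than this."""
    return tuple(int(tok) if tok.isdigit() else tok
                 for tok in v.replace("-", ".").split("."))


@dataclass
class Layer:
    digest: str
    installs: dict = field(default_factory=dict)   # package -> version installed/upgraded
    removes: tuple = ()                            # packages deleted in this layer


@dataclass
class Image:
    name: str
    parent: Optional[str]
    layers: list                                   # layers this image adds on top of parent


def layer_chain(images, name):
    """Walk parent links and return the full ordered layer list, base first."""
    img = images[name]
    inherited = layer_chain(images, img.parent) if img.parent else []
    return inherited + img.layers


def analyze(images, name, vulns):
    """Replay layers in order. Each finding records the layer that introduced the
    vulnerable package version; a second pass marks whether that exact version is
    still on the final filesystem, i.e. whether a per-layer hit survives deployment."""
    state = {}        # package -> (version, layer_digest) currently on the filesystem
    findings = []
    for layer in layer_chain(images, name):
        for pkg in layer.removes:
            state.pop(pkg, None)
        for pkg, ver in layer.installs.items():
            state[pkg] = (ver, layer.digest)
            for v in vulns:
                if v["package"] == pkg and parse_version(ver) < parse_version(v["fixed_in"]):
                    findings.append({"id": v["id"], "package": pkg, "version": ver,
                                     "introduced_in": layer.digest, "present": True})
    for f in findings:
        cur = state.get(f["package"])
        f["present"] = cur is not None and cur[0] == f["version"]
    return findings


# Constructed image chain: a base OS layer carrying the vulnerable libc, a Python
# runtime, a TensorFlow image, and two application images built on top of it.
VULNS = [{"id": "VULN-LIBC-1", "package": "libc6", "fixed_in": "2.31-14"}]

IMAGES = {
    "base-os": Image("base-os", None,
                     [Layer("sha256:base", {"libc6": "2.31-13", "bash": "5.0"})]),
    "python-runtime": Image("python-runtime", "base-os",
                            [Layer("sha256:py", {"python3": "3.8"})]),
    "tensorflow": Image("tensorflow", "python-runtime",
                        [Layer("sha256:tf", {"tensorflow": "2.4"})]),
    "driving-controller": Image("driving-controller", "tensorflow",
                                [Layer("sha256:ctl", {"controller": "1.0"})]),
    # Same chain, but a hardening layer upgrades libc before the app layer is added
    "driving-controller-patched": Image(
        "driving-controller-patched", "tensorflow",
        [Layer("sha256:fix", {"libc6": "2.31-14"}),
         Layer("sha256:ctl2", {"controller": "1.0"})]),
}


def report(name):
    """Compact (id, introducing layer, still present) view of the findings."""
    return [(f["id"], f["introduced_in"], f["present"]) for f in analyze(IMAGES, name, VULNS)]


if __name__ == "__main__":
    for img in ("base-os", "driving-controller", "driving-controller-patched"):
        print(img, report(img))
```

Both application images inherit the same finding from sha256:base, which is the propagation the researchers describe; only the replay of later layers tells the two apart, since a scanner that reports on every layer independently would flag the patched image just as loudly, while one that looks only at the final filesystem would lose the fact that the exposure entered through the base image rather than the TensorFlow or application layers.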

Researchers developed a distributed gradient-based optimization technique that allows non-malicious agents to exchange digitized (quantized) information in a multi-agent system in which some agents behave adversarially by sending fake information. Making decisions and optimizing objectives over a network of spatially distributed agents applies to autonomous systems, smart grids, and distributed learning; in such systems each agent solves the optimization problem using local information in coordination with its neighbors. The researchers investigated how a distributed subgradient algorithm behaves when adversarial agents are present and communication bandwidth is limited. They showed that the algorithm converges to a neighborhood of the optimal solution whose size depends on the number of digitization bits and the magnitude of the attack vector. They illustrated the theoretical results with simulations of a network of n = 10 agents, a fraction of which act adversarially. The results show that even with adversarial agents present, the non-adversarial agents can still get close to the optimal solution, provided the step size is chosen with respect to the strong convexity and Lipschitz parameters and the subgradient bound is expressed in terms of a suitable step size. The algorithm’s performance is also shown as a function of the adversarial attack vector and the digitization fineness. IEEE Xplore

Analyst Comment: Although the researchers demonstrated convergence to a neighborhood of the optimal solution, the convergence error grows as the number of adversarial agents in the network increases. Previous research has shown that the convergence of distributed subgradient methods with digitization depends on the quantization levels and the number of bits; this method adds an adversarial attack to the constraints and still achieves similar convergence characteristics. The results hold, under certain conditions, for strongly convex functions; extending them to functions that are not strongly convex remains an open problem for interested researchers.
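An added simulation of the setting in the two paragraphs above (it is not the researchers’ algorithm, proof or code): n = 10 agents each hold a quadratic local function, exchange fixed-point quantized states over a complete graph with uniform weights, and take a constant gradient step; adversarial agents add a fixed offset to what they broadcast. The quadratic local functions, the complete-graph topology, the step size of 0.05, the 8-bit quantizer and the additive-offset attack model are all assumptions of the example. Running it reproduces the qualitative behaviour the paper describes: the honest agents settle into a neighborhood of the optimum whose width grows with the number of adversaries and with the attack magnitude, with a further error term bounded by half the quantizer step divided by the step size.

```python
"""Quantized distributed (sub)gradient descent with adversarial agents.
Illustrative simulation with assumed parameters, not the paper's algorithm."""


def quantize(x, bits):
    """Digitize a real value to a fixed-point grid with 2**bits levels per unit."""
    scale = 2 ** bits
    return round(x * scale) / scale


def run(n=10, adversaries=(), attack=0.0, bits=8, alpha=0.05, iters=500):
    """Agent i holds f_i(x) = 0.5 * (x - a_i)^2 with a_i = i + 1, which is strongly
    convex with Lipschitz gradient (both constants 1), so alpha = 0.05 < 1/L is an
    admissible constant step. The network optimum of sum_i f_i is the mean of the
    a_i (5.5 for n = 10). Every round each agent broadcasts its quantized state;
    adversarial agents add `attack` to their message. Honest and adversarial
    agents alike mix the received messages with uniform weights 1/n (complete
    graph) and then take a local gradient step. Returns (max honest error, states)."""
    targets = [float(i + 1) for i in range(n)]
    optimum = sum(targets) / n
    x = [0.0] * n
    for _ in range(iters):
        messages = [quantize(x[j], bits) + (attack if j in adversaries else 0.0)
                    for j in range(n)]
        consensus = sum(messages) / n                  # uniform-weight mixing step
        x = [consensus - alpha * (x[i] - targets[i])   # gradient of f_i at x_i
             for i in range(n)]
    honest = [i for i in range(n) if i not in adversaries]
    err = max(abs(x[i] - optimum) for i in honest)
    return err, x


def sweep(attack=0.5, max_adversaries=3):
    """Max honest error as the number of adversarial agents grows from 0."""
    return [run(adversaries=tuple(range(m)), attack=attack)[0]
            for m in range(max_adversaries + 1)]


if __name__ == "__main__":
    for m, e in enumerate(sweep()):
        print(f"{m} adversarial agents -> max honest error {e:.3f}")
```

The arithmetic behind the sweep is the practitioner’s takeaway: the offset is averaged in every round with weight m/n, and only the local gradient pull of strength alpha counters it, so the honest agents’ bias settles at (m/n)·attack/alpha. Shrinking alpha tightens the attack-free neighborhood (each agent’s own deviation is alpha/(1+alpha) times its distance from the mean) but widens the attacked one, which is why the step-size conditions in the paper are stated jointly in terms of the convexity constants and the attack bound rather than as “smaller is better”.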


GOVERNANCE 

USG UPDATES

According to the Government Accountability Office (GAO), DHS and the Department of the Treasury should assess the need for a federal response to insurance against cyberattacks. A performance audit conducted by GAO between March 2020 and June 2022 found that the government’s Terrorism Risk Insurance Program (TRIP) and private cyber insurance are limited in their ability to cover potentially catastrophic losses from systemic cyberattacks. The watchdog found that private insurers have been taking steps to limit their potential losses from systemic cyber events; for example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages, and many have raised premium rates in response to increasing losses. One insurer opted not to insure the energy sector because energy operations can be attacked in multiple ways and because it is concerned that energy operators do not follow robust cybersecurity practices. According to CISA and Federal Insurance Office (FIO) officials, one reason they have not yet assessed the need for a federal response to systemic cyber events is that they lack the data to do so, although they agreed that such an assessment is needed. DHS stated that it will review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 once available, and will work with the Treasury in the interim to determine what other data is needed. The Treasury confirmed that it has begun collaborating on this effort. HS Today, Risky Biz

Analyst Comment: As cyberattacks and ransom demands continue to grow, insurance is becoming more expensive for both insurers and the insured. As a result, many are questioning the economic viability of the cyber insurance market. Governments are more likely to track cyberattacks than some businesses due to their mandates for transparency, but attacks are still not tracked globally. This creates a systemic data challenge that makes it difficult for insurers to calculate risk.

House appropriators on Friday, June 24, voted in favor of a $2.9B budget for CISA. The amount allocated for CISA is $417M more than the Biden administration requested for the DHS cyber wing and $334M above its fiscal year 2022 allotment. The spending bill also included $12.8M for Homeland Security Investigations – the department’s investigative arm – to “combat cybercrime.” The Record


GEOPOLITICS

Russian officials have begun to use domestic video conferencing facilities (VKS), following the government’s directive to refrain from using foreign applications such as Zoom, Webex, and WhatsApp for official communications, according to Russian newspaper Kommersant. On June 1, Deputy Prime Minister Dmitry Chernyshenko directed officials at all levels of government to stop using foreign messengers for official correspondence. The Ministry of Digital Development, which was tasked with carrying out the order, recommended that officials use the VK service for civil servants. Russian developers anticipate a significant increase in demand for their solutions in response to the new government directives. Stanislav Iodkovsky, CEO of IVA Technologies (IVA MCU service), told Kommersant that demand for the company’s solutions in the state segment increased three to four times in the second quarter compared to the previous three months. Due to the withdrawal of foreign suppliers from Russia, he anticipates even more active demand for domestic products in the corporate sector. TrueConf Development Director Dmitry Odintsov confirmed a significant increase in demand from business customers for the company’s solution. Vinteo reported a threefold increase in demand for a videoconferencing system, with the business segment accounting for 45%, primarily the oil and gas and financial sectors. Risky Biz, Aroged

A Chinese influence operation failed to mobilize US protests against an Australian rare earth mining company planning an expansion in Texas, in an effort to defend Beijing’s market dominance, according to researchers. Mandiant, which tracks the operation as Dragonbridge, notes that China sees its dominant position in the rare earths market as significant geopolitical leverage, a view American manufacturers and national security officials have shared for years. The campaign also targeted Appia Rare Earths & Uranium Corp of Canada and USA Rare Earth of the US. Prior campaigns attributed to Dragonbridge have similarly sought to promote pro-Beijing messages, such as a 2021 effort to incite Asian-American protests in New York City in response to anti-Asian Covid-19 discrimination. Researchers have also observed Dragonbridge supporting Moscow’s narratives: the cybersecurity firm published research in May demonstrating how the operation used legions of fake social media accounts to echo and amplify Russian government messaging about US-backed biological weapons labs in Ukraine. CyberScoop

Analyst Comment: This most recent campaign shows how willing the People’s Republic of China is to use such tactics against corporations that threaten Beijing’s market hegemony and security interests. Beyond promoting geopolitical narratives consistent with PRC political objectives, similar information operations may target other specific industries or businesses that are crucial to the PRC’s strategic goals. So far the campaign has failed to create meaningful engagement, despite having expanded its ability to target specific audiences and having co-opted legitimate criticism of its targets.


LAW & DATA PRIVACY

The Italian data protection authority (the Garante) has prohibited the use of Google Analytics on Italian websites, making Italy the third country, after Austria and France, to do so. Without the safeguards established by the EU regulation, a website that employs the Google Analytics (GA) service violates data protection legislation because it transfers user data to the US, “a country without an adequate level of protection,” the authority stated. The Garante reached this conclusion at the end of a comprehensive inquiry launched in response to a series of complaints and conducted in collaboration with other European privacy authorities. According to the Garante’s findings, operators of websites that use GA collect, via cookies, information on users’ interactions with those sites, the individual pages visited, and the services offered. The data gathered includes the IP address of the user’s device as well as the browser, operating system, screen resolution, language preference, and the date and time of the page visit, and this data was forwarded to the US. In deeming the processing unlawful, the authority underlined that the IP address is personal data and that even a truncated IP address does not become anonymous, given Google’s capacity to combine it with other data it holds. Separately, an FCC commissioner has renewed calls for Apple and Google to remove TikTok from their app stores, citing national security concerns about TikTok’s China-based parent company, ByteDance. Risky Biz, GPDP, CNN

