CVE-2017-15109

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

CVE-2017-15106

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

CVE-2017-12152

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

Ransomware, email compromise are top security threats, but deepfakes increase

While ransomware and business email compromise (BEC) are leading causes of security incidents for businesses, geopolitics and deepfakes are playing an increasing role, according to reports from two leading cybersecurity companies.

VMware’s 2022 Global Incident Threat Response Report shows a steady rise in extortionary ransomware attacks and BEC, alongside fresh jumps in deepfakes and zero-day exploits.

NIST’s Post-Quantum Cryptography Standards

Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional computers.

Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible. Even so, we already know that such a computer could potentially factor large numbers and compute discrete logs, and break the RSA and Diffie-Hellman public-key algorithms in all of the useful key sizes.

Cryptographers hate being rushed into things, which is why NIST began a competition to create a post-quantum cryptographic standard in 2016. The idea is to standardize on both a public-key encryption and digital signature algorithm that is resistant to quantum computing, well before anyone builds a useful quantum computer.

NIST is an old hand at this competitive process, having previously done this with symmetric algorithms (AES in 2001) and hash functions (SHA-3 in 2015). I participated in both of those competitions, and have likened them to demolition derbies. The idea is that participants put their algorithms into the ring, and then we all spend a few years beating on each other’s submissions. Then, with input from the cryptographic community, NIST crowns a winner. It’s a good process, mostly because NIST is both trusted and trustworthy.

In 2017, NIST received eighty-two post-quantum algorithm submissions from all over the world. Sixty-nine were considered complete enough to be Round 1 candidates. Twenty-six advanced to Round 2 in 2019, and seven (plus another eight alternates) were announced as Round 3 finalists in 2020. NIST was poised to make final algorithm selections in 2022, with a plan to have a draft standard available for public comment in 2023.

Cryptanalysis over the competition was brutal. Twenty-five of the Round 1 algorithms were attacked badly enough to remove them from the competition. Another eight were similarly attacked in Round 2. But here’s the real surprise: there were newly published cryptanalysis results against at least four of the Round 3 finalists just months ago—moments before NIST was to make its final decision.

One of the most popular algorithms, Rainbow, was found to be completely broken. Not that it could theoretically be broken with a quantum computer, but that it can be broken today—with an off-the-shelf laptop in just over two days. Three other finalists, Kyber, Saber, and Dilithium, were weakened with new techniques that will probably work against some of the other algorithms as well. (Fun fact: Those three algorithms were broken by the Center of Encryption and Information Security, part of the Israeli Defense Force. This represents the first time a national intelligence organization has published a cryptanalysis result in the open literature. And they had a lot of trouble publishing, as the authors wanted to remain anonymous.)

That was a close call, but it demonstrated that the process is working properly. Remember, this is a demolition derby. The goal is to surface these cryptanalytic results before standardization, which is exactly what happened. At this writing, NIST has chosen a single algorithm for general encryption and three digital-signature algorithms. It has not chosen a public-key encryption algorithm, and there are still four finalists. Check NIST’s webpage on the project for the latest information.

Ian Cassels, British mathematician and World War II cryptanalyst, once said that “cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” This mixture is particularly difficult to achieve with public-key algorithms, which rely on the mathematics for their security in a way that symmetric algorithms do not. We got lucky with RSA and related algorithms: their mathematics hinge on the problem of factoring, which turned out to be robustly difficult. Post-quantum algorithms rely on other mathematical disciplines and problems—code-based cryptography, hash-based cryptography, lattice-based cryptography, multivariate cryptography, and so on—whose mathematics are both more complicated and less well-understood. We’re seeing these breaks because those core mathematical problems aren’t nearly as well-studied as factoring is.

The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required. We’ve learned the hard way how algorithms can get so entrenched in systems that it can take many years to update them: in the transition from DES to AES, and the transition from MD4 and MD5 to SHA, SHA-1, and then SHA-3.

We need to do better. In the coming years we’ll be facing a double uncertainty. The first is quantum computing. When and if quantum computing becomes a practical reality, we will learn a lot about its strengths and limitations. It took a couple of decades to fully understand von Neumann computer architecture; expect the same learning curve with quantum computing. Our current understanding of quantum computing architecture will change, and that could easily result in new cryptanalytic techniques.

The second uncertainty is in the algorithms themselves. As the new cryptanalytic results demonstrate, we’re still learning a lot about how to turn hard mathematical problems into public-key cryptosystems. We have too much math and an inability to add more muddle, and that results in algorithms that are vulnerable to advances in mathematics. More cryptanalytic results are coming, and more algorithms are going to be broken.

We can’t stop the development of quantum computing. Maybe the engineering challenges will turn out to be impossible, but it’s not the way to bet. In the face of all that uncertainty, agility is the only way to maintain security.

This essay originally appeared in IEEE Security & Privacy.

EDITED TO ADD: One of the four public-key encryption algorithms selected for further research, SIKE, was just broken.

Stories from the SOC – Credential compromise and the importance of MFA

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

User account credentials are both a necessary component of normal operations and a critical vector for a malicious actor’s entrance into an enterprise environment. Compensating for the inherent risk of granting the end user access to corporate systems is a challenge in balancing usability with security. When a user with low-level privileges can have their credentials abused to gain increased levels of access, superior solutions to standard username-and-password schemes become necessary. The use of common multi-factor authentication (MFA) through mandating login approval via a mobile device can enable significantly heightened security without significantly compromising the user experience, while allowing security investigators better visibility into potential attempts to infiltrate infrastructure.

The AT&T Managed Extended Detection and Response (MXDR) SOC analyst team received an alarm for a rejected MFA challenge which was triggered by several login attempts from an unrecognized IP address. After investigating, the SOC discovered that this was the aftermath of a malicious actor attempting to gain access to the customer’s systems through this user’s compromised credentials. After communicating with the customer, it was determined that the user’s asset was lacking essential endpoint protection and security monitoring coverage, which may have caused the initial compromise and was remediated as a result of the SOC’s vigilance.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered by a built-in USM Anywhere rule named “User Reported Suspicious Activity in Okta”. This rule was developed by the Alien Labs team to trigger when an Okta user rejects a login attempt from an unrecognized source. Okta, a popular multi-factor authentication and single sign-on service provider, incorporates this feature into their products to help detect malicious behavior.

Expanded investigation

Events search

In this case, the initial alarm lacked detail: the analyst could tell from where the user rejected the suspicious login, but had no information about the suspicious login itself. Additionally, no other alarms had been generated as a result of the user’s activity: could this detection simply be a false positive, or a mistake by the reporter? Additional event information was needed to determine whether this was the case. To begin, the analyst located the original event from which the alarm was generated and reviewed the additional information it contained.

The information gained from this event was invaluable: not only was the reported IP thousands of miles from the user’s location, but open-source intelligence (OSINT) indicated that the IP address in question was malicious. At this stage, it appeared likely that a malicious entity had gained access to the account’s credentials, but more information was needed to ascertain if any further damage had occurred to the customer’s environment. To locate more events, filters were applied in USM Anywhere to search specifically for events associated with both this malicious actor’s IP address and the user’s account.

Event deep dive

To determine the extent of the compromise, activity to and from the malicious IP was examined. Initially, little of note was found outside of the already-located login activity. However, when the event view was expanded to include events from the last 90 days, it was revealed that the malicious actor had initiated many connections to the customer’s Amazon Web Services (AWS) environment several months prior, perhaps as a form of surveillance. This finding made it clear that the attacker had been interested in the customer for some time but had only initiated clear action at the time of the alarm.

Further examination into user activities revealed shockingly little of note. Successful logins could be found, but no malicious activity after the fact was immediately visible. The user reported the suspicious activity six hours after it initially occurred: did any compromise occur in this time? The answer appeared to be no, but the combination of a seemingly determined, patient attacker and an apparent compromise of credentials made further analysis of the matter essential.
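The pivot described in this investigation, as an added example (not the SOC's or USM Anywhere's own logic): it takes the user and reported IP from the alarm, searches a lookback window for both, and reports earlier contacts from that IP, whether any login from it succeeded, and the gap before the user's report. The flat event schema, the `network.connection` type, the account name and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Okta System Log event type raised when an end user reports suspicious activity.
REPORT = "user.account.report_suspicious_activity_by_enduser"

# Constructed sample events in a flat, hypothetical schema (not USM Anywhere's):
# (time, source, event type, user, source IP, result). IPs are documentation ranges.
EVENTS = [
    ("2022-04-02T08:10:00", "aws", "network.connection", None, "203.0.113.50", "ACCEPT"),
    ("2022-04-09T21:44:00", "aws", "network.connection", None, "203.0.113.50", "ACCEPT"),
    ("2022-06-14T02:05:00", "okta", "user.authentication.auth_via_mfa", "jdoe", "203.0.113.50", "FAILURE"),
    ("2022-06-14T02:06:00", "okta", "user.authentication.auth_via_mfa", "jdoe", "203.0.113.50", "FAILURE"),
    ("2022-06-14T07:30:00", "okta", "user.session.start", "jdoe", "198.51.100.7", "SUCCESS"),
    ("2022-06-14T08:05:00", "okta", REPORT, "jdoe", "198.51.100.7", "SUCCESS"),
]

def triage(events, user, bad_ip, lookback_days=90):
    """Pivot on the reported IP and the user's account over a lookback window."""
    rows = sorted(((datetime.fromisoformat(t), s, e, u, ip, r)
                   for t, s, e, u, ip, r in events), key=lambda r: r[0])
    # The user's report anchors the window; everything is measured back from it.
    report = next(r for r in rows if r[2] == REPORT and r[3] == user)
    start = report[0] - timedelta(days=lookback_days)
    window = [r for r in rows if start <= r[0] <= report[0]]
    from_ip = [r for r in window if r[4] == bad_ip]
    attempts = [r for r in from_ip if r[3] == user]
    first_attempt = attempts[0][0] if attempts else report[0]
    # Source IPs of the user's successful events between first attempt and report.
    gap_ok = {r[4] for r in window
              if r[3] == user and r[0] >= first_attempt
              and r[5] == "SUCCESS" and r[2] != REPORT}
    return {
        "first_seen": from_ip[0][0] if from_ip else None,
        "earlier_contacts": sum(1 for r in from_ip if r[0] < first_attempt),
        "attempts": len(attempts),
        "success_from_bad_ip": [r for r in attempts if r[5] == "SUCCESS"],
        "exposure": report[0] - first_attempt,
        "gap_success_ips": gap_ok,
    }

if __name__ == "__main__":
    for key, value in triage(EVENTS, "jdoe", "203.0.113.50").items():
        print(f"{key}: {value}")
```

With a short lookback such as `lookback_days=7`, the earlier AWS contacts fall outside the window and `earlier_contacts` drops to zero, which is why widening the search to 90 days mattered in this case.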

Response

Building the investigation

Utilizing the findings seen above, an investigation was created in the customer’s USM Anywhere instance detailing the activity. Shortly after receiving the investigation, the customer began to examine all information associated with the user’s account internally.

Customer interaction

Upon beginning their internal investigation, the customer escalated the severity of the investigation and confirmed that a true compromise of the user’s credentials had taken place. The customer also confirmed, fortunately, that MFA successfully prevented all logins from causing further harm. Not only did the company’s MFA solution result in the creation of the initial alarm, it also mitigated the impact of the attack. After confirming this, the customer reset the user’s credentials and set out to determine the root cause of their initial compromise as the SOC provided additional details relating to the attacker’s IP to aid in finding any malicious activity which the attacker may have conducted.

As a result of the SOC’s investigation, the customer uncovered a significant gap in security coverage on the affected user’s asset. The monitoring and endpoint protection software suites used by the customer were not properly functioning, creating a blind spot in the customer’s environment that potentially contributed to the initial compromise of the user’s credentials. Because of the SOC’s work, this issue was able to be remediated.
