Each quarter HP’s security experts highlight notable malware campaigns, trends and techniques identified by HP Wolf Security. By isolating threats that have evaded detection tools and made it to endpoints, HP Wolf Security gives an insight into the latest techniques used by cybercriminals, equipping security teams with the knowledge to combat emerging threats and improve their security postures.

Discover the following highlights uncovered this quarter.

Threat actors continued to rely on living-off-the-land tactics in Q3, abusing tools built into Windows to conduct their attacks. The HP Threat Research team identified a new malware campaign that relied entirely on living-off-the-land tools. The attackers impersonated a shipping company to spread the Vjw0rm and Houdini script malware families. But time may be up for these malware families, given Microsoft's October 2023 announcement that VBScript is deprecated and will be phased out of future Windows releases. We expect threat actors to shift to tools written in other interpreted languages, such as Batch and PowerShell, in response.

The team identified a surge in the abuse of Excel add-in (XLL) files in Q3. Excel add-in malware rose to the 7th most popular file extension used by attackers, up from 46th place in Q2. Unlike macro documents, XLL add-ins are native DLLs that Excel loads directly, so macro-blocking policies alone do not stop them. HP Wolf Security detected attackers trying to infect devices with Parallax RAT through malicious Excel add-ins masquerading as scanned invoices.

In Q3, HP Wolf Security detected a malware campaign targeting hotels in Latin America with macro-enabled PowerPoint add-ins. The presentations, sent via email, were disguised as information from a hospitality management software vendor.
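The three campaigns above share a telemetry footprint that endpoint logs can catch: a script host (wscript.exe, cscript.exe, mshta.exe) started with a script from a user-writable directory, or Excel and PowerPoint loading an add-in from outside the Office install tree. The following detection logic is an added example written for this page, not code from HP Wolf Security or the report; it runs over constructed Sysmon-style process-creation and image-load events (field names, parent list and path patterns are assumptions to tune for your environment).

```python
import ntpath
import re

# Script hosts abused in living-off-the-land campaigns, and the script
# extensions they run (the VBScript/JScript families used by Vjw0rm and Houdini).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Office hosts and the add-in extensions they load (XLL: native DLL add-ins,
# PPAM: macro-enabled PowerPoint add-ins).
ADDIN_HOSTS = {"excel.exe": (".xll",), "powerpnt.exe": (".ppam",)}
# Paths a phished user (or an archive/mail client acting for them) can write to.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Parents that indicate "user opened an attachment" rather than admin automation
# (assumed list; extend with your mail client and archivers).
RISKY_PARENTS = {"outlook.exe", "7zfm.exe", "winrar.exe", "chrome.exe", "msedge.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def _tokens(cmdline):
    # Split on whitespace but keep quoted Windows paths together.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_event(ev):
    """Return a finding dict for one event, or None if it looks benign."""
    if ev["event"] == "ProcessCreate":
        host = _base(ev["image"])
        if host not in SCRIPT_HOSTS:
            return None
        scripts = [t for t in _tokens(ev["cmdline"]) if t.lower().endswith(SCRIPT_EXTS)]
        if not scripts:
            return None
        staged = any(USER_WRITABLE.search(s) for s in scripts)
        parent = _base(ev["parent"])
        if staged or parent in RISKY_PARENTS:
            return {"rule": "lolbin_script_host", "host": host, "parent": parent,
                    "script": scripts[0], "user": ev["user"]}
        return None
    if ev["event"] == "ImageLoad":
        host = _base(ev["image"])
        exts = ADDIN_HOSTS.get(host)
        if exts and ev["loaded"].lower().endswith(exts) and USER_WRITABLE.search(ev["loaded"]):
            return {"rule": "office_addin_from_user_path", "host": host,
                    "addin": ev["loaded"], "user": ev["user"]}
    return None


def analyze(events):
    """Run every event through check_event and keep only the findings."""
    return [f for f in map(check_event, events) if f]


# Constructed sample events in a Sysmon-like shape (Event ID 1 process creation,
# Event ID 7 image load); not real telemetry.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "user": "CORP\\jo", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jo\AppData\Local\Temp\7zO4A\shipping_invoice.vbs"'},
    {"event": "ProcessCreate", "user": "CORP\\svc-kms", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
    {"event": "ImageLoad", "user": "CORP\\jo", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "loaded": r"C:\Users\jo\Downloads\Scanned_Invoice_0931.xll"},
    {"event": "ImageLoad", "user": "CORP\\jo", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    {"event": "ImageLoad", "user": "CORP\\ana", "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "loaded": r"C:\Users\ana\AppData\Roaming\Microsoft\AddIns\hotel_software_update.ppam"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The legitimate slmgr.vbs run and the Office-shipped ANALYS32.XLL load fall through, while the archive-spawned script and the two add-ins from user profiles are flagged. Sysmon image-load events are noisy, so scope the ImageLoad rule to the Office hosts above rather than logging every DLL load, and expect to allowlist signed add-ins that your users legitimately keep under AppData\Roaming\Microsoft\AddIns.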

HP uncovered attackers hosting fake remote access trojans (RATs) on GitHub, attempting to trick inexperienced cybercriminals into infecting their own PCs. The code repositories claim to contain full versions of a popular malware kit called XWorm that sells for up to $500 USD, but instead download and run malware on the aspiring hacker's machine.


Cybercrime, Security

With digital technology increasingly vital to business, the CIO role is quickly evolving, placing IT leaders under threat from business executives who offer the blend of business and technical savvy necessary to lead transformational strategies in the future.

A recent report by market intelligence firm IDC has placed IT leaders at a crossroads, predicting that, by 2026, 60% of APAC CIOs will find their roles challenged by LOB (line-of-business) counterparts who can better demonstrate the ability to align technology with the organization’s mission and customers.

Already under pressure to accelerate digital transformation, CIOs now often find their voices drowned out by LOB executives who are heavily involved in making technology decisions, according to the report. This trend could leave CIOs vulnerable to decreased influence over the corporate technical agenda, or pushed into a secondary C-suite role.

Narottam Sharma, who recently quit his role as global CIO of Indian multinational Mastek to advise enterprises on digital transformation, cuts to the heart of the issue: “Technology is getting democratized, but the pace at which business is learning technology is faster than the pace at which technology is learning business. As a result, CIOs find their roles being challenged by LOB counterparts.”

Increasingly fragmented technology budgets and transformation strategies could accelerate this crisis, he says.

“The fallout of this is challenging for CEOs as it results in distribution of money in different pockets within an organization,” Sharma says. “Also, there is a lack of cohesive and holistic transformation in the company, which eventually hinders realization of collective value for the organization.”

The growing stature of LOBs

Malaysia-based Ts Saiful Bakhtiar Osman, head of IT for Asia Pacific at financial services company The Ascent Group, has experienced this situation first hand, to damaging results.

“I have been in this situation in the past when frustrated LOB managers resorted to lobbying, by using speed-to-market as an excuse, with the top management for allowing them to proceed with their own initiatives,” Osman says. “Such bulldozing without proper planning and IT best practices in place led to the initiative backfiring. IT was later dragged in to clean up the mess.”

“This not only added unnecessary workload to IT but also exposed the organization to unnecessary non-compliance audit findings and threat vulnerabilities. Had IT been consulted from the beginning, it would have saved the company time and cost to combat all the bugs and security issues. The IT security governance standard is put there for a reason,” he says.

Still, Osman agrees that active participation from LOBs can have positive impact as well, provided proper controls are in place. Business would be able to grow rapidly with LOB executives leading initiatives in their area of expertise. And nurturing ownership from business executives can also mitigate pushback. “In the absence of control, the enterprise would be at risk due to shadow IT and the IT department can turn into a convenient scapegoat to be blamed for any failed initiatives,” he says.

Naren Gangavarapu, CIO and digital officer at Northern Beaches Council, a local government organisation in Sydney, is all for this trend, seeing the shift not as a “passing fad that is temporary” but as something CIOs should expect will become the new normal.

“This is the direction businesses should be heading to,” he says. “Right now, most organisations have multiple strategies such as digital strategy, IT strategy, security strategy, business strategy, and corporate strategy. To get these to work in a harmonious way is a challenge and they end up collecting dust and reviewed once a year or more thus losing relevancy in a fast-changing world. There should be only one strategy and that is ‘strategy for the digital world.’ Advances in AI and quantum computing will further put LOBs in the driver’s seat.”

In his previous role, Gangavarapu was embedded in business where he was responsible for delivering efficiencies, which involved leading digital transformation initiatives within the LOB (Department of Planning). He was able to “halve assessment timeframes for state significant projects resulting in $18 billion dollars of investment into New South Wales creating 59,000 jobs during FY 18/19.”

How CIOs can remain relevant

Even as LOB executives get more tech savvy, the past few years have proven how critical the CIO role is for businesses to stay resilient and execute on their digital transformation strategies.  

To ward off LOB heads from their turf, Linus Lai, chief analyst and digital business research lead at IDC A/NZ, says CIOs must be able to demonstrate to other members of the C-suite how their actions and decisions directly boost the bottom and top lines. CIOs should also build stakeholder relationships within LOBs and leverage business relationship managers to better serve customer-facing organizations.

“CIOs will have to ensure effective joint business outcomes from IT and LOBs by delivering strategic digital business advice and enabling effective upwards communication. They must initiate a critical review of sourcing practices to manage the supplier ecosystem to maintain architectural goals and spending targets. Also, IT leaders will need to manage technical debt across the application portfolio with agile portfolio management and value stream mapping,” he says.

For CIOs to hold their own, Sharma says IT leaders can’t stop at business acumen, but instead must develop great interpersonal skills and be able to lead people in a cross-functional and cross-geographical environment. They should also be able to leverage emerging technologies to lend business a competitive edge.

To do this in his former roles as CIO, Sharma created a cross-functional decision committee comprising functional leaders, such as the CFO and CHRO, and technical leaders, such as the CIO or head of applications. “That helped in democratizing the process and enabling a smooth sail through and execution of any project,” he says.

Gangavarapu says such efforts are vital for addressing this trend, which includes “a shift in technology resources’ mindset to a new direction by preparing them to blend into the LOBs through awareness, training, and a culture shift. Besides recruiting a digital-savvy workforce for the future that is aligned to customer expectations, CIOs should themselves gear up to become an advisory function,” he says.

To do this, Gangavarapu has established a digital council at Northern Beaches Council to get the board, which consists of 15 Councillors who are elected by the community, to buy into his vision and direction. He is updating the workforce strategy and capability framework, which outlines the digital skills expected of each new hire based on their role.

“We are decentralizing budget from IT back to individual business units where they have ownership and drive the lifecycle of the contract and services. We also embed skills into LOB resources on an ongoing basis so that they are equipped to handle technology changes, compliance, and regulatory shifts around technology,” he says. “Here IT is taking an advisory role and LOBs are taking the lead. By connecting LOBs to market innovators in respective areas, with IT support, we encourage innovation.”

According to Gangavarapu, these initiatives have resulted in quite a few LOBs being self-sufficient and running their own digital initiatives with centralized coordination from IT.

Measuring progress during this journey, he shares that “employee engagement went up by 9%, wellbeing up by 13%, progress up by 18%, and customer satisfaction score shift from 71% in 2019 to 88% in 2022.”

What the future CIO role could look like

It is a given that CIOs in the future will perform beyond their IT functions. With the recent pandemic and the increasing push for digital transformation, CIOs are already wearing multiple hats to help evolve the business. “CIOs are now required to become a marketing strategist, a business analyst, a finance advisor, and an operation expert while delivering their core expertise as an IT champion. This is the way ahead and CIOs need to keep on upgrading, reskilling, and upskilling to stay relevant,” Osman says.

Going forward, there will be opportunities for CIOs to step into other CXO functions to add value and stay relevant, and this imperative will apply to all other technology resources who will realise that they cannot work siloed in a standalone IT business unit anymore but must be embedded in the LOB, understand context, and be able to add value.

As Gangavarapu says, “Digital and technology function will get embedded into LOBs driving strategies and offering products and services for the digital world. The function of information technology teams will reduce as quite a few will move to the LOBs and IT will end up running the plumbing works such as infrastructure, communications, and cybersecurity. [Cross-functional teams] will become a core ingredient of succeeding in a digital world.”

And this shift to embedded IT will further transform the CIO role, Gangavarapu says.

“Driving digital adoption in business is easier being a part of business rather than driving from IT, as it is seen as external — someone is doing this to us — instead, ‘We are driving this’; hence, CIOs must start picking up roles in LOBs with various titles such as chief translation officer, chief digital advisory officer, or chief innovation officer,” he says.

IT leaders not willing to change may soon be out of luck, Sharma says. Unless CIOs acquire the necessary skills to remain relevant, he sees the role being replaced by that of a chief transformation officer, who would work closely with the CEO and act as a bridge between the CIO office and LOBs.

“The chief transformation officers will identify business transformation opportunities within the enterprise and will work closely with the business. The arrangement would be such that the ownership of the project will lie with the respective LOBs while the company-level value creation and competitive edge will be jointly shared between them,” he says, adding that the CIO could become the chief custodian or chief architect, and if unable to add any value to the board, the CIO may end up reporting to the chief transformation officer.

IDC’s Lai agrees.

“I believe the role of the CIO will evolve to being a chief business technology officer role, which many CIOs may find challenging, but is one where they are partners to the business to deliver on the promise of new digital business and operating models,” he says.

“C-level executives are increasing their focus on profitability and improved operational efficiency by concentrating on enhancing employee productivity, innovation, and time to market,” he says. “If CIOs are to play a technology/business orchestration role in the leadership team, part of that effort will involve building or strengthening relationships with business counterparts.”

Roles

One of the biggest cloud security threats your company faces isn’t malicious. In fact, it originates from inside your IT organization.

Accidental misconfigurations pose one of the leading security vulnerabilities IT organizations contend with in the cloud. According to a recent study, 79% of companies had experienced a cloud data breach in the past 18 months—and 67% of respondents had identified security misconfiguration as the top security threat.

Despite incredible advances in cloud security, misconfigurations tend to happen more often in the cloud than on-premises, leading to leaked data, service disruptions, and other costly troubles. This article explores some of the most common misconfiguration risks and how you can address them to tighten up cloud security.

Why misconfigurations happen

Misconfigurations occur for various reasons. Although today’s cloud is more secure than ever, it also has more settings and protocols to be aware of, especially in a multi-tenant environment. Simple oversights such as not ticking a box can have major repercussions. In fact, Gartner estimates 99% of cloud security failures will be the customer’s fault—at least through 2025. 

One reason is that, as data and workloads shift to the cloud, the necessary skillsets become much more specialized. Most established IT professionals have far more experience with on-premises security and much less experience and training in the cloud, increasing the chances of accidental misconfiguration. Meanwhile, newer, less-tenured staff may be more accustomed to publishing data to the cloud, but they're not necessarily accustomed to dealing with security, which leads to configuration missteps of its own.

Furthermore, when data and workloads reside on-premises, a perimeter firewall provides an extra layer of protection. So even when a setting gets misconfigured, there's a lower chance of exposure outside the firewall. But a misconfigured resource in the cloud is often directly reachable from the internet, so the risk is much higher.

Common cloud misconfiguration gotchas

As with many things, prevention begins with awareness. Be on the lookout for these common cloud misconfiguration gotchas.

Overly permissive access privileges

Overly permissive access policies and privileges grant access to far more assets than needed. You may think a user's credentials are limited to one system or dataset, only to find out later that they could reach everything.

Storage misconfiguration

Misconfiguration opportunities abound when it comes to cloud storage. Confidential or regulated assets can inadvertently get mislabeled and end up readable by external audiences. Furthermore, weak or missing encryption further exposes those assets.

Insufficient or misconfigured logging and monitoring

Monitoring and logging play a foundational security role in threat detection and mitigation. When monitoring and logging are missing or misconfigured, it becomes difficult to detect events and changes, or to work out where they originated.

Not securing inbound and outbound ports

Open ports provide opportunities for bad actors. Minimizing unnecessary inbound and outbound ports is half the battle; restricting who can reach the ports that remain is the other half.

Default system credentials

Newly provisioned systems and appliances often ship with vendor-default accounts and passwords, and an account left at its default may carry broad or all-encompassing access to anyone who looks the default up. Ensure default credentials are changed or disabled on every system before it is exposed to the network.

Development settings in production

Imagine making changes in development, only to log off and realize you were in production, potentially breaking the application or locking users out. Misconfigured development settings are often the culprit in such scenarios.
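The gotchas above are all things that can be checked mechanically from an inventory export. The script below is an added example written for this article, not HPE or GDT code; it audits a constructed inventory (field names and the "port 0 means all ports" convention are assumptions) for public storage holding non-public data, missing encryption, world-reachable administrative ports and unrestricted egress, disabled audit and flow logging, unchanged default credentials, and debug settings left on in production.

```python
import ipaddress

# Remote-administration and file-sharing ports that should never be world-reachable.
ADMIN_PORTS = {22, 3389, 445, 161, 5985, 5986}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def _world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix covers every address)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_storage(buckets):
    out = []
    for b in buckets:
        if b["public"] and b["classification"] != "public":
            out.append(("HIGH", f"bucket/{b['name']}", f"{b['classification']} data is publicly readable"))
        if not b["encryption"]:
            out.append(("MEDIUM", f"bucket/{b['name']}", "no server-side encryption configured"))
    return out


def audit_network(groups):
    out = []
    for g in groups:
        for r in g["rules"]:
            if not _world_open(r["cidr"]):
                continue
            # Port 0 is this inventory's convention for "all ports".
            if r["dir"] == "in" and (r["port"] == 0 or r["port"] in ADMIN_PORTS):
                out.append(("HIGH", f"sg/{g['name']}", f"inbound port {r['port'] or 'any'} open to the world"))
            elif r["dir"] == "out" and r["port"] == 0:
                out.append(("LOW", f"sg/{g['name']}", "unrestricted egress on all ports"))
    return out


def audit_logging(accounts):
    out = []
    for a in accounts:
        if not a["audit_trail"]:
            out.append(("HIGH", f"account/{a['id']}", "API audit trail disabled"))
        if not a["flow_logs"]:
            out.append(("MEDIUM", f"account/{a['id']}", "network flow logs disabled"))
    return out


def audit_credentials(hosts):
    return [("HIGH", f"host/{h['name']}", f"account '{u['name']}' still has its vendor default password")
            for h in hosts for u in h["accounts"] if u["default_password"]]


def audit_environments(services):
    return [("HIGH", f"service/{s['name']}", "debug mode enabled in production")
            for s in services if s["env"] == "prod" and s["debug"]]


def audit(inventory):
    """Run every check and return (severity, resource, issue) tuples, worst first."""
    findings = (audit_storage(inventory["buckets"]) + audit_network(inventory["security_groups"])
                + audit_logging(inventory["accounts"]) + audit_credentials(inventory["hosts"])
                + audit_environments(inventory["services"]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


# Constructed inventory for the example; not a real account.
INVENTORY = {
    "buckets": [
        {"name": "corp-invoices", "public": True, "encryption": None, "classification": "confidential"},
        {"name": "static-site", "public": True, "encryption": "AES256", "classification": "public"},
        {"name": "hr-records", "public": False, "encryption": "aws:kms", "classification": "restricted"},
    ],
    "security_groups": [
        {"name": "web", "rules": [{"dir": "in", "port": 443, "cidr": "0.0.0.0/0"},
                                  {"dir": "in", "port": 22, "cidr": "0.0.0.0/0"}]},
        {"name": "db", "rules": [{"dir": "in", "port": 5432, "cidr": "10.0.0.0/8"},
                                 {"dir": "out", "port": 0, "cidr": "0.0.0.0/0"}]},
    ],
    "accounts": [{"id": "prod", "audit_trail": True, "flow_logs": False},
                 {"id": "sandbox", "audit_trail": False, "flow_logs": True}],
    "hosts": [{"name": "jump-01", "accounts": [{"name": "admin", "default_password": True},
                                               {"name": "ops", "default_password": False}]}],
    "services": [{"name": "api", "env": "prod", "debug": True},
                 {"name": "api", "env": "dev", "debug": True}],
}

if __name__ == "__main__":
    for sev, res, issue in audit(INVENTORY):
        print(f"{sev:6} {res:22} {issue}")
```

Note what is deliberately not flagged: port 443 open to the world on the web tier is the intended exposure, the public bucket that is classified as public is fine, and debug mode in the dev environment is not an issue. A scanner that cannot tell these apart from real misconfigurations drowns the team in the alert noise the article warns about.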

Minimizing misconfiguration risk

In addition to awareness, organizations can enhance security practices and policies to help minimize misconfigurations. This includes ensuring clear infrastructure visibility as well as implementing strategies such as automation, targeted training, and regular security audits.

To eliminate many of the traditional misconfiguration concerns of the public cloud, consider leveraging HPE GreenLake in a privatized custom-built cloud, either on-premises or in the cloud. Furthermore, HPE GreenLake Management Services provides managed security services including security monitoring, privileged access management, vulnerability management, and security hardening.

GDT can help your organization make the most of HPE solutions to improve your cloud security posture. Contact the security experts at GDT to learn more.

Cloud Security

Unit 42 is Palo Alto Networks’ world-renowned threat intelligence and security consulting team.

The key headline of the latest Unit 42 Cloud Threat Report isn’t about the most sophisticated attacks. It’s that nearly all organizations we analyzed lack the proper controls to keep their cloud resources secure.

The term for this in cloud security is identity and access management (IAM), and it refers to the policies that define who has permission to do what in a cloud environment. A fundamental best practice for policies like this is to apply least privilege access – ensuring that each user or group has the minimum access required to perform necessary functions. This helps minimize the damage an attacker can do in the event of a compromise as the attacker will only gain access to the limited information and capabilities of that one compromised cloud resource.

Unfortunately, we found a different situation when we studied how organizations are managing access to their cloud environments. We analyzed more than 680,000 identities across 18,000 cloud accounts from 200 different organizations and found that a staggering 99% of cloud users, roles, services and resources were granted excessive permissions. This matters because the majority of known cloud incidents start with a misconfigured IAM policy or a leaked credential.

How Could Lax IAM Policies Impact You?

Throughout the pandemic, many organizations moved significant amounts of data and business operations into the cloud. We found that 69% of organizations now host more than half their workloads in the cloud, compared with just 31% in 2020.

This makes the cloud a more tempting target for adversaries looking to—for example—steal sensitive data, deliver ransomware or take advantage of computing resources that don’t belong to them. While sophisticated attacks on cloud resources are possible, attackers don’t need to go to those lengths to achieve their goals when organizations allow excessive permissions and overly permissive policies. If your organization isn’t following best practices for IAM permissions in the cloud, you could be making an attacker’s job easier.

Improving Cloud Security: Recommendations

Your security should be just as native to the cloud as the applications you run there. CISOs should look into Cloud Native Application Protection Platform (CNAPP) suite integration. This can help bring disparate security functions into a single user interface, all tailored to cloud security.

Your security team should also harden IAM permissions. Our recent Cloud Threat Report includes an eight-step best practices guide that could help you.

Finally, as is common in cybersecurity today, an overabundance of alerts is likely hampering your security team and reducing their efficiency. Look into tools and workflows you can deploy to increase security automation, allowing your team the breathing room to get your overall security posture right, rather than being stuck responding to one alert after another.

Want to learn more? Download the full report here: Unit 42 Cloud Threat Report, vol 6

Cloud Security, IT Leadership

How do attackers exploit applications? Simply put, they look for entry points not expected by the developer. By expecting as many potential entry points as possible, developers can build with security in mind and plan appropriate countermeasures.

This is called threat modeling. It’s an important activity in the design phase of applications, as it shapes the entire delivery pipeline. In this article, we’ll cover some basics of how to use threat modeling during development and beyond to protect cloud services.

Integrating threat modeling into the development processes

In any agile development methodology, when business teams start creating a user story, they should include security as a key requirement and appoint a security champion. Some planning factors to consider are the presence of private data, business-critical assets, confidential information, users, and critical functions. Integrating security tools in the continuous integration/continuous delivery (CI/CD) pipeline automates the security code review process that examines the application's attack surface. This code review might include Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Infrastructure as Code (IaC) scanning tools.

All these inputs should be shared with the security champion, who would then identify the potential security threats and their mitigations and add them to the user story. With this information, the developers can build in the right security controls.

This information also can help testers focus on the most critical threats. Finally, the monitoring team can build capabilities that keep a close watch on these threats. This has the added benefit of measuring the effectiveness of the security controls built by the developers.

Applying threat modeling in AWS

After the development phase, threat modeling is still an important activity. Let’s take an example of the initial access tactic from the MITRE ATT&CK framework, which addresses methods attackers use to gain access to a target network or systems. Customers may have internet-facing web applications or servers hosted in AWS cloud, which may be vulnerable to attacks like DDoS (Distributed Denial of Service), XSS (Cross-Site Scripting), or SQL injection. In addition, remote services like SSH (Secure Shell), RDP (Remote Desktop Protocol), SNMP (Simple Network Management Protocol), and SMB (Server Message Block) can be leveraged to gain unauthorized remote access.

Considering the risks, security teams should review their security architecture to ensure sufficient logging of activities, which would help identify threats.

Security teams can use the security pillar of the AWS Well-Architected Framework to identify gaps against security best practices. Such a self-assessment measures the application's security posture across the pillar's areas: identity and access management (to ensure there is no avenue for unauthorized access), data protection, networking, and infrastructure protection.

Although next-generation firewalls may give some visibility into who is accessing the applications, based on source IP, application security can be strengthened by placing AWS WAF and Amazon CloudFront in front of them. These services limit exposure and can stop many exploit attempts at the edge before they reach the subsequent layers.

Network architecture should also be assessed to apply network segmentation principles. This will reduce the impact of a cyberattack in the event one of its external applications is compromised.

As a final layer of protection against initial access techniques, security teams should regularly audit AWS accounts to ensure that administrator privileges are not attached to workload roles or resources that do not need them, and that administrator accounts are not used for day-to-day activities.
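Both the audit recommended above and the Unit 42 finding earlier on this page (99% of cloud identities granted excessive permissions) come down to reading IAM policy documents and asking which identities can do far more than their job needs. The following is an added example written for this page, not TCS or Unit 42 code: it parses AWS-style policy documents, flags the patterns that usually mean excessive permissions (wildcard and service-wide actions, Allow-with-NotAction, write actions on every resource), identifies admin-equivalent policies, and reports which admin-equivalent identities are in day-to-day use. The identities, the `daily_use` flag and the read-only heuristic are assumptions; in practice the documents come from `iam:GetAccountAuthorizationDetails` and the usage signal from access-key and role last-used data.

```python
def _as_list(value):
    """IAM allows a scalar or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _read_only(action):
    # Heuristic: Describe*/Get*/List* actions legitimately need Resource "*";
    # anything else granted on "*" is treated as excessive.
    name = action.split(":", 1)[1] if ":" in action else action
    return name.lower().startswith(("describe", "get", "list"))


def statement_findings(stmt):
    """Issues for one Allow statement; Deny statements never widen access."""
    if stmt.get("Effect") != "Allow":
        return []
    issues = []
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    if "NotAction" in stmt:
        issues.append("Allow with NotAction grants every action not listed")
    if "*" in actions:
        issues.append("wildcard action '*'")
    else:
        service_wide = [a for a in actions if a.endswith(":*")]
        if service_wide:
            issues.append("service-wide wildcard action " + ", ".join(service_wide))
    if "*" in resources and any(not _read_only(a) for a in actions):
        issues.append("non-read actions allowed on Resource '*'")
    return issues


def policy_findings(doc):
    return [i for s in _as_list(doc.get("Statement")) for i in statement_findings(s)]


def is_admin_equivalent(doc):
    """Unconditional Allow of '*' (or of everything-but via NotAction) on every resource."""
    for s in _as_list(doc.get("Statement")):
        if s.get("Effect") != "Allow" or "Condition" in s:
            continue
        if "*" in _as_list(s.get("Resource")) and ("*" in _as_list(s.get("Action")) or "NotAction" in s):
            return True
    return False


def review_identities(identities):
    """Summarise excessive permissions and admin identities used for daily work."""
    report = {"total": len(identities), "excessive": [], "admin_daily_use": []}
    for ident in identities:
        issues = [i for p in ident["policies"] for i in policy_findings(p)]
        if issues:
            report["excessive"].append((ident["name"], issues))
        if ident["daily_use"] and any(is_admin_equivalent(p) for p in ident["policies"]):
            report["admin_daily_use"].append(ident["name"])
    report["excessive_share"] = round(100 * len(report["excessive"]) / len(identities), 1) if identities else 0.0
    return report


# Constructed identities and policies for the example; not from a real account.
IDENTITIES = [
    {"name": "alice", "type": "user", "daily_use": True, "policies": [
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"name": "ci-deploy", "type": "role", "daily_use": False, "policies": [
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}]},
    {"name": "readonly-auditor", "type": "role", "daily_use": False, "policies": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListAllMyBuckets"], "Resource": "*"}]}]},
    {"name": "invoice-uploader", "type": "role", "daily_use": False, "policies": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::corp-invoices/*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::hr-records/*"}]}]},
    {"name": "legacy-ops", "type": "user", "daily_use": False, "policies": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}]},
]

if __name__ == "__main__":
    report = review_identities(IDENTITIES)
    print(f"{report['excessive_share']}% of {report['total']} identities over-privileged")
    for name, issues in report["excessive"]:
        print(f"  {name}: {'; '.join(issues)}")
    print("admin identities in daily use:", report["admin_daily_use"])
```

The scoped uploader role and the read-only auditor pass, while the two wildcard grants and the NotAction "everything except IAM" policy are reported; only the human user with an unconditional `*` on `*` lands in the day-to-day admin list. Treat the read-only heuristic as a starting point: a few actions outside Describe/Get/List also require `Resource: "*"`, and those are the cases to allowlist by name rather than by widening the pattern.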

When used throughout the process, threat modeling reduces the number of threats and vulnerabilities that the business needs to address. This way, the security team can focus on the risks that are most likely, and thus be more effective – while allowing the business to focus on truly unlocking the potential of AWS.

Author Bio

TCS

Ph: +91 9176292448

E-mail: raji.krishnamoorthy@tcs.com

Raji Krishnamoorthy leads the AWS Security and Compliance practice at Tata Consultancy Services. Raji helps enterprises create cloud security transformation roadmaps, build solutions to uplift security posture, and design policies and compliance controls to minimize business risks. Raji, along with her team, enables organizations to strengthen security around identity and access management, data, applications, infrastructure, and network. With more than 19 years of experience in the IT industry, Raji has held a variety of roles at TCS, which include CoE lead for Public Cloud platforms and Enterprise Collaboration Platforms.


Internet Security

Key Takeaways from this Report

2021 was another near-record year for global DDoS attacks. At 9.84 million, the number of attacks was lower than the 10.1 million recorded in 2020 but still represented a 14 percent increase over 2019.

A few factors account for the slight decrease in global attacks from 2020 to 2021. First, 2020 was a full lockdown year where the world operated remotely, giving threat actors a unique landscape against which to launch unprecedented numbers of DDoS attacks. Second, cryptocurrency had an incredible year in 2021, creating a lucrative opportunity for threat actors to redirect their botnet resources, the ones typically used in DDoS attacks, to crypto mining activities.

The number of DDoS attacks is likely much higher than reported, as some corporations have extensive internal resources to withstand attacks without noticeable disruptions and typically don’t publicly report the total number of attacks against their networks, applications, and infrastructure.

About this report

The 2021 Comcast Business DDoS threat report focuses on multi-vector attacks that target Layers 3, 4, and 7 simultaneously. Although a small percentage of the overall attacks experienced by our customers, we believe the sophistication and potential damage caused by these attacks warrants a deeper look.


Network Security