Biden’s Zero Trust order unites Big Tech under national security



Microsoft’s contributions to President Joe Biden’s executive order to hinder cyberattacks on the U.S. will support the public and private sectors in establishing the right infrastructure for a stronger Zero Trust network security model.

After a full year of ransomware and supply chain attacks, Microsoft is one of 18 cybersecurity firms selected to work with the National Institute of Standards and Technology (NIST) to establish a Zero Trust Network, or Zero Trust Architecture, security model under Presidential Executive Order 14028.

“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid…security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)),” the order stated.

With the emergence of the remote work wave, the cybersecurity sector is seeing a notable shortfall in business investment, leaving enterprises struggling to secure their networks while facing growing security challenges.

Last week, Biden met with some of the biggest names in the tech industry over cybersecurity concerns, following the latest attacks by cybercriminals on U.S. infrastructure that have left it fragile and vulnerable to hacks.

The meeting brought together Big Tech leads, including Apple, Google, and Microsoft, to discuss the cybersecurity issues raised, in the hope that the U.S.’ technology leaders will present the Biden Administration with long-term solutions and means to prevent future cyber breaches of the country’s infrastructure.

The Zero Trust Network is a security concept built on the premise that firms should not blindly trust any entity – whether inside or outside their perimeter – and must instead verify every element attempting to connect to the organization’s systems before granting full access.

Zero Trust’s strength lies in its assumption that the organization has already been breached, rather than focusing solely on hardening the network perimeter. On that basis, the model implements a design that acknowledges data requirements and secures data both internally and externally, across managed and unmanaged devices.

Some of the biggest names in the industry assigned to the Zero Trust Network include Amazon Web Services, Appgate, Cisco, F5, FireEye, IBM, McAfee, MobileIron, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable, and Zscaler.

In May, Biden signed the executive order to grow the federal government’s cyber-infrastructure.

The presidential order will oversee the government’s migration to zero trust, setting the necessary infrastructure for secure networks with mandatory two-factor authentication (2FA) – an additional layer of security used to verify an individual’s real identity before granting access.

The order came as a direct result of the SolarWinds supply chain breach involving the SolarWinds Orion system, which targeted leading U.S. federal agencies alongside some U.S. tech companies, such as Microsoft.

While the focus was on SolarWinds, the Microsoft Exchange email server hack and the Colonial Pipeline attack also played a huge role in prompting the order.

The Zero Trust Network’s scope will be synchronized with the NIST’s National Cybersecurity Center of Excellence (NCCoE) to “develop practical, interoperable approaches to designing and building Zero Trust architectures.” 

It is worth specifying that the project’s approaches will rely solely on commercially available strategies from U.S. cybersecurity firms.

In the past, Microsoft laid the first brick by demonstrating five possible scenarios in which zero trust can be adopted to help agencies comply with the executive order.

The company’s plan will be built around EO 14028, covering five key scenarios: cloud-ready authentication apps, web apps with legacy authentication, remote server administration, segmented cloud administration, and network micro-segmentation.

Microsoft’s plan relies heavily on Azure Active Directory, while its proposals will also cover commercial and open-source products.

This includes endpoint detection and response (EDR), which detects and investigates suspicious behavior; multi-factor authentication, a security measure that requires two or more proofs of identity; and continuous security monitoring (CSM), a threat intelligence approach that automates the monitoring of information security controls.

Even though the White House strongly encourages the private sector to take the lead in adopting “ambitious measures” to secure its networks, Biden’s order will only apply to U.S. federal agencies.

In parallel, since the executive order acknowledges the vital role of open-source software, the Linux Foundation – alongside open-source communities – rose to the President’s cybersecurity challenge.

The Foundation revealed a new open-source software signing service, “The Sigstore Project.” It aims to enhance software supply chain security by making cryptographic signing easy to adopt, backed by transparency log technologies.

Certificate transparency log auditors are software components that can verify whether a certificate is present in a log. They do this by periodically validating log proofs.

If the certificate is not recorded in a registered, accessible log, connections to sites presenting such certificates can be refused as suspicious.
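The “log proofs” an auditor validates are Merkle inclusion proofs: the log commits to all entries with a single root hash, and proves a given entry is present by supplying the sibling hashes along the path from that entry to the root. The example below is added here to show that check concretely; it is not code from the page, from Sigstore or from any CT log implementation. It builds a small RFC 6962-style tree over constructed stand-in entries (plain byte strings instead of DER certificates), generates an inclusion proof, and verifies it the way an auditor would, rejecting a tampered entry or a truncated proof. The log’s signed tree head, from which a real auditor takes the trusted root hash, is not modeled.

```python
import hashlib
from typing import List

# Constructed sample log entries; stand-ins for DER-encoded certificates.
SAMPLE_ENTRIES = [b"cert-A", b"cert-B", b"cert-C", b"cert-D", b"cert-E"]


def leaf_hash(data: bytes) -> bytes:
    # RFC 6962 domain-separates leaves with a 0x00 prefix ...
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pose as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962's k).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle tree hash (MTH) of the ordered leaf list."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path from leaf `index` to the root: the sibling hashes, bottom up."""
    if len(leaves) <= 1:
        return []
    k = _split_point(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], expected_root: bytes) -> bool:
    """Auditor-side check (RFC 9162 section 2.1.3.2): recompute the root
    from the entry and its audit path and compare with the trusted root."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the path to the root
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling is on the left
            if not fn & 1:
                # Skip levels where this node has no right sibling.
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling is on the right
        fn >>= 1
        sn >>= 1
    # A proof that is too short leaves sn > 0; a wrong one gives a wrong root.
    return sn == 0 and r == expected_root


def audit_log(entries: List[bytes]) -> List[bool]:
    """Audit every entry against the log's root, as a periodic auditor would."""
    root = merkle_root(entries)
    n = len(entries)
    return [verify_inclusion(e, i, n, inclusion_proof(entries, i), root)
            for i, e in enumerate(entries)]


if __name__ == "__main__":
    root = merkle_root(SAMPLE_ENTRIES)
    proof = inclusion_proof(SAMPLE_ENTRIES, 2)
    print("all entries included:", all(audit_log(SAMPLE_ENTRIES)))
    print("forged entry accepted:",
          verify_inclusion(b"cert-X", 2, 5, proof, root))
```

A certificate whose inclusion proof does not reproduce the root the log signed is treated as unlogged, which is the condition under which the paragraph above says a connection can be refused.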

The Zero Trust proposals from the various tech vendors align with NIST SP 800-207. This special publication is a set of cybersecurity measures and guidelines that lays out the core components of Zero Trust principles.

NIST SP 800-207, alongside Zero Trust Architecture, was presented during the meeting with the Federal Chief Information Officer (CIO), who serves as a central resource for information on federal IT, together with federal agencies and the tech industry.

To maintain the security of our future, alongside our digital era, the implementation of technology in our day-to-day lives will only grow by the second. If technological elevation lands in the hands of malicious people, the current cyberattacks would just be a teaser as to what could come our way. 

With President Joe Biden going the extra mile to actively boost digital security by seeking help from Big Tech leads, this could bring the U.S. one step closer to securing the country’s digital infrastructure while addressing cybersecurity improvements for a more secure future.


Supranational fronts retaliate against cybercrime group REvil



Cybercrime group REvil was infiltrated by U.S. government agencies and forced to go dark following a multinational operation, Reuters reported.

Speculation about the group’s recent absence spread after Recorded Future security specialist Dmitry Smilyanets posted on Twitter several messages from the account of a known REvil operator, ‘0_neday.’

The messages shared on the microblogging platform, originally posted on the cybercriminal forum XSS, alleged that someone had taken control of the group’s Tor payment portal and its data leak sites.

In the message, the account revealed that he and ‘Unknown,’ the group’s chief representative, were the only members holding REvil’s domain keys. After the representative’s disappearance, the remaining members presumed he was dead.

In September, REvil resumed its cybercrime activities, which led to the realization that the group’s domain was being accessed using Unknown’s decryption key.

“The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others – this was not. Good luck, everyone, I’m off,” 0_neday wrote in a message.

After REvil’s Kaseya attack, the FBI acquired a universal decryption key, enabling file recovery for those exposed to the Kaseya breach without the need to pay a ransom.

Now, with the messages surfacing on Twitter, it appears that law enforcement officials concealed for weeks the fact that they had the key while stealthily pursuing REvil’s staff, according to Reuters.

According to individuals familiar with the matter, law enforcement and intelligence cyber experts managed to compromise the criminal group’s network infrastructure and gain control over some of its servers.

Following Unknown’s disappearance, other group members regained control over the websites last month. In doing so, REvil unintentionally restarted some internal systems, including ones already under law enforcement control.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” deputy head of the forensics lab at the Russian-led security company Group-IB, Oleg Skulkin said in a statement.

“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them,” Skulkin added.

Although trustworthy backups are a fundamental defense against ransomware, their value depends on keeping them disconnected from the main networks. Otherwise, they too will be encrypted by cybercrime groups like REvil.

One spokesperson close to the matter revealed that a foreign ally of the U.S. led the hacking mission that infiltrated REvil’s network, while another anonymous former U.S. official said the operation is not yet finished.

VMware’s head of cybersecurity strategy, Tom Kellermann, told Reuters that the success of the federal operation stems from a firmer stance led by U.S. Deputy Attorney General Lisa Monaco, under which cyberattacks on vital government systems are treated as threats to national security, in the same category as terrorist attacks.

The Kaseya and SolarWinds ransomware attacks are the two main cases that paved the way for a harsher approach to this counterattack – and similar future ones – pushing the Justice Department in June to elevate investigations of cyberthreats to a much higher priority.

REvil’s attacks gave the Justice Department and other government agencies a legal basis to request support from other federal organizations, such as U.S. intelligence and the Department of Defense.

Both the FBI and the White House National Security Council refrained from commenting on the operation.



Google nabs phishing attacks from state-sponsored cybercrimes



In a world where everyone’s devices are exposed to infiltration, Google said Thursday that it has sent approximately 50,000 alerts to users whose accounts were targeted by state-sponsored phishing and malware campaigns.

“Countering threats from Iran” is the title the Big Tech giant gave to its latest blog post, covering Google’s Threat Analysis Group’s (TAG) latest tracking of disinformation campaigns, government-backed hacking, and financially driven abuse.

“We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, nearly a 33 percent increase from this time in 2020,” the blog post stated.

While receiving the warning does mean an account could be exposed to potential cyber threats, not all those who have received the warning have been breached. 

Google explained that TAG sends these warnings to accounts it believes are potential targets of government-sponsored phishing attempts, brute-force attacks, or malware delivery efforts originating from a state-backed hacking ecosystem.

Google’s statistics revealed that TAG tracks more than 270 targeted or government-backed attacker groups from more than 50 countries, meaning some accounts are targeted by more than one threat from around the globe.

Fending off cyberattacks from Iran

Iran’s hacking group APT35, known for pursuing U.S. politicians before the 2020 Presidential elections, appears determined to continue its efforts to break into government representatives’ devices and accounts.

The tech giant’s report not only highlighted that the group is still actively trying to infiltrate some of the most senior bureaucratic personnel, but also that it has shifted toward developing new tricks to evade security tools, deceiving targets into submitting account credentials or installing spyware on their devices.

APT35’s main specialty is credential theft, which allows it to spy on journalists, activists, government workers, academics, and anyone else of interest to the Iranian regime.

Wielding Telegram for threat reports

According to one TAG researcher, Ajax Bash, the attackers’ most common tactic is abusing the API of the Telegram messaging service, creating bots in the chat app to facilitate account theft and bank fraud.

“The attackers embed JavaScript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel,” Bash revealed.

In parallel, Google informed the messaging platform of the malicious activity occurring on its app, and Telegram subsequently removed the bots.

The government-backed group uses this tactic to send device-based data back to the channel, revealing to the attackers details such as the IP address, user agent, and locale of visitors to their phishing sites in real time.

The use of spyware apps to gain access

TAG’s findings also showed that in May 2020 the company discovered APT35 had attempted to upload malicious spyware to the Google Play Store via an app masquerading as VPN software. Had it been installed, the attackers could have obtained sensitive data, including call logs, text messages, contacts, location data, and much more.

Once detected, Google removed the app from its store before any user installed it.

Even though the app was removed from the store, TAG caught additional attempts by the group to distribute the malicious VPN on other platforms as of July 2021.

Conference-themed phishing emails

APT35’s most notable tactic is impersonating conference officials in phishing attacks. Posing as the Munich Security Conference and the Think-20 (T20) Italy conference, attackers first send benign email messages for recipients to reply to. Once they receive a response, they follow up with an email containing phishing links.

Usually, after responding, users pass through at least one redirect before reaching a phishing domain that gives APT35 access to their email.

For this purpose, link shorteners and click trackers are used heavily, typically embedded in PDF files.

In this case, Google disrupted attempts to abuse Google Drive, Apps Script, and Sites pages for specific campaigns as the group tried to get past the tech giant’s built-in defenses.

When cyberattacks are conducted at a state level, successful ones can cause irreversible damage. For that reason, cybersecurity firms expect intrusion rates to rise in the coming years, with the U.S. as the main target, a prospect that could be detrimental to a country still rebuilding its infrastructure after the crippling aftermath of the past two years of the pandemic.



US talks global cybersecurity without a key player: Russia



Amid an epidemic of ransomware attacks, the U.S. is discussing cybersecurity strategy this week with 30 countries while leaving out one key player: Russia.

The country that, unwittingly or not, hosts many of the criminal syndicates behind ransomware attacks was not invited to a two-day meeting starting Wednesday to develop new strategies to counter the threat.

White House national security adviser Jake Sullivan called it a gathering of “like-minded” governments in agreement on the urgency of the need to protect citizens and businesses from ransomware. “No one country, no one group can solve this problem,” he said in opening remarks.

The virtual discussions will focus in part on efforts to disrupt and prosecute ransomware networks like the one that attacked a major U.S. pipeline company in May, a senior administration official said. The attack on Colonial Pipeline, which led to gas shortages along the East Coast, was attributed to a Russia-based gang of cybercriminals.

The exclusion of a country so closely tied to the global ransomware phenomenon reflects the overall poor relations between Moscow and Washington.

Despite that, the U.S. has used a “dedicated channel” to address cybersecurity with Russia, said the official, who briefed reporters on the condition of anonymity to preview this week’s meeting with around 30 countries and the European Union.

Since President Joe Biden raised the issue directly with President Vladimir Putin this summer in a summit and later phone call, there have been “candid discussions” about cybercriminals operating within Russia’s borders, the official said.

“We’ve had several, and they continue, and we share information regarding specific criminal actors within Russia, and Russia has taken initial steps,” the official said.

It is unclear what steps Putin’s government has taken. Russia does not extradite its own citizens, and FBI Deputy Director Paul Abbate told a security forum last month that he has seen “no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created there.”

The issue was expected to be on the agenda this week in Moscow as Undersecretary of State Victoria Nuland met for talks with Russian Deputy Foreign Minister Sergei Ryabkov.

The Biden administration took office amid a massive cyberespionage campaign known as the SolarWinds attack, which U.S. officials have linked to Russian intelligence operatives. Ransomware attacks, perpetrated generally by criminal hacker gangs rather than state-sponsored groups, have caused tens of billions of dollars in losses to businesses and institutions and become a major source of tension between the two nations.

Ransomware payments reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021, according to the U.S. government.

Actions taken by the Biden administration include imposing sanctions on a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency and issuing security directives that require pipeline companies to improve their cyber defenses.

In addition, the State Department has announced rewards of millions of dollars for information on people who engage in state-sponsored malicious cyber activities aimed at transnational criminal networks that Sullivan said operate “across multiple countries, multiple jurisdictions to carry out their attacks.”

Most of this week’s ransomware meeting is expected to be private as participants attend sessions led by India, Australia, Britain and Germany and will focus on themes such as developing resilience to withstand ransomware attacks.

Other participants include Israel, the United Arab Emirates, Bulgaria, Estonia, France, the Dominican Republic, Mexico, New Zealand, Singapore and Kenya.
