Archive for Palo Alto

Deepfake scams are on the rise in Canada and globally: Palo Alto

Posted in Commentary with tags on August 29, 2024 by itnerd

Today, Palo Alto Networks Unit 42 released research on dozens of scam campaigns using deepfake videos featuring the likeness of various public figures, including CEOs, news anchors and top government officials.

The research found that these campaigns appear in a variety of languages, with each typically targeting victims in a single country, including Canada, Mexico, France, Italy, Turkey, and more. While 2024 is predicted to be the largest voting year in history, the impact of deepfakes is not limited to the political domain. 

Highlights include:

  • As of June 2024, Unit 42 discovered hundreds of domains being used to promote these campaigns, with each having been accessed an average of 114,000 times since going live
  • Unlike typical phishing or malware domains, these domains are relatively long-lived, with an average active time of 142 days
  • These campaigns appear in English, Spanish, French, Italian, Turkish, Czech and Russian
  • Due to their infrastructural and tactical similarities, it’s believed these campaigns likely stem from a single threat actor group
  • The campaigns leverage numerous prominent figures, including Elon Musk and Tucker Carlson

You can find the full research report here: https://unit42.paloaltonetworks.com/dynamics-of-deepfake-scams/

Today’s research comes on the heels of Palo Alto Networks’ most recent Canadian Ransomware Barometer, which found that Canadian IT decision-makers are concerned about the potential threat that artificial intelligence (AI) poses to their organizations. More than two-thirds of respondents (69%) believe the emergence of more AI technologies has increased the threat level to their organizations.

Palo Alto’s 2024 Incident Response Report From Unit 42 Is Out

Posted in Commentary with tags on August 8, 2024 by itnerd

Palo Alto Networks, the leader in cybersecurity, has released a new 2024 Incident Response Report from Unit 42.

This report details the most exploited attack vectors of the past year. It also spotlights the cybercriminal group known as Muddled Libra and analyzes its most successful attack patterns to determine how the most sophisticated attackers may attempt to breach your defenses.

Unit 42 found that software vulnerabilities are often the main entry point, and that sophisticated attacks often chain multiple vectors, including compromised credentials, phishing and brute-force methods.

Cybersecurity can often feel like an endless battle between attackers and defenders, but Unit 42’s view is that intelligence, insight and preparation still give defenders the edge needed to protect themselves.

You can read the report here.

Palo Alto Networks Rolls Out Secure AI by Design Portfolio

Posted in Commentary with tags on July 31, 2024 by itnerd

What: Palo Alto Networks is making available to customers its Secure AI by Design product portfolio, aiming to secure organizations’ GenAI usage and development of enterprise AI applications by providing visibility, control, and protection specific to AI, addressing new risks and threats. As businesses increasingly integrate AI, the portfolio enables them to confidently build and use AI-powered apps, while also prioritizing the integrity of AI security frameworks from development to deployment.

Why: The need for securing AI applications has become increasingly important as businesses continue to integrate AI and LLMs into their operations. With employees adopting AI applications at a rapid pace and organizations across various industries gaining a competitive edge through AI-powered applications, the Secure AI by Design portfolio aims to securely enable AI deployments.

While the promises of AI are significant, it’s essential to acknowledge the associated risks with equal emphasis in order to realize its full potential. Bad actors are using AI to ramp up the scale of attacks, so it is important that organizations are proactive in their defense.

How: Organizations will be equipped to create a secure AI ecosystem that prioritizes the integrity of AI security frameworks from development to deployment. Businesses can fully harness the potential of AI without compromising security through the following use cases:

  • Securely enable GenAI applications: With the growing trend of employees using GenAI apps for business purposes, AI Access Security enables organizations to use AI tools with confidence. It gives security teams full visibility, application and data access controls, and continuous data risk monitoring.
  • Fortify AI supply chain: Businesses must be aware of, and remediate, possible risks. With Prisma Cloud AI Security Posture Management (AI-SPM), organizations can secure their AI ecosystem by identifying vulnerabilities and misconfigurations in models, applications and resources. It improves compliance and minimizes data exposure, thus improving the integrity of your AI security framework.
  • Protect enterprise AI applications: It is critical for organizations to see every component of their AI app ecosystem, including AI applications, models, inference and training datasets. AI Runtime Security is designed to help solve this and protect against evolving zero-day and AI-specific threats, such as data leakage from AI models and applications, and to safeguard models from misuse and attacks.

When: To start the roll out, AI Runtime Security is now available on Google Cloud and will be available later in August on Amazon Web Services (AWS) and Microsoft Azure. To follow, AI-SPM will be available on August 6 and AI Access Security will be available on August 19.

Additional Information: Learn more about our Secure AI by Design portfolio, read our latest blogs on AI Runtime Security and AI-SPM. Explore Precision AI by Palo Alto Networks, which powers our cybersecurity platforms and solutions.

Palo Alto Networks Unit 42 Research: Chinese APT Campaign Targeting Global Political Entities

Posted in Commentary with tags on May 23, 2024 by itnerd

Today, Palo Alto Networks Unit 42 released research about a Chinese APT group that has been conducting an ongoing campaign, Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia since at least late 2022. 

Highlights in Unit 42’s analysis of the active campaign include:

  • The threat actor’s long-term espionage operations against at least 7 government entities, leveraging rare email exfiltration techniques against compromised servers. 
  • Operation Diplomatic Specter closely monitors contemporary geopolitical developments, attempting to acquire sensitive and classified military, political, and diplomatic data, which can potentially jeopardize national security and economic stability. 
  • The threat actor uses rare and unique techniques, tools and procedures, to exploit internet-facing server vulnerabilities, adapting their tactics to infiltrate mail servers for daily exfiltration.
  • As part of its espionage activities, the group makes use of a previously undocumented family of backdoors, including those that Unit 42 has named TunnelSpecter and SweetSpecter.

Given the Government of Canada’s recent announcement of its first Enterprise Cyber Security Strategy, with a focus on ensuring that the Government can quickly and effectively combat cyber threats and address vulnerabilities across the government’s digital estate, this new report from Palo Alto Networks ties in well with the current cybersecurity landscape and the looming electoral landscape.

To explore the full analysis, please click here

Palo Alto Networks Delivers The Most Comprehensive SASE Capabilities

Posted in Commentary with tags on May 3, 2024 by itnerd

Palo Alto Networks has announced its latest innovations to future-proof and transform the workforce with the launch of Prisma® SASE 3.0. Prisma SASE 3.0 now delivers Zero Trust to secure both managed and unmanaged devices with the industry’s first natively integrated enterprise browser, AI-powered data security, and acceleration of dynamic applications to perform up to five times faster.

In today’s work environment, employees demand the freedom to be productive from anywhere, using any device, and accessing any application. Current legacy SASE implementations are falling short of meeting these needs, inhibiting innovation and agility. Prisma SASE 3.0 includes enhanced capabilities to combat many challenges enterprises encounter as they rely on data to drive business:

  • Prisma Access Browser protects organizations with a natively integrated enterprise browser that extends Zero Trust protection to unmanaged devices in minutes. AI-powered security identifies up to 2.3 million new and unique attacks every day. Since 2022, more than half of employees, contractors, and third parties access corporate data from BYO devices like personal laptops and mobile devices, according to Forrester. With Prisma SASE 3.0 IT professionals can monitor and mitigate threats in real time, safely enabling the workforce to use any device to access any application.
  • AI-Powered Data Security is the breakthrough capability in data classification accuracy for Palo Alto Networks’ already comprehensive Data Security solution. The industry-first LLM-powered classification combines the strengths of context-aware machine learning (ML) models with the power of LLM-based natural language understanding to increase the accuracy of ML behavioral analytics to monitor and protect where sensitive data resides and travels. Prisma SASE 3.0 allows SaaS, GenAI, and cloud applications to drive business growth while securing corporate data.
  • App Acceleration provides up to 5x boost in applications’ performance compared to accessing them directly through the internet to help ensure maximum productivity and security. Prisma SASE with App Acceleration is the industry’s first SASE solution that accelerates applications individually for every user, leveraging patented app-aware technology. Palo Alto Networks is working with leading cloud service providers and enterprise applications, including Amazon Web Services (AWS), Slack, ServiceNow, Google, Zoom and SAP to enhance application performance, benefiting joint customers with faster response rates.

Prisma SASE continues to deliver industry-leading SLAs for security processing and app performance. Prisma SASE 3.0 and its updated capabilities will be generally available in the coming months.

Quarter Of Industrial Enterprises Have Temporarily Shut Down Operations Due To A Cyber Attack: Palo Alto

Posted in Commentary with tags on March 28, 2024 by itnerd

Palo Alto Networks recently released its The State of OT Security 2024 report, which reveals the reality, extent, and changing nature of security threats to operational technology (OT) in industrial environments.

Spotlighting the frequency of cyberattacks and examining the struggles and implications organizations face when navigating these threats, the report found that within Canada:

  • Almost two-thirds of industrial organizations have experienced cyberattacks in the past year.
  • 1 in 4 Canadian and global organizations had to shut down operations due to an attack.
  • IT is the main attack vector, with 71% of attacks originating there.
  • Nearly 75% reported that AI-enabled attacks on OT infrastructure are currently a critical issue; 81% agreed that AI-enabled security solutions are critical to detecting and stopping attacks on OT infrastructure.
  • 82% of respondents believe Zero Trust is the right approach to OT security.

The full global report can be viewed here or downloaded here.

Ransomware Victim Numbers Rose By 50% In 2023: Palo Alto

Posted in Commentary with tags on February 8, 2024 by itnerd

Researchers at Palo Alto Networks have revealed a significant surge in ransomware victims in 2023, with almost 4,000 companies listed on ransomware leak sites, marking a 50% increase from the previous year. The study also indicates that ransomware groups were attacking nearly 80 organizations weekly, a figure likely higher due to unreported incidents.

The study found 25 new leak sites emerged in 2023, accounting for a quarter of the total postings. Some of these sites were by existing groups and some by new groups that appeared last year for the first time.

Manufacturing remained the primary sector targeted by ransomware, followed by professional services, high-tech, wholesale/retail, construction, healthcare, finance, and education.

Almost half of the victims were based in the US, with 6.5% in the UK, 4.6% in Canada, 4% Germany, and 3.4% in France. “The US presents a very attractive target, especially when examining the Forbes Global 2000… In 2023, the US accounted for 610 of these organizations, consisting of almost 31% of the Forbes Global 2000, indicating a high concentration of wealthy targets.”

Emily Phelps, Director, Cyware had this comment:

   “Ransomware continues to be a pervasive threat because of its low barrier to entry. Ransomware-as-a-Service platforms have made it easier for less technical cybercriminals to launch these lucrative attacks, contributing to the rise in incidents. Adopting more proactive strategies to combat ransomware attacks starts with threat intelligence and intelligence operationalization. Organizations need timely, relevant intelligence and the right technology to automatically route it to the right team members who can use those insights to take meaningful actions.”

HYAS CEO David Ratner follows with this:

   “The ransomware report clearly demonstrates the criticality of not just utilizing proactive threat intelligence as part of one’s defenses but ensuring that cyber resiliency solutions are deployed as part of a security-in-depth strategy. This needs to be a top priority not just for organizations themselves but for MSSPs, MSPs, and anyone providing true protection today.”

I’ve been saying this a lot lately, but I’ll say it again. Ransomware is at crisis levels. Everyone needs to pitch in to stop it from getting out of hand. And unfortunately, based on this report it seems that we might be close to having ransomware reach a point where it simply cannot be stopped.

EleKtra-Leak Cryptojacking Attacks Discovered By Palo Alto Networks

Posted in Commentary with tags on October 30, 2023 by itnerd

Palo Alto Networks Unit 42 researchers today published details on an active cryptojacking campaign called EleKtra-Leak, which targets AWS credentials leaked in public GitHub repositories. From the report:

Unit 42 researchers have identified an active campaign we are calling EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories. As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations. We believe these operations have been active for at least two years and are still active today.

We found that the actor was able to detect and use the exposed IAM credentials within five minutes of their initial exposure on GitHub. This finding specifically highlights how threat actors can leverage cloud automation techniques to achieve their goals of expanding their cryptojacking operations.

Jeff Williams, co-founder and CTO of Contrast Security, commented: 

“Disappointing that we are struggling with the very simplest of cybersecurity issues.  It’s not complicated, you just don’t post your keys in public. However, it’s also not fair to blame developers.  There are thousands of these kinds of issues, and they have to perform perfectly on all of them or get dragged for being dumb or lazy.  We need better authentication systems that make it easier for developers to make good choices.  They should never be tempted to put their keys in AWS because doing things the right way is too difficult.  Let’s make the secure path the easiest one as well.”

This Unit 42 report is very much worth reading as it provides a ton of insightful and actionable information. Thus you should put reading this report on your to-do list.
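The EleKtra-Leak finding that matters most to a developer is the five-minute window: once a key lands in a public repository, assume it is already in use. The cheapest control is to stop the push in the first place. Below is an added example, written for this post and not code from Unit 42 or the EleKtra-Leak report, of a small pre-commit scanner: it flags AWS access key IDs by their fixed AKIA/ASIA prefix, and flags 40-character secret keys only when they sit next to an “aws … secret” label and have enough Shannon entropy to be a real key rather than a placeholder. The function names, regexes, the 4.0 bits-per-character threshold and the sample diff are this example’s own assumptions; the credentials in the sample are the placeholder values AWS uses in its own documentation, not live keys.

```python
"""Scan text (for example `git diff --cached`) for leaked AWS credentials.

Added example, not code from Unit 42 or the EleKtra-Leak report. Function
names, regexes and the entropy threshold are this example's own choices.
"""
import math
import re
import subprocess
import sys

# Long-term (AKIA) and temporary STS (ASIA) access key IDs: a 4-char prefix
# followed by 16 upper-case base32 characters, 20 characters in total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-alphabet characters with no fixed prefix,
# so require a nearby "aws ... secret" label to avoid flagging every hash.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]+([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Real 40-char keys score roughly 4.5 bits/char and up; repeated-character or
# word-like placeholders score far lower. 4.0 is an assumed cut-off.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, source="<text>"):
    """Return findings as dicts with source, line, kind and the matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= ENTROPY_THRESHOLD:
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": secret})
    return findings


def scan_staged_changes():
    """Run the scanner over the staged diff; intended for a pre-commit hook."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    return scan_text(diff, source="git diff --cached")


# Constructed sample: AWS's documented placeholder credentials on lines 1-2,
# a low-entropy template value on line 4 and an unrelated SHA-256 on line 5.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+# the next line is a template and should not be reported
+AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+SHA256SUM=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

if __name__ == "__main__":
    # `python scanner.py --staged` checks the index; no argument runs the sample.
    hits = scan_staged_changes() if "--staged" in sys.argv else scan_text(SAMPLE_DIFF, "sample")
    for h in hits:
        print(f"{h['source']}:{h['line']}: {h['kind']} {h['value'][:8]}...")
    sys.exit(1 if hits else 0)
```

Wire it in as `.git/hooks/pre-commit` (or a `pre-commit` framework hook) so a non-zero exit blocks the commit. The scanner is a last line of defence, not a substitute for keeping long-lived keys out of source trees: if a key does reach a public repository, treat it as compromised immediately, deactivate it (`aws iam update-access-key --status Inactive`), and review CloudTrail for EC2 launches you did not make, since that is exactly what this campaign does with harvested keys.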

“Tool Bloat” Slows Cloud Threat Resolution Time: Palo Alto Networks

Posted in Commentary with tags on March 8, 2023 by itnerd

According to a survey conducted by Palo Alto Networks, 39% of global organizations reported a surge in breaches over the past year. The security vendor polled over 2500 respondents in the US, Australia, Germany, France, Japan, Singapore and the UK:

  • 90% said they are unable to detect, contain and resolve cyber-threats within an hour
  • 42% reported an increase in mean time to remediate
  • 30% reported a major increase in intrusion attempts and unplanned downtime


Part of the challenge appears to be the complexity of their cloud security environments – partly caused by tool bloat.

  • 76% said that the number of cloud security tools they use creates blind spots
  • 77% said they struggle to identify what tools are necessary to achieve their objectives

A previous Palo Alto Networks study revealed that organizations rely on over 30 tools for security, including 6–10 cloud security products.

I have two comments on this. The first is from Dave Ratner, CEO at HYAS:

   “The growing complexity of cloud environments, whether it is hybrid cloud, multi-cloud, or simply a growing infrastructure, means that it’s easy to lose the visibility of what’s actually going on inside the environment.  Without the proper visibility, it’s increasingly difficult to ensure proper controls, which provides great opportunities for bad actors to hide without being seen, communicate with their command-and-control for instructions and data exfiltration without being detected, and otherwise perform nefarious actions at will.  

   “What’s required is the proper level of visibility and observability into the environments to detect, in real-time, any and all anomalous communications — only then can organizations actually enforce their controls, cut down on the mean-time to detect anomalous communications, and shine a light on the bad actors’ hiding spots.  

   “While this visibility may have been performed in the past through deep packet inspection or other mechanisms, the growth and complexity of the cloud environments makes that nearly impossible at scale; nevertheless, organizations which monitor and track their DNS traffic can actually address this problem in a light-weight, easy to deploy, easy to manage, and inexpensive to operate manner.  This allows organizations to shift left, move into a true business resiliency and business continuity program, detecting and shutting down anomalies in the network before they become significant breaches and issues.”


Bryson Bort, Founder and CEO at SCYTHE follows up with this:

   “A threat can only hack what they can touch: surface area is the technical range of this. The more code (software) with the more features accessible (beware default configurations!), the more opportunities you have provided a potential threat. A large percentage of software is installed with the default configurations (this is now part of the threat’s text matrix for their attacks) or sub-optimally configured (likely increasing risk).

   “First step, which takes just a few minutes: map all of your tools by category of what they defend (assets, users, etc) against the NIST CSF defensive phases: Identify (Configuration Management), Protect, Detect, Respond, and Recover. Now you know what’s generally covered and you’ve identified overlap where you are over-exposed. Now, make the tools work for you! Invest in validating your assumptions (does this block/see what I think it does?) and optimizing how they’re configured.

   “Security is defined by the threat, so a Continuous Threat and Exposure Management approach is the best practice by driving real threat behaviors safely in your environment and continuously so it’s helping you adapt to the rate of change of your business.”

The complexity of managing cloud environments has clearly become the next battleground between threat actors and those who defend against them. Hopefully those who are on the side of the good guys read reports like these and take action to prevent bad things from happening to them.

Palo Alto Networks Warn Users Of Their Gear Of “Infinite Loop” Bug

Posted in Commentary with tags , on April 7, 2022 by itnerd

Bleeping Computer has reported that Palo Alto Networks has warned customers that some of its firewall, VPN and XDR products are affected by the high-severity OpenSSL infinite-loop bug (CVE-2022-0778, in the BN_mod_sqrt() function) that was disclosed three weeks ago. An attacker can trigger it by presenting a certificate with crafted elliptic-curve parameters; the affected process hangs rather than crashes, which amounts to a remote denial of service against devices running unpatched software.

Darren Williams, CEO, BlackFog had this to say:

“Attacks on VPNs and other services such as SSL continue to be great targets for cyber criminals. The rewards are huge with access to unlimited data from corporations that use these services and tunnel their data through a third party. VPNs were never designed to be security solutions, but a means to connect to corporate networks. Organizations should be focused on next generation cybersecurity solutions that operate on the device itself and protect the data exfiltration from the device. Perimeter defense techniques while important, are just part of the overall design of modern cybersecurity.”

I should also note that the infinite loop bug also affects QNAP NAS devices. Thus owners of those NAS devices should follow the advice in this note from QNAP on this issue and patch their devices when patches become available.
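Vendor advisories tell you which appliance builds are affected, but the same OpenSSL sits inside a lot of software you run yourself. As an added example, written for this post rather than taken from Palo Alto Networks, Bleeping Computer or QNAP, here is a Python check that classifies an `openssl version` banner against the upstream releases that fixed the bug (1.0.2zd, 1.1.1n and 3.0.2) and applies the same check to the OpenSSL that the running interpreter’s `ssl` module is linked against. The function names and status labels are my own, and treating end-of-life branches (1.1.0, 1.0.1 and earlier) as vulnerable is an assumption.

```python
"""Classify OpenSSL version banners against the CVE-2022-0778 fix releases.

Added example, not code from Palo Alto Networks, Bleeping Computer or QNAP.
Upstream fixed releases: 1.0.2zd, 1.1.1n and 3.0.2 (OpenSSL advisory, March 2022).
"""
import re
import ssl

# "OpenSSL 1.1.1m  14 Dec 2021" -> ("1", "1", "1", "m"); the letters are optional.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

VULNERABLE, FIXED, UNKNOWN = "vulnerable", "fixed", "unknown"


def cve_2022_0778_status(version_string):
    """Return 'vulnerable', 'fixed' or 'unknown' for an `openssl version` banner.

    Only the upstream version is compared. A distribution that backported the
    fix without bumping the letter (Debian, RHEL and others do this) will still
    show as 'vulnerable' here, so read that result as "check the package
    changelog", not as a confirmed exposure.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        return UNKNOWN                      # LibreSSL, BoringSSL or not a banner
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4)

    if (major, minor) == (3, 0):
        return FIXED if fix >= 2 else VULNERABLE          # 3.0.0 and 3.0.1 affected
    if (major, minor) > (3, 0):
        return FIXED                                      # 3.1+ shipped after the fix
    if (major, minor, fix) == (1, 1, 1):
        return FIXED if letters >= "n" else VULNERABLE    # plain 1.1.1 and a..m affected
    if (major, minor, fix) == (1, 0, 2):
        # 1.0.2 patch letters run a..z, then za, zb, ...; zd carries the fix.
        return FIXED if (len(letters), letters) >= (2, "zd") else VULNERABLE
    # 1.1.0, 1.0.1 and older are end-of-life and were not patched upstream;
    # assumed vulnerable for the purpose of this check.
    return VULNERABLE


def running_python_status():
    """Banner and status of the OpenSSL this interpreter's ssl module links against."""
    return ssl.OPENSSL_VERSION, cve_2022_0778_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    banner, status = running_python_status()
    print(f"{banner}: {status}")
```

For an appliance or NAS you cannot shell into, the banner is not available and the vendor advisory is the only source of truth; for anything else, run `openssl version` and this check, and remember that on distribution packages a “vulnerable” result still needs the changelog to confirm whether the fix was backported.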