IT security teams, business execs still not on same page
Also: Guri the air-gap guru strikes again, while pro-Ukraine hackers set up a proxy network in Russia
In brief Let's start with the good news: according to a survey of security and business leaders, executives have become far more aware of the importance of cyber security in the past two years, better aligning security teams and leadership.
Now for the bad news: understanding and prioritizing cyber security hasn't led to smoother operations. If anything, it's been more of the same, cyber security firm LogRhythm wrote in its 2022 State of the Security Team report.
LogRhythm last issued its security team report in 2020, at which time only 43 percent of respondents said they received enough executive support for budget, strategy and buy-in necessary to stay safe.
In 2022, 83 percent say the same, which LogRhythm said indicates "a significant improvement in understanding." With that understanding has come more internal pressure to improve on security measures, as well as external pressure from partners and customers.
According to the study, which surveyed 1,175 security and business leaders, 91 percent of companies have been asked by customers to provide proof they meet specific security requirements, while 85 percent were asked the same by business partners.
Those standards aren't always being met, either: 67 percent of respondents said their business lost a deal "due to the customer's lack of confidence" in their company's security strategy.
Some of that uncertainty may stem from overlapping security products, a problem 74 percent of companies said they were dealing with – down from 85 percent in 2020. Most of that overlap is accidental, too.
Despite accidental overlap, which LogRhythm said can lead to additional work and slower response times, deploying new security solutions was ranked as the third most popular priority for security teams, only beaten by improving defenses and reducing response time.
So while business leaders think they've got their finger on the pulse of cyber security, that might not actually be the case – at least if you ask stressed-out security teams.
The big thing to avoid? Being lured into "the trap of deploying unnecessary technology," LogRhythm argued, adding that executives should focus on the priorities of their frontline security teams, as well as prioritize consolidation of tools, training and staff retention.
Air-gap guru has another new way to exfiltrate data
Mordechai Guri, head of R&D at the Cyber Security Research Center at Israel's Ben-Gurion University, has published yet another method of exfiltrating data from air-gapped systems.
This time, Guri is relying on malware that manipulates CPU load, which he said can be used to generate low-frequency electromagnetic radiation in the 0–60 kHz band. A device equipped "with a small $1 antenna" placed within two meters of the air-gapped machine can receive the signal as binary data at speeds of up to 1,000 bits per second.
That's not particularly fast for your average stroll around the internet, but according to the paper 1,000bps would enable real-time keylogging, could transmit an entire 4096-bit RSA key in a little more than four seconds, and could steal private cryptocurrency keys in a quarter of a second.
Guri said that countermeasures could include locking CPUs to fixed frequencies, as well as ensuring that any antivirus software on the machine can detect suspicious CPU load patterns.
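The second countermeasure, spotting suspicious CPU load patterns, is the kind of check a host agent could run over its own utilization samples. The example below is added here and is not code from Guri's paper or from any vendor product: it builds constructed utilization traces (a mean-reverting "normal" workload, a sustained compile-style job, and an on-off keyed trace that mimics the load toggling described above) and flags a trace when almost every sample sits at an extreme and the run lengths between toggles fall on integer multiples of a single symbol period. The sampling interval, the high/low thresholds and the minimum transition count are hypothetical tuning values.

```python
import random

# Constructed sample data: CPU utilization percentages captured by a
# hypothetical fixed-interval sampler. None of these traces are real captures.

def normal_trace(n, seed=1):
    """Mean-reverting noisy load around 35 percent: an ordinary workload."""
    rng = random.Random(seed)
    load, out = 35.0, []
    for _ in range(n):
        load = 35.0 + 0.9 * (load - 35.0) + rng.gauss(0, 4)
        out.append(min(100.0, max(0.0, load)))
    return out

def busy_trace(n):
    """A legitimate long-running job pinning every core: flat at ~99 percent."""
    return [99.0] * n

def modulated_trace(bits, samples_per_bit, seed=2):
    """On-off keyed load: each '1' saturates the cores, each '0' idles them,
    held for samples_per_bit samples, with small jitter on the level."""
    rng = random.Random(seed)
    out = []
    for b in bits:
        level = 98.0 if b == "1" else 2.0
        out.extend(min(100.0, max(0.0, level + rng.gauss(0, 1)))
                   for _ in range(samples_per_bit))
    return out

def run_lengths(samples, high=85.0, low=15.0):
    """Quantize each sample into H(igh)/L(ow)/M(id) and return the lengths of
    the H and L runs together with the fraction of samples at an extreme."""
    if not samples:
        return [], 0.0
    states = ["H" if s >= high else "L" if s <= low else "M" for s in samples]
    runs, cur, length = [], states[0], 0
    for st in states:
        if st == cur:
            length += 1
        else:
            runs.append((cur, length))
            cur, length = st, 1
    runs.append((cur, length))
    extreme = sum(1 for st in states if st != "M") / len(states)
    return [length for st, length in runs if st != "M"], extreme

def looks_like_modulation(samples, min_transitions=8, tolerance=0.25):
    """Heuristic: a trace is suspicious when (a) at least 90 percent of samples
    are at an extreme, (b) it toggles at least min_transitions times, and
    (c) every run length is within tolerance of an integer multiple of the
    shortest run, i.e. the run lengths look quantized to one symbol period.
    Ordinary workloads fail (a); a single pinned job fails (b)."""
    lengths, extreme_frac = run_lengths(samples)
    if extreme_frac < 0.9 or len(lengths) < min_transitions:
        return False
    symbol = min(lengths)  # shortest run is taken as one symbol period
    for length in lengths:
        k = round(length / symbol)
        if k == 0 or abs(length - k * symbol) > tolerance * symbol:
            return False
    return True

if __name__ == "__main__":
    for name, trace in [("normal", normal_trace(160)),
                        ("busy", busy_trace(160)),
                        ("modulated", modulated_trace("1011001011100100", 10))]:
        print(f"{name:>10}: suspicious={looks_like_modulation(trace)}")
```

The quantized-run-length test is what separates a covert channel from a saturated build server: both sit at 100 percent, but only the channel keeps switching between extremes on a fixed clock. In practice the thresholds would be tuned against the host's real telemetry, and a hit would be an alert for triage rather than an automatic verdict.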
This is only the latest of the many side-channel air-gap attacks Guri has demonstrated over the years. He has also side-stepped air gaps by using a power supply to generate noise in transformers and capacitors, sniffed data out of cables using a $30 off-the-shelf kit, transmitted data ultrasonically to a smartphone gyroscope and pulled off other stunts.
Cyber-espionage group spotted building proxy network
A mysterious cyber-espionage group known as Cloud Atlas, or Inception, has been targeting Russia, Belarus and Russian-held Ukraine with malware that includes a new trick: a malicious DLL that lets the group use compromised systems as proxies.
Check Point shared the news in an update on Cloud Atlas's latest strategy, and said that while it has known about the group since 2014, it hadn't seen this particular method of proxying from the group before.
Initial compromise appears to stem largely from phishing emails and malicious attachments, which the group uses to load its signature malware: a PowerShell backdoor called PowerShower. The group's targets have largely been among Russian and Belarusian diplomatic, government, energy and tech companies.
Ultimately, the malware's installation chain leads to a DLL responsible for relaying commands between servers, which Check Point said is likely one link in a chain of proxies Cloud Atlas uses to hide its traffic. Check Point said Cloud Atlas has allegedly operated a worldwide proxy network in the past, but that "it was never mentioned that they achieved this with DLLs on Windows."
Beyond that, Cloud Atlas's malware acts like typical cyber-espionage software, and Check Point notes it hasn't even changed much in the seven years since it was first discovered. That shouldn't make anyone feel comfortable, though – with a worldwide proxy network it'd be easy, presumably, for Cloud Atlas to mask its traffic behind what appears to be a trustworthy machine. ®