Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

Source: Poptika via Shutterstock

When industrial automation giant Schneider Electric revealed last month that ransomware gang Hellcat stole 40GB of sensitive data, the attackers acknowledged using exposed credentials to breach Schneider's Jira server. 

Once inside the company's project management system, attackers used the miniOrange REST API, a widely used authentication plug-in, to exfiltrate 400,000 rows of data, including 75,000 email addresses, employee names, and customer records. 

What this and dozens of other incidents have in common is that the attackers exploited vulnerabilities in non-human identities (NHIs). Unlike human identities used for authentication by individuals via identity and access management (IAM) credentials, NHIs, also known as machine identities or service accounts, are used by applications, services, and Internet of Things (IoT) installations for authenticating machine-to-machine communications. 

Predictably, investors are funding startups with products that govern and mitigate NHI risk, while more established companies are adding such capabilities, either internally or via acquisition. 

Astrix Security, a prominent startup that says it created the term NHI, earlier this month raised $45 million in Series B funding led by Menlo Ventures and artificial intelligence (AI) platform provider Anthropic, bringing its total funding to $85 million since its founding in 2021.

"A year ago, the term NHI did not exist, and now everyone is talking about them," says Astrix co-founder and CEO Alon Jackson.

Astrix describes its platform as a suite of identity security posture management (ISPM) tools, including non-human identity threat detection and response, NHI life cycle management, auto-remediation, and secrets scanning. 

**Where NHIs Are Vulnerable**

Typical NHIs include API keys, bots, OAuth tokens, database credentials, certificates, and secrets. As organizations have accelerated use of cloud-native applications, IoT infrastructure, and, most notably, AI-based automation during the past two years, NHIs have become a more alarming threat.

Unlike IAM and privilege access management (PAM), few organizations centrally manage NHIs, and there's greater likelihood that they have excessive permissions without expiration dates.

"There are numerous issues with NHIs, including unencrypted credentials, having a full inventory of NHI accounts, inactive accounts, and lack of account ownership," explained Omdia senior analyst Don Tait in a November report.  

Many CISOs are just learning the implications of NHIs. A recent Cloud Security Alliance (CSA) survey of over 800 security and IT professionals found that 24% plan to invest in NHI security during the next six months, and 36% will do so within a year.

More than half of those surveyed believe they may have experienced an incident related to NHIs. 

Astrix is not the only company with NHI discovery and remediation tools attracting investors. Among those that raised Series A funding in 2024 include Aembit ($25 million), Entro Security ($18 million), and Oasis Security ($35 million), which recently discovered the MFA bypass flaw Microsoft Azure. 

The most prominent bet on protecting NHIs was placed in May when CyberArk paid $1.54 billion to acquire machine identity management provider Venafi.

"As NHI continues to evolve, so are the notable vendors in this space," says Christopher Steffen, VP of research at Enterprise Management Associates (EMA). 

Meanwhile, AppSec providers are adding NHI protection capabilities to their offerings. GitGuardian, known for detecting and remediating leaked secrets in GitHub and other source code repositories, recently launched GitGuardian NHI Governance. GitGuardian officials describe it as an addition to its existing platform that will provide visibility and control of NHI life cycles and their associated secrets. 

GitGuardian's initial release will integrate with five key secrets management platforms: HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault.

**Role of NHI Security **

Failure to adequately rotate credentials, overprivileged accounts or identities, and insufficient monitoring and logging are among the common causes of incidents involving compromised NHIs, the CSA report indicates.

"To claim their identity, machines authenticate via secrets like API keys, OAuth tokens, database credentials, usernames and passwords, and certificates," noted GitGuardian product manager Soudanya Ain in a blog post. "They've become the number one vector for a successful attack, frequently overlooked."

Besides the Schneider incident, the NHI Management Group counts over 40 breaches tied to compromised non-human identity credentials during the past two years, including:

*   Microsoft's Midnight Blizzard, which enabled the attackers to access and breach a legacy test OAuth application with elevated privileges.
    
*   The Snowflake breach, which compromised its various customers, including Santander Bank and Ticketmaster.
    
*   Last summer's GitHub extortion attacks by threat actors who used malicious OAuth apps to breach trusted third-party integrations.
    
*   A breach by an attacker who stole secrets, including authentication tokens from the popular Hugging Face open source repository of APIs and other resources for developers who build AI models. 
    

Next year, the risk from compromised NHIs is expected to grow, as is their proportion to human identities, as AI automates more business processes. Omdia's Tait noted industry estimates of the current ratio of NHIs to human identities is 50:1.

"That figure is only likely to increase going forward," he wrote. 

"We do expect NHI growth is going to accelerate further," added Maxine Holt, senior director of Omdia's cybersecurity practice, speaking during a December webinar presented by Dark Reading.

Holt warned that ungoverned NHIs will further raise the threat landscape.

"These identities do require management to ensure secure communication between different services and to prevent unauthorized access and facilitate accountability," she said. "Of course, we need the audit trail there as well. We believe that it's really important to recognize non-human identities as a vital link in the cyber threat chain."

According to the CSA survey, 69% said they are concerned about NHIs as a threat vector, while 38% reported that their organizations have low or no visibility to third parties connected by OAuth apps. Only 20% have a formal process for revoking API keys, and even fewer have procedures for rotating them. 

"There's definitely that trend toward understanding NHI security better and addressing them," said John Yeoh, CSA's global VP of research, at a public meeting in September. "We only expect the NHI field to explode and get out further."

**Blending NHIs and Human Identities **

The current crop of NHI platforms is designed for machine identities, not human credentials, managed by IAM and PAM systems from Microsoft, Okta, Ping Identity, JumpCloud, CyberArk, BeyondTrust, and OneLogin.

Astrix's Jackson says its new round of funding will, in part, go toward expanding integration with human identities.

"Our customers are asking for a 360-degree view of the human and the non-human identities," Jackson says. "But we will be keeping our edge on the NHI space. This is not just posture management and not just anomaly detection, but it's creating the connections in a secure manner."

GitGuardian, which deals with application security and platform engineering teams, has a similar ambition of providing links from its secrets vaults to IAM platforms.

"That's the plan," says Pierre Le Clézio, the company's lead product manager. "But not yet. We are starting with the secret managers and that ecosystem, and then we will have the IAM systems."

**Anticipate M&A Activity **

As NHI security continues to evolve, so will the notable providers, EMA's Steffen says.

"It seems very likely that larger technology players are going to jump into this space," he says. "Many already have complementary offerings, like Wiz and Palo Alto Networks, and are jumping into NHI — either through acquisition or developing their own solution."

Steffen also anticipates that identity providers like Ping and Okta will delve into NHI.

"They already have the infrastructure and the means to enhance NHI for most enterprises, as well as they already lead the market in identity solutions."

Omdia's Holt also anticipates M&A activity.

"The evolving threat landscape really does necessitate a shift toward comprehensive products and solutions that take on both human and non-human identities," she said. "But the market is still developing. A lot of the players are startups. We expect to see more of a move towards platform support and more acquisitions during 2025 for managing non-human identities."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Vendors Chase Potential of Non-Human Identity Management

Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.

Source: Bits And Splits via Shtterstock

Threat actors appear to have found yet another innovative use case for artificial intelligence in malicious campaigns: to create decoy ads for fooling malvertising-detection engines on the Google Ads platform.

The scam involves attackers buying Google Search ads and using AI to create ad pages with unique content and absolutely nothing malicious about them. The goal is to use these decoy ads to then lure visitors to phishing sites for stealing credentials and other sensitive data.

With malvertising, threat actors create malicious ads that are rigged to surface high up in search engine results when people search for a particular product or service. The ads often spoof popular and trusted brands and involve webpages and content that are replicas of the originals but serve instead to redirect users to phishing pages or download an attacker's malware of choice on systems of users who interact with the malicious ads.

While many malvertisement campaigns are targeted at consumers, there have been several recently focused on corporate users as well. One example is a campaign that sought to distribute the Lobshot backdoor on corporate systems, and another that phished employees at Lowe's.

**A Steady, Post-Macro Increase in Malvertising**

"We are seeing more and more cases of fake content produced for deception purposes," researchers at Malwarebytes said in a report on the campaign this week. These so called "white pages," as they are being referred to in the criminal underground, serve as legitimate-looking decoys, or front-end webpages that hide malicious content and activities behind them, according to Malwarebytes.

Related:Manufacturers Lose Azure Creds to HubSpot Phishing Attack

"The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check," Malwarebytes security researcher Jerome Segura wrote. White pages, incidentally, are in contrast to "black pages," which are the actual malicious landing pages containing harmful content or malware.

The use of AI to plant decoy content on Google Ads adds a new wrinkle to malvertising scams, which have seen a remarkable surge in volume recently. Malwarebytes has pinned the increase to Microsoft's decision in 2022 to block macros in Word, Excel, and PowerPoint files downloaded from the Internet — a top malware vector for threat actors. That decision forced attackers to look for other malware distribution vectors, one of which happens to be malvertising, according to Malwarebytes.

Though Google and operators of other major online ad distribution networks have been battling against the scourge — and have gotten better at quickly identifying and removing malvertising content — bad actors have consistently managed to remain a step ahead. A Malwarebytes study found Amazon to be the most spoofed brand in malvertising campaigns, followed by Rufus, Weebly, NotePad++, and TradingView.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

**Spoofing Brands With AI-Generated Content**

In its report, Malwarebytes provided two examples of AI-generated decoy ads it spotted recently on Google Ads. One of the decoy ads targeted users searching the Internet for the Securitas OneID mobile app, and the other targeted users of the Parsec remote desktop app, which is popular among gamers.

The Securitas OneID scam involved an entirely AI-generated website, complete with AI-generated images of supposed executives of the company.

"When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious within it," Segura wrote.

With the Parsec ad, the threat actors used some creative license of their own to generate a heavily Star Wars\-influenced website, replete with references to the parsec astronomical measurement unit. The artwork for the website even included several AI-generated Star Wars-themed posters, which while impressive, would likely have suggested to users that the site had nothing to do with the legitimate Parsec app.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

"Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical," Segura wrote. Even so, as a cloaking mechanism for a malvertising campaign," he added, "the website would have passed Google's validation checks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malvertisers Fool Google With AI-Generated Decoy Content

The draft of the long-awaited update to the NCIRP outlines the efforts, mechanisms, involved parties, and decisions the US government will use in response to a large-scale cyber incident.

Source: Andrii Yalansky via Alamy Stock Photo

NEWS BRIEF

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a draft version of the National Cyber Incident Response Plan (NCIRP), outlining how public- and private-sector organizations should handle significant cyber incidents. The public comment period ends Jan. 15, 2025.

The plan outlines the roles that private, state, local, and tribal governments and federal agencies should play in responding to incidents. It also describes how they should work together on integrated responses. The guidance was formulated after an analysis of real-world incidents, training exercises, and updates to statute and policy, CISA said. 

NCIRP defines cyber incidents as events over a network that involve exploitable vulnerabilities, security procedures, internal controls, or implementations that impact computers, communication systems or networks, physical infrastructure, or information. Significant cyber incidents refer to events that result in "demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."

The draft updates the original version published in 2016. The White House's 2023 National Cybersecurity Strategy pushed to update the plan since the cybersecurity landscape and national response ecosystem have "changed dramatically."

The NCIRP is not intended to be a step-by-step instruction manual for incident response but rather a structure that "responders can use to shape their efforts and maximize both efficiency and coordination," CISA said.

The four lines of effort outlined in the NCIRP are asset response, threat response, intelligence support, and affected entity response. It also incorporates coordination mechanisms and key decision point, and offers guidance on prioritization. It outlines both a "detection" phase of an incident, which encompasses monitoring, analysis and detection, and a "response" phase on how to contain, eradicate, and recover from incidents. 

"While voluntary for all stakeholders outside the federal government, CISA encourages private sector, SLTT government, and all other non-federal stakeholders to review the NCIRP to understand how the U.S. government will partner with them in cyber incident response," CISA said.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

CISA Releases Draft of National Cyber Incident Response Plan

A balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation is key to managing and mitigating risk.

Rob T. Lee, Chief of Research & Head of Faculty, SANS Institute

December 19, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

Israel's electronic pager attacks targeting Hezbollah in September highlighted the dangerous ramifications of a weaponized supply chain. The attacks, which leveraged remotely detonated explosives hidden inside pager batteries, injured nearly 3,000 people across Lebanon, as a worst-case reminder of the inherent risk that lies within global supply networks.

The situation wasn't just another doomsday scenario crafted by financially motivated vendors hoping to sell security products. It was a legitimate, real-world byproduct of our current reality amid the escalating proliferation of adversarial cybercrime. It also underscored the dangers of relying on third-party hardware and software, with roots back to foreign countries of concern — something that happens more often than one might expect. For example, on Sept. 12, a US House Select Committee Investigation revealed that 80% of the ship-to-shore cranes at American ports are manufactured by a single Chinese government-owned company. While the committee did not find evidence that the company used its access maliciously, the vulnerability could have enabled China to manipulate US maritime equipment and technology in the wake of geopolitical conflict. 

As nation-state actors explore new avenues for gaining geopolitical advantage, securing supply chains must be a shared priority amongst the cybersecurity community in 2025. Verizon's "2024 Data Breach Investigations Report" found that the use of zero-day exploits to initiate breaches surged by 180% year-over-year — and among them, 15% involved a third-party supplier. The right vulnerability at the wrong time can put critical infrastructure in the crosshairs of a consequential event.

Implementing impactful supply chain protections is far easier said than accomplished, due to the complexity, scale, and integration of modern supply chain ecosystems. While there isn't a silver bullet for eradicating threats entirely, prioritizing a targeted focus on effective supply chain risk management principles in 2025 is a critical place to start. It will require an optimal balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation.

**Rigorous Supplier Validation: Moving Beyond the Checkboxes**

Whether it's cyber warfare or ransomware, modern supply chain attacks are too sophisticated for organizations to fall short on supplier validation. Now is a vital time to move beyond self-reported security assessments and vendor questionnaires and migrate toward more comprehensive validation processes that prioritize regulatory compliance, response readiness, and secure-by-design.

Ensuring adherence to evolving industry standards must be a foundational driver of any supplier validation strategy. Is your supplier positioned to meet the European Union's Digital Operational Resilience Act (DORA) and Cyber Resilience Act (CRA) regulations? Are they aligned with the National Security Agency's CNSA 2.0 timelines to defend against quantum-based attacks? Do their products possess the cryptographic agility to integrate the National Institute of Standards and Technology's (NIST's) new Post-Quantum Cryptography (PQC) algorithms by 2025? These examples are all important value drivers to consider when selecting a new partner.

Chief information security officers (CISOs) should still push further by mandating actual evidence of cyber resilience. Conduct annual on-site security audits for suppliers that assess everything from physical security measures and solution stacks to IT workflows and employee training programs. In addition, require your suppliers to provide quarterly penetration testing reports and vulnerability assessments, then thoroughly review the documents and track remediation efforts.

Equally crucial to rigorous validation is gauging a supplier's incident response readiness via notification procedures, communication protocols, practitioner expertise, and cross-functional collaboration. Any joint cyber-defense strategy should also be underpinned by a shared commitment to secure-by-design principles and robust product security testing protocols that are integrated into supply chain risk assessments. Implemented during the early stages of product development, secure-by-design helps reduce an application's exploit surface before it is made available for broad use. Product security testing provides a comprehensive understanding of how utilizing a particular product will impact your threat model and risk posture.

**Purposeful Data Exposure: Less Is Always More**

Less (access) is more when it comes to protecting data in supply chain environments. Organizations should be focused on adopting purposeful approaches to data sharing, carefully considering what information is truly necessary for a third-party partnership to succeed. Limiting the exposure of sensitive information to external suppliers via scaled zero-trust concepts will help reduce your supply chain attack surface exponentially, which in turn simplifies the management of third-party risk. 

An important step in this process involves implementing stringent access controls that restrict credentials to only essential data and systems. Data aging and retention policies also play a crucial role here. Automating processes to phase out legacy or unnecessary data helps ensure that even if a breach occurs, the damage is contained and privacy is maintained. Leveraging encryptions aggressively across all data touchpoints accessible to third parties will also add an extra layer of protection for undetected breaches that occur throughout the wider supply chain ecosystem.

**Meticulous Preparation: Assumption of Breach Mindset**

As supply chain attacks accelerate, organizations must operate under the assumption that a breach isn't just possible — it's probable. An "assumption of breach" mindset shift will help drive more meticulous approaches to preparation via comprehensive supply chain incident response and risk mitigation.

Preparation measures should begin with developing and regularly updating agile incident response processes that specifically cater to third-party and supply chain risks. For effectiveness, these processes will need to be well-documented and frequently practiced through realistic simulations and tabletop exercises. Such drills help identify potential gaps in the response strategy and ensure that all team members understand their roles and responsibilities during a crisis. 

Maintaining an up-to-date contact list for all key vendors and partners is another crucial component to preparation. In the heat of an incident, knowing exactly who to call at Vendor X, Y, or Z can save precious time and potentially limit the scope of a breach. This list should be regularly audited and updated to account for personnel changes or shifts in vendor relationships.

Organizations should also have a clear understanding of the shutdown and containment procedures for each critical application or system within their supply chain. While it's impossible to predict every potential scenario, a well-positioned team armed with comprehensive response plans and intimate knowledge of their supply chain environment is far better equipped to combat adversarial threat actors.

**About the Author**

Chief of Research & Head of Faculty, SANS Institute

Known as the “Godfather of Digital Forensics and Incident Response (DFIR),” Rob T. Lee is one of the most renowned cybersecurity experts and thought leaders working today, with over 20 years of experience in computer forensics, incident response, threat hunting, vulnerability and exploit discovery, and intrusion detection/prevention. Rob has mentored many of the cybersecurity experts working today.

Rob currently serves as chief of research and head of faculty at SANS Institute, the world’s leading cybersecurity and digital forensics training company. He is also regularly hired as a consultant and technical adviser by US Congress, federal agencies, and the US military to investigate and review data security breaches. Within the private sector, Rob helps corporations as a hands-on cybersecurity practitioner to look into security breaches, trade secret thefts, and other cybersecurity issues.

Supply Chain Risk Mitigation Must Be a Priority in 2025

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

Source: Ketut Agus Suardika via Shutterstock

Cyberattacks targeting India-based organizations continue to double year-over-year, a rate far higher than the global average, highlighting the rapidly rising risk facing companies and government agencies in South Asia.

Overall, organizations in India encountered nearly 1.2 billion attacks in the third quarter of 2024, up from about 600 million in the same quarter in 2023, according to a quarterly report published by Indusface, a managed application security provider. Some 377 million denial-of-service (DoS) events and 215 million bot-based requests targeted API services and Web servers utilizing the firm's Web application and API protection (WAAP) service.

While attackers typically have used denial-of-service (DoS) attacks powered by bots against businesses, they are evolving, Ashish Tandon, founder and CEO of Indusface, said in a statement to Dark Reading.

Attackers are now focusing "on exploiting websites and APIs using diverse attack vectors," he said. "The rise of large language models (LLMs) has significantly lowered the barrier for executing vulnerability attacks, as reflected in our data, which shows triple-digit growth in such incidents."

The third-largest economy in Asia, India saw 5.4% growth overall in the third quarter, which is driving attackers to more often target Indian organizations — 44% of businesses have suffered a data breach costing at least $500,000 in the past three years, PricewaterhouseCoopers (PwC) stated in its "2025 Global Digital Trust Insights" (India edition). The attacks have resulted in Indian executives prioritizing cybersecurity over other risks, with 61% designating it one of their top three priorities.

Related:African Reliance on Foreign Suppliers Boosts Insecurity Concerns

"Top cyber-risks, including cloud-related threats, attacks on connected products, social engineering and software supply chain compromises, are areas where security executives feel particularly underprepared," PwC India stated in the report.

**Cyberattacks in India Accelerating**

In the second quarter of 2024, cyberattacks doubled both globally and against India-based organizations, rising 105% and 115%, respectively, Indusface stated. While the number of cyberattacks continued to balloon in the third quarter, the expansion decelerated globally, growing only 26% in the third quarter of 2024, compared with a year earlier.

In India, however, attacks continued to skyrocket, jumping 92% compared to the same quarter the previous year, the company stated in its "State of Application Security" report for Q3 2024. In August, the Reserve Bank of India (RBI) issued a warning to companies that their increasing use of digitization comes with increased risks.

Related:Middle East Cybersecurity Efforts Catch Up After Late Start

"While the DDoS attacks in India \[were\] similar to the last year, there was a huge growth in the bot and vulnerability attacks in India," the company stated, adding that attacks in general were on the rise because of attackers' use of AI tools.

"A big part of \[the increase\] could be because of the widespread use of LLM tools such as ChatGPT, which enable novice hackers to easily find and deploy scripts that could exploit open vulnerabilities," the company said. "This accessibility has lowered the barrier to entry for cybercriminals, resulting in an unprecedented rise in vulnerability exploitation."

**Cyber-Risks Heightened for Banks, Utilities**

Cyberattackers have tended to target specific industries in India, with the banking, financial services, and insurance industries collectively seeing twice as many attacks compared with the global average, while power and energy saw four times as many attacks per website, Indusface stated in its report.

"We believe that these industries are targeted for geopolitical reasons, as this will lead to disruption in all essential services," says Phani Deepak Akella, vice president of marketing for Indusface. He adds, "Last year, we saw more DDoS attacks, but this year we are seeing more growth in attacks targeting vulnerabilities. This could be because of LLM adoption, where hackers can get ready made scripts to exploit vulnerabilities such as SQL injection, for example."

Related:Southeast Asian Cybercrime Profits Fuel Shadow Economy

Companies in India suffer from many of the same issues as businesses worldwide, especially around managing vulnerabilities in their attack surface area. Only 19% of companies use an automated scanner to manage their API security, with 45% using manual penetration testing and more than a third (36%) not testing their APIs, according to Indusface.

In addition, companies are slow to patch vulnerabilities in the software used to serve APIs, with more than 30% of critical and high-severity CVSS vulnerabilities remaining unpatched more than six months after discovery. Some 5 million attacks targeted the vulnerable API services, the firm noted.

Security misconfiguration and identification and authentication failures were the top classes of vulnerabilities discovered in production API servers, according to the firm's report. Web applications typically had blind SQL injection, server-side request forgery, and HTML injection issues.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India Sees Surge in API Attacks, Especially in Banking, Utilities

The agency asks the cybersecurity community to adopt "romance baiting" in place of dehumanizing language.

Source: Olga Yastremska via Alamy Stock Photo

NEWS BRIEF

Victims of online scams are being deterred from coming forward for fear of being associated with language like "pig butchering," a phrase used to describe long-con romance fraud schemes, according to Interpol, which has released an awareness campaign advocating for the use of "romance baiting" in its place.

Romance-baiting cybercrimes start with a fake relationship, in which the target "pig" is "fattened up" before they are scammed into sending money, then "butchered" and subsequently ghosted once they've handed over the "whole hog" of their assets. Once victims realize they've been manipulated and scammed, they're left heartbroken and embarrassed, and further labeling them as a pig isn't helpful, Interpol argues as part of its wider "Think Twice" campaign.

Run by sprawling international cybercrime operations, pig butchering scams cost victims billions every year. One large pig butchering operation was discovered to be running full-fledged call centers staffed by forced labor in Cambodia, Laos, and Myanmar, raking in more than $60 billion over the past three years. The pig butchering tactic has likewise been used in the war between Russia and Ukraine.

"Academic research clearly shows the links between the tactics of fraudsters and of perpetrators of domestic abuse and coercive control," Dr. Elisabeth Carter, associate professor of criminology and forensic linguist at Kingston University London, said in a statement from Interpol. "It is imperative that we do not adopt the terminology of these criminals but instead use terms that assist public protection and support victim reporting."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Interpol: Can We Drop the Term 'Pig Butchering'?

The threat intelligence business, which is set to be acquired by Mastercard for billions, is officially vendor non grata in Putin's regime.

Source: JHG via Alamy Stock Photo

NEWS BRIEF

The Russian government has set a new precedent for itself by officially designating Recorded Future, the cyber threat intelligence (CTI) company, as "undesirable." It's a development that the company's CEO sees as a badge of honor.

The term is the country's official parlance for sanctioning, and it means that Recorded Future won't be able to operate within Russia or interact with any Russian companies or individuals. It's a status that was first introduced in 2015 as a way to cut off Russian citizens from the influence of nongovernmental organizations (NGO), media organizations, and other members of civil society that call out human rights abuses and other concerns about Vladimir Putin's regime, which is widely characterized as repressive and authoritarian.

Recorded Future is the first infosec organization and one of very few businesses to "earn" the designation, though the Russia Federation's Office of the Prosecutor General incorrectly labeled it as an NGO in its Dec. 18 announcement about the "undesirable" labeling.

Among the company's supposed crimes against the state: being funded by American businesses; providing services for searching, processing, and analyzing data including on the Dark Web; "specializing in cyber threats"; and actively interacting with the CIA and other foreign intelligence forces.

The Prosecutor General also called out the company, which incidentally is being acquired by Mastercard for $2.65 billion, for spreading "propaganda" and engaging in "offensive information campaigns" regarding its war with Ukraine, tracking Russian Army activities, and feeding intelligence to the Ukrainian authorities.

For his part, Recorded Future CEO Christopher Ahlberg took the news better than in stride, posting on X, "Some things in life are rare compliments. This being one."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

Source: Anatolii Babii via Alamy Stock Photo

Attackers are spoofing Google Calendar invites in a fast-spreading phishing campaign that can bypass email protections and aims to steal credentials, ultimately to defraud users for financial gain.

The campaign, discovered by researchers at Check Point Software, relies on modified "sender" headings to make emails appear as if they were sent via Google Calendar on behalf of a legitimate entity, such as a trusted brand or individual, they revealed in a blog post published Dec. 17.

Initially, messages included malicious Google Calendar .ics files that would lead to a phishing attack, the threat hunters wrote. However, "after observing that security products could flag malicious Calendar invites," attackers began aligning those files with links to Google Drawings and Google Forms to better disguise their activity.

**Mass-Scale Financial Scamming Is the Goal**

Given that Google Calendar is used by more than 500 million people and is available in 41 different languages, the campaign provides a massive attack surface, so "it is no wonder it has become a target for cybercriminals" seeking to compromise online accounts for financial gain, the team noted.

"After an individual unwittingly discloses sensitive data, the details are then applied to financial scams, where cybercriminals may engage in credit card fraud, unauthorized transactions or similar, illicit activities," the researchers wrote in the post. Stolen data also can be used to bypass security measures on other victim accounts to lead to further compromise, they added.

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Attackers also are moving fast with the campaign, with researchers observing more than 4,000 emails associated it in a four-week period. In those messages, attackers used references to about 300 brands in their fake invites to make them appear authentic, they wrote.

**What a Google Calendar Phish Looks Like**

A message associated with the campaign looks like a typical invite from Google Calendar in which someone known to or trusted by the individual targeted shares a calendar invite with them. The appearances of the messages vary, with some that really look almost identical to typical Google Calendar notifications, "while others use a custom format," the team wrote.

As noted previously, the emails include a calendar link or file (.ics) that includes a link to Google Forms or Google Drawings in an attempt to bypass email-scanning tools. Once a user takes the bait, they are then asked to click on another link, "which is often disguised as a fake reCAPTCHA or support button," that forwards them to a page "that looks like a cryptocurrency mining landing page or bitcoin support page," according to the post.

Related:Wallarm Releases API Honeypot Report Highlighting API Attack Trends

"These pages are actually intended to perpetrate financial scams," the team wrote. "Once users reach said page, they are asked to complete a fake authentication process, enter personal information, and eventually provide payment details."

**How to Avoid Becoming a "Google" Phishing Cyber Victim**

Check Point contacted Google about the campaign, which recommended that Google Calendar users enable the "known senders" setting in the app to help defend against this type of phishing. This setting will alert a user when they receive an invitation from someone not in their contact list or someone with whom they have not interacted with from their email address in the past, the company said.

Corporate defenders can used advanced email security solutions that can identify and block phishing attacks that manipulate trusted platforms with the inclusion of attachment scanning, URL reputation checks, and AI-driven anomaly detection, the Check Point team wrote.

Organizations also should monitor the use of third-party Google Apps and use cybersecurity tools that can specifically detect and warn its security teams about suspicious activity on third-party apps.

Related:Texas Tech Fumbles Medical Data in Massive Breach

Finally, two often-cited pieces advice for organizations when recommending phishing defense — the use of multifactor authentication (MFA) across business accounts and employee training on sophisticated phishing tactics — also can work in cases like this to shore up security.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

PRESS RELEASE

SAN FRANCISCO--(BUSINESS WIRE)--Wallarm, the leader in real-time blocking of API attacks, on Dec. 17 unveiled a comprehensive security research report based on data collected from the world's first globally distributed API honeypot network. The findings reveal critical insights into the growing threat landscape for APIs, showcasing their increasing vulnerability to rapid discovery and exploitation.

APIs have surpassed web applications as the primary targets of attackers, underscoring the urgency for businesses to implement robust API security measures. Organizations are plagued by uncontrolled API sprawl and lack of API governance, leading to significant breaches from exposed APIs. Wallarm’s study highlights several alarming trends that demand immediate attention from organizations deploying APIs.

Key Findings from the Report:

*   APIs Are the Prime Target: APIs now attract more attacks than traditional web applications.
    
*   Rapid Discovery: Newly deployed APIs are discovered by attackers in as little as 29 seconds.
    
*   Immediate Exploitation: Unprotected APIs are exploited within one minute of discovery.
    
*   High Velocity Data Theft: Attackers using batched API requests can exfiltrate millions of user records in seconds.
    
*   Targeting Well-Known Products: Recognizable and widely used API products face heightened targeting by attackers.
    

Related:Interpol: Can We Drop the Term 'Pig Butchering'?

Wallarm’s globally distributed honeypot, spanning 14 locations, captures data from diverse geographies and providers, revealing critical trends. The honeypot provides targeted responses to API requests across multiple protocols, including REST, XML-RPC, GraphQL, and others. Over half (54%) of observed request types were API-specific, demonstrating that APIs are the preferred vector for attackers. Among these, 40% of requests targeted known vulnerabilities (CVEs). While port 80 emerged as the most commonly discovered entry point, interactions were distributed across many ports, demonstrating that protecting only common ports is insufficient.

“This report sheds light on a rapidly evolving attack surface and represents a groundbreaking effort in API security research,” said Ivan Novikov, CEO and founder at Wallarm. “APIs are the foundation of modern applications, but their widespread deployment and inadequate protection make them an attractive target for attackers. We hope this research helps organizations invest in strong protection for their APIs.”

Wallarm’s full report offers actionable insights and recommendations to safeguard APIs. To access the full research report and learn more about securing your APIs, visit http://www.wallarm.com/resources/api-honeypot-report.

Related:Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Source

DARKReading