The BlackByte ransomware gang appears to have made a comeback after targeting at least three U.S. critical infrastructure sectors, according to an advisory from the FBI and the Secret Service.

BlackByte is a ransomware-as-a-service (RaaS) operation that leases out its ransomware infrastructure to others in return for a percentage of the ransom proceeds. The gang emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims worldwide. While BlackByte had some initial success—security researchers tracked attacks against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia—the gang hit a rough patch months later when cybersecurity firm Trustwave released a free decryption tool that allowed BlackByte victims to recover their files for free. The group’s simplistic encryption techniques led some to believe that the ransomware was the work of amateurs; the ransomware downloaded and executed the same key to encrypt files in AES, rather than unique keys for each session.

Despite this setback, it appears the BlackByte operation is back with a vengeance. In an alert posted in mid-February, the FBI and the Secret Service (USSS) warned that the ransomware gang had compromised multiple U.S. and foreign businesses, including “at least” three attacks against U.S. critical infrastructure, notably government facilities, financial services, the food industry, and agriculture.

The advisory, which provides indicators of compromise to help network defenders identify BlackByte intrusions, was released just days before the ransomware gang claimed to have encrypted the network belonging to the San Francisco 49ers. BlackByte disclosed the attack the day before the Super Bowl by leaking a few files it claims to have been stolen.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, says that while BlackByte isn’t the most active RaaS operation, it’s been steadily racking up victims over the past few months. However, he adds that because of recent action by the U.S. government against ransomware actors, the gang might take a cautious approach.

“The FBI and Secret Service advisory states that BlackByte has been deployed in attacks on at least three U.S. critical infrastructure sectors, including government. Interestingly, no such organizations are listed on the gang’s leak site, which could indicate that those organizations paid, that no data was exfiltrated or that BlackByte chose not to release the exfiltrated data,” he said. “That final option is not unlikely: since the arrests of members of REvil, the gangs seem to have become more cautious about releasing data, and especially with U.S. organizations.”

Callow said that while all signs suggest BlackByte is based in Russia, since the ransomware, like REvil, is coded not to encrypt the data of systems that use Russian or Commonwealth of Independent States (CIS) languages. That “shouldn’t be taken to mean the attack was carried out by individuals based in Russia or the CIS.”
​
“Affiliates may not be located in the same county as the individuals who run the RaaS,” he added. “They could be based anywhere—including the U.S.”

1Password, a leader in enterprise password management, recently launched Secrets Automation, an easy-to-use way to secure, manage and orchestrate the rapidly expanding infrastructure secrets required in a modern enterprise. Secrets such as corporate credentials, API tokens, keys and certificates can number in the hundreds for midsize businesses and many thousands for enterprises. This scale and complexity lead to huge security risks. Besides the new product launch, 1Password also completed the acquisition of SecretHub, a secrets management company that protects nearly 5 million enterprise secrets a month. The SecretHub team and CEO Marc Mackenbach will join 1Password immediately, adding expertise and engineers to speed up the 1Password Secrets Automation roadmap. 1Password Secrets Automation launches with a host of partnerships and integrations that will make it easy for developers and DevOps teams to integrate with the mission-critical tools and libraries they already use.  

1Password is the first line of defense for over 80,000 businesses worldwide protecting their employees, customers and intellectual property by securing passwords, financial details and other sensitive information. Today's launch and SecretHub acquisition signal a major expansion of 1Password, helping enterprises secure their infrastructure and machine-to-machine secrets alongside their human passwords. 

"Companies need to protect their infrastructure secrets as much as their employees' passwords," said Jeff Shiner, CEO of 1Password. "With 1Password and Secrets Automation, there is a single source of truth to secure, manage, and orchestrate all of your business secrets. We are the first company to bring both human and machine secrets together in a significant and easy-to-use way." 

Secrets Security Not Keeping Pace. With the massive expansion of Software as a Service (SaaS) applications, infrastructure secrets are multiplying as never before, scattered across multiple services and cloud providers. Companies often try to protect these secrets through a combination of home-grown solutions and awkward hacks. Human error within IT and developer organizations happens all the time and is compounded by risky shortcuts taken in the name of speed and productivity. 

Leaked secrets can have widespread ramifications; when an engineer accidentally placed a secret key into source code at Uber, the names, driver's licenses, and other private information of 57 million users were stolen. A recent GitGuardian report detected over 2 million infrastructure secrets exposed on code sharing platforms, growing 20% over the previous year. This underscores the massive and growing issue of properly managing secrets and protecting sensitive customer data. 

1Password Secrets Automation was developed to address directly these challenges. Key features include:

• The security of 1Password--store credentials, tokens and other secrets fully encrypted, using the same security that made 1Password the No. 1 enterprise password manager. 
• A single source of truth for all your secrets--gain complete visibility and auditability in a way that you can't when secrets are spread across multiple services. 
• Granular access control--define which people and services have access and what level of access they are granted. 
• Ease of use--built on 1Password's intuitive user interface, Secrets Automation delivers administrative simplicity, providing for good secrets hygiene. 
• Integration with your existing tools--Secrets Automation integrates with HashiCorp Vault, Terraform, Kubernetes and Ansible, with more integrations on the way. You'll also find ready-to-use client libraries in Go, Node and Python.

1Password and GitHub are also announcing a partnership: "We're partnering with 1Password because their cross-platform solution will make life easier for developers and security teams alike," said Dana Lawson, VP of partner engineering and development at GitHub, the largest and most advanced development platform in the world. "With the upcoming GitHub and 1Password Secrets Automation integration, teams can automate fully all of their infrastructure secrets, with full peace of mind that they are safe and secure."

A Roadmap Driven by Customer Demand. Kira Systems, an AI-based contract review and analysis software company, was one of many customers that requested 1Password expand its offering to solve their secrets management problems. 
​
"We've been a 1Password customer for six years and have long wanted to centralize our secrets management," said Joey Coleman, Kira Fellow and director, systems with Kira Systems. "We store terabytes of sensitive data across many deployments, so it is critical for us to have a secure and efficient way of managing the credentials that give access to that data. Secrets Automation delivers an extra level of security while also removing the manual labor required to manage the volume of passwords and credentials."

AR has populated science fiction, specialized industries, and high-tech experiments for decades. But in the 2010s, major companies—and countless startups—began treating AR headsets as a potential mass-market platform.

Facebook founder Mark Zuckerberg predicted in 2017 that televisions and phones would be replaced by holographic glasses. Apple CEO Tim Cook called AR “a big idea, like the smartphone.” Microsoft envisioned people watching the Super Bowl in its HoloLens headset. Google launched its ambitious Glass platform as a potential successor to phones, then helped propel the AR startup Magic Leap toward billions of dollars in investments. More recently, telecoms have partnered with AR companies like the Chinese startup Nreal, hoping high-bandwidth holograms will create a demand for 5G networks.

These companies’ products—as well as those of other major players, including Snap, Vuzix, and Niantic—often look very different. But most of them promise a uniquely powerful combination of three features.

• Their hardware is wearable, hands-free, and potentially always on—you don’t have to grab a device and put it away when you’re done using it
• Their images and audio can blend with or compensate for normal sensory perception of the world, rather than being confined to a discrete, self-contained screen
• Their sensors and software can collect and analyze huge amounts of information about their surroundings—through geolocation and depth sensing, computer vision programs, or intimate biometric technology like eye-tracking cameras

Over the past decade, nobody has managed to merge these capabilities into a mainstream consumer device. Most glasses are bulky, and the images they produce are shaky, transparent, or cut off by a limited field of view. Nobody has developed a surefire way to interact with them either, despite experiments with voice controls, finger tracking, and handheld hardware.

Despite this, we’ve gotten hints of the medium’s power and challenges—and even skeptics of the tech should pay attention to them.

In 2016, for instance, millions of people fell in love with the phone-based AR game Pokémon Go. When players logged on to catch virtual monsters, many discovered parts of their neighborhoods they’d never thought to visit. But they also found a world built on data that placed more gyms and PokéStops in white and affluent neighborhoods. They forged in-person connections by sharing virtual experiences, but those connections could also allow for real-world harassment.

The effects went beyond people who played the game. The owners of some homes near Pokémon Go gyms experienced a sudden influx of trespassers, leading a few to sue its developer Niantic and secure tweaks to the game’s design. Public memorials like the US Holocaust Museum asked players to respect the space by not chasing virtual monsters into it. Even this early foray into augmented reality exported some of the internet’s biggest flaws—like its ability to collapse context and overwhelm individuals with its sheer scale—into physical space.

Writer and researcher Erica Neely says that laws and social norms aren’t prepared for how AR could affect physical space. “I think we’re kind of frantically running behind the technology,” she says. In 2019, Neely wrote about the issues that Pokémon Go had exposed around augmented locations. Those issues mostly haven’t been settled, she says. And dedicated AR hardware will only intensify them.
​
Smartphone cameras—along with digital touchup apps like FaceTune and sophisticated image searches like Snap Scan and Google Lens—have already complicated our relationships with the offline world. But AR glasses could add an ease and ubiquity that our phones can’t manage. “A phone-based app you have to actually go to,” says Neely. “You are making a conscious choice to engage with it.” Glasses remove even the light friction of unlocking your screen and deliberately looking through a camera lens.

Secretary of State Tony Blinken announced last week plans for the State Department to create a new bureau of cyberspace and digital policy.

Why it Matters. The establishment of the bureau and plans for a new envoy to oversee critical and emerging technology come after a series of significant hack attacks and other online crimes, notably ransomware assaults on U.S. infrastructure.

Details. Blinken said in a memo to staff that following congressional approval, the new envoy and the Bureau of Cyberspace and Digital Policy "provide us with greater leadership and accountability to drive the diplomatic agenda within the interagency and abroad," per AFP. 

• State Department spokesperson Ned Price said at a briefing later Monday that the new Senate-confirmed ambassador-at-large would "lead the immediate technology diplomacy agenda with our allies, partners, and across the range of multilateral fora."
• The envoy would focus on "three key areas: international cyberspace security, international digital policy and digital freedom."

The Big Picture: President Biden signed an executive order in May in response to the cyberattacks in the public and private sectors — from the hacking of the Colonial Pipeline to the SolarWinds and Microsoft Exchange attack.
​

• Some $590 million had been paid by victims of ransomware attacks in the first six months of this year amid a surge in cybercrime, according to a Treasury Department report released earlier this month.

Last year a hacker group used a bit of malicious code it hid in a software update by the company SolarWinds to launch an immense cyberattack against U.S. government agencies and corporations—see Issues 7-27, 7-36, and 7-38.

The group behind the attack, Nobelium, is reportedly being directed by the Russian intelligence service. And they're at it again.

According to Microsoft, one victim of the SolarWinds hack, the group is targeting technology companies that resell and provide cloud services for customers.

"Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain," Tom Burt, Microsoft's Corporate Vice President of Customer Security & Trust, said in a blog post on the company's website.

"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization's trusted technology partner to gain access to their downstream customers," he added.
​
The hacker group hasn't tried to ferret out vulnerabilities in software, Burt said, but has been using techniques like phishing and password spray to gain entry to the targeted networks.

Office 365 users are now in cybercriminals' crosshairs in a new phishing campaign, according to a warning the Microsoft Security Intelligence (MSI) team issued via Twitter. Malicious actors are using email addresses that appear to be legitimate, with display names that mimic bona fide services to dodge email filters.
Microsoft cautioned cybercriminals are going above and beyond to use detection-evasion techniques that are convincing and authentic-looking.

"An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to slip through email filters," MSI explained on Twitter.

The deceptive phishing campaign targets Office 365 organizations with employees who often send attachments to co-workers. MSI found phishing emails that seemed as if they were sent from a trusted source. Many of these emails contained faux Microsoft SharePoint attachments with labels such as "Price Books," "Bonuses" and "Staff Reports."

The phishing emails use a tactic called "typosquatting," which involves registering deliberately misspelled domains that, at first glance, look close to a well-known brand. Most quick readers would overlook the subtle typo.

If users fall for the bait and click on the "Open" link, it will lead them to a page that lures them to type in their Microsoft or Google credentials. According to MSI, these sign-on pages look very convincing, making users believe that they're on a trustworthy path to a legitimate website.

MSI kept emphasizing how authentic these phishing emails looked. Employers may not be able to rely on their employees' good judgment to identify suspicious-looking emails. That's why MSI shamelessly plugged its Microsoft Defender for Office 365 program as a solution, adding that this software "detects and blocks" these emails.
​
Phishing attacks are a huge thorn in the side for many popular companies like Netflix and PayPal, but the Redmond-based tech giant should be particularly concerned. According to a CheckPoint Research study, Microsoft topped the list as being the most imitated brand for phishing attacks.

Benefits. A well-known example of an emerging technology is artificial intelligence (AI). This technology has many facets, including machine learning, natural language processing and speech recognition. In September/October 2020, the Information Systems Audit and Control Association (ISACA) and Protiviti conducted a global survey of over 7,400 IT audit leaders and professionals to get their perspectives on the top technology risks their organizations will face in 2021. Nearly 50% of the over 4,500 global respondents to the ISACA survey showed they are already using AI technologies (22%) or are in the planning and pilot stages of adopting them (27%).

Companies that have adopted emerging technologies, such as AI, hope to benefit from the competitive advantages that these technologies can provide. For example, cost savings and heightened revenues are made possible through increased efficiency and enhanced customer products and experiences.

Companies can speed up the adoption of emerging technologies by investing broadly across the company and using technologies in a way where the responsibility resides with the process owner. This approach generates better cost savings as process owners can solve a business problem specific to them, resulting in operational efficiencies and an increase in quality analysis.

Internal audit can also embrace AI technologies to enhance risk monitoring and control effectiveness. In a use case-specific example, machine learning can analyze general ledger data and pinpoint incorrect or fraudulent journal entries among thousands of other transactions. Note that larger and more complex business problems—which may have a broader impact across multiple areas of the business or have aspects that present greater risk to the company—would require collaboration and consultation with data scientists, who could be internal personnel or consultants.

Risks. Companies adopting emerging technologies must not only consider the benefits but also the associated risks. To develop an understanding of individuals' perceptions, the ISACA survey asked respondents to indicate their views on the risks of adopting AI technologies. Most respondents rated the risks associated with AI to be low (30%) or medium (33%), whereas only 9% determined AI to be high risk. In practice, companies must consider the maturity and complexity of the business processes using AI to determine true risk to the company.

One risk is that these emerging technologies will not achieve companies' expectations. To combat this risk, a clear vision needs to be established and supported by defined objectives with realistic targets. Due diligence involves thorough research to identify requirements for new projects that have a significant impact on the company. IT governance should play a substantial role as emerging technologies are being integrated into the business, including representation across different IT groups—such as application development, security, and infrastructure—within the IT governance process. This will enable communication across various parts of the business and help identify additional needs while streamlining project implementation. Monitoring and regular status updates should be communicated to senior leadership throughout the project, as well as post-launch to help determine if ROI was achieved or miscalculated.

Risks can also emerge from changing regulations that may limit the success of an emerging technology. For example, privacy laws related to the collection of consumer data could impede a company's ability to use successfully certain emerging technologies by disrupting current products and services in production. New regulations are imminent, especially surrounding algorithmic bias for technologies that affect customers. Continuous monitoring of new regulations and nimble development processes are necessary to ensure models comply with changing and new regulations.

Finally, there is a risk that a misconfiguration of the technology could cause an algorithm error issue, which would affect data quality and create threats to data security. These risks can be mitigated by putting strong change management processes in place. These processes ensure test cases are effectively designed and performed, that version controls appropriately log changes to models and source code repositories, and that peer reviews are conducted for coding and model changes. During the planning and building phase, it is critical to be mindful of the data set to identify potential biases and ethical dilemmas.
​
Adopting emerging technologies can create competitive advantages, but these benefits are naturally accompanied with risk. Process owners can take a proactive approach to identify risks by engaging with internal audit or enterprise risk management. Starting discussions about risks and controls early in the technology's implementation will help identify any unaddressed issues and process improvements and ensure emerging technologies are successfully integrated into the business.

Microsoft is officially acquiring RiskIQ, a security software vendor. RiskIQ provides management tools and threat intelligence gathering against a wide range of cyberattacks across Microsoft’s own cloud services, AWS, on-premises servers, and supply chain attacks. While Microsoft hasn’t valued the deal, Bloomberg reported that the company is said to be paying more than $500 million for RiskIQ.

The cloud-based RiskIQ software detects security issues across networks and devices, and the company lists Box, the US Postal Service, BMW, Facebook, and American Express as customers. RiskIQ was originally founded in 2009 and has gradually become an important player in analyzing security threats.

Microsoft hasn’t laid out a detailed plan for how it will integrate RiskIQ into its own security offerings, but it’s bound to use RiskIQ’s software across Microsoft 365 Defender, Microsoft Azure Defender, and Microsoft Azure Sentinel eventually.

“RiskIQ has built a strong customer base and community of security professionals who we will continue to support, nurture, and grow,” says Eric Doerr, vice president of cloud security at Microsoft. “RiskIQ’s technology and team will be a powerful addition to our security portfolio to best serve our mutual customers.”
​
Microsoft has been gradually growing and improving its security tools amid an intense battle with ransomware. The software maker even acquired ReFirm Labs last month to help protect servers and Internet of Things devices from security attacks. The acquisitions come after months of troublesome ransomware attacks. The Russia-linked REvil ransomware group has been wreaking havoc with ransomware and supply chain attacks in recent weeks, and the security industry is still reeling from a sophisticated SolarWinds hack that breached everything from Microsoft to US government agencies.

Microsoft Corp. said the hackers behind the SolarWinds cyberattack recently compromised a new trio of victims using access to one of the company’s customer support agents.

The hacked portal used by the individual agent contained information for a “small number of customers,” which the attackers used to launch a “highly targeted attack,” Microsoft said Friday in a blog post. The company said it has since removed the attackers and secured the compromised device.

Microsoft didn’t identify the victims but said it had alerted the hacked entities through its nation-state notification process. Microsoft’s Threat Intelligence Center attributed the attack to a group called “Nobelium.” That’s the same group of state-sponsored Russian hackers who used sophisticated intrusion techniques in 2020 to infect with malware 18,000 customers of the Texas-based software company, SolarWinds Corp.
​
Microsoft said Nobelium targeted IT companies, governments, non-profits, think tanks and financial services entities across 36 countries during the recent attack. “The activity was largely focused on U.S. interests, about 45%, followed by 10% in the U.K., and smaller numbers from Germany and Canada,” the Redmond, Washington-based software maker said in the blog.

The group behind the massive SolarWinds hacks has also been running a sophisticated email-based spear-phishing campaign, according to Microsoft. In a blog post by company VP Tom Burt, he said the Microsoft Threat Intelligence Center (MSTIC) has detected a wave of cyberattacks by the group called Nobelium against government agencies, think tanks and non-governmental organizations. Nobelium apparently sent out 3,000 emails to 150 organizations after getting access to Constant Contact, the mass mailing service used by the United States Agency for International Development or USAID.

While most of the targets are in the United States, they're spread out in 24 countries overall. At least a quarter of the intended victims are involved in humanitarian and human rights work and, hence, may be the most vocal critics of Russian president Vladimir Putin. The SolarWinds attack is believed to be a Russian-backed campaign, and the United States government retaliated by expelling 10 Russian diplomats from Washington, DC. The Treasury Department also imposed sanctions on six Russian technology companies that were allegedly involved in creating malicious tools for cyberattacks.

According to Microsoft, it first detected the campaign on January 25th, though Nobelium wasn't leveraging USAID's Constant Contact account to phish targets back then. The campaign has evolved several ways since, and it was only on May 25th that MSTIC determined an escalation on the group's part when it sent out 3,000 emails with legitimate-looking USAID addresses through the mailing service. 

Thankfully, automated threat detection systems blocked most of the emails because of the high volume of emails that were sent out. Further, the contents were anything but subtle. The New York Times says one email blasted out highlighted a message claiming that "Donald Trump has published new emails on election fraud." It then linked to a URL that downloads malware into the victim's computer when clicked. Microsoft says some of the earliest emails that went out may have been successfully delivered, though, and the company is advising potential targets to make sure they're sufficiently protected. 

Burt wrote in his post:
​
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts... when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem."