Technology has unintended consequences, and that fact is getting much of the security world’s attention as events unfold this year.
This week at the Black Hat 2022 cybersecurity conference, there was news about creating an open standard for analyzing enterprise data, new security tools, and a warning from the former government cybersecurity chief that things are getting worse.
Much of the discussion at the annual meeting in Las Vegas revolved around three examples of how technology can have unintended consequences: the cyber war in Ukraine, ongoing problems with Apache Log4j vulnerabilities, and growing concerns over security threats in Web3. On Black Hat’s 25th anniversary, the issues are far weightier than in the carefree days of 1997, when the first DVD players debuted.
“Like everything else in security, we know it along the way,” said Jeff Moss, founder of Black Hat, marking the conference’s 25 years in cybersecurity. “We need more people trying to explain what’s going on in the room now, what the unintended consequences of the technology are.”
Focus on cyber warfare
The security community is closely monitoring the use of cyber weapons in Ukraine because the tools being used by Russian attackers are a preview of future nation-state and criminal-underground threats.
ESET security researchers updated the Black Hat audience on Wednesday about cyberattacks against Ukraine. Viktor Zhora, chief digital transformation officer of Ukraine’s State Service of Special Communications and Information Protection, made a surprise appearance at the session.
The Ukraine conflict has shown how technology-enabled attacks can be used to disrupt government and communications services, along with utility infrastructure. Zhora noted that the number of cyberattacks in his country has tripled this year, and that Russia has revealed its biggest weapon to date, Industroyer2, which was used to launch a series of wiper-malware attacks on Ukrainian networks.
Industroyer2 is believed to be the latest iteration of the malware behind a 2016 attack on Ukraine’s electricity grid that shut down power to parts of the country. However, Russia inexplicably staged the Industroyer2 attack in April, launching it at 6 p.m. on a Friday, when several power stations were already shut down, Zhora said. With the help of ESET and Microsoft Corp., Ukraine was able to thwart the Industroyer2 attack.
“It was a well-planned and technically sophisticated operation, with a lot of equipment that we found later,” Zhora said. “This was an attack on civilian infrastructure.”
Perhaps more alarmingly, security researchers discovered that another malware tool, CaddyWiper, was used by Russia in conjunction with Industroyer2. According to an analysis of Russian attacks presented by SentinelOne Inc. researchers during another Black Hat session on Wednesday, CaddyWiper destroyed key data and files to hinder recovery from the damage caused by Industroyer2.
“Remember, this is the tip of the iceberg,” said Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne. “I assure you there is a lot more going on that we don’t know about.”
Log4j issues persist
Tech’s unintended consequences have also become an issue in the open source community this year as organizations continue to address vulnerabilities in the Apache Log4j tool.
Log4j is a popular Java-based logging utility used in many software packages. When the vulnerability was first identified last year, the National Vulnerability Database assigned it the maximum severity score of 10 out of 10.
Shortly after the Log4j vulnerability was announced, Microsoft began observing cybercriminals exploiting it. The threat posed by the open-source tool set off alarm bells as high as the federal government, where the White House-mandated Cyber Safety Review Board changed its plan to focus first on the SolarWinds breach and instead investigated Log4j.
The chairman of the CSRB, which released its report on the vulnerability in July, appeared at Black Hat on Wednesday and delivered an unequivocal message: The issues caused by the Log4j flaw are nowhere close to being fixed.
“Log4j is not over,” said Robert Silvers, under secretary for policy at the Department of Homeland Security. “This was not a ‘no looking back, and now we’re in the clear’ situation. It’s likely that organizations will be dealing with Log4j issues for at least a decade, and possibly longer.”
Part of the problem is the lack of knowledge on where Log4j is installed so that fixes can be applied quickly. To support remediation, the Cybersecurity and Infrastructure Security Agency has compiled a number of listings on GitHub, including a “Vendor and Software Affected” catalog.
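The paragraph above puts the finger on the practical problem: you cannot patch what you cannot find, and Log4j is often buried inside application archives rather than installed as a standalone package. The following Python script is an added example, not code from the article, CISA or CyCognito. It walks a directory tree, opens every JAR/WAR/EAR/ZIP it finds (recursing into archives nested inside archives, the classic WEB-INF/lib case), reads the log4j-core version from the Maven pom.properties entry, checks whether the JndiLookup class is still present, and classifies each hit as patched, mitigated or vulnerable. The minimum safe version (2.17.1, which I state as the end of the December 2021 fix series for the 2.x line) and the sample archives built by `build_sample_tree` are my own assumptions and constructed test data, not anything the article supplies.

```python
"""Inventory Log4j (log4j-core) JARs on a filesystem, including JARs nested inside WAR/EAR files.

Added example for asset discovery; not part of the original article. Assumptions are marked.
"""
import io
import os
import re
import tempfile
import zipfile
from collections import Counter
from dataclasses import dataclass

# Assumption: treat 2.17.1 as the first release that closes out the Dec-2021 series of 2.x fixes.
MIN_SAFE_VERSION = (2, 17, 1)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$", re.IGNORECASE)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str        # filesystem path, with "!" separating nested archive entries
    version: tuple       # parsed numeric version, e.g. (2, 14, 1)
    has_jndi_lookup: bool


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' (or '2.0-beta9', which yields (2, 0)) into a comparable tuple of ints."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else (0,)


def status(f: Finding) -> str:
    """patched: at/above the safe version; mitigated: old but JndiLookup removed; else vulnerable."""
    if f.version >= MIN_SAFE_VERSION:
        return "patched"
    return "mitigated" if not f.has_jndi_lookup else "vulnerable"


def inspect_archive(data: bytes, location: str, findings: list) -> None:
    """Look inside one archive (given as bytes) and recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inventory
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # authoritative: Maven metadata shipped in the JAR itself
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        if version is None:  # fall back to the conventional file name log4j-core-<ver>.jar
            m = NAME_RE.search(location)
            if m:
                version = parse_version(m.group(1))
        if version is not None:
            findings.append(Finding(location, version, JNDI_LOOKUP in names))
        for name in names:  # e.g. WEB-INF/lib/*.jar inside a WAR, or a JAR inside an EAR
            if name.lower().endswith(ARCHIVE_EXT) and not name.endswith("/"):
                inspect_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root: str) -> list:
    """Walk a directory tree and return a Finding for every log4j-core archive discovered."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per status, e.g. {'vulnerable': 2, 'patched': 1, 'mitigated': 1}."""
    return dict(Counter(status(f) for f in findings))


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not real Log4j): minimal fake archives that exercise each code path."""
    def core(version: str, keep_jndi: bool = True) -> bytes:
        entries = {POM_PROPS: f"version={version}\n"}
        if keep_jndi:
            entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"  # fake class file bytes
        return _jar(entries)
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    samples = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): core("2.14.1"),                  # vulnerable
        os.path.join(lib, "log4j-core-2.17.1.jar"): core("2.17.1"),                  # patched
        os.path.join(lib, "log4j-core-2.12.1.jar"): core("2.12.1", keep_jndi=False),  # mitigated
        os.path.join(lib, "other-1.0.jar"): _jar({"com/example/Foo.class": b"\xca\xfe"}),  # unrelated
        os.path.join(root, "app", "webapp.war"): _jar(
            {"WEB-INF/web.xml": "<web-app/>", "WEB-INF/lib/log4j-core-2.14.1.jar": core("2.14.1")}),  # nested
    }
    for path, payload in samples.items():
        with open(path, "wb") as fh:
            fh.write(payload)


def demo() -> dict:
    """Build the constructed sample tree in a temp dir, scan it, and return the status counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in scan_tree(tmp):
            print(f"{status(f):10} {'.'.join(map(str, f.version)):8} {f.location}")
```

Run it against a real server root (`scan_tree("/opt")`) to get one line per log4j-core occurrence; the "!" in a location shows which WAR or EAR the JAR is buried in, which is exactly the visibility the paragraph says organizations lack. Shaded or renamed JARs that drop the Maven metadata will only be caught if they keep the conventional file name, so treat the result as a floor, not a ceiling.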
Several cybersecurity organizations have been working to implement fixes for Log4j. Black Hat exhibitor CyCognito Inc. released a report showing that 70% of the companies surveyed are still struggling to patch vulnerable assets and to prevent new Log4j-related exposures.
Log4j is so widely used in the tech community, and software engineers can deploy it for so many purposes, that finding it is a challenge, said a CyCognito executive. “It makes the process of identifying visibility and risk a thousand times more difficult,” said Rob Gurzeev, co-founder and CEO of CyCognito, in an exclusive interview with SiliconANGLE. “Most of the Log4j vulnerabilities we see are on these companies’ properties that haven’t been properly tested.”
China’s role in the Log4j issue provides an interesting subplot. The flaw was first reported to the Apache Software Foundation in late November, when a security engineer at Alibaba Cloud discovered the vulnerability in Log4j.
The CSRB report, which included discussions with Chinese government officials who agreed to participate, found no evidence that China tried to exploit the vulnerability before it became public knowledge in December. However, the board indicated that the Chinese government would not comment on reports that Alibaba was fined for first revealing the flaw to the Apache Foundation, and it expressed concern that China could exploit such flaws in the future.
“We found no evidence of an exploit prior to the vulnerability becoming public,” Silvers said in his Black Hat appearance. “China’s regulatory system is around vulnerability disclosure. The board expressed concern that this could preempt the most serious exposures to China.”
Web3 confirms its vulnerability
As Web3 begins to gather traction in the technology ecosystem, the security consequences of emerging digital financial tools such as blockchain, cryptocurrencies, and smart contracts are playing out in public. The reality is that most blockchain and cryptocurrency projects have been operating at a low level of security maturity, and that is starting to ring alarm bells as investment pours in and the number of incidents grows.
“If people are collecting cryptocurrencies and NFTs, they want people to know that they’re actually collecting, so they’re becoming their own targets,” said Nathan Hamiel, senior director of security research at Kudelski Security, in a Black Hat presentation on Thursday. “We have high-value targets with public exposure and an unknown attack surface. The time to exploit these things is incredibly fast and we’re not used to what we’re seeing.”
Hundreds of millions of dollars have been stolen in what security researchers see as a rapidly escalating series of attacks. One of the largest to date is the hack of the Ronin network of blockchain game provider Axie Infinity, which netted the attackers at least $620 million in March.
According to a statement released by the provider, Sky Mavis, validator nodes on the Ronin network were compromised. Hamiel also cited hacks such as Beanstalk, in which attackers used flash loans to gain leverage over the protocol’s governance.
The Web3 world has built a following on the principles of decentralized autonomous organizations, or DAOs, and community ownership. But that is proving to be a vulnerability that threat actors are only too happy to exploit.
“It’s a feature of decentralization and an obstacle: nobody owns it,” Hamiel said. “You can’t solve tactical problems with a DAO; a piece of software shouldn’t be community-driven. We haven’t found all the security issues yet.”
Photo: Mark Albertson/SiliconAngle