Cloud CISO Perspectives: Late June 2023
VP, TI Security & CISO, Google Cloud
VP, Mandiant Intelligence, Google Cloud
Welcome to the second Cloud CISO Perspectives for June 2023. In my previous newsletter, I discussed the growing, important role that accurate threat intelligence can play in helping keep organizations secure, and how we centered that at our Security Summit.
Today’s cybersecurity threats can pose dangerous risks to organizations, and have a material impact on their business. It’s vital that leaders and boards need to stay abreast of accurate, timely threat intelligence, so I’m turning the mic over to Sandra Joyce, vice president of Mandiant Intelligence at Google Cloud, to talk more about the current threat landscape.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
What you need to know about the ‘zero-day summer’ threat landscape
By Sandra Joyce, vice president, Mandiant Intelligence at Google Cloud
A series of recent zero-day vulnerability-related incidents has led some members of the security community to refer to this season as a “zero-day summer.” The humorous overtone belies the seriousness of the problem, and it’s important for business leaders and boards to understand that these recent major incidents are rooted in larger trends.
Vulnerabilities in file transfer tools and security products have had serious consequences for several of our customers, and concerns that the trend is snowballing are growing. Zero days discovered thus far this year are slightly ahead of last year’s pace, and unfortunately, a longer, multiyear view reveals the number of zero days is growing.
Recent incidents underscore important trends in facing this zero-day challenge. A profusion of security device zero-day vulnerabilities and internet-exposed systems tied to Chinese cyber espionage activity is now unmistakable. A more subtle trend of financially-motivated threat actors exploiting these vulnerabilities is worth noting as well. Specifically, Mandiant has observed some extortion actors, such as FIN11, leveraging zero-day exploits in their operations. This trend challenges the widely-held belief that zero days are solely a nation-state game.
In 2021 and 2022, Chinese cyber espionage actors have been associated with 10 zero days in security devices such as firewalls, VPNs, email security appliances, networking products, and virtualization software. That’s half of all zero days we tracked as exploited by Chinese cyber espionage actors. These vulnerabilities have enabled intrusions on a global scale, allowing actors such as APT41, a state-sponsored Chinese threat actor, to gain access to a variety of sectors.
A concentration in security devices and virtualization software is unlikely to be a coincidence. We believe these actors are deliberately focusing on these devices because they represent multiple tactical advantages. For instance, these devices are challenging to monitor, reducing the likelihood of detection. Many of these devices do not support endpoint detection and response (EDR) solutions, and they lack solutions to detect modifications or collect forensic images. Furthermore, most of these zero days can be exploited without social engineering, which also limits the opportunity for detection.
A profusion of security device zero-day vulnerabilities and internet-exposed systems tied to Chinese cyber espionage activity is now unmistakable. A more subtle trend of financially-motivated threat actors exploiting these vulnerabilities is worth noting as well.
Chinese cyber espionage has changed dramatically over the last decade from loud, broad intrusion activity to focused targeting in deliberate operations that are far more difficult to detect. In addition to using zero days, these threat actors have largely shifted their attention to the edge of the network, gaining access through internet accessible applications and devices. They are still phishing of course, but they are certainly less reliant on social engineering like actors from North Korea and Iran.
The infrastructure Chinese actors use to support their operations has changed as well. More frequently, we find them using a complex, ephemeral command and control scheme that involves the use of botnets of compromised systems such as small home and home office Wi-Fi routers. This evolution makes them harder for researchers to track.
Even in the case of vulnerabilities that were not first exploited as zero days by Chinese threat actors, Chinese cyber espionage actors have demonstrated an incredible ability to adopt available exploits quickly to target organizations before they can patch. The speed of their process suggests they have deliberately organized and resourced their operations to move quickly and take advantage of opportunities from recently disclosed vulnerabilities.
FIN11’s recent widespread exploitation of a file transfer software vulnerability is the fourth time we have seen this group exploit this type of software in as many years. From late 2020 to today, FIN11 has exploited multiple zero-day vulnerabilities across software and hardware from Accellion, SolarWinds, Forta, and MOVEit.
Mass exploitation of a vulnerability in file transfer software can allow threat actors to efficiently gain access to many organizations’ sensitive files without the need for additional lateral movement. For example, in some cases FIN11 was able to start data theft within minutes of exploiting MOVEit systems, almost certainly reducing the time required to monetize access. Limiting the intrusion activity to the file transfer devices also decreases an attacker’s footprint on the network — and therefore the likelihood of detection. Threat actors may also believe that network defenders are less likely to monitor or detect malicious activity targeting these programs compared to other intrusion and post-compromise activity that interacts with more core components of network infrastructure.
Even if we aren’t in the midst of a record-breaking “zero-day summer,” the factors behind these recent high-impact cybersecurity events are taking their toll on defenders.
The 2020 and 2021 exploitation of Accellion File Transfer Appliance and the 2023 exploitation of MOVEit involved the development of custom malware, which was specifically designed to interact with the targeted programs. Given the apparent success of these campaigns, the threat actors likely view the investment of time and resources into understanding this software, developing or purchasing exploits, and developing malware designed to interact with it as worthwhile.
Since 2019, financially-motivated actors have exploited 30% of the zero days that we have been able to attribute. The majority of these are linked to extortion operations. This almost certainly reflects the lucrative nature of these operations, as threat actors likely reinvested profits into developing and acquiring exploits. Mandiant regularly observes threat actors advertising and seeking zero-day exploits on underground forums and Telegram channels.
For example, in June 2023, the English-speaking threat actor “Vars_Sec” advertised a ZTE device zero day with remote code execution for $2500. Similarly, in April 2023, the exploit broker “vulns-rock” advertised a Windows LPE zero day on the Russian-language forum Exploit.in for $150,000. The continued availability of these exploits almost certainly lowers the barrier to entry for acquiring these capabilities.
Even if we aren’t in the midst of a record-breaking “zero-day summer,” the factors behind these recent high-impact cybersecurity events are taking their toll on defenders. Similar incidents are almost inevitable, as long as threat actors continue to experience success with these approaches.
Predicting the exact nature of the next similar incident is difficult but we can take steps now to mitigate similar risks. One important step organizations can take to mitigate some of these latest zero-day threats to file-transfer systems is to follow our MOVEit Transfer: Containment and Hardening Guide.
The proverbial lazy days of summer will just have to wait.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 has sold out, but you can still register for the conference. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Check out our scheduled security sessions, and register now.
Safer spaces: How confidential computing can grow secure data collaboration: Confidential Computing is driving a new era of privacy-enhancing tech to help organizations make the most of the cloud without compromising privacy. Read more.
How to migrate sensitive data using Google Cloud’s CDMC-certified architecture: As enterprises accelerate adoption of cloud-based services and products, they want to secure and govern rapidly-expanding volumes of their most sensitive data. The Enterprise Data Management Council (EDM Council) has accredited a new Google Cloud whitepaper and solution source code as a Cloud Data Management Capabilities (CDMC) Certified Cloud Solution. Read more.
GKE Security Posture dashboard now GA with enhanced features: The Google Kubernetes Engine (GKE) Security Posture dashboard is now generally available. It’s designed to streamline the security management of GKE clusters, and now includes a range of powerful features such as misconfiguration detection and vulnerability scanning to help ensure your applications remain safe and secure. Read more.
Now in Assured Workloads: New regions, capabilities, and supported services: Assured Workloads can help organizations more easily achieve and maintain compliance with relevant regimes around the world without refactoring. Here are several new features and services that are now generally available (GA) in Assured Workloads. Read more.
Introducing client authentication with Mutual TLS on Google Cloud Load Balancing: We are excited to announce the Preview of front-end mutual TLS (mTLS) support, allowing you to offload client certificate authentication using External HTTPS Load Balancing. Read more.
Protect data from disasters using new Asynchronous Replication: In today's business landscape, data availability and integrity are paramount. Disasters can disrupt operations and pose a significant risk to critical information. To address this, we have introduced Persistent Disk Asynchronous Replication, which enables disaster recovery for Compute Engine workloads. Read more.
Improving financial control and observability with security monitoring: Over the past few weeks, we’ve introduced new capabilities and solutions to better integrate security monitoring with observability and financial controls, including building better budgets. Read more.
News from Mandiant
How we secure the AI pipeline: Mandiant analysts and responders are already using Bard in their workflows to identify threats faster, eliminate toil, and better scale talent and expertise. Organizations are keen to understand how best to integrate it into their own existing business processes, technology stacks, and delivery pipelines, and ultimately drive business value. Mandiant’s approach to securing the AI pipeline builds on the recently-announced Security AI Framework. Read more.
Detection, containment, and hardening opportunities on compromised VMware hosts: Mandiant researchers focus on the artifacts, logging options, and hardening steps to detect and prevent tactics and techniques seen being used by threat actor group UNC3886. Read more.
Google Cloud Security podcasts
We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. Earlier this month, they discussed:
Can IAM actually be… fun? One of the secrets nobody in cloud security wants you to know is that Identity Access Management (IAM) is exciting, dynamic, and even… enjoyable. At least, that’s according to Ian Glazer, the founder of Weave Identity and co-founder of IDPro. What makes IAM so interesting? And how is it different between cloud providers? Listen here.
Policy-as-Code can help secure your cloud environment: We present a deep dive into the new world of policy-as-code, from who should learn it, to who should manage it, to how it can help secure the cloud. Dominik Richter, founder and head of product at Mondoo, joins us for a Policy-as-Code therapy session, and we even talk about how to tell when it’s succeeding. Listen here.
Will SIEM ever die: What can its past tell us about its future: Security Information and Event Management (SIEM) has been around a long time. We discuss which old SIEM lessons still apply today, which old lessons can harm your organizations, and what are the top modern cloud security use cases for SIEM, with David Swift, security strategist at Netenrich. Listen here.
Threat Trends: A requirements-driven approach to cyber threat intelligence: Dr. Jamie Collier, senior threat intelligence advisor at Mandiant, joins host Luke McNamara to discuss the recent white paper from Mandiant on developing a requirements-driven approach to intelligence, challenges that organizations face in this area, and the importance of recurring stakeholder feedback to a well-functioning cyber threat intelligence team. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.