Guest Editorial by Chris Strand, Chief Risk & Compliance Officer at 2022 ‘ASTORS’ Homeland Security Award Winner Cybersixgill
I felt deja vu when I learned recently that APT5, a Chinese state-sponsored cybercrime group, had exploited a vulnerability in Citrix’s Application Delivery Controller to get inside organizations’ systems, hide, and execute commands remotely.
The irony is inescapable, as this advanced persistent threat was discovered within a week of the anniversary of the December 2021 log4j exploit – an exploit using similar remote execution tactics.
This type of breach occurs quite frequently, in fact.
Cybercriminals appear to be following a template: find a vulnerability in software used by many organizations, use it to enter those businesses’ systems while bypassing authentication, and execute commands remotely to move about freely, exfiltrate data, and carry out other nefarious deeds.
(Learn more from Shawn Henry, president of services and chief security officer at CrowdStrike, as he discusses the “Log4j” vulnerability, which has exposed hundreds of millions of devices to hackers. He explains what you can do to protect your information and devices from hackers and discusses some of the greatest cybersecurity threats for the coming year. Courtesy of CBS Mornings and YouTube. Posted on Dec 27, 2021.)
We don’t know precisely how long ago the bad actors first exploited the vulnerability in Citrix’s popular ADC (formerly NetScaler). We do know the Chinese government has been seeking this opportunity for quite some time.
Another state-sponsored advanced persistent threat (APT) group, APT41, exploited weaknesses in Citrix ADC and other popular technologies in January 2020, in a cybercrime campaign noted for its scope and scale.
ADC is a plum for China, to be sure. It orchestrates and automates applications in cloud and hybrid environments including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. Its very large client base serves as a treasure trove for cybercriminals.
We don’t know exactly when APT5 first carried out this year’s campaign, how many systems the attackers may have breached, or how much damage they’ve done while lurking inside those companies.
However, we do know that these breaches, like the Apache log4j exploitation breaches and others of this kind, most likely could have been avoided.
(Learn more about Log4j, a subsystem for recording events such as error and status reports, an important component of modern applications. Developed by the Apache Software Foundation, Log4j is a free, open-source software package written in Java. First released on January 8, 2001, the package became a foundational component of an extremely large number of projects due to its lightweight and easy-to-use characteristics. Courtesy of A10 News and YouTube. Posted on Oct 31, 2022.)
An Ounce of Prevention, a Pound of Cure
What would it take to protect your enterprise against these advanced persistent threat exploits?
Not fancy tools or sophisticated techniques or even threat intelligence – although, I won’t lie: threat intelligence makes it easier.
But what organizations of every size and stripe need is pretty basic:
You need to fully understand and gain control of your data and other assets, and how they function and change within your organization.
And you need to know where your security vulnerabilities are, and which are most urgent to shore up now – to protect your data and assets.
Keeping your applications patched and up to date is also important. This particular vulnerability exists only in versions of ADC that are more than two years old. Newer versions reportedly don’t have it.
This checklist seems simple because it is.
If every organization performed these acts, the APT exploits and log4js of this world would very likely cease to happen, for the most part. But it appears that few entities are performing these basic tasks.
As a result, organizations using versions of ADC with this vulnerability – cataloged as CVE-2022-27518 – now must devote emergency time and money during the holiday season to applying the Citrix software update, investigating whether APT5 entered their systems, understanding what might have been compromised, and reverting to their last known good state to eject the intruders.
On the heels of last holiday season’s log4j exploit, it’s “deja vu all over again” at organizations around the world.
No Citrix ADC User Discovered this Exploit
The person who found the APT5 Citrix exploit wasn’t a security professional at a Citrix-using organization. No one spotted the vulnerability and evidence of its exploitation during a systems scan or assessment. That’s worrisome.
Instead, a security researcher at GitHub reported it, meaning the discovery was very likely an accident. Investigators don’t yet know how long APT5 has been lurking inside Citrix users’ systems, executing commands remotely, inserting malware, pilfering data, and more.
It’s possible that China has been privy to these enterprises’ most valuable assets for quite some time.
Financial services organizations, IT companies and the entities they serve, health care and educational organizations and others may have unwittingly hosted malicious actors who might have stolen sensitive and personal data, probed their security systems, taken money and proprietary information, and perhaps done much more.
It’s a sad state of affairs, and it didn’t have to be this way.
(See how to continuously expose the earliest indications of risk, before OSINT distributes them, before incident responders report them, and before a threat actor executes their mission. Courtesy of Cybersixgill and YouTube.)
Our Deep-Web Analysis of the Exploit
Our threat intelligence software provides a number of insights about the vulnerability’s discovery and early discussion:
- An Arizona security researcher listed on their GitHub repository a series of technical components that, the researcher said, might indicate that CVE-2022-27518 had been exploited by malicious actors. The security researcher cited as evidence commands that APT5 had executed in malicious operations, taking advantage of this flaw.
- The Chinese security site Hackdig posted an overview of the CVE-2022-27518 vulnerability, with the scope of the risks involved and mitigation strategies to safeguard against possible exploitation of the flaw by APT5 and other threat actors.
- In a post on the online discussion site Reddit, users discussed the U.S. National Security Agency’s Dec. 13 warning about Chinese government-backed hackers’ exploiting the CVE-2022-27518 zero-day vulnerability in Citrix products to gain access to targeted networks.
Putting an End to this Problem
This exploit likely gave the Chinese government unmitigated access to troves of organizational data and let them make changes to firewalls and systems that let them burrow deeply and hide themselves.
For affected organizations, this news is sobering if not alarming. But other, less obvious, effects could also cause problems.
Banks and IT organizations, in particular, are subject to a raft of regulations mandating vulnerability management and prioritization, part of a current focus on data protection and upholding privacy mandates.
Zero-day attacks such as the APT5 exploit make compliance with these mandates very difficult, especially for mid-sized organizations that may lack the resources to continuously monitor their systems for each new threat.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA, which was also recognized in the 2022 ‘ASTORS’ Homeland Security Awards Program), for instance, one year ago introduced new requirements for vulnerability management by federal agencies and contractors. Essentially, it mandates a risk-based approach, part of a growing trend.
Risk-based means working proactively to understand where your sensitive and critical data reside and how it moves about within your systems, and how it may be processed.
You must also find all your entity’s vulnerabilities and categorize them in order of severity and importance to the organization – the amount of harm each could cause if exploited.
You’ll need to justify your categorization of each weakness with documentation that supports the decision – auditors tend to insist on this evidence, and having it will accelerate the audit.
You’ll then need to apply controls to all your critical vulnerabilities, including constant monitoring – ideally, not only of your systems but of the entire threat environment. You will also need to scan your own systems frequently for vulnerabilities that might creep in: an errant line of code, for instance, or an outdated encryption algorithm.
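The risk-based process described above (find the vulnerabilities, rank them by the harm each could cause the organization, document the reasoning, then apply controls) can be made concrete. The following Python is an added illustration written for this editorial; it is not Cybersixgill’s code or any product’s logic. The scoring weights, priority tiers, asset names and every finding except the CVE-2022-27518 identifier are constructed assumptions, and the numbers are there to show the ranking logic, not to serve as a standard.

```python
"""Risk-based vulnerability prioritization (added illustration, constructed data).

Ranks findings by expected harm rather than by raw severity alone:
flaw severity x asset criticality x data sensitivity, weighted up when the
asset is reachable from the internet or exploitation has been reported.
Each decision carries its rationale so an auditor can see why it was ranked.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed weights: chosen for illustration, not taken from any standard.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
INTERNET_FACING_MULTIPLIER = 1.5
KNOWN_EXPLOITED_MULTIPLIER = 2.0
P1_THRESHOLD = 100.0   # remediate now
P2_THRESHOLD = 40.0    # schedule within the normal patch window


@dataclass
class Asset:
    name: str
    criticality: str        # low / medium / high
    data_sensitivity: str   # public / internal / confidential / regulated
    internet_facing: bool


@dataclass
class Finding:
    cve: str
    asset: Asset
    cvss: float             # vendor or NVD base score, 0.0 to 10.0
    known_exploited: bool   # exploitation reported in the wild
    patch_available: bool


@dataclass
class Decision:
    cve: str
    asset: str
    score: float
    priority: str
    rationale: list[str]


def risk_score(f: Finding) -> float:
    """Expected-harm score: severity scaled by what the asset is worth."""
    score = f.cvss * CRITICALITY[f.asset.criticality] * SENSITIVITY[f.asset.data_sensitivity]
    if f.asset.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    if f.known_exploited:
        score *= KNOWN_EXPLOITED_MULTIPLIER
    return round(score, 1)


def explain(f: Finding) -> list[str]:
    """Human-readable factors behind the score, kept as audit evidence."""
    notes = [
        f"CVSS base score {f.cvss}",
        f"asset criticality: {f.asset.criticality}",
        f"data sensitivity: {f.asset.data_sensitivity}",
    ]
    if f.asset.internet_facing:
        notes.append("internet-facing: reachable without internal access")
    if f.known_exploited:
        notes.append("exploitation reported in the wild: treat as an active threat")
    if not f.patch_available:
        notes.append("no vendor patch yet: compensating controls and monitoring required")
    return notes


def prioritize(findings: list[Finding]) -> list[Decision]:
    """Return decisions ordered from most to least urgent."""
    decisions = []
    for f in findings:
        score = risk_score(f)
        tier = "P1" if score >= P1_THRESHOLD else "P2" if score >= P2_THRESHOLD else "P3"
        decisions.append(Decision(f.cve, f.asset.name, score, tier, explain(f)))
    return sorted(decisions, key=lambda d: d.score, reverse=True)


# Constructed inventory. Only the Citrix CVE identifier comes from the editorial;
# the other CVE strings are placeholders and the scores are made up.
SAMPLE_FINDINGS = [
    Finding("CVE-2022-27518", Asset("adc-edge-01", "high", "regulated", True), 9.8, True, True),
    Finding("CVE-PLACEHOLDER-1", Asset("intranet-wiki", "low", "internal", False), 9.1, False, True),
    Finding("CVE-PLACEHOLDER-2", Asset("hr-db-01", "high", "regulated", False), 5.3, False, False),
]

if __name__ == "__main__":
    for d in prioritize(SAMPLE_FINDINGS):
        print(f"{d.priority} {d.score:>6} {d.cve:<20} {d.asset}")
        for note in d.rationale:
            print(f"      - {note}")
```

The point the ranking makes is the one the editorial argues: a CVSS 9.1 flaw on a low-value internal wiki lands below a CVSS 5.3 flaw on a regulated HR database, because the ranking is driven by what an exploit would cost the organization, and the internet-facing ADC with reported exploitation comes out first. The `rationale` list is the documentation an auditor would ask for, generated at the same time as the decision rather than reconstructed later.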
You don’t necessarily need threat intelligence for these tasks. But having it really helps.
Being able to constantly monitor the deep and dark web – where criminals hang out and talk – means you’ll know about their plans while threat actors are making them.
You’ll be able to pivot on a virtual dime to check whether a new scheme or vulnerability they’re discussing might affect your company and protect the organization.
And when the compliance-audit time rolls around, threat intelligence can give you the evidence you need to justify your vulnerability management to the auditor, your board, and your CEO.
You’ll sleep better at night, while threat actors stay up late trying, to no avail, to get into your systems.
About the Author
Cybersecurity strategist, entrepreneur, and evangelist Chris Strand, Chief Risk & Compliance Officer at Cybersixgill, has more than 20 years of extensive global industry expertise aligning security and cyber-regulatory advancements.
Strand has acquired vast experience delivering strategic market vision to various audiences worldwide at industry events, with C-level executives and the board, or to the media.
Accustomed to serving as a company spokesperson and thought leader for new, disruptive, market-leading solutions, and able to speak the many languages of cybersecurity – sales, marketing, and technical – with ease, Strand works effectively across a broad spectrum of company divisions while leading, building, and motivating diverse teams and partners.
Cybersixgill was founded with a single mission: to protect organizations against malicious cyber attacks from the deep and dark web, before they materialize.
To Learn More, please visit www.cybersixgill.com.
Cybersixgill Earns a Win in First ‘ASTORS’ Homeland Security Awards Program
American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program and, now entering its Eighth Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.
Best Threat Intelligence Solution
The deep and dark web is designed for obscurity, hiding a vast criminal network with illicit transactions equivalent to the world’s third-largest economy. Here is where attacks get planned; here is where the tools to conduct them are bought and sold. But threat intelligence doesn’t penetrate this shadowy network.
Without information or insight into these hidden schemes, security teams make decisions using irrelevant, incomplete, or even obsolete information.
Those who do probe the deep and dark web may do so manually, and so may miss important chatter pointing to threats against their enterprise. As every aspect of business operations goes digital, the attack surface expands, making it increasingly difficult to stay current.
In the face of these challenges, using automated threat intelligence tools and processes that scour the web becomes ever more critical, and Cybersixgill uniquely enables customers to leverage its cyber threat intelligence (CTI) in three critical ways:
Exposing threats by covertly infiltrating and scraping data from limited-access underground sources in any format, language, or platform, enriching each item with critical context to derive valuable threat intelligence that is timely, accurate, and relevant.
Preempting attacks, as its collection mechanisms are fully autonomous, capturing emerging threats, TTPs, and IOCs in real-time as they first surface, ensuring that users receive the earliest possible intel of potential threats before they can materialize into an attack.
Streamlining defense and remediation activities, by tailoring its threat intelligence to meet each customer’s needs, correlating their assets with its data to trigger automated alerts and actionable playbooks, workflows, prioritization, and remediation processes within an organization’s existing security stack.
(See how Cybersixgill continuously exposes the earliest indications of risk before OSINT distributes them; before incident responders report them; and before a threat actor executes their mission. Courtesy of Cybersixgill and YouTube.)
As soon as Cybersixgill customers begin using its solutions, they eliminate the dark-web “bottleneck” that slows their threat responses and can diminish their security. Their teams can perform analyses in hours instead of weeks, and their insights are much more comprehensive and effective thanks to the increased data from more sources that we provide in near-real time.
Cybersixgill customers also save money on personnel – or avoid gaps in staffing amid the perennial cybersecurity talent shortage. This is because its automated solutions do so much of the work for them. Our customers report saving hundreds of thousands of dollars in personnel alone.
- Cybersixgill is a new competitor to the 2022 ‘ASTORS’ Awards Program.
Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border and crime rates that are dramatically higher than before the Pandemic across the United States.
These challenges have become a national priority with an influx of investments in innovative new technologies and systems.
Enter American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields, with a circulation of over 75,000 readers and many tens of thousands more who visit our AST website at www.americansecuritytoday.com each month.
The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Ceremony Luncheon Banquet, an exclusive, full-course plated meal event, in the heart of New York City.
This year’s exclusive sold-out ‘ASTORS’ luncheon featured representatives of law enforcement, public safety, and industry leaders who came together to honor the selfless service of those who stand on the front lines, and those who stand beside them – providing the capabilities and technologies to create a safer world for generations to come.
This year marks the 20th anniversary of the Department of Homeland Security (DHS), which came out in force, to discuss comprehensive collaborations between private and public sectors that have led to the development of intelligence and technologies which serve to protect our nation.
The continually evolving ‘ASTORS’ Awards Program emphasized the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders.
The keynote address was provided by U.S. Customs and Border Protection (CBP) Office of Field Operations (OFO) Deputy Executive Assistant Commissioner (DEAC) Diane Sabatino, who described the changes to CBP through the tragedy of 9/11 and the relentless commitment to its mission and ongoing investment in the latest technologies and innovations to protect our borders and Homeland.
The resounding theme of the DEAC’s remarks was her pride in the women and men of the CBP and their families who support them.
AST was also joined by Legendary Police Commissioner William Bratton, who spoke, as always, about his love for the City of New York, the Profession of law enforcement to which he has dedicated his life, and for which he continues to drive thought leadership and innovation.
New York City Police Department (NYPD) Chief of Department Kenneth Corey, came out to address Luncheon attendees and shared some of his experiences and the changes in policing he’s witnessed over his more than three decades of service.
FDNY Chief Joseph Jardin honored the men and women of the FDNY, not only those who currently serve but all of those who have selflessly served, with a special recognition of those lost on 9/11.
Chief Jardin spoke about the continuing health battle of many who responded on 9/11 and now live with cancer and respiratory disease, noting that even knowing the full consequences, they would not have made a different decision to respond.
As Chief Jardin noted, mission-driven service is in the lifeblood of every firefighter, volunteer and sworn and has been so throughout the history of the Fire Service.
Former head of the FBI’s active shooter program, Katherine Schweit joined AST to sign complimentary copies of her book, ‘STOP THE KILLING: How to End the Mass Shooting Crisis,’ thanks to the generosity of our 2022 ‘ASTORS’ Awards Sponsors.
The 2022 ‘ASTORS’ Awards Program was Proudly Sponsored by NEC National Security Systems (NSS), ATI Systems, Automatic Systems of America, guardDog AI, Fortior Solutions, IPVideo Corporation, Rajant Corporation, RX Global, and SIMS Software!
We were pleased to welcome the esteemed New York City Fire Department (FDNY); the New York City Police Department (NYPD); and the NYC Hospital Police, as well as Executive Management from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and many other DHS agencies, Federal law enforcement agencies, and private/public partnerships such as the National Association of Women Law Enforcement Executives (NAWLEE), the 30×30 Initiative, a coalition of professionals advancing the representation of women in policing; and Operation Lifesaver, Inc. (OLI) (rail safety advocates).
The prestigious Annual ‘ASTORS’ Homeland Security Awards Program highlights the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition and keep our Nation safe – one facility, street, and city at a time.
In 2022 over 240 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields.
Each year, to keep our communities safe and secure, security dealers, installers, integrators, and consultants, along with corporate, government, and law enforcement/first responder practitioners, convene in New York City to network, learn and evaluate the latest technologies and solutions from premier exhibiting brands at ISC East, the Natural Disaster & Emergency Management Expo (NDEM EXPO), and the ASIS NYC Expo.
ISC East is the Northeast’s leading security & public safety event, hosted in collaboration with sponsor Security Industry Association (SIA) and in partnership with ASIS NYC.
Corporate firms, the majority of which return year to year to build upon their Legacy of Wins, include:
Advanced Detection Technologies, AMAROK, ATI Systems, Axis Communications, Automatic Systems, BriefCam, Canon U.S.A., Cellbusters, CornellCookson, CyberArk, Fortior Solutions, guardDog.ai, Hanwha Techwin of America, High Rise Escape Systems, IPVideo Corporation, Konica Minolta Business Solutions, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Select Engineering Services LLC, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and West Virginia American Access Control Systems, just to name a few!
Why American Security Today?
The traditional security marketplace has long been covered by a host of publications putting forward the old-school basics to what is Today – a fast-changing security landscape.
American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.
American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.
Harness the Power of the Web – with our 100% Mobile Friendly Publications
AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.
‘PROTECTING OUR NATION, ONE CITY AT A TIME’
AST Reaches both Private & Public Experts, essential to meeting these new challenges.
Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.
These experts are from Government at the federal, state, and local levels as well as from private firms allied to the government.
AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.
AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.
Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.
To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, Be On the LookOut for the 2022 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2022 ‘A Year in Review’.
The Annual CHAMPIONS edition includes a review of ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.
It will serve as your Go-To Source throughout the year for ‘The Best of 2022 Products and Services’ endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.
From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware, and Networking Security – to name a few), the 2021 ‘ASTORS’ CHAMPIONS EDITION will have what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.
It will also include featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2022 ‘ASTORS’ Awards Program.
To view a complete list of 2022 ‘ASTORS’ Award Winners, begin here.
For more information on All Things American Security Today, as well as the 2023 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at firstname.lastname@example.org.