
INSIDE:

6 Threats Enterprises Should Care About >>

Researchers Create New Approach to Detect Brand Impersonation >>

New Framework Aims to Describe & Address Complex Social Engineering Attacks >>

Security 101: The ‘PrintNightmare’ Flaw >>

SEPTEMBER 2021 Sponsored by

6 Threats Enterprises Should Care About

Every day, black-hat attackers and white-hat researchers are discovering new security vulnerabilities in widely used systems and applications that might be exploited to compromise your data. Are you aware of the newest — and potentially most impactful — vulnerabilities that have been discovered/disclosed? In this Tech Insights, top researchers and experts discuss some of the most dangerous emerging vulnerabilities and what you can do to prevent them from being exploited in your organization.

6 Threats Enterprises Should Care About

At this year’s Black Hat USA, researchers explored a host of vulnerabilities and exploits within Active Directory, Web app communications, next-gen Macs, and more.

By Ericka Chickowski, Contributing Writer, Dark Reading

While much of the business world is still slowly spinning up operations in the recovery from pandemic lockdowns, one thing is clear: Cyberattackers never really took much of a break while the rest of the world was preoccupied. They kept pressing enterprise resources with new zero-day attacks, new ransomware methods, and new ways of probing the weaknesses of enterprise systems.

The SolarWinds breach set the tone for industry conversation about enterprise threats throughout 2021. Unsurprisingly, security researchers and ethical hackers are ramping up their investigation of how easy it is for attackers to manipulate connections and relationships between platforms, software developers, cloud infrastructure, and IT providers to exploit systems across an entire technology supply chain.

This was one of the prevailing themes of Black Hat USA this year, but there was plenty more where that came from, as researchers dove into exploring a host of vulnerabilities and exploits within Active Directory, Web app communications, next-gen Macs, and more.

Supply Chain and Digital Ecosystem Threats

When attackers managed to take advantage of a vulnerability within SolarWinds’ Orion suite of IT tools in order to quietly install backdoor code and malware in its products, the compromises cascaded. Not only were they used to push out malicious code to 18,000 SolarWinds customers, but they also compromised the networks of big technology providers, including FireEye and Microsoft, to attempt attacks on those companies’ downstream customers.

For six months after the SolarWinds debacle, security experts have been warning that this was no singular event but instead a harbinger of what’s to come. This summer, the Kaseya ransomware breach proved the point that this was the blueprint for what is shaping up to be a very lucrative supply chain attack pattern.

The cloud-based services from Kaseya, a provider of remote management and monitoring software, are used heavily by numerous managed service providers to tap into client environments in order to broadly deliver their IT administrative and security services. In July, the Russian attack group REvil managed to exploit numerous vulnerabilities — including a zero-day — within Kaseya’s Virtual System Administrator (VSA) platform to deliver a sweeping ransomware attack that affected more than 1,000 businesses across Kaseya’s downstream technology ecosystem. Most of these were not directly Kaseya customers. The company estimated fewer than 60 of its customers were compromised. But since these customers themselves were managed service providers, all with their own established base of hundreds or thousands of clients, the impact spread rapidly.

“Cybercriminals continue to target organizations that provide services or products to a large number of customers or clients in an attempt to maximize their attack footprint,” says James McQuiggan, KnowBe4 security awareness advocate.

In recent years, much of the drumbeat for awareness about software supply chain security issues has been focused on open source component hygiene and how development organizations govern and manage the third-party libraries, microservices, and other bits of code that make it into their code repositories. That’s still a major concern, but SolarWinds and Kaseya taught us that the IT supply chain issues are way more pernicious than that.

According to Matt Tait, a longtime security researcher and chief operating officer at Corellium, these incidents illustrate one of the most challenging types of supply chain attacks that we’ll see rising in the coming years: the manipulation of software delivery mechanisms such as automatic update systems and service provider remote management connections. These connections provide an exceedingly effective method to widely broadcast malicious code.

As a keynote speaker at Black Hat USA, Tait explored IT supply chain integrity issues in depth. He wasn’t the only one. The show featured a number of interesting talks about what could come next in supply chain attacks against enterprise organizations. Time and again, they showed the supply chain attack model has legs for lots of further evolution because there are endless permutations of how an attacker goes about finding and exploiting vulnerabilities that can scale to downstream organizations.

For example, among the highlights at Black Hat, several sets of speakers explored weaknesses in 5G network infrastructure that could be used to broadly compromise network users’ wireless devices. Meanwhile, an industrial security researcher with Otorio showed how the OPC Unified Architecture (OPC-UA) protocol popular in industrial communication could be used to target the customer bases of numerous industrial automation and industry 4.0 vendors. And a trio of researchers from Nvidia explored how weaknesses in the UEFI ecosystem could be used to establish exploit paths in firmware that’s fundamental to a broad array of system hardware — paths that could enable attackers to get deep into the most fundamental parts of the IT supply chain.

New Class of DNSaaS Flaws

Perhaps the most logistically plausible and troubling supply chain attack demonstrated at the show was a two-fer, delving into the important topic of DNS security in the cloud age as well. This one came by way of a pair of researchers from Wiz.io, Shir Tamari and Ami Luttwak. They discovered a new class of DNS vulnerabilities, one that affects DNS-as-a-service providers. The flaws are in the logic of how these DNS providers build out their services, which typically are on an iteration of old-school DNS technology built for cloud-based enterprise infrastructure. This is a dangerous combination in many instances because traditional DNS software is built for trusted internal enterprise domains in a world before different customers shared cloud-based name servers.

This creates unintended operational consequences that can put a lot of the DNS-as-a-service customers at risk of exposing sensitive information to other customers of that service. This happens because endpoints reveal information when they query their DNS server. That’s not a problem when that server is a trusted internal domain name server. But when different customers of a DNSaaS share a server, the possibility of leaked info between different organizations arises.

Tamari and Luttwak explained to dramatic effect how this could look through one such flaw that they found initially in Amazon Web Services’ Route53. They were able to use the company’s self-service domain registration system to set up a hosted zone with the same name as the AWS name server it was using. That simple change made it possible to have DNS query traffic pointed to them from 15,000 AWS customers and over a million endpoints. Tapping into that traffic allowed them to scoop up valuable information about Fortune 500 companies and government agencies worldwide.

“We understood then that we were on top of an unbelievable set of intelligence, just by tapping for a few hours into a small portion of the network,” Luttwak says. “I called it a nation-state intelligence capability using a simple domain registration.”

The talk offered up yet another example of how the complexities of today’s digital ecosystems can be exploited in many different ways.


The PrintNightmare Threat

What was arguably one of the most universally impactful threats to enterprises detailed at Black Hat actually broke loose about a month before the show when a researcher mistakenly opened a proof-of-concept (PoC) Pandora’s box. It involved a vulnerability dubbed PrintNightmare, which is a critical remote code execution flaw in Windows Print Spooler with huge enterprise risk implications. Discovered by three researchers from Sangfor Technologies in China and explored in depth during their Black Hat presentation, PrintNightmare makes privilege escalation trivial for attackers on just about any system running Windows Print Spooler.

“The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with system privileges on a vulnerable system,” a CERT Vulnerability Note explains.

Every system running some kind of Windows version that didn’t already have Windows Print Spooler disabled was vulnerable — including domain controllers and Active Directory admin servers, as well as other mission-critical servers within most enterprise infrastructure. This opens the path to exploits that completely compromise an affected system with arbitrary code execution, creation of new accounts, and access to and control over all system data.

“The implications for Windows are widespread since the Print Spooler service is enabled by default on most client and server platforms,” says Jeff Costlow, researcher with ExtraHop. “According to ExtraHop’s threat research data, 93% of environments could be vulnerable to PrintNightmare, making it the most severe issue since SolarWinds.”

The pre-show controversy occurred when one of the Black Hat researchers who discovered the flaw mistakenly released PoC code on GitHub at the very end of June. The PoC demonstrated how to exploit PrintNightmare to take over an entire Active Directory domain. It was quickly taken down, but not before others had cloned it and the code made its way into the wild as active exploits attacking the vulnerability.

There initially was some confusion about the PrintNightmare PoC because Microsoft had released a patch earlier in June for a different, unnamed Print Spooler remote code execution vulnerability, which some thought was the fix for PrintNightmare in the run-up to the publicized Black Hat talk. However, it was quickly determined that this was a completely different bug when the exploit provably worked on systems with the June 8 patch installed. After the PoC dropped, the security community was forced to utilize workarounds, including disabling Print Spooler on sensitive systems, for about a week until Microsoft was able to provide an out-of-band patch for the flaw. In that interim, the bad guys were already building active campaigns using the exploit and further variations built off of it.

The flaw and the mitigating workarounds that the security world scrambled to create before Microsoft was able to issue its update offer a dramatic example of how important it is for enterprise defenders to harden their systems by reducing attack surfaces on critical systems. Often, disabling services and connections not strictly used by crucial systems like domain controllers or mission-critical servers is the best preventative measure to reduce the risk of being blindsided by flaws like these.

Active Directory Threats

It’s no surprise that the PrintNightmare researchers went straight to Active Directory as a possible theater for exploitation. As the dominant means for identity and access management within both on-premises and cloud systems, Active Directory has become one of the most important battlefields for cyber defense in the enterprise today.

In fact, according to security practitioners at Mandiant Consulting who presented at Black Hat Asia earlier this spring, some 90% of the attacks that their team investigates involve Active Directory in some form or other. Attackers could be utilizing it for the initial attack vector, to escalate privileges, to sneakily distribute malware to other systems, or all of the above.

“It’s not just to reach the crown jewels to extract the data alone; the attackers are also using Active Directory as a living-off-the-land technique in order to push binaries across domainwide systems,” says Anurag Khanna, principal consultant for Mandiant, who together with colleague Thirumalai Natarajan Muthiah, also principal consultant, warned organizations that they need to be more proactively hunting their environments for Active Directory threats.

Misconfigurations, backdoors, and living-off-the-land techniques within Active Directory environments are more difficult to detect than more obvious malware or malicious behavior. And due to the position Active Directory holds within most enterprise architecture, when these issues are missed, they can often provide long-term privileges across a whole range of systems and platforms.

Eradicating these kinds of quiet compromises is the enterprise security equivalent of battling the mythic hydra because of how comprehensively Active Directory is integrated into so many facets of access control and authentication, including domain services, certificate services, federation services, and rights management.

At Black Hat USA, Will Schroeder and Lee Christensen, technical architects for the firm SpecterOps, homed in particularly on the broad impact that risks from misconfiguration and abuse of functionality can have on Active Directory Certificate Services. Those services form the backbone of Microsoft’s public key infrastructure (PKI) capabilities that integrate with Active Directory to help users (and machines) log on not just with a password but with a certificate. This service handles all nature of duties, including managing certificates for multifactor authentication, code signing, SSL, machine-to-machine authentication, and more.

Schroeder and Christensen provided the audience with eight varied methods that attackers can use to escalate privileges from low access to a very high level of access within Active Directory environments, often ending up with an attacker being able to make themselves the domain administrator or enterprise admin in the network. This means that the risks cascade across anything that uses Active Directory for authentication, such as Exchange or SharePoint, according to Christensen.

“If you’re able to elevate in a domain to the privileges that we’re talking about, you’re able to completely take over control of those integrated services. It’s another path that lets you take over those systems and have complete control,” he says. “Just keep in mind that for any additional services you have in the network, if we can abuse this, we can most likely log to those services.”

In their talk, the duo explained that rooting out the kinds of misconfigurations in Active Directory Certificate Services that they detailed is a struggle for enterprises for a number of reasons. Scale is one, as the service potentially touches hundreds of thousands of users or machines at a time. Legacy integration and long-term configuration drift is another, as old misconfigurations and vulnerabilities pile on one another in deployments that no one wants to touch for fear of breaking. A lack of understanding about the system and also who owns the security of the services is another, due to the service straddling so many different technical functions across the enterprise.

“There’s a general lack of understanding about Active Directory Certificate Services and security implications. And it’s not a simple system — it’s pretty complex,” Schroeder says. “It’s pretty old, so it can span multiple departments and functional roles with identity management teams or Active Directory teams or infrastructure teams. I think that compounds the problem as well.”

He and Christensen say that security engineering and incident response teams often don’t have processes and plans in place to assess Active Directory Certificate Services when a compromise occurs. These enterprise defenders need to put processes in place for how to check if an attacker has abused the service, how to revoke certificates quickly, and so on to meet this threat appropriately, they say.

Next-Gen Mac Malware

As Mac usage continues to steadily increase among business users, Mac penetration into the enterprise has now grown to the point that macOS devices make up a statistically significant percentage of endpoints at many organizations. According to figures from IDC earlier this year, almost a quarter of enterprise computers are now Macs.

Their growing enterprise footprint makes Macs an increasingly alluring target for cybercriminal attack campaigns, and it means security professionals can no longer afford to discount Macs as outlier systems. This spring alone brought news of several different macOS vulnerabilities discovered by security researchers to have been actively exploited in the wild, including one exploited by a Mac Trojan called Shlayer that made it possible for attackers to completely bypass Macs’ security mechanisms with malware that could be installed without an end-user prompt.

Since 2018, the number of Mac vulnerability discoveries has gone up significantly — from 87 that year to 218 in 2020. This year’s numbers are on track to be slightly lower, but severity scores are also edging upward, according to analysis by stack.watch.

The next evolution of this Mac threat that enterprise security defenders will need to be mindful of: issues stemming from Mac’s new M1 silicon, an ARM 64-based microprocessor that’s powering Apple’s next generation of Macs and iPad Pro devices. Broadly, it comes with new baked-in security features, including remote exploitation defense and physical access protection.

At Black Hat this year, Mac security researcher Patrick Wardle reiterated that attackers are becoming more sophisticated about how they approach Mac systems — and that includes M1-powered Macs. He reported that attackers are already compiling new and existing malware binaries to run natively on ARM systems. His talk detailed that many security controls today struggle to identify these ARM-native malware samples and that the security community is going to need to put its shoulder into discovering and detecting these variants more consistently in order to stay up on the threats as they target newer Mac devices.

The Risks of JSON Parsers

Most enterprise users don’t even know what JSON is, but the modern Internet today is run on it. JSON is a coding syntax used in Java apps as a lightweight way to store and transmit data objects between Web app services, clients/servers, and so on, using text-based key-value pairs to represent structured data. Popular JSON parsers are crucial modules in the foundation of modern Web apps as they’re used constantly to serialize — that is, encode data objects into key-value strings for storage or transport — and also deserialize encoded strings back into data objects so the apps can use them properly.

JSON is programming language agnostic and has won over developers with its simplicity and corresponding performance gains compared with the more cumbersome use of XML or nonstandardized native formats for serializing data objects. The simplicity of JSON objects is also often viewed as a plus for security, as that means they provide fewer means for attackers to maliciously subvert the deserialization process to manipulate the application.

Insecure deserialization stands as an OWASP Top 10 vulnerability across all Web applications. When attackers are able to exploit an application by making it deserialize maliciously crafted data objects that can modify application logic, they’re often able to achieve remote code execution (RCE) or facilitate privilege escalation attacks. JSON might be less prone to these kinds of attacks than many serialization formats, but it’s not immune.

In the past year, several security researchers have highlighted how vulnerabilities in JSON parsers can be exploited with dramatic impact. For example, earlier in 2021, Jake Miller with Bishop Fox did a comprehensive study of 49 different JSON parsers used across 10 different programming languages to show how the same JSON document can be parsed with different values across microservices, incurring a lot of security risk in the process. Inconsistency in how different JSON parsers handle duplicate keys and represent numbers ends up masking business logic vulnerabilities in what otherwise looks like clean code.

“I think that one of the key takeaways that we had from that research was that there’s more complexity to JSON than you probably think,” says Dan Petro, lead researcher at Bishop Fox. “It looks really simple, and myself included when Jake [Miller] was doing it I thought, nah, JSON’s too simple, there’s no way you’re going to have much fallout from it — but that turned out not to be true.”

For example, Miller offered up a theoretical situation where an e-commerce application using multiple services for handling the cart and payments could be manipulated with these JSON flaws to ship $700 products for $300. In another example, Miller offered up how an attacker could game a multitenant application using multiple APIs with different JSON parsers for managing users and permissions to illicitly establish superadmin privileges. In much the same vein, two researchers with Tencent Security Xuanwu Lab presented at Black Hat how they were able to exploit a deserialization zero-day for the Fastjson parser to not only achieve RCE in certain Java Web services for blockchain nodes, but also to chain that into an attack that would allow them to steal public blockchain users’ assets without notification.
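
The duplicate-key and number-representation inconsistencies described above, worked through in Python as an added example (not Bishop Fox's or the page's own code): two hypothetical services read the same constructed cart request with different duplicate-key policies, and a strict loader refuses any document that common parsers would read differently. Function and sample names are assumptions.

```python
"""Constructed demonstration of JSON parser disagreement on duplicate keys
and large integers, plus a strict loader that refuses both.

All names are hypothetical; the sample documents are constructed inline."""
import json
from typing import Any, Dict, List, Optional, Tuple

# Integers beyond 2**53 cannot be represented exactly as IEEE-754 doubles,
# so parsers that map every JSON number to a double silently change them.
MAX_SAFE_INT = 2 ** 53

# Constructed cart request: the same key appears twice. Which "price" a
# service sees depends entirely on its parser's duplicate-key policy.
CART_REQUEST = '{"sku": "laptop-15", "price": 700, "price": 300, "qty": 1}'

# Constructed account record whose identifier lies above the double-safe range.
ACCOUNT_REQUEST = '{"user_id": 9007199254740993, "role": "member"}'


class StrictJSONError(ValueError):
    """Raised when a document would be read differently by common parsers."""


def parse_first_wins(text: str) -> Any:
    """Model a parser that keeps the FIRST value of a duplicated key."""
    def first_wins(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        out: Dict[str, Any] = {}
        for key, value in pairs:
            out.setdefault(key, value)   # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=first_wins)


def parse_last_wins(text: str) -> Any:
    """Model a parser that keeps the LAST value (CPython's json default)."""
    return json.loads(text)


def parse_strict(text: str) -> Any:
    """Accept only documents every reasonable parser reads the same way:
    no duplicate keys, no integers outside +/-2**53, no NaN/Infinity."""
    def reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        out: Dict[str, Any] = {}
        for key, value in pairs:
            if key in out:
                raise StrictJSONError(f"duplicate key {key!r}")
            out[key] = value
        return out

    def safe_int(literal: str) -> int:
        value = int(literal)
        if abs(value) > MAX_SAFE_INT:
            raise StrictJSONError(f"integer {literal} exceeds 2**53; "
                                  "double-based parsers would round it")
        return value

    def reject_constant(literal: str) -> Any:
        # json.loads calls this only for NaN, Infinity and -Infinity,
        # which are not valid JSON and are handled inconsistently.
        raise StrictJSONError(f"non-standard literal {literal}")

    return json.loads(text, object_pairs_hook=reject_duplicates,
                      parse_int=safe_int, parse_constant=reject_constant)


def strict_error(text: str) -> Optional[str]:
    """Return the strict loader's complaint, or None if the document is clean."""
    try:
        parse_strict(text)
    except StrictJSONError as exc:
        return str(exc)
    return None


def price_seen_by_each_service(text: str) -> Tuple[int, int]:
    """Price as read by a first-wins service and by a last-wins service."""
    return parse_first_wins(text)["price"], parse_last_wins(text)["price"]


if __name__ == "__main__":
    print("cart service vs payment service:", price_seen_by_each_service(CART_REQUEST))
    print("strict verdict (cart):", strict_error(CART_REQUEST))
    print("strict verdict (account):", strict_error(ACCOUNT_REQUEST))
    print("strict verdict (clean):", strict_error('{"sku": "laptop-15", "price": 700}'))
```

The strict loader is the shape of check to put at every service boundary: if two services must agree on a document, reject at ingress anything on which parsers are known to disagree rather than hoping both sides chose the same parser.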

Conclusion

Exploring these six emerging and evolving threats highlighted in recent security research provides a great jumping-off point for security executives and practitioners alike to tweak their approaches and update their security road maps. But clearly, they’re just the tip of the iceberg of how the risks will change in the next year.

About the Author: Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


Researchers Create New Approach to Detect Brand Impersonation

A team of Microsoft researchers developed and trained a Siamese Neural Network to detect brand impersonation attacks.

By Kelly Sheridan, Senior Editor, Dark Reading

Security researchers have designed a new way to detect brand impersonation using Siamese Neural Networks, which can learn and make predictions based on smaller amounts of data.

These attacks, in which adversaries craft content to mimic known brands and trick victims into sharing information, have grown harder to detect as technology and techniques improve, says Justin Grana, applied researcher at Microsoft. While business-related applications are most often spoofed in these types of attacks, criminals can forge brand logos for any organization.

“Brand impersonation has increased in its fidelity, in the sense that, at least from a visual [perspective], something that is malicious brand impersonation can look identical to the actual, legitimate content,” Grana explains. “There’s no more copy-and-paste, or jagged logos.” In today’s attacks, visual components of brand impersonation almost exactly mimic true content.

This presents a clear security hurdle, he continues, because people and technology can no longer look for artifacts that previously distinguished fake content from the real thing. “Those visual cues are not there anymore,” says Grana of a key challenge the research team faced.

Most people are familiar with the concept of image recognition. What makes detecting brand impersonation different is twofold: For one, a victim may receive different types of content that aim to imitate the same brand. An impersonation attack spoofing Microsoft, for example, might send one malicious email that mimics Excel, and another designed to look like Word.

“Those are two very different pieces of content, even though they both represent Microsoft,” Grana says.

While too many types of content can present a detection challenge, too few can do the same. Many brands, such as regional banks and other small organizations, aren’t often seen in brand impersonation, so there might only be a handful of training examples for a system to learn from.

“The standard deep learning that requires tons and tons of examples per class — class is the brand in this case — really wouldn’t work in our situation,” he notes.

To address the issue of detecting brand impersonation attacks, Grana teamed up with software engineer Yuchao Dai, software architect Nitin Kumar Goel, and senior applied researcher Jugal Parikh. Together, they developed and trained a Siamese Neural Network on labeled images to detect these types of attacks. Unlike standard deep learning, which is trained on many examples, Siamese Neural Networks are designed to generate better predictions using a smaller number of samples.

The team’s dataset consists of more than 50,000 screenshots of malicious login pages spanning more than 1,000 brand impersonations. Each image is a collection of numbers, Grana says, and the team translated those numbers into what he describes as a “point” on an N-dimensional coordinate plane. Instead of an image, which has three dimensions of all its different pixels, it becomes numbers. The team sought a way to make the numbers meaningful and in doing so, distinguish fake from real brand images.

“Our algorithm that we used, we rewarded it for … translating content of the same brand to similar numbers, and contents of different brands to different numbers, so that way, when we look at these new numbers that are now meaningful because we trained our network to do so, any numbers that were close together were likely from the same brand,” he explains.

Their Siamese Neural Network learns to embed images of the same brand relatively close together in a low-dimensional space, while images of different brands are embedded further apart. They then do a “nearest neighbor classification” in the embedded space.
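
The embedding objective and the nearest-neighbor step described above, worked through in Python as an added example (not the Microsoft team's code): a contrastive loss that rewards same-brand pairs for landing close together and different-brand pairs for landing apart, followed by nearest-neighbor classification with a distance cutoff in the embedded space. The embeddings are constructed 2-D points standing in for the network's output; all names and values are assumptions.

```python
"""Constructed illustration of a Siamese-style embedding objective and
nearest-neighbor brand classification in the embedded space.

The points below are hand-constructed stand-ins for network output; all
names are hypothetical."""
import math
from typing import List, Optional, Sequence, Tuple

Point = Sequence[float]

# Constructed "embedded" screenshots: (brand label, point in embedding space).
# The regional bank has a single reference example, the few-shot case that
# motivates the Siamese approach over a per-class classifier.
REFERENCE: List[Tuple[str, Point]] = [
    ("microsoft", (0.90, 0.10)),      # Excel-themed login page
    ("microsoft", (0.80, 0.20)),      # Word-themed login page
    ("paypal", (0.10, 0.90)),
    ("paypal", (0.20, 0.80)),
    ("regional-bank", (0.50, 0.50)),  # only one labeled example
]


def distance(a: Point, b: Point) -> float:
    """Euclidean distance between two embedded points."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def contrastive_loss(a: Point, b: Point, same_brand: bool,
                     margin: float = 1.0) -> float:
    """Pairwise objective a Siamese network is trained on: same-brand pairs
    are penalised by their squared distance, different-brand pairs only when
    they land closer than `margin`."""
    d = distance(a, b)
    if same_brand:
        return d * d
    return max(0.0, margin - d) ** 2


def batch_loss(examples: Sequence[Tuple[str, Point]],
               margin: float = 1.0) -> float:
    """Average contrastive loss over every pair in the batch; lower means the
    embedding better separates brands."""
    total, pairs = 0.0, 0
    for i in range(len(examples)):
        for j in range(i + 1, len(examples)):
            (label_a, pt_a), (label_b, pt_b) = examples[i], examples[j]
            total += contrastive_loss(pt_a, pt_b, label_a == label_b, margin)
            pairs += 1
    return total / pairs if pairs else 0.0


def nearest_neighbor(query: Point,
                     reference: Sequence[Tuple[str, Point]]) -> Tuple[str, float]:
    """Label and distance of the closest reference embedding."""
    label, best = min(((lbl, distance(query, pt)) for lbl, pt in reference),
                      key=lambda t: t[1])
    return label, best


def classify(query: Point, reference: Sequence[Tuple[str, Point]] = REFERENCE,
             max_distance: float = 0.3) -> Optional[str]:
    """Nearest-neighbor brand prediction. Returns None when nothing is close
    enough, so content from a brand absent from training is not forced onto
    the nearest known brand."""
    label, d = nearest_neighbor(query, reference)
    return label if d <= max_distance else None


if __name__ == "__main__":
    print("batch loss of reference embedding:", round(batch_loss(REFERENCE), 4))
    print("new Excel-like page:", classify((0.85, 0.15)))
    print("new bank page (one-shot):", classify((0.55, 0.45)))
    print("unrelated page:", classify((0.0, 0.0)))
```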

Training Models, Learning Lessons

Grana says the team faced quite a few challenges and learned some lessons along the way.

“Dealing with skewed data is a large issue,” he notes. “When you have a dataset that only has a couple observations per brand or per class, it really does require special techniques. We did some testing with the normal neural network, and it just wasn’t sufficient for our purposes.”

Determining the specific techniques that will work requires a lot of trial and error, Grana says of the research process. Which method will best suit the data you have? “There’s the science behind machine learning, but there is also the art of it, to say, ‘which optimization algorithm should we try, which network architecture should we try,’” he explains.

The researchers’ work is still ongoing, he adds. Their next goal is to examine how this approach might work with a smart and adaptive adversary, as a means of improving the technology and response to attackers’ evolving techniques. The screenshots they used in this research won’t be the same ones used in future attacks, and security tech needs to keep pace.

The researchers discussed their approach, further applications, and planned improvements in a Black Hat USA Briefing, “Siamese Neural Networks for Detecting Brand Impersonation.”

About the Author: Kelly Sheridan is a Senior Editor at Dark Reading, where she focuses on cybersecurity news and analysis.


New Framework Aims to Describe & Address Complex Social Engineering Attacks

As attackers use more synthetic media in social engineering campaigns, a new framework is built to describe threats and provide countermeasures.

By Kelly Sheridan, Senior Editor, Dark Reading

Deepfake and related synthetic media technologies have helped attackers develop ever-more-realistic social engineering attacks in recent years, putting pressure on defenders to change the strategies they use to detect and address them.

The FBI warned in March that synthetic media will play a greater role in cyberattacks, with officials predicting that "malicious actors almost certainly will leverage synthetic content for cyber and foreign influence operations in the next 12-18 months." Some criminals have already started: In 2019, attackers used artificial intelligence-based software to impersonate the voice of a chief executive and, in doing so, facilitated a fraudulent transfer of $243,000 from the target organization.

While deepfake videos garner the most media attention, this case demonstrates how synthetic media goes far beyond video. The FBI defines synthetic content as a "broad spectrum of generated or manipulated digital content" that includes images, video, audio, and text. Attackers can use common software like Photoshop to create synthetic content; more advanced tactics use AI and machine learning technologies to help generate and distribute false content.

Matthew Canham, CEO of Beyond Layer 7, has researched remote online social engineering attacks for the past four to five years. His goal is to better understand the human element behind these campaigns: how humans are vulnerable and what makes us more or less susceptible to these kinds of attacks. Ultimately, the research led to a framework that Canham hopes will help researchers and defenders better describe and address these kinds of attacks.

His first experience with synthetic media-enabled social engineering involved gift card scams using bot technology. The first few interactions of these attacks "were almost identical, and you could tell they were being scripted," Canham says. After some conversation, when they got a person to respond, the attackers would pivot to person-to-person interaction to carry out the attack.

"The significance of this is that it allows the attackers to scale these attacks in ways they weren't able to previously," he explains. When they shifted from scripted chats to live ones, Canham noticed "a very dramatic change in tone," a sign the fraudsters were well-practiced and knew how to push people's buttons.

While today's defenders have access to technology-based methods for detecting synthetic media, attackers are constantly evolving to defeat the most modern defense mechanisms.

"Because of that you have … an arms race situation, in which there's never really parity between the two groups," Canham explains. "There's always sort of an advantage that slides dynamically between the two."

Another issue, he adds, is that many technology-based detection platforms are trained on datasets that have no deliberate anti-forensic countermeasures built in. This is an important point, because attackers often try to defeat defensive systems by embedding evasion techniques in deepfakes and synthetic media that help them circumvent filters and other types of defense mechanisms.

And finally, while today's technology is constantly improving, it's not always readily available to the average user and remains difficult to apply in real time. Many victims, even if they recognize a synthetic media attack, may not know which steps they should take to mitigate it.

A Human-Centric Approach

Given these difficulties, Canham is focused on human-centered countermeasures for synthetic media social engineering attacks. He proposes a Synthetic Media Social Engineering framework to describe these types of attacks and offer countermeasures that are easier to implement.

The framework spans five dimensions that apply to an attack: Medium (text, audio, video, or a combination), Interactivity (whether it's pre-recorded, asynchronous, or in real time), Control (human puppeteer, software, or hybrid), Familiarity (unfamiliar, familiar, or close), and Intended Target (human or automation, individual target, or broader audience).

Familiarity is a component that he calls "a game-changing aspect of synthetic media," and it refers to the victim's relationship with the synthetic "puppet." An attacker might take on the appearance or sound of someone familiar, such as a friend or family member, in a "virtual kidnapping" attack in which they threaten harm to someone the victim knows. Alternatively, they could pretend to be someone the victim has never met, a common tactic in catfishing and romance scams, Canham says.

Behavior-focused methods for describing these attacks can help people spot inconsistencies between the actions of a legitimate person and those of an attacker. Proof-of-life statements, for example, can help prevent someone from falling for a virtual kidnapping attack.

He hopes the framework will become a useful tool for researchers by providing a taxonomy of attacks and a common language they can use to discuss synthetic media. For security practitioners, it could be a tool for anticipating attacks and doing threat modeling, he says.

[Canham discussed the framework's dimensions in a Black Hat USA Briefing, "Deepfake Social Engineering: Creating a Framework for Synthetic Media Social Engineering."]

About the Author: Kelly Sheridan is a Senior Editor at Dark Reading, where she focuses on cybersecurity news and analysis.


Security 101: The 'PrintNightmare' Flaw

A closer look at the printer software vulnerability, and what you can do about it.

By Jai Vijayan, Contributing Writer, Dark Reading

When a remotely exploitable vulnerability affecting all versions of Microsoft Windows is being actively exploited and no patch is available, the security industry kicks into high alert.

Such was the case with "PrintNightmare," a vulnerability in the infamously buggy Windows Print Spooler service that burst into the limelight recently, with the US Cybersecurity & Infrastructure Security Agency (CISA), the CERT Coordination Center (CERT/CC), and others advising urgent action around it.

In separate alerts, CISA and CERT/CC urged organizations to disable the Print Spooler service on all critical systems, including domain controllers and Active Directory admin systems, citing concerns over the flaw. Those concerns were exacerbated, too, by some confusion over whether PrintNightmare was the same flaw as one some thought Microsoft had already patched in a previous security update.

After some initial silence, Microsoft clarified that PrintNightmare was a separate flaw from the one it had patched on June 8 (CVE-2021-1675) and assigned it a new identifier, CVE-2021-34527. Then on July 6, the company released an out-of-band emergency security update for the flaw and urged organizations to apply it immediately.


Here's a closer look at PrintNightmare and why it has evoked so much concern.

What Is PrintNightmare?

PrintNightmare is a critical remote code execution (RCE) vulnerability in the Microsoft Windows Print Spooler service (CVE-2021-34527). The vulnerability stems from the service's failure to properly restrict access to "RpcAddPrinterDriverEx()," a function for installing a printer driver on a Windows system. The vulnerable code exists in all Windows versions.

Windows Print Spooler is software that serves as an interface between the Windows operating system and a printer. It handles a variety of tasks, including loading printer drivers and buffering, queuing, and ordering print jobs. Microsoft describes it as software that enables systems to act as a print client, administrative client, or print server.

PrintNightmare is just one of numerous vulnerabilities that have been uncovered in the Windows Print Spooler service over the past decade or so. Researchers from China-based Sangfor Technologies discovered the flaw.

Why Is PrintNightmare So Dangerous?

The PrintNightmare vulnerability gives an authenticated attacker a way to gain system-level access on vulnerable systems, which include core domain controllers and Active Directory admin servers. Attackers can exploit the flaw to run arbitrary code, download malware, create new user accounts, or view, change, and delete data.

Some experts have expressed particular concern over the fact that the flaw lets any attacker with a domain account easily take over Active Directory. Microsoft itself has said "domain controllers are affected if the print spooler service is enabled." Similarly, all client systems and servers that are not domain controllers are impacted as well. A successful exploit against PrintNightmare can result in a total loss of confidentiality, integrity, and availability, the company has warned.

Microsoft has released updates fixing the flaw across all versions of Windows and has provided multiple workarounds for systems that cannot be patched yet. Meanwhile, proof-of-concept exploit code for the vulnerability is publicly available, and attackers are already using it to target the flaw.

The scope of the flaw is staggering: ExtraHop says some 93% of Windows Print Spooler environments could be vulnerable to PrintNightmare, making it one of the most serious security issues since SolarWinds.

"PrintNightmare provides system level privileges against domain controllers often over an encrypted channel, allowing attackers to use remote code execution to install programs, modify data, and create new accounts with full admin rights," said ExtraHop CISO Jeff Costlow, in a statement to Dark Reading. "The service is enabled by default on most Windows clients and server platforms, creating a huge attack surface of entry points."

What Can You Do About PrintNightmare?

Microsoft recommends that all organizations immediately apply the patch for the flaw. It also suggests workarounds if the patch cannot be applied right away. One is to disable the Print Spooler service where that is viable; doing so blocks both local and remote printing. The second option is to disable inbound remote printing through Group Policy so that remote attackers cannot reach the vulnerable RPC interface. In this case, local printing to a directly attached device would still be available, but remote printing would be unavailable altogether. Note that this second workaround only closes the remote vector: a user already logged on to the system could still trigger the flaw locally, so it is a stopgap until the patch is applied.

Organizations could take a few mitigation actions as an alternative to disabling printing, according to Microsoft. The gist of these steps is to reduce the attack surface by cutting the number of accounts allowed to add printer drivers (the operation the vulnerable RpcAddPrinterDriverEx() call performs) to as few as possible.

"Attempt to reduce membership as much as possible, or completely empty the groups where possible," Microsoft said.
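The following PowerShell script is an added example for this article, not code from Dark Reading, Microsoft, or Sangfor. It checks a host for the state of the workarounds described above and applies one of them. It assumes an elevated PowerShell 5.1 or later session on the host being assessed, that the Group Policy settings can be written at their documented registry locations under HKLM\SOFTWARE\Policies (in a managed domain you would deploy the same settings by GPO), and that the July 2021 security update is installed before the RestrictDriverInstallationToAdministrators value from Microsoft's KB5005010 is relied on. The file name Mitigate-PrintNightmare.ps1 and the function names are hypothetical.

```powershell
# Added example (not from the article, Microsoft, or Sangfor): triage a host for
# PrintNightmare (CVE-2021-34527) workarounds and apply one. Assumes an elevated
# PowerShell 5.1+ session. Policy values are written at their documented registry
# locations; prefer GPO for domain-wide deployment.
#
# Usage (hypothetical file name):
#   .\Mitigate-PrintNightmare.ps1 -Mode Check
#   .\Mitigate-PrintNightmare.ps1 -Mode DisableSpooler          # Microsoft workaround 1
#   .\Mitigate-PrintNightmare.ps1 -Mode DisableRemotePrinting   # Microsoft workaround 2
#   .\Mitigate-PrintNightmare.ps1 -Mode RestrictDriverInstall   # KB5005010 hardening

[CmdletBinding()]
param(
    [ValidateSet('Check', 'DisableSpooler', 'DisableRemotePrinting', 'RestrictDriverInstall')]
    [string]$Mode = 'Check'
)

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-PrintNightmareStatus {
    $svc  = Get-Service -Name Spooler
    $pol  = Get-ItemProperty -Path $PrintersPolicy -ErrorAction SilentlyContinue
    $pnp  = Get-ItemProperty -Path $PointAndPrint  -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    [pscustomobject]@{
        Host                    = $env:COMPUTERNAME
        IsDomainController      = ($role -ge 4)
        SpoolerStatus           = $svc.Status
        SpoolerStartType        = $svc.StartType
        # Policy "Allow Print Spooler to accept client connections": 2 = Disabled
        RemotePrintingDisabled  = ($pol.RegisterSpoolerRemoteRpcEndPoint -eq 2)
        # Point and Print values from KB5005010 (effective only with the July 2021 update)
        DriverInstallRestricted = ($pnp.RestrictDriverInstallationToAdministrators -eq 1)
        # Both prompts must stay on: 0 (or absent) means warning and elevation prompt shown
        PointAndPrintPromptsOn  = (($pnp.NoWarningNoElevationOnInstall -ne 1) -and
                                   (-not ($pnp.UpdatePromptSettings -gt 0)))
    }
}

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

switch ($Mode) {
    'Check' {
        $s = Get-PrintNightmareStatus
        $s | Format-List
        # Running spooler that still registers its remote RPC endpoint = remotely reachable
        if (($s.SpoolerStatus -eq 'Running') -and -not $s.RemotePrintingDisabled) {
            Write-Warning 'Spooler is running and accepting remote connections: patch, or apply a workaround.'
            if ($s.IsDomainController) {
                Write-Warning 'This host is a domain controller; disable the spooler here if it is not a print server.'
            }
        }
    }
    'DisableSpooler' {
        # Workaround 1: blocks local and remote printing entirely
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'DisableRemotePrinting' {
        # Workaround 2: remote RPC endpoint is no longer registered; local printing still works.
        # The local privilege-escalation vector remains until the patch is applied.
        Set-PolicyDword -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2
        Restart-Service -Name Spooler   # policy takes effect when the spooler restarts
    }
    'RestrictDriverInstall' {
        # KB5005010: only administrators may install drivers via Point and Print, with prompts kept on
        Set-PolicyDword -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators' -Value 1
        Set-PolicyDword -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall' -Value 0
        Set-PolicyDword -Path $PointAndPrint -Name 'UpdatePromptSettings' -Value 0
    }
}
```

Run `-Mode Check` first across domain controllers and any server that has no business being a print server; a running spooler with `RemotePrintingDisabled` false is the exposure the article describes. `DisableSpooler` is the right choice on domain controllers, while `DisableRemotePrinting` keeps printing to a locally attached device working on workstations. The `RestrictDriverInstall` values are the "reduce who can add drivers" idea expressed as policy rather than group membership, and they only have effect once the July 2021 update is installed.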

[Researchers from Sangfor Technologies discussed PrintNightmare in a Black Hat USA Briefing, "Diving into Spooler."]

About the Author: Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He specializes in writing on information security and data privacy topics. He was most recently a Senior Editor at Computerworld. He is a regular contributor to Dark Reading, CSO Online, and TechBeacon.
