App developers are ignoring laws and guidelines regulating data protection measures aimed at minors, putting their monetization plans in jeopardy and risking user trust.

The popular and increasingly controversial social media app TikTok must pay a fine of 12.7 million pounds (equivalent to around $16 million) in the UK for disregarding data protection for children.

The British data protection authority Information Commissioner's Office (ICO) announced this week that TikTok had allowed up to 1.4 million children under the age of 13 in the country to open accounts in 2020, despite the app's own rules prohibiting it.

Children's personal data had also been used without parental consent, it said, despite UK law requiring it.

"TikTok also failed to implement adequate controls to identify and remove underage children from its platform," an ICO statement added.

While some senior TikTok executives had raised concerns internally, the company had not responded appropriately, the ICO said.

Meanwhile, a new report from Pixalate analyzing the privacy policy of every US-registered child-directed app in the Apple App Store found that the majority (54%) of those apps appear to violate the Children's Online Privacy Protection Act (COPPA).

COPPA is a US federal law enacted in 1998 to protect the privacy of children under the age of 13 on the Internet. COPPA applies to websites and online services that collect personal information from children under the age of 13, such as their name, address, email address, phone number, and other identifiable information.

They must also post a clear and comprehensive privacy policy on their website or online service and provide parents with the option to review and delete their children's personal information.

**Privacy for Kids**

Due to skyrocketing online activity by children and teens, protecting their privacy and security online has become one of the most discussed topics in 2023.

The Biden administration has called on Congress to strengthen privacy protections, ban targeted advertising to children, and demand technology companies stop collecting personal data on children.

In children’s privacy enforcement actions against publishers and advertising platforms, the FTC has imposed hefty fines, customer refunds, and lengthy compliance and auditing obligations.

**App Violations Widespread**

According to the Pixalate report, 21% of apps in the Apple Store don't even have a privacy policy, despite Apple's claim that all apps in the store are required to have a privacy policy.

Among the US-registered, child-directed apps that do have a privacy policy, 34% are missing a Children's Privacy Disclosure, and 13% are missing contact information.

Jalal Nasir, CEO of Pixalate, explains there are multiple risks for app developers who ignore the regulations and names three that stand out.

"The first involves FTC fines, settlements, oversight and other similar remedies, and the second concerns losing the ability to monetize, for example undergoing business practices scrutiny, or being dropped by ad partners as they look to shed risk," he says. "The third involves losing your customers' trust."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says the penalties for violating the COPPA Rule can be substantial.

"The FTC has the authority to bring enforcement actions against violators, and it may seek civil penalties of up to $43,280 per violation," he explains.

In addition to monetary penalties, violators may also be required to take corrective action, such as deleting the personal information of children that was collected in violation of COPPA.

"The larger issue is that it can also harm a company's reputation and lead to a loss of trust among customers and partners," Vishnubhotla says.

**Holes in Apple Oversight**

Nasir says for smaller developers, lack of awareness or lack of resources are likely two of the biggest factors when it comes to failing COPPA compliance. But the biggest factor may be Apple's failure to provide reasonable oversight.

Apple, as the gatekeeper of its app ecosystem, needs to take a much stronger stance in protecting children’s privacy, he says.

"Apple not only needs to do a much better job of giving its developers the resources necessary to be compliant with the latest privacy laws, but it also seems to need to step up monitoring and enforcement of its own app store policies," Nasir says.

He adds that if app developers work with any third parties — including any advertising partners — they must ensure that those partners also have compliant privacy policies and practices.

"It creates a complicated web," Nasir says.

The real problem concerns the vast number of apps and frequent releases, he says, which makes it difficult for the Federal Trade Commission or any organization to check for noncompliance.

"Stores must provide these regulatory organizations with a dashboard or notifications in order to make it viable," he notes. "Public stores may not allow that. It's almost impossible to accomplish this in a proactive, feasible, and structured manner."

**"Technical Debt" for App Developers**

Melissa Bischoping, director of endpoint security research at Tanium, says development of applications must balance available resources, regulatory requirements, and competing business priorities in their planning and execution.

"While almost no one would disagree that privacy and protection of children's data is always a priority, the technical debt and workload can make engineering the compliance a long and expensive process," she says.

She adds that complying with these, and other regulations and security best practices requires not only the talent to implement the solutions but also adequate staff to test and review that the designed solution meets the desired outcome.

"This is, effectively, engineering a safer airplane while it's in flight," she explains. "It takes the work of multiple teams to engineer and assure. This effort, and others like it that are centered around protecting vulnerable populations, cannot be ignored."

TikTok, Other Mobile Apps Violate Privacy Regulations

Consolidating identity management on one platform gives organizations real-time access management for all identities on hybrid and multicloud installations. (First of a two-part series.)

Did you know that more than 40,000 permissions exist across the top three leading cloud platform providers? And yet 99% of these permissions are going unused. This has created a dangerous permissions gap in which a single server admin could potentially access thousands of permissions across multiple cloud infrastructures.

As this permissions gap expands, so too does an organization's attack surface. Current identity and access management (IAM) solutions are ill-equipped to manage multicloud identity infrastructure, and many security teams are unable to enforce the zero-trust tenet of least privilege access due to the sheer volume of permissions within their organizations.

As organizations work to modernize their IAM model for multicloud environments, there are a few best practices to keep in mind. For example, single sign-on and multifactor authentication can be implemented alongside new identity governance and permissions solutions to create a comprehensive IAM model that improves security without interfering with end-user productivity.

Read on for our top tips on optimizing IAM for multicloud environments.

**Securing Identity Starts With Individual Usage Profiles**

One of the first things that security teams will need to do is audit their current IAM model. For that audit to be successful, the IT department will need to create an individual usage profile for each unique user and nonhuman workload identity within the organization.

Workload identities are a type of nonhuman or machine identity that is assigned to software workloads to authenticate and access other services and resources. Though the use of workload identities can vary from organization to organization, they’re typically used to allow software entities to authenticate with some system. Their rise in popularity represents a new kind of security risk for organizations, as workload identities currently outnumber human identities 10:1. And while human users typically have one identity that is used to access multiple resources, software workloads can use multiple credentials to access different resources.

By creating individual usage profiles for all human and nonhuman workload identities, security teams can understand how many identities exist within their organizations, who has access to what, and how those permissions are currently being used. This provides better visibility into current risks. It also allows security teams to determine whether past permissions are still necessary — for example, when a contractor's work is complete or an employee has transitioned into a new position.

Additionally, because the rising adoption of multicloud environments has led to a boom in identities, permissions, and resources, organizations need to ensure that they have visibility across all of their cloud providers. Cloud infrastructure entitlement management (CIEM) is one solution.

**What Is CIEM?**

Originally coined by Gartner, CIEM comprises seven core pillars: account and entitlements discovery, cross-cloud entitlements correlation, entitlements visualization, entitlements optimization, entitlements protection, entitlements detection, and entitlements remediation. Essentially, CIEM uses analytics and machine learning to determine whether a permission has been granted unnecessarily, is being used incorrectly, or whether a previously granted permission is going unused. From there, security teams can use CIEM to enforce least privilege access and monitor permission risks across their entire networks.

CIEM differs from security information and event management (SIEM) in that it is more focused on addressing access management risks. SIEM is used to collect and analyze event and log data from multiple sources into a single centralized platform. From there, SIEM can deliver threat detection, prioritize security alerts, offer response guidance, and more. CIEM works with SIEM to deliver that same level of security and comprehensive monitoring across hybrid and multicloud environments using zero trust principles.

When implementing CIEM or any other IAM model, organizations must ensure that they don’t interfere with end-user productivity. These access decisions must be granular enough to cover all identities and workloads within the organization while also being responsive enough to adapt to real-time risk assessments. By unifying identity management procedures within a single centralized solution, organizations can enable real-time access decisions for all identities across hybrid and multicloud environments. This, in turn, instills greater trust in every digital experience and interaction that power everyday operations.

_Part 2: How CIEM Can Improve Identity, Permissions Management for Multicloud Deployments_

Close the Permissions Gap With Identity and Access Management for Multicloud Workforces

Vulnerabilities in the device firmware and drivers underscore how printers cannot be set-and-forget technology and need to be managed.

A rash of printer-related vulnerabilities in 2023 have punctuated security expert warnings that printers continue to be a significant source of vulnerability within companies — especially as remote workers require printing resources or access to corporate printers.

So far in 2023, Lexmark advised that a publicly available remote exploit had already targeted a code execution flaw in its printers, HP warned of a vulnerable firmware version on some of its enterprise printers, and Microsoft fixed three remote code execution vulnerabilities in its printer drivers. And four months ago, security researchers at the Pwn2Own contest in Toronto showed off more than a dozen exploits against bugs in top printer brands, including Canon, HP, and Lexmark.

The spate of vulnerabilities underscores that printers remain a likely soft spot in most companies' attack surface area, says Matt Lewis, commercial research director at NCC Group, particularly because printers are not always part of company's asset management process and are often left out of security assessments.

"Many organizations don't know where their printers are, what security status or configuration they are in, and they are certainly not monitoring or logging activity on those printers," he says. "We don't typically see printers featuring as any sort of priority on organizational security plans and risk registers."

While security researchers have raised the issue of printer vulnerabilities over the past decade or more, the security of printers continues to be a major area of concern for companies. Only a quarter (26%) of information technology and cybersecurity professionals feel completely confident that their printing infrastructure is secure, according to the "Global Print Security Landscape Report 2022" published by technology-analyst firm Quocirca. In addition, 61% of CIOs and 44% of CISOs had difficulty keeping up with print-security challenges and demands, the report stated.

    

Home printers are tied for the No. 4 security concern of IT professionals. Data source: Quocirca

The digital vein of printer vulnerabilities is far from being tapped out, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, which runs the Pwn2Own competition.

"As evidenced by the number of printer-related patches released by Microsoft every month, the attack surface is broad and poorly defended," he says. "Printers are the sort of devices people don't want to touch once they get them working. As a consequence, they rarely receive firmware updates or other routine maintenance — at least until something breaks."

**Overlooked Dangers**

The hands-off approach to managing printers — or failing to manage printers — can sometimes be a blessing, as in the case of the latest vulnerability in some enterprise HP printer models. On April 3, the company acknowledged a vulnerability in the latest FutureSmart firmware (version 5.6), pulling down the six-week-old software and directing customers to revert their printers to FutureSmart version 5.5.0.3. The devices can leak information when IPSec is enabled, the company said in an advisory.

In a statement to Dark Reading, HP noted that the vulnerability only affected its printers for about a six-week window — between mid-February and the end of March — and only those installed with a specific version of firmware. The company did not say how many customers had downloaded or installed the vulnerable firmware and stated it would patch the latest version and make it available in 90 days.

Overall, printers represent a blind spot in most company's infrastructure and an opportunity for attackers, says NCC Group's Lewis.

"Printers can still offer an easy and less-detectable method for attackers to infiltrate a network and remain stealthy via backdoors planted within compromised printers," he says. "Most modern printers lack security detection and prevention measures and are often not monitored by organizations — for these reasons, there's no concrete data on how much printer compromise might actually be occurring globally."

**Bringing the Danger Home**

A significant twist in the printer threat landscape is the expansion of hybrid work and the commensurate risks posed by employees' home printers. Nearly two-thirds of companies (67%) are worried that home printers may pose risks to their business's security, according to the Quocirca report.

Whether home printers are yet getting targeted is not clear, but they do pose a significant attack surface, says NCC Group's Lewis.

"Home printers ... typically lack any organizational configuration and policy lockdown, thus there is a need for organizations to provide useful advice and guidance for home workers on how they can secure their home printers," he says.

Companies should ensure that their printers — both managed at the office and unmanaged at employees' homes — are part of their security assessments. Overlooking those devices puts companies at risk, says Trend Micro's Childs.

"Many enterprises only look at the big printers in their offices if they look at all," he says. "They rarely consider the printers in the home office of their remote workers when threat modeling."

Less than four in ten companies have reporting and analytics (38%) or formal risk assessments that include printers (38%) in place, according to the Quocirca report. Nearly nine in 10 companies will have or plan to implement a broad range of printer security measure in 2023, with seven in 10 companies planning to increase spending on security this year, the report stated.

Printers Pose Persistent Yet Overlooked Threat

Security teams need to find the best, most effective uses of large language models for defensive purposes.

AI is dominating headlines. ChatGPT, specifically, has become the topic du jour. Everyone is taken by the novelty, the distraction. But no one is addressing the elephant in the room: how large language models (LLMs) can and will be weaponized.

The Internet has become incredibly large and complex, exposing our most precious crown jewels. Whereas a decade ago a company had a single website, today it may have dozens — filled with unknown and untracked assets and subsidiaries — that an attacker can use to exfiltrate IP and/or breach into their network and systems. Recent research we conducted provided an eye-opening glimpse into this reality:

*   Companies' attack surfaces fluctuate 9% in size each month, making security gaps harder to detect. 

*   Organizations have, on average, 104 subsidiaries (i.e., entities owned by a parent company, which might be business units, brands, or standalone companies), and the core security team is unaware of 10 to 31 of them.

*   Invisible or hard-to-detect subsidiaries contain an average of 56% of the critical and high-priority vulnerabilities affecting customer assets.

In short, companies' attack surfaces have never been larger and more vulnerable. And security leaders are in constant fear that another issue like Log4j is going to cripple their business.

And as if we didn't have enough security threats to contend with, large language models like ChatGPT have entered the mainstream, shining a light on language AI as a potential weapon for cyberattacks. Should we be worried? The short answer is yes. But there is a bright side, which I'll address later.

**Large Language Models Can and Will Be Used Against You**

There are several stages of cyberattacks where LLMs can give bad actors a major advantage of scale, scope, reach, and speed. Here are a few:

*   **Automated reconnaissance.** Map and discover any assets (devices, files, etc.) and subsidiaries, brands, and services associated with your organization. Find sensitive information such as exposed credentials in AWS directories.

*   **Vulnerability discovery.** Find weaknesses in the targeted network.

*   **Exploitation.** To begin, initial exploitation is about using a technique like phishing to gain access to a network. Then, targeted exploitation might use watering-hole attacks to develop and exploit vulnerabilities within the network. 

*   **Data theft.** Copy or exfiltrate sensitive or valuable data from the network.

Also, consumer applications based on LLMs, most notably ChatGPT, can be used both intentionally and unintentionally by employees to leak company IP, simply by using the free public version. Companies like JP Morgan caught on to this early and were swift to ban corporate use of ChatGPT.

Spear-phishing campaigns provide another use case. High-quality phishing is based on deep understanding of the target; that is precisely what large language models can do quite well, because they process large volumes of data very quickly and customize messages effectively. Emails created by a large language model can impersonate a boss, co-worker, friend, or reputable organization with increasing precision and believability. Since 82% of data breaches involve a human element, including phishing and the use of stolen credentials, this will be an area to watch as hackers use LLMs to ramp up such attacks.

**Security Teams Can Turn the Tables on Attackers**

There is good news: Security teams can also use machine learning and LLMs to do reconnaissance on their own companies and remediate vulnerabilities before attackers get to them. They can use them to quickly and cost-effectively scan and map their own attack surfaces deeply to find exposed sensitive assets, personal identifiable information (PII), files, etc. By contrast, performing the same feat with manual methods could take months and/or cost hundreds of thousands of dollars.

Knowing the business context of any given asset is the only way security teams can effectively prioritize risk — and machine learning can help. For example, machine learning could recognize a database holding PII and play a role in revenue transactions. 

Machine learning can also determine the business purpose of an asset, distinguishing between a payment mechanism, a critical database, and a random device — and classify its risk profile. This context allows exponentially better risk prioritization and a higher level of threat intelligence. Without proper prioritization, security teams confront endless lists of vulnerabilities with labels like Urgent and Critical that are often, in fact, not correct. 

**Preparing for a New Era of Attacks**

There is every reason to expect attackers will make the most of large language models to automate reconnaissance and map your attack surfaces. It is time for security teams to embark on yet another learning curve: Find the best, most effective uses of large language models for defensive purposes. Right now, someone somewhere is looking for your organization's vulnerabilities, and it's just a matter of time before they use this newly popular type of tool to find them.

Bad Actors Will Use Large Language Models — but Defenders Can, Too

Your family's SUV could be gone in the night thanks to a headlight crack and hack attack.

Automotive security experts have uncovered a novel method for stealing cars by breaking into their control systems through a headlight.

The key (so to speak) is the controller area network (CAN) bus, the Internet of Things (IoT) protocol through which devices and microcontrollers in a vehicle communicate with one another. It’s basically the car's onboard, local communications network that cyberattackers can subvert to potentially stop and start the car, open doors and windows, play around with the radio, and much more.

While car hacking is hardly new, in a blog post published April 3, Ken Tindell, CTO of Canis Automotive Labs, described how attackers manipulated an electronic control unit (ECU) in a Toyota RAV4's headlight to gain access to its CAN bus, through which they were able to, ultimately, steal the vehicle. That's an approach that hasn't been seen before. Once connected via the headlight, they hacked their way into the CAN bus — responsible for functions like the parking brakes, headlights, and smart key — through a gateway and then into the powertrain panel, wherein lies the engine control.

    

How ECUs in a RAV4 are wired together with CAN bus. Source: Canis CTO blog

This type of CAN injection will require manufacturers to rethink control network security in their vehicles, he warns.

"When you're a car engineer," Tindell tells Dark Reading, "you're trying to solve all sorts of problems: minimizing the wiring, reliability, cost. You're not thinking 'cyber, cyber, cyber' all the time."

"We're not wired that way," he says. "Forgive the pun."

**Cyber Theft Auto**

On April 24 last year, Ian Tabor woke up to find that his Toyota RAV4's front bumper and left headlight had been manhandled, while it was parked out on the street in London.

> No fcuking point having a nice car these days, came out early to find the front bumper and arch trim pulled off and even worse the headlight wiring plug had been yanked out, if definitely wasn't an accident, kerb side and massive screwdriver mark. Breaks in the clips etc. C&#ts pic.twitter.com/7JaF6blWq9  
> 
> — Ian Tabor (@mintynet) April 24, 2022

One month later, those same areas of the car were again obviously tampered with. Tabor didn't realize the full scope of the sabotage until it was too late.

One day, the vehicle was gone.

> I know what they were doing, the car is gone! My @ToyotaUK app shows it's in motion. I only filled the tank last night. FCUK! https://t.co/SWl8PcmfZJ
> 
> — Ian Tabor (@mintynet) July 21, 2022

Tabor, it should be noted, is an automotive security consultant. The irony was not lost on Tabor's friend, Tindell. "When I first read his tweet, I thought: Someone's making a point," he says. "But no, not at all."

Tindell, it turned out, was in a unique position to help. He'd helped develop the first CAN-based platform for Volvo vehicles — an experience applicable to the situation given that the CAN proved to be the RAV4's key weakness.

**How Hackers Typically Steal Cars**

To break into a modern vehicle, the key is usually … the key.

"The car is defended with the key," Tindell explains. "The wireless key is a perimeter defense. It talks to an engine control unit (ECU), which asks: 'Are you the real key?' The key responds: 'Yeah.' Then the message goes to the engine immobilizer: 'OK, the owner's here with the key.'"

To breach this line of communication, thieves have historically opted for so-called "relay attacks." Using a handheld radio relay station, attackers can beam a car's authentication request to its associated smart key, presumably lying in a nearby home. The key responds, and the car accepts the message because it is, in the end, valid.

Attuned to this, manufacturers now commonly design keys to go to sleep after a few minutes of inaction. Owners with keys that don't go to sleep can store them inside of a radio-impenetrable metal box

Other attack types include subverting mobile apps, and making use of flaws in the infotainment systems of cars — the latter of which became a lightning rod for reform after the famed hack of the 2014 Jeep Cherokee by Charlie Miller and Chris Valasek in 2015. In that case, the discovery of a wide open cellular communications port 6667 ultimately led to their ability to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed.

Cybercriminals 'CAN' Steal Your Car, Using Novel IoT Hack

By developing new tools to defend against adversarial AI, companies can help ensure that artificial intelligence is developed and used in a responsible and safe manner.

On Wednesday, KPMG Studios, the consulting giant's incubator, launched Cranium, a startup to secure artificial intelligence (AI) applications and models. Cranium's "end-to-end AI security and trust platform" straddles two areas — MLOps (machine learning operations) and cybersecurity — and provides visibility into AI security and supply chain risks.

"Fundamentally, data scientists don't understand the cybersecurity risks of AI, and cyber professionals don't understand data science the way they understand other topics in technology," says Jonathan Dambrot, former KPMG partner and founder and CEO of Cranium. He says there is a wide gulf of understanding between data scientists and cybersecurity professionals, similar to the gap that often exists between development teams and cybersecurity staff.

With Cranium, key AI life-cycle stakeholders will have a common operating picture across teams to improve visibility and collaboration, the company says. The platform captures both in-development and deployed AI pipelines, including associated assets involved throughout the AI life cycle. Cranium quantifies the organization's AI security risk and establishes continuous monitoring. Customers will be able to establish an AI security framework, providing data science and security teams with a foundation for building a proactive and holistic AI security program.

To keep data and systems secure, Cranium maps the AI pipelines, validates their security, and monitors for adversarial threats. The technology integrates with existing environments to allow organizations to test, train, and deploy their AI models without changing workflow, the company says. In addition, security teams can use Cranium's playbook alongside the software to protect their AI systems and adhere to existing US and EU regulatory standards.

With Cranium's launch, KPMG is tapping into growing concerns about adversarial AI — the practice of modifying AI systems that have been intentionally manipulated or attacked to produce incorrect or harmful results. For example, an autonomous vehicle that has been manipulated could cause a serious accident, or a facial recognition system that has been attacked could misidentify individuals and lead to false arrests. These attacks can come from a variety of sources, including malicious actors, and could be used to spread disinformation, conduct cyberattacks, or commit other types of crimes.

Cranium is not the only company looking at protecting AI applications from adversarial AI attacks. Competitors such as HiddenLayer and Picus are already working on tools to detect and prevent AI attacks.

**Opportunities for Innovation**

The entrepreneurial opportunities in this area are significant, as the risks of adversarial AI are likely to increase in the coming years. There is also incentive for the major players in the AI space — OpenAI, Google, Microsoft, and possibly IBM — to focus on securing the AI models and platforms that they are producing.

Businesses can focus their AI efforts on detection and prevention, adversarial training, explainability and transparency, or post-attack recovery. Software companies can develop tools and techniques to identify and block adversarial inputs, such as images or text that have been intentionally modified to mislead an AI system. Companies can also develop techniques to detect when an AI system is behaving abnormally or in an unexpected manner, which could be a sign of an attack.

Another approach to protecting against adversarial AI is to "train" AI systems to be resistant to attacks. By exposing an AI system to adversarial examples during the training process, developers can help the system learn to recognize and defend against similar attacks in the future. Software companies can develop new algorithms and techniques for adversarial training, as well as tools to evaluate the effectiveness of these techniques.

With AI, it can be difficult to understand how a system is making its decisions. This lack of transparency can make it difficult to detect and defend against adversarial attacks. Software companies can develop tools and techniques to make AI systems more explainable and transparent so that developers and users can better understand how the system is making its decisions and identify potential vulnerabilities.

Even with the best prevention techniques in place, it's possible that an AI system could still be breached. In these cases, it's important to have tools and techniques to recover from the attack and restore the system to a safe and functional state. Software companies can develop tools to help identify and remove any malicious code or inputs, as well as techniques to restore the system to a "clean" state.

However, protecting AI models can be challenging. It can be difficult to test and validate the effectiveness of AI security solutions, since attackers can constantly adapt and evolve their techniques. There is also the risk of unintended consequences, where AI security solutions could themselves introduce new vulnerabilities.

Overall, the risks of adversarial AI are significant, but so are the entrepreneurial opportunities for software companies to innovate in this area. In addition to improving the safety and reliability of AI systems, protecting against adversarial AI can help build trust and confidence in AI among users and stakeholders. This, in turn, can help drive adoption and innovation in the field.

Fight AI With AI

A flaw in Twitter code allows bot abuse to trick the algorithm into suppressing certain accounts.

A vulnerability in Twitter's code was recently discovered that allows users to game the algorithm with mass blocking actions from large numbers of accounts, in an effort to suppress specific users showing up in people's feeds — essentially, it allows bot-created "shadow bans" in the parlance of social media censorship critics.

Now, the flaw has been assigned a CVE number as an officially recognized security vulnerability: CVE-2023-29218.

"The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023," the MITRE CVE entry explained.

The vulnerability was first flagged by infosec researcher Federico Andres Lois after analyzing Twitter's source code, which was leaked to the public and later posted on GitHub by Twitter as part of its commitment to transparency.

The bug means that botnet armies have the ability to game the algorithm with mass blocks, mutes, abuse reports, spam reports, and unfollows to drive down the number of times specific accounts show up in Twitter's recommendation engine.

"The current implementation allows for coordinated hurting of account reputation without recourse," Lois wrote in his disclosure. "Any other time I would just report this information using a vulnerability channel, but given that this is already popular knowledge there is no use to do so."

The vulnerability has since been discovered by others, prompting a cryptic, yet splashy, response from Twitter CEO Elon Musk.

"Who is behind these botnets?" Musk tweeted. "Million dollar bounty if convicted."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Twitter 'Shadow Ban' Bug Gets Official CVE

In next-gen, credential-harvesting attacks, phishing emails use cloud services and are free from the typical bad grammar or typos they've traditionally used (and which users have learned to spot).

Cybercriminals continue to target victims with cleverly crafted phishing attacks, this time from QuickBooks online accounts, aimed at harvesting credentials. The gambits use a level of legitimacy and social engineering indicative of a new wave in business email compromise (BEC) efforts, researchers said.

The attacks show how cybercriminals are continuing to evolve phishing tactics as security and detection for these types of offensives improves, switching to maneuvers that are even more evasive. That's according to researchers from Avanan, a Check Point company, who said in a blog post on April 6 that this evolution of attacks can be considered "BEC 3.0." 

Threat actors are now signing up for free accounts for legitimate services and then targeting victims from within those services, using email addresses from domains that won't be flagged by typical scanning tools, the researchers said.

"The most unique \[aspect of the attack\] is the evolution from hackers here," Jeremy Fuchs, Avanan cybersecurity researcher/analyst and author of the blog post, tells Dark Reading. "Hackers are incredibly adept at adjusting. So much money and technology has been thrown at \[what\] we consider BEC 2.0, and many solutions have gotten really good at stopping it. So, hackers have to adjust — and they have here."

Avanan already has found evidence of similar attacks coming from within PayPal and Google, as well as previous attacks that already came from legitimate QuickBooks accounts. Worsening matters is the fact that attackers couple this tactic with carefully written and socially engineered emails that are free from the typical bad grammar or typos that phishing emails traditionally have used and which users have learned to spot, Fuchs said.

"All the typical phishing hygiene tricks are thrown out the window," he wrote in the post. "You can't see a discrepancy in the sender's address. The links are legitimate. The spelling and grammar are on point."

**Common Lure Without the Typos**

One reason why phishing remains one of the primary initial access vectors: the growing use by attackers of legitimate software-as-a-service (SaaS) and cloud offerings such as LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it.

In the case of the latest QuickBooks attack, the messages inform victims that their subscriptions for a Norton antivirus product — Norton LifeLock — are about to be renewed and request action from the victim to call a phone number to verify or cancel an automatic renewal payment.

This latter detail may be the only thing that appears questionable to even the savviest of email user, however, as Fuchs says, "plenty of people use Norton LifeLock — and that goes for both consumers and businesses."

If a victim falls for the bait, the campaign packs a one-two punch, as attackers can harvest not only potential payment credentials, but also a victim's phone number for future attacks from chat apps like WhatsApp, he wrote in the post.

Overall, the attack demonstrates that hackers are adjusting tactics by creating messages that appear not only convincing to end users but are also difficult for security protections to pick up because they come from legitimate sources, Fuchs says. QuickBooks, for example, is a perfectly safe website, and, as it's income-tax season in the US and other countries, an email from the service likely won't surprise users, Fuchs says.

"What hackers have done is taken that safety and used it to their advantage," he says. "By placing unsafe links or messages inside a safe receptacle, it can easily evade detection, because the security service is seeing that the receptacle is safe and passing it forward."

Indeed, all the standard checks — domain, SPF, DMARC, etc. — would allow this type of email to pass, and many security services will see the Intuit domain and just send it through without further checks, according to Fuchs.

"There isn't a newly created domain to look at," Fuchs wrote in the post. "Natural language processing won't do much good. This is what makes these attacks so incredibly tricky to top."

**Mitigation Tactics**

With attackers stepping up their phishing game in novel ways, enterprises and other organizations also have to keep pace in terms of security protection and arming employees with tools to identify BEC 3.0 messages, the researchers said.

Advanced employee education about the new types of phishing attacks can go a long way to mitigating them, according to Fuchs.

"This requires a new wave of education for users," he wrote in the post. "Hovering over links isn't as helpful — now users have to be wary of all links. This requires a whole new approach."

One key thing that organizations can ask employees to do is to Google phone numbers included in suspicious messages that require them to make a phone call to take action, he says. In the case of the attack investigated by Avanan, a Google search of the phone number included in the message flagged it as being used in scams, the researchers found.

Organizations can also implement policies for the type of actions that BEC emails request that require independent verification from a second employee and can help to decrease the probability of a successful attack, Fuchs says.

Other steps enterprises can take to avoid compromise by advanced phishing attacks include implementing data-protection policies that can highlight when a credit card or other payment method is used, alerting security teams and finance teams that something is amiss, he says.

Fuchs adds: "Utilizing browser security that follows a link through all its intended actions is helpful too."

'BEC 3.0' Is Here With Tax-Season QuickBooks Cyberattacks

It's time to get ahead of attacks before they even happen.

The constant stream of cyberattacks sweeping making headlines may seem almost inevitable by this point. And while sometimes the organizations being attacked have clearly made themselves easy targets by leaving sizable gaps in their cybersecurity defenses, others are simply unlucky to have fallen into the sights of sophisticated, nation-sponsored hackers.

Enough is enough. It's high time our country stopped playing defense and actively fought against these cybercriminals.

Right now, on the federal level, we have seen very few results from our efforts to prevent nation-states from successfully attacking US targets. Businesses, banks, hospitals, and critical infrastructure organizations that fall prey to breaches have no recourse but to react as best they can — try to halt the damage, clean up the mess, suffer the public distrust, and return to normal operations as quickly as possible. The human and financial costs of this can be high. Sensitive personal data can be compromised and sold on the Dark Web. Human lives can be lost when hospital systems go down for extended periods of time. And the costs for firms to engage with all the necessary insurance companies, lawyers, and cybersecurity experts can be astronomical.

**Falling Short of Adequate Protections**

What's more, evidently, even our own government is falling exceedingly short of adequate protections for its systems, if the recent FBI InfraGard breach is any proof. The InfraGard hacker was simply given access to the FBI's critical-infrastructure intelligence portal after posing as the CEO of a financial institution. This individual's identity was never properly verified (which even a simple phone call might have accomplished), and now 87,000 high-profile cybersecurity stakeholders and private-sector individuals have had their personal data compromised. In addition, some of our nation's classified data may have been exposed as well.

Worse still, the recommendations provided by the FBI came nearly one week after the breach — leaving those 87,000 stakeholders vulnerable and without a clear understanding of what sensitive data was at risk for far too long. While the latest response provided by the FBI appears to be thorough, it lacks accountability for this epic fail of data protection. When attacks are conducted by nation-states or hackers seeking to damage our national interests, as they so often are, our government has a duty to protect its citizens and prevent the attacks in the first place — and as quickly as possible.

In fact, we should be looking to the Australian government for a strong model of how to stand up to cybercrime. In the wake of massive breaches at telecommunications giant Optus and Medibank, Australia's largest private health insurer, in which millions of people's personal data was exposed, Australia declared outright war against cybercriminals. The new offensive, built upon a joint cyber-policing task force between the Australian Federal Police and the Australian Signals Directorate, has one clear mission: Hunt down cybercriminals and disrupt their operations. Some call this “various forms of takedown.”

Not only has this task force already made progress in identifying the hackers behind the Medibank attack, promising they will be brought to justice, it has also made it a point to send a clear message to any and all would-be attackers. As the country's cybersecurity minister, Clare O'Neil, has said, the task force will, "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyberattacks, and disrupt their efforts."

**Take the Offensive**

Here in the US, we need to follow suit. We need to take the offensive and make it clear we won't allow cybercrimes against American citizens to go without serious consequences.

Implementing even the most basic safeguards requires organizations to take accountability here as well, heading cybercriminals off at the pass — i.e., automating regular password resets, enabling two-factor authentication, encrypting sensitive information, conducting regular penetration tests and, ultimately, having an incident response team at the ready when threats or breaches occur.

While it's heartening to see our Congress' recent steps to prioritize cybersecurity development and protection at the federal level — the following examples are only starting points:

*   Sen. Mark Warner's latest proposed policies for healthcare are a good model.
*   The House of Representatives is exploring a bill focused on the feasibility of establishing a Cyber Defense National Guard
*   The White House Cyber Strategy document suggests sanctions and offensive approaches
*   The Senate Committee on Homeland Security and Government Affairs hearings are beginning to address the challenges healthcare faces from cyber threats

Senators Peters, Blumenthal, Hawley, Rosen, Paul, Sinema, and others are also suggesting that the federal government could do more to help. Regulations and defensive tactics can only take us so far, and we need to do more.

It's time to punch back. It's time to get ahead of attacks before they even happen, catching and making examples out of nation-sponsored hackers who attack our national security, our businesses, and the lives of our citizens. After all, the best defense is a good offense.

Australia Is Scouring the Earth for Cybercriminals — the US Should Too

New threats from generative AI demand a generative AI security response.

Generative artificial intelligence technologies such as ChatGPT have brought sweeping changes to the security landscape almost overnight. Generative AI chatbots can produce clear, well-punctuated prose, images, and other media in response to short prompts from users. ChatGPT has quickly become the symbol of this new wave of AI, and the powerful force unleashed by this technology has not been lost on cybercriminals.

A new kind of arms race is underway to develop technologies that leverage generative AI to create thousands of malicious text and voice messages, Web links, attachments, and video files. The hackers are seeking to exploit vulnerable targets by expanding their range of social engineering tricks. Tools such as ChatGPT, Google's Bard, and Microsoft's AI-powered Bing all rely on large language models to exponentially increase access to learning and thus generate new forms of content based on that contextualized knowledge.

In this way, generative AI enables threat actors to rapidly accelerate the speed and variation of their attacks by modifying code in malware, or by creating thousands of versions of the same social engineering pitch to increase their probability of success. As machine learning technologies advance, so will the number of ways that this technology can be used for criminal purposes.

Threat researchers warn that the generative AI genie is out of the bottle now, and it is already automating thousands of uniquely tailored phishing messages and variations of those messages to increase the success rate for threat actors. The cloned emails reflect similar emotions and urgency as the originals, but with slightly altered wording that makes it hard to detect they were sent from automated bots.

**Fighting Back With a "Humanlike" Approach to AI**

Today, humans make up the top targets for business email compromise (BEC) attacks that use multichannel payloads to play off human emotions such as fear ("Click here to avoid an IRS tax audit...") or greed ("Send your credentials to claim a credit card rebate..."). The bad actors have already retooled their strategies to attack individuals directly while seeking to exploit business software weaknesses and configuration vulnerabilities.

The rapid rise in cybercrime based on generative AI makes it increasingly unrealistic to hire enough security researchers to defend against this problem. AI technology and automation can detect and respond to cyber threats much more quickly and accurately than people can, which in turn frees up security teams to focus on tasks that AI cannot currently address. Generative AI can be used to anticipate the vast numbers of potential AI-generated threats by applying AI data augmentation and cloning techniques to assess each core threat and spawn thousands of other variations of that same core threat, enabling the system to train itself on countless possible variations.

All these elements must be contextualized in real time to protect users from clicking on malicious links or opening bad attachments. The language processor builds a contextual framework that can spawn a thousand similar versions of the same message but with slightly different wording and phrases. This approach enables users to stop current threats while anticipating what future threats may look like and blocking them too.

**Protecting Against Social Engineering in the Real World**

Let's examine how a social engineering attack might play out in the real world. Take the simple example of an employee who receives a notice about an overdue invoice from AWS, with an urgent request for an immediate payment by wire transfer.

The employee cannot discern if this message came from a real person or a chatbot. Until now, legacy technologies have applied signatures to recognize original email attacks, but now the attackers can use generative AI to slightly alter the language and spawn new undetected attacks. The remedy requires a natural language processing and relationship graph technology that can analyze the data and correlate the fact that the two separate messages express the same meaning.

In addition to natural language processing, the use of relationship graph technology conducts a baseline review of all emails sent to the employee to identify any prior messages or invoices from AWS. If it can find no such emails, the system is alerted to protect the employee from incoming BEC attacks. Distracted employees may be fooled into quickly replying before they think through the consequences of giving up their personal credentials or making financial payments to a potential scammer.

Clearly, this new wave of generative AI has tilted the advantage in favor of the attackers. As a result, the best defense in this emerging battle will be to turn the same AI weapons against the attackers in anticipation of their next moves and use AI to protect susceptible employees from any future attacks.

**About the Author**

    

Patrick Harr is the CEO of SlashNext, an integrated cloud messaging security company using patented HumanAI™ to stop BEC, smishing, account takeovers, scams, malware, and exploits in email, mobile, and Web messaging before they become a breach.

Source

DARKReading