In-person conversations are a productive way to understand the state of the industry and learn new techniques. Take advantage of peers' experience, compare notes, and boost your skill set.

The security community is always pressured to jump to the next thing. So, it's easy to guess what will likely dominate conversations at the 2023 RSA Conference later this month — geopolitical events/cyberwarfare and nefarious uses for ChatGPT. There's a lot going on with respect to these topics and security, but in my opinion, they shouldn't consume the lion's share of attention.

As a community, I would rather we spend more time focusing on an area that we don't talk enough about but should: the state of the industry. In other words, where we — as security practitioners, experts, and vendors — are right now, and what we need to do better.

**Use the Conference to Chart Best Way Forward**

Attacks and compromises aren't going away. Instead, they're growing and becoming more costly. Does this mean that, as defenders, we aren't getting better at what we do? Or are attackers getting better at what they do, while we stay the same, not learning lessons based on our own experiences or from our peers? When we attend conferences like RSA, this is what we should be talking about.

This proposed topic is even aligned with this year's conference theme: "stronger together." Instead of jumping to the next thing, let's take advantage of the opportunity to meet in person to look at some of the areas where the same types of compromises keep happening, and discuss how we can do better as a community. Here are a few suggestions.

**Supply Chain Security**

Supply chain attacks are nothing new; they've been around for years. In 2015, we saw hardware supply issues where motherboards were found to have malicious microchips in them. And a couple of years later routers and switches were compromised, affecting users in numerous countries. On the software side, not that long ago a spate of supply chain attacks on software from companies such as Accellion, Kaseya, and SolarWinds affected millions of users downstream. And with respect to source code, over the years we continue to see incidents of JavaScript, Log4j, Perl, and Python libraries being compromised, putting software companies that use them as part of their offering at risk.

Why do these types of compromises continue to exist? Are we not getting the message across that supply chain security is critical? Or is it being ignored? No one wants the government to step in and legislate things that don't make sense without the industry putting in place the proper tools, processes, and standards to be effective. But that's exactly what's occurring because the need to reduce these risks is critical, and the security community isn't being proactive enough.

**Industrial Control Systems Security**

Attacks on industrial control systems (ICS) are another classic example. There was Stuxnet in 2010, attacks on Ukraine's power grid in December 2015 and December 2016, and then another, more damaging wave with WannaCry and, subsequently, NotPetya, which resulted in an estimated $10 billion in damages. Since the pandemic, we've seen attacks against pipelines, food and water supplies, and other critical infrastructure. And electrical systems and telecom providers have come under attack since Russia's invasion of Ukraine.

We knew about the potential for damaging attacks as far back as the 1990s, when the Purdue Model, a reference data flow model for computer-integrated manufacturing, was developed for ICS security. Since then, we've made additional, significant advances in capabilities to secure critical infrastructure networks and systems and the federal government has numerous resources available to help. And yet these attacks continue.

**Cloud Security**

There are tons of cloud security vendors, and cloud providers also have their own security offerings, which continue to improve and change. But we still see outages due to a number of factors — bad configurations, unauthorized access, and insecure interfaces/APIs, to name a few. It's similar to what we see happening on-premises; we've just moved these problems to the cloud, and now 45% of all data breaches happen in the cloud.

There are also many vulnerabilities that threat actors aren't actively exploiting yet, but they will when the rewards are great enough. And as cloud providers proliferate, not all clouds are created equal. Diversity creates diverse problems, which makes cloud security even harder. It raises the question: Are cloud providers, users, and security vendors learning from each other?

**Make the Most of In-Person Meetings**

We've only recently started to get back into the swing of attending conferences and meeting face to face. Not only are these experiences more fun than online events, they also tend to foster more open communication and strong connections. Let's use the opportunity to build relationships and start to get more information about existing threats and what people are doing about them.

As one of the largest gatherings of cybersecurity community members, RSA Conference also provides an opportunity for cross-pollination. When we talk to people outside of our own industry vertical and listen to what they're doing and what they're facing, we can gain even more insights. There may be a lot of overlap in terms of the threats they face and their approach to setting up their security posture that can be adapted for use in other industry verticals.

In-person conversations are an incredibly productive way to understand the state of the industry. So, enjoy the conference and use it as an opportunity to focus on what we can do better right now.

What to Discuss at RSA Conference — and It's Not ChatGPT

An emerging, illicit marketplace proves that financial cybercrime is still on the rise, with a need for countries to collectively put safeguards in place.

Styx Marketplace, which opened in January, is a new platform on the Dark Web that focuses on financial fraud, designed to provide cybercriminals with the necessary resources — such as credit card information, forged documents, victim reconnaissance, and SIM cards, among others — to carry out their malicious acts.

Though the marketplace only opened this year, analysts noted its launch being discussed back in 2022 on the Dark Web. At the time, Styx Marketplace's creators were still building the platform and its process of authorizing transactions between buyers and sellers of illegal cybersecurity-related products and services. Now that the marketplace is up and running, once users are registered, they can peruse a variety of services, albeit illicit ones, that can be purchased with Bitcoin (BTC), Ethereum (ETH), or Tether (USDT), according to a blog post by analysts at Rescurity who studied the marketplace.

The threat actors behind Styx Marketplace target geographies across the globe, including the US, UK, EU, Canada, Australia, and countries in Asia and the Middle East, proving that combating cybercrime, especially cyber-enabled financial crime, will take a collective, international effort. With the discovery of the marketplace, there is a newfound urgency to put protections in place on behalf of the financial industry in order to safeguard the sensitive information of individuals and organizations alike.

"The banking sector remains vulnerable to threats related to identity authentication," the Resecurity analysts stated in their blog post. "Cybercriminals are leveraging weaknesses in KYC verification process, while also leveraging new tactics to plant money mules in FIs to facilitate cash-outs and other laundering services."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Styx Marketplace Provides Hub for Financial Cybercrime

Faced with enterprise challenges, the Holy See looks to ensure it avoids a "holey" mobile device management solution.

The world's smallest and most antiquated army is taking a step towards modernizing its cyber defenses.

Just ahead of the pre-Easter Holy Week for Catholics, Samsung announced that the Pontifical Swiss Guard (GSP) — the elite security force charged with protecting the Vatican and the Pope — is adopting the Knox Suite, a bundle of services for managing and securing mobile devices.

Strange as the fit might be, multilayered security is necessary for an organization whose long history includes plenty of targeted cyberattacks.

"Protecting the Vatican could be subtitled 'Mission Impossible,'" Approov CEO Ted Miracco says. "It's a high-profile target, with a vast array of sensitive information and valuable assets that make it attractive for cybercriminals, hackers, and other powerful groups opposing it."

**Why the Vatican Needs Cybersecurity**

In 2011, hacktivist group Anonymous carried out a 25-day-long cyber campaign against an unspecified target. The attack employed "around 10 to 15 skilled hackers," according to one report, but the victim was prepared. "All attacks on the application were blocked and logged by a Web application firewall." So, the attack proved unsuccessful.

Later reporting revealed the winning defender to be the Vatican. "It might sound strange for churches to be associated with technology," admits Bogdan Botezatu, director of threat research and reporting at Bitdefender, "but these institutions have long since made the technological leap."

In some sense, the Vatican's hand has been forced. In only the last few years, the papacy has been targeted by politically motivated and nation-state-level actors. There have been espionage campaigns carried out by China's TA416 in 2020 and other APTs and a website takedown by a Russian-aligned attacker late last year.

    

The Swiss Guard is the Pope's elite protection team. Source: Stephen Bisgrove via Alamy Stock Photo.

The Vatican's popularity as a punching bag among sophisticated APTs requires a degree of security on par with other nation-states, despite its size aligning more closely with large enterprises.

"It probably shares the same pain points with other organizations of similar size," Botezatu hypothesizes, but "it's still tasked with the protection of an iconic figure, so network, data, and device security should be a top concern."

However, when it comes to security, "the specific strategies and tactics may differ due to the unique context and challenges of the Vatican as a religious institution," Miracco says.

In general, though, "the same security principles apply everywhere." The Vatican would need sufficient endpoint security, he says, alongside network security, physical security, "and perhaps an underestimated angle: training and awareness in an organization that is not particularly technology savvy."

**The Shortcomings of All-in-One MDM Solutions**

Specifically, Samsung Knox will offer the Vatican and the Swiss Guard the following:

*   Device enrollment for both IT admins and device users, enabling thousands of devices to be set up at once and configured easily;
*   Allow system admins to remotely manage and monitor the location of every device used by the Pontifical Swiss Guard, and erase data in the event that a device is lost or stolen;
*   And can be used to instantly share threat information across multiple devices, while patrol leaders are able to view where all members of the Pontifical Swiss Guard are deployed at any one time.

Something like Knox Suite may help the Swiss Guard with their cyber woes, but it isn't without its drawbacks — drawbacks that are, in some sense, endemic to mobile device management (MDM) across other organizations of its size and scope — such as integration, or patching.

Miracco thus expects that "rolling that out across a diverse organization will be challenging."

He continues, "The Vatican, by selecting Samsung Knox, believes they can restrict employee access to the use of dedicated compatible devices, however, it may not be fully compatible with other mobile devices used by the Vatican staff. This could potentially limit the effectiveness of the security solution and create additional complexity and management challenges."

Perhaps this is less of a hurdle in an army of 135 obedient soldiers, but "in general, in a world where bring-your-own device (BYOD) is common, this may no longer be feasible, especially for organizations with a large global employee base."

Botezatu echoes the point, from a supplier perspective. "The smartphone market is largely split between iOS and Android, with both operating systems limiting the integration capabilities of third-party mobile solutions," he laments. "This inability to deeply integrate with the operating system leaves mobile security vendors unable to scan the entire file system, to inspect network traffic, or to run behavioral detection technologies."

He cites the fragmented mobile ecosystem, and a lack of "enterprise-grade tools for mobile device management that would work consistently on multiple smartphone brands and models," as some of the most severe fault lines in mobile security today.

At the end of the day, "protecting the Vatican is a difficult challenge," Miracco concludes. "Samsung Knox is one step."

The Pope's Security Gets a Boost With Vatican's MDM Move

**San Jose, CA - April 5, 2023** **\-** Noname Security, the leading provider of complete and proactive API security, today announced Noname Public Sector’s Hardened Virtual Appliance making the API security platform available to the U.S. Federal Government, highly regulated industry customers, and FedRAMP-authorized vendors. The appliance is the first of its kind in the comprehensive API security space and is designed to deliver a drop-in, secure, and scalable system for discovering, monitoring, and protecting mission-critical APIs and data. 

_“Governments and highly regulated industries have unique security needs. Having worked closely with many Federal agencies during my career, I know how impactful it will be to provide this level of security and insight into APIs and provide options that make it easy to meet government standards,”_said Dean Phillips, Executive Director of Public Sector Programs at Noname Security. _“The government and regulated industries are not immune from cyber criminals, they are targeted as much – if not more – than most organizations. We’re excited to arm them with the tools they need to protect their assets.”_

Federal agencies can use the Noname API Security Platform to protect their APIs in real-time and detect vulnerabilities before they are exploited. Noname Security’s Hardened Virtual Appliance makes the API security platform available completely offline with no reliance on internet connectivity, perfect for isolated and controlled environments. It is a finely tuned package of advanced software and premium support built and secured to Federal Government specifications, enabling customers to comply with the most rigorous standards, including Federal Information Processing Standards (FIPS)1 and Defense Information Systems Agency (DISA) Secure Technical Implementation Guides (STIGs)2. Noname collaborated with a FedRAMP 3PAO, The MindPoint Group, on the development of the Noname Hardened Virtual Appliance.

Noname Security’s Hardened Virtual Appliance enables access to a powerful, complete, and easy-to-use API security platform that helps: 

*   **Discover all APIs, data, and metadata** \- Unlike other API solutions that only look at traffic sources, Noname Security discovers more APIs by combining traffic sources with the configuration of infrastructure and applications. The end result: visibility into more APIs and deeper insights into customers’ API security posture.
*   **Analyze API behavior and detect all API threats** \- The Noname API Security Platform uses AI-based detection to identify the broadest set of API vulnerabilities, including data leakage, data tampering, misconfigurations, data policy violations, suspicious behavior, and cyber attacks.
*   **Prevent attacks and remediate API vulnerabilities** \- Noname Security allows federal customers to prevent attacks in real-time, fix misconfigurations, automatically update firewall rules, webhook into their WAFs and gateways to create new policies against suspicious behavior, and integrate with existing workflows (ticketing and SIEMs).

Noname Public Sector LLC has made it easier to deploy, configure and manage the platform via the new Noshell(™) interface. The shell offers innovative features such as the ability to perform on-demand STIG audits of the internal system itself, while aiming to reduce the overall attack surface of the system.

To learn more about Noname Security’s hardened platform, please contact \[email protected\].

**Supporting Resources**

*   Noname Website
*   Follow Noname Security on LinkedIn
*   Follow Noname Security on Twitter
*   Noname’s API Security Disconnect Research Report 2022
*   The 2022 API Security Trends Report

****About Noname Security & Noname Public Sector LLC****

Noname Public Sector LLC empowers the world’s most critical organizations to protect their most important data. With decades of military and civilian public sector experience, Noname Public Sector combines a deep understanding of government agency requirements with leading expertise on their unique API security considerations. Government agencies using Noname’s complete, proactive API security solutions can securely harness their data to serve the public and stay ahead of adversaries. Noname Public Sector LLC is privately-held and based in Herndon, VA.

Noname Security is the leading provider of complete, proactive API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope — Discovery, Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in Tel Aviv and Amsterdam.

Noname Security Announces Hardened API Security Platform

BlackBerry integrates award-winning CylanceGUARD and BlackBerry AtHoc technologies for "combat-ready" cyber event continuity planning and response.

**WATERLOO, ON****,** **April 5****, 2023**  **/PRNewswire/ --** BlackBerry Limited (NYSE: BB) (TSX: BB) today announced a new integration that combines the award-winning Managed Detection and Response (MDR) protection of CylanceGUARD® with secure Critical Event Management (CEM) powered by BlackBerry® AtHoc®. In the event of a cyberattack, organizations that select a CylanceGUARD subscription with AtHoc features will benefit from secure, multi-channel internal and stakeholder communications for incident response actions, with the ability to alert, communicate and collaborate from within the CylanceGUARD platform, even when the usual communications infrastructure is not available.

John Giamatteo, President, BlackBerry Cybersecurity, says: "Organizations need to consider how they would communicate when their network is compromised. If email and chat services are down or can't be trusted, how would they mobilize the right people to act, and provide guidance across the company as the situation unfolds? Too often, secure and reliable communication is a critical missing element of cyber incident response that creates costly uncertainty and delays.

"We're the only cybersecurity company with our own multi-channel emergency communication capability that makes companies "combat-ready". Our industry-first integrated solution provides assured situational awareness and dramatically improves organizations' ability to respond when – not if – a cyber incident strikes."

BlackBerry AtHoc is an interoperable CEM system that is trusted by organizations and used by over 75% of U.S. federal government employees for crisis communications and incident response. Users can quickly activate incident response plans for impacting situations, capture real-time information, and rapidly deploy secure communication to specified groups. For organizations with limited IT resources that typically select CylanceGUARD protection, the opportunity to upgrade to a CylanceGUARD subscription with AtHoc features will bring benefits previously available to large, well-resourced entities available to defenders of any size and scale.

Applying this agility in response to cybersecurity events means organizations protected by CylanceGUARD will be able to send secure, out-of-band communications from within the CylanceGUARD dashboard to a globally distributed workforce and stakeholder groups using BlackBerry AtHoc. The integration will allow administrators to manage receipt and response of deployed communications and bring IT and cybersecurity leaders together in protected communication channels. Escalation alerts will contain a brief description and a link to the escalation in the CylanceGUARD portal to speed analyst investigation and support. 

Dr. Alison Brooks, Research Vice President, Worldwide Public Safety at IDC, added, "The cyber landscape is vast and advancing at an unprecedented rate. Communicating in times of crisis is key to their technology, and ensuring a strong foundation, and security standards are vital in ensuring those involved can communicate internally and externally in a secure and unified way."

CylanceGUARD with BlackBerry AtHoc CEM integration will be available to new and existing CylanceGUARD customers starting May 2023.

For more information on how BlackBerry's comprehensive, prevention-first, AI-driven cybersecurity solutions can help your business prepare for, prevent, detect and respond to cyber threats, please visit BlackBerry.com.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world.  The company secures more than 500M endpoints including over 215M vehicles.  Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint management, endpoint security, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

BlackBerry Introduces Integrated Solution to Assure Secure Bi-Directional Response Communications During Cyber Incidents

CISA is advising Nexx customers to unplug impacted devices until the security issues are addressed — but so far, it's crickets as to patch timeline.

Garage door controllers, smart plugs, and smart alarms sold by Nexx contain cybersecurity vulnerabilities that could enable cyberattackers to crack open home garage doors, take over smart plugs, and gain remote control of smart alarms, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

And although independent cybersecurity researcher Sam Sabetan reported that he discovered several vulnerabilities in late 2022 and alerted Nexx to the issues, the company has yet to respond.

Nexx has not replied to Dark Reading's request for comment, either.

CISA's April 4 warning applies to three specific Nexx Internet of Things (IoT) products: Nexx Garage Door Controller (NXG-100B, NXG-200), version nxg200v-p3-4-1 and prior; Nexx Smart Plug (NXPG-100W), version nxpg100cv4-0-0 and prior; and Nexx Smart Alarm (NXAL-100), version nxal100v-p1-9-1 and prior.

The Nexx products have five identified vulnerabilities, according to CISA, the highest of which has a critical CVSS vulnerability severity score of 9.3.

1.  CVE-2023-1748: Use of Hard-Coded Credentials CWE-798 (CVSS 9.3)
2.  CVE-2023-1749: Authorization Bypass Through User-Controlled Key CWE-639 (CVSS 6.5)
3.  CVE 2023-1750: Authorization Bypass Through User-Controlled Key CWE-639 (CVSS 7.1)
4.  CVE-2023-1751: Improper Input Validation CWE-20 (CVSS 7.5)
5.  CVE-2023-1752: Improper Authentication CWE-287 (CVSS 8.1)

Until Nexx issues a fix, Sabetan and CISA recommend that users unplug affected devices. 

"If you are a Nexx customer, I strongly recommend disconnecting your devices and contacting Nexx to inquire about remediation steps," Sabetan said in his disclosure. "It is crucial for consumers to be aware of the potential risks associated with IoT devices and to demand higher security standards from manufacturers."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Garage Door Openers Open to Hijacking, Thanks to Unpatched Security Vulns

Application security is the dominant trend for this year's startup contest, but AI, blockchain, and compliance are all represented as well.

The need for complying with government rules, securing post-pandemic distributed workforces, and improving artificial intelligence (AI) capabilities is driving the cybersecurity startup scene this year, as demonstrated by the 10 finalists for the RSA Conference 2023 Innovation Sandbox competition.

"\[A\]pplication security (AppSec) is well represented in the competition, which is symptomatic of where we are in the digital transformation process," wrote Omdia senior principal analyst Rik Turner. (Link requires registration.)

Turner attributed the continued rise in AppSec interest to the growth of remote access fueled by the COVID-19 pandemic that closed offices and schools worldwide and forced organizations to adapt to remote access.

"The WFH trend is, at least in part, certain to continue, even as the pandemic ebbs into endemic status," he said.

At the live event on Monday, April 24, at RSA Conference in San Francisco, judges will hear presentations from these 10 finalists, listed in alphabetical order: AnChain.AI; Astrix Security; Dazz; Endor Labs; HiddenLayer; Pangea; Relyance AI; SafeBase; Valence Security; and Zama.

**Big Year for AppSec**

The importance of AppSec — eliminating security vulnerabilities at the application level during development and implementation — was underscored by the Log4j crisis.

"With modern app architecture increasingly componentized and ever more willing to reach out to third-party apps for services such as payments and maps, threat actors can now compromise one website to gain access to the apps on many others," Turner said.

Astrix aims to secure the communications between apps of all kinds, an area sometimes called SaaS-to-SaaS security. It emphasizes extending access management to machine and other nonhuman identities to make connecting an organization's core systems to cloud services safer.

Dazz offers "accelerated cloud remediation," which uses automation to winnow down security alerts and smooth out developers' workflow. Besides its potential to improve the speed and accuracy of a first wave of incident response, automation can reduce alert fatigue, a much-discussed element of burnout.

Endor Labs focuses on tracking and managing open source components, which Log4j revealed as a largely untracked and widespread source of potential vulnerabilities. Software bills of materials (SBOMs) grew in prominence when US President Joe Biden issued an executive order in May 2021, mandating the creation of SBOMs in the wake of the Colonial Pipeline hack.

"\[E\]ven before then, the sheer amount of open-source libraries that developers were embedding in their code had become a major source of concern, giving rise to the emergence of an entirely new market segment, called software composition analysis (SCA)," Turner pointed out.

Pangea helps organizations create secure, compliant cloud security services by using a block-based API builder and hosting the services itself.

"Organizations don’t necessarily know whether the APIs written by their own developers are secure, let alone the third-party APIs that their apps may be using once they're in production," Turner wrote.

By using this library of secure APIs, developers avoid the entanglements of open source libraries typically tapped when building applications.

**The Role of AI**

AI has been hot, but with ChatGPT having a pop culture moment — and raising its own security concerns — companies are couching their products in AI terms wherever sensible. And while some AI hype is just jumped-up automation, AI has brought a lot of benefits to cybersecurity.

Relyance AI emphasizes machine learning as a way to track personal data as it moves through internal and third-party APIs, as well as other systems, in order to ensure compliance with privacy regulations. Turner classed the company as "a data security company that also has one foot in the AppSec world ... with technology designed to address the business environment that digital transformation creates."

HiddenLayer looks to secure an underrated business asset: machine learning data sets. Its technology, which the company calls machine learning detection and response (MLDR), monitors ML algorithms' inputs and outputs to look for "anomalous activity consistent with adversarial ML attack techniques," the company says.

The stakes are high — if the machine learning training data is corrupted, its outputs will be faulty, and it's difficult to peer inside the black box to see what the problem is.

"After all, anyone who can 'poison the well' of data being used in such analytical exercises has the potential to skew their outcomes, resulting in bad or erroneous insights, whether they be for business decisions, medical procedures, or even military strategy," Turner said.

**Web3 Protections**

AnChainAI secures a very Web3 asset: the blockchain. With a recent wave of cryptocurrency heists and concomitant calls for regulation, organizations that maintain crypto wallets need to ensure they are not a victim of — or party to — crime. The company built a predictive engine to identify and flag suspicious transactions, and it aims to sell its Know Your Wallet, forensics, and contract evaluation services to financial institutions, asset owners, and governments.

Zama also addresses Web3 concerns with a set of open source cryptographic tools for building fully homomorphic encryption (FHE) applications that protect data security. The company says its tools allow data to be processed without being decrypted, which allows true end-to-end encryption. Zama sees its technology as enabling the next stage of Web security, "httpz," which the company says goes beyond https-based security to encryption.

**Serious Business**

SafeBase creates a centralized repository of security policies and compliance documentation to make security reviews faster. It addresses a specialized but necessary part of third-party risk management, including distributing updated certifications and managing nondisclosure agreements.

Turner noted the value of a "single source of truth, but pointed out, "The big question must be how those customers can then verify that the data they are receiving from the Trust Center is legitimate."

Valence Security secures cloud workflows using SaaS security posture management (SSPM). It uses a combination of services to monitor a client's mesh of third-party SaaS applications, detect and remediate misconfigurations, and manage identity security. Turner noted that while there's lots of opportunity in the SSPM space and cloud security market, that means Valence faces a fair amount of competition as well.

The winner will be announced at the end of the presentations. The judges this year are Niloofar Razi Howe, senior operating partner at Energy Impact Partners; Paul Kocher, independent researcher and founder of Cryptography Research; Shlomo Kramer, co-founder and CEO of Cato Networks; Barmak Meftah, co-founder and general partner at Ballistic Ventures; and Christopher Young, executive VP of business development, strategy, and ventures at Microsoft. All but Meftah are returning as judges from last year.

AppSec Looms Large for RSAC 2023 Innovation Sandbox Finalists

Using only ChatGPT prompts, a Forcepoint researcher convinced the AI to create malware for finding and exfiltrating specific documents, despite its directive to refuse malicious requests.

A security researcher has tricked ChatGPT into building sophisticated data-stealing malware that signature and behavior-based detection tools won't be able to spot — eluding the chatbot's anti-malicious-use protections.

Without writing a single line of code, the researcher, who admits he has no experience developing malware, walked ChatGPT through multiple, simple prompts that ultimately yielded a malware tool capable of silently searching a system for specific documents, breaking up and inserting those documents into image files, and shipping them out to Google Drive.

In the end, all it took was about four hours from the initial prompt into ChatGPT to having a working piece of malware with zero detections on Virus Total, says Aaron Mulgrew, solutions architect at Forcepoint and one of the authors of the malware.

**Busting ChatGPT's Guardrails**

Mulgrew says the reason for his exercise was to show how easy it is for someone to get past the guardrails that ChatGPT has in place to create malware that normally would require substantial technical skills.

"ChatGPT didn't uncover a new, novel exploit," Mulgrew says. "But it did work out, with the prompts I had sent to it, how to minimize the footprint to the current detection tools out there today. And that is significant."

Interestingly (or worryingly), the AI-powered chatbot seemed to understand the purpose of obfuscation even though the prompts did not explicitly mention detection evasion, Mulgrew says.

This latest demonstration adds to the rapidly growing body of research in recent months that has highlighted security issues around OpenAI's ChatGPT large language model (LLM). The concerns include everything from ChatGPT dramatically lowering the bar to malware writing and adversaries using it to create polymorphic malware to attackers using it as bait in phishing scams and employees cutting and pasting corporate data into it.

Some contrarians have questioned whether the worries are overhyped. And others, including Elon Musk, an early investor in OpenAI, and many industry luminaries, have even warned that future, more powerful AIs (like the next version of the platform that ChatGPT is based on) could quite literally take over the world and threaten human existence.

**Prompting Malicious Code Into ChatGPT**

Mulgrew's research is likely to do little to calm those who see AI tools as posing a major security risk. In a Forcepoint blog post this week, Mulgrew provided a step-by-step description of how he coaxed ChatGPT into building a full-fledged malware tool starting with an initial request to generate code that would qualify as malware.

When ChatGPT's content filter predictably denied that request, Mulgrew decided to take an approach where he would try and get the AI tool to generate small snippets of code which, when put together, would function as data-stealing malware.

His first successful prompt was when he got ChatGPT to generate code that would search for PNG image files larger than 5MB on the local disk. Using that code, he then asked ChatGPT for additional code for encoding any discovered PNGs with steganography. It was a prompt to which ChatGPT responded by providing a call to readily available steganographic library on GitHub. 

Using a series of other prompts, Mulgrew then got ChatGPT to generate additional code to look for and find Word and PDF documents on the local disk. He then figured out a way to get ChatGPT to write code for breaking up files larger than 1MB into smaller chunks, inserting them into the PNGs, and using steganography to hide them. 

The final piece was getting the chatbot to write code for uploading the data to an external Google drive account — Mulgrew successfully tricked the AI into creating malware despite its training to refuse malicious requests.

**Zero Detections on Virus Total**

To test if malware detection tools would flag the ChatGPT-generated code as malicious, Mulgrew uploaded the code to Virus Total. He found that five vendors out of 60 marked the file as suspicious. After figuring out the issue might have to do with how the ChatGPT code called the steganographic library, Mulgrew asked the chatbot to tweak the code, after which only two vendor products flagged it as suspicious. After some further tweaking, he finally ended up with code that no products on VirusTotal detected.

For initial infiltration, Forcepoint researchers asked ChatGPT to create a SCR file or screensaver file and embed the executable inside it under the disguise of additional "ease of use" for everyday business applications, Mulgrew says. 

"ChatGPT happily generated step-by-step instructions on how I could do that and configure the SCR file to auto launch the executable." While the method is not unique, it was interesting that ChatGPT generated the content without Forcepoint researchers having to find ways to bypass its guardrails, he says.

Mulgrew says it's almost certain that ChatGPT would generate different code for similar prompts meaning that a threat actor would relatively easily be able to spin up new variants of such tools. He says that based on his experience, a threat actor would need little more than basic knowledge of how to write malware to get past ChatGPT's anti-malware restrictions. 

"I don't write malware or conduct penetration tests as part of my job and looking at this is only a hobby for me," he says. "So, I'd definitely put myself more in the beginner/novice category than expert hacker."

Researcher Tricks ChatGPT Into Building Undetectable Steganography Malware

The homepage of a widely used Dark Web forum for stolen cookies and other compromised data has been replaced by a seizure notice by the US federal law enforcement agency.

The FBI has seized the Genesis Market, one of the largest and most widely used Dark Web forums for stolen cookies, credentials, and tokens, plus bots and other tools for initial access to victim networks. It's yet another blow dealt by international law enforcement to those engaged in cybercriminal activity worldwide.

On Tuesday, the homepage of the marketplace was replaced with a notice that "this website has been seized" by the FBI as part of "Operation Cookie Monster." The notice cited a seizure warrant issued by the United States District Court for the Eastern District of Wisconsin as the impetus for the activity.

The seizure of Genesis was a collaborative effort between international law enforcement agencies and the private sector, according to the notice, which included the logos of European law enforcement agency Europol; Guardia Civil in Spain; Polisen, the police force in Sweden; and the Canadian government.

The FBI also is seeking to speak those who've been active on the Genesis Market or who are in touch with administrators of the forum, offering an email address for people to contact the agency.

**Takedown of a Significant Initial Access Broker**

Genesis was founded in 2017 as an invitation-only marketplace offering malicious actors access to other people’s data, from credentials and cookies to digital fingerprints.

    

Screenshot of Genesis Market seizure notice.

A report last August by Sophos shed light on just how impressive an operation the site had become as an initial access broker (IAB), a service that helps threat actors gain a foothold in targeted networks to conduct various nefarious activity, including ransomware and cyber espionage.

"Genesis Marketplace is one of the earliest full-fledged IABs, and certainly one of the most polished," Sophos researchers said in the report at the time.

At that point, the site listed 400,000 bots, or compromised systems, and provided not only stolen data that cybercriminals could use to launch phishing and other cyberattacks, but also offered well-maintained tools—including bespoke offerings to help would-be threat actors evade detection and facilitate their abuse of that data.

Indeed, Genesis demonstrated the "growing professionalization and specialization of the cybercrime sphere," with the site earning money by gaining and maintaining access to victim systems until administrators could sell that access to other criminals, according to Sophos.

The various tasks that the Genesis Market bots could undertake included large-scale infection of consumer devices to steal digital fingerprints, cookies, saved logins, and autofill-form data stored on them. The marketplace would package up that data and list it for sale, with prices ranging from less than $1 to $370, depending on the amount of embedded data that the packages contained.

**Another Win for Law Enforcement**

Its position as a resource for rampant malicious cyber activity gained Genesis the attention of international authorities, which have been working together in a collaborative effort to take down not only various cybercriminal gangs but the Dark Web sites that help facilitate their activity.

Indeed, Genesis is another feather in the cap of the FBI and its cohorts, which already have put out of commission two other forums that provided significant resources for cyber-threat actors.

In March, the BreachForums underground hacker site went offline less than a week after its alleged leader was arrested in New York. Five days before the shutdown, US federal agents arrested man called Conor Brian Fitzpatrick, who they alleged was the chief operator behind BreachForums' administrator handle "pompompurin," in Peekskill, NY.

BreachForums itself had emerged in April 2022 in the wake of the takedown by the Department of Justice and other international agencies of another Dark-Web cybercriminal resource, RaidForums. Both marketplaces were major facilitators for cyberthreat activity, allowing users to buy and sell data obtained from breaches.

Other arrests of notable and alleged cybercrime figures in the last year include last week's arrest of one of the LockBit ransomware gang's ringleaders in Ontario, Canada; last month's extradition of Ukrainian national Yaroslav Vasinskyi from Poland to the US to be brought up on charges for his role as a member of the Sodinokibi/REvil ransomware group; and October's arrest by Brazil's Federal Police of a Brazilian man suspected to be a member of the cybercrime organization Lapsus$ Group.

FBI Seizes Genesis Cybercriminal Marketplace in 'Operation Cookie Monster'

Multiple QNAP operating systems are affected, including QTS, QuTS hero, QuTScloud, and QVP Pro appliances, and some don't yet have patches available.

A pair of zero-day vulnerabilities in several Quality Network Appliance Provider (QNAP) operating systems (OS) for network-attached storage (NAS) appliances are impacting an estimated 80,000 devices worldwide. They remain unpatched for two of the four affected OSes.

QNAP provides gear and software for Internet of Things (IoT) storage, networking, and smart video. The OS bugs, discovered by researchers at Sternum, are memory access violations, which could cause unstable code and could provide a path for an authenticated cybercriminal to execute arbitrary code.

The vulnerabilities, tracked under CVE-2022-27597 and CVE-2022-27598, impact the QTS, QuTS hero, QuTScloud, and QVP OS, according to Sternum, and have been fixed in QTS version 5.0.1.2346 build 20230322 (and later) and QuTS hero version h5.0.1.2348 build 20230324 (and later). The QuTScloud and QVP OS remain unpatched, but QNAP said that it is "urgently fixing" the flaws.

    

Source: QNAP

Sternum researchers explain the memory access violations affect the performance, as well as the security of the QNAP devices.

"From a performance point of view, they could lead to stability issues and unpredictable code behavior," Sternum's director of security of research Amit Serper says. "From a security perspective, they can be used for arbitrary code execution by a malicious threat actor."

The QNAP security advisory adds, "If exploited, the vulnerability allows remote authenticated users to get secret values."

While the bugs are rated "low severity," and so far, Sternum's researchers have not seen them exploited in the wild, getting a patch in place quickly matters — QNAP users continue to be a favorite target among cybercriminals.

**Why Is QNAP Cyberattacker Catnip?**

The DeadBolt ransomware group in particular was seen exploiting a range of zero-day vulnerabilities in a series of wide-rangingcybercampaigns against QNAP users in 2022 alone, surfacing regularly in May, June, and September.

DeadBolt is clearly dead set, as it were, on putting effort into finding — and exploiting — QNAP flaws, preferably critical zero-days, according to Mark Parkin, senior technical engineer with Vulcan Cyber.

"It's sometimes said that finding one vulnerability in a target will lead people into looking for more," Parkin explains. "The issue here is that they are finding more as they look. It almost makes you wonder if the attackers don't have access to the source code, or some other way to get an inside track."

Collusion suspicions aside, it's up to organizations to make sure their highly targeted QNAP systems are up to date, especially given that new bugs are coming to light with some frequency. In addition to the most recent findings from Sternum, in February, users of QNAP QTS OS were alerted to a critical SQL injection issue with a CVSS score of 9.8. The disclosures just widen the attack surface further.

In the case of the most recent vulnerabilities, users with systems without a patch available should employ a strong endpoint detection and response (EDR) solution and look for indicators of compromise. Because cyberattackers would need to be authenticated, doing an audit of who has access to vulnerable systems and providing additional authentication protection could also help mitigate an attack.

One researcher warns that even in cases where patches are available, truly locking down the appliances might require a shift in mindset for some companies. 

"QNAP devices are very attractive to cybercriminals whose strategy is to ask a large number of victims for a small amount of money," Bud Broomhead, CEO of Viakoo says. "Because QNAP devices, along with many other IoT devices, are largely managed outside of IT, they are often misconfigured, left unprotected by a firewalls, and left unpatched."

He adds, "These devices often are invisible to corporate IT and security teams and do not get audited or observed when they fall out of compliance, such as by being on out-of-date and insecure firmware."

Source

DARKReading