After several weeks and more than 130 ransomware victims, GoAnywhere parent company Forta issues a statement.

A vulnerability in a commonly used file transfer service called GoAnywhere has allowed the Clop ransomware group to breach about 130 organizations. Weeks later, details are still emerging about the sprawling attack.

Up until now, those details weren't coming from GoAnywhere parent company Fortra. It's been the victim organization making headlines with public data breach disclosures. GoAnywhere customers which have disclosed that they were breached through the GoAnywhere MFT remote code execution vulnerability, tracked under CVE-2023-0669, so far include Community Health Systems, Hatch Bank, cybersecurity company Rubrik, Hitachi Energy, and the City of Toronto, which, when totaled up, represent the exposure of millions of people's private data to the worst cybercriminal elements.

Clop cybercriminals were eager to provide details of their campaign, claiming on their leak site they used the exploit over the course of 10 days to breach more than 130 companies, according to reports.

For its part, Forta has remained publicly quiet about the steady stream of disclosures. But today, it gave Dark Reading a statement with reassurances that it's committed to helping its customers navigate what is evolving into a communications, as well as a cybersecurity, crisis for the company.

"On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution," Fortra says in a statement issued to Dark Reading. "We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying a developed patch."

Fortra added that it remains committed to supporting its affected users.

"We are working diligently to notify customers who may have been impacted and we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue," Fortra's spokesperson's statement adds. "We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue."

**Fortra's Communications Under Fire**

First reports of the GoAnywhere zero-day were shared on Feb. 2 by cybersecurity news site KrebsOnSecurity, which, after finding the advisory stuffed behind a login page, simply pasted the information for the public to see. Days later a patch was issued by Fortra. Betting on patch lagging, in the ensuing days, the Clop ransomware threat actors were able to take advantage. On Feb. 10, the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of known exploited vulnerabilities catalog. 

Nonetheless, companies have continued to get caught up in the ongoing campaign. And despite Fortra's assurances, cybersecurity analysts, experts, and watchers are widely critical of the company's lack of communication and slow response in offering guidance to victims and targets. The attack surface is broad, too, it should be noted: According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. And according to data from Enlyft, most of those are large organizations — with at least 1,000 and often more than 10,000 employees — mostly based in the United States.

"This one wasn't communicated well, challenging even the best security teams to respond," Heath Renfrow, co-founder of Fenix24 tells Dark Reading in response to the freshly issued statement from Fortra. "This is a good example of how it is necessary for security professionals to have multiple sources of threat intelligence — beyond just their providers — to cover every base. That said, it has been communicated now and anyone using the solution should patch immediately."

Slow communication can be especially detrimental in a software supply chain attack scenario, Dirk Schrader, vice president of security research at Netwrix said.

"To prevent further evolvement of a supply chain attack, it is crucial for the first victim in line to communicate openly and in detail about what happened," he noted via email. "It helps other links in this chain to be prepared for an upcoming threat and minimizes possible damage. It is likely that the current attack was accelerated due to details about this zero-day not being disclosed in a timely manner."

Dark Reading asked Fortra for a response to the criticism of its handling of the cybersecurity incident but has not received a response. Meanwhile, Forta's customer, the City of Toronto, when asked about its communications with Fortra regarding the breach, gave a simple response by email: "Fortra has been communicating with the City and continues to do so."

This isn't the first time users of Clop ransomware have pulled off a mass breach like this. Russian-based FIN11 used Clop ransomware in December 2020 to jump on a similar Accellion zero-day flaw.

Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw

Indicators point to Twitter's source code being publicly available for around three months, offering a developer security object lesson for businesses.

Some of Twitter's proprietary source code had been publicly available on Github for nearly three months, according to information gleaned from a DMCA Takedown request filed on March 24.

GitHub is the world's largest code hosting platform. Owned by Microsoft, it serves more than 100 million developers and contains nearly 400 million repositories in all.

On March 24, GitHub honored a Twitter employee's request to remove "proprietary source code for Twitter's platform and internal tools." The code had been published in a repository called "PublicSpace," by an individual with the username "FreeSpeechEnthusiast." The name is an apparent reference to Elon Musk's _casus belli_ for taking over Twitter back in October (a philosophy which has been unevenly implemented in months since).

The leaked code was contained in four folders. Though inaccessible as of March 24, some of the folder names — like "auth" and "aws-dal-reg-svc" — seem to give some hint at what they contained within.

    

Source: TorrentFreak

According to Ars Technica, FreeSpeechEnthusiast joined Github on Jan. 3 and committed all the leaked code that same day. That means, in all, the code was entirely accessible to the public for nearly three months.

**How Enterprise Source Code Leaks Happen**

Major software companies are built on millions of lines of code and every so often, for one reason or another, some of it can leak.

"Bad actors, of course, play a major role," says Dwayne McDaniel, developer advocate for GitGuardian. "We saw it last year in cases like Samsung and Uber involving the Lapsus$ group."

Hackers aren't always a part of the story, though. In Twitter's case, circumstantial evidence points to a dissatisfied employee. And "a good deal of it also comes from code ending up where it does not belong unintentionally, as we saw with Toyota, where a subcontractor made a copy of a private codebase public," he adds. "The complexity of working with git and CI/CD combined with an ever-growing number of repos to deal with for modern applications means code on private repos can become public by mistake."

**The Problem of Source Code Leaks for Enterprises**

For Twitter and companies like it, source code leaks can be a much bigger problem for cybersecurity than copyright infringement. Once a private repository becomes public, all kinds of harm can follow.

"It's important to remember that source repositories often contain more than just the code," notes Tim Mackey, principal security strategist for the Synopsys Cybersecurity Research Center. "You'll find test cases, potentially sample data along with details on how the software should be configured."

There may also be sensitive personal information and authentication information hidden in the code. For example, "for some applications that are never intended to be shipped to customers, the default configuration contained in the source code repository might just be the running configuration," Mackey says. Hackers can use stolen authentication and configuration data to carry out bigger and better attacks against the victim of a leak.

That's why "companies should adopt a more secure secrets management strategy, combining secrets storage with secrets detection," says GitGuardian's McDaniel. "Organizations should also audit their current secret\[s\] leakage situation to know what systems are at risk if a code leak does occur and where to focus prioritization."

But in cases where the leak comes from the inside — like Twitter's — even greater caution is warranted. It requires thorough threat modeling and analysis of an enterprise's source code management, says Mackey.

"This is important because if someone can trigger a source code leak, then they may also have the ability to change the source code," he says. "If you're not using multifactor authentication for access, enforcing limited access to only approved users, enforcing access rights, and access monitoring, then you may not have a full picture of how someone might exploit the assumptions your development teams have made when they secured their source code repository."

Twitter's Source Code Leak on GitHub a Potential Cyber Nightmare

From rising stars to veterans heading up research teams, check out our profiles of women making a big impact in cyber defense as the threat landscape expands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Women Leading the Charge in Cybersecurity Research & Analysis

Key vaults, aka key-management-as-a-service (KMaaS), promise to allow companies to encrypt sensitive data across cloud and third parties with granular control.

As cloud infrastructure and compliance regulations become more complicated, companies are looking to simplify data security by adopting more pervasive encryption of sensitive data and consolidating key management into a single repository or service.

On March 22, email and file security firm Virtru became the latest data-protection firm to offer customers a single vault for key management, when it announced a private keystore that works with Google Workspace, Google Cloud, and the company's other products. The product manages encryption keys, configures policies, and allows audits of access to encrypted data.

Virtru had already offered encryption for email and files stored in the cloud, but the sensitivity of data and need for complying with government requirements led customers to ask for a "hold-your-own-key," or HYOK, capability, says Mike Morper, senior vice president of product at Virtru.

"We have customers that have come to us, who ... want to ensure absolutely no entity other than the intended recipient has access to \[a particular piece of\] information," Morper says. "We first started hearing this rooted in a lot of data-sovereignty conversations, particularly with some of our customers in Europe ... and it was paramount to them that they would have the ability to manage their own private keys."

As companies increasingly look to protect data with pervasive encryption, consolidated key management is coming into its own. Currently, 62% of companies have an encryption policy that is consistently applied, up from 50% in 2021, but more than half of companies still have trouble identifying all sensitive data, and 59% of businesses find key management to be very painful, according to Entrust's "2022 Global Encryption Trends Study."

Moreover, a set of headaches — including managing keys, limiting who can access data, and auditing that access — have grown more severe as companies need to comply with privacy regulations from multiple countries and ensure the security of data across multiple clouds, says Kevin McKeogh, vice president of product management for data protection solutions at Entrust.

"Encrypting data is easy. Managing the keys that are used to encrypt the data is what becomes increasingly challenging for organizations as they scale operations," he says. "With a growing volume of data now processed across distributed systems — on-premises and in multicloud environments — organizations need to maintain control of the keys to ensure data is protected and available to the applications that need to use the data, and to stay compliant to regulations."

**Key Management Plus Granular Access Control**

Take the move to multiple clouds — a significant operational challenge for data protection systems. By 2024, international data residency and privacy requirements will push more than 40% of organizations to adopt a third-party, multicloud key-management-as-a-service (KMaaS) offering instead of relying on the bespoke key management services offered by many cloud providers, states a Gartner report on KMaaS offerings commissioned by Thales, a data-protection provider.

The challenge of managing encrypted data, permissions, and access lists across multiple clouds and their associated key management systems has resulted in at least half of companies encrypting less than 40% of their sensitive data in the cloud, according to the "2022 Thales Data Threat Report."

"The typical enterprise has at least five different key managers deployed, so key sprawl is an issue," says Todd Moore, vice president of encryption products at Thales. "This complicates things like key rotation and retiring keys. The best practice is to have one centralized key management platform that can support the vast majority of your key management operations."

A central vault for sensitive keys can help make even complex situations simpler. This year, for example, at least 81% of companies are expected to use multiple cloud infrastructures, up from 60% in 2022, according to Forrester Research's "Unlocking Multicloud's Operational Potential" report, commissioned by secrets management firm HashiCorp. For those companies, encrypting data across cloud services and using a centralized vault to manage access to that data through keys allow for more control.

In addition, companies that rely on a single cloud provider's key management solution may be at greater risk. Privacy and data-protection regulations, such as the European General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), explicitly require — or heavily imply — that encrypting sensitive data is necessary and that self-custody of keys is preferred, says Andy Manoske, principal product manager for cryptography and security at HashiCorp.

"This is especially the case if data sovereignty requirements attempting to protect against a privileged adversary within a client's cloud service infrastructure are at play," he says. "While an adversary may not be able to compromise that key management system, they could render it inoperable if they have privilege within a single cloud hosting both data encryption and key management."

**Private Keystore or Key Management as a Service?**

While a private keystore is a solution, it is not the only one. Key-management services that provide HYOK can satisfy government regulations and business security requirements, while still giving companies the expertise and support they need to manage a complex task. Keys need to be protected, but defenders must understand the company's threat model and what types of attacks are likely in order to best select the appropriate encryption technologies.

Deploying encryption and maintaining a private keystore require some deep expertise within a company, Manoske says.

"Private keystores usually provide flexibility in how keys are retrieved and used for cryptography — a flexibility usually necessary when deploying cryptography within high-performance applications with significant automation," Manoske says. "This flexibility comes at the cost of usually requiring more sophistication from the defender in protecting against side-channel attacks — attacks that 'go around' the mathematical protections of cryptography to tamper with or steal keys."

While a company can retain ownership of critical keys, some KMaaS offerings can simplify the business' data security and provide necessary capabilities, such as access control and auditability, says Virtru's Morper.

"That's the hard part and, frankly, probably where the preponderance of adoption and friction come into play," he says. "So it really starts to become a balance for organizations. It's a security-policy decision and a business decision they need to make — what level of friction is appropriate and against what degree of risk?"

Drive to Pervasive Encryption Boosts Key Management

Don't assume stakeholders outside security understand your goals and priorities, but consider how you'll communicate with them to gain their support.

In the two decades I've spent in cybersecurity, I've observed and experienced the fighting spirit of security professionals: When tasked with safeguarding information assets, we envision ourselves erecting defenses to keep threat actors at bay, or we emulate malicious actions to find flaws in the organization's security measures before attackers exploit them. We fight.

The combative mindset of security professionals finds its way into our interactions with colleagues within our organization. We witness and sometimes contribute to conflicting opinions regarding the urgency with which security issues should be addressed, and we disagree on the best ways to address security risks. And we fight for a share of the budget that might shrink if other departments' needs are prioritized above our own.

This cybersecurity vs. everyone way of operating is counterproductive because it contributes to security professionals being seen as detractors and distractors. To succeed in today's workplace, we must operate as business enablers, not blockers. We can do this by adjusting our mindset, developing empathy for the role and objectives of colleagues throughout the organization, and communicating security benefits in business terms.

**Collaboration: The Future of Security**

Security teams are often seen as separate entities by the rest of the organization. To increase integration and understanding, all teams at the company need to have open conversations about their shared goals and objectives. After all, each team may have different skill sets and roles, but both ultimately want the organization to succeed. 

Start here: Have those in each team define what success looks like to them. Then look at how that can be achieved within the context of broader business objectives. Differences are OK and expected, but finding the thread that ties us together is the only way to find common ground. Looking at wider business objectives makes it easier to understand how teams can work together to shift the organization closer to those goals.

Agreeing on shared objectives — while recognizing each team's unique roles and interdependencies — will allow everyone to collaborate more smoothly.

**Invest in Persuasion, Communication for Security Buy-in**

Like it or not, cybersecurity leaders often have to work harder than others to justify our presence and initiatives. Yet our initiatives often span multiple departments and depend on buy-in from other executives. Therefore, we need to put extra care into how we persuade and communicate outside the security team to get support for our efforts.

To gain others' support for a security request or project, there are multiple considerations.

*   **Who needs persuading?** Understand the dependencies of your security effort to determine which teams — and which specific individuals — are stakeholders in your effort. Depending on whether they'll be initially supportive or skeptical, you'll need to tailor your communications accordingly.

*   **What are their objectives?** Presumably, you already understand why you're pursuing a particular security project, but how does it support the needs of your stakeholders outside security? Understand what's important to them, so they'll be more inclined to support you.

*   **What do they need to know?** Some want to see technical details, but not everyone. Some people focus on costs, others on revenue, others don't think in financial terms at all. Present the information appropriate for the individual to get their buy-in.

*   **Why should they trust you?** Whether you're seeking funding, expertise, or time from others, consider how you'll demonstrate that their support will not go to waste. To signal credibility, present metrics from earlier security projects or point to your initiatives that succeeded in the past.  

Instead of assuming that others understand what you're looking to achieve and why the effort is important, consider what steps you'll take to persuade and communicate with non-security stakeholders to gain their support.

**Link to Business Needs in Budget Discussions**

The importance of positioning security in business, rather than technology terms is most important during budget discussions. While it's good news that cybersecurity is one area where spending remains fairly stable, any security leader needs to firmly justify their requests.

Start by answering the persuasion and communication questions above to establish the foundation for your budget discussion with the CFO or other relevant parties. 

Next, understand the business scenarios that the company is considering for its next year: Is the organization expecting its revenue to shrink? Will some product lines likely expand? Any changes in the geographic regions the company services? Can you expect business as usual, or will the company's activities likely to experience significant disruption?

Continue by outlining your security objectives, then link them to the company's business objectives. Since the exact future is unknown, be prepared to discuss how your requests might change based on the scenario in which your company might find itself. For example, if the firm might open an office in a new country, you might need to hire a security person to support that region. Or if your firm will introduce a new product, you might need to fund the training of your application security team in the corresponding technologies.

Be ready to not only clarify how the security expense item benefits the company but also why now is the time to invest in that project, person, or initiative. Explain how the company might be affected if that item doesn't get funded, but do so without spreading fear, uncertainty, and doubt, which often dominate security discussions with stakeholders.

Cybersecurity vs. Everyone: From Conflict to Collaboration

The joint partnership represents expanded market opportunities.

**BETHESDA, Md.****,** **March 24, 2023** **/PRNewswire/ --** Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to combine their unique offerings to address the rapidly increasing threat to critical infrastructures around the world. This partnership couples the CyberSecure IPS Manhole Protection System with Lockdown's suite of security devices to strengthen the Defense in Depth (DiD) critical infrastructure security portfolio. This combination presents a series of defensive mechanisms which are layered in order to protect valuable data and information. In the unlikely event one mechanism fails, another is triggered immediately to thwart an attack. This multi-layered approach with intentional redundancies increases the security of a system as a whole and addresses many different attack vectors.

"Our emphasis in developing time-tested software disciplines for the critical infrastructure/enterprise market is a natural fit for the products and services pioneered by LockDown. Our software already meets government-standards for the broad-based cyber-physical security sector. Working together with David and the LockDown team we can ensure current and new customers have access to the industry's leading capabilities, taking our customer focus to another level," states Scott Rye, CEO and Co-Founder of CyberSecure.

David Barton, VP of LockDown, continues, "Our company's founding and growth reflects a focus on solving customer problems at each turn. We see this strategic alliance as a springboard to expand our addressable customer market building upon our long history within underground infrastructure and government installations. CyberSecure's industry leading software solutions and Manhole Protection System will ensure that customers truly have confidence to meet the ever-growing requirements for best-of-breed security."

Scott concluded, "Aligning with LockDown as every area of critical infrastructure demands greater capabilities just makes good business sense. We together can now address Power systems, Chemical, Energy, Telecommunications and a host of critical infrastructure sectors in a way that brings complete one-stop solutions to the table for security officers and their Boards."

**About CyberSecure IPS**

A global leader in the cybersecurity space, CyberSecure IPS constantly innovates its suite of patented software and hardware solutions which integrate to bring the physical realm under constant surveillance and provide holistic protection. The most advanced national governments and biggest data centers worldwide look to CyberSecure IPS to protect their critical infrastructure. Learn more at cybersecureips.com.

**About Lockdown Inc.**

LockDown Inc. is the most trusted and installed provider of infrastructure security devices in the world. We have installed 100,000+ devices at more than 150 military bases and hundreds of other secure locations in 30+ countries. Since 1996, we have secured infrastructure at major universities, data centers, telecoms, municipalities, utilities, corporations and manufacturers. Our devices even secure the White House and the Pentagon. Learn more at https://lockdowninc.com

CyberSecure Announces Strategic Alliance

In two days, ethical researchers from 10 countries have unearthed more than 22 zero-day bugs in a wide range of technologies at the annual hacking contest.

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver. The attacks gave them deep access into subsystems controlling the vehicle's safety and other components.

One of the exploits involved executing what is known as a time-of-check-to-time-of-use (TOCTTOU) attack on Tesla's Gateway energy management system. They showed how they could then — among other things — open the front trunk or door of a Tesla Model 3 while the car was in motion. The less than two-minute attack fetched the researchers a new Tesla Model 3 and a cash reward of $100,000.

The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities that researchers from 10 countries uncovered during the first two days of the three-day Pwn2Own contest this week.

**Gaining Deep Access to Tesla Subsystems**

In the second hack, Synacktiv researchers exploited a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset to break into Tesla's infotainment system and, from there, gain root access to other subsystems. The exploit garnered the researchers an even bigger $250,000 bounty and Pwn2Own's first ever Tier 2 award — a designation the contest organizer reserves for particularly impactful vulnerabilities and exploits.

"The biggest vulnerability demonstrated this year was definitely the Tesla exploit," says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which organizes the annual contest. "They went from what's essentially an external component, the Bluetooth chipset, to systems deep within the vehicle."

Because of the risk involved in hacking an actual Tesla vehicle, the researchers demonstrated their exploits on an isolated vehicle head unit. Tesla head units are the control unit of the car's infotainment system and provide access to navigation and other features.

**A Slew of Zero-Day Bugs**

Some of the other significant discoveries included a two-bug exploit chain in Microsoft SharePoint that fetched Singapore-based Star Labs $100,000 in rewards, a three-bug exploit chain against Oracle Virtual Box with a Host EoP that earned Synacktiv researchers $80,000, and a two-bug chain in Microsoft Teams for which researchers at Team Viette received $75,000.

The bug discoveries have fetched the researchers a total of $850,000 in winnings. ZDI expects that payouts for vulnerability disclosures will hit the $1 million mark by the end of the contest — or about the same threshold as last year. "We're heading towards another million-dollar event, which is similar to what we did last year and slightly larger than what we did at our consumer event last fall," Childs says.

Since launching in 2007 as a hacking contest largely focused on browser vulnerabilities, the Pwn2Own event has evolved to cover a much broader range of targets and technologies including automotive systems, mobile ecosystems, and virtualization software.

At this year's event, researchers, for example, had an opportunity to take a crack at finding vulnerabilities in virtualization technologies such VMware and Oracle Virtual Box, browsers such as Chrome, enterprise applications like Adobe Reader and Microsoft Office 365 Pro Plus, and server technologies such as Microsoft Windows RDP/RDS, Microsoft Exchange, Microsoft DNS, and Microsoft SharePoint.

**A Wide Range of Hacking Targets**

The available awards in each of these categories varied. Eligible exploits and vulnerabilities in Windows RDP/RDS and Exchange for example qualified for rewards of up to $200,000. Similarly, VMware ESXi bugs fetched $150,000, Zoom vulnerabilities qualified for $75,000, and Microsoft Windows 11 bugs earned $30,000.

Vulnerabilities in the automotive category — unsurprisingly — offered the highest rewards, with a total of $500,000 available for grabs to researchers who unearthed bugs in Tesla's systems, including its infotainment system, gateway, and autopilot subsystems. Researchers had an opportunity to try their hand against the Model 3 and Tesla S. Those who found ways to maintain root persistence on the car's infotainment system, autopilot system, or CAN bus system had the opportunity to earn an additional $100,000. The total offered payout of $600,000 is the largest amount for a single target in Pwn2Own history.

Ironically, the browser category, which is what Pwn2Own was all about in its early years, drew no researcher interest this year. "We're seeing about the same level of participation as in years past with the exception of the browser category," Childs says. "No one registered for that, and we can only speculate on why that is."

So far, in the 16 years that the event has been around, researchers have discovered a total of 530 critical vulnerabilities across a range of technologies and received some $11.2 million for their contribution.

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

GitHub hastens to replace its RSA SSH host key after an exposure mishap threatens users with man-in-the-middle attacks and organization impersonation.

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of the encryption scheme in an open GitHub repository.

While some may jump in alarm, assuming that the private keys were exposed due to the malicious intent of a threat actor, in truth, this occurred because of human error. There are private and public versions of SSH keys, and though public keys can be shared or published, it's essential that private keys are kept ... well, private. Though GitHub has not disclosed who published the keys or where they were published, administrators posted on their blog explaining the situation.

"This week, we discovered that GitHub.com's RSA SSH private key was briefly exposed in a public GitHub repository. We immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next thirty minutes," GitHub stated in the blog post.

GitHub replaced the RSA SSH host key to protect their users from the possibility that an adversary had seen the private key. Threat actors could use it to monitor users' operations or impersonate GitHub for follow-on attacks. 

The blog post explained that the change does not affect any customer data, requires no change for ECDSA or Ed25519, or the infrastructure of GitHub — only the operations "over SSH using RSA."

If users see a warning message, they'll need to remove old keys by way of three options: manually updating the file to remove the old entry; running a new command that GitHub listed on its blog; or via automatic updates if those are turned on. Once users see the fingerprint that reads "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s," they will have verified that their hosts are connected to the new RSA SSH key.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

A new threat actor is racking up victims and showing unusual agility. Part of its success could spring from the use of the Nim programming language.

A nascent ransomware gang has burst onto the scene with vigor, breaching at least 10 organizations in less than a month's time.

The group, which Trellix researchers have named "Dark Power," is in most ways like any other ransomware group. But it separates itself from the pack due to sheer speed and lack of tact — and its use of the Nim programming language.

"We first observed them in the wild around the end of February," notes Duy Phuc Pham, one of the authors of a Thursday blog post profiling Dark Power. "So it's only been half a month, and already 10 victims are affected."

What's odd is that there seems to be no rhyme or reason as to whom Dark Power targets, Trellix researchers said. The group has added to its body count in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the US, across the agricultural, education, healthcare, IT, and manufacturing sectors.

**Using Nim as an Advantage**

One other significant way that Dark Power distinguishes itself is in its choice of programming language.

"We see that there is a trend where cybercriminals are extending to other programming languages," Pham says. The trend is fast spreading among threat actors. "So even though they're using the same kind of tactics, the malware will evade detection."

Dark Power utilizes Nim, a high-level language its creators describe as efficient, expressive, and elegant. Nim was "a bit of an obscure language originally," the authors noted in their blog post, but "is now more prevalent with regards to malware creation. Malware creators use it since it is easy to use and it has cross-platform capabilities."

It also makes it more difficult for the good guys to keep up. "The cost of the continuous upkeep of knowledge from the defending side is higher than the attacker’s required skill to learn a new language,” according to Trellix.

**What Else We Know About Dark Power**

The attacks themselves follow a well-worn ransomware playbook: Social-engineering victims through email, downloading and encrypting files, demanding ransoms, and extorting victims multiple times regardless of whether they pay.

The gang also engages in classic double extortion. Even before victims know they've been breached, Dark Power "might have already collected their sensitive data," Pham explains. "And then they use it for the second ransom. This time they say that if you're not going to pay, we're going to make the information public or sell it on the Dark Web."

As always, it's a Catch-22, though, because "there is no guarantee that if you pay the ransom, there will be no consequences."

Thus, enterprises need to have policies and procedures in place to protect themselves, including the ability to detect Nim binaries.

"They can try to establish robust backup and recovery systems," says Pham. "This is, I think, the most important thing. We also suggest that organizations have a very precise, very powerful incident response plan in place before all of this can happen. With that, they can reduce the impact of the attack if it occurs."

Zoom Zoom: 'Dark Power' Ransomware Extorts 10 Targets in Less Than a Month

The second malicious ChatGPT extension for Chrome has been discovered, giving malicious actors access to users' Facebook accounts through stolen cookies.

Yet another version of the malicious, Facebook account-stealing ChatGPT browser extension for Google Chrome has emerged, representing a new variant in a campaign affecting thousands of users daily.

The extension, discovered by Guardio Labs, was downloaded more than 9,000 times before Google removed it from the Chrome store on March 22.

The extension also had been advertised through sponsored Google search results, aiming at users who were searching for details about OpenAI's latest Chat GPT4 algorithm. Individuals who clicked on sponsored results for the popular generative AI app were directed to a counterfeit "ChatGPT for Google" webpage, then led to the malicious extension's page on Chrome's official store.

Once installed, the malware exploits the Chrome Extension API to pilfer session cookies for Facebook accounts, giving threat actors full access to a victim's Facebook account.

"Based on version 1.16.6 of the open source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code — leaving no reasons to suspect it," Nati Tal, head of Guardio Labs, wrote in a blog post.

The latest version of the malicious extension follows one discovered earlier this month by the researchers at Guardio, which could hijack Facebook Business accounts.

From March 3 to March 9, a minimum of 2,000 individuals per day acquired that malicious "Quick access to ChatGPT" Chrome extension from the Google Play app store.

If the extension was able to access a Facebook Business account, it immediately collected all relevant data related to that account, such as ongoing promotions, available credit, currency, minimum billing threshold, and any linked credit facility.

**Malicious Chrome Extensions a Growing Threat**

Malicious Chrome extensions have been a global concern for users of the popular browser. In August 2022, a group of McAfee Labs analysts published a list of five browser extensions that engage in cookie stuffing, one of them using the video streaming service Netflix as a hook.

These extensions monitor the browsing activity of the user and insert illegitimate IDs into e-commerce websites, resulting in fabricated affiliate payments.

In that case, the applications were downloaded 1.4 million times, according to their findings.

In November 2022, researchers at Zimperium zLabs uncovered a "Swiss Army knife-like" malicious browser extension called Cloud9, aimed at Chrome and Microsoft Edge users. It enables attackers to seize control of a user's browser session remotely and execute a broad range of attacks.

The Zimperium report noted that because the Cloud9 malware does not target any specific group, it is as much an enterprise threat as it is a consumer threat.

**Kimsuky North Korean Threat Actors Target Chrome**

More recently, the German Federal Office for the Protection of the Constitution (BfV) and the South Korean intelligence service (NIS) issued a warning of a cyber-espionage group that is said to target government agencies and research organizations worldwide.

The Kimsuky group of cybercriminals, aka Velvet Chollima or Thallium, is thought to be based in North Korea and uses malicious Chrome browser extensions as well as app store services to target individuals conducting research on the inter-Korean conflict.

The hackers use so-called spear-phishing attacks. In these, targets are lured by emails to fake versions of well-known websites disguised as legitimate or tricked into installing a manipulated browser extension.

In the process, login data and other personal information could be intercepted by the attackers. Another method used by the hackers is to install malware unnoticed on Android smartphones via the Google Play app store.

Source

DARKReading