Unknown attackers made off with a raft of PII, the Justice Department says — but witnesses in the protection program are still safe.

The US Marshals Service (USMS), which is tasked with hunting down fugitives and administering the Witness Security Program, was hit with a "major" ransomware incident and data breach in mid-February, officials said.

Despite the ransomware element, USMS's fugitive-hunting operations have continued in the wake of the cyberattack, officials said. However, on Feb. 17, unidentified cyberattackers absconded with a treasure trove of important data, according to Drew Wade, a Justice Department spokesperson.

"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information \[PII\] pertaining to subjects of USMS investigations, third parties, and certain USMS employees," he told NBC News.

Meanwhile, the outlet cited unnamed sources within the DoJ as confirming that the Witness Security Program (known as the "witness protection program" in films and TV) was not affected.

The attack impacted a "standalone USMS system," Wade said, which was quarantined from the rest of the network. Even so, the incursion should be seen as a "major incident,” he added.

A concrete motive for the attack and the culprits behind it may emerge over the course of the investigation, but targeting the PII could be a prelude to a broader cyber offensive, according to Lior Yaari, CEO and co-founder of Grip Security.

"The US Marshals data breach is another example of how cybercriminals aim for identities — the most common threat target," he says, noting that the data in general would be valuable to a wide range of attacker types. "In this case, attackers were able to exfiltrate and add to the identity fabric for individuals in the USMS system, including prisoners. Compromised identities give cybercriminals an embedded position in identity fabric, thereby extending their presence anywhere and everywhere the identity goes."

US Marshals Ransomware Hit Is 'Major' Incident

Marcus Hutchins, who set up a "kill switch" that stopped WannaCry's spread, later pled guilty to creating the infamous Kronos banking malware.

It's a new chapter for Marcus Hutchins, the security researcher who was hailed a hero in May 2017 after inadvertently stopping the spread of the infamous WannaCry worm with a sinkhole he created.

Hutchins, who was arrested for creating and selling the Kronos banking Trojan a few months after his kill switch quelled WannaCry, has been named the first-ever fellow for the cybersecurity online training platform Cybrary, which serves some 3 million students. In his new role, Hutchins will head up training events and mentoring programs, advise on training content, and help build new virtual labs and other hands-on educational tools.

"When I started out in cybersecurity, high-quality training resources were few and far between. My peers and I often found ourselves making do with a mismatch of random blog posts and forum discussions. Since then, I've always strived to create the resources I wish I had access to back then," Hutchins said in a statement. "I'm a strong believer in expanding access to these foundational training resources and increasing the accessibility of the domain-specific material that is required to help people find their place in our industry."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WannaCry Hero & Kronos Malware Author Named Cybrary Fellow

The opportunistic "SCARLETEEL" attack on a firm's Amazon Web Services account turns into targeted data theft after the intruder uses an overpermissioned service to jump into cloud system.

A vulnerable Kubernetes container and lax permissions allowed an attacker to turn a opportunistic cryptojacking attack into a wide-ranging intrusion that targeted intellectual property and sensitive data.

The attack, which cloud-security firm Sysdig dubbed "SCARLETEEL," started with a threat actor exploiting a Kubernetes cluster, using an internal service to gain temporary credentials, and then used those credentials to enumerate other Elastic Compute Cloud (EC2) services that had been deployed in the targeted company's infrastructure. In the end, the company — which was not named in the incident report published today — had properly limited the scope of permissions for the stolen identity, which blunted the attack.

The incident, however, underscores that companies need to be careful when configuring the controls that allow cloud resources to interact with each other, says Michael Clark, director of threat research at Sysdig.

"Having EC2 roles being able to access other resources can be common, though usually it is tightly scoped to prevent incidents like this one," he says. "It's more about understanding how misconfigurations like this can combine with other issues leading to a larger breach."

The sophisticated cyberattack also shows that attackers are increasingly targeting cloud infrastructure in better ways. In the past, threat actors have focused on rudimentary interaction with cloud services, such as deploying cryptojacking software, but as they understand the vulnerabilities introduced by businesses in their own environments, cloud-focused attacks are becoming more popular.

In fact, observed cloud exploitation cases nearly doubled in 2022, while the number of incidents where threat actors interacted with cloud resources nearly tripled, cybersecurity services firm CrowdStrike stated in its latest annual "Global Threat Report" published on Feb. 28.

"It took a while for them to figure out how to operate in the cloud," says Adam Meyers, head of intelligence at CrowdStrike. "Organizations really need to be taking a hard look at their cloud security, because the cloud comes secure out of the box, but as people start to operate on it and change it, they make it less secure."

**From Minor to Major Security Breach**

The attacker compromised the target's cloud infrastructure through a vulnerable Internet-exposed service that allowed access to a Kubernetes pod, a technology used to manage and deploy containerized applications. Once inside the cluster, the attacker used the access to deploy containers with cryptojacking software, essentially stealing processing capacity from the victim's cloud infrastructure to mine for cryptocurrency.

"This is a common practice in automated container threats," Sysdig researchers stated in their analysis, adding that the attackers then "exploited that role to do enumeration in the cloud, search for sensitive information, and steal proprietary software."

The attackers had knowledge of how to move through the AWS cloud, including EC2 services, connecting to Lambda serverless functions, and using the continuous integration and continuous deployment (CI/CD) service known as Terraform. Because Terraform often saves the state of its pipeline to Simple Storage Service (S3) buckets, the attacker was able to retrieve those files and find at least one more additional credential in the plaintext data.

The second identity, however, had limited permissions, stopping the attacker's lateral movement, Sysdig stated in its analysis. Meanwhile, the attacker's attempts to enumerate users and cloud infrastructure led to detection, Clark says.

"It was caught by abnormal amounts of AWS actions being taken, especially from roles that shouldn't be making those types of requests," he says. "There is a threat intelligence aspect \[too\] — some of the IP addresses, which were involved, have been associated with malicious activity in the past."

**Misconfiguration, Not Lack of MFA**

The takeaways of the attack? For one, companies need to ensure that they have good visibility into the operation and telemetry of their cloud infrastructure. In addition, limiting access — even assigning read-only access to specific cloud resources — can make all the difference in stopping an attack while in progress. The more attackers hammer at resources using stolen identities, the greater chance of detecting them, according to Sysdig.

"First, zero trust and the principle of least privilege are important and if you implement them, you will reduce the likelihood of compromise," the researchers wrote. "Second, strong detections and alerts should help you catch these activities before an attacker gets too deep."

Clark also points out that multifactor authentication (MFA) technologies will likely not make a great deal of difference in blunting cloud infrastructure attacks, since most of the cloud identities that attackers take advantage of are machine identities — so, alternate protections need to be put into place.

"MFA may have been helpful for the other involved accounts to prevent their access," Clark says, "but these were internal accounts made for automation purposes rather than ones that were expected to be logged into by a person."

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist

Separate attacks on two subsidiaries of an Asian conglomerate reflect a surge of cyber-espionage activity in the region in the last 12 months.

China's Blackfly advanced persistent threat (APT) group hit two subsidiaries of an Asian conglomerate in the materials and composites sector with cyberattacks recently. Researchers say it's part of a broader, "relentless" assault of various sectors in the region aimed at stealing intellectual property (IP). 

According to a blog post published today by researchers at Symantec (which is owned by Broadcom Software), the latest activity from Blackfly (aka APT41, Winnti Group, or Bronze Atlas) occurred late last year and early this year, and it shows the group relying more on open source tools than its usual trove of custom malware. This trend is reflected by other threat groups targeting the region, which has been a hotbed of activity. Last week, for instance, researchers at Symantec revealed a new threat group dubbed Hydrochasma targeting Asia-based organizations associated with COVID-19 treatments and vaccines in an intelligence-gathering operation — solely using open source and commodity malware and tools.

Dick O'Brien, principal intelligence analyst at Symantec Threat Hunter, tells Dark Reading that this puts Blackfly's incursions in context. "This investigation is a small piece of the jigsaw," he says. "The bigger picture is that there seems to be a fairly relentless intelligence operation underway on multiple fronts."

The open source tools tactic helps them avoid detection, which in the case of Blackfly — members of whom already have been indicted by the US government — would be an attractive proposition, O'Brien says.

"This shift toward open source tools is something we've seen a lot of attackers doing," he tells Dark Reading. "It makes attacks more difficult to attribute."

**Not One, but Two Threat Groups**

Blackfly is one of the longest known threat groups operating out of China. The group originally earned notoriety by attacking the gaming industry, but has evolved to target a diverse range of organizations and sectors, including industrial control systems, semiconductor, telecommunications, pharmaceutical, media and advertising, hospitality, and more, the researchers said.

Different research groups track the APT using different monikers. In fact, some use the umbrella label APT41 to denote not just Blackfly, but also another China-backed APT known as Grayfly because the two groups are so closely associated. In 2020, the US government indicted seven men on charges relating to hundreds of cyberattacks carried out by both groups, which highlighted the link between them by identifying two Chinese nationals alleged to have worked with both, the researchers said.

As security experts have already predicted, the public attention from that indictment on APT41 has apparently done nothing to deter the group, which continues its onslaught in an attempt to steal IP from multiple business sectors, O'Brien says.

"Blackfly and a number of its peers have been highly active over the past 12 months," he says.

**A Move to Open Source Cyberattack Tools**

While the latest attacks continue the patterns of activity that researchers have seen from Blackfly in recent years, as mentioned, one new aspect is the use of open source tools that haven't been a hallmark of previous activity, O'Brien says.

Early Blackfly attacks were distinguished by the use of the PlugX/Fast/Korplug, Winnti/Pasteboy, and ShadowPad malware families. The Winnti backdoor and other custom tools were used in the recent spate of attacks (for taking screenshots, dumping credentials, querying SQL databases, and configuring proxies), but Blackfly also used for the first time an open source, proof-of-concept (PoC) app called ForkPlayground to create a memory dump of an arbitrary process, and the publicly available credential-dumping tool Mimikatz.

"While the group's technical sophistication has remained consistent, there's been a regular refreshing of its toolset, no doubt in a bid to stay ahead of detection," O'Brien notes.

**Protecting the Enterprise From Chinese APTs**

Symantec advises using an overall in-depth defense strategy and the adoption of multifactor authentication (MFA) across the enterprise network to help avoid compromise by Blackfly and other APTs aimed at stealing IP. This entails "using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain," O'Brien says.

Organizations should also monitor the use of dual-use tools inside the enterprise network and ensure that the latest version of PowerShell is deployed, as well as enable logging, and only allow remote desktop protocol (RDP) from specific known IP addresses, he adds.

Proper audit and control of administrative account usage can also help organizations avoid attacks, as well as introducing a policy for one-time credentials for administrative work on the network "to help prevent theft and misuse of admin credentials," O'Brien says.

"We'd also suggest creating profiles of usage for admin tools," he adds. "Many of these tools are used by attackers to move laterally undetected through a network."

China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP

The war on critical infrastructure demands a better security strategy.

This year started off with a bang, with critical infrastructure attacks — both physical and cyber — at an all-time high. The Cybersecurity and Infrastructure Security Agency (CISA) released 12 industrial control system (ICS) advisories warning of critical security flaws, while the hacker group GhostSec, aka Anonymous Operations, claimed to have used ransomware in encrypting an industrial remote terminal unit of the type relied on by critical infrastructure.

**Critical Infrastructure Becoming Favorite Attacker Target**

Operational technology in critical infrastructure is the new favorite target for attackers. Why?

*   **Critical infrastructure attacks result in widespread impacts.** Every second of downtime at energy suppliers, utilities, and hospitals around the world can leave communities stranded and even cost lives, forcing parties to respond quickly. Shutting down train service or a gas pipeline has enormous, highly visible consequences, including significant threats of financial harm and risk to human safety.

*   **These attacks draw international attention.** The sensitivity and value of industrial targets makes for a more compelling news story than hitting a corporate target's IT network. This is why adversaries such as GhostSec prioritize developing and publicizing their operational technology (OT) attack capabilities.

*   **Critical infrastructure attacks also increase the success of a ransomware payout.** There's an increasing need to interconnect OT networks and assets safely with IT and cloud assets to support new business initiatives (e.g., supporting today's distributed workforce via remote access), and there's a glaring lack of effective mechanisms for providing it securely, which is causing the OT attack surface to balloon. Enter attackers with sophisticated ransomware techniques at the ready.

*   **Successful attackers can and do sell their tools and tactics to adversarial governments.** For instance, disruption to Western energy suppliers can benefit an adversarial regime such as Russia's when those attacks increase European dependency on Russian energy supplies.

**DoJ Disrupts Ransomware Group Attacking Critical Infrastructure**

In the fight against ransomware, the Department of Justice (DoJ) has made progress. According to a Jan. 26 press release, the department launched a "months-long disruption campaign against the Hive ransomware group that has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure."

This announcement is a win for the DoJ, but we also need to be realistic. Adversaries are smart, and this win is bound to be short-lived. There is a lesson here for anyone responsible for securing critical infrastructure.

**Protecting Critical Infrastructure Requires a New Mindset**

Massive digital transformations happening in industrial segments (like energy, manufacturing, and utilities) require a new perspective to cybersecurity — this will become central not only to effective operations but to keeping society safe in 2023. In order to protect the world's energy infrastructure amid rising geopolitical tensions, shifting market dynamics, and fast digital transformation efforts — and all in the face of highly motivated adversaries — it's no longer enough to know you've been hacked. Preventative cybersecurity is a must, especially when it comes to safeguarding our world's scarcest resources.

If we don't shift our mindset and find ways to not only detect adversaries but also block them from being able to inflict harm, we'll continue to see these ransomware attacks succeed. They're always one step ahead and bound to already be searching for new ways to break through and impact our day-to-day lives in order to achieve their goals.

It's time for critical infrastructure operators to tackle the challenge of securely interconnecting OT assets with IT and the cloud without exposing vulnerable devices to corporate or public networks. They need to support business initiatives to allow distributed workforces and vendors to access critical components that can have a physical impact on the real world, in order to provide upgrades or manage urgent issues rapidly without opening up to new attack vectors. As OT assets grow more distributed, along with the experts who build, operate, and maintain them, this challenge will only increase. Now is the time for critical infrastructure organizations to invest in modernizing their access management and data security, leveraging zero trust strategies, to stay ahead of cyberattackers.

Rigorous cyber hardening of critical operations needs to happen — immediately. The mindset must shift from not just detecting cyberattacks, but to blocking them outright. The massive uptick in attacks should serve as a wakeup call to the industry. Even the minority of attacks that are reported publicly have become too numerous to ignore. And with the latest cybersecurity innovations, preventing harm is possible, even once the threat has already infiltrated inside an operational network.

The DoJ Disruption of the Hive Ransomware Group Is a Short-Lived Win

**Hampshire, UK – 27th February 2023:** A new study from Juniper Research has found that the number of digital identity apps in use will exceed 4.1 billion globally by 2027; rising from 2.3 billion in 2023.

This represents a growth of 82% over the next four years. This increase will be driven by the use of government-backed digital identities to replace physical identity documents as a source of verification for third-party apps, such as banking and financial services. This will be critical, as businesses aim to reduce identity theft and meet increasingly stringent KYC (Know Your Customer) regulations. Find out more about the new research: Digital Identity: Solutions Assessment, Regional Analysis & Market Forecasts 2023-2027.

**Verification Moves to Zero Trust**

The research also identified a move away from reliance on passwords for identity verification, with these replaced by biometric verification and MFA (Multi-factor Authentication) under a zero-trust model, where identities are authenticated continuously. This approach is more resistant to traditional hacking methods, such as phishing; reducing the risk of data breaches.

Zero trust will be delivered via SSO (Single Sign On), which allows the user to access multiple accounts via a central, secured system. Critical to SSO is the use of mobile subscriber identity, with the number of mobile devices using their mobile number for SSO predicted to reach 2 billion in 2027; up from 922 million in 2023.

Research author Michael Greenwood explained: _“Consumers are highly motivated by convenience; making a streamlining of user experience significant for attracting and retaining them. SSO can achieve this, whilst also appealing to security-conscious users.”_

**Identity Apps vs Digital Wallets**

The primary competition for dedicated digital identity apps will come from digital wallets, which offer payment functionality alongside a digital identity capability. For instance, in some US states, digital driver’s licences held within Apple Wallets are fully recognised. However, these digital wallets will struggle to monetise identity in the same way as they have payments, due to competition from government-run schemes limiting adoption.

Digital Identity market research: https://www.juniperresearch.com/researchstore/fintech-payments/digital-identity-research-report

Juniper Research provides research and analytical services to the global hi-tech communications sector; providing consultancy, analyst reports and industry commentary.

Active Digital Identity Apps to Surpass 4.1B by 2027

The publisher of the Wall Street Journal, New York Post, and several other publications had last year disclosed a breach it said was the work of a state-backed actor likely working for China.

The state-sponsored attackers behind a breach that News Corp disclosed last year had actually been on its network for nearly two years already by that time, the publishing giant has disclosed.

In a letter to employees last week, News Corp said an investigation of the incident showed the intruder first broke into its network in February 2020, and remained on it until discovered on Jan. 20, 2022. Over that period, the adversary had access to what News Corp described as business documents and emails pertaining to a "limited number of employees." Data that the attacker had access to at the time included names, dates of birth, Social Security numbers, driver's license numbers, and health insurance numbers, News Corp said.

**An Intelligence-Gathering Mission**

"Our investigation indicates that this activity does not appear to be focused on exploiting personal information," the letter noted, according to reports. "We are not aware of reports of identity theft or fraud in connection with this issue."

When News Corp — the publisher of the Wall Street Journal, New York Post, and several other publications — first disclosed the breach last January, the company described it as an intelligence-gathering effort involving a state-sponsored advanced persistent threat (APT). In a Feb. 4, 2022 report the Wall Street Journal identified the actor as likely working on behalf of the Chinese government and focused on gathering the emails of targeted journalists and others.

It's unclear why it took News Corp more than a year after initial breach discovery to disclose the scope of the intrusion and the fact that the attackers had been on its network for nearly 24 months. A spokesperson for News Corp did not directly address that point in response to a Dark Reading request for comment. However, he reiterated the company's previous disclosure about the attack being part of an intelligence-collection effort: "Also as was said then, and was reported on, the activity was contained, and targeted a limited number of employees."

**An Unusually Long Dwell Time**

The length of time the breach at News Corp remained undetected is high even by current standards. The 2022 edition of IBM and the Ponemon Institute's annual cost of a data breach report showed that organizations on average took 207 days to detect a breach, and another 70 days to contain it. That was slightly lower than the average 212 days it took in 2021 for an organization to detect a breach and the 75 days it took for them to address it.

"Two years to detect a breach is way above average," says Julia O'Toole, CEO of MyCena Security Solutions. Given that attackers had access to the network for such a long time, they most likely got away with a lot more information than was first perceived, O'Toole says.

While that's bad enough, what's worse is that less than a third of breaches that happen are actually detected at all. "That means many more companies could be in the same situation and just don't know it," O'Toole notes. 

One issue is that threat detection tools, and security analysts monitoring those tools, cannot detect threat actors on the network if the adversaries are using compromised login credentials, O'Toole explains: "Despite all the investment in \[threat detection\] tools, over 82% of breaches still involve compromised employee access credentials."

**A Lack of Visibility**

Erfan Shadabi, cybersecurity expert at Comforte AG, says organizations often miss cyber intrusions because of a lack of visibility over their assets and poor security hygiene. The increasingly advanced tactics that sophisticated threat actors use to evade detection — like hiding their activity in legitimate traffic — can make detection a huge challenge as well, he says.

One measure that organizations can take to bolster their detection and response capabilities is to implement a zero-trust security model. "It requires continuous verification of user identity and authorization, as well as ongoing monitoring of user activity to ensure security," Shadabi tells Dark Reading.

Organizations should also be using tools such as intrusion detection systems (IDS) and security information and event management (SIEM) systems to monitor their networks and systems for unusual activity. Strong access control measures including multifactor authentication (MFA), vulnerability management and auditing, incident response planning, third-party risk management, and security awareness training are all other crucial steps that organizations can take to reduce attacker dwell times, he says.

"Generally speaking, organizations, particularly large ones, have a difficult time detecting attacks because of their vast technology estates," says Javvad Malik, lead awareness advocate at KnowBe4. "Many organizations don't even have an up-to-date asset inventory of hardware and software, so monitoring all of them for breaches and attacks is extremely difficult," he says. "In many cases, it boils down to complexity of environments."

Attackers Were on Network for 2 Years, News Corp Says

Cloud security vendor Wiz has raised $900 million since its founding in 2020.

Cloud security vendor Wiz has reached $10 billion valuation in the wake of a $300 million Series D round. Wiz plans to use the latest investment for product development and to increase the size of its workforce.

Security teams can use Wiz's cloud security platform to analyze infrastructure hosted in public cloud services such as Amazon Web Services, Azure, and Google Cloud, as well as to monitor infrastructure-as-code, APIs, and containers for vulnerabilities and misconfigurations. The platform consolidates a range of capabilities, including cloud security posture management, external attack surface management, cloud detection and response, and cloud-native application protection. At the heart of Wiz’s offering is the "security graph," which triages and correlates attack paths so that developer and security teams have information about the cause of a breach and how to respond.

The company's rise has been stratospheric, launching in March 2020 and hitting unicorn status a year later with a valuation of $1.7 billion. Wiz was valued at $6 billion after raising $250 million in a Series C funding round in October 2021. Wiz has raised $900 million to date.

The excitement around Wiz underscores a red-hot cloud security market that has accelerated as organizations shift more of their workloads to the cloud to accommodate a growing remote workforce and to support digital transformation initiatives. There are several cloud security vendors carving out space in the market, such as Palo Alto Networks and Check Point, and quite a few are chasing venture capital funding, such as Sentra, Gem Security, Dig Security, Laminar, and Ops Security.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Wiz Reaches $10B Valuation With Consolidated Cloud Security Platform

Vouched now covers more than 85% of the global population, as demand accelerates for its platform to securely automate KYC and KYP compliance to better serve patients and drive revenue.

**SEATTLE****,** **Feb. 27, 2023** **/PRNewswire/ --** Vouched, an AI-driven identity verification platform, today announced $6.3 million financing led by BHG VC and SpringRock Ventures, as well as prior investors Darrell Cavens and Mark Vadon.

Vouched's expansion plans build upon the company's rapid growth over the past year. The company now serves more than 300 banks, fintechs, and healthcare providers, including Alloy and Hims Health. Vouched's proprietary AI and computer vision platform now covers more than 85% of the global population.

"Vouched delivers the industry's most accurate and seamless identity verification AI, enabling companies to securely accelerate onboarding, provide frictionless customer experience, and unlock new growth opportunities," said John Baird, CEO, Vouched. "We look forward to enhancing the value of our identity verification platform to the healthcare market, and ensuring we remain a trusted partner-of-choice for businesses in highly regulated markets who want a solution that can prioritize both compliance and growth." 

As businesses continue to migrate toward digital-first strategies, fast and accurate identity verification tools will become the de facto standard. By 2030, digital identity is forecast to create economic value equivalent to six percent of GDP in emerging economies on a per-country basis and three percent in mature economies, according to a report from McKinsey Digital. It is more critical than ever for financial and healthcare verticals to ensure they are in full regulatory compliance while remaining focused on delivering a secure and seamless online experience to their existing and prospective customers.

"SpringRock Ventures recognizes the increasing importance of high reliability, real-time identity verification for expanding, consumer centric businesses such as telehealth, banking, or hospitality." said Kirsten Morbeck, Managing Director. "Vouched has built an automated, AI-powered, proprietary solution that is faster, more accurate, more configurable, more scalable and less expensive than existing solutions. Vouched is poised to be a leader in providing this lynchpin of consumer confidence and transaction security to help businesses grow faster."

"Covid-19 has accelerated demand for digital identity verification while fundamentally shifting more business processes online," says Andrew Stone SVP, Fraud Management & Financial Crimes. "With this knowledge, BHG VC has been impressed by the platform's growth and development, and we're excited for the company's success in regulated industries, including financial services and healthcare."

The company will use its latest financing to enhance its platform, recruit top-tier talent, and extend its support for financial services and healthtech businesses. Founded in 2018, Vouched has raised more than $18 million to date.

**About Vouched**

Vouched is an industry leading provider of AI-based identity verification for regulated and commercial businesses who need to quickly and accurately verify individuals in order to provide access to services, while minimizing fraud risk. Vouched delivers identity verification for anyone, anywhere, providing a multi-dimensional, dynamic verification of any individual's identity, including hard-to-identify populations. Vouched is the only IDV solution that is adaptive to ensure customer growth and acquisition goals are met, while maintaining compliance requirements through a proven, deterministic decision process that leads the industry in definitive response rates. Based in Seattle, Vouched is privately held and backed by Madrona Venture Labs, Mark Vadon and Darrell Cavens, Ascend Ventures, Flying Fish VC, BHG VC, SpringRock Ventures, SeaChange Ventures. Learn more at Vouched.id and follow us on LinkedIn.

Vouched Raises $6.3M to Expand AI Identity Verification Offering to Telemedicine and Healthcare

The exposure and exploitation of hardcoded secrets continues to drive software supply chain attacks. One solution: zero new hardcoded secrets.

Secrets embedded in source code pose a risk to developers and the organizations they work in. Secrets can be used to take over both user and service accounts, which can lead to sensitive data exposure, operational risks, and financial or reputational damage.

There are many commercial and open source projects available to detect hardcoded secrets, but mitigating — by removing, obfuscating, or rotating — exposed secrets is extremely hard. For example, rotating a secret tied to a service in your cloud environment can cause a denial of service across your application if that service is consumed by other code where the secret is not detected. This may be the case even if the secret is stored securely in a secrets management service.

The risk of having secrets in a source code repository is that the secret is immediately exposed to any other users who clone this repository. All historical secrets can be detected by scanning the files or the commits in the git history of the repository.

Therefore, mitigating secrets before they are exposed in the files or git history is a more desirable approach. Pipelineless security enforces a "zero new hardcoded secrets" policy by keeping secrets out of the source code repositories.

**Where Are Hardcoded Secrets Traditionally Detected?**

A typical code delivery flow begins with a developer cloning or downloading the latest version of the code repository and making changes to the local repository. Pushing the code changes back to the remote repository often kicks off a series of checks and scanners — for example, GitHub supports Checks API, while Azure DevOps supports service webhooks. Before the new features (or fixes) can be deployed to production, the developer's code branch needs to be merged into the main branch, which typically triggers another round of checks and build/CI pipelines to ensure that the application will still work properly after the merge. For example, container builds can occur at this time to speed up the pipeline after the code is merged.

Secret-scanning checks can be implemented in several places in the developer workflow: IDE plugins, pre-commit hooks, pre-receive hooks, webhooks to scanner, and CI/CD pipeline. Each method has pros and cons.

**IDE plugins.** Secrets can be scanned as the developers write code. It is an effective approach to help avoid committed secrets into the git history, but due to the various IDE tools and versions within engineering organizations, it is hard to ensure that 100% of developers will use it. This approach lacks an enforcement capability, which means developers can bypass this control — a serious drawback to any client-side security control.

**Pre-commit hooks.** Automated scripts run before code is committed into the local git history. This control has the same pros and cons as IDE plugins. Additionally, commits resulting from suggested code changes on a pull request can end up unscanned if they get accepted by the developer.

**Pre-receive hooks.** These are like pre-commit hooks, but they run on the source code management (SCM) side. This means that 100% coverage can be reached. However, they require administrative access to the underlying operating system, which cloud-based offerings such as GitHub cannot provide.

**Webhooks to scanner.** This is an effective approach, as it can provide 100% coverage as well. While webhooks cannot prevent push events from successful execution, they are delivered quickly and can be easily deployed on both cloud and on-premises deployments, which makes them very popular. Note that the results of the GitHub Checks API are visible to all users with access to the repository — which means that if a secret is exposed, others will know.

**Pipeline.** Implementing secrets scanning across 100% of the repositories is hard because pipelines typically require code changes. Additionally, it takes time to get a runner to kick off and execute a job, which makes it less effective when it comes to immediate secret mitigation. As is the case with webhooks, the results of the pipelines are visible to all users with access to the repository.

**Where 'Zero New Hardcoded Secrets' Comes In**

The concept of zero new secrets is fairly simple. A service that enforces such a policy needs to be built with the following in mind:

1.  Subscribe your secret mitigation service to **all important events across all repositories**, e.g. subscribe to code push, pull requests, and audit events.
2.  Kick off **out-of-band automated git-based guardrails**, such as resetting a branch to a pre-pushed state.
3.  Provide **isolated feedback to the code pusher**, at minimum. Ensure that the new secret finding is not presented to unnecessary users.

This is also known as pipelineless security. In a pipelineless implementation, a series of checks and services handles secrets detection right as the code is being pushed to the remote repository. When the developer pushes code from the local branch to the remote repository, a webhook is sent to the pipelineless security service, which runs the secret detection script. If no secret is found, the code is pushed normally.

However, if a secret is detected, the service resets the branch to the pre-push state. This way, the commits containing the secrets will not be accessible to adversaries poking around the repository's commit history. The developer is then notified privately and given instructions on how to back up the changes and fetch the code so that it can be fixed — both to minimize the risk of hardcoded secret exposure and to prevent any stigma from attaching to the developer.

A zero new hardcoded secrets policy, enabled by a pipelineless approach, can be effective in preventing the exposure of new secrets while developers work to resolve the backlog of historical secrets. Such a policy offers 100% coverage, the ability to mitigate newly pushed secrets in seconds, and direct feedback to the developer to act without exposing code to unnecessary parties.

Source

DARKReading