Not yet — but it can help make incremental progress in reducing vulnerability backlogs.

Organizations worldwide are in a race to adopt AI technologies into their cybersecurity programs and tools. A majority (65%) of developers use or plan on using AI in testing efforts in the next three years. There are many security applications that will benefit from generative AI, but is fixing code one of them?

For many DevSecOps teams, generative AI represents the holy grail for clearing their increasing vulnerability backlogs. Well over half (66%) of organizations say their backlogs are comprised of more than 100,000 vulnerabilities, and over two-thirds of static application security testing (SAST) reported findings remain open three months after detection, with 50% remaining open after 363 days. The dream is that a developer could simply ask ChatGPT to "fix this vulnerability," and the hours and days previously spent remediating vulnerabilities would be a thing of the past.

It's not an entirely crazy idea, in theory. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time — AI is hugely beneficial when applied to simple, repetitive tasks. But applying generative AI to complex code applications has some flaws, in practice. Without human oversight and express command, DevSecOps teams could end up creating more problems than they solve.

**Generative AI Advantages and Limitations Related to Fixing Code**

AI tools can be incredibly powerful tools for simple, low-risk cybersecurity analysis, monitoring, or even remedial needs. The concern arises when the stakes become consequential. This is ultimately an issue of trust.

Researchers and developers are still determining the capabilities of new generative AI technology to produce complex code fixes. Generative AI relies on existing, available information in order to make decisions. This can be helpful for things like translating code from one language to another, or fixing well-known flaws. For example, if you ask ChatGPT to "write this JavaScript code in Python," you are likely to get a good result. Using it to fix a cloud security configuration would be helpful because the relevant documentation to do so is publicly available and easily found, and the AI can follow the simple instructions.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing a more complex scenario for the AI to navigate. The AI might provide a "fix," but without verification, it should not be trusted. Generative AI, by definition, can't create something that is not already known, and it can experience hallucinations that result in fake outputs.

In a recent example, a lawyer is facing serious consequences after using ChatGPT to help write court filings that cited six nonexistent cases the AI tool invented. If AI were to hallucinate methods that do not exist and then apply those methods to writing code, it would result in wasted time on a "fix" that can't be compiled. Additionally, according to OpenAI's GPT-4 whitepaper, new exploits, jailbreaks, and emergent behaviors will be discovered over time and be difficult to prevent. So careful consideration is required to ensure AI security tools and third-party solutions are vetted and regularly updated to ensure they do not become unintended backdoors into the system.

**To Trust or Not to Trust?**

It's an interesting dynamic to see the rapid adoption of generative AI play out at the height of the zero-trust movement. The majority of cybersecurity tools are built on the idea that organizations should never trust, always verify. Generative AI is built on the principle of inherent trust in the information made available to it by known and unknown sources. This clash in principles seems like a fitting metaphor for the persistent struggle organizations face in finding the right balance between security and productivity, which feels particularly exacerbated at this moment.

While generative AI might not yet be the holy grail DevSecOps teams were hoping for, it will help to make incremental progress in reducing vulnerability backlogs. For now, it can be applied to make simple fixes. For more complex fixes, they'll need to adopt a verify-to-trust methodology that harnesses the power of AI guided by the knowledge of the developers who wrote and own the code.

Can Generative AI Be Trusted to Fix Your Code?

The company, one of four finalists in Black Hat USA's 2023 startup competition, looks for the vulnerabilities an attacker could actually access.

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs so they don't have to reinvent the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about, which can lead to not realizing when a vulnerability report applies to their mission-critical applications — or to scrambling to fix a severe vulnerability that is completely cut off from any source code and thus harmless.

"With 90% of code in modern applications being open source and 95% of vulnerabilities being found in transitive dependencies \[the software packages automatically brought in by OSS\], security teams struggle to prioritize the right risks for engineering to work on," says Endor Labs CEO and co-founder Varun Badhwar. And that's the company's focus: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency life cycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, doesn't matters if an attacker can't actually get to it.

**Why Reachability Analysis?**

The company calls its approach "reachability analysis." By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.

Where Endor really stands out, Badhwar says, is with its staff: A third of the R&D team have earned doctorates. The focus on specialization carries through to the company's "decision to tackle one problem at a time to solve it in the right way," he says.

    

DroidGPT search results for cryptographic packages in Go. (Source: Endor Labs)

That first problem was open source dependencies. "We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions," Badhwar says.

The next focus areas will be prioritized secret scanning and supply chain management/configuration posture management, he adds.

**Return of the Contest**

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begin at 4:30 p.m. PT.

If you're attending Black Hat in person, Endor Labs hopes to attract you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle openers. You might also get an invite to Endor Labs' event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company's name. No, it doesn't refer to the Canaanite village where the biblical Saul consulted a witch. In this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company's security research team is even named "Station 9" after a research station on Endor.

As Badhwar says, "The story behind the name is simple — we're just huge nerds."

**Speed Round**

**Website:** https://www.endorlabs.com/  
**Founded:** 2022  
**Funding stage:** Seed  
**Total funding raised so far:** $25M  
**Number of employees:** 50  
**If the company were a band, what would its band name be, and what kind of band would it be:** "We would simply be named The Ewoks and play futuristic synth-rock."  
**Pineapple on pizza, yea or nay?:** "We posted this question to the company Slack, and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza." — Thuy Nguyen, director of demand generation at Endor Labs

Startup Spotlight: Endor Labs Focuses on Reachability

**SAN FRANCISCO, July 6, 2023 —** Black Hat, the producer of the cybersecurity industry’s most established and in-depth security events, today announced Maria Markstedter, Founder of Azeria Labs; Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA); Viktor Zhora, Deputy Chairman of the State Service of Special Communication and Information Protection of Ukraine on Digital Development, Digital Transformations, and Digitalization; and Kemba Walden, Acting National Cyber Director in the Office of the National Cyber Director, as Keynote speakers for the Black Hat USA 2023 event. 

The first day of Briefings on Wednesday, August 9 will feature two separate Keynotes, with the opening Keynote taking place at the beginning of the day, and the second Keynote taking place at the end of the day. The third Keynote will take place at the beginning of the final day of Briefings on Thursday, August 10.

**Black Hat USA 2023 Keynote lineup:**

*   Maria Markstedter is the Founder of Azeria Labs, where she runs a popular blog that teaches the community about Arm, from the instruction set to reverse engineering and exploit development. Markstedter will give her talk, “Guardians of the AI Era: Navigating the Cybersecurity Landscape of Tomorrow,” on Wednesday, August 9 at 9:00 AM. This talk will cover challenges AI brings to the cybersecurity industry and how cybersecurity professionals can evolve with the AI revolution and use it to their advantage.She has worked in various cybersecurity sectors, including threat intelligence, pentesting, and reverse engineering, and previously served as the Chief Product Officer of Corellium, an Arm virtualization startup. 
*   Jen Easterly is the Director of the Cybersecurity and Infrastructure Security Agency (CISA), where she was nominated by President Biden in April 2021, and unanimously confirmed by the Senate in July 2021. As Director, Easterly leads CISA’s efforts to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on every day. In 2021, Easterly presented her Keynote, "Hacking the Cybersecurity Puzzle," at Black Hat USA, covering ways that hackers, the government, and private sector could work together to confront cyber threats. For Black Hat USA 2023, Easterly will present her talk with Viktor Zhora. Their talk will feature a fireside chat format and take place on Wednesday, August 9 at 4:20 PM.
*   Viktor Zhora is the Deputy Chairman of the State Service of Special Communication and Information Protection of Ukraine on Digital Development, Digital Transformations, and Digitalization. Since January 2021, Zhora has been responsible for cybersecurity in the Ukrainian digital infrastructure, supervising digital transformation and cybersecurity projects, CERT-UA, and the State Cyber Protection Center. He is a graduate of both the Institute of Physics and Technology of the National Technical University of Ukraine and the Institute of Software Systems of the National Academy of Science of Ukraine, as well as an author of numerous scientific publications on information security.
*   Kemba Walden is the Acting National Cyber Director in the Office of the National Cyber Director. Walden served as the inaugural Principal Deputy National Cyber Director for eight months, during which she co-led the organization, overseeing the development and growth of the office. During her tenure, the Office of the National Cyber Director drafted the National Cybersecurity Strategy, managed implementation of Executive Order 14028 – _Improving the Nation’s Cybersecurity_, and spearheaded the first ever National Cyber Workforce and Education Strategy. Her talk will be presented on Thursday, August 10 at 9:00 AM. 

For registration and additional information on Black Hat USA 2023, please visit https://www.blackhat.com/us-23/.

**About Black Hat**

For over 25 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe, and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.

**About Informa Tech**

Informa Tech is a market leading provider of integrated research, media, training, and events to the global Technology community. We're an international business of more than 600 colleagues, operating in more than 20 markets. Our aim is to inspire the Technology community to design, build, and run a better digital world through research, media, training, and event brands that inform, educate, and connect. Over 7,000 professionals subscribe to our research, with 225,000 delegates attending our events and over 18,000 students participating in our training programmes each year, and nearly 4 million people visiting our digital communities each month. For more information, please visit www.informatech.com.

Black Hat Announces Maria Markstedter, Jen Easterly, Viktor Zhora, and Kemba Walden As Keynote Speakers for Black Hat USA 2023

Linus Torvalds led a Linux kernel team in developing a set of patches for the privilege escalation flaw.

Exploit code will soon become available for a critical vulnerability in the Linux kernel that a security researcher discovered and reported to Linux administrators in mid-June.

The bug, which the researcher labeled StackRot (CVE-2023-3269), affects Linux kernel 6.1 through 6.4 and gives attackers a way to escalate privileges on affected systems.

**Affects All Linux Configurations**

Security researcher Ruihan Li of Peking University in China discovered the vulnerability and described it this week as affecting almost all Linux kernel configurations and requiring minimal capabilities to trigger.

A response team, led by Linux creator Linus Torvalds, worked about two weeks on developing a set of patches to address the vulnerability. 

"On June 28th, during the merge window for Linux kernel 6.5, the fix was merged into Linus' tree," Li said in a GitHub post announcing his discovery. "Linus provided a comprehensive merge message to elucidate the patch series from a technical perspective," Li noted.

The patches have since been backported to kernels 6.1.37, 6.2.11, and 6.4.1, "effectively resolving the 'StackRot' bug on July 1," Li wrote. "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."

StackRot pertains to the Linux kernel's handing of stack expansion, a mechanism for automatically growing or expanding the stack memory of a running process.

The data structure for managing virtual memory spaces in the Linux kernel handles a particular memory management function in a manner that results in use-after-free-by-RCU (UAFBR) issues, Li said. UAFBR flaws combine the use-after-free vulnerability with what is known as the Read-Copy-Update (RCU) mechanism in the Linux kernel for synchronizing the use of shared data.

Use-after-free is a type of vulnerability where a software program continues to use a memory reference after it has been deallocated or freed. This gives attackers a way to insert arbitrary code into the freed but still used memory space. "An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges," Li said. The Linux kernel uses the RCU mechanism to free or deallocate used memory space.

While UAFBR vulnerabilities can be dangerous, they are not easy to exploit because of a certain delay that happens with memory deallocation when memory spaces are freed using RCU callbacks, Li explained.

**First-of-Its-Kind Exploit**

The researcher described the exploit for StackRot as likely the first to successfully exploit a UAFBR bug. "To the best of my knowledge, there are currently no publicly available exploits targeting use-after-free-by-RCU bugs," Li said. "This marks the first instance where UAFBR bugs have been proven to be exploitable."

The Linux kernel teams fix for the flaw — led by Torvalds — basically modifies the kernel's user mode stack expansion code to prevent the use-after-free condition from happening.

"It's actually something we always technically should have done," Torvalds said in a GitHub post. "But because we didn't strictly need \[it\], we were being lazy ('opportunistic' sounds so much better, doesn't it?) about things."

StackRot Linux Kernel Bug Has Exploit Code on the Way

Vulnerable Nexus 9000 Series Fabric Switches in ACI mode should be disabled, Cisco advises.

Cisco has announced that a high-severity flaw in its data center switching gear could allow threat actors to read and modify encrypted traffic — and there's no patch so far.

Cisco disclosed the cloud security bug, tracked under CVE-2023-20185, on July 5. According to the company, the vulnerability affects its Application Centric Infrastructure (ACI) Multi-Site CloudSec encryption on Cisco Nexus 9000 Series Fabric Switches.

"Cisco has not released software updates to address the vulnerability that is described in this advisory. Customers who are currently using the Cisco ACI Multi-Site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C Switches and the Cisco Nexus N9K-X9736C-FX Line Card are advised to disable it and to contact their support organization to evaluate alternative options," Cisco warned.

Principal threat hunter for Netenrich, John Bambenek, said Cisco's recommendation to unplug the device should raise alarms for enterprise security teams.

"I'm not sure I've ever seen a vendor say there are no updates, and that they should unplug the device and find another product instead," Bambenek said. "For Cisco to tell its customers to disable the device tells me all I need to know about the severity of this vulnerability, and I would advise anyone to contact support to figure out how to move forward."

The delay in releasing a fix is likely due to the complicated nature of the vulnerability, Callie Guenther, cyber threat senior manager at Critical Start explained in a statement provided to Dark Reading.

"Cisco has not released patches to address this vulnerability, and it is yet to be officially listed by databases like MITRE and NIST," Guenther said. "While the absence of patches and official listings may raise concerns, it is important to understand that addressing vulnerabilities of this nature involves complex processes, coordination, and testing."

Teams would do well to follow the advice to unplug: Cisco explained that Nexus 9000 exploitation could allow cyberattackers to view, and even change encrypted data being transmitted between sites.

"This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches," Cisco said in the advisory. "An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption."

Patchless Cisco Flaw Breaks Cloud Encryption for ACI Traffic

In another MOVEit attack, oil and gas giant Shell saw the release of the private information of its employees.

Shell, the multinational oil and gas company, has confirmed that it is the victim of a MOVEit hack, revealing that personal information regarding its employees was compromised.

According to a July 5 statement: "A cybersecurity incident has impacted a third-party software from Progress called MOVEit Transfer, which was running on a Shell IT platform. MOVEit Transfer is used by a small number of Shell employees and customers. This was not a ransomware event. There is no evidence of impact to any other Shell IT systems. Our IT teams are investigating. Some personal information relating to employees of the BG Group has been accessed without authorization."

Shell has not specified what kind of personal information was compromised, and it confirmed the hack only after the Cl0p cybergang published the data it allegedly stole from the company because Shell refused to negotiate.

The Cl0p ransomware group has used the MOVEit managed file transfer (MFT) to steal data from hundreds of organizations, and millions have been affected by the group's actions, including at US federal government agencies.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Shell Becomes Latest Cl0p MOVEit Victim

Meta's answer to Twitter went live and quickly racked up millions of members — but the social media app's privacy practices are under the microscope.

A full 20 million people (and counting) had signed up for Meta's Twitter competitor within hours of its launch Wednesday evening — but none of those users will be in the European Union, thanks to data privacy concerns.

Instagram Threads collects a wide range of data from users, according to its "App Privacy" blurb on the Apple App Store, including health information, purchase histories, financial data, location, contact lists, search and browsing history, usage data, and a somewhat ominous category of data listed as simply "sensitive info."

Officials at Meta, which was just slapped with a record-breaking $1.3 billion fine for violating the EU's GDPR law on data privacy, told the Irish Independent that it's holding off on the rollout of the service "for now," citing a lack of clarity around the EU's Digital Markets Act, which governs how companies use behavioral advertising and various data sources.

Instagram CEO Adam Mosseri is also on record as acknowledging "complexities with complying with some of the laws coming into effect next year."

    

Source: Instagram via the Apple App Store.

Aaron Mendes, CEO and co-founder of PrivacyHawk, noted in a statement sent to Dark Reading that Threads' data collection policies are intertwined with those of Instagram, and largely follow the same pattern with regard to using that data for targeted advertising, algorithm tweaking, and more. But, he noted, users do have some control.

"It is a reminder of the depth of data Meta collects on its users and that you are the product when you use any of their services," he said. "If you will use them and care about your privacy, take the time to go into their privacy settings and select more private settings than the default. And don't give them access to everything they ask for. And take back things they don’t need anymore. You can still use most of their services without giving them everything they want."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Privacy Woes Hold Up Global Instagram Threads Launch

Public and private sector organizations must collaborate on a shared cybersecurity agenda to protect and benefit society at large.

As a managing partner investing in cybersecurity at Thoma Bravo, "diplomacy" in my world is usually limited to my interactions with business owners and executive teams. The goal is to create new investment opportunities and help our portfolio companies grow and serve their constituents.

But at the 2023 Milken Institute Global Conference in May, I participated in a cybersecurity panel discussion titled "Digital Defense and Diplomacy: Enhancing Global Cyber Coordination." When I was asked to participate in the Milken panel, I was concerned that I might be a bit of an outlier. In a group of specialists with extraordinary expertise in government and public sector cybersecurity, I was asked to represent the "voice of the private sector."

**What Does a Private Equity Firm Have to Do With Cybersecurity?**

Thoma Bravo has been investing in cybersecurity companies since 2009. We have a portfolio of cyber companies with an enterprise value close to $40 billion that generates a total annual revenue of $5.8 billion and employs more than 20,000 people (at end of 2022). My job is to help build great cybersecurity companies through equal parts innovation and business management to generate returns for those investors who trust us with their capital.

So, what could I lend to a conversation about the "high politics" of cyber conflict between countries and the dynamics of government policy involved in these critical discussions on defense, deterrence, and the like?

On the face of it, these seem like very different — and some may even argue incompatible — cultural contexts in which to talk about cybersecurity. However, in practice, the public and private sectors have quite a lot in common when it comes to the digital environment.

**Public and Private Sectors Have Similar Challenges and Goals**

The challenge of digital security is fundamentally equivalent for both the public and the private sector. Both environments share the simple goal of protecting the underlying fabric of today's digital economy and society. As digital transformation proceeds, that increasingly means protecting the economy and society as a whole regardless of sector. All these blurring lines have driven a growing focus on public-private partnerships (PPPs), an attempt to bridge the best of these two cultures and strengthen cybersecurity overall as a result.

That makes good sense; cybersecurity in practice is a societal-level problem that impacts both the private and public sectors. But I find that a great deal of what is said and written (and to a lesser extent attempted) in cybersecurity PPPs tends to be high-level, abstract, and overly aspirational. In private equity, there's little room for dealing in abstraction.

When we invest in cybersecurity companies, I look for concrete actions that can create efficiencies, enhance performance, and result in measurably better outcomes in both security and business terms — and seek to do so sooner rather than later.

**4 Ways to Advance Public-Private Cybersecurity Partnerships**

The Milken panel helped me see how the public sector could better harness that kind of private-sector pragmatism to make progress on a shared agenda. I've crystallized those thoughts into four points of common interest, language, and perspective — actionable areas of crossover that have the potential to advance and accelerate the PPP agenda.

*   **Adapt the calculus:** It's important to recognize that the bad actors we are trying to defend against are making decisions about what and what not to do in a rational, cost-sensitive way. This logic lies not only at the heart of national defense, but also at the heart of a CISO's decisions about what security products to spend precious resources on. But public and private defenders alike need to better understand the granular motivations and calculations of bad actors to make good decisions about cybersecurity priorities and investments. Hacktivists, for example, have a different rational calculation than state actors or pure profit-seeking criminals. An important PPP focus ought to be on sharing what we have each learned about those calculations over time.
    
*   **Cover the basics:** The weakest links in the security value chain are often not the most scientifically sophisticated or interesting attack vectors, nor those that tend to garner the most attention among researchers. More cybersecurity efforts today are still basic protections that amount to fixing the easy holes in our defenses — things we already know how to fix. Both governments and private companies need to pay much greater attention to fundamental cyber hygiene — things like two-factor authorization (2FA) and identity management. This might not be the stuff of exciting storytelling or scientific intrigue, but it's still where defenders often get the most protective bang for the buck. Execution on basics can make a great deal of difference.
    
*   **Innovating for profit:** The acceleration in digital technology — and, of course, most recently in generative AI — means that cybersecurity R&D is absolutely critical to the future of defense. But R&D expenditures by themselves don't always produce appropriate value. We need R&D to be productive, by which I mean great innovation should be channeled and focused by business discipline. With that in mind, the drive for profitability is a feature of productive R&D, not a bug or an unfortunate constraint.
    
*   **Learning to row:** Lastly, I believe that information sharing between the public and private sectors needs to be systematic and specific to be most useful to both. One of my fellow panelists brought up the example of particularly valuable information sharing in the run-up to the Ukraine invasion. We were all "rowing in the same direction," he said, as the government shared pertinent intel with those private companies well-positioned to act on it. We need to constantly be practicing this kind of information sharing — building both the requisite muscle and coordination to row in tandem — especially when neither sector is in crisis.
    

I left the Milken panel with a strengthened belief in the critical role that PPPs will play in the future of cybersecurity. For those PPPs to be successful, it will take less finger-pointing (in both directions) and more substantive collaboration. That means identifying specific areas for partnership and measuring results over time, with the goal of benefiting society in general, including public and private organizations.

Cybersecurity's Future Hinges on Stronger Public-Private Partnerships

Attackers are leveraging well-executed brand impersonation in a Google ads malvertising effort that collects both credit card and bank details from victims.

Threat actors are impersonating the United States Post Office (USPS) in a legitimate-looing malvertising campaign that diverts victims to a phishing site to steal payment-card and banking credentials, researchers have found.

A malicious ad appears on Google searches for both mobile and desktop users looking to track packages via the USPS website, Jérôme Segura, director of threat intelligence at Malwarebytes Labs revealed in a blog post published July 5.

Though it looks "completely trustworthy," it isn't, he said. Instead, it redirects victims to a malicious site that first collects their address and credit card details, and then requires them to log into their bank account for verification, eventually stealing that info as well.

Segura cites Jesse Baumgartner, marketing director at Overt Operator, as the person who first discovered the campaign. Baumgartner shared screenshots of his experience attempting to track a package that led him onto a scam website in a LinkedIn post.

Malwarebytes Labs researchers set out to find the scam themselves and were immediately able to find the authentic-looking ad by performing a simple Google search for "usp tracking."

"Incredibly, the ad snippet contains the official website _and_ logo of the United States Postal Service and yet, the 'advertiser' whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it," Segura wrote.

Malwarebytes Labs has reported the campaign to Google and for its part, Cloudflare has already flagged the domains as phishing sites.

The campaign is yet another reminder that no matter how much awareness there is about malicious ads, links, and websites lurking on the Internet, threat actors still successfully wield oft-used tactics that abuse and impersonate trusted entities to trick and defraud Internet users, he said.

"Malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands," Segura wrote in the post.

A recent malvertising campaign in January also leveraged trusted brands by targeting users searching for Bitwarden and 1Password's Web vaults on Google. Threat actors used paid ads with links to cleverly spoofed sites for stealing credentials to the unsuspecting users' password vaults.

**Creating a Convincing Phishing Campaign**

Segura broke down how the actor or actors behind the USPS campaign managed to make it look so convincing to an end user. Essentially, they used tactics that can apply to various types of malvertising, he said.

There are two ad campaigns — one that targets mobile users, and the other targeting desktop users. While the ads appear to use the official USPS URL while redirecting victims to an attacker-controlled domain, the URLs shown in the ad "are pure visual artifacts that have nothing to do with what you actually click on," Segura explained.

"When you click on the ad, the first URL returned is Google's own which contains various metrics related to the ad, followed by the advertiser's own URL," he said. "Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous."

Victims that click on the ad land on a website that asks them to enter their package tracking number, just as any page for this type of request would. However, upon submitting that information they receive an error informing them that their package couldn't be delivered "due to incomplete information in delivery address."

This might arouse suspicion, but likely not, as it's pretty typical for someone tracking a package to receive this type of notification, Segura noted. However, the next step of the attack — in which users are then asked to enter their full address again as well as submit their credit-card data to pay a small fee of 35 cents — should raise a red flag, he said.

It's at this point where victims enter the phishing site and attackers can steal their data, making the small fee "completely irrelevant," since giving up payment-card data — which can be used by the threat actor or resold on criminal markets — can result in much more damage to someone, Segura observed.

The final step of the attack is a request that victims enter credentials for their financial institution through a dynamic page that generates a template based on the credit-card info provided. For instance, if a person submits data for a Visa card associated with JP Morgan Bank, the page will ask the target to login to the JP Morgan page. Other banks and cards will result in different templates specific to the data provided, Segura said, similar to how banking Trojan overlays work.

**Recommendations to Thwart Malvertising**

As mentioned, malvertising is already a well-known method used by cybercriminals to steal user credentials. However, while awareness is key to avoid falling victim to a campaign, "training can only go so far" because of how legitimate modern malicious scams created by attackers look, Segura wrote.

One way to stop these campaigns before they reach end users is for search engines to apply stricter controls to combat the brand impersonation that threat actors have adopted so successfully, he said.

"When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot, Segura wrote, noting that Microsoft's Bing already has applied policy with success.

Applying real-time browser protection that can disrupt the malvertising kill chain from the initial ad all the way to the payload — whether it be malware, phishing, or another type of scam — also can prevent and mitigate this type of attack.

Google Searches for 'USPS Package Tracking' Lead to Banking Theft

C-suite security leaders are feeling less prepared to cope with cyberattacks and more at risk than last year.

With the chaos of the pandemic now in the rearview mirror, we are finally back to "business as usual." The return to normal operations may imply that chief information security officers (CISOs) can now breathe easier, but the opposite is true. CISOs are feeling less prepared to cope with cyberattacks and more at risk than last year, indicating a reversal from the early days of the pandemic, new research shows.

The "2023 Voice of the CISO" report, Proofpoint's global survey of 1,600 CISOs, found that 68% of respondents feel at risk of experiencing a material cyberattack in the next 12 months. This is a sharp decrease from last year's 48% and a shift back to 2021 levels, when 64% felt at risk. The report also found that 61% of surveyed security leaders believe their organization is unprepared to cope with a targeted cyberattack, compared with 50% in 2022 and 66% in 2021.

**Reasons for CISOs' Elevated Concerns**

The tumultuous cybersecurity events of 2022 may be one reason behind the CISOs' return to an elevated concern. Last year saw increasingly devastating ransomware attacks that shuttered organizations and crippled entire nations. At the same time, geopolitical tensions continued to mount with incidents such as Russia's attacks on US airports and Chinese nation-state actors' targeting telecoms. The shaky economy did not help matters, and 58% of surveyed CISOs shared that the downturn has affected their security budgets negatively. All these events put security leaders on edge, perhaps lowering their confidence in their security posture.

Another explanation for CISOs' elevated concern may be the anomaly of the pandemic. Having conquered the unprecedented challenges caused by the overnight move to remote operations, security leaders felt a sense of calm. Although attack volumes did not abate, CISOs had a brief period of reprieve as they felt their organizations were less at risk. Yet the ability to secure their remote environments may have given CISOs a false sense of confidence. With the return to normal operations, the post-pandemic security metrics likely looked less reassuring, and the optimism wore off.

**Growing Pressures Make the CISO's Job Unsustainable**

Whatever the reason behind CISOs' recalibration of perceptions, their diminished confidence is exacerbated by new concerns about personal liability raised by last year's blockbuster Uber case, which resulted in probation for the company's former chief security officer. The US federal court ruling has deep implications that may set a dangerous precedent, and 62% of CISOs surveyed by Proofpoint agreed that they are concerned about personal liability.

The survey also revealed that 60% of CISOs have experienced burnout in the past 12 months, while 61% feel their job expectations are unreasonable, which is a big jump from the previous year's 49%. When we add these mounting pressures to ongoing struggles such as the cybersecurity talent shortage and new issues such as the recent wave of layoffs, it is not surprising that the CISO's role is becoming unsustainable.

This is a time when CISOs need champions on their board of directors more than ever. The Proofpoint report gives a glimmer of hope in this regard, showing a thawing CISO-board relationship — 62% of CISOs say they see eye-to-eye with their board on cybersecurity issues. This trend has been on an upward trajectory in the past three years.

**Protecting Data a Top Priority — and a Big Challenge**

The Voice of the CISO report shows that data protection remains a top-of-mind priority for CISOs. The ripple effect of the Great Resignation and employee turnover exacerbate the problem of data loss — 63% of surveyed security leaders reported dealing with a material loss of sensitive data in the past 12 months, and 82% said that employees leaving the organization contributed to this loss. Layoffs, like the massive ones we've seen in the technology sector, could especially be an issue because employees may feel wronged and justified in taking corporate data with them on the way out.

Despite the widespread loss of data, 60% of CISOs believe they have adequate controls in place to protect it. This optimism is surprising, especially given CISOs' lack of confidence in their security postures. And we expect that the problem will get worse as the economic uncertainty lingers and more sectors beyond technology — from manufacturing to consulting — pursue mass layoffs.

**Supply Chain All But Secure**

Another area where security leaders are far too optimistic is supply chain security. Nearly two-thirds of CISOs surveyed by Proofpoint said they have appropriate controls for mitigating supply chain risk. However, protecting today's complex and interconnected supply chain is extremely difficult — and a problem the industry has not been able to solve.

Most organizations simply do not have a grasp on third-party risk while relying heavily on a range of partners and suppliers. Threat actors know this well, which is why we have entered a new era of weaponization of trust. As one example, research found an astounding 633% increase in the number of supply chain attacks using malicious components in the past year. That is one of the many reasons supply chain security has become a matter of national security — and part of a new national cyber strategy in the United States.

The good news is that addressing supplier risk is one of the top priorities in the next 12 months among surveyed CISOs. These findings indicate that security leaders realize supply chain security is critical. The question is whether they can continue to devote adequate resources to this area if security budgets hang in the balance.

**Security Risk Is Business Risk**

Added regulatory scrutiny, escalating supply chain attacks, data protection — all these challenges impact investor, consumer, and employee confidence in the enterprise. As trust becomes more important for organizational success, it is important for both CISOs and boards to look at security risk as business risk and understand the implications of systemic risk within their organization. Although solving complex cybersecurity problems requires an industrywide effort, it all starts at the organizational level — and CISOs must lead the conversation.

Source

DARKReading