Coalition ESS uses AI to generate dynamic risk scores to help organizations mitigate their most critical risks faster.

**SAN FRANCISCO** **— June 15, 2023** **—** Coalition, the world's first Active Insurance provider designed to prevent digital risk before it strikes, today announced the Coalition Exploit Scoring System (Coalition ESS), a unique vulnerability scoring system that helps risk managers mitigate potential cyber threats. Developed by Coalition Security Labs, the company's research and innovation center, Coalition ESS is a security risk prioritization scoring system that leverages real-time monitoring and dynamic scoring to enable businesses of all sizes to efficiently understand which vulnerabilities to patch first. 

"In cybersecurity, timing is everything. Thousands of new vulnerabilities are published monthly, and it’s nearly impossible for IT and security teams to quickly understand and address them all. Defenders need a more efficient way to sift through the noise and prioritize which vulnerabilities to remediate," said Tiago Henriques, Coalition's Head of Security Research. "With Coalition ESS, they have an early source of truth to evaluate which risks to prioritize mitigating _before_ an incident occurs."

Coalition ESS leverages artificial intelligence and large language modeling to scan the descriptions used within newly released CVEs (Common Vulnerabilities and Exposures) and compares them to previously published vulnerabilities to predict the likelihood of exploitability. The result is two probability scores: the Exploit Availability Probability, or the likelihood that code for an exploit will be publicly available, and the Exploit Usage Probability, or the likelihood that threat actors will use an exploit to execute an attack. These scores combined give security managers and IT professionals a prioritization list outlining which vulnerabilities pose the greatest threat, saving time and resources in an otherwise arduous decision-making process. 

Coalition ESS scores are dynamic, responding to changes in available exploit information, unlike the scores derived from the Common Vulnerability Scoring System (CVSS). Coalition ESS scores are available up to one week from the initial vulnerability announcement, unlike other systems where scoring a vulnerability can take anywhere from one week up to one month.

"We created Coalition ESS to prioritize our own vulnerability management efforts as we are often the first line of defense for hundreds of thousands of assets of our customers at scale. We use ESS to evaluate and notify our policyholders about which vulnerabilities have the highest potential to negatively affect them and, today, are releasing it to the broader community," continued Henriques. 

Coalition ESS is available today for public use at: ess.coalitioninc.com. To learn more about Coalition’s cybersecurity research and innovation center, Security Labs, visit: www.coalitioninc.com/security-labs.

Coalition Releases Security Vulnerability Exploit Scoring System

**BOSTON****,** **June 15, 2023** **/PRNewswire/ --** The vulnerability of subdomain takeover in Microsoft Azure continues to pose a threat, with researchers at Keytos discovering approximately 15,000 vulnerable subdomains each month using cryptographic certificates. This relatively common exploit allows cybercriminals to impersonate organizations, launch attacks, and display spam content through legitimate sites. Despite continuous attempts to contact and notify over 1,000 organizations about their domain issues, only 2% have taken action to address the problem.

Subdomain takeover occurs when a domain is left open after deleting an Azure website, providing cybercriminals with a backdoor to create fraudulent sites. These sites appear legitimate since they are hosted on forgotten domains, putting users at risk of credential theft through simple deception. To take preventative measures, Keytos has developed an automated tool called EZMonitor which scans and identifies vulnerable subdomains using certificate transparency logs and checking the availability of Azure-hosted websites. In its first month, EZMonitor identified over 30,000 vulnerable domains, most of which are relatively high-profile organizations that many would think have sophisticated cybersecurity teams within their organizations.

Hardly anyone is aware of the scale and magnitude of this vulnerability. 85% of Fortune 500 companies are currently utilizing Microsoft Azure and are objectively at risk. Microsoft's attempts to address the issue, their solutions like Defender for App Service Dangling DNS detection have not fully resolved the problem, leaving many organizations unknowing vulnerable. Unfortunately, most organizations have not taken the threat seriously, ignoring warnings or only removing the DNS entry without addressing the underlying vulnerability.

These takeovers have severe implications and potential consequences, including the theft of login credentials, legitimizing false information, and distributing malware. End-Users are mostly helpless against these attacks, but they can encourage their organizations to take the issue seriously. Site owners, on the other hand, can take measures to protect themselves. These include implementing certificate transparency monitoring, removing dangling DNS entries, and using Certificate Authority Authorization (CAA) records.

Urgent action is needed to address this critical issue and safeguard domains and users. Keytos' automated scanning tool, EZMonitor, provides an effective means of identifying vulnerable subdomains. It is crucial for organizations to prioritize security and take proactive measures to mitigate this threat.

Want to see if your sites are secure? Keytos offers a free domain scanning tool to examine your organizations' certificates https://portal.ezmonitor.io/

SOURCE Keytos LLC

Keytos Uncovers 15,000 Vulnerable Subdomains per Month in Azure Using Cryptographic Certificates

The company aims to empower enterprises to securely manage their endpoints and remediate vulnerabilities from the cloud, enabling a work-from-anywhere environment with confidence.

**Houston, Texas, June 15, 2023 —** Action1 Corporation, a provider of the #1 risk-based patch management platform designed for work-from-anywhere enterprises, announced today its plans to invest $20 million in its solution. The investment aims to close the gap for easy-to-use secure cloud solutions for continuous remediation of security vulnerabilities on endpoints within distributed networks. The company plans to allocate funds for R&D, focusing specifically on implementing a zero-knowledge architecture into its platform.

Unpatched vulnerabilities accounted for 82% of cyberattacks in H1 2022, making them a leading contributor to breaches. Patching is overlooked due to two main reasons: the complexity of modern IT environments and the lack of automation. Specifically, 73% of enterprises don't automate third-party patching despite having an average of 67 applications per device. Additionally, patching remote endpoints takes 2.5 longer. While cloud-based solutions can address these issues, enterprises are concerned about security risks following software supply chain attacks like SolarWinds and Kaseya, which compromised multiple entities through a single-entry point. 

"The unprecedented growth of online threats in parallel to the growth of distributed workforces is forcing organizations to seek alternatives to legacy endpoint management tools, which not only struggle with scalability, but also hinder their ability to maintain flexibility, cybersecurity, and resilience," said Ken Buckler, Research Director at Enterprise Management Associates®.

The Action1 cloud-native platform empowers enterprises to remediate security vulnerabilities by streamlining the deployment of OS and third-party updates or implementing compensating controls. Unlike many other patch management market players that rely on third-party technologies, Action1 uses its own patching engine, ensuring a 99% patch success rate. Through the integration of zero-knowledge architecture, Action1 eliminates the risk of successful supply chain attacks targeting both the platform and its customers, enabling organizations to secure their endpoints with confidence. 

"Action1 provides us with complete visibility into the patching status across our endpoints, enabling us to develop policies for OS and third-party updates to automatically remediate security vulnerabilities; when combined with the upcoming zero-knowledge feature, it will bring our resilience level at the cutting edge of industry trends," said Matt Lutjen, system administrator at CARR Auto Group.

The zero-knowledge architecture utilizes encryption and digital signatures, ensuring that transactions within the system are proven and verified without revealing any underlying information. This additional layer of defense makes it nearly impossible for attackers to establish persistence within the software supply chain in the event of a compromise.

Key elements of the zero-knowledge architecture:

*   **End-to-end encryption:** Transactions within the system are encrypted, and decryption and execution are only possible with signature keys known only to the system's administrator.
*   **Verification without data revelation:** All commands must be verified for identity before execution, but no entity, including the vendor, has a sensitive level of access to the customer's environment.

"Action1, through its commitment to setting a new standard in patch management, provides enterprises with easy-to-use and powerful solutions for continuous patch compliance, all fortified by advanced security measures. These measures ensure the highest level of protection for the product and its underlying infrastructure, effectively addressing the evolving needs of modern distributed enterprises in mitigating the threat of supply chain attacks," said Mike Walters, President and co-founder of Action1.

Zero-knowledge architecture update to the platform coming H1 2024.

**About Action1 Corporation** 

Action1 is the #1 risk-based patch management platform for distributed networks trusted by thousands of global enterprises. Action1 helps to discover, prioritize, and remediate vulnerabilities in a single solution to prevent security breaches and ransomware attacks. It automates patching of third-party software and operating systems, ensuring continuous patch compliance and remediation of security vulnerabilities.

The company was founded by cybersecurity veterans Alex Vovk and Mike Walters, who previously founded Netwrix, which was acquired by TA Associates.

Learn more at: www.action1.com.

Action1 Announces $20M Investment in Its Patch Management Platform

A third perp has been fingered, but CISA warns that LockBit variants continue to be a major threat on a global scale.

The US Department of Justice has arrested and charged a Russian national, Ruslan Magomedovich Astamirov, for his role as an affiliate for the LockBit ransomware.

Specifically, Astamirov is accused of directly executing at least five attacks between August 2020 and last March, against victim computer systems in the United States and abroad.

"Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended," US Attorney Philip R. Sellinger, District of New Jersey, said in a DoJ statement. "The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity."

Astamirov is charged with conspiring to commit wire fraud and conspiring to intentionally damage protected computers and to transmit ransom demands. If convicted, he faces a maximum penalty of 25 years in prison, along with a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greatest. The latter number may be larger; CISA and other global cybersecurity authorities this week warned that affiliates using LockBit ransomware variants have collectively extorted around $91 million across 1,700 cyberattacks against US organizations since 2020.

Multiple criminal affiliates use LockBit ransomware, which functions as a ransomware-as-a-service (RaaS) model, so the different attacks vary in how they operate and in their tactics, techniques, and procedures (TTPs), making it more difficult for organizations to protect themselves. Even so, they're finding it increasingly difficult to evade law enforcement scrutiny. 

The latest DoJ announcement follows LockBit-related charges in two other cases from the District of New Jersey. In November, the department announced LockBit-related criminal charges against Mikhail Vasiliev, who is in custody in Canada awaiting extradition to the United States. In May, the department announced the indictment of Mikhail Pavlovich Matveev, for his alleged participation in separate conspiracies to deploy LockBit, Babuk, and Hive ransomware — he remains at large.

**More Recent LockBit Ransomware Activity**

Meanwhile, LockBit attacks continue. The most recent LockBit ransomware activity was observed this year in New Zealand in February, Australia in April, and the United States on May 25.

CISA and fellow authors in the advisory recommended that organizations apply mitigations such as sandboxing browsers, installing Web application firewalls, requiring phishing-resistant multifactor authentication (MFA), and installing up-to-date antivirus software, to prevent against ransomware attacks.

LockBit Affiliate Arrested, as Extortion Totals Reach $91M Since 2020

**MELBOURNE, Australia & PARIS — (****BUSINESS WIRE****) —** Tesserent Limited (ASX: TNT) and Thales (Euronext Paris: HO) are pleased to announce that they have entered into a binding Scheme Implementation Deed (SID) under which it is proposed that Thales will acquire 100% of the shares in Tesserent by way of a Scheme of Arrangement for A$0.13 per ordinary share in cash valuing Tesserent’s equity at A$176m (circa €107 million).

The combination of Thales and Tesserent will create an experienced provider of much needed cybersecurity services in Australia and New Zealand at a time when the market is expecting double-digit growth through to 2026.

The Tesserent business will continue to be known as Tesserent, and its visual identity will incorporate the "Cyber Solutions by Thales" tagline. It will become the lead Cybersecurity offering of Thales Australia and New Zealand. It will accelerate the growth of cyber solutions operations for Thales customers in Australia and New Zealand, supported by the scale, balance sheet and know-how of the global Thales business.

As a global leader in cybersecurity, Thales is involved at every level of the cyber value chain, offering solutions ranging from risk assessment to protection of critical infrastructure, supported by comprehensive threat detection and response capabilities. Its offer is built around **three families of cybersecurity products and services**, which generated sales of €1.5bn in 2022:

1.  Global security products around the CipherTrust Data Security Platform the SafeNet Trusted Access Identity & Access Management as a service solution, and the broader cloud protection & licensing offerings
2.  Sovereign protection products including encryptors and sensors to protect critical information systems
3.  Cybels solutions portfolio, a complete suite of cybersecurity services including risk assessment, training and simulation, and cyberattack detection and response

**Kurt Hansen, CEO of Tesserent,** said: “_I am thrilled that, through the proposed transaction, Tesserent teams would be joining Thales, a global leader in cybersecurity. Together we will address the growing Cyber needs in our country, including those of the Australian Government and Defence sectors. I am convinced this transaction would represent a great opportunity to further grow Tesserent’s business and its people.”_

**Jeff Connolly, CEO of Thales Australia**, said: “_With the acquisition of Tesserent and its highly skilled team of cyber experts, and combined with our own system engineering experts, Thales Australia will establish an Australian/New Zealand leader in Cyber Defence able to best protect the country and its national infrastructure from cyber threats._

_The Tesserent team will have access to global expertise and a strong balance sheet to provide local Australian and New Zealand businesses both a sophisticated and wide cybersecurity offering in a fragmented market._

_After the acquisition of S21sec, Excellium and OneWelcome in Europe in 2022, we continue to accelerate our global cybersecurity strategy and consolidate our leadership in cybersecurity, both for critical infrastructure as well as multinational companies.”_

Recommended by all members of the Tesserent Board2, the implementation of the Scheme is subject to Tesserent shareholders’ and court approval. In addition, the transaction is subject to regulatory approvals and other customary closing conditions. It is expected to be completed during the second half of 2023.

More details on the proposed transaction, including key terms of the Scheme Implementation Deed and indicative timetable, can be found here: https://investors.tesserent.com/site/investor-information/investor-welcome

Thales Proposes to Acquire Tesserent, Expanding its Global Cybersecurity Leadership

Vulcan Connector for Wiz enables mutual customers to reduce cloud risk at scale.

**TEL AVIV - June 13, 2023  —** Vulcan Cyber, developers of the cyber risk management platform for all attack surfaces, today announced the launch of the Vulcan Connector for Wiz and a partnership with leading cloud security provider Wiz as the company unveils Wiz Integrations (WIN). Vulcan Cyber, hand selected as a launch partner, brings the power of the Vulcan Cyber risk management platform to WIN, to help customers seamlessly integrate Wiz into existing vulnerability and asset risk mitigation workflows.

WIN enables Wiz and Vulcan Cyber to share prioritized security risk insights with context including inventory, vulnerabilities, issues, and configuration findings. Mutual customers receive the following benefits: 

*   Risk data aggregation, correlation and deduplication for cloud-native infrastructure, application environments and traditional networks
*   Security risk prioritized with organizational relevance and asset-based context
*   Orchestrated and automated vulnerability risk mitigation campaigns

The combined value of these two offerings will streamline security for organizations that are on a cloud journey, regardless of where they may be on that journey.

The Vulcan Connector for Wiz was one of the first solutions to be built using the new Vulcan Connector engine for efficient, consistent and scalable integration of enterprise volumes of security data. The Vulcan Connector for Wiz aggregates and correlates Wiz cloud vulnerability risk data with associated asset and threat data for contextualized vulnerability risk prioritization. Together, Vulcan Cyber and Wiz help security and cloud operations teams focus on the cyber risk that poses the biggest threat to customers’ organizations, orchestrate mitigating actions, and measure the efficacy of cloud vulnerability remediation efforts.

“The rapid adoption of cloud services has introduced a great deal of unmanaged risk to large organizations. Vulcan Cyber and Wiz are tackling this challenge head on with an integrated cloud risk management solution that provides holistic cyber risk visibility and mitigation across every cloud environment and for all cyber attack surfaces,” said Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber. “The overwhelming challenge of cloud security at scale is now manageable with this combined solution providing contextualized cloud vulnerability risk prioritization and mitigation.”

The Vulcan Cyber integration with Wiz provides cloud security teams with visibility into cloud infrastructure security posture while concurrently delivering the same visibility into other IT and application attack surfaces. Customers use Vulcan Cyber to identify critical risk and attack paths by interpreting volumes of risk and asset data, measuring and prioritizing risk with essential business context, and efficiently orchestrating the work of cloud risk mitigation and remediation validation.

"A best-in-class cloud operating model reduces risk, improves ROI, and drives efficiency," said Oron Noah, Director of Product Management, Wiz. "That value proposition is what lies at the heart of WIN, and what partners like Vulcan Cyber are helping to make a reality. This collaborative philosophy brings real customer benefits and we are so thankful to have Vulcan Cyber on board for this launch.”

WIN is designed to enable a cloud security operating model where security and cloud teams work collaboratively to understand and control risk across their CI/CD pipeline.

The Vulcan Connector for Wiz was built using the new Vulcan Connector engine which facilitates the integration of security data at scale to help large cyber security organizations aggregate, correlate, and de-duplicate data to accurately measure cyber risk and generate meaningful security posture insights. 

Vulnerability risk mitigation is only as impactful as the data used to prioritize remediation actions and to set the right risk mitigation campaigns in motion. The Vulcan Connector engine goes beyond any comparable tool to collect, contextualize and enrich vulnerability scan and asset data, unique asset relationships, and threat intelligence data. The Vulcan Connector engine also allows companies to integrate any unsupported tool into the Vulcan platform within minutes, allowing companies to gain a holistic view of their risk posture.

Learn more about the Vulcan Connector for Wiz here.

**Manage Your Cyber Risk Now**

To experience Vulcan Cyber vulnerability and asset risk management for yourself request a demo or get access to Vulcan Free.

**About Vulcan Cyber**

Vulcan Cyber has developed the industry's first cyber risk management platform, built to help businesses reduce vulnerability and asset risk through measurable and efficient attack surface security. Vulcan Cyber orchestrates and tracks the vulnerability remediation lifecycle from scan to fix by aggregating risk and asset data, prioritizing vulnerabilities using business context, curating and delivering the best remedies, and automating mitigation processes through the last mile of remediation. Vulcan Cyber is proud to offer Vulcan Free, VulnRX and MITRE Mapper as freemium SaaS solutions for IT security teams at businesses of all sizes. The unique capability of the Vulcan Cyber platform has garnered Vulcan Cyber recognition as a 2019 Gartner Cool Vendor and as a 2020 RSA Conference Innovation Sandbox finalist. https://vulcan.io

Vulcan Cyber Is a Launch Partner for Wiz Integrations (WIN) Platform

A PRC-aligned actor used a trio of custom malware to take advantage of inherent weaknesses in edge appliances.

Researchers say the recent compromise of Barracuda Networks email security gateways (ESGs) was carried out by a newly discovered Chinese APT, which used three different backdoors to exploit security failings endemic to edge devices.

According to Barracuda's timeline, on May 18, the company was alerted to anomalous traffic coming from some of its ESGs. The following day, in collaboration with security company Mandiant, it discovered a zero-day vulnerability — CVE-2023-2868 — since assigned a score of 9.8 out of 10 on the CVSS vulnerability severity scale, making it critical-rated.

In multiple statements provided to Dark Reading, Barracuda has indicated that around 5% of active ESG devices worldwide have shown evidence of compromise. The company has a global footprint, with market-share watchers pegging it as claiming around a fifth of the ESG market, with clients that include CVS Health, IBM, and McKesson. 

Now, in a report published Thursday, June 15, Mandiant has connected the campaign to a novel APT it's tracking as UNC4841, assessing "with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China."

A full third of UNC4841's targets have been government organizations, and more than half are in the Americas — though "that may partially reflect the product's customer base," the researchers qualified. In many cases, the hackers collected email data not just from specific targets, but individual targets, including government officials and academics in Southeast Asia.

"They're definitely very competent," says Ben Read, Mandiant's senior manager of cyber espionage analysis, Google Cloud. "To find a vulnerability and exploit it in the ways that they have demonstrates an understanding that would have taken a lot of time and expertise to figure out. They definitely have significant funds."

**UNC4841's Many Backdoors**

UNC4841's attacks began with rudimentary phishing emails containing generic messages and broken grammar. Attached to the emails, however, were malicious tape archive (TAR) files which, when opened, exploited CVE-2023-2868, allowing the attackers to remotely execute code on target machines.

A sample UNC4841 phishing email. Source: Mandiant

Now in control of the privileges afforded to Barracuda ESGs, the attackers deployed three separate backdoors — SALTWATER, SEASPY, and SEASIDE — which each attempted to masquerade as legitimate ESG modules and services.

These backdoors "do have different capabilities, but overlap in terms of allowing for command-and-control (C2) communication to the device," explains Austin Larsen, Mandiant senior incident response consultant, Google Cloud. As he sees it, having three backdoors is a form of fault tolerance: "The actor is shown a pretty intense desire to maintain access to these devices, by establishing redundancy through multiple backdoors."

Even after its backdoors were discovered and addressed, "the threat actor reacted very quickly to any actions taken by Barracuda and Mandiant,” Larsen says. “They wanted to maintain persistence and access to these devices for as long as possible."

Together, this may explain why, even after Barracuda released a series of security patches, UNC4841's malicious activity remained ongoing. Beginning May 31, to finally rid the attackers from the appliances, the company offered to outright replace all affected ESGs at no cost to customers.

**What to Do About Edge Appliances**

Larsen points out that it's not just ESGs — edge appliances in general aren't secure enough.

"The threat that it poses is that network defenders typically don't have visibility into the underlying operating system, and so your traditional countermeasures — like EDR solutions for detection — typically don't run on these appliances," he explains. "And so, actors have realized that it's a great place to operate from, because they can typically avoid detection.”

The issues with edge appliances only mount from there. "They live on the edge of networks, so they're typically exposed in some way to the Internet and a lot of appliances are in a legacy phase at this point," he adds. "And so we're seeing that these appliances aren't quite getting the same level of attention as some more modern products and solutions, in terms of security."

But even if edge appliances themselves are vulnerable, with proper segmentation, the networks they're connected to don't have to be.

"We did identify this specific threat actor attempting to move laterally from the edge devices post-exploitation," Larsen notes. "Had these devices been in an unprivileged segment of the network, that may have prevented some of that lateral movement."

Critical Barracuda ESG Zero-Day Linked to Novel Chinese APT

It's easy to find free training in cybersecurity, but is free the best option for entering the field?

How far can you go for free? It's an interesting question if you're traveling, but it can be critical if you're trying to build a career in cybersecurity. In the last few months, a number of vendors and organizations have announced new or expanded rosters of free cybersecurity classes. Would it be possible to launch a career based only on the not-for-charge offerings?

**From the Ground Up**

There's no question that our industry is dramatically short of skilled and trained professionals to deal with the daily onslaught of attacks and attempted exploits. There is a very real question about the best way to close the gap between open positions and available talent.

One potential method of closing the talent gap isn't a realistic option: There is no way to put enough human beings through formal certification training to meet the need. When I talk to executives at training companies, all admit that, as good as they are, there's just not enough time/bandwidth/money for them to take all the necessary candidates through the process. And that conversation doesn't even begin to look at the question of whether the candidates could afford the time and investment to take the courses.

Among the answers offered to this question is the availability of free training classes in cybersecurity. Recent months have seen a wave of new no-cost options for those interested in getting into cybersecurity. Among the options are:

*   **FedVTE:** The Federal Virtual Training Environment offers free courses on many topics for US military veterans along with federal, state, local, tribal, and territorial government employees, and federal contractors.
*   **IBM****:** IBM SkillsBuild uses Coursera to deliver training for cybersecurity analyst as well as a wide variety of other IT professional positions. Some courses leading to "badges" are free; some certification requires payment.
*   **Cybrary****:** In February, Cybrary announced that more than 500 hours of cybersecurity courses were being made available at no charge. These courses cover topics ranging from cybersecurity fundamentals to professional certification prep as well as role-based material for professional development.
*   **SANS****:** SANS offers courses beginning with the Cyber Aces program on awareness, continuing with free workshops and the ability to "test drive" courses that will be paid offerings. Membership in the SANS.org community is also free and provides access to information from many cybersecurity professionals and instructors.
*   **Oxford Home Study****:** Based in the UK, this organization offers a number of different cybersecurity courses at no cost, some leading to the possibility of certification in cybersecurity.

There are others, of course, but all present the same question to would-be cybersecurity professionals: How far can I go with free courses?

The answer lies as much in what they _don't_ provide as in what they do. With rare exceptions, the free courses can provide knowledge but not credentials. And while that is not the issue in cybersecurity that it might have been 10 years ago, it can't be completely ignored.

**Sidestepping Credentials**

So what is the aspiring cybersecurity professional to do? First, definitely take advantage of free knowledge. Though they may take you only so far, free courses can take a budding cybersecurity professional beyond a first step. Next, get some hands-on experience. For those who are not employed in cybersecurity (and even those who are), capture-the-flag (CTF) exercises can be a valuable and accessible way to gain experience in the hands-on details of the field.

Next, the free courses can be a valuable tool when deciding whether or not it would be worthwhile to invest in a paid course in cybersecurity. In too many cases, the only way to find out whether a field is right for an individual is to spend money to become educated in that field. In cybersecurity, though, individuals have the opportunity to find out whether they want to pursue a career without making a huge monetary investment.

**And the Enterprise?**

A business could be sorely tempted to turn employees toward free courses when the individuals ask for professional training. And if the individual says that they're curious about cybersecurity, free courses could be an appropriate answer. But for professional training that will create an individual ready to step onto the beginning track of cybersecurity, there are paid courses of study that offer much more in the way of training, assessment, and accountability than do the free options.

Free courses in cybersecurity are good for the industry and for individuals, but they have a role to play in cybersecurity training and shouldn't be asked to go wildly beyond that role. Keep expectations realistic and opportunities for hands-on experience readily available, and free courses can play a solid supporting role in early cybersecurity career development.

Free Training's Role in Cybersecurity

The academy is meant to ensure a safe and strong telecommunication service and information technologies for Angola's citizens, the president said.

Angola President João Lourenço announced plans to open a cybersecurity academy to better secure the nation's telecommunications and IT networks.

According to the Angolan Press Agency, Lourenço added that efforts are underway to guarantee trust and security of the country's networks, with a focus on the protection and defense of critical infrastructure and vital information services. The academy is meant to ensure a safe and strong telecommunication service and information technologies user defense.

A number of digital modernization programs are underway in Angola in both the public and private sectors. A strong partnership with the private sector has boosted the use of digital services across verticals including banking, insurance, energy, and health, Lourenço said in his remarks. An emerging startup ecosystem is introducing innovative technologies. Angola has seen a 55% growth in mobile telephone service and 20% increase in the Internet access rate from 2021 to the first quarter of 2023.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Angola Marks Technology Advancements With Cybersecurity Academy Plans

A new version of the infamous browser extension is spreading through files on websites offering pirated wares and leverages unique persistence mechanisms.

Fake websites advertising pirated video games, films, and other wares are spreading a new variant of the ChromeLoader malware dubbed "Shampoo," that is anything but clean: It steals sensitive data, redirects searches, and injects ads into a victim's browser session.

Researchers from HP Wolf Security have been tracking the new campaign, which appears to have been active since March and distributes malware similar to the original ChromeLoader — first discovered in May 2022 — but that's noticeably harder to wash out of the proverbial IT hair thanks to multiple persistence mechanisms, they said.

The goal of the first version of ChromeLoader was to install a malicious Chrome extension for advertising, a process that includes "a particularly complex infection chain" that begins with victims downloading malicious ISO files from websites hosting illegal content that hijack browsers, wrote Jack Royer, an HP malware analyst intern, in a post on the HP Threat Research Blog published this week.

"ChromeLoader used in the Shampoo campaign is very similar; it tricks victims into downloading and running malicious VBScript files from websites, eventually leading to the installation of a malicious Chrome browser extension," he explained. "This campaign is very similar to ChromeLoader, in terms of its infection chain, distribution, and objective," with the two sharing code similarities and the ad-monetization feature.

One notable feature of Shampoo that's different than the original ChromeLoader is how it uses the browser's Task Scheduler to achieve persistence, by setting up a scheduled task to re-launch itself every 50 minutes, they said.

The script runs a PowerShell script that sets up the scheduled task, running a looping script every 50 minutes that downloads and runs another PowerShell script, the researchers said. This script downloads and installs the malicious ChromeLoader Shampoo extension that, once attached to a Chrome session, starts sending sensitive information back to a command and control (C2) server.

"This persistence mechanism allows the malware to remain active despite reboots or the script being killed by a security tool or user," Royer wrote.

**Inside the Shampoo ChromeLoader Infection Chain**

Users who encountered Shampoo did so by downloading illegal content from the Internet, such as movies, video games, or other files, from websites that offer pirated files, the researchers said. Victims are tricked into running malicious VBScripts that they think are pirated wares — for example, Cocaine Bear.vbs or Your download is ready.vbs — which triggers the infection chain, the researchers noted.

"The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps," with its author appearing to have used a free online JavaScript obfuscator to make the malware harder to detect, Royer wrote.

Other malicious activities that ChromeLoader Shampoo carries out on a victim's machine include disabling search suggestions in the address bar; redirecting Google, Yahoo, and Bing searches to the C2; logging the victim's last search query in Chrome's local storage; and logging the last search query in Chrome's local storage and preventing victims from accessing chrome://extensions by redirecting them to chrome://settings, likely to stop them from removing the extension, the researchers said.

The persistence mechanism that sets up the scheduled looping task also unregisters a list of tasks prefixed with "chrome\_" — such as "chrome engine," "chrome policy," and "chrome about," the researchers noted. "This is likely done to remove any previous or competing version of the same malware," Royer wrote.

**Be Wary of Illegal Downloads**

Though the first version of ChromeLoader was similar to Shampoo in that it was mainly aimed at hijacking browser sessions and stealing victim data, it has since evolved into a more dangerous threat, with attackers now using it to drop ransomware, steal data, and crash systems at enterprises.

It's unclear if the Shampoo variant also will be leveraged in this way in the future. However, the researchers advised that people shouldn't take chances, and provided tips for how to avoid infection as well as a list of indicators of compromise in the post.

One obvious way to avoid compromise by the Shampoo variant is not to download pirated material from the Internet, and to avoid downloading any files from untrusted websites in general, they said. This is particularly true for employees using Chrome in a corporate environment, who should be particularly wary of downloading anything from the Internet via a corporate network (or onto a shared work/personal device), lest it spread throughout an organization.

Organizations should also configure email gateway and security tool policies to block files from unknown external sources as added protection, advised Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, in a press statement.

Source

DARKReading