As cloud adoption grows, organizations need to rethink their approaches to securing hybrid cloud and multicloud environments.

Cloud technology is a powerful tool that facilitates collaboration among distributed workforces and allows businesses to quickly scale their digital workloads. According to a Microsoft survey, 95% of respondents said cloud technology was critical to their organizations' successes, and 86% planned to increase their investments in hybrid cloud and multicloud tech. 

However, cloud technology also comes with increased risks. The lack of visibility and coverage across hybrid and multicloud environments can make it difficult for security teams to identify and resolve risks. Security teams are also being asked to monitor fragmented tools across different clouds, which can make it difficult to create a unified view of their comprehensive security posture. 

Microsoft research from earlier this year found that 86% of surveyed decision-makers believed their current cybersecurity strategies were not sufficient to secure their multicloud environments. So how should organizations adapt their security approach?

**Create a Single-Pane-of-Glass View**

Cloud technology enables businesses to quickly scale their digital workloads because they are not constrained by managing physical devices or IT infrastructure. However, this agility can also make it difficult for them to keep track of their various workloads, data streams, and applications because they are scattered across a mix of different cloud platforms and on-premises locations. Securing a hybrid or multicloud environment requires organizations to have visibility and cross-platform control in a single-pane-of-glass view. That way they can visualize the security posture of multiple workloads at once, regardless of location.

**Use CNAPP For Code-to-Cloud Context**

For many organizations, security and compliance used to be distinct silos — making it difficult for development and security teams to protect applications in the cloud. More than half (54%) of enterprises do not integrate security into their DevOps pipelines, according to Microsoft's "Enterprise DevOps Report." Cloud-native application protection platforms (CNAPPs) integrate these silos into a single, easy-to-reference platform to help organizations secure and protect cloud-native applications.

Strong security hygiene means being able to monitor and remediate code within the same pane-of-glass view that organizations use to manage their overall cloud security posture. CNAPPs enable increased collaboration and integration between development and security teams while also reducing the possibility of code issues being moved into the cloud. By intaking all infrastructure-as-code scanning signals and combining them with data sensitivity, identity, and runtime intelligence, CNAPPs enable security teams to make recommendations and prioritize risks within the context of the entire hybrid or multicloud network.

**Fortify Security Hygiene With Threat Detection and Response**

Active threat detection is a critical component of securing the cloud environment against potential cybersecurity breaches. For example, organizations should examine the connections among applications, data stores, and workstreams to anticipate how threat actors could conceivably move through their environments to compromise operations.

When protecting workloads, it's critical that developers, security administrators, and security operations center analysts are all on the same page. It's also important that organizations take a cohesive, collaborative approach to cloud security by ensuring that all of the key players are working together to build security integrations that cover the full scope of your threat landscape. This can look like embedding anti-malware scanning tools into DevOps to ensure a company's code is protected against malware or preventing attackers from entering its network by hardening container security.

_— This article was written by Yuri Diogenes, a member of the Microsoft Security Team._

3 Tips to Increase Hybrid and Multicloud Security

We're still unprepared to fight the security bugs we already encounter, let alone new AI-borne issues.

From the first rumbles of hype for the latest culture-shattering AI tools, developers and the coding-curious alike have been using them to generate code at the touch of a button. Security experts quickly pointed out that, in many cases, the code being produced was poor quality and vulnerable and, in the hands of those with little security awareness, could cause an avalanche of insecure apps and Web development to hit unsuspecting consumers.

And then there are those who have enough security knowledge to use it for, well, evil. For every mind-blowing AI feat, it seems there is a counter-punch of the same technology being used for nefarious purposes. Phishing, deep fake scam videos, malware creation, general script kiddie shenanigans — these disruptive activities are now achievable much faster, with lower barriers to entry.

There is certainly a lot of clickbait touting this tooling as revolutionary, or at least coming out on top when matched with "average" human skill. While it is looking inevitable that large language models–style (LLM) AI technology will change the way we approach many aspects of work — not just software development — we need to take a step back and consider the risks beyond the headlines.

And as a coding companion, its flaws are perhaps its most "human" attribute.

**Poor Coding Patterns Dominate Its Go-To Solutions**

With ChatGPT trained on decades of existing code and knowledge bases, it's no surprise that for all its marvel and mystery, it too suffers from the same common pitfalls people face when navigating code. Poor coding patterns are the go-to, and it still takes a security-aware driver to generate secure coding examples by asking the right questions and delivering the right prompt engineering.

Even then, there is no guarantee that the code snippets given are accurate and functional from a security perspective; the technology is prone to hallucination, even making up nonexistent libraries when asked to perform some specific JSON operations. This could lead to "hallucination squatting" by threat actors, who would be all too happy to spin up some malware disguised as the fabricated library recommended with full confidence by ChatGPT.

Ultimately, we have to face the reality that, in general, we have not expected developers to be sufficiently security-aware, nor have we as an industry adequately prepared them to write secure code as a default state. This will be evident in the enormous amount of training data fed into ChatGPT, and we can expect similar lackluster security results from its output, at least initially. Developers would have to be able to identify the security bugs and either fix them themselves or design better prompts for a more robust outcome.

The first large-scale user study examining how users interact with an AI coding assistant to solve a variety of security-related functions — conducted by researchers at Stanford University — supports this notion.

Between this and the inevitable AI-borne threats that will permeate our future, developers, now more than ever, must hone their security skills and raise the bar for code quality, no matter its origin.

**The Road to a Data Breach Disaster Is Paved With Good Intentions**

It should come as no surprise that AI coding companions are popular, especially as developers are faced with increasing responsibility, tighter deadlines, and the ambitions of a company's innovation resting on their shoulders. However, even with the best intentions, a lack of actionable security awareness when using AI for coding will inevitably lead to glaring security problems. All developers with AI/ML tooling will generate more code, and its level of security risk will depend on their skill level. Organizations need to be acutely aware that untrained people will certainly generate code faster, but so too will they increase the speed of technical security debt.

Even our preliminary test with ChatGPT in April revealed it will generate very basic mistakes that could have devastating consequences. When we asked it to build a login routine in PHP using a MySQL database, functional code was generated quickly. However, it defaulted to storing passwords in plaintext in a database, storing database connection credentials in code, and using a coding pattern that could result in SQL injection (although, it did do some level of filtering on the input parameters and spitting out database errors). All rookie errors by any measure:

    

Source: Pieter Danhieux and Matias Madou

Further prompting ensured the mistakes were amended, but it takes significant security knowledge to course-correct. Unchecked and widespread use of these tools is no better than unleashing junior developers onto your projects, and if this code is building sensitive infrastructure or processing personal data, then we're looking at a ticking time bomb.

Of course, just like junior developers undoubtedly increase their skills over time, we expect AI/ML capabilities to improve. A year from now, it may not make such obvious and simple security mistakes. However, that will have the effect of dramatically increasing the security skill required to track down the more serious, hidden, non-trivial security errors it will still be in danger of producing.

**We Remain Ill-Prepared to Find and Fix Security Vulnerabilities, and AI Widens the Gap**

While there has been much talk of "shifting left" for many years, the fact remains that, for most organizations, there is a significant lack of practical security knowledge among the development cohort, and we must work harder to provide the right-fit tools and education to help them on their way.

As it stands, we're not prepared for the security bugs we already encounter, not to mention the new AI-borne issues like prompt injection and hallucination squatting that represent entirely new attack vectors that are set to take off like wildfire. AI coding tools do represent the future of a developer's coding arsenal, but the education to wield these productivity weapons safely must come now.

When It Comes to Secure Coding, ChatGPT Is Quintessentially Human

A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Newbie Akira Ransomware Builds Momentum With Linux Shift

Two Mideast nations that were at odds until recently have announced the "Crystal Ball" project, aimed at better protecting against cyberattacks via collaboration and knowledge sharing.

In a watershed moment for two once-fractious regional neighbors, the United Arab Emirates (UAE) and Israel are to work together on a threat intelligence-sharing platform to battle cybersecurity threats.

Announced this week, the “Crystal Ball” project is a digital platform for detecting and repelling hackers via collaboration and knowledge sharing around national-level cyberthreats. It was described as being enabled to "design, deploy and enable regional intelligence enhancement," according to a presentation slide seen during this week's Tel Aviv Cyber Week.

The project will be backed by Microsoft, Israel's Rafael Advanced Defense Systems, and Abu Dhabi's CPX, and an unspecified number of countries will also participate, according to The Circuit.

**The Need for a Joined-up Response**

Emirati cybersecurity chief Mohamed Al Kuwaiti said the platform will enable partner countries to "easily and seamlessly share information," and will be strengthened by the combination of the countries' joint abilities, processing power, and a high volume of data.

In an address to the Cyber Week conference, Al Kuwaiti said, "Cyber threats do not distinguish between nations, do not distinguish between entities or people, and that is why we need to unite against those threats. The Crystal Ball that we are aiming for the whole community will be the first step toward that."

Nadir Izrael, co-founder and CTO of Armis, says he welcomes the joint effort in the Middle East because he is "a strong believer that nations need to work together to develop a comprehensive and effective response to cyber warfare, in order to build a more secure and resilient world."

He adds: "As we saw with the cyberattacks on Israel this late April, coordinated efforts from groups associated with Iran and Russia are looking to increase geopolitical tensions and create instability amongst citizens. In a world that has become polarized, it is a must to invest in cybersecurity measures to protect whole nations from these kinds of attacks."

Izrael also noted that the Crystal Ball project should be a model for others. "Governments and organizations need to take threats seriously, and allocate resources to build robust and resilient cybersecurity systems," he says. "Those advanced systems will allow for threat intelligence, which can help detect malicious behavior and stop an attack even before it happens."

**Improved Diplomatic Relations**

Al Kuwaiti said the UAE's connection with Israeli tech companies has been especially helpful in his country's transition to a digital economy, after the UAE and Israel normalized diplomatic relations as part of the September 2020 Abraham Accords, leading to the bolstering of both commercial and strategic ties between the countries.

Ryan Westman, senior manager of threat intelligence at eSentire, says the collaboration of threat intelligence sharing between Israel and the UAE will be key to better securing the region. "In general, any information-sharing agreement will likely benefit organizations in the countries covered, as the more insights we have on threats and vulnerabilities to organizations, the better the job we can do at responding to those the risk those threats and vulnerabilities present," he says. "By sharing information on those threats and vulnerabilities, the easier it is for security teams to respond to the risks." 

He notes that while information sharing and analysis centers (ISACs) have existed for some time now and are not novel, the collaboration between two states that used to be at geopolitical odds is notable.

"Partnerships like this can have a wider impact, improving the security posture for everyone, because it makes it easier to detect potential issues in the wider threat landscape," he says. "Working together in this way benefits everyone, whether they are in the two countries concerned or in others within the region."

UAE, Israel Ink Pivotal Joint Cyber-Threat Intelligence Agreement

Swiss intelligence warns that Russia ramping up cyberattacks on infrastructure and cyber espionage as on-the-ground options evaporate.

Russia's diminishing position on the world stage has limited its physical options on the ground both for kinetic attacks and traditional spycraft — leaving Putin's regime increasingly reliant on cybercrime to carry out its oppositional activities against Ukraine and the rest of the West.

Switzerland's Federal Intelligence Service (FIS) released its 2023 security assessment on June 26 predicting that Russia will increasingly launch cyberattacks on critical infrastructure as part of its war strategy not just in Ukraine, but against NATO member states as well.

It also pointed to Moscow's dwindling human spy apparatus — and few options for shoring it up — as driving an uptick in cyber activity.

**Russia's Cybercrime Spree, a Spark for WWIII?**

Although neutral Switzerland maintains some distance from the direct impact of Russian cyberattacks, the FIS is concerned about follow-on affects within its borders.

Worryingly, the report assesses that cyberattacks on NATO-member state infrastructures could ultimately trigger the North American Treaty's Article 5 commitments to join in war against any nation that attacks a member state. The FIS added that NATO has suggested in the past that a cyberattack on critical infrastructure could, in fact, be considered a trigger under Article 5, kicking off a third world war.

In late March, evidence was leaked by Russian contractor NTC Vulkan detailing how Russian intelligence agencies use private companies to launch cyber threat campaigns across the world. The documents included materials for trainings run by Vulkan on how to takeover railroads and power plants.

Cyber threats to critical infrastructure fall into two categories, according to the FIS report: direct cyber attacks against infrastructure; and ransomware attacks that could potentially hobble supply chains.

"Attacks against critical infrastructure have widespread impacts," Timothy Morris, chief security advisor with Tanium tells Dark Reading. "Damage can run the gamut from disruptive inconveniences to economic stress to catastrophic life altering or threatening impacts. Also, collateral damage can happen with cyberattacks, as often happens with kinetic warfare."

Dangerously, throughout the Russian war against Ukraine, many ransomware attacks against infrastructure are being carried out by non-state actor threat groups, making their actions often unpredictable. Erratic behavior by a threat group not directly affiliated with the Russian state could cause a miscalculation in attributing a cyberattack, or prompting unnecessary escalation of hostilities," the FIS warned.

"The activities of non-state actors engaged in the war are still the main problem," the report said. "The threat and the unpredictability which such activities give rise to should not be underestimated, even if these threat actors have so far attracted more attention by announcing their intentions that by carrying them out."

The challenge in protecting critical infrastructure across multiple nations is a lack of common rules, according to John Anthony Smith, CEO of Conversant Group. 

"There are widely varying degrees of cyber defenses in place across these critical infrastructure sectors and entities, since the entities protecting critical infrastructure as well as providing oversight include both private and public sector organizations: no one agency or institution provides guidance, rules, or controls on how cybersecurity is conducted, tested, and configured," Smith explains.

**Russian Cyberespionage Supplants Real Spies**

Russian cyber threat actors are also increasingly responsible for gathering intelligence in lieu of actual human operatives on the ground, according to the report. The FIS noted that the phenomenon dates as far back as 2018 and the attempted murder of Sergei Skripal, a former Russian intelligence officer living inside the UK and acting as a double agent for the West.

The poisoning started an expulsion of Russian diplomats and intelligence officers from throughout the world that has continued in force since the invasion of Ukraine in February 2022. Mistrust of Russian diplomats, many of whom were declared _persona non grata_ by Western governments, will have a hard time recruiting and developing new sources and operating for years to come, the FIS added — meaning that cyber espionage and advanced persistent threats will have to fill the gap.

"The Russian leadership's war of aggression against Ukraine has made the work of its intelligence services more important, but at the same time has made it harder to operate," the FIS report said.

Callie Guenther, cyber threat researcher with Critical Start noted in response to the FIS assessment that the correlation between expelling spies and increased cyber espionage would be difficult to verify but sounds reasonable.

"While there's no direct evidence linking the expulsion of spies to an uptick in digital espionage, it's plausible that countries compensate for lost physical assets by enhancing their cyber intelligence efforts," Guenther tells Dark Reading. "Increased digital espionage poses significant threats, potentially disrupting vital infrastructure and leading to serious societal and economic consequences, compromising national security, and even triggering an act of war."

**Russian Intelligence Eyeing AI and Machine Learning**

The increasing digitization of information coupled with the capabilities of artificial intelligence and machine learning will lure cyberattackers to massive stashes of data stored by organizations like financial services providers, social media platforms, hotels, and critical infrastructure operators, the FIS warned.

The promise of accessing this breadth of sensitive data is also driving investments in AI and ML cyber threat intelligence capabilities by Russia, as well as by China and Iran, the FIS added.

Troves of stolen sensitive data could be used in a variety of ways by authoritarian governments, including to harass and intimidate opposition activists, interfere in elections, circumvent sanctions to buy and sell goods, and more the FIS report added.

Democracies are urged by the FIS to get ahead of Russian, Iranian, and Chinese intelligence services' implementation of espionage AI and ML tools by starting to regulate now.

"For states governed by democracy and the rule of law, this means, among other things that there is an urgent need to legislators and supervisory bodies to take a detailed look at the use of these capabilities," the report said.

It's incumbent on the cybersecurity community to be aware of the emerging cybersecurity tools used in warfare, Darren Guccione, CEO of Keeper Security, explains to Dark Reading about the FIS assessment.

"Cybersecurity is both national and international security, and must be prioritized as such," he says. "In the digital age, it's clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyberattacks to both support and supplement physical attacks."

Russian Spies, War Ministers Reliant on Cybercrime in Pariah State

Enterprises can now integrate 1Password with Duo, OneLogin, JumpCloud, Ping Identity, and more.

**TORONTO****,** **June 28, 2023** **/PRNewswire/ --** 1Password, the leader in human-centric security and privacy, today announced the availability of Unlock with Single Sign-On (SSO) for additional identity providers with the new generic OpenID Connect (OIDC) configuration for 1Password Business. Business customers can now integrate 1Password with more identity providers like Duo, OneLogin, JumpCloud, and Ping Identity, to strengthen their existing security infrastructure, enforce stronger and auditable security policies from their identity provider, and allow employees to easily access their passwords and sensitive information.

"While the single sign-on provider protects logins for approved apps that are specifically added to them, 1Password protects virtually everything else," said Steve Won, chief product officer at 1Password. "Making the easy thing the secure thing is at the core of everything we do, and unlocking 1Password with SSO benefits IT teams, employees, and businesses in that regard. Enterprises can continue to secure their employees, no matter how they need to sign in."

The OIDC identity protocol is a modern, secure identity layer built on top of the OAuth 2.0 protocol. It is simpler, more flexible, and includes support for native and mobile applications. Building a generic OIDC configuration has allowed 1Password to offer secure support for many providers at once using the same underlying zero-knowledge architecture, encryption, and trusted device model as Unlock with Okta and Azure AD.

*   **Unlock 1Password with your SSO identity provider**: Vaults can now be unlocked with a single click via SSO, with zero-knowledge architecture and end-to-end encryption.
*   **Set fine-grained permissions and customizable access controls**: Pair 1Password with existing identity and access management (IAM) infrastructure to simplify adoption, enable secure sharing, and strengthen auditing, compliance, and reporting workflows.
*   **Easy, secure access to passwords and sensitive information**: 1Password's integration with additional identity providers allows employees to authenticate 1Password without an account password and access their vaults in a single click.

"Unlocking 1Password with single sign-on has been a game changer for our organization. We pride ourselves on maximizing security and minimizing friction for our users, and with this capability, we've accomplished both of these goals," Jason Waits, CISO at Inductive Automation. "By eliminating the need to remember a separate password for 1Password, we've made it easier for our employees to access their accounts so they can get their jobs done without compromising security. Streamlining the login process is a win for both the security team and our employees."

The news comes on the heels of Unlock with Okta and Azure earlier this year. Effective today, 1Password Business customers can unlock 1Password with identity providers that support generic OpenID Connect. For more information, visit our website.

**About 1Password** 

1Password's human-centric security keeps people safe at work and at home. Our solution is built from the ground up to enable anyone – no matter their level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning security platform is reshaping the future of authentication, including passwordless. 1Password is trusted by over 100,000 businesses such as IBM, Slack, Snowflake, Shopify, and Under Armour and protects the most sensitive information of millions of individuals and families across the globe. The company's ultimate goal is to help consumers and businesses get more done in less time – with security and privacy as a given. Learn more at 1Password.com.

SOURCE 1Password

1Password Launches Unlock With Single Sign-On for OIDC-Supported Identity Providers

Generative AI chatbots like ChatGPT are the buzziest of the buzzy right now, but the cyber community is starting to mature when it comes to assessing where it should fit into our lives.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

6 Ways Cybersecurity Is Gut-Checking the ChatGPT Frenzy

The popular package manager for software developers has been vulnerable to this attack vector for a while, and negligent in fixing the problem, according to a former employee.

A weakness in Node Package Manager (npm) could allow anybody to hide malicious dependencies and scripts within their packages, a former GitHub employee claims.

Npm is owned by GitHub and is used for JavaScript code sharing, serving more than 17 million developers. It's the world's largest software registry, containing more than 2 million packages, according to the website.

In blog post on June 27, Darcy Clarke, former staff engineering manager for npm's command line interface team, detailed a weakness in the site he named "manifest confusion."

The "confusion" arises from the fact that npm doesn't validate the metadata associated with any given package, theoretically enabling any publisher to hide certain information about their packages, including the scripts it runs and the dependencies on which it relies.

**What Is Manifest Confusion?**

Npm — and other repositories like it — has been under pressure in recent months, with more and more hackers devising novel methods to poison packages and spread their malware through the code supply chain.

Not all credit goes to the hackers, though — some npm security risks arise from the way the platform itself works, as with its lagging efforts against typosquatting, and, now, manifest confusion, Clarke said.

The problem is that npm doesn't automatically cross-reference a package's "manifest" — what users first see when they visit a package on the site — against its package.json, the standard file describing its contents. Both the manifest and package.json contain metadata including, crucially, what scripts and dependencies the package runs on.

It stands to reason, then, that they should agree with one another, but a publisher can simply manipulate a package's manifest, and npm won't notice. As a case in point, Clarke created an npm package with a manifest stripped of any evidence of the dependencies in its package.json.

Theoretically, hackers could do the same with their own packages, in order to conceal the existence of malware from unwitting software developers.

**Why npm Doesn't Validate**

Clarke posited an historical precedent for manifest confusion. "Before the node ecosystem became what it is today," he wrote, "the number of people contributing to the corpus of software you trusted to use and download was very small. With a smaller community, you have more trust, and even as the npm registry was being developed, most aspects were open source and freely available to be contributed to and code inspected."

Even today, "various references in docs.npmjs.com \[point\] to the fact that the registry stores the contents of package.json as the metadata — and nowhere does it mention that the client is responsible for ensuring consistency," Clarke explained.

Exactly why the system works this way isn't clear. At the time of publication, GitHub had not responded to Dark Reading's request for comment.

"\[Who knows\] the real reasons they chose to do validation client-side versus server-side?" says Mike Parkin, senior technical engineer at Vulcan Cyber. "It seems they chose to lean toward easier organic growth versus a path that would have given more security but would have impacted ease of use."

**No Signs Manifest Confusion Will Be Fixed Soon**

According to Clarke, GitHub has been aware of the manifest confusion weakness since at least Nov. 4 last year, and Clarke himself submitted a report on it March 9. However, "GitHub closed that ticket and said they were dealing with the issue 'internally' on March 21st," he lamented in his posting. “To my knowledge, they have not made any significant headway, nor have they made this issue public.”

But "GitHub is understandably in a tough spot," he acknowledged. "The fact that npmjs.com has functioned this way for over a decade means that the current state is pretty much codified."

Clarke, it may be noted, is the founder of an alternative website for JavaScript packages, vlt.

With no solution in sight, it will be up to developers to make sure they're not downloading anything they don't realize is in a package. Clarke recommended that developers rely only on the metadata indicated by the package's contents, not its manifest, to account for any potential discrepancies.

To Parkin, taking care around third-party code needs to be mandatory practice for any developer and organization. "That's especially true with obscure libraries, or older ones that haven't seen a lot of active development and may have been orphaned, or libraries that were recently added," he says. "While none of those factors are immediate red flags that would preclude using them in a project, they are factors that make vetting the sources even more important."

It doesn't have to be difficult, though — plenty of vendors have been working on this problem for a while.

"There are automated tools that can scan code for unusual features and obvious exploits, and those tools need to be part of the developer's toolkit," Parkin says, pointing to OWASP's list of source code analysis tools.

"Validating your packages should not be an optional step," he concludes. "Instead, it should be built into any coding project that relies on third party libraries. Full stop."

Npm Plagued With 'Manifest Confusion' Malware-Hiding Weakness

With at least 13,000 compromised devices in the data leak, it is still unknown who the threat actor is or whether or not victims will be personally notified.

LetMeSpy, an Android phone-tracking company that has been used to track more than 236,000 phones, was hacked on June 21, resulting in threat actors gaining unauthorized access to its users' data dating as far back as 2013.

The hack was discovered by a Polish security research team at Niebezpiecznik, which contacted the maker of the spyware app — but the researchers instead received a response from the threat actor, suggesting the person had taken over the LetMeSpy domain. It is unknown who the threat actor is or what the motives are. 

The phone-tracking app, designed to be hidden from the home screen of a phone in order to remain undetected, was created for and marketed toward parents to control the phone usage of minors and for employers to monitor employees. But the app can also be used in more malicious and threatening "stalkerware" ways, such as an abusive spouse planting the app in a partner's phone, allowing access to any data the stalker deems necessary. Once the app is downloaded, it uploads information — including texts, call logs, and location data — so that an individual can be tracked to a precise location.

**Target for Leaks and Hacks**

Because they have a deep level of accessibility into phone, these types of apps are targets for leaks and hacks.

"The database we reviewed contained current records on at least 13,000 compromised devices, including detailed phone records, though some of the devices shared little to no data with LetMeSpy (LetMeSpy claims to delete data after two months of account inactivity)," stated TechCrunch, which obtained a copy of the leaked data.

LetMeSpy has stated that it has notified law enforcement and its local data protection authority, UODO, but it is unknown as to whether or not it will be notifying victims who have compromised phones.

LetMeSpy Phone-Tracking App Hacked, Revealing User Data

Because social engineering usually succeeds, companies need to test whether their defenses can block adversaries that gain employees' trust.

When Alethe Denis conducts a social engineering attack as part of a red team exercise, the Bishop Fox security consultant often presents the targets with the exact email template that her team intends to use — such as a dress-code missive from human resources — and yet the attack almost always succeeds.

"They've literally seen the email template, and I've highlighted the fact in my training that HR-based pretexts are extremely common and incredibly successful — 'Here's an example of a dress-code e-mail template,'" she says. "And they go, 'Yes, yes, yes.' And then on the day that I send the campaign, at least one person clicks."

Pretext attacks and phishing have taken off as attackers have come to rely on them as an effective approach to compromising businesses, with about one in every six attacks including a social engineering component, according to Verizon's recently released "2023 Data Breach Investigations Report" (DBIR). For that reason, social engineering has also become a necessary part of red team exercises and penetration tests, and more providers are expanding their service offerings. Bishop Fox, for example, announced on June 28 that the firm had expanded its red team offerings to include social engineering attack emulation, more in-depth reporting on human-focused attacks, and the ability for customers to "ride along" to both learn from and oversee any exercises.

The goal is not only to show the potential threat that the social engineering vector poses for initial access, but to highlight how companies can react effectively following a successful attack, Denis says.

"We don't rely simply on testing humans when we're conducting social engineering," she says. "Our goal is to understand the weaknesses and then make recommendations that would allow the organization to put technical controls in place to prevent phishing and social engineering."

The shift is another way that today's red team engagements and penetration testing differ from those of a decade ago. Consultants are more focused on emulating the attackers, not just outfoxing the defenders and finding the easiest way to a business' crown jewels. In addition, penetration testing is more integrated with other security tools, such as those used by security operations centers and application security teams. And because more companies have grown accustomed to crowdsourcing, penetration-testing services now offer more frequent engagements.

**Understanding the Impact of Social Engineering**

By including social engineering in a penetration-testing engagement, companies gain the opportunity to learn about specific weak points in their training and environments, such as lax security protocols and a lack of security awareness among employees, says Chris Scott, managing partner at Unit 42 at Palo Alto Networks.

"These tests are more than just seeing if an attack could succeed, but also to discover how it could succeed within your environment," he says. "Social engineering is part of the early phases of an attack, and being able to detect and respond to these attacks is key to limiting their impact."

Attackers continue to gather more passive intelligence on their targets, prior to an attack, according to experts. While a penetration test can help you discover easily exploitable vulnerabilities, focusing on social engineering tactics will make it that much harder for an attacker to succeed, says Andrew Obadiaru, chief information security officer at crowdsourced pen-testing service Cobalt.

"Threat actors understand what motivates people to enter their credentials, reply to an email, or click a link," he says. "Mitigating endpoint security, such as social engineering, is important because it shows how people react to urgent situations and whether or not they are willing to disclose personal or intellectual information."

**Purple Is the New Black**

The ultimate reason to add social engineering to a red team exercise or penetration-testing engagement is to allow companies to uncover the unexpected ways that an attacker could parlay a simple email message into a significant compromise. Conducting tabletop exercises internally has its limits, says Erich Kron, a technical evangelist at security awareness firm KnowBe4.

"Testing yourself for vulnerabilities is a lot like grading your own homework, so it is important to have an outside view and approach to finding vulnerabilities in your organization," he says.

Thus, the "purple team" approach — where penetration testers, or red teams, work with the internal security team, or blue team — is critical, Kron adds.

"A penetration test that provides the organization with a list of vulnerabilities is far less useful than coordinating with the defensive team so they understand the vulnerabilities and how to mitigate them," he says.

Overall, companies need to make sure that their security operations can respond in the right way to a successful social engineering attack and find ways to prevent the initial compromise. Putting rules in the browser that prevent people from visiting newly registered domains and rolling out multifactor authentication are two good ways for businesses to harden their IT environments against social engineering, Bishop Fox's Denis says.

"Regimented, compliance-driven phishing exercises are great to support training efforts and security awareness training to help individuals identify when they're being manipulated," she says. "But while they're great for training purposes, they should not be relied upon for protection of the organization against social engineering."

Source

DARKReading