Zero trust is useful in some situations, but organizations should not be trying to fit zero trust everywhere. In some cases, identity-based networking is an appropriate alternative.

People like to tout NIST’s SP 800-207 \[Zero Trust Architecture\] as the hot new thing, but the fact is, zero trust network models have been around for over a decade. Google took zero trust way past the proof of concept stage with its BeyondCorp model, and by the time 2010 rolled around, the company had the most functional zero trust network on the planet.

Fast forward a dozen years, and zero trust is once again the _craze-de-jour_ of the cybersecurity industry. The question is: _Should_ it be?

Zero trust isn’t the silver bullet that many it is, and zero trust shouldn’t be the new normal.

**What's the Problem with Zero Trust?**

Briefly: Zero trust presumes that no network connection, internal or external, can be trusted. Every user authenticates with multi-factor, every system’s authentication is reverified multiple times on the network, and the default access policy for everything is ‘deny’.

The primary methods of establishing and maintaining zero trust are micro-segmentation, overlay networks, enhanced identity governance, and policy-based access controls.

Setting aside the issues and the expense associated with incorporating zero trust into an existing network, the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesn’t coexist well with zero trust.

This is where we see a lot of hand waving on how to make things work. The compromises, the shortcuts, and the sacrifices that organizations wind up making to allow federation under a zero trust model should give pause to even the most hardcore CIO.

But more to the point, the problem with zero trust is that humans don’t work in a zero trust manner, and for a good reason. It’s a waste of time and resources to re-validate someone’s identity over and over again when they haven’t even left the room. Our human trust cycle relies on logic, probability, and casual observation to establish and track the identities within an observable range. Interactions with low or no trust tend to be seen as low value, or even hostile.

So what kind of trust model can fully incorporate federation, and emulate more human and relatable trust cycles?

**What About Identity-First Networking?**

To usefully emulate the kind of ‘informed trust’ model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk.

That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Think of it as federation taken to an entirely new level. Or perhaps, a new _layer_. Identity is established at the network transport layer. This means that some of the most traditionally difficult resources to secure (databases, container clusters, etc.) can have their access levels centrally managed by integrating them with a trusted identity provider.

Identity is inextricably intertwined with the concept of trust. All network activity is automatically identity indexed, which means usage patterns are easy to track, and any attempts at unauthorized access are immediately flagged up. If a user or process tries to access something unusual, they’ll stick out like a sore thumb. DNS filters do most of the heavy lifting.

The risk of identity forging is greatly reduced, because the ID provider acts as the one true source of knowledge. The attacker would need the ID provider’s root certificate in order to be effective, a highly unlikely circumstance.

Computationally, this process is far less expensive than zero trust. In the case of zero trust, the work of checking and rechecking authentication several times during any given transaction adds up. In the case of identity-first, the packet doesn’t make it through the front door (or any doors in between as far as internally forged packets are concerned) without the right identity and attached permissions.

Multi-factor authentication is required for identity-first networking, but that’s hardly a bad thing in this day and age. The incorporation of identity-first makes VPNs redundant, which is only a sad story for the VPN providers.

**Zero Trust Should Not Be All-Encompassing**

There are places where zero trust is entirely appropriate. There are certainly government, national defense, and financial sector applications where zero trust shines.

But unless you’re creating your network from scratch, zero trust requires some expensive retooling to fully implement. This makes it inappropriate for many SMEs, as well as any organization that would rather adopt a model based on heavy federation.

In theory, the expense of zero trust is balanced out by the lower cost per security breach. But if a method such as identity-first networking can get the job done, there’s a new cost to benefit analysis that needs to be made on a per-organization basis.

Zero Trust Shouldn’t Be The New Normal

New features bring greater visibility and context into SaaS applications access and activity.

**NEW YORK****,** **Dec. 15, 2022** **/PRNewswire/ --** Axonius, the leader in cybersecurity asset management and SaaS management, today announced the release of two new capabilities within Axonius SaaS Management to help organizations better understand their overall SaaS application risk. Behavioral Analytics and SaaS App-to-Device Correlation allow IT and security teams to gain added visibility and context into the users and devices accessing SaaS applications, and whether suspicious activity is occurring for critical SaaS apps.

SaaS continues to represent an ever-expanding component of an organization's attack surface. Not only does the increase in adoption of SaaS applications change IT and security operations, it also adds new role and skill expectations for IT and security team members – like using already scarce resources to track organization SaaS app utilization and identify misconfigured SaaS settings potentially exposing sensitive data. All of this adds to more complexity and can have a profound impact on an organization's security posture.

"A lot of sensitive data is stored in and shared between SaaS applications, and oftentimes, it's very difficult to understand which users and devices have access to those applications," said Amir Ofek, CEO of AxoniusX, the innovation unit of Axonius. "For IT and security teams tasked with protecting their organization's entire SaaS app stack, they need the right information to help them better understand the who, the what, and the how of SaaS app usage. These new capabilities within our SaaS management solution will bring necessary context to the questions surrounding SaaS security."

**SaaS App-to-Device Correlation**

SaaS App-to-Device Correlation helps understand if unmanaged and unauthorized devices are being used to access various SaaS apps. By leveraging Axonius Cybersecurity Asset Management and its hundreds of adapters across the technology stack, Axonius SaaS Management will now automatically correlate each SaaS user to their associated devices and provide a more comprehensive view of an organization's security posture. Organizations will now have visibility into unmanaged or unauthorized devices accessing SaaS apps, and be able to decrease the risk of data loss.

"SaaS App-to-Device correlation ultimately helps organizations contextualize their SaaS application data," continued Ofek. "Using both Axonius Cybersecurity Asset Management and SaaS Management products, organizations gain a more complete view of their device security posture than they might receive with standalone integrations. No other solution on the market today can offer this much comprehensive and rich data."

**Behavioral Analytics** 

Over the past year, we've seen an increase in data breaches originating from SaaS applications. For example, the Okta breach in early 2022 demonstrated how one compromised SaaS application can often have a domino effect throughout an entire organization.

By adding Behavioral Analytics capabilities within Axonius SaaS Management, organizations will gain visibility into user behavior within SaaS applications over time – and be able to detect any anomalies or suspicious activity that could pose organizational risk. The solution aggregates log data across various sources, including Okta, Microsoft Azure AD, and Google Workspace, to identify suspicious activity, events, and complex behavioral patterns. As a result, Axonius helps facilitate in-depth investigations by the incident response and SOC teams within the organization.

Beyond identifying suspicious behavior, the behavioral analytics capability can help organizations investigate temporary privileges granted for existing users, identify anomalous login activities that deviate from the user's normal activity and other baselines, minimize data theft or leakage of confidential data, and more.

"These latest developments and the integration of the Axonius Cybersecurity Asset Management and SaaS Management products ensure comprehensive visibility and further correlation across SaaS applications, devices, cloud services, and users in an organization's environment, streamlining efforts to reduce the attack surface amidst an increasingly complex cyber landscape," said Ofek.

To learn more about these latest capabilities and to better understand how Axonius can help you control complexity across your entire IT environment, visit the website or request a demo.

**About Axonius**

Axonius gives customers the confidence to control complexity by mitigating threats, navigating risk, automating response actions, and informing business-level strategy. With solutions for both cyber asset attack surface management (CAASM) and SaaS management, Axonius is deployed in minutes and integrates with hundreds of data sources to provide a comprehensive asset inventory, uncover gaps, and automatically validate and enforce policies. Cited as one of the fastest-growing cybersecurity startups, with accolades from CNBC, Forbes, and Fortune, Axonius covers millions of assets, including devices and cloud assets, user accounts, and SaaS applications, for customers around the world. For more, visit Axonius.com.

SOURCE Axonius

Axonius Bolsters SaaS Management Offering With New Behavioral Analytics and SaaS User-Device Association Capabilities to Help Teams Address SaaS Application Risk

InfraGard's members include key security decision-makers and stakeholders from all 16 US civilian critical-infrastructure sectors.

A hacker using the handle "USDoD" has reportedly stolen contact information on more than 80,000 members of an FBI-run program called InfraGard and put the information up for sale on an English-speaking Dark Web forum.

The information the hacker accessed from InfraGard's database appears to be fairly basic and in some cases does not even include an email address, according to KrebsOnSecurity, which first reported on the incident this week. But the information belongs to CISOs, security directors, IT and C-suite executives, healthcare professionals, emergency managers, and law enforcement and military personnel directly responsible for protecting US critical infrastructure.

**A Potentially Valuable Asset**

As such, the stolen data represents a valuable asset for adversaries, says former InfraGard member Chris Pierson, currently CEO of BlackCloak, an online privacy-protection service for top executives and corporate leaders.

"The InfraGard database of contacts is a big win for any intelligence agency or nation-state to possess," Pierson says. The compromised data is nowhere close in sensitivity compared to major breaches such as the one that the US Office of Personnel Management (OPM) disclosed in 2015. Still, it is very practical and easy to use from an attacker's perspective, he says.

"While much of the information may be public or publicly available, the condensing of this information into the key people who run our nation's critical infrastructure is immensely valuable," Pierson notes. Personal addresses, personal cell phones, and easy access to which members possess a security clearance are all key pieces of data for an adversary to have, he says.

The FBI describes InfraGard as an initiative to bolster the nation's collective ability to defend against physical and cyber threats to critical infrastructure targets. It basically connects the FBI directly with critical infrastructure owners, operators, and security stakeholders. Its members include key security personnel and decision-makers from all 16 US civilian critical infrastructure sectors.

According to KrebsOnSecurity, the hacker "USDoD" gained access to the InfraGard database by first applying for a new account using the name, date of birth, and Social Security number of a chief executive officer at a large financial services company. The hacker apparently applied for InfraGard membership in November and provided an attacker-controlled email address and the actual phone number of the CEO, as contact information.

**An Opsec Lapse?**

Though InfraGard was supposed to have vetted that information, they never did and instead approved the application based on the information that the hacker had provided, KrebsOnSecurity reported. Similarly, though accessing InfraGard's portal requires two-factor authentication, the hacker found he could use the email address as a second factor instead — thereby obviating the need for access to the real CEO's phone.

Once on the portal, the attacker discovered that InfraGard user information could be relatively easily accessed via an API built into several components on the website, KrebsOnSecurity said, citing a direct conversation with the attacker. The hacker then apparently got a friend to code a Python query for retrieving all available InfaGard member information via the API. KrebsOnSecurity quoted the attacker as setting an asking price of $50,000 for the stolen dataset, but not really expecting any buyers at that price because of the basic nature of the information.

InfraGard member Will Carson, director of IT and cybersecurity at Cybrary, expressed frustration over the incident. “As an InfraGard member, it certainly isn't great to hear your information may have been disclosed from a news outlet before you hear from the impacted organization," he said in a statement responding to the news. He expressed disappointment over being unable to log into his InfraGard account after the apparent breach.

"Although I have full faith InfraGard leadership has a stronger grasp of the facts than I do from the outside, the radio silence to date makes me uneasy as a potentially impacted professional," he says.

The FBI did not immediately respond to a Dark Reading request for comment submitted via email to its press office.

Stolen Data on 80K+ Members of FBI-Run InfraGard Reportedly for Sale on Dark Web Forum

Facebook's parent company has also expanded bug-bounty payouts to include Oculus and other "metaverse" gadgets for AR/VR.

Facebook parent Meta will pay up to $300,000 to security researchers who report exploitable remote code execution (RCE) vulnerabilities in the Android and iOS versions of Facebook, Messenger, Instagram, and WhatsApp.

The actual amount will vary depending on the amount of user interaction — measured in "clicks" — to trigger the flaw. To qualify for the maximum payout, a security researcher would need to include working proof-of-concept code for exploiting the flaw in any of the current or previous two versions of Android or a currently supported version of Apple's iOS.

**Updated Payout Guidelines**

In addition to the updated guidelines for mobile RCE, Meta this week also released new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities. 

The maximum payout for a 2FA flaw is $20,000, while that for an ATO vulnerability is $130,000. Here again, the actual payout will depend on the ease with which an attacker can exploit a vulnerability. For instance, a researcher who reports and demonstrates an exploitable zero-click authentication bug can garner the $130,000 payout, while a one-click ATO will fetch a $50,000 reward.

The company also introduced new payout guidelines for bugs reported in its Meta Quest Pro and other virtual reality (VR) technologies, making Meta one of the first companies to set rewards for vulnerabilities in VR and mixed-reality devices.

Meta's updated payout guidelines for mobile RCE bugs and its new rewards for ATO and authentication bypass flaws are the latest tweaks to the company's nearly 11-year bug-bounty program. Under it, Meta has so far paid some $16 million to freelance researchers from around the world who have reported bugs in its online platforms.

The latest changes are part of the company's effort to ensure that the bug bounties Meta offers and the products that are covered under the program remain aligned with evolving threats, says Neta Oren, the security engineer who leads Meta's bug-bounty initiative.

"Every year, we continue to learn new things about how to best engage with the community and adjust our program to address some of the most impactful areas in evolving spaces," Oren says. "Our program has grown from just covering Facebook's Web page in 2011 to now cover all of our Web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace, and more."

**Crowdsourced Cybersecurity**

Meta's bug-bounty program is similar to those of the hundreds of other companies that have implemented crowdsourced vulnerability-hunting programs in recent years. Many security experts consider these programs as a relatively cost-effective way of finding vulnerabilities that internal security teams might have missed. The programs give ethical hackers a structured way to find and report vulnerabilities they might discover on a website or Web application — and receive a reward for their effort.

Many of these programs include Safe Harbor clauses that exempt security researchers working under the bug-bounty program from legal liability for their research. For vendors, the programs offer a way to get top-notch security researchers to essentially conduct penetration tests on their platforms in a relatively cost-effective manner. Importantly, it also gives them a better shot at ensuring that researchers report a vulnerability directly to them rather than disclosing it publicly before a fix is available, or worse, selling it to a gray-market purchaser.

Some, though, have cautioned about such programs collapsing under the volume of bug reports that researchers can submit, especially if the organization's security team isn't mature enough or ready enough to respond to them.

**Large Volume of Reports**

Since Facebook launched its bug-bounty program in 2011, the company has received more than 170,000 reports from bug hunters around the world. The company identified more than 8,500 of those reports to be valid vulnerability disclosures, for which it has paid a total of $16 million in rewards. 

So far this year, Meta has received some 10,000 reports from researchers in 45 countries and issued bounties totaling more than $2 million for 750 or so identified vulnerabilities. India, Nepal, and Tunisia topped the list of countries in terms of where bounties were awarded so far this year.

"One benefit of having a 10-plus-year bug-bounty program is that some of our researchers have dedicated years to hunting on our platform and have become extremely familiar with our products and services," Oren says. "These researchers are able to dig beyond surface-level issues and help us identify impactful but niche bugs that the broader community wouldn't necessarily know to look for."

One example of impactful-but-niche was an account takeover and 2FA bypass chain issue that a long-time security researcher reported this year in Facebook's phone number-based account recovery flow; the vulnerability could have allowed an attacker to reset passwords and take over accounts unprotected by 2FA. Meta awarded $163,000 for the discovery.

Meta Ponies Up $300K Bounty for Zero-Click Mobile RCE Bugs in Facebook

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Sweeping operation took down around 50 popular DDoS platforms, just one of which was used in 30M attacks, Europol says.

About 50 of the most popular platforms available for hire to launch distributed denial-of-service (DDoS) attacks against critical Internet infrastructure have been shut down, their operators arrested in a massive international law enforcement crackdown called Operation Power Off.

Europol, along with law enforcement from the UK, US, the Netherlands, Poland, and Germany participated in the takedown targeting DDoS-for-hire services, also called "booter services."

Seven administrators have been arrested, according to Europol's announcement, adding that just one of the services shut down by Operation Power Off was responsible for more than 30 million DDoS attacks.

"DDoS booter services have effectively lowered the entry barrier into cybercrime: for a fee as low as EUR 10, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic," Europol's announcement of the success of Operation Power Off said. "The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions and police forces."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Attack Platforms Shut Down in Global Law Enforcement Operation

Money-lending apps built using the Flutter software development kit hide a predatory spyware threat and highlight a growing trend of using personal data for blackmail.

An Android malware campaign dubbed MoneyMonger has been found hidden in money-lending apps developed using Flutter. It's emblematic of a rising tide of blackmailing cybercriminals targeting consumers — and their employers stand to feel the effects, too.

According to research from the Zimperium zLabs team, the malware uses multiple layers of social engineering to take advantage of its victims and allows malicious actors to steal private information from personal devices, then use that information to blackmail individuals.

The MoneyMonger malware, distributed through third-party app stores and sideloaded onto victims' Android devices, was built from the ground up to be malicious, targeting those in need of quick cash, according to Zimperium researchers. It uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme and promising quick money to those who follow a few simple instructions.

In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive a loan. These permissions are then used to collect and exfiltrate data, including from the contact list, GPS location data, a list of installed apps, sound recordings, call logs, SMS lists, and storage and file lists. It also gains camera access.

This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.

One of the new and interesting things about this malware is how it uses the Flutter software development kit to hide malicious code.

While the open source user interface (UI) software kit Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.

In this case, MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis, Zimperium researchers explained in a Dec. 15 blog post.

**Risk to Enterprises Stems from Wide Range of Data Collected**

Richard Melick, director of mobile threat intelligence at Zimperium, tells Dark Reading that consumers using money lending apps are most at risk, but by the nature of this threat and how attackers steal sensitive information for blackmail, they are also putting their employers or any organization they work with at risk, too.

"It’s very easy for the attackers behind MoneyMonger to steal information from corporate email, downloaded files, personal emails, phone numbers, or other enterprise apps on the phone, using it to extort their victims," he says.

Melick says MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.

"Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device," he says. "Victims of this predatory loan might be compelled to steal to pay the blackmail or not report the theft of critical enterprise data by the malicious actors behind the campaign."

Melick says that personal mobile devices represent a significant, unaddressed attack surface for enterprises. He points out that malware against mobile only continues to get more advanced, and without the threat telemetry and critical defense in place to stand up against this growing subset of malicious activity, enterprises and their employees are left at risk.

"No matter if they are corporate-owned or part of a BYOD strategy, the need for security is critical to stay ahead of MoneyMonger and other advanced threats," he says. "Education is only part of the key here and technology can fill in the gaps, minimizing the risk and attack surface presented by MoneyMonger and other threats."

It's also important to remember to avoid downloading apps from unofficial app stores; official stores, like Google Play, do have protections for users, a Google spokesperson emphasized to Dark Reading.

"None of the identified malicious apps in the report are on Google Play," he said. "Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious."

**Resurgence of Banking Trojans**

The MoneyMonger malware follows the resurgence of the Android banking Trojan SOVA, which now sports updated capabilities and an additional version in development that contains a ransomware module.

Other banking Trojans have resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by a joint international task force in January 2021.

Nokia's 2021 "Threat Intelligence Report" warned that banking malware threats are sharply increasing, as cybercriminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.

**Blackmailing Threats Expected to Continue in 2023**

Melick points out blackmail is not new to malicious actors, as has been seen in ransomware attacks and data breaches on a global scale.

"The use of blackmail on such a personal level, targeting individual victims, though, is a bit of a novel approach that takes an investment of personnel and time," he says. "But it is paying off and based on the number of reviews and complaints around MoneyMonger and other predatory loan scams similar to this, it is only going to continue."

He predicts market and financial conditions will leave some people desperate for ways to pay bills or get extra cash.

"Just as we saw predatory loan scams rise up in the last recession," he says, "it is almost guaranteed we will see this model of theft and blackmail continue into 2023."

Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps

It's time for on-the-record answers to questions about data destruction in cloud environments. Without access, how do you verify data has been destroyed? Do processes meet DoD standards, or do we need to adjust standards to meet reality?

These days, most big companies and many midsize ones have some form of a data-governance program, typically including policies for data retention and destruction. They have become an imperative because of increasing attacks on customer data and also state and national laws mandating protection of customer data. The old mind set of "Keep everything, forever" has changed to "If you don't have it, you can't breach it."

In some ways, managing data-retention policies has never been easier to implement in the cloud. Cloud vendors often have easy templates and click-box settings to retain your data for a specific period and then either move it to quasi-offline cold digital storage or straight to the bit bucket (deletion). Just click, configure, and move on to the next information security priority.

**Just Click Delete?**

However, I'm going to ask an awkward question, one that has been burning in my mind for a while. What really happens to that data once you click "delete" on a cloud service? In the on-premises, hardware world, we all know the answer; it would simply be deregistered on the disk it resides on. The "deleted" data still sits on the hard drive, gone from the operating system view and waiting to be overwritten when the space is needed. To truly erase it, extra steps or special software are needed to overwrite the bits with random zeros and ones. In some cases, this needs to be done multiple times to truly wipe out the phantom electronic traces of the deleted data.

And if you do business with the US government or other regulated entities, you may be required to comply with Department of Defense standard 5220.22-M, which contains specifics on data destruction requirements for contractors. These practices are common, even if not required by regulations. You don't want data you don't need any more coming back to haunt you in the event of a breach. The breach of the Twitch game-streaming service, in which hackers were able to gain access to basically all of its data going back almost to the inception of the company — including income and other personal details about its well-paid streaming clients — is a cautionary tale here, along with reports of other breaches of abandoned or orphaned data files in the last few years.

**Lack of Access to Verify**

So, while the policies are easier to set and manage in most cloud services versus on-premises servers, assuring it is properly done to the DoD standard is much harder or impossible on cloud services. How do you do a low-level disk overwrite of data on cloud infrastructure where you don't have physical access to the underlying hardware? The answer is that you can't, at least not the way we used to do it — with software utilities or outright destruction of the physical disk drive. Neither AWS, Azure, or Google Cloud Services offer any options or services that do this, not even on their dedicated instances, which run on separate hardware. You simply don't have the level of access needed to do it.

Outreach to the major services either was ignored or answered with generic statements about how they protect your data. What happens to data that is "released" in a cloud service such as AWS or Azure? Is it simply sitting on a disk, nonindexed and waiting to be overwritten, or is it put through some kind of "bit blender" to render it unusable before being returned to available storage on the service? No one, at this point, seems to know or be willing to say on the record.

**Adjust to New Reality**

We must develop a cloud-compatible way of doing destruction that meets the DoD standards, or we must stop pretending and adjust our standards to this new reality.

Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided. It would probably be cheaper than fees charged by some of the companies providing certified physical-destruction services.

Amazon, Azure, Google, and any major cloud service (even software-as-a-service providers) need to address these issues with real answers, not obfuscation and marketing-speak. Until then, we will just be pretending and hoping, praying some brilliant hacker doesn't figure out how to access this orphaned data, if they haven't already. Either way, the hard questions on cloud data destruction need to be asked and answered, sooner rather than later.

Data Destruction Policies in the Age of Cloud Computing

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

The feds' mobile service provider guidance details cybersecurity threat vectors associated with 5G network slicing.

A working group pulled together by the US National Security Agency (NSA) has issued a report outlining the cybersecurity threats related to mobile broadband 5G network slicing.

Network slicing allows operators to bring together several network attributes or components, potentially across multiple operators, that support specific applications or services for 5G users, the report explains. While efficient for delivering services, 5G network slicing casts a wide threat net that includes potential weak points in policy and standards, the supply chain, and more.

"Although network slicing is not solely unique to 5G, it is a critical component because 5G specifications call for network slicing as a fundamental component and therefore require network operators to adopt security practices that can mitigate threats like those described in this paper," the report said.

Potential threats include denial of service (DoS), man-in-the-middle (MitM) attacks, and configuration attacks, it added.

The NSA, along with the Cybersecurity and Infrastructure Security Agency (CISA), assembled members of the public and private sectors to address 5G slicing security concerns. The resulting 5G network slicing cybersecurity report looks toward how the architecture will play a role in enabling emerging technologies, including autonomous vehicles, and how to secure it.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading