The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

As described in its 10K filing for 2022, released Feb. 16, the company has been breached once every year since 2020 by the same set of cyberattackers, with the latest occurring just last December. It's worth also mentioning that the company has been the subject of earlier cyber incursions as well. The consequences to GoDaddy are one thing, but, more notably, the breaches have led to data compromises for more than 1 million of the company's users.

That may well be the key to why the bad guys keep coming back. Because of the nature of its business, GoDaddy is a connecting link to millions of businesses around the world. As Brad Hong, customer success lead at Horizon3ai puts it: "This is the equivalent of your landlord's office being left unlocked, giving a bad actor access to the keys to your house."

**GoDaddy's Three-Headed Breach**

While the world was coming to grips with COVID-19, thousands of GoDaddy customers had a second problem on their hands. In March 2020, the company discovered that an attacker had compromised the login details for a small number of their employees, as well as 28,000 of their hosting customers.

It was a harbinger of worse things to come.

In November 2021, a threat actor got their hands on a password that allowed them access to Managed WordPress, GoDaddy's hosting platform for building and managing WordPress sites. This case touched 1.2 million Managed WordPress customers.

There was yet more. In a statement published alongside its 10K, GoDaddy shared details of yet a third compromise.

"In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected," the company said. It turned out that an attacker had breached and planted malware on the company's hosting servers for cPanel, a control panel program for Web hosts. This malware intermittently redirected users from the websites they intended to visit, to malicious sites.

In their statement, the company claimed to "have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities."

**The Supply Chain Problem With Hosting Services**

According to Domain Name Stat, GoDaddy is far and away the largest domain name registrar on the Internet, capturing more than 12% market share with its nearly 80 million registered domains. Scale, alone, would make it an attractive target for cyberattacks, but being a hosting service makes this a whole other animal.

"GoDaddy and other Web hosting sites are prime targets for adversaries looking to conduct supply chain attacks," says Allie Roblee, intelligence analyst at Resilience. A company may take care to implement strong security practices and software, shunting phishing attacks, and patching up software bugs, yet still be vulnerable through a trusted provider like their Web hosting service. "Breaching large service providers like GoDaddy allows adversaries to compromise organizations and individuals they may have been unable to get into directly."

Of course, once attackers get in through the side entrance, they can do anything from stealing credentials to dropping malware, redirecting users to malicious sites, planting backdoors for later use, and much more. But "the implications for these compromises go even beyond that of security," Hong warns.

Consider an innocent person who intends to visit a business's website, but instead ends up redirected to a malicious site. Would that person ever risk visiting that business' website again? This, Hong points out, "hurts the reputation and operations of thousands, if not millions, of legitimate businesses."

Beyond that, there's a broader cost. "Weak security at this vendor level additionally allows attackers to force multiply their ability to carry out whatever objective they wish to," he explains. Such compromises "not only provide them with rich PII and private key data intelligence, but also an extensive network of websites and servers to do their bidding — similar to an IoT botnet, but instead of multiplying traffic, it multiplies the chances of successfully carrying out attacks which rely on humans as a weakness."

**What GoDaddy Customers Can Do**

If it didn't end that first or second time, how likely is it that the campaign against GoDaddy is over now? "It's possible," Roblee warns, "that the attackers still have access to GoDaddy's infrastructure or have the capability to find vulnerabilities in the stolen source code they can exploit to regain access."

For that reason, she says, "customers should audit any recently changed or uploaded files on their website to ensure that malware has not been installed. Additionally, I would recommend checking historical DNS records to see if any of their domains had been temporarily redirected."

Hong's advice is even simpler. "Affected businesses should change everything!" including all potentially affected login credentials, "and especially deprecating and creating fresh SSL private keys if using them."

Preventative measures will be more necessary going forward than ever before. As GoDaddy assessed in their 10K, the risk of attack "is likely to increase as we expand the number of cloud-based products we offer and operate in more countries."

GoDaddy declined to comment for this article beyond its published statement when contacted by Dark Reading.

What GoDaddy's Years-Long Breach Means for Millions of Clients

Access-as-a-service took off in underground markets with more than 775 million credentials for sale and thousands of ads for access-as-a-service.

The cybercrime economy centered around access to compromised systems, services, and networks has grown dramatically in the past year — with a sixfold increase in the number of credentials stolen via malware and offered for sale.

With cyberattackers using information-stealing malware to gather credentials, the expansion of access-as-a-service offerings has blossomed in the criminal underground with thousands of advertisements offering would-be cybercriminals access to compromised systems, according to findings in Recorded Future's newly published annual report.

In addition, the collection of data, use of stolen accounts, and phishing are among the top 10 most-discussed tactics in cybercriminals forums, according to the report.

The analysis of the most popular topics from underground forums demonstrates that stolen credentials and the sale of initial access continue to dominate cybercriminal markets, says David Carver, a senior manager at Recorded Future's Insikt research group.

"Credentials are a massive business because they continue to be successful and profitable for criminals," he says. "So as long as there continues to be fairly easy ways to monetize credentials at scale, which has been true for criminal markets for a long time, I don't see the drive for that type of theft changing."

    

Stolen credentials logged by info-stealing malware grew significantly in 2022. Source: Recorded Future

A decade ago, cybercriminals focused on stealing valuable data or on compromising specific companies that not only could be exploited but would also pay the attacker to leave them alone. Yet with the popularity of ransomware and the ability to use cryptocurrencies as a method of payment, attackers have been able to monetize nearly any breach of an organization. Thus, selling stolen credentials and opportunistic access has become the go-to product of the underground economy.

**MFA Fail**

Deploying stolen credentials has become more difficult for cybercriminals thanks to multifactor authentication (MFA), but attackers have countered with bypass techniques for many types of MFA, so credential theft has continues to be a standard post-breach tactic and access-as-a-service continues to thrive, Recorded Future's Carver explains.

"Until either our concept or our fundamental methods around identity change, there's not going to be a change in the criminal market, or at least not in the way that we're seeing right now," he says.

In 2021, the attackers focused on finding valuable systems and encrypting them with ransomware, with data encrypted for impact (T1486) and system information discovery (T1082) topping the list of trending tactics, techniques, and procedures uncovered by Recorded Future. In 2022, cybercriminals shifted their focus to the collection of data from local aystems (T1005) and the use of valid accounts (T1078) for access, according to the "2022 Annual Report."

The trend shows that access has become increasingly important, as cybercriminals have more options than just ransomware to monetize compromised systems, leading to information-stealing functionality becoming popular, the firm said. Ransomware payments decreased by nearly 60% in 2022 compared with 2021, according to Recorded Future's data.

"Credential sales remain popular on dark web marketplaces, typically for use in account takeover and credential stuffing attacks," the report stated. "The tactic has grown in sophistication with the rise of information-stealing malware and the proliferation of the malware-as-a-service model."

Recorded Future would not discuss the specifics of where its credential numbers came from, but its researchers believe that they have captured evidence of at least half of total campaigns from major info stealers.

"This is as close to 'bare metal' as you can get in terms of what is being exfiltrated and exposed as part of multiple different info-stealer malware campaigns," Carver says. "So to some extent, we're getting these directly as a result of understanding what data that malware is pulling in."

**Not Just Usernames and Passwords**

An attacker's focus on collecting credentials following a compromise has evolved as more information about the user has become necessary to bypass some security controls. Now, attackers are likely to collect session tokens from the browser cache, geographical information, browser version information, and other data in addition to usernames and passwords, Carver says.

"When we think about credential theft, what we actually need to be thinking about is the kind of complete browser fingerprint that some of these info sealers are looking for," he says.

Companies should assume that threat actors have employees' basic credentials, and that multifactor authentication could be bypassed, Carver said. They also need to ensure they can detect anomalous account behavior.

"The absolute first thing that \[companies should\] look at is identity and access management, making sure that across the complete scope of identities or platforms, or users that have access to anything internal, that there is a really robust and well understood security program," he says. "To me, that's table stakes right now for a more secure program, given the rise of info stealers."

Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets

Overcoming the obstacles of this security principle can mitigate the damages of an attack.

When I was forming the idea for the company that would become Veza, my co-founders and I interviewed dozens of chief information security officers (CISOs) and chief information officers (CIOs). No matter the size and maturity of their modern tech-savvy companies, we heard one theme over and over: They could not see who had access to their company's most sensitive data. Every one of them subscribed to the principle of least privilege, but none of them could say how close their company came to achieving it.

"Least privilege" is defined by NIST's Computer Security Resource Center as "the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function." That sounds simple, but things have changed. Data is now spread across multiple clouds, hundreds of SaaS apps, and systems old and new. As a result, all modern companies accumulate "access debt" — unnecessary permissions that were either too broad in the first place or no longer necessary after a job change or termination.

A KPMG study found that 62% of US respondents experienced a breach or cyber incident in 2021 alone. If any employee falls prey to phishing, but they only have access to non-sensitive information, there may be no economic impact at all. Least privilege mitigates the damage of an attack.

There are three obstacles to achieving least privilege: visibility, scale, and metrics.

**Visibility Is the Foundation**

It's hard to manage something you can't see, and access permissions are spread across countless systems in the enterprise. Many are managed locally within the unique access controls of a system (e.g., Salesforce admin permissions). Even when companies implement an identity provider, such as Okta, Ping, or ForgeRock, this only shows the tip of the iceberg. It cannot show all the permissions that sit below the waterline, including local accounts and service accounts.

    

Source: Veza

This is especially relevant today, with so many companies conducting layoffs. When terminating employees, employers revoke access to the network and SSO (single sign-on), but this does not propagate all the way to the myriad systems in which the employee had entitlements. This becomes unseen access debt.

For companies where legal compliance mandates periodic access reviews, visibility is manual, tedious, and vulnerable to omissions. Employees are dispatched to investigate individual systems by hand. Making sense of these reports (often, screenshots) might be possible for a small company, but not for one with a modern data environment.

**Scale**

Any company might have thousands of identities for employees, plus thousands more for non-humans, like service accounts and bots. There can be hundreds of "systems," including cloud services, SaaS apps, custom apps, and data systems such as SQL Server and Snowflake. Each offers tens or hundreds of possible permissions on any number of granular data resources. Since there is an access decision to make for every possible combination of these, it's easy to imagine the challenge of checking a million decisions.

To make the best of a bad situation, companies take a shortcut and assign identities to roles and groups. This addresses the scale problem but worsens the visibility problem. The security team might be able to see who belongs to a group, and they know the label on that group, but labels don't tell the whole story. The team can't see access at the level of tables or columns. When identity access management (IAM) teams are receiving a never-ending stream of access requests, it's tempting to rubber stamp approvals for the closest-fit group, even if that group confers broader access than necessary.

Companies can't overcome the scale challenge without automation. One solution is time-limited access. For example, if an employee was given access to a group but doesn't use 90% of the permissions for 60 days, it's probably a good idea to trim that access.

**Metrics**

If you can't measure it, you can't manage it, and nobody today has the tools to quantify how much "privilege" has been granted.

CISOs and their security teams need a dashboard to manage least privilege. Just as Salesforce gave sales teams the object model and dashboards to manage revenue, new companies are creating the same foundation for managing access.

How will teams quantify their access? Will it be called "privilege points"? Total permission score? A 2017 paper coined a metric for database exposure called "breach risk magnitude." Whatever we call it, the rise of this metric will be a watershed moment in identity-first security. Even if the metric is an imperfect one, it will shift a company's mindset toward managing least privilege like a business process.

**Going Forward**

The landscape has changed, and it has become practically impossible to achieve least privilege using manual methods. Fixing this will require new technologies, processes, and mindsets. The CISOs and CIOs I work with believe least privilege is possible, and they're making prudent investments to move beyond the bare minimum of quarterly access reviews. It won't be long before manual reviews are a thing of the past, and automation tames the complexity of modern access control.

Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It?

A new report from Adaptive Shield looks at the how volume of applications being connected to the SaaS stack and the risk they represent to company data.

The software-as-a-service (SaaS) app footprint is expanding nonstop at every organization across the globe. Employees are granting third-party apps access to the company's core SaaS apps, like Microsoft 365 (M365) and Google Workspace, causing security risks. Meanwhile, security teams and organizations are unable to track the number of connected apps or quantify the level of risk these apps are causing.

The recently released report from Adaptive Shield, "2023 SaaS-to-SaaS Access Report: Uncovering the Risks & Realities of Third-Party Connected Apps," found an average of 4,371 connected apps in a typical 10,000 SaaS-user organization that are connected to both M365 and Google Workspace. Furthermore, over 89% of third-party apps connected to Google Workspace and 67% of apps connecting to M365 represent a high or medium risk to a company's SaaS data. Disturbingly, many of these apps are granted high-risk permissions that allow them to delete or share confidential and proprietary corporate data.

Providing insights into the unknown SaaS abyss, Adaptive Shield has aggregated anonymized customer data from hundreds of tenants to provide security teams with a realistic view of the ubiquity of third-party apps and explain today's SaaS-to-SaaS realities and risks in depth.

**Understanding the Issue**

Here's a scenario a typical employee could be facing: Google Docs lacks a native mail merge feature. Users who need this feature can find an app that does this. Mailmeteor, for example, can provide this functionality — and requires the employee to grant permissions enabling it to delete Google spreadsheets and send emails on behalf of the user.

Mail Merge, a different app, requests permission to see, edit, create, and delete all Google Docs documents, all Google Sheets spreadsheets, all Google Slides presentations, and any other Google Drive file. Mail Merge also requests permissions to manage drafts and send email, change settings and filters in Gmail, and run when users are not present.

In this scenario, Mail Merge is a more high-risk app for the employee to install. If a threat actor gained control of their Mail Merge application, they could easily delete, download, or encrypt entire Google Drives containing critical corporate data.

**Volume of Third-Party Connected Applications**

The sheer volume of third-party apps makes third-party connected apps nearly unmanageable. As companies grow, the number of apps increases in proportion to that growth.

These are the numbers of M365 connected apps on average by company size:

*   <5,000 users: 522 connected apps
*   5,000-10,000 users: 1,253 connected
*   10,000-20,000 users: 3,508 connected apps

Furthermore, apps connected to Google Workspace are significantly higher than M365. As shown in the chart below, these are the numbers of Google Workspace connected apps on average by company size:

*   <5,000 users: 1,309 connected apps
*   5,000-10,000 users: 4,216 connected apps
*   10,000-20,000 users: 13,913 connected apps

Based on these shocking stats, this means that, on average, a company with 1,000 users should expect to see over 600 apps connected to Google and 200 apps connected to M365.

    

Figure 1: Average number of apps integrated with Google Workspace by users.

A cursory glance at this data might lead one to think that the M365 environment has less cause for concern due to fewer connected applications. However, that is not the case.

While there are more third-party applications typically connected to the Google Workplace, when running the numbers, the amount of oversight and control needed by the security team working with Microsoft and Google to secure the connected apps are on a similar scale.

**Risky Permission and Scopes**

Every third-party app requests specific permissions when connecting to a SaaS app. The report categorizes these permissions as low, medium, and high risk, based on the types of permissions being requested by the application.

The "2023 SaaS-to-SaaS Access Report" details how 39% of apps connected to M365 are considered high risk, and another 28% are medium risk. Only 11% of apps connected to Google Workspace are high risk, but an overwhelming 78% are medium risk and require access to sensitive permissions.  

    

Figure 2. Risk level for apps connected to M365 and Google Workspace

Many applications with high permission scopes are able to read, update, create, and delete content. Apps are often granted full access to mailboxes, and can send emails as the user.

    

Figure 3: Top 3 high-risk permissions requested by apps connected to M365 and Google Workspace.

These permissions pose a significant risk to the company, as apps can be taken over by threat actors, who can steal, sell, encrypt, or publish the data that they find.

**Staying on Top of SaaS-to-SaaS Access**

The scope of SaaS-to-SaaS access makes it impossible to manage manually. Organizations trying to control this attack surface and protect data from the risks imposed by third-party apps require an automated tool.

SSPMs automate third-party app monitoring, providing visibility into each app connected to your SaaS stack and the permissions granted to each application.

Download the full report to read all the insights and findings.

**About the Author**  

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield.

New Report: Inside the High Risk of Third-Party SaaS Apps

Researchers exploited issues in the authentication protocol to force an open redirection from the popular hotel reservations site when users used Facebook to log in to accounts.

Flaws in the authorization system of the Booking.com website could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com, researchers have found.

Researchers from Salt Security discovered the issues in the platform's implementation of OAuth, an open authorization standard designed to allow cross-application access delegation for different sites to share login credentials, according to a blog post published today. Though it was not specifically designed for this purpose, the protocol has become a standard for allowing websites to read data from Facebook profiles, or log in to a site using Google credentials, for example. Most people are familiar with the "Log in with Facebook"-type options for some online accounts that allow users to sign in without creating a new set of login credentials.

"A security breach \[via\] OAuth can lead to identity theft, financial fraud, and access to all sorts of personal information including credit card numbers, private messages, health records, and more," Yaniv Balmas, vice president of research at Salt Security, wrote in the post.

Specifically, researchers discovered an open redirection vulnerability in Booking.com and achieved log in success by accessing the site through the "log in with Facebook" option. They ultimately exploited three security issues and chained them together to gain full account takeover, according to the post.

"Once logged in, the attacker could have performed any action on behalf of the compromised users and gain full visibility into the account, including all of a user's personal information," Balmas wrote.

The issue could have caused a serious data breach for customers of the widely used hotel reservations website, which is part of the Booking Holdings Fortune 500 company and has more than 500 million visitors per month, he said. The site also allows users to rent cars and book taxis.

"An attacker could potentially make unauthorized requests on behalf of a victim, cancel existing reservations, or access sensitive personal information such as booking history, personal preferences, and future reservations," Balmas wrote in the post.

Salt Security disclosed the issues to Booking.com, which researchers lauded for responding quickly to address and completely mitigate them. Moreover, there had been no evidence of compromise to the Booking.com platform before the issues were resolved, Booking.com said in a statement provided by Salt Security.

"On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved," the company said. "We take the protection of customer data extremely seriously."

**How OAuth Works**

To understand how researchers compromised Booking.com's OAuth implementation, it's important to understand how the standard in a site operates and how the Booking.com's interpretation of it was flawed.

OAuth comes into play when a user logs in to a website and clicks on the "Log in with Facebook" option that many sites use to allow cross-platform authentication. The site will then open a new window to Facebook and, if it's the user's first time visiting the site, ask for permission to share details with the site. If not, Facebook automatically authenticates the user to the site.

Once the user clicks on a button to, for example, "Continue as Jane," Facebook generates a secret token that is private for the website and associated with the user's Facebook profile. Facebook then uses the token to direct the user to the website, which uses the token to communicate directly with Facebook to get the user's email address. Facebook then approves the address and its association with the user, which the site uses to log in the user successfully.

All of this communication between Facebook and the sites involves various redirections to different URLs, which is where the researchers were able to exploit the implementation of OAuth to steal the token or code of the victim, they said. Bad implementations are not uncommon; indeed, in a breach last May, attackers used OAuth tokens stolen from Salesforce subsidiary Heroku to gain access sensitive customer account data.

**Finding Means for Exploit**

Knowing this token is where the attacker opportunity lies, the researchers investigated the security of the standard's implementation by causing "unexpected behaviors of the flow" by changing various parameters to see how this would allow them to launch a successful attack, Balmas said. What they found were ways to manipulate the URL redirects that occur in the communication between the two sites to redirect users to URLs controlled by the researchers, thus creating an open redirection bug in Booking.com.

"We created a link that takes over any account on Booking.com that uses Facebook," Balmas wrote. "The link itself points to a legitimate Facebook.com or Booking.com domain, which makes it difficult to detect (manually or automatically)."

This method also allowed for account takeover on Kayak.com and affected users signing into Booking.com from Google, the researchers said.

**Wider Cyber-Risk of Poor OAuth Implementations**

While researchers only divulged how they used OAuth to compromise Booking.com in the report, they discovered other sites with risk from improperly applying the authentication protocol, Balmas tells Dark Reading.

"We have observed several other instances of OAuth flaws on popular websites and Web services," he says. "The implications of each issue vary and depends on the bug itself. In our cases, we are talking about full account takeovers across them all. And there are surely many more that are yet to be discovered."

OAuth provides an easy solution to bypass the user login process for site owners, reducing friction for which is a "long and frustrating" problem, Balmas says. However, though it seems simple, implementing the technology successfully and securely is actually very complicated in terms of proper technical implementation, and a single small wrong move can have a huge security impact, he says.

"To put it in other words — it is very easy to put a working social login functionality on a website, but it is very hard to do it correctly," Balmas tells Dark Reading.

Overall, Balmas advises site owners to treat OAuth "as a sensitive part of your service and either build the internal deep knowledge of the field, undergo continuous security testing and reviews to validate your assumptions, or, of course, both." 

He adds, "This is general advice that is relevant for any sensitive path/technology that is part of one's service."

Booking.com's OAuth Implementation Allows Full Account Takeover

It's 10 p.m. Do you know what your children are playing? In the age of remote work, hackers are actively targeting kids, with implications for enterprises.

Video games are a part of nearly every kid's life, and distributed work is increasingly a part of every adult's. According to experts, it's a recipe for small-time gaming scams to turn into larger-scale business compromises.

Hackers will leverage anything popular or good in this world, and video games are no exception. As described in a March 1 blog post from Kaspersky, financially motivated attackers are targeting children, in particular, with open-faced scams aimed at stealing in-game items, account credentials, and bank details.

The story doesn't necessarily end there, though. Even a primitive phishing attack against a kid playing Fortnite could, theoretically, turn into a wider attack not just against the parent but also the parent's workplace.

An attack that targets a business, through an employee or through an employee's child, may seem like a step too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. That, combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, makes this vector a long-tailed but fruitful one for attackers.

**How Games Get Hacked**

Last year, researchers for Avanan uncovered a surge of Trojans hidden in cheat codes for the ultrapopular online game Roblox. "The file would be downloaded by the child," explains Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, "and then, most likely, mistakenly uploaded to a corporate OneDrive folder. This file installs library files (DLL) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running."

This is just one of many forms that gaming scams can take. For example, "we've seen multiple cases in which a BYOD device was compromised via a gaming-related phishing site, which led to the compromise of the connected corporate network," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Another gaming-related vector we've seen in the wild are direct exploits through users playing games. This is most common on mobile devices but can affect desktop gaming as well. Attackers will either embed an exploit directly in an attractive mobile game that users download and thereby compromise their mobile device, or target a user playing a game with a remote code execution (RCE) vulnerability to compromise the computer running it."

Mere weeks ago, such a vulnerability was being exploited in the mega-hit Grand Theft Auto V.

The potential damage caused by such a compromise is clear. "Trojans like this can break applications, corrupt or remove data, and send information to the hacker," Fuchs says.

What's less obvious but more worrisome is how this damage could extend beyond the device or even the home in question.

**How Gaming Hacks Spread to Businesses**

Fuchs puts it bluntly: "The perimeter no longer exists."

"We can access work documents on home computers and vice versa," he says, "but it also relates to game usage."

Young children, especially, often play games from their parents' PCs and mobile phones or, if nothing else, their home Wi-Fi. Parents then take their PCs and phones to work, or work remotely from their home network.

Fuchs theorizes that kids "could be playing on their parents' computer and accidentally upload it. This is an easy way for compromises and malicious files to easily infect your corporate cloud." But in most cases, a child need not go that far — attackers can make the jump from home to office on their own.

"In the era of BYOD and remote working," LaRose explains, "attackers often just need to compromise a user's personal computer to get a foothold on a corporate network. Once an attacker has a foothold on a personal device, they can often steal a VPN session or browser session, or simply find a user's corporate credentials stored in their computer."

**How Businesses Can Stop the Spread**

In their blog post, Kaspersky researchers recommended that gamers practice diligent cyber hygiene: strong passwords, two-factor authentication, antivirus, and the like. They also highlighted the utility of virtual bank cards that only fill to meet the exact amount of a particular purchase.

"By entering the numbers from your bank card," Kaspersky explained, "you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary."

LaRose stresses that "gaming is not innately any more insecure an activity than normal Web browsing." Still, because gaming can be _just as_ insecure, "businesses should do everything they can to separate a user's presence in the corporate environment and the personal one."

He recommends implementing endpoint/extended detection and response (EDR/XDR) and a security operations center (SOC) that can help respond in case of a breach.

The most important defenses of all, though, are the policies and procedures businesses that implement to address remote work and BYOD.

"If BYOD is absolutely necessary for a business to function," LaRose says, "they should limit the policy to mobile phones only and ensure they use a strong mobile device management (MDM) solution that separates work and personal data on the phone. This is an imperfect solution with some workarounds for attackers but will at the very least serve as a deterrent and give the business more visibility into any potential exposures."

Hackers Target Young Gamers: How Your Child Can Cause Business Compromise

There's never enough time or staff to scan code repositories. To avoid dependency confusion attacks, use automated CI/CD tools to make fixes in hard-to-manage software dependencies.

Software dependencies, or a piece of software that an application requires to function, are notoriously difficult to manage and constitute a major software supply chain risk. If you're not aware of what's in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal.

A simple React-based Web application can have upward of 1,700 transitive NodeJS "npm" dependencies, and after a few months "npm audit" will reveal that a relatively large number of those dependencies have security vulnerabilities. The case is similar for Python, Rust, and every other programming language with a package manager.

I like to think of dependencies as decaying fruit in the unrefrigerated section of the code grocer, _especially_ npm packages, which are often written by unpaid developers who have little motivation to put in more than the bare minimum of effort. They're often written for personal use and they're open sourced by chance, not by choice. They're not written to last.

    

NodeJS dependencies, highly vulnerable, live in production! I took this from an actual, production React-Native application found on GitHub.

Recently (as of the writing of this article), PyTorch, one of the top two most popular machine learning libraries for Python, was compromised for five days via its dependency "torchitron." The attacker was able to collect system information and steal 1,000 files from each affected user's home directory. In 2021, Log4j was famously compromised and because it was bundled into basically every Web-facing Java project, DevSecOps teams were under a lot of pressure to identify where exactly they were vulnerable.

    

Too many dependencies to reliably keep track of, even if most are "mostly" secure.

Even 20 _intentional_ dependencies are too many for a development team to continually audit, much less 2,000 _transitive ones_.

**What's Been Done So Far?**

Not all hope is lost. For _known_ (reported and accepted) vulnerabilities, tools exist, such as pip-audit, which scans a developer's Python working environment for vulnerabilities. Npm-audit does the same for nodeJS packages. Similar tools exist for every major programming language and, in fact, Google recently released OSV-Scanner, which attempts to be a Swiss Army knife for software dependency vulnerabilities. Whether developers are encouraged (or forced) to run these audits regularly is beyond the scope of this analysis, as is whether they actually take action to _remediate_ these known vulnerabilities.

However, luckily for all of us, automated CI/CD tools like Dependabot exist to make these fixes as painless as possible. These tools will continually scan your code repositories for out-of-date packages and automatically submit a pull request (PR) to fix them. Searching for "dependabot\[bot\]" or "renovate\[bot\]" on GitHub and filtering to active PRs yields millions of results! However, 3 million dependency fixes versus hundreds of millions of active PRs at any given time is an impossible quantification to attempt to make outside of an in-depth analysis.

**State of the Art Isn't Quite Good Enough**

You need to keep in mind that these auditing tools do nothing to protect developers against zero-day exploits or N-days that were reported but have yet to be officially accepted. In the case of the PyTorch vulnerability previously mentioned, none of the auditing tools would have caught this _class_ of dependency vulnerability, because there was no traditional "software vulnerability" being exploited. These "dependency confusion" attacks take advantage of the fact that package managers look to their "default" repository before checking other repositories that dependencies may select for _their_ dependencies. In the case of PyTorch, the "torchitron" dependency was self-hosted by the PyTorch Foundation. When the attacker uploaded their version to PyPI, it took precedence over the official version.

How long will this continue? Forever. If there is value in exploiting these vulnerabilities, attackers will continue to take advantage of them. Luckily, in the case of PyTorch, "only" data exfiltration took place. Future victims might not be so lucky, however. A sophisticated attacker only needs one successful attempt at access to remain persistent in a victim's system (and network).

**What Does This Mean for Me?**

Did you install your packages from the command line? If so, did you type them in properly? Now that you've installed your dependencies "correctly," did you verify that the code for each dependency does exactly what you think it does? Did you verify that each dependency was installed from the expected package repository? Did you ….

Probably not, and that's OK! It's inhumane to expect developers to do this for every single dependency. The best bet for software developers, software companies, and even individual tinkerers is to have some form of runtime protection/detection. Luckily for us all, there are detection and response tools that have relatively recently been created which are now part of a healthy and competitive ecosystem! Many of them, like Falco, Sysdig Open Source, and Osquery, even have free and open source components. Most even come with a default set of rules/protections.

On Shaky Ground: Why Dependencies Will Be Your Downfall

The automated capabilities can discover misconfigurations, compliance violations, and risk or excessive privileges in Kubernetes clusters.

Ermetic has introduced new Kubernetes security posture management capabilities to its cloud-native application protection platform (CNAPP). Customers can take advantage of the automated features to discover and fix misconfigurations, compliance violations, and risk or excess privileges in Kubernetes clusters. Ermetic CNAPP provides a detailed inventory of the resources inside all Kubernetes clusters, performs continuous posture assessment and prioritization of risks, and offers remediation guidance, the company said.

The platform queries the Kubernetes API for each cluster, and uses agentless scanning and analysis of node configurations and containers. These findings are then combined with signals from the platform's cloud workload protection (CWP), infrastructure as code (IaC) scanning, cloud security posture management (CSPM), and cloud infrastructure entitlement management (CIEM) functionality to provide full visibility into threats, the company said. Customers can get a list of prioritized vulnerabilities within the context of cloud configuration, permissions, and network access. Customers can also enforce least privilege for users and services using the internal Kubernetes role-based access controls.

While Kubernetes is powerful for deploying and managing containerized applications across multiclouds, it can also be challenging for security teams to effectively track configuration changes, manage secrets, ensure proper role-based access control, and identify vulnerabilities. "Existing approaches to Kubernetes security typically provide a siloed view, which results in high false positive rates," Ermetic's chief product officer Sivan Krigsman said in a statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ermetic Adds Kubernetes Security to CNAPP

**NEW YORK: March 1, 2023 –** Octillo, a women-owned cybersecurity, data privacy, and technology-focused law firm, is pleased to announce the launch of their 2023 Octillo Women’s Cybersecurity Scholarship program, administered by the Center for Cyber Safety and Education.

The Octillo Women's Cybersecurity Scholarship program builds upon one of Octillo’s core missions, to promote diversity, equity, and inclusion in the cybersecurity industry and support the next generation of female cyber professionals through mentorship and education. One $4,000 scholarship will be awarded to a woman pursuing or planning to pursue a degree focusing on cybersecurity, data protection, or a similar field at the undergraduate or graduate level.

“As the technological, data security, and privacy landscapes evolve, the need for cybersecurity professionals continues to grow,” says Octillo Managing Director, Kara Hilburger. “Women are still very much underrepresented in the cybersecurity and technology industries. Octillo is proud to be on the forefront, helping to break down some of these barriers to help women obtain the resources they need to pursue in this highly specialized field.”

Applications for the 2023 Octillo Women’s Cybersecurity Scholarship open on March 1st and close on May 1st at 11:59 PM ET. The recipient will be notified in June. For more information on eligibility and application requirements, visit: https://www.iamcybersafe.org/s/octillo-womens-cybersecurity-scholarship

**About Octillo:** Octillo is a woman-owned technology law firm and one of the few firms in the United States with a recognized focus solely on data security, privacy and technology compliance, incident response, and litigation. Guided by their core values of excellence, drive, and originality, Octillo attorneys counsel clients on matters pertaining to data security and privacy compliance, litigation and class action defense, technology contracts, incident response, government investigations, technology intellectual property, and emerging technologies. Octillo is a NetDiligence® Authorized Breach Coach – a recognition offered only to firms with a proven track record of competency and experience responding to data incidents. Octillo has offices from California to New York. Learn more at www.octillolaw.com.

**About the Center for Cyber Safety and Education:**The Center for Cyber Safety and Education (Center), formerly (ISC)² Foundation, is a non-profit charitable trust committed to making the cyber world a safer place for everyone. The Center breaks down barriers in exposure and access to the cyber profession and provides opportunities for individuals, groups, and organizations with the most need to benefit from the commitment of (ISC)2 to the profession. Learn more at www.iamcybersafe.org.

Octillo Launches Women's Cybersecurity Scholarship in Partnership With the Center for Cyber Safety and Education

Volume of SaaS assets and events magnifies risks associated with manual management and remediation.

**NEW YORK****,** **March 1, 2023** **/PRNewswire/ --** DoControl, the automated Software-as-a-Service (SaaS) security company, today released its 2023 SaaS Security Threat Landscape Report, which quantifies the volume, types, and exposure risk of business assets stored within the SaaS estates of medium companies (50 to 1,000 employees) and large companies (1,001 to 6,696 employees). The report found that large and medium companies had an average of 5.5 million and 1.5 million assets stored in SaaS applications respectively, illustrating the challenge IT and SecOps teams face daily in securing the intellectual property those assets contain.

SaaS applications, while both vital and ubiquitous within business technology stacks, expose companies of all sizes to significant security risks stemming from undetected data exfiltration. With large companies averaging 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets, manually monitoring every event and asset is functionally impossible. The notable shortage of security professionals and the burnout caused by competing priorities demonstrates why security automation is the only feasible approach in this landscape.

"While we all rely on SaaS applications to improve productivity and collaboration, few have stopped to consider the sheer number of assets that flow in and out of these tools each day," said Adam Gavish, CEO and Co-founder, DoControl. "Enterprises increasingly consider security when entering business transactions and engagements, which means the risks of a poor SaaS security posture can act as a spoiler for business outcomes. The goal of this report is to quantify and illustrate the chaos so businesses can better understand their risk exposure and act accordingly to regain control of their SaaS estate."

The vulnerabilities covered in the SaaS Security Threat Landscape Report are broken out into five different categories:

**Insider Threats** 

Whether accidentally or deliberately, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. DoControl found that 81% of medium-sized companies and 78% of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant of assets leaving those domains. As 61% of companies have employees who have shared company-owned assets with their personal email, manually tracking sensitive assets may be more difficult than previously imagined.

**External Actors & Access** 

Control of a company's data or intellectual property can become tenuous when collaboration extends beyond the company's security perimeter and files are shared with external parties via SaaS applications. Medium-sized companies in DoControl's study had on average nearly 224k assets in SaaS applications that have been shared externally, with nine external actors per employee on average.

Compounding this issue is that over-provisioning access to SaaS files can result in those assets being distributed to external collaborators beyond those which they were originally intended. DoControl found large companies had an average of 94,455 publicly-shared assets stored in SaaS applications. Companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared.

**Third-Party to Fourth-Party Sharing**

One of the ramifications of not adequately limiting the data access granted to external parties is third-party to fourth-party sharing. Over the course of the first nine months of 2022, DoControl identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties have legitimate reasons for sharing SaaS assets with fourth parties. These situations, however, should be managed by the originator of the SaaS assets. At large companies, 241 fourth-party domains on average have access to its SaaS assets. Without adequate SaaS data access controls, the originators often lose sight of assets shared externally, introducing an unacceptable level of risk.

**Outdated Permissions**

There are two manifestations of outdated permissions. The first is ongoing access to SaaS assets that are no longer supporting current business objectives. DoControl found 67% of all companies have employees with lingering access to assets stored in Google Workplace that are more than 5 years old.

The second form of outdated permission is access that persists after employees have parted ways with their employer. Out of all companies, 31% have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer. Unsurprisingly, large companies tend to have more former employees with access (20 on average) than medium companies (slightly more than six on average), but even one former employee – especially a disgruntled one – can present an unacceptable risk.

**Third-Party OAuth Applications**

Applications often allow integrations with third parties to make workflows more efficient, convenient, or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary read/write access to applications that may not have strong enough native security controls can open the door to data exfiltration and supply chain-based attacks. The major collaboration application companies often support numerous third-party application integrations. Unfortunately, it's not uncommon for some of these third-party applications to be overprivileged.

At large companies, Google has an average of 81 third-party application integrations. On average, 27 of those Google integrations have data access and nine are overprivileged.

DoControl helps avoid the devastating consequences of data exfiltration and leakage. Its unique approach to managing SaaS data access remediates any situations highlighted in the SaaS Security Threat Landscape Report by providing centralized, automated, granular data access controls over the SaaS applications in companies' technology stacks. DoControl's no-code, automated workflows help IT and security teams manage their SaaS data access so companies can move forward with SaaS deployments confidently, and in a secure manner.

According to Gartner, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements by 2025. To view more insights and begin your own enterprise audit across the five SaaS security benchmarks, download the full 2023 SaaS Security Threat Landscape Report.

**Additional Resources:**

*   Download the SaaS Security Threat Landscape Full Report
*   Download the SaaS Security Threat Landscape Executive Summary
*   Register for the Webinar
*   Read the Blog 

To learn more about DoControl, visit the website or request a demo.

**Methodology**

This report aggregates findings across a subset of companies for which DoControl performed an audit of SaaS data access control and exposure. We have compiled the findings from audits of a cross-section of companies ranging in size from 11 to 6,696 employees. In situations where DoControl saw significant differences in the findings by company size, it broke those results out into two groups — medium-sized companies (50 to 1,000 employees) and large enterprises (1,001 to 6,696 employees). In situations where the difference between the two groups was insignificant, DoControl reported just one overall statistic.

**About DoControl**

Founded in 2020 and headquartered in New York, DoControl is an automated data access controls platform for SaaS applications, improving security and operational efficiency with ease for enterprises. DoControl is backed by investors Insight Partners, StageOne Ventures, Cardumen Capital, RTP Global and global cybersecurity leader CrowdStrike's early stage investment fund, the CrowdStrike Falcon Fund. The company's leadership team combines product, engineering and sales experience across cybersecurity, enterprise and SaaS innovators. For more information, please visit www.docontrol.io. Follow us on Twitter and LinkedIn.

Source

DARKReading