The open source container tool is quite popular among developers — and threat actors. Here are a few ways DevOps teams can take control.

_Editor's note: For more about the kinds of vulnerabilities Kubernetes presents and how to address them, read our_ _companion article_ _in The Edge._

Since its initial release in 2014, Kubernetes (aka K8s) has become the standard open source container tool for managing software applications. Kubernetes is cost-effective, offers autoscaling, and can run on any infrastructure. Its benefits are why 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies. On top of this, 61% of people use Kubernetes to manage their computer application deployment.

Funso Richard, information security officer at Ensemble, tells Dark Reading that "forward-thinking organizations understand the importance of leveraging containerized microservices to develop scalable and reliable applications as an essential digital transformation strategy" — and Kubernetes has become the leading tool used to achieve this strategy, he adds.

However, Kubernetes also comes with security challenges: It's susceptible to data theft, computational power theft, and denial-of-service (DoS) attacks. Kubernetes' public components (such as kubelets and API authentication) are widely exploited. And threat actors target infrastructure misconfiguration, unpatched software programs, and poor login credentials to gain unauthorized entry to Kubernetes. The vulnerabilities are also widespread. According to Red Hat's "2022 State of Kubernetes" security report, 93% of Kubernetes users experienced at least one security incident in the past 12 months.

As DevOps teams continue to grapple with rising Kubernetes security mishaps, here are a few ways to stay ahead of attackers and keep cloud-native environments secure.

**Securing Kubernetes With Tools**

Kubernetes' security vulnerability affects its efficiency. For instance, concerns over Kubernetes security caused developers to delay application rollouts in 2022, according to Red Hat. Although Kubernetes provides several benefits in application development and container orchestration, says Richard, inadequate security controls expose the open source tool to serious security concerns like misconfiguration, privilege abuse, data exfiltration, credential compromise, exploited public-facing components, and API vulnerabilities. To address these, several Kubernetes security tools have sprung up, including Kubescape, Kube-bench, Kubeaudit, Kube-hunter, and Kyverno.

Kubescape is an open source security platform from ARMO to protect Kubernetes clusters with capabilities such as risk analysis, security compliance, misconfiguration scanning, CI/CD security, RBAC visualizer, and vulnerabilities scanning. One thing that sets Kubescape apart is its library of robust capabilities that aligns with MITRE ATT&CK and NSA-CISA frameworks, says Richard.

"As I track Kubernetes security offerings — both commercial and non-commercial offerings — I haven't come across another offering with the same exact components as Kubescape," agrees Fernando Montenegro, senior principal analyst of cybersecurity infrastructure at Omdia.

Kubescape scans clusters, YAML files, and Helm charts for vulnerabilities either directly or via CI/CD integrations. The idea of scanning infrastructure-as-code (IaC) templates is well-popularized across the industry, says Montenegro. Most IaC scanning is done for cloud resources like Amazon's CloudFormation, HashiCorp's Terraform, and others, with Kubernetes scanning being a more specialized use case, he adds.

There are other offerings in the market — like Red Hat's StackRox (acquired in 2021), Tenable's Terrascan, and Palo Alto Networks' Checkov — offering similar capabilities as Kubernetes.

**Implementing Best Security Practices in Kubernetes**

Richard notes that adherence to cybersecurity fundamentals remains the bedrock of any security effort. While Kubescape is undoubtedly a powerful Kubernetes security tool, he believes developers can effectively secure their Kubernetes clusters by following the basics: implementing proper cluster configuration, pod security standards and policy enforcement, network segmentation, vulnerability scanning, periodic policy reviews, and security audits. "Containers should run with the least privileges and only necessary services, while role-based access controls should be in place to manage user access," Richard says.

While Montenegro says there are several Kubernetes best practices for DevOps and DevSecOps teams to follow, he notes that the following practices must be top on their priority list:

*   **Think about security early on:** Collaborate with your developers/architects to work through a proper threat modeling.
*   **Work with embedding security throughout the application lifecycle:** Security is an end-to-end process, from providing on-the-spot security advice and functionality for a developer working through the code in their development environment, through making sure security tests are part and parcel of the integration stages, then adding the necessary runtime protections to monitor workloads in production.
*   **Safely store Kubernetes secrets:** Implement features like proper namespace separation, use of role-based access control (RBAC).

As Kubernetes grows in adoption, IT teams can avoid security pitfalls by using tools like Kubescape and StackRox, as well as following the best security practices for securing their critical Kubernetes assets.

How to Run Kubernetes More Securely

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Godfather Banking Trojan Masquerades as Legitimate Google Play App

Employee education, biometric and adaptive authentication, and zero trust can go a long way in strengthening security.

Bzz, bzz, bzz…  

Like a fly buzzing around your head at 3 a.m., persistent requests from multifactor authentication (MFA) fatigue attacks are keeping security professionals awake at night. However, while silenced phones may help individual users sleep a bit better at night, security professionals are having cyber\-breach nightmares.  

MFA fatigue, also known as an MFA bombing attack, is a type of social engineering scheme where a cybercriminal sends multiple MFA requests — sometimes in the dead of night — in the hope of frustrating a legitimate user. In response, this user may turn off MFA, thinking it's malfunctioning, or the cybercriminal may impersonate a support employee and request the code they need to enter the user's account.  

In the case of the Uber breach this fall, the hacker group Lapsus$ employed the latter strategy. Putting their acting skills and persistence to the test, hackers stole an Uber contractor's credentials and then faked their way into jumping the last barrier protecting Uber's internal systems: a flimsy MFA text code. 

Security professionals can learn a lot from this cyber event and make several changes to their own company's policies to shore up their defenses. 

**MFA Tokens Are Not the Be-All, End-All**

Unfortunately, biometric authentication is as close to absolute as we're going to get. Fingerprint and facial recognition are — as of now — very difficult to replicate. Corporate security teams must encourage all employees to enable biometric authentication to every device and system that supports it. Even the savviest user can fall for phishing attempts, as they become more sophisticated by the day. Large US companies lose about $14.8 million annually to phishers. (In 2015, this figure was $3.8 million.)

To protect company coffers, in addition to valuable company information, it's best to filter out as many phishing attempts as possible with software; however, the onus is still partially on users. 

**Rely on Additional Security Measures Over MFA**

Leave it to cybercriminals to make security professionals rethink what they previously regarded as unbreachable. These days, it's crucial to rely on much more than MFA tokens (and even biometric authentication) alone to keep company systems safe from hackers. Alternatives include rotating access keys, only enabling the absolute minimal privileges, and sticking closely to zero\-trust policies company wide. Additionally, adaptive authentication, a security protocol that asks for additional identity authentication steps depending on the situation and the user, can further strengthen entry points.  

Zero\-trust and adaptive authentication are especially helpful in safeguarding an organization's most sensitive platforms. However, all it takes is for one slip-up or lapse in judgment to let a cybercriminal waltz right into a company's IT ecosystem. How can security teams defend against those? 

**Proactive Threat Prevention Is Optimal**

Proactive detection and real-time response are the best ways for organizations to prevent cyber threats. One step better is to combine prevention and resolution under one platform. A single pane of glass gives teams a holistic, real-time view that's essential in protecting workloads without friction. Malware, ransomware, zero\-days, fileless attacks, advanced persistent threats and more phishing schemes than anyone can count are constantly circling, waiting for someone in an organization to make a mistake. A cyber\-protection solution can squash a threat before it causes a leak.  

**A Delicate Security Balance**

While security teams may be hasty to pile on every additional security measure in existence to supplement MFA, they must not compromise too heavily on convenience. The more inconvenient and time consuming something as simple as logging in is, the more likely it is that employees will cut corners.

It's a delicate balance and a difficult one to strike. Comprehensive employee education, biometric and adaptive authentication, and zero trust can go a long way in strengthening your security perimeter. Partnering with a centralized data protection, cybersecurity, and an endpoint management solution can be the extra peace of mind IT leaders need to sleep soundly.

Why Security Teams Shouldn't Snooze on MFA Fatigue

Automating your defenses can bring good tidings of great joy.

_CRON rest ye merry user base; let nothing you dismay!__Remember that the spam filter still works on Christmas Day!__To save us all from scammers' pow'r when we're still on vacay.__O tidings of comfort and joy.__Comfort and joy!__O tidings of comfort and joy._

It's the holiday season, and even the most naughty cybersecurity engineer deserves a little break! Yes, even you, little Timmy. I know you work in the retail sector and this is your busiest time of year, but there are ways to maximize your chances of a happy, peaceful holiday with friends and/or family.

What is this magical methodology that mutes malicious madmen? I'm glad you asked! Please sing this with me, to the tune of Handel's "Hallelujah Chorus."

_Au-to-ma-tion!__Au-to-ma-tion!__Automation.__Automation.__Auto-ma-a-ation!_

That's right: If you want to tip the scales in your favor this holiday season, you have to let the good bots fight the evil bots. No, we're not talking about the evil robot Santa from "Futurama." We're talking about practical cybersecurity preparations that might just save the holidays!

**Making Sure New Accounts Are on the Good List**

Anyone who isn't in B2B is likely to experience an uptick in new account creation during the holiday season. Whether it's because people want to order something from your website or because they simply have more time on their hands during the holidays, new sign-ups aren't exactly uncommon. There will also be people taking advantage of New Year's sales, spending last year's departmental budget while they still can, and registering the warranties on gifted products.

Sadly, that means this time of year is also perfect for anyone creating illicit accounts if they want to be lost in the shuffle. Why is that? Because the sheer volume of new account creation prohibits manually checking each one, at least in medium to large enterprises that experience high volumes around this time.

That's why many naughty little bots pick the holiday season to create a massive number of accounts. They might not _do_ anything with them, at least not for a while. But you don't want all of these accounts sitting around and maturing if it means they can be used in a variety of other attacks down the line.

So before you clock out for the last time in December, make sure your automated account validation services are running properly! Lack of diligence now can burn you in the months to come. Run some tests, make sure that bots are being caught when they make a new account, and double-check the associated logging and reporting functions. If you need help with this, fake account creation detection, alerts, and reporting tools can keep you covered until you get back into the office.

**Keeping Inventory Numbers Accurate for Santa**

Your little elves have been working hard to build up an inventory that will survive the holiday rush. It would be a shame if a mean-spirited competitor or hacker invalidated all of their efforts by messing with your system.

But that's exactly what can happen, and the holidays are the perfect time to execute such an attack. With online carts and real-life fulfillment centers already seeing a ton of action, all it takes is one bad actor with a botnet to ruin the holiday season for a whole lot of people.

The way a botnet can mess with your inventory is via a stockout, also called a denial-of-inventory attack. Fraudulent orders are put on the books to reserve products, only to have the orders canceled after the holiday rush is over. Alternatively, the cancellations and reorders can come in waves, only to end with mass cancellations.

These days, stockout detection is vital. Even in a service-based industry, bots creating meetings or appointments that waste the sales team's time can be an absolute nightmare. **Make sure that the automation is up and running, and test it** before you leave for the holidays.

**Putting Coal in Ad Fraudsters' Stockings**

If you're like most companies, December and January distribute the lion's share of your ad budget. Throwing your hat into the ring for the holiday season is critical to many businesses and can significantly impact how the next 12 months go.

But certain Grinches out there will use your increased ad spend as an opportunity to steal everything they can. Much like the new account fraud crowd, these thieves are hoping that increased legitimate activity will provide cover for their more nefarious activities during the holiday season.

Fake impressions pushed out by the millions can rapidly burn through your holiday ad budget, leaving you running on empty, out of leads and sales. Meanwhile, the metrics of your ad campaigns look great, giving you false positives without producing real results. It's a double betrayal: You've been robbed _and_ you don't even know whether your ads would have been effective under normal circumstances.

The holiday season is ripe for programmatic ad fraud. If you don't have an antifraud system that covers this aspect of your business, you'll want to rectify that as quickly as possible.

**Other Tips Before You Close Up Shop**

The week prior to closing up for the holidays, you should run an analysis of seasonal false positives from holidays past. If you know that you're going to get hit with false positives, make sure that you have a decent idea of what those impressions look like. If you can create more accurate filtering that will catch the bad guys but allow you to sleep in on Boxing Day, you should put that work in before you take off for the year.

Lead generation fraud isn't limited to traditional ad campaigns. Social media click fraud is rampant this time of year. Make sure that your automation covers all of your social profiles, including business profiles such as LinkedIn; otherwise, reputational damage might set in before the social team returns after the holidays.

One thing people tend to forget is smart building access control. Targeting people who are on vacation with everything from biometric access fraud to impersonation attacks is common during the holiday season. With so many people on vacation, physical security is naturally more lax. So make sure to contact your smart building security provider and optimize your building's settings for the end of the year.

**The Gift of Automation**

Cybersecurity is typically the last thing on the minds of most people who are rushing out of the office at the end of the year — sometimes including even cybersecurity professionals! Automation is the answer. It's a great stress reducer because you can set up automated defenses once and permanently enjoy increased security. And everyone needs that, particularly during this time of the year.

So relax. Enjoy the tree, the lights, the music, and the people who surround you, secure in the knowledge that somewhere out there, a good little bot is looking out for you.

Happy holidays!

Give Yourself the Gift of Secure Holiday E-Commerce

Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

*   Manufacturers typically have slim profit margins and rely on steady productivity to compensate.
*   Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.
*   While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

**Manufacturing Suffers From Low Cybersecurity Awareness**

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

**Manufacturing Data Can Be Extraordinarily Valuable**

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

**Better Security Is Available Today**

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

*   Rigorously validate the identity of all participants in a network transaction

*   Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

*   Segment the network and support application microtunneling, limiting any possible access by attackers

*   Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more _Partner Perspectives_ from Zscaler

Paying Ransom: Why Manufacturers Shell Out to Cybercriminals

This unique fairytale is available for free just before Christmas to enjoy with the entire family.

**MONTPELLIER, FRANCE, December 19, 2022 /****EINPresswire.com****/ --** Bfore.Ai, an AI-driven predictive cybersecurity solutions company, recently launched the very first cybersecurity book in the market. This book, geared towards children and security specialists alike and titled The King, The Knight & The Snowball, was downloaded over 100 times within the first hour of being available. This unique seasonal tale is available now and free for anyone to download and enjoy, just in time for Christmas.

This short fairytale targets cybersecurity professionals and aims to make predictive cybersecurity an understandable and relatable topic for all ages while promoting how important it is to be security conscious in a world where there are so many threats. While the book is designed to open the understanding of cybersecurity at an early age, it’s intended as a gift to the entire technology community and all age groups.

“In today’s world, security is a high-pressure, demanding field. It’s often hard to share a few quiet moments with those we love. We wanted to capture the spirit of sharing and caring that is essential to this time of year,” said Luciano Allegro, CMO at Bfore.Ai. “We felt the best way to do that was to create a book that gives an introduction to a new wave of cybersecurity technology — a predictive cybersecurity — wrapped in a fun story that anyone could enjoy.”

Developed with security professionals in mind, this book offers a great way to start the conversation about cybersecurity in general and predictive cybersecurity, specifically with anyone of any age. Any parent can use the accessible nature of the tale to share the importance of cybersecurity and even address how the nature of security can sometimes seem mystical. 

Bfore.ai created this fun fairytale adventure to help people of all ages learn about the technology that can prevent them or their companies from being victims of cyber threats without the sales pitch aspect that can turn the average person off. In keeping with their intention to promote sharing and moments of caring, this delightful tale is entirely free and ready for anyone to download to enjoy with the whole family. Please visit The King, The Knight & The Snowball.

About Bfore.Ai:

Headquartered in Montpellier, France, Bfore.AI launched in 2020 to deliver actionable intelligence insights to enterprises, focusing on predictive models that can see vulnerable vectors in enterprise cyber networks. For more information, please visit https://bfore.ai/ or contact Sonia Awan – PR for Bfore.Ai at \[email protected\]

Bfore.Ai Releases 'The King, The Knight & The Snowball' - Cybersecurity Book for Children

The latest bypass for Apple's application-safety feature could allow malicious takeover of Macs.

A bypass vulnerability in macOS for Apple's Gatekeeper mechanism could allow cyberattackers to execute malicious applications on target Macs — regardless of whether Lockdown mode is enabled.

Among the details on the bug (CVE-2022-42821), which Microsoft dubbed "Achilles," is the fact that researchers were able to craft a working exploit using the Access Control Lists (ACL) mechanism in macOS, which allows fine-tuned permissioning for applications.

**Popular Target: Apple Gatekeeper for Vetting Applications**

Apple Gatekeeper is a security mechanism designed to ensure that only "trusted apps" run on Mac devices — i.e., those that are signed by a valid authority and approved by Apple. If the software can't be validated by Gatekeeper, the user gets a blocking pop-up explaining that the app can't be executed.

In theory, this mitigates the threat of malicious sideloaded applications that users might accidentally download from pirate sites or third-party app stores. The issue, though, is that bad actors have devoted quite a bit of time to finding bypass avenues for the feature, Microsoft researchers noted, as shown by previous exploited vulnerabilities such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826.

And no wonder: "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS," Microsoft researchers warned in an advisory issued this week. "Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks."

**Uncovering a New Gatekeeper Bypass**

Piggybacking off of details surrounding CVE-2021-1810, Microsoft researchers looked to create a new bypass — which they managed to do by appending malicious files with special permissioning rules via the ACL mechanism.

Apple employs a quarantine mechanism for downloaded apps, according to the advisory: "When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper."

However, there is an additional option in macOS to apply a special extended attribute named com.apple.acl.text, which is used to set arbitrary ACLs.

"Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules," Microsoft researchers explained. "Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute."

And without the quarantine attribute in place, Gatekeeper is not alerted to check the file, which allows it to bypass the security mechanism altogether.

Crucially, Microsoft researchers found that Apple's Lockdown feature, which it debuted in July to prevent state-sponsored spyware from infecting at-risk targets, can't thwart the Achilles attack.

"We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles," according to Microsoft.

The issue was disclosed to Apple in July, with fixes rolling out in the latest macOS version. To protect themselves, Mac users are encouraged to update their operating systems to the latest version as soon as possible.

Microsoft Warns on 'Achilles' macOS Gatekeeper Bypass

With 10 layers of obfuscation and fake payloads, the Raspberry Robin worm is nesting its way deep into organizations.

It's likely the group behind the worm called Raspberry Robin is just testing the waters — launching attacks against telecommunications companies and governments across Australia, Europe, and Latin America to see how far their malware can spread — for now.

Researchers at Trend Micro have been tracking Raspberry Robin since September and are warning the worm is notable for its 10 layers of obfuscation and its ability to deploy a fake payload to throw off detection efforts.

Raspberry Robin infected thousands of endpoints in October. Both October's endpoint attacks and the latest targeting of governments and the telecom sector relied on a malicious USB for initial infection.

"Our initial analysis of the malware, which compromised a number of organizations toward the end of September, showed that while the main malware routine contains both the real and fake payloads, it loads the fake payload once it detects sandboxing tools to evade security and analytics tools from detecting and studying the malware's real routine," Trend Micro reported, adding the team will continue to track the malware's activities.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Raspberry Robin Worm Targets Telcos & Governments

Security Service-backed Trident Ursa APT group shakes up tactics in its relentless cyberattacks against Ukraine.

Physical threats against a Ukrainian cybersecurity researcher and a failed attempt to breach a petroleum refinery inside a NATO-member nation are just the latest notable salvos in Russian state-backed APT group Trident Ursa's campaign against Ukraine.

Researchers at Palo Alto Network's Unit 42 reported on the APT group (also known as Gamaredon, Primitive Bear, Shuckworm, and UAC-0010) tactics over the past 10 months, noting the connection between Trident Ursa and the Russian Federal Security Service.

"As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer," the Unit 42 team explained. "Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NATO-Member Oil Refinery Targeted in Russian APT Blitz Against Ukraine

Searchlight Cyber announces rebrand that reflects its status as a fast-growing cybersecurity business.

**Portsmouth,** **UK** **&** **Washington** **DC,** **US** **–** **December** **20** **2022** **\--** Searchlight Cyber, the dark web intelligence company, has announced its rebrand from Searchlight Security, aligning its legal entity in both the UK (Searchlight Cyber Ltd) and the US (Searchlight Cyber LLC). The name change is accompanied by the launch of a new visual identity including a new company logo, website, and an update to its product design.

Searchlight Cyber’s new website is designed to be a knowledge base for security professionals to learn more about the emerging field of dark web threat intelligence. Enterprises, law enforcement, and MSSPs can easily navigate and access resources on how to combat dark web threats including reports, webinars, videos, blogs, case studies and more.

“I am delighted to announce that we are capping off a very exciting year for the company with a rebrand,” says Ben Jones, CEO of Searchlight Cyber. “Since we launched five years ago we have been on a fast-growth trajectory, and this has never been more apparent than in 2022. In this year alone, our headcount has increased by more than 150 percent, we have grown our customer base in both the UK and US, and we’ve launched exciting capabilities in our products. This new brand reflects the maturity of the company and our mission to help protect society from dark web threats, with our new website in particular geared around the value and insight that we can deliver to our customers.”

Searchlight Cyber’s Ransomware Search and Insights - launched just last week \- is among the many product announcements the company has made this year. This enhancement to Searchlight’s Cerberus platform provides enterprises and law enforcement with a consolidated view of the dark web activity of ransomware groups, to help them better understand and protect themselves from one of the most persistent threats in cybersecurity. The product’s supporting threat intelligence report, Dark Web Profiles: The Most Prolific Ransomware Groups of 2022, is one of the many resources that can be accessed on the new Searchlight Cyber website. 

For more information on the rebrand, read the blog Introducing Searchlight Cyber from Ben Jones, CEO of Searchlight Cyber, on the rationale behind the company’s new website and visual identity. 

About Searchlight Cyber

Searchlight Cyber provides organizations with relevant and actionable dark web threat intelligence, to help them identify and prevent criminal activity. Founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. Today we help government and law enforcement, enterprises, and managed security services providers around the world to illuminate deep and dark web threats and prevent attacks. To find out more visit slcyber.io or follow Searchlight Cyber on LinkedIn and Twitter.

Source

DARKReading