Threat actors leak employee email addresses, corporate reports, and IT asset information on a hacker forum after an attack on an Uber technology partner.

Uber has suffered yet another high-profile data leak that exposed sensitive employee and company data. This time, attackers breached the company by compromising an Amazon Web Services (AWS) cloud server used by a third party that provides Uber with asset management and tracking services.

The incident happened over the weekend, when a threat actor named "UberLeaks" began posting data they claimed was stolen from Uber and Uber Eats. The data turned up on the BreachForums hacking forum, the successor of now-defunct RaidForums, media outlets reported, and included employee email addresses, corporate reports, and IT asset information stolen.

Hackers posted a number of archives that they said are source-code associated with various mobile device management (MDM) platforms used by Uber, as well as by Uber Eats and third-party vendor services, according to reports. While no user information appears to have been compromised in the breach — which appears to entirely have affected corporate assets — the personal information of 77,000 Uber employees was leaked.

**Hacker Breaches Tequivity AWS Server **

Uber acknowledged the incident and pointed the media to a breach notification by a company called Tequivity, which it uses for asset management and tracking services.

Tequivity explained that "customer data was compromised" due to "unauthorized access" to the company's systems by "a malicious third party," according Tequivity's release. Specifically, attackers gained access to the company's AWS backup server, which houses code and data files related to Teqtivity customers, the company said.

It's unclear if that access was due to a misconfiguration of the cloud bucket, or if there was an actual compromise to blame.

Information exposed by the attack included information housed on various Uber employees' IT devices, including serial number, make, models, and technical specifications, as well as employee information, including first and last names, work email addresses, and work location details, according to Teqtivity.

Teqtivity has notified affected customers and is currently investigating as well as working to contain the incident, according to the notification. It's unclear if the breach affects other companies beyond Uber.

**Ongoing Security Issues**

This latest incident is indeed not Uber's first rodeo when it comes to data breaches, as the company has experienced several highly publicized incidents over the past several years that have had significant ramifications for the company.

In fact, a previous third-party breach that occurred in 2016 and exposed the data of some 57 million customers and drivers turned into an absolute public-relations nightmare for Uber, the effects of which are still being felt.

That incident — in which attackers also gained access to Uber data stored in third-party cloud storage — resulted in the firing of its now-former CISO Joe Sullivan after it was discovered that the company engaged in a cover-up of the incident. Sullivan was even found guilty in federal court on charges related to the incident in October.

Uber also experienced a significant breach in September and was forced to take some of its operations offline due to the compromise of its own internal systems, when an attacker socially engineered his way into an employee's VPN account before pivoting deeper into the network.

**Is the Lapsus$ Gang Responsible for the Uber Breach?**

While no particular threat group has claimed responsibility or has yet been found to be the guilty party behind the latest breach, there are some initial clues that tie the incident to the well-known cybercriminal extortion group Lapsus$.

The post on BreachForums about the Uber leak reportedly mentions the threat group, while Lapsus$ is believed to be responsible for the Uber September breach as well, Robert Ames, threat researcher from SecurityScorecard, tells Dark Reading.

Ames also notes the responsibility of Lapsus$ for a January incident at Okta, another "major third-party service for many firms," as a potential clue that the threat group also is at play here. That incident was determined to have affected about 366 Okta customers, the company acknowledged.

Lapsus$ went quiet around July after a spate of incidents earlier in the year including not only the one against Okta, but also attacks on Microsoft and Nvidia. Its responsibility for the September attack on Uber could be a sign of another flurry of activity from the threat group, experts say.

**Time to Manage Third-Party and Cloud Cybersecurity Risk**

No matter who's responsible, the latest Uber incident, like the one in 2016, once again highlights the third-party risk that all enterprises face when partner companies are responsible for or have access to corporate data and assets, security experts say.

A core issue is that many organizations don't secure third-party access to internal data in the same way they secure it within organization IT assets, which leaves that data unnecessarily exposed to outside threats, Ames says.

"Vendors and other third-parties are often granted the same access as employees but with fewer security measures, making them a weak link and therefore a popular target for threat actors," he says. "When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations."

Indeed, this is an issue not unique to Uber, but one that demonstrates that "companies everywhere must better prioritize their cybersecurity measures," especially when it comes to third parties, Stephan Chenette, co-founder and CTO at AttackIQ, says.

Some ways companies can do this include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent, and respond to these threats, he says.

"They should also continuously evaluate their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses," Chenette says.

Enterprises also should be continuously monitoring their specific third-party cybersecurity posture to reduce the likelihood of attacks, Ames says. This will help give them a more complete picture of their entire attack surface as they seek ways to gain visibility into potential and existing vulnerabilities.

Ames adds that participating in tabletop exercises and threat emulation to ensure that security administrators and employees alike are familiar with countering and responding to threat actors also can help organizations better respond to third-party threats.

Uber Breached, Again, After Attackers Compromise Third-Party Cloud

Vohuk, ScareCrow, and AESRT add to the ransomware chaos that organizations have to contend with on a daily basis.

Enterprise security teams can add three more ransomware variants to the constantly growing list of ransomware threats for which they need to monitor.

The three variants — Vohuk, ScareCrow, and AESRT — like most ransomware tools, target Windows systems and appear to be proliferating relatively rapidly on systems belonging to users in multiple countries. Security researchers at Fortinet's FortiGuard Labs who are tracking the threats this week described the ransomware samples as gaining traction within the company's ransomware database.

Fortinet's analysis of the three threats showed them to be standard ransomware tools of the sort that nevertheless have been very effective at encrypting data on compromised systems. Fortinet's alert did not identify how the operators of the new ransomware samples are distributing their malware, but it noted that phishing email has typically been the most common vector for ransomware infections.

**A Growing Number of Variants**

"If the growth of ransomware in 2022 indicates what the future holds, security teams everywhere should expect to see this attack vector become even more popular in 2023," says Fred Gutierrez, senior security engineer, at Fortinet’s FortiGuard Labs.

In just the first half of 2022, the number of new ransomware variants that FortiGuard Labs identified increased by nearly 100% compared with the previous six-month period, he says. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022 compared with just 5,400 in second half of 2021.

"This growth in new ransomware variants is primarily thanks to more attackers taking advantage of ransomware-as-a-service (RaaS) on the Dark Web," he says.

He adds: "In addition, perhaps the most disturbing aspect is that we are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023."

**Standard but Effective Ransomware Strains**

The Vohuk ransomware variant that Fortinet researchers analyzed appeared to be in its third iteration, indicating that its authors are actively developing it. 

The malware drops a ransom note, "README.txt," on compromised systems that asks victims to contact the attacker via email with a unique ID, Fortinet said. The note informs the victim that the attacker is not politically motivated but is only interested in financial gain — presumably to reassure victims they would get their data back if they paid the demanded ransom.

Meanwhile, "ScareCrow is another typical ransomware that encrypts files on victims’ machines," Fortinet said. "Its ransom note, also entitled 'readme.txt,' contains three Telegram channels that victims can use to speak with the attacker." 

Though the ransom note does not contain any specific financial demands, it's safe to assume that victims will need to pay a ransom to recover files that were encrypted, Fortinet said.

The security vendor's research also showed some overlap between ScareCrow and the infamous Conti ransomware variant, one of the most prolific ransomware tools ever. Both, for instance, use the same algorithm to encrypt files, and just like Conti, ScareCrow deletes shadow copies using the WMI command line utility (wmic) to make data irrecoverable on infected systems. 

Submissions to VirusTotal suggest that ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.

And finally, AESRT, the third new ransomware family that Fortinet recently spotted in the wild, has functionality that's similar to the other two threats. The main difference is that instead of leaving a ransom note, the malware delivers a popup window with the attacker's email address, and a field that displays a key for decrypting encrypted files once the victim has paid up the demanded ransom.

**Will Crypto-Collapse Slow the Ransomware Threat?**

The fresh variants add to the long — and constantly growing — list of ransomware threats that organizations now have to deal with on a daily basis, as ransomware operators keep relentlessly hammering away at enterprise organizations. 

Data on ransomware attacks that LookingGlass analyzed earlier this year showed there were some 1,133 confirmed ransomware attacks in the first half of 2022 alone — more than half (52%) of which affected US companies. LookingGlass found the most active ransomware group was that behind the LockBit variant, followed by groups behind Conti, Black Basta, and Alphy ransomware.

However, the rate of activity isn't steady. Some security vendors reported observing a slight slowdown in ransomware activity during certain parts of the year.

In a midyear report, SecureWorks, for example, said its incident response engagements in May and June suggested the rate at which successful new ransomware attacks were happening had slowed down a bit.

SecureWorks identified the trend as likely having to do, at least in part, with the disruption of the Conti RaaS operation this year and other factors such as the disruptive effect of the war in Ukraine on ransomware gangs.

Another report, from the Identity Theft Resource Center (ITRC), reported a 20% decline in ransomware attacks that resulted in a breach during second quarter of 2022 compared with the first quarter of the year. ITRC, like SecureWorks, identified the decline as having to do with the war in Ukraine and, significantly, with the collapse of cryptocurrencies that ransomware operators favor for payments.

Bryan Ware, CEO of LookingGlass, says he believes the crypto-collapse could hinder ransomware operators in 2023. 

"The recent FTX scandal has cryptocurrencies tanking, and this affects the monetization of ransomware and essentially makes it unpredictable," he says. "This does not bode well for ransomware operators as they are going to have to consider other forms of monetization over the long term."

Ware says the trends around cryptocurrencies has some ransomware groups considering using their own cryptocurrencies: "We’re unsure that this will materialize, but overall, ransomware groups are worried about how they will monetize and maintain some level of anonymity going forward."

Rash of New Ransomware Variants Springs Up in the Wild

Sophos research unveiled at Black Hat Europe details a thriving subeconomy of fraud on the cybercrime underground, aimed at Dark Web forum users.

Cybercriminals are often seen as parasites, feeding off a wide swath of victims of every size and stripe. But as it turns out, they've become targets in their own right, with a host of bottom-feeding "metaparasites" flocking to Dark Web marketplaces to find their own set of marks.

It's a phenomenon that has the happy side effect of exposing a rich vein of threat intelligence to researchers, including contact and location details of cybercriminals.

Sophos senior threat researcher Matt Wixey took to the stage at Black Hat Europe 2022 to discuss the metaparasite ecosystem, in a session entitled "Scammers Who Scam Scammers, Hackers Who Hack Hackers." According to research he did with fellow researcher Angela Gunn, the underground economy is riddled with a wide variety of fraudsters, who successfully extract millions of dollars per year from their fellow cybercriminals.

The pair examined 12 months of data across three Dark Web forums (Russian-speaking Exploit and XSS, and English-speaking Breach Forums), and uncovered thousands of successful scam efforts.

"It's pretty rich pickings," Wixey said. "Scammers scammed users of these forums out of about $2.5 million US dollars over the course of 12 months. The amounts per scam can be as little as $2 on up to the low six figures."

    

Source: Sophos

The tactics vary, but one of the most common — and the most crude — is a gambit known as the "rip and run." This refers to one of two "rip" variants: A buyer receives goods (an exploit, sensitive data, valid credentials, credit-card numbers, etc.) but doesn't pay for them; or, a seller is paid and never delivers what's been promised. The "run" portion refers to the scammer disappearing from the marketplace and refusing to answer any enquiries. Consider it a Dark Web version of the dine-and-dash.

There are also plenty of scammers hawking fake goods — such as nonexistent crypto accounts, macro builders that build nothing nefarious, fake data, or databases that are either already publicly available or have previously been leaked.

Some of these can get creative, Wixey explained.

"We found a service claiming to be able to bind an .EXE text to a PDF, so that when the victim clicked on the PDF, it would load while in the background, the .EXE would run silently," he said. "What the scammer actually did was just sent them back a document with a PDF icon, which wasn't actually a PDF nor did it contain an .EXE. They were hoping that the buyer didn't really know what they're asking for or how to check it."

Also common are scams where a seller offers legitimate goods that aren't quite of the quality that has been advertised — like credit card data claiming to be 30% valid, when in reality only 10% of the cards work. Or the databases are real but being advertised as "exclusive" while the seller is actually reselling them to multiple takers.

In some cases, fraudsters work in tandem in more of a long-con fashion, he added. Sites tend to be exclusive, which foments "a degree of intrinsic trust" that they can play upon, according to Wixey.

"One will build a rapport with a target and offer to provide a service; they'll then say that they actually know someone else who can do this work much better, who's an expert on the subject," Wixey explained. "They will often point them to a fake forum that a second person works and operates, which requires some sort of deposit or registration fee. The victim pays the registration fee, and then both scammers just disappear."

**How Forums Fight Back**

The activity has an adverse effect on the use of Dark Web forums — acting as an "effective tax on criminal marketplaces, making it more expensive and more dangerous for everyone else," Wixey noted. As such, ironically, many markets are implementing security measures to help curb the tide of fraud.

Forums face several challenges when it comes to putting in safeguards: There's no recourse to law enforcement or regulatory authorities for one; and it's a semianonymous culture, making it difficult to track culprits. So, the anti-fraud controls that have been put in place tend to focus on tracking the activity and issuing warnings.

For instance, some sites offer plug-ins that will check a URL to make sure it links to a verified cybercrime forum, not a fake site where users are defrauded via a bogus "joining fee." Others might run a "blacklist" of confirmed scammer tools and user names. And most have a dedicated arbitration process, where users can file a scam report.

"If you've been scammed by another user on the forum, you go to one of these arbitration rooms and you start a new thread and you supply some information," according to Wixey. That may consist of the username and contact details of the alleged scammer, proof of purchase or wallet transfer details, and as many details of the scam — including screenshots and chat logs — as possible.

"A moderator reviews the report, they ask for more information as it's needed, and they will then tag the accused person and give them somewhere between 12 and 72 hours to respond, depending on the forum," Wixey said. "The accused might make restitution, but that's pretty rare. What more commonly happens is that the scammer will dispute the report and claim it's due to a misunderstanding of the terms of the sale."

Some just don't respond, and in that case, they're either temporarily or permanently banned.

Another security option for forum users is the use of a guarantor — a site-verified resource that acts as an escrow account. The money to be exchanged is parked there until the goods or services are confirmed as being legitimate. However, guarantors themselves are often impersonated by fraudsters.

**A Treasure Trove of Threat Intelligence**

While the research offers a view into the inner workings of an interesting subsliver of the Dark Web world, Wixey also noted that the arbitration process in particular gives researchers a fantastic source of threat intelligence.

"Forums demand proof when a scam is alleged, and that includes things like screenshots and chat logs — and victims are typically only too happy to oblige," he explained. "A minority of them redact that evidence or restrict it, so it's only visible to a moderator, but most don't. They will post unredacted screenshots and chat logs, which often contain a treasure trove of cryptocurrency addresses, transaction IDs, email addresses, IP addresses, victim names, source code, and other information. And that's in contrast to most other areas of criminal marketplaces where OpSec is normally pretty good."

Some scam reports also include full screenshots of a person's desktop, including date, time, the weather, the language, and the applications — offering breadcrumbs to location.

In other words, normal precautions go out the window. A Sophos analysis of the most recent 250 scam reports on the three forums found that almost 40% of them included some kind of screenshot; only 8% restricted access to evidence or offered to submit it privately.

"In general, scam reports can be useful both for technical intelligence and for strategic intelligence," Wixey concluded.

"The big takeaway here is that threat actors don't seem to be immune to deception, social engineering or fraud," he added. "In fact, they seem to be as vulnerable as anyone else. Which is kind of interesting because these are exactly the kinds of techniques that they're using against other users."

Metaparasites & the Dark Web: Scammers Turn on Their Own

More than 10 days after a ransomware attack, affected Rackspace customers are being told the incident had a "limited impact," and have been invited to a webinar for additional details.

Customers affected by a ransomware attack on Rackspace's Hosted Exchange Email have experienced service outages and a forced transition to Microsoft 365 — and have widely expressed outrage about an overall lack of transparency from the company about the breach.

But Rackspace's latest email to them, provided to Dark Reading by a reader, tries to put a positive spin on the company's response.

"As you know, on Friday, December 2, 2022, Rackspace experienced a ransomware incident in its Hosted Exchange Email business, a managed email solution provided to small and medium businesses," the Rackspace email to customers said. "Due to swift action on the Company's part in disconnecting its network and following its incident response plans, industry-leading global cybersecurity firm CrowdStrike has confirmed the incident was quickly contained and limited solely to the Hosted Exchange Email business."

It then invites them to attend a webinar on Tuesday hosted by a panel of Rackspace leadership, including its CISO Ed Pawlowski, for additional information and an opportunity to ask questions.

"This was an incident with limited impact," according to the email — a claim that customers are begging to differ on. Users have already filed suit against Rackspace for negligence and have complained bitterly about a lack of customer support with the transition to Microsoft 365, a lack of access to their data, and limited communications with the company.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Amid Outrage, Rackspace Sends Users Email Touting Its Incident Response

Shopify Plus stores can now easily implement passwordless login with Passkeys support to help reduce drop rate and increase conversion using the free OwnID plug-in.

**NEW YORK****,** **Dec. 12, 2022** **/PRNewswire/ --** OwnID, the passwordless infrastructure for the internet, announced today the release of Passkeys support for all Shopify Plus stores. The new plugin is a low-code way to add passwordless authentication to your store. By eliminating the need to create and remember passwords, it allows users to register and log in with a single click on any device. OwnID offers the technology at no cost, up to 10,000 logins per month. The news comes following OwnID's release of a no-code WordPress plugin.

With Passkeys support, Shopify Plus site owners can eliminate the dependency on passwords, improve the conversion rate by 20% or more, and reduce user drop-offs by 35%. This is based on actual case studies showing improved metrics following the deployment of the OwnID solution. Streamlining the purchase flow and reducing the user drop-off rate are crucial for store owners and marketers. Both can be achieved by eliminating passwords.

Shopify Plus store owners who wish to add passwordless support to their website, will simply follow 4 easy steps to enable multipass login in their store, and connect the Shopify plugin to the OwnID console using a API key. The implementation process was designed to be as simple and easy as possible.

Earlier this year, Apple, Google and Microsoft joined hands with the FIDO Alliance and the World Wide Web Consortium to work on removing passwords for user authentication across the platforms. Apple announced its own implementation of this standard called Passkey. Microsoft and Google released similar statements announcing their own Passkeys implementation.

OwnID is a revolutionary authentication solution that offers a frictionless, faster, and cheaper way to verify a user's identity. It delivers a secure, seamless, and personalized experience for the user. The OwnID solution is a complete end-to-end platform that can be utilized by any application or website to significantly reduce the drop-off rate, improve user experience, and protect users from fraud. It supports Passkeys out of the box. This means that the OwnID solution works for all users, regardless of device type – Apple, Samsung, Google, Microsoft, or any other.

Named as "Best Passwordless technology" by the 2022 CISO Choice Awards, OwnID has helped many top brands adopt a passwordless solution, including Carrefour, Delonghi, Nestle, Carnival Cruise Line and more.

To get started visit ownid.com. 

For more information about Passkeys visit passkeys.com.

**About OwnID**

Helping businesses connect better with their customers online. Dor Shany and Rooly Eliezerov founded OwnID believing that if a business identifies a customer, it will better understand that customer's needs and serve them better. Exceptional service and personalized experiences pave the way for long-term relationships between your business and your customers. But traditional registration and login are cumbersome and get in the way of these relationships. OwnID is here to offer a more friendly and secure authentication experience that keeps you connected to your customers.

Learn more on OwnID.com.

Shopify Plus Stores Can Easily Add Passwordless Login With Passkeys Support

Visibility into every environment, including cloud, enables businesses to mitigate operating risks.

In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.

Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.

This is unfortunate, since what we can't see can hurt us. That being said, it is great news that cloud visibility has become a top priority for many businesses. Here are a few areas where many businesses are looking for visibility to play a key role.

**Compliance**

Compliance may not be the most exciting part of our jobs, but it is necessary. Whether because of regulatory requirements, audit requirements, or otherwise, businesses need to show compliance. There are many ways to do so, and visibility is one of them. There is no better way to provide evidence that we are compliant with a given requirement than to have ground-truth data that clearly shows we are.

**Monitoring**

Before we can detect security and fraud issues within our cloud infrastructure, applications, and APIs, we need to be able to monitor them. This necessitates having the requisite visibility at the network, application, and user layers. This means having logging and insight into the cloud environment at the same level we have within the on-premises environment.

**Investigation**

When we either detect a security or fraud issue or are notified of one, we need to begin an investigation. We need to interrogate the data to understand what happened, when it happened, where it happened (to what infrastructure), why it happened (root cause), and how it happened. As straightforward and logical as this seems, without proper visibility it is impossible. It is best to address visibility sooner rather than later, as there is no way to "put back" data we aren't currently collecting when we need it most.

**Response**

Once an incident has been investigated, the proper response can be architected and implemented. If we don't have proper visibility, however, we can't be sure that we are effectively remediating the issue in its entirety. Without adequate visibility, how can we be sure that we haven't missed other issues or other resources that may be impacted?

**API Discovery**

We can't protect what we don't know exists. Believe it or not, unknown APIs — those which security and fraud teams are unaware of — occur more often than we would like to admit. As such, API discovery is another great use case that shows the value of visibility. It is worth the investment of time, energy, and money to discover APIs that may be deployed at various locations around the cloud, on-premises, and/or hybrid infrastructure. Once we are aware of these APIs, we can begin to take steps to gain visibility into those previously unknown environments.

**Application Breaches**

When an application is compromised, it is not necessarily so easy to detect. Unlike network-level or host-level compromises, application-level compromises don't always look like intrusions. Sometimes, they spring from stolen credentials. Other times, they happen due to business logic abuse. At yet other times, they result from attackers hopping through or "piggybacking" on the sessions of legitimate users.

In all of these cases, without the proper visibility into both the application layer and the user layer, it will be nearly impossible to become wise to a breach. This is another area where visibility plays a big role in detecting application breaches early, thus mitigating the risk that results from breaches that persist for long periods of time.

**Malicious User Detection**

With the move to software-as-a-service (SaaS), user authentication and authorization have become increasingly important for granting and controlling access to applications and resources. Malicious users aren't necessarily hackers or attackers. Rather, they may be users who have logged into one or more resources with the intent to misuse or abuse those resources. Visibility into user behavior as the user navigates the session allows us to look for patterns and signs that the user may actually be a malicious one.

We have been a bit behind in terms of ensuring the requisite visibility into cloud environments. We have lost some time, though it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.

What We Can't See Can Hurt Us

Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format.

Web application firewalls (WAFs) from five major vendors are vulnerable to malicious requests that use the popular JavaScript Object Notation (JSON) to obfuscate database commands and escape detection.

That's according to application-security firm Claroty, whose researchers have found that WAFs produced by Amazon Web Services, Cloudflare, F5, Imperva, and Palo Alto fail to identify malicious SQL commands coded in the JSON format, allowing the forwarding of malicious requests to the back-end database. The research uncovered a fundamental mismatch: Major SQL databases understand commands written in JSON, while WAFs do not.

The technique allows attackers to access and, in some cases, change data as well as compromise the application, says Noam Moshe, a security researcher with Claroty's Team82 research team.

"By bypassing WAF protection, attackers can exploit other vulnerabilities in web applications and potentially take over said applications," he tells Dark Reading. "This is even more relevant in cloud-hosted applications, where many WAFs are deployed by default."

Web application firewalls are a critical layer to protect against application attacks, and often are used to give developers a bit more breathing room from nefarious types trying to exploit coding errors. While they are often relied on as a security crutch by many companies, WAFs are far from perfect and researchers and attackers have found many ways to bypass them. 

In a 2020 survey, for example, four in 10 security professionals claimed that at least half of application attacks had bypassed the WAF. In more recent research released in May, a team of academic researchers from Zhejiang University in China used a variety of methods of obfuscating injection attacks on databases, finding that — among other techniques — JSON could help hide the attacks from cloud-based WAFs.

"Detection signatures were not robust due to various vulnerabilities," the researchers said at the time. "Just adding comments or whitespace can bypass some WAFs, but the most effective mutation depends on specific WAFs."

**WAFs Don't "Get" JSON**

The researchers' first inkling of a potential attack came from unrelated experiments probing the Cambium Networks' wireless device management platform. The developers of that platform appended user-supplied data directly to the end of a query, a technique that convinced Claroty to investigate a more general application.

In the end, the researchers found they could append legitimate JSON queries to benign SQL code, allowing them to bypass the ability of WAFs to detect injection attacks, and giving attackers the ability to gain direct access to back-end databases, Claroty's research showed.

The technique worked against most major relational databases, including PostgreSQL, Microsoft’s MSSQL, MySQL, and SQLite. While the company had to overcome three technical limitations — such as initially only being able to retrieve numbers and not strings of characters — the researchers eventually created a general-purpose bypass for major Web application firewalls.

"After we bypassed all three limitations, we were left with a big payload allowing us to extract any data we chose," the researchers wrote in Claroty's advisory. "And indeed, when we used this payload we managed to exfiltrate sensitive information stored in the database ranging from session cookies to tokens, SSH keys and hashed passwords."

**Obfuscate to Escape**

Obfuscating malicious code to bypass anti-injection security measures has a long history. In 2013, for example, attackers began exploiting a vulnerability in the Ruby on Rails framework that allowed JSON code to be used to bypass authentication and inject SQL commands into a web application.

Companies should upgrade their WAFs solutions to gain the advantage of the latest fixes, Moshe says. The security researcher also stressed the companies should have extra security in place to catch future bypass techniques.

"It is important to not use a WAF solution as your sole line of defense," he says. "Instead, it is recommended to secure your applications using many security mechanisms, like limiting access to your application \[and\] enabling security features."

The researchers notified all five vendors of the vulnerable WAFs, each of which confirmed the issue and have since added JSON syntax support to their products, Claroty stated in its advisory.

Popular WAFs Subverted by JSON Bypass

Ensuring stronger in-house defenses is integral to retaining customer loyalty.

Companies are always absorbing costs that are seen as par for the course of budget planning: maintenance, upgrades, office supplies, wastage, shrinkage, etc. These costs ratchet up the price of a company's products and are then passed on to the consumer. Breaches in cybersecurity and paying out ransoms to hackers should be outside of this remit, and yet more than half of all companies admit to transferring the costs of data breaches on to consumers. Careless or ill-informed employees and other weaknesses in a company's protections lead to catastrophic losses to businesses of around $1,797,945 per minute — and the consumers are paying it off.

**Feeding the Virus**

If a company estimates the recovery costs from a ransomware attack to exceed the requested payment from the hacker, then it feels like a no-brainer — they're better off just cutting their losses and giving in to the cybercriminal's demands. The issue is that this creates an unvirtuous circle of paying the hacker, which enforces nefarious behavior and empowers hackers to increase the number and volume of ransoms.

When it comes to ransomware, 32% of companies pay off hackers, and, of that percentage, the average company only retrieves about 65% of its data. Giving in to hackers is counterintuitive. On an even more disturbing note, one study found that 80% of companies that paid a ransom were targeted a second time, with about 40% paying again and a majority of that 40% paying a higher ransom the second time round. This is ludicrous. With 33% of companies suspending operations following an attack, and nearly 40% resorting to laying off staff, it comes as no surprise that the downstream costs are picked up to some extent by the consumer.

**Targeting the Weaker Defenses**

As for smaller companies, about 50% of US small businesses don't have a cybersecurity plan in place, despite the fact that small businesses are three times more likely to be targeted by cybercriminals than larger companies. An average breach costs these companies around $200,000 and has put many out of business. It isn't simply the cost passed on to consumers, it's also the intangible assets, such as brand reputation.

When data is leaked and a site goes down, customers become rightly anxious when their information is sold to the highest bidder on the Dark Web. To safeguard against this, companies of all sizes should exploit automated solutions while training every single member of staff to recognize and report online threats. Paying a ransom does not guarantee the return of data, and for a smaller business, losing valuable customer information could cause long-term damage way beyond the initial attack.

**Forearmed Is Forewarned**

Cybersecurity professionals, governments, and law enforcement agencies all advise companies to avoid paying the hackers' ransoms. This strategy is affirmed by the success businesses have had in retrieving the stolen data and turning the lights back on — 78% of organizations who say they did not pay a ransom were able to fully restore systems and data without the decryption key. This evidently is not enough to reassure companies who, at the click of a dangerous email being opened, have lost sensitive information and access to their systems and are desperate to get back online. There are many preventative techniques businesses can take advantage of before it even gets to that stage.

Cybersecurity insurance is a way of mitigating financial damage associated with an attack, although a company must meet strict security eligibility requirements to qualify for coverage. This can include ensuring the implementation of measures such as multifactor authentication, endpoint detection and response, privileged access management, and patch management. A more cost-effective and equally necessary route is to conduct a company-wide exercise mimicking an attack — this can highlight frailties in the system. Before ever depositing a cent into a hacker's bank account, a company might consider employing a ransomware negotiator on retainer. Whether negotiation services are available should be determined well in advance in the incident response plan.

**Plan Before You Pay**

Cybersecurity costs are now considered inherent to running a company — and therefore they are referred straight to the consumer. There is no foolproof method for anticipating or preventing ransomware attacks, but there needs to be a real adjustment in how companies deal with them and where the final payment is shifted to.

Paying the piper emboldens the criminal syndicates behind the hackers and only serves to buttress ransom demands, opening the door to more attacks and burdening the consumer with higher prices. Businesses must assess their security perimeters more diligently, as ensuring stronger in-house defenses is integral to retaining customer loyalty, as well as to the survival of the company itself.

When Companies Compensate the Hackers, We All Foot the Bill

New Cortex Xpanse features give organizations visibility and control of their attack surfaces to discover, evaluate, and address cyber risks.

**SANTA CLARA, Calif.****,** **Dec. 12, 2022** **/PRNewswire/ —** Cyberattackers today use highly automated methods to quickly find and exploit weaknesses in target organizations — sometimes within minutes of a new vulnerability being disclosed. Most security teams try to find these weaknesses, but because they are doing this with manual tools they quickly fall behind. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, introduced a new Cortex® capability: Xpanse Active Attack Surface Management, or Xpanse Active ASM. This helps security teams not just actively find but also proactively fix their known and unknown internet-connected risks. Xpanse Active ASM equips organizations with automation to give them the edge over attackers.

"While the fundamental need for attack surface management hasn't changed, the threat landscape today is much different. Organizations need an active defense system that operates faster than attackers can," said Matt Kraning, chief technology officer of Cortex for Palo Alto Networks. "As the leader and pioneer in the ASM market, we realize that customers need complete, accurate, and timely discovery and remediation of risky exposures in their internet-connected systems. With Xpanse Active ASM, we give defenders the ability not only to see their exposures instantly but also to shut them down automatically with no human labor required."

Available today, Xpanse Active ASM gives organizations the following tools and capabilities:

*   **Active Discovery**: Attackers use frequent, automated probes to find vulnerable and/or exposed assets, and organizations need tools that allow them to have the same visibility. Active Discovery refreshes its internet-scale database several times a day and uses supervised machine learning to accurately map these vulnerabilities back to an organization. This helps them get an outside-in view of their network — the same view attackers have.
*   **Active Learning**: Xpanse continuously processes discovery data, mapping new systems to the people responsible for each system. Active Learning continuously analyzes and maps the streamed discovery data to understand and prioritize top risks in real time. As a result, customers can stay ahead of attackers by closing down the riskiest exposures quickly.
*   **Active Response**: While instant discovery of vulnerabilities and/or exposures can give security teams a realistic risk picture, merely finding issues isn't enough. Automated remediation is key to staying ahead of attackers, saving response time in the SOC by eliminating the manual step of merely creating a ticket for analysts who then must spend multiple hours of manual effort actually tracking down the owner of the affected system and resolving the vulnerability. True automation is completely solving the end-to-end remediation process without human intervention. A critical new capability for security teams, Active Response includes native embedded automatic remediation capabilities that make use of active discovery data and active learning analysis to automatically shut down exposures before they allow threats into a network. It executes ASM-specific playbooks to triage, deactivate and repair vulnerabilities automatically.

The Xpanse Active Response module includes built-in end-to-end remediation playbooks. These playbooks automatically eliminate critical risks such as exposed Remote Desktop Protocol (RDP) servers and insecure OpenSSH instances without any manual labor.

Following remediation, Active Response automatically validates that remediation was successful by scanning assets, compiling audited actions and placing investigation details into clear dashboards and reports.

Cortex Xpanse is used today by some of the most complex and demanding organizations in the world. Palo Alto Networks recently announced a multiyear deal for Cortex Xpanse to equip the Department of Defense with Internet Operations Management capabilities.

**Availability**

Cortex Xpanse Active ASM is now available globally with full support.

**Additional Resources**

*   Learn more about Xpanse Active ASM.
*   Register for the Xpanse Active ASM online event.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Cortex, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ _the United States_ _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE: Palo Alto Networks Inc.

Palo Alto Networks Xpanse Active Attack Surface Management Automatically Remediates Cyber Risks Before They Lead to Cyberattacks

Pulse Connect VPN server software received several updates over the years, and thousands of hosts haven't patched.

Nearly 4,500 Pulse Connect Security SSL virtual private network hosts are running unpatched server software, leaving them open to cyberattacks.

A new analysis from Censys of the Pulse Connect Secure VPN ecosystem of 30,266 hosts found that although several notable flaws have been discovered and patched over the past few years, 4,460 hosts are still running vulnerable versions. Besides Pulse advisories, the Cybersecurity and Infrastructure Security Agency in April 2021 issued an alert that some of the documented Pulse Connect bugs were under active attack, Censys added.

The Censys Pulse Connect report includes a breakdown of the unpatched versions, finding the biggest chunk of vulnerable hosts — 1,033 — is in the US.

Overall, Censys said the team was trying to "... paint a picture of the current state of vulnerable Pulse Connect secure devices that are still running on the Internet," the report added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading