Months after a fix was issued by a vendor, downstream Android device manufacturers still haven't patched, highlighting a troubling trend.

It's called a "patch gap" and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands.  

According to Google's Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM  "promptly" issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable. 

Until there's a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it's up to security teams to remain "vigilant," the Google Project Zero team advised. 

"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," the patch gap report explained. "Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Patch Lag' Leaves Millions of Android Devices Vulnerable

The infostealer Aurora’s low detection rates and newcomer status are helping it fly under the radar, as more cybercriminal gangs target cryptocurrency wallets and communications apps.

A growing number of cybercriminal groups are turning to an information stealer named Aurora, which is based on the Go open source programming language, to target data from browsers, cryptocurrency wallets, and local systems.

A research team at cybersecurity firm Sekoia discovered at least seven malicious actors, which it refers to as "traffers," that have added Aurora into their infostealer arsenal. In some cases, it's being used in conjunction with the Redline or Raccoon infostealers as well.

More than 40 cryptocurrency wallets, and applications like Telegram, have been successfully targeted so far, according to the report, which highlighted Aurora's relative unknown status and elusive nature as tactical advantages.

Aurora was first discovered by the company in July and is thought to have been promoted on Russian-speaking forums since April, where its remote access features and advanced infomation-stealing capabilities were touted.

"In October and November 2022, several hundreds of collected samples and dozens of active C2 servers contributed to confirm SEKOIA.IO\['s\] previous assessment that Aurora stealer would become a prevalent infostealer," the company's blog post explained. "As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat."

The report also noted that cybercriminal threat actors have been distributing it using multiple infection chains. These run the gamut from phishing websites masquerading as legitimate ones, to YouTube videos and fake "free software catalog" websites.

"These infection chains leverage phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," the blog post continued.

The company's analysis also highlights two infection chains currently distributing the Aurora stealer in the wild, one through a phishing site impersonating Exodus Wallet and another from a YouTube video from a stolen account on how to install cracked software for free.

The malware uses a simple file-grabber configuration to gather a list of directories to search for files of interest. It then communicates using TCP connection on ports 8081 and 9865, with 8081 being the most widespread open port. The exfiltrated files are then encoded in base64 and sent to the command-and-control server (C2).

The collected data is offered at high prices on various marketplaces to cybercriminals looking to carry out lucrative follow-up campaigns, in so-called "big-game hunting" operations that go after large companies and government-sector targets, according to the researchers.

**Open Source Malware Rising in Popularity**

A growing number of malicious actors are building malware and ransomware with open source programming languages like Go, which offers increased flexibility.

Go's cross-platform capability enables a single codebase to be compiled into all major operating systems. This makes it easy for threat actors, such as the ones behind BianLian, to make constant changes and add new capabilities to a malware to avoid detection.

The operators of the cross-platform BianLian ransomware have actually increased their C2 infrastructure in recent months, indicating an acceleration in their operational pace.

Uncommon programming languages — including Go, Rust, Nim, and DLang — are also becoming favorites among malware authors seeking to bypass security defenses or address weak spots in their development process, according to a report last year from BlackBerry.

Hot Ticket: 'Aurora' Go-Based InfoStealer Finds Favor Among Cyber-Threat Actors

Chinese threat actors have already used the vulnerable and pervasive Boa server to infiltrate the electrical grid in India, in spate of malicious incidents.

Microsoft this week identified a gaping attack vector for disabling industrial control systems (ICS), which is unfortunately pervasive throughout critical infrastructure networks: the Boa Web server.

The computing giant has identified vulnerabilities in the server as the initial access point for successful attacks on the Indian energy sector earlier this year, carried out by Chinese hackers. But here's the kicker: It's a Web server that's been discontinued since 2005.

It may seem strange that a nearly 20-year-old end-of-life server is still hanging around, but Boa is included in a range of popular software developer kits (SDKs) that Internet of Things device developers use in their design of critical components for ICS, according to Microsoft. As such, it's still used across myriad IoT devices to access settings, management consoles, and sign-in screens for devices on industrial networks — which leaves critical infrastructure vulnerable to attack on a large scale.

These include SDKs released by RealTek that are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters, researchers noted.

In April, Recorded Future reported on attacks on the Indian power sector that researchers attributed to a Chinese threat actor tracked as RedEcho. The activity targeted organizations responsible for carrying out real-time operations for grid control and electricity dispatch within several northern Indian states, and it occurred throughout the year.

It turns out that the vulnerable component in the attacks was the Boa Web server. According to a Microsoft Security Threat Intelligence blog post published Nov. 22, the Web servers and the vulnerabilities they represent in the IoT component supply chain are often unbeknownst to developers and administrators who manage the system and its various devices. In fact, admins often don't realize that updates and patches aren't addressing the Boa server, the researchers said.

"Without developers managing the Boa Web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files," researchers wrote in the post.

**Making the Discovery**

It took some digging to identify that the Boa servers were the ultimate culprit in the Indian energy-sector attacks, the researchers said. First they noticed that the servers were running on the IP addresses on the list of indicators of compromise (IoCs) published by Recorded Future at the time of the release of the initial report last April, and also that the electrical grid attack targeted exposed IoT devices running Boa, they said.

Moreover, half of the IP addresses returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool that Recorded Future identified was used in the attack, the researchers noted.

Further investigation of the headers indicated that more than 10% of all active IP addresses returning the headers were related to critical industries — including the petroleum industry and associated fleet services — with many of the IP addresses assigned to IoT devices with unpatched critical vulnerabilities. This highlighted "an accessible attack vector for malware operators," according to Microsoft.

The final clue was that most of the suspicious HTTP response headers that researchers observed were returned over a short time frame of several days, which linked them to likely intrusion and malicious activity on networks, they said.

**Gaping Security Vulnerabilities in the Supply Chain**

It's no secret that the Boa Web server is full of holes — notably including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558) — that are unpatched and need no authentication to exploit, the researchers said.

"These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the 'passwd' file from the device or accessing sensitive URIs in the Web server to extract a user's credentials," they wrote.

"Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek's SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks," they said.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities — factors that also make the existence of Boa Web servers in ICS ripe for exploitation, researchers added.

**Current Threat Activity and Mitigation**

Microsoft's research indicates that Chinese attackers have successfully targeted Boa servers as recently as late October, when the Hive threat group claimed a ransomware attack on Tata Power in India. And in their continued tracking of the activity, researchers continued to see attackers attempting to exploit Boa vulnerabilities, "indicating that it is still targeted as an attack vector" and will continue to be one as long as these servers are in use.

For this reason, it's crucial for ICS network administrators to identify when the vulnerable Boa servers are in use and to patch vulnerabilities wherever possible, as well as take other actions to mitigate risk from future attacks, researchers said.

Specific steps that can be taken include using device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments that identify unpatched devices in the network and set workflows for initiating appropriate patch processes with solutions.

Administrators also should extend vulnerability and risk detection beyond the firewall to identify Internet-exposed infrastructure running Boa Web server components, researchers said. They also can reduce the attack surface by eliminating unnecessary Internet connections to IoT devices in the network, as well as applying the practice of isolating with firewalls all IoT and critical-device networks.

Other actions to consider for mitigation include using proactive antivirus scanning to identify malicious payloads on devices; configuring detection rules to identify malicious activity whenever possible; and adopting a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility to detect and alert when IoT devices with Boa are used as an entry point to a network.

Microsoft: Popular IoT SDKs Leave Critical Infrastructure Wide Open to Cyberattack

Fueling the trend are the rising adoption of cloud computing solutions, technology advancements, stricter data safety regulations, and the move to digitalization, says Brandessence Market Research.

**LONDON, Nov. 23, 2022 /PRNewswire/** — The Global Penetration Testing Market is poised to reach a valuation of USD 5.28 Billion in 2028 from USD 1.87 Billion in 2021, registering a CAGR of 15.97% over the forecast duration.

Penetration test is referred to as a type of ethical hacking that is deliberately performed on a computer system to assess its security while identifying exploitable vulnerabilities. The testers adopt similar equipment, tool, and tactics used by cyberattacks. This is mainly done to deceive the criminals by distributing decoys and traps in the system that resemble the genuine assets. Organizations that are highly prone to cybercrime adopt this testing method to ensure the overall safety of their computer infrastructure.

The growth occurrences of cyberattacks, rising adoption of cloud computing solutions, along with technology advancements in the field are primarily augmenting the outlook of this business vertical. Further, the booming IT industry, stringent data safety regulations, and rapidly evolving technological infrastructure across various regions are creating lucrative opportunities for this marketplace to prosper.

Also, rising R&D activities in the field, surging digitalization trends across various industry verticals, coupled with increasing number of data centres worldwide, are adding traction to the development of Global Penetration Testing Market. Moreover, escalating demand for high-speed internet connection, rising popularity of remote working, and increasing incidences of cyberattack sophistication are stimulating the overall dynamics for this industry vertical. On the flip side, high costs pertaining to penetration tests and dearth of skilled professionals in the field are hindering the remuneration scope of this business sphere.

**Get Sample of \[email protected\] https://brandessenceresearch.com/downloadSample/PostId/2143**

**Competitive Hierarchy**

The prominent players characterizing the competitive Terrain of Global Penetration Testing Market are:

*   Checkmarx
*   Coalfire Systems
*   Core Security Technologies
*   FireEye
*   HackerOne Inc.
*   ImmuniWeb SA
*   Indium Software
*   International Business Machines Corporation
*   Netragard LLC
*   Netsparker Ltd
*   OffSec Services Limited
*   Micro Focus International plc
*   Acunetix
*   Others.

These companies are trying to enhance their position in the global market. They are adopting various strategies, including mergers & acquisitions, product launches, R&D investments, partnerships, and collaborations, among others to stay ahead of the curve.

**Global Penetration Testing Market Segmentation:**

**By Type:**

*   Wireless Network Penetration Testing Services
*   Network Penetration Testing
*   Web Application Penetration Testing
*   Social Engineering Penetration Testing
*   Mobile Application Penetration Testing
*   Others

**By Deployment:**

*   Cloud
*   On-premises

**By End-User:**

*   Healthcare
*   Government & Defense
*   Retail
*   BFSI
*   IT & Telecom
*   Others

**Category-Wise Outlook**

**Which is the leading deployment mode segment in this business sphere?**

The on-premises segment presently dominates the market in terms of volume share since it provides high control and flexibility to end-use enterprises which reducing the risks of data losses.

**Which end-user segment is poised to amass notable gains over the estimated timeline?**

The healthcare segment is anticipated to generate significant returns over the estimated timeline. This is credited to the rising adoption of EHR and telehealth solutions, which in turn increases the susceptibility of healthcare organizations to various forms of cybercrimes.

**Get Methodology @** **https://brandessenceresearch.com/requestMethodology/PostId/2143**

**Comparing the historical outlook and ongoing trends of this market**

This industry has been generating significant returns due to the presence of various expansion propellants across the globe.

There has been rising occurrence of cyberattacks across various industry verticals worldwide. In fact, the crime dwellers have begun adopting advanced technologies such as AI, analytics, and ML to sophisticate cyber-attacks. Such attacks tend to go unnoticed or undetected since most of the organizations lack preparedness and high-end tools. Many enterprises incur massive financial losses due to such attacks which in turn also affects their reputation in the market. This has increased the demand for effective tools and tactics to minimize the risk of sophisticated cybercrimes across numerous organizations.

The rising digitalization trend across a wide range of industries has resulted in the rising data privacy concerns. Due to widespread internet proliferation and growing adoption of smart devices, sectors such as healthcare, education, and retail, among others are trying to streamline their operations with an aim to reduce their overall expenses while leaving no room for human errors. But this has provided hackers with profitable opportunities since they can easily crack into the system of these organizations and procure confidential data. After getting their hands on these valuable assets, cybercriminals sell them on the dark web and earn massive profits. Therefore, many of these organizations have strengthened their cybersecurity entities which in turn is increasing the deployment of penetration testing solutions.

The onset of the COVID-19 pandemic is adding momentum to the progression of Global Penetration Testing market. Stringent lockdowns completely restricted the mobility of the masses and led to the temporary closure of commercial complexes. This pushed organizations to shift to a virtual mode of operations, thereby popularizing remote working trends. Unfortunately, this resulted in the surging occurrence of cyberattacks which in turn necessitated the deployment of effective tactics and tools to ensure user data safety and privacy during online communications, data transfer, and other activities.

**Region-Wise Insights**

**Which is the fastest growing region in this industry vertical?**

North America has emerged as one of the most rapidly growing regions in this marketplace owing to rapid internet proliferation, growing adoption of smart devices, and rising disposable income of the masses.

**How is Asia-Pacific faring in the marketplace?**

Asia Pacific is reckoned to capture a substantial revenue share over the forecast timeframe due to the rising occurrence of cyberattacks, the booming IT sector, and technological innovations in the field.

**Major Developments**

In June 2022, Synopsys announced the acquisition of Whitehat Security to strengthen its overall portfolio in this vertical.

**On Special Requirement,** **Penetration Testing Market Report is also available for regions listed below:**

**North America**

*   U.S, Canada

**Europe**

*   Germany, France, U.K., Italy, Spain, Sweden, Netherland, Turkey, Switzerland, Belgium, Rest of Europe

**Asia-Pacific**

*   South Korea, Japan, China, India, Australia, Philippines, Singapore, Malaysia, Thailand, Indonesia, Rest Of APAC

**Latin America**

*   Mexico, Colombia, Brazil, Argentina, Peru, Rest of Latin America

**Middle East and Africa**

*   Saudi Arabia, UAE, Egypt, South Africa, Rest Of MEA

**Purchase Copy of Report @ https://brandessenceresearch.com/Checkout?report\_id=2143**

**Related Reports:**

*   Security Information and Event Management Market is valued at USD 4.21 Billion in 2021 and is expected to reach USD 6.62 Billion by 2028 with a CAGR of 8.1% over the forecast period.
*   Security Orchestration Automation and Response (SOAR) Market is valued at USD 1.16 Billion in 2021 and is expected to reach USD 3.19 Billion by 2028 with a CAGR of 15.58% over the forecast period.
*   Application Security Market is valued at USD 7041.2 Million in 2021 and is expected to reach USD 20880.7 Million by 2028 with a CAGR of 16.8% over the forecast period.
*   Security and Vulnerability Management Market are valued at USD 11.26 Billion in 2021 and expected to reach USD 21.38 Billion by 2028 with a CAGR of 9.6% over the forecast period.
*   Chemical Sensor Market is valued at USD 25.46 Billion in 2021 and is expected to reach USD 42.23 Billion by 2028 with a CAGR of 7.5% over the forecast period.
*   Image Sensor Market is valued at USD 20.62 Billion in 2021 and is expected to reach USD 36.78 Billion by 2028 with a CAGR of 8.62% over the forecast period.
*   Ultrasonic Sensors Market is valued at USD 6.29 Billion in 2021 and expected to reach USD 13.74 Billion by 2028 with a CAGR of 11.8% over the forecast period.
*   Smart Sensors Market is valued at USD 42.74 Billion in 2021 and expected to reach USD 145.30 Billion by 2028 with the CAGR of 19.1% over the forecast period.
*   CMOS Image Sensor Market is valued at USD 16.82 Billion in 2021 and is expected to reach USD 23.04 Billion by 2028 with a CAGR of 8.65% over the forecast period.

**Brandessence Market Research & Consulting Pvt ltd.**

Brandessence Market Research publishes market research reports & business insights produced by highly qualified and experienced industry analysts. Our research reports are available in a wide range of industry verticals including aviation, food & beverage, healthcare, ICT, Construction, Chemicals, and lot more. Brand Essence Market Research report will be best fit for senior executives, business development managers, marketing managers, consultants, CEOs, CIOs, COOs, and Directors, governments, agencies, organizations, and Ph.D. Students. We have a delivery center in Pune, India, and our sales office is in London.

**Follow Us:** LinkedIn **Blog:** **Top 5 Electric Air Taxi Market**

SOURCE: Brandessence Market Research and Consulting Private Limited

Penetration Testing Market Size Is Projected to Reach $5.28B Globally by 2028

New laws have made the current US privacy landscape increasingly complex.

With 65% of the global population expected to have its personal data covered under modern privacy regulations by 2023, respecting data privacy has never been more critical. As an example, the introduction of the federal American Data Privacy and Protection Act (ADPPA), along with the recent passage of a patchwork of state-level privacy laws, has made the current US privacy landscape increasingly complex. This results in challenges for organizations, both in managing exploding volumes of data and understanding how specific data privacy regulations apply to them.

As businesses of all sizes try to remain on top of ever-changing data privacy laws and proactively monitor relevant rules, they should also be taking necessary steps to map where consumer and employment data lives, and the potential risks to that data. By bolstering cybersecurity defenses, organizations can be better prepared for data privacy regulations, now and in the future.

Let's remember why this has become so vital. First, consumers and employees are more informed than ever about personal rights and how data privacy regulations apply to them. This is an important and positive development, considering the dramatic increase in the risk of fines and litigation for noncompliance — one of the foundations necessary for protecting individual rights.

The convergence of personally identifiable information (PII) and protected health information (PHI) also represents data risks. For example, payment information from an insurance claim, along with an email address and other digital breadcrumbs found on the Internet, can be used to steal identities or result in data exfiltration. In addition, the adoption and long-term acceptance of hybrid work models can create challenges. Some organizations ask their employees very focused questions about behaviors and work-from-home arrangements for measuring productivity. Depending on the specific questions, there could be further privacy implications.

**Landscape of Confusion**

Given the vast varieties and jurisdictions of the current data privacy and protection regulations, there can be some confusion. For example, US companies located in North Dakota that conduct business domestically may be somewhat less preoccupied with rules that apply overseas. By contrast, for US organizations offering goods and services in the UK or EU, regulations such as the General Data Protection Regulation (GDPR) — along with the potential for penalties if they are breached — may well apply.

Additionally, in some organizations preconceptions related to the size of the company could cause compliance or regulatory issues, such as believing a company is too small for the data privacy regulations to apply. While it's true that most of the newer regulations focus on companies of a certain size, the actual sizing criteria may relate to a range of factors, such as the number of employees or annual revenue. Whether data privacy regulations apply or not might also depend on the volume of consumer information an organization handles.

The point is, every set of regulations has nuances, which is why it's important to understand both the relevance and boundaries of each. This should be monitored under regular review, particularly as organizations grow and regulations begin to apply where they didn't before. For instance, there have been recent developments around the new EU–UK Data Privacy Framework, also known as Privacy Shield 2.0, concerning intelligence activities.

A good rule of thumb is to follow best practices as soon as possible, so when the need for formal compliance arrives, everything is in place. The risk of getting it wrong is serious, with organizations potentially facing massive fines for non-compliance. That says nothing of the impact to brand reputation when a serious breach is revealed, including loss of consumer, employee, or investor confidence, where the effects can be prolonged and painful.

**Time for Federal Laws?**

New data privacy laws are being proposed on a regular basis. There are five US states set to have key regulations going into effect in 2023: California, Virginia, Colorado, Connecticut, and Utah. With 10% of US states to be covered by data privacy legislation by the end of next year, it's clear that a federal law would be useful.

In particular, federal legislation could play a critical role in aligning the US with other countries on the subject of data privacy. It would also provide vendors and users with much-needed clarity on how to use, store, and manage sensitive data. This alone would go a long way in clearing up the widespread confusion that abounds due to the existing patchwork of regulation. While the exact timing of federal legislation like the proposed ADPPA is unclear, it's not a matter of if, but when.

Overall, data and the laws that govern its protection exist within a rapidly evolving regulatory ecosystem. Further change — both domestically and internationally — is inevitable. Therefore, organizations must focus on the short- and long-term responsibilities of handling and safeguarding data. It's not just the right thing to do ethically and morally, it also represents sound decision making for the health of the business.

Where Are We Heading With Data Privacy Regulations?

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities.

From an anonymous server collecting user information to configuration errors that create vulnerabilities, infosec experts are pointing out security holes in Mastodon, which, seen as a replacement for Twittern is experiencing massive user growth — and an increased scrutiny of its flaws.  

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.

**Twitter Users Flock to Mastodon**

Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared with a more typical growth of below 2,000 a day. But that's a drop in the bucket compared with the 135,000 new users who joined on Nov. 7.

"Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.

"Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model," added David Maynor, senior director of threat intelligence at Cybrary. "My moving advice is firmly 'buyer beware.'"

Of course, Twitter is no stranger to security issues, so _caveat emptor_ is timeless and universal.

Cybersecurity Pros Put Mastodon Flaws Under the Microscope

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

The Vietnam-based financial cybercrime operation's primary goal is to push out fraudulent ads via compromised business accounts.

A financially motivated threat actor targeting individuals and organizations on Facebook's Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them.

The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor's primary goal is to push out ads fraudulently via Facebook business accounts to which they manage to gain control.

**Evolving Tactics**

WithSecure spotted Ducktail's activity earlier this year and disclosed details of its tactics and techniques in a July blog post. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign.

In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22.

In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Over the course of the last two or three months, Ducktail also has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware.

"We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence. 

In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. This would allow the threat actor to add other businesses to the credit card and monthly invoices, and use the linked payment methods to run ads.

"The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation," Nejad says. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page."

**Targeted Attacks**

The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources. 

The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Users who fall for the lure end up having Ducktail's information stealer installed on their system. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. 

The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification stats, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. The malware collects similar information on any ad accounts associated with the compromised Facebook account.

The information stealer can "steal information from the victim's Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles," Nejad says.  Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address — which, in this case, is controlled by the attacker. The threat actor uses that link to gain access to the account, according to WithSecure.

Threat actors with admin access to a victim's Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. When a targeted victim might not have sufficient access to allow the malware to add the threat actor’s email addresses, the threat has actor relied on the information exfiltrated from the victims’ machines and Facebook accounts to impersonate them.

**Building Smarter Malware**

Nejad says that prior versions of Ducktail's information stealer contained a hard-coded list of email addresses to use for hijacking business accounts. 

"However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. Upon launch, the malware establishes a connection to the C2 and waits for a duration of time to receive a list of attacker-controlled email addresses in order to proceed, he adds.

The report lists several steps that organization can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts. 

Organizations should also enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts.

Ducktail Cyberattackers Add WhatsApp to Facebook Business Attack Chain

Cybercrooks have drained DraftKings accounts of $300K in the past few days thanks to credential stuffing, just as the 2022 FIFA World Cup starts up.

The popular online betting platform DraftKings has been targeted by credential-stuffing attacks — allowing cyberthieves to make off with around $300,000 in ill-gotten funds so far.  

One of its rivals, FanDuel, also said this week that it's seen an uptick in account takeover attempts against its customers.

Credential stuffing is a tactic where cybercrooks try to compromise accounts by using lists of username-and-password combinations gleaned from previous breaches, often purchased on the Dark Web. They bank — quite literally — on account holders reusing their email addresses and passwords across multiple accounts, so that a credential phished from, say, a Netflix user will work against higher-value targets like financial or online-gambling accounts.

Starting this weekend, reports on social media began cropping up from DraftKings users, complaining that they had been locked out of their accounts and their funds drained. The company soon confirmed the activity.

"DraftKings is aware that some customers are experiencing irregular activity with their accounts," Paul Liberman, DraftKings' co-founder and president for global technology and product, said in a media statement on Monday. "We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information."

While the number of accounts affected is unknown, the company said that about $300,000 in funds have been drained so far, and that it intends to "make whole any customer that was impacted."

**Cybercriminals Eye World Cup & More**

The increased activity could be due to the confluence of the NHL and NBA seasons starting, and the NFL season entering the make it-or-break-it phase before the playoffs — and, of course, the 2022 FIFA World Cup kicking off over the weekend.

"Online gambling sites are attractive targets due to the large amounts of money that are wagered on a daily basis," Chris Hauk, consumer privacy champion at Pixel Privacy, tells Dark Reading. "Many customers let their winnings ride (don't cash in when they win) so they have balances they can wager for the next game, match, or other sporting event. This is particularly true now, as the World Cup is now being conducted in Qatar, as soccer matches are attractive to bettors."

And indeed, DraftKings is not alone in seeing an uptick in attacks; one of its main competitors, FanDuel, told CNBC that it has also seen increased account targeting (though no confirmed compromises so far). Yet amid the increased cybercriminal interest, the success of the DraftKings attackers points out an ongoing issue with user awareness, according to James McQuiggan, security awareness advocate at KnowBe4.

"As many data breaches and attacks have occurred, people still don't realize the implications of having their bank accounts attached to their gambling accounts. If not protected adequately, they can be subject to theft," he says. "Most of the time, people don't think it will happen to them and lack the awareness of the various attacks and lengths that cybercriminals will go to steal their money or identity."

The stakes are high for online gambling businesses too. "DraftKings and other online betting sites could see their reputations suffer if they are targeted by attacks like this," Hauk says. "Bettors may lose their faith in the sites as to whether they are secure and can keep their bettors' balances safe from being drained by bad actors."

**More Robust Multifactor Authentication Is Needed**

DraftKings, like most online account providers, offers two-factor authentication for users as an option. But it's not required.

"DraftKings does not force users to enable two-factor authentication on their accounts," explains Paul Bischoff, privacy advocate at Comparitech. "The only exception is Connecticut, which requires DraftKings to force-enable two-factor authentication for all accounts geolocated there. I think this is a mistake given how much money is at stake. Hacking accounts with 2FA enabled would require a further attack to acquire the one-time codes, which makes them far less vulnerable."

Given what's at stake for the business and its customers, Hauk notes that putting more robust protection options in place for users should be an imperative, starting with requiring, at the very least, 2FA that relies on one-time passwords sent via text or email.

KnowBe4's McQuiggan notes that there are also mechanisms for encouraging better user choices.

"Companies' approaches should also \[include the ability to\] cross-reference passwords against known passwords involved in breaches," he explains. "If the users are using simple and breached passwords, they should request that the users reset their passwords to unique and secure passwords."

That said, while these measures could remove some low-hanging fruit, simple 2FA can of course be subverted without too much effort. Thus, researchers note that the proper way to secure accounts would be with FIDO2-approved authentication methods, using non-phishable MFA. But unfortunately, we're not likely to see that implementation anytime soon, given that it's often difficult for these types of companies to adequately balance the user experience with security.

"Much of it comes down to risk-based assessments of the risk of an attack versus the costs to implement more robust MFA applications or features," McQuiggan says. "The gambling sites also want to make it simple for people to log into the platform; if it's too complex, the users will go elsewhere to play. Most users nowadays are familiar with the SMS code, and while it's one of the weaker MFA methods, it's easier for the users to complete account access."

DraftKings Account Takeovers Frame Sports-Betting Cybersecurity Dilemma

To get the full picture, companies need to look into the cybersecurity history and practices of the business they're acquiring.

Imagine getting ready to spend billions of dollars on an acquisition, only to find out that the target of the acquisition was the victim of multiple cyberattacks affecting billions of accounts. One would think such a scenario would be a huge red flag that no corporate board or general counsel would ever forget, regardless of the size of the acquisition, but that clarion call does not seem to be heard universally.

That's what happened around the 2017 revelation of the massive breach of Yahoo uncovered by its sale to Verizon, and it cost the search engine company a $400 million hit to its purchase price. Apparently, however, cybersecurity and related technological components are still relatively low on the essential due diligence checklist.

The right time to start evaluating the cybersecurity risk profile of an acquisition target, experts agree, is early on in the due diligence process. Too often due diligence is limited to balance sheets, sales operations, and outstanding legal obligations, with cybersecurity, compliance, and technical compatibility of security tools left to the end of the discussion, if they are discussed at all.

"The value of pre-sign due diligence is to make sure that companies are assessing all the relevant risks before they sign on the dotted line," says John Hauser, principal and cyber due diligence leader at Ernst & Young, as well as a former FBI special agent and a former assistant United States Attorney. "Cyber can be a major factor in deciding whether or not a client decides to walk away" from a merger or acquisition.

Early cyber due diligence allows a potential suitor to "negotiate better terms through the purchase price reductions, or indemnities, or other contractual provisions," he adds.

In conjunction with the traditional business due diligence, companies are turning to threat intelligence experts to evaluate the prospective target's risk profile, looking for evidence that the company might have been breached with data for sale on the Dark Web or perhaps has weak controls on other internal operations. Using open source intelligence (OSINT), he said, investigators often can find evidence of a breach, such as indicators of leaked credentials, communications between the target company infrastructure and any known malware families and command and control servers, or other insights.

Other significant intelligence can be gleaned by asking the target company to provide data such as attestations made to a cyber insurance provider, source code, penetration test results, and past compliance reports. 

"You're starting to see more technical verification, moving into the pre-sign phase," Hauser says.

**Assessing Vulnerabilities**

Cyber criminals often watch mergers and acquisitions activity, looking for a potentially weak target being acquired by a stronger company, especially one that might have a lot of valuable information for the cybercrooks, notes Heather Clauson Haughian, founder and managing partner at the Atlanta-based law firm Culhane Meadows. Once the acquisition goes through, it would not be uncommon for the target firm to get attacked with the hopes of breaching a weak link and thus accessing the more lucrative part of the merged companies.

Another vulnerability occurs when organizations with differing compliance requirements join, Haughian says. While the acquiring organization might be well versed in its own compliance reporting requirements, it might not have the same expertise with the company it acquires.

If the acquiring company does not employ compliance experts for the acquired company's operations, there could be a gap in compliance reporting, along with missed opportunities to layer security controls over the acquired company, leaving it vulnerable to a cyberattack, she says.

In such cases, using a third-party advisory service is recommended, says Shay Colson, managing partner of cyber diligence at Bellingham, Washington-based firm Coastal Cyber Risk Advisors. A company executing a bolt-on, add-on, or tuck-in acquisition can have its third-party adviser evaluate the target's security posture, including what its program looks like, strengths and weaknesses, and existing security tool sets. 

"Then you can get views on the targets that are both objective to the target and deal with this integration challenge," he says.

**Taking Responsibility**

Ultimately, general counsels need to come up to speed as quickly as possible on cyber risk and cybersecurity. "They are going to be the ones who own cyber risk at their enterprise because if there's an incident, they're calling outside counsel, they're coordinating forensics, and they're looking at regulatory response obligations," Colson says.

"I think the more proactive \[general counsels\] are, \[they are\] going to realize that cyber risk is a place where they can actually drive value to the business and enable things," he adds. "It's just a matter of time before more and more GCs get on board with that."

EY's Hauser said that SEC Chairman Gary Gensler's recent proposed rules for public companies and other financial services organizations could help boards of directors to navigate through the cybersecurity due diligence challenges.

There is a consensus that there is a growing risk of cybercrimes and that boards need to pay greater attention to it, he said. Courts and regulators are making it explicitly clear that failing to do proper cyber due diligence makes it easier for a future plaintiff to accuse a board member of negligence. That, combined with Gensler's proposed rules that put more personal responsibility on C-suites and board members, and you have the perfect storm for cybersecurity experts to take a more active role in board-level decisions, he notes.

Source

DARKReading