Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.

Growth in the number of new accounts looks great, but if fake accounts get in that mix, they are not providing the value you (and your investors) need. If you are a social media platform striving for growth, fake accounts may seem like the answer to your prayers — something you can show investors to demonstrate your reach. And to the end user, all those accounts that listen to music online or follow us on social media seem great. But the reality is that fake accounts are harmful, even before the truth comes to light.

It's especially damaging when bots use real human data, stolen and sold on the Dark Web, to create these fake accounts. And when they are exposed to sunlight, as the situation with Elon Musk's stalled acquisition of Twitter has shown, the effects can be unexpected and rampant, quickly taking on a life of their own.

We're going to look at what fake accounts mean, why they exist, and what you can do to combat this pernicious adversary.

**Enter the Billionaire**

Love him or hate him, you cannot deny the impact Musk has made on the tech industry. But second-guessing his motives and actions is very much like my dog trying to work out the significance of my sitting at my desk drumming my fingers on the keyboard all day.

When I spoke with Tamer Hassan, co-founder and CEO of Human Security, I asked him what he believes is the core challenge facing any investor looking at Twitter. 

"It's really all about the question, 'What would you do if you could look like a million humans?' The answer is a lot," he said. "Cybercriminals have proliferated sophisticated bots and spam accounts across social media platforms with limited accountability, and the combined result is diminished trust in the brand, a negative user experience, and a negative impact on the company's valuation and bottom line."

**Twitter & the Tragedy of the Digital Commons**

Twitter is an increasingly rare Internet resource. It is a common platform connecting humans all over the world and, with some rare exceptions, does not inhibit or censor free expression. As with most common goods, it is subject to overuse; the phrase "tragedy of the commons" originated to describe people overusing grassy common land to graze their livestock. As anyone who has dipped a toe into the Twitter stream knows, the slew of tweets is overwhelming and impossible to keep up with. This is made worse because, along with all of the humans desperate to air their opinions, points of view, and excitable investment plans, there are The Bots.

Bots are part of much of our life nowadays. Those of us using Office365 are familiar with the coy daily email saying, _"__Hey, we aren't analyzing what you do or the content of your inbox_, _but here's some stuff to be aware of_,_"_ and of course, on Twitter there are beneficial bots and harmful bots. Many bots watch for tweets that seem to relate to a particular subject (for example, #cybersecurity), and then amplify those tweets to their audiences. And of course, many will try and game these amplifiers, sometimes using bots of their own. And so the overgrazing continues.

**No One Should Pay for False Volume, Even Billionaires**

The primary incoming revenue stream for social platforms is advertising, which is driven by how many interested eyes can be shown targeted ads that are likely to lead to conversion. It therefore follows that the value of any social platform lies in the number of active users, whether it be a general-purpose networking platform such as Twitter, a narrow-purpose use case such as music, or even accommodation rentals (inactive users are just sludge at the bottom of the well). Bots, while they may generate activity, defraud advertisers by artificially inflating the user count.

Musk is understandably squeamish about paying for accounts that have zero (or even negative) lifetime value. When I asked about what a company can do about bots, Hassan commented, "Having the right protections in place, including transparency and regulation around the use of automation, to ensure they have a genuine view of human users on their platform can help brands establish greater credibility while also stopping cybercriminals from impacting their business."

Musk very publicly tried to withdraw from the Twitter acquisition, which has generated continuing legal ramifications. If we take his statements at face value, then the clear message is that bots and other fake accounts are bad business. Considering the ways that future Twitter (or any social media platform) could make money, being a trustworthy source of curated identity that doctors, banks, governments, and any other interested party (including peer-to-peer) can rely on would be a significant advantage.

**Here's Mudge in Your Eye**

One of Musk's stated concerns about the Twitter acquisition is that he has no certainty about how many of the platform's 396.5 million accounts are human. To add fuel to Twitter's bonfire of the vanities, its former CISO, Peiter "Mudge" Zatko, has blown the whistle on poor operational security controls, nonexistent software governance, and (you guessed it) inadequate user enrollment verification. In other words, no one knows how many users are bots, and what vulnerabilities exist in the platform that can be exploited by unfriendly groups — some of which are backed by nation-states.

As a former Facebook security engineer pointed out to me, "Mudge has a decades-long reputation of being highly ethical and one of the most respected practitioners in the cybersecurity community." When I asked whether they believed Mudge's claims about foreign intelligence infiltration, the response was, "I believe enough of it not to care about the rest."

Robert Graham takes a different view in his Cybersect blog, which contrasts the focus of a cybersecurity activist with that of a corporate executive. An executive's primary objective is to further the interest of the company and its shareholders, he wrote, which does not correlate with the ideals of many cybersecurity activists. In his view, Mudge has allowed his passion for cybersecurity excellence to overwhelm his responsibilities as an executive.

**Identity as a Commodity**

Identity is the cornerstone of cybersecurity. When an identity is successfully compromised, all of the other security controls will fold up and get out of the attacker's way. The opportunity for Twitter to provide an identity service based on its user base is a significant one.

It is clear, however, that if we cannot trust that the identities being asserted and corroborated by Twitter are genuine, then Twitter's usefulness in this area will always be limited. Twitter asserts that the cost of validating every account (and giving us all a little blue tick) is prohibitive, however, as the lifetime value of each Twitter account is very low.

I'm sure that Twitter is well aware of its security gaps. Indeed, a good use for some of Musk's proposed investment, if the company can still get it, would be to clean up the town square and correct the tragedy of the digital commons that we discussed earlier.

This is why identity is important, in particular being able to prove that a specific account is being operated by a human. If we manage to turn Twitter into a place where free speech is valued precisely _because_ the speakers are identified as human, then its value — to investors, the Twitter team, and most importantly, its users — will skyrocket.

Fake Accounts Are Not Your Friends!

The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business can’t avoid to pay, make sure you’ve got a strong data loss prevention practice in place.

$4.35 million. That's the average total cost of a data-exposing cybersecurity incident, according to the Ponemon Institute's "Cost of a Data Breach Report 2022." That's an all-time high, up 12.7% from 2020.

Between the potential loss of trade secrets, reputational harm, and regulatory fines related to data privacy, data breaches can threaten an organization's very existence. And if you don't take proactive measures to prevent them, the circumstances that led to one breach can easily result in another. Eighty-three percent of breached organizations report having suffered more than one such event.

Data loss prevention, or DLP, refers to a category of cybersecurity solutions that are specifically **designed to detect and prevent data breaches, leaks, and destruction**. These solutions do so by applying a combination of data flow controls and content analysis. And in today's cyber-threat landscape, DLP has become a basic business need.

**The Three States of Data and How DLP Protects Them**

There are **three main states** in which data can reside within an organization:

*   **Data in use**:**** Data is considered to be _in use_ when it's being accessed or transferred, either via local channels (e.g., peripherals and removable storage) or applications on the endpoint. An example could be files that are being transferred from a computer to an USB drive.
*   **Data in motion**:**** Data is considered to be _in motion_ when it's moving between computer systems. For example, data that is being transferred from local file storage to cloud storage, or from one endpoint computer to another via instant messenger or email.
*   **Data at rest**:**** Data is considered to be _at_ rest when it's stored, either locally or elsewhere on the network, and is not currently being accessed or transferred.

Of course, most sensitive data will change between these states frequently — in some cases, almost continuously — though there are use cases where data may remain in a single state for its entire life cycle at an endpoint.

Similarly, there are three primary "functional" DLP types, each dedicated to protecting one of these states of data. Here are just some examples of how this can work:

*   **Data-in-use DLP** systems may monitor and flag unauthorized interactions with sensitive data, such as attempts to print it, copy/paste to other locations, or capture screenshots.
*   **Data-in-motion DLP** detects whether an attempt is being made to transfer (confidential) data outside of the organization. Depending on your organization's needs, this can include _potentially_ unsafe destinations, such as USB drives or cloud-based applications.
*   **Data-at-rest DLP** enables a holistic view of the location of sensitive data on a local endpoint or network. This data can then be deleted (if it's out of place), or certain users' access to it blocked depending on your security policies.

Not all potential sources of a data breach are nefarious — they're often the result of good old-fashioned human error. Still, the impact is just as real whether sensitive information is intentionally stolen or simply misplaced.

**DLP Architecture Types**

DLP solutions can be categorized based on their architectural design:

*   **Endpoint DLP** solutions use endpoint-based DLP agents to prevent data in use, data in motion, and data at rest from leaking — regardless of whether they're used solely within a corporate network or exposed to the Internet.
*   **Network/cloud DLP** solutions use only network-resident components — such as hardware/virtual gateways — to protect data in motion or at rest.
*   **Hybrid DLP** solutions utilize both network- and endpoint-based DLP components to perform the functionality of both endpoint and network DLP architectures.

It's important to note that due to the nature of their architecture, network DLP solutions cannot effectively safeguard data in use: It remains vulnerable to purely local activities, like unauthorized printing and screen capturing.

**Adopting DLP Is More Important Than Ever**

The benefits of a strong DLP program are clear. By taking proactive steps to slash the risk of data loss and leakage, organizations can achieve some powerful benefits:

*   More easily achieving and maintaining compliance with relevant data privacy regulations, such as the GDPR and HIPAA
*   Protecting intellectual property and trade secrets
*   Strengthening security in an era of widespread remote work and BYOD policies
*   Minimizing the potential impact of human error and negligence

Larger enterprises may choose to adopt on-premises DLP solutions — and for some, this may be the right choice. But setting up a successful DLP program is complex and resource-intensive, and it requires fine-tuning over an extended period of time. Businesses will also need to bring aboard specialized experts with relevant experience. Those without such a team already in place will likely find it more efficient to work with a managed service provider (MSP) for their DLP needs.

In turn, MSPs are turning to partners to help them build out these Advanced DLP offerings to help prevent data leakage from clients' workloads.

Whether you manage your DLP in-house or turn to a vendor to help, it is a critical part of a modern, and future, security stack.

**About the Author**

    

Iliyan Gerov is a Senior Product Marketing Specialist at Acronis.

Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity. 

Of the 20 total security fixes included, 16 were found by external researchers through Google's bug bounty program. A blog post from Google Chrome's Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:

*   CVE-2022-3304: Use after free in CSS. _Reported by Anonymous on 2022-09-01_
*   CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. _Reported by NDevTK on 2022-07-09_
*   CVE-2022-3305: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24_
*   CVE-2022-3306: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27_
*   CVE-2022-3307: Use after free in Media. _Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08_

The biggest external researcher payout for far a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000, the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as "$TBD." 

As usual, Google did not list any technical details of the bugs. 

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," Sista wrote. "As usual, our ongoing internal security work was responsible for a wide range of fixes." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Quashes 5 High-Severity Bugs With Chrome 106 Update

Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.

A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere.

The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy according to the security vendor is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze. 

The PowerShell-based malware stager used in the attacks have "featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code," Securonix said in a report this week.

**Uncommon Malware Capabilities**

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) fie with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities which include monitoring a long list of processes that could be uses to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix's Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: "Some obfuscation techniques, such as using PowerShell get-alias to perform \[the invoke-expression cmdlet\] are very rarely seen."

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

"Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools," the spokesperson says. "Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats."

**A Growing Cyber Threat**

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

**Defense Contractors: A Vulnerable Segment**

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Security Sockets Layer/Transport Layer Security. 

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data. Under the DoD's Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices — and get certified as having them — to be able to sell to government. The bad news? The rollout of the program has been delayed.

Sophisticated Covert Cyberattack Campaign Targets Military Contractors

The company's website remains offline after hackers used its compromised CMS to send out racist messages.

Fast Company, the business-news publication, has taken its website offline after cyberattackers compromised its content management system (CMS). They used the access to send out two obscene and racist push notifications to its Apple News subscribers.

The incident follows a similar defacement attack on the FastCompany.com homepage on Sunday, where the attackers posted similar language. The outlet replaced its website with a statement overnight on Tuesday, which remains in place at press time.

"The messages are vile and are not in line with the content and ethos of Fast Company," the company said in the notice. "Fast Company regrets that such abhorrent language appeared on our platforms and in Apple News, and we apologize to anyone who saw it before it was taken down."

The company is investigating the situation and working to clean the site, it said. While no details of the attack are yet available, James McQuiggan, security awareness advocate at KnowBe4, noted that the goal was clearly brand assassination, perhaps with a side of flexing.

"While cybercriminals always go for the money, from time to time, they like to demonstrate their boldness by showing they have access to sensitive or publicly viewable systems by posting something outside of the normal scope of information shared," he said in an emailed statement.

**Highlighting the Need for Better Security**

Christopher Budd, senior manager of threat research at Sophos, tells Dark Reading that this is just latest example of an attack against PR and news infrastructure to deliver false information, with another recent example being a fake press release claiming Walmart was to begin accepting bitcoin.

The attack "highlights the fragility of PR and news infrastructure, and showcases how attacks like these could potentially be carried out for more malicious purposes that result in more dire consequences," he says. "Ultimately, this attack shows how news channels form a critical information infrastructure, and that this infrastructure should be secured in ways that match its criticality."

On a broader level, Jason Kent, hacker in residence at Cequence Security, suspects a credential-stuffing attack could be in play, indicating that the "credentials weren't terribly sophisticated and not backed up by multifactor auth or VPN requirements," he says.

"Credential-stuffing attacks are some of the most pervasive attacks we see on a daily basis," he adds. "Attackers attempt to guess passwords for valid accounts, and if they are successful the attacker will utilize the full permission of those credentials. Privileged access should be closely monitored as once the attacker has those, they will perform all manner of havoc."

Fast Company CMS Hack Raises Security Questions

Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.

Threats against cloud-native infrastructure are on the rise, particularly as attackers target cloud and container resources to power their illicit cryptomining operations. In the latest twist, cybercriminals are wreaking havoc on cloud resources to both propagate and run cryptojacking enterprises in costly schemes that cost victims some $50 in cloud resources for every $1 worth of cryptocurrency that the crooks mine off of these compute reserves.

That's according to a new report out today from Sysdig, which shows that while the bad guys will indiscriminately attack any weak cloud or container resources they can get their hands on to power money-making cryptomining schemes, they're also cleverly strategic about it. 

In fact, many of the most crafty software supply chain attacks are in large part designed to spawn cryptominers via infected container images. Attackers not only leverage source code dependencies most commonly thought of in offensive supply chain attacks — they also leverage malicious container images as an effective attack vehicle, according to Sysdig's "2022 Cloud-Native Threat Report." 

Cybercriminals are taking advantage of the trend within the development community to share code and open source projects via premade container images via container registries like Docker Hub. Container images have all the required software installed and configured in an easy-to-deploy workload. While that's a serious time saver for developers, it also opens up a path for attackers to create images that have malicious payloads built in and then to seed platforms like DockerHub with their malicious wares. All it takes is for a developer to run a Docker pull request from the platform to get that malicious image running. What's more, the Docker Hub download and installation is opaque, making it even harder to spot the potential for trouble.

"It’s clear that container images have become a real attack vector, rather than a theoretical risk," the report explained, for which the Sysdig Threat Research Team (TRT) went through a monthslong process of sifting through public container images uploaded by users worldwide onto DockerHub to find malicious instances. "The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads."

The team's hunt surfaced more than 1,600 malicious images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software. Cryptominers were far and away the most prevalent, making up 36% of the samples.

"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" says Stefano Chierici, senior security researcher at Sysdig and co-author of the report. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."

**TeamTNT and Chimera**

As a part of the report, Chierici and his colleagues also did a deep-dive technical analysis of the tactics, techniques, and procedures (TTPs) of the TeamTNT threat group. Active since 2019, the group according to some sources has compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera. It's best known for cryptojacking worm activity and according to the report, TeamTNT continues to refine its scripts and its TTPs in 2022. For example, it now connects scripts with the AWS Cloud Metadata service to leverage credentials associated with an EC2 instance and gain access to other resources tied to a compromised instance.

"If there are excessive permissions associated with these credentials, the attacker could gain even more access. Sysdig TRT believes that TeamTNT would want to leverage these credentials, if capable, to create more EC2 instances so it could increase its cryptomining capabilities and profits," the report said.

As part of its analysis, the team dug into a a number of XMR wallets used by TeamTNT during mining campaigns to figure out the financial impact of cryptojacking. 

Utilizing technical analysis of the threat group's operational practices during the Chimera operation, Sysdig was able to find that the adversary cost its victims $11,000 on a single AWS EC2 instance for every XMR it mined. The wallets the team recovered amounted some 40 XMR, meaning that the attackers drove up a cloud bill of nearly $430,000 to mine those coins. 

Using coin valuation from earlier this year, the report estimated the value of those coins equals about $8,100, with back-of-envelope figuring then showing that for every dollar the bad guys make, they cost victims at least $53 in cloud bills alone.

Container Supply Chain Attacks Cash In on Cryptojacking

The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.

Companies that focus on trusting their developers, looking beyond blame, and striving for strong cooperation tend see greater adoption of measures that contribute to more secure software supply chains.

According to the annual 2022 Accelerate State of DevOps published on Sept. 28 by Google Cloud's DevOps Research and Assessment (DORA) team also found that DevOps teams that focused on good security practices had a lower rate of burnout, with low-security teams having 1.4 times greater odds of voicing high levels of stress.

While technical infrastructure did help, the survey shows that starting with, or developing, the right culture is extremely important.

For instance, the DORA survey at the heart of the report measured DevOps teams' adherence to 13 different aspects measured by the Supply-chain Levels for Software Artifacts (SLSA) security framework, which calls for building product releases using centralized continuous integration/continuous development (CI/CD) systems, storing change histories indefinitely, defining software builds through scripts, and isolating the build process. And even though the majority of companies had completely or moderately implemented all of the 13 practices, those that had more collaborative and less blame-oriented cultures did better, the DORA survey found.

"More open, generative cultures ... tend to have positive effects for organizational performance as well as for the people who work there," says Todd Kulesza, one of the authors of the report and a senior user-experience (UX) researcher at Google Cloud. "What we want to see is — if there is a security problem — we want the engineers to feel empowered and safe to bring attention to that. You don't want your developers to sweep things under the rug, especially in terms of the security."

The survey unfortunately found that there's work to do on the collaborative front: Many software developers feel there is a gulf between programmers and application-security teams.

"High-friction approaches to security can be frustrating for developers and ineffective overall, as people try to avoid the friction points," the report stated. "The developers we spoke with wanted to do the right thing, and often discussed frustration that shipping features or fixes consistently took priority over potential security issues."

**Supply Chain Security: Critical Barometer for DevOps Performance**

In its eighth year, the DevOps Research and Assessment (DORA) team's annual report has strived to identify best practices among teams that use the DevOps approach to software development. In 2021, the DORA group found that software supply chain security had become a critical component of high-performing DevOps organizations, so this year, the researchers focused on determining what led to successful outcomes on that front.

    

Most DevOps teams have adopted SLSA practices. Source: Google Cloud's 2022 DORA report.

In the survey, Google focused on adoption of security practices that are part of supply chains.

In addition to DevOps teams' adherence to the SLSA framework, the survey asked developers the degree to which they comply with dozens of security practices that form the Secure Software Development Framework (SSDF) created by the US National Institute of Standards and Technology (NIST).

Organizations that had highly cooperative teams that shared risks and responsibilities, and prioritized learning over blame — so-called "generative" cultures — were more likely to adopt more than two dozen of those security practices, the survey of DevOps practitioners found.

"A lot of these practices — I'm not going to say that they are 100% established across organizations — but a lot of these practices have 50% or more of practitioners reporting that it is established or very well established," says John Speed Meyers, a co-author of the report and a security data scientist at software supply chain security firm Chainguard. "There is a lot of room for improvement, but these things are not so hard that no one is doing it."

The survey also measured developer burnout, based on how highly they rated their agreement with statements such as "my feelings about work negatively affect my life outside of work" and "I am indifferent or cynical about my work." Teams that did not focus on security were 40% more likely to agree or strongly agree with these statements.

In addition, teams that had the worst change failure rates and took the longest to deploy — anywhere from once a month to once every six months — also had high rates of burnout.

Google Cloud DORA: Securing the Supply Chain Begins With Culture

Shocking phishing numbers (more than 1 million in a single quarter) are being driven by vishing, smishing, and other lures that target mobile devices.

Last quarter saw a record-shattering number of observed phishing attacks, fueled in large part by attempts to target users on their mobile devices. 

The latest Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report" for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history. 

The financial sector remained the top target for phishing lures (27.6%), along with other bombarded sectors, including webmail and software-as-a-service providers, social media sites, and cryptocurrency. 

But much of the rise in phishing volume is due to a new threat actor focus on mobile devices, specifically vishing (voice phishing) and smishing (SMS phishing) attacks, the report noted. 

"We're seeing a huge increase in mobile phone-based fraud, with smishing and vishing collectively seeing a nearly 70% increase in volume as compared to Q1 totals," Matthew Harris, senior product manager of fraud at Opsec said in reaction to the APWG findings. "We are still seeing fraud coming in via the typical OTT apps (WhatsApp, WeChat, Facebook Messenger, etc.), but the SMS-based fraud is really the kicker here," 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Phishing Attacks Crushed Records Last Quarter, Driven by Mobile

With provisional agreement reached on the Digital Operational Resilience Act, the clock is now ticking for banks and information and communications technology (ICT) services companies with European operations. Here's what you need to know.

On May 11, 2022, the European Union (EU) reached provisional agreement on the new Digital Operational Resilience Act (DORA). Despite the phrasing, there's nothing "provisional" about DORA. In fact, one of the world's most far-reaching cybersecurity regulations for financial services and their supply chains is mostly a done deal.

All that remains prior to formal adoption, expected sometime this October, primarily involves a handful of technical changes and translation into the 24 official languages of the EU's member states.

DORA represents the EU's response to the ever-increasing number of cyberattacks against financial institutions. It's designed to strengthen the security of EU financial firms, such as banks, insurance companies, investment firms, and more, by imposing resilience requirements and regulating the supply chain. But, as I noted in an earlier post, the tenets of DORA extend far beyond the EU and its financial sector.

DORA's uniform requirements for the security of network and information systems encompass not only enterprises in the financial sector but also critical third-party vendors providing information and communications technology–related services to the financial sector, such as cloud platforms and data analytics.

Indeed, DORA's reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether or not that enterprise or service is based inside the EU. In fact, under DORA, the complexity of the supply chain or the lack of EU presence are both considered risk factors.

**Mandating New Regulatory Perspectives**

DORA is unique in that it brings a new and different level of regulatory scrutiny to a wide variety of global enterprises. DORA's requirements _mandate_ — not merely suggest — compliance with its provisions. Just as important, the impact of this new level of regulatory scrutiny differs depending on the point of view of the enterprise.

Financial institutions accustomed to a regulatory environment primarily designed to assess financial risk and stability will now have to take the potential risk posed by their ICT operations just as seriously. Financial institutions are accustomed to address risk in the form of capital requirements. DORA takes a different approach by mandating specific behavior and performance-based requirements. From the point of view of financial institutions, that elevation of risk has consequences across multiple aspects of their business, such as how they consume technology and how they transform their business by transitioning to new technologies like cloud computing. This includes overall risk management strategies and capabilities, supply chain security, and organizational staffing and policies for ensuring proper ICT risk assessment and compliance.

DORA also changes the regulatory perspective of ICT organizations. Up to now, they've been regulated primarily on data-related issues, such as data privacy, and data breach notification, based on concerns about personal data and political objectives like digital sovereignty. Groundbreaking rules, such as the General Data Protection Regulation (GDPR) in Europe, and the more recent California Consumer Privacy Act (CCPA) in the United States, come to mind.

ICT organizations might also have other regulatory obligations on security, or have been classified as critical infrastructure, depending on where they are located, such as under the Network and Information Security Directive (NIS) in Europe, the Cybersecurity Act 2018 in Singapore, or sector-specific legislation for specialized industries, such as telecoms in the United States.

Now, if ICT companies are servicing financial institutions in the EU, they most likely will be subject to DORA as well. So, in addition to their prior regulatory frameworks, those ICT providers designated as offering a critical service will suddenly be regulated under DORA in a way that very much feels as if they are becoming _extensions_ of the EU financial institutions they're servicing. Regardless of how one looks at it, that's a dramatic change — for both financial institutions and ICT providers.

But that's not all. DORA changes the perspective for the EU's regulatory establishment. Regulators who are experts on financial institution compliance must now extend their scope to include ICT providers offering critical services, such as cloud providers, data analytics services, and other non-financial businesses. In countries with complex regulatory structures, there will also be the need to cooperate with other bodies tasked with regulating these additional types of non-financial industries.

**Meeting the Challenges**

DORA requires EU financial institutions to assess their own cybersecurity and risk management maturity. Understanding and managing their supply chain risk performance will be central to this effort.

In general, financial institutions are adept at stress tests for determining security and financial stability. It's a different challenge to extend those kinds of tests to other organizations. So, for the EU's financial sector, how to manage vendors, risk management, and operational capabilities in an ever more complex and extended supply chain poses the biggest puzzle.

For example, a financial institution might be headquartered in Europe but have all its support activities outsourced to businesses based in India. These support services may not technically be financial institutions. But DORA will require the financial institution to assess if the vendor is critical to its operations and apply the relevant DORA requirements to that relationship.

For enterprises not based in the EU, the key question is one of jurisdiction and market access. Financial institutions or ICT providers operating outside the EU are not affected. But if the enterprise is a financial institution or ICT service provider servicing the EU finance sector in any way, it will most likely be subject to DORA — directly or indirectly.

**Countdown to 2024**

Unless something changes in the final text, DORA goes into effect 24 months after its official adoption. Realistically, that is likely to be somewhere near the close of 2024. The good news is that this provides plenty of time for organizations to prepare for compliance. Most importantly, it is not too long for inclusion in a typical enterprise budget cycle.

But before that deadline sneaks up on you, start preparing _now_. Here are five key steps:

*   Use the time until 2024 wisely.
*   Understand where you are. Search, find, and identify your compliance gaps.
*   Determine what you need to remediate your gaps.
*   Educate and get buy-in from senior management.
*   Budget for the 24 months.

The clock is ticking.

The Countdown to DORA

The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

The powerful Chaos malware has evolved yet again, morphing into a new Go-based, multiplatform threat that bears no resemblance to its previous ransomware iteration. It's now targeting known security vulnerabilities to launch distributed denial-of-service (DDoS) attacks and perform cryptomining.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently observed a version of Chaos written in Chinese, leveraging China-based infrastructure, and exhibiting behavior far different than the last activity seen by the ransomware-builder of the same name, they said in a blog post published Sept. 28.

Indeed, the distinctions between earlier variants of Chaos and the 100 distinct and recent Chaos clusters that researchers observed are so different that they say it poses a brand-new threat. In fact, researchers believe the latest variant is actually the evolution of the DDoS botnet Kaiji and perhaps "distinct from the Chaos ransomware builder" previously seen in the wild, they said.

Kaiji, discovered in 2020, originally targeted Linux-based AMD and i386 servers by leveraging SSH brute-forcing to infect new bots and then launch DDoS attacks. Chaos has evolved Kaiji's original capabilities to include modules for new architectures — including Windows — as well as adding new propagation modules through CVE exploitation and SSH key harvesting, the researchers said.

**Recent Chaos Activity**

In recent activity, Chaos successfully compromised a GitLab server and unfurled a flurry of DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries, along with DDoS-as-a-service providers and a cryptocurrency exchange.

Chaos is now targeting not only enterprise and large organizations but also "devices and systems that aren't routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS," the researchers said.

And while the last time Chaos was spotted in the wild it was acting more as typical ransomware that entered networks with the purpose of encrypting files, the actors behind the latest variant have very different motives in mind, the researchers said.

Its cross-platform and device functionality as well as the stealth profile of the network infrastructure behind the latest Chaos activity appears to demonstrate that the aim of the campaign is to cultivate a network of infected devices to leverage for initial access, DDoS attacks, and cryptomining, according to the researchers.

**Key Differences, and One Similarity**

While previous samples of Chaos were written in .NET, the latest malware is written in Go, which is rapidly becoming a language of choice for threat actors due to its cross-platform flexibility, low antivirus detection rates, and difficulty to reverse-engineer, the researchers said.

And indeed, one of the reasons that the latest version of Chaos is so powerful is because it operates across multiple platforms, including not only Windows and Linux operating systems but also ARM, Intel (i386), MIPS, and PowerPC, they said.

It also propagates in a far different way than previous versions of the malware. While researchers were unable to ascertain its initial access vector, once it takes hold of a system, the latest Chaos variants exploit known vulnerabilities in a way that shows the ability to pivot quickly, the researchers noted.

"Among the samples we analyzed were reported CVEs for Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, both of which leveraged unauthenticated remote command line injection vulnerabilities," they observed in their post. "However, the CVE file appears trivial for the actor to update, and we assess it is highly likely the actor leverages other CVEs."

Chaos has indeed gone through numerous incarnations since it first emerged in June 2021 and this latest version is not likely to be its last, the researchers said. Its first iteration, Chaos Builder 1.0-3.0, purported to be a builder for a .NET version of the Ryuk ransomware, but the researchers soon noticed it bore little resemblance to Ryuk and was actually a wiper.

The malware evolved across several versions until version four of the Chaos builder that was released in late 2021 and got a boost when a threat group named Onyx created its own ransomware. This version quickly became the most common Chaos edition directly observed in the wild, encrypting some files but maintain overwritten and destroying most of the files in its path.

Earlier this year in May, the Chaos builder traded its wiper capabilities for encryption, surfacing with a rebranded binary dubbed Yashma that incorporated fully fledged ransomware capabilities.

While the most recent evolution of Chaos witnessed by Black Lotus Labs is far different, it does have one significant similarity with its predecessors — rapid growth that is unlikely to slow anytime soon, the researchers said.

The earliest certificate of the latest Chaos variant was generated on April 16; this is subsequently when researchers believe threat actors launched the new variant in the wild.

Since then, the number of Chaos self-signed certificates has shown "marked growth," more than doubling in May to 39 and then jumping to 93 for the month of August, the researchers said. As of Sept. 20, the current month has already surpassed the previous month's total with the generation of 94 Chaos certificates, they said.

**Mitigating Risk Across the Board**

Because Chaos is now attacking victims from the smallest home offices to the largest enterprises, researchers made specific recommendations for each type of target.

For those defending networks, they advised that network administrators stay on top of patch management for newly discovered vulnerabilities, as this is a principal way Chaos spreads.

"Use the IoCs outlined in this report to monitor for a Chaos infection, as well as connections to any suspicious infrastructure," the researchers recommended.

Consumers with small office and home office routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as leveraging properly configured and updated EDR solutions on hosts. These users also should regularly patch software by applying vendors' updates where applicable.

Remote workers — an attack surface that has significantly increased over the last two years of the pandemic — also are at risk, and should mitigate it by changing default passwords and disabling remote root access on machines that don't require it, the researchers recommended. Such workers also should store SSH keys securely and only on devices that require them.

For all businesses, Black Lotus Labs recommends considering the application of comprehensive secure access service edge (SASE) and DDoS mitigation protections to bolster their overall security postures and enable robust detection on network-based communications.

Source

DARKReading