Data scientists, who often choose open source packages without considering security, increasingly face concerns over the unvetted use of those components, new study shows.

Vulnerabilities in open source components — such as the widespread flaws revealed 10 months ago in Log4j 2.0 — have forced data scientists to reevaluate the open source code frequently used in analysis and the creation of machine learning models.

According to a report by Anaconda, a data-science platform firm, in the past year, 40% of surveyed data scientists, business analysts, and students have scaled back their use of open source components, while a third remained steady, and only 7% incorporated more open source code into their projects. The majority of those surveyed do not report to the information technology department (18%), but work within their own data science or research and development group (47%), according to Anaconda's "2022 State of Data Science" report, released last week.

While software developers and IT have already started vetting secure code, the concerns over the security in open source software is a relatively new trend for the data science world, says Peter Wang, co-founder and CEO of Anaconda.

"We see a tremendous portion of people who are at organizations where IT has created a very strict posture around open source and Python," he says. "These are not expert developers. ... They are data scientists and machine learning people who may not be very seasoned developers at all, using whatever they could download to do their analysis, and then they handed that over that to IT."

The security of open source components — and the software supply chain, in general — has become a primary consideration among software developers, businesses, and national governments over the past two years. In May, for example, the US National Institute of Standards and Technology (NIST) issued guidance for address software supply chain risks. In addition, a growing number of software vendors have joined with the Linux Foundation's Open Software Security Foundation (OpenSSF).

    

While many data science teams scan open source components for vulnerabilities, many create their own software instead. Source: Anaconda's "2022 State of Data Science" report.

Overall, the maturity of organizations' security efforts has improved. About half of firms have an open source security policy in place, which leads to better performance in measures of security readiness, according to the June survey. In addition, the efforts to control open source risk has jumped by 51% in the past 12 months, a study of security maturity stated on Sept. 21.

"\[W\]ith the attention placed on software supply chains, most enterprise organizations are taking a risk-based approach to application security," Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement announcing the study. "Such an approach recognizes that security isn't limited to the codebase; it includes the process of software development where security reviews and testing 'shift everywhere' to continuously improve security outcomes."

**Devs Expand Use of Open Source **

Software companies are not seeing any sort of decrease in open source usage, according to other data. Instead, development organizations are focusing on improving the security of open source software and using security as a primary guide in selecting components.

In the "2021 State of the Software Supply Chain" report, for example, Sonatype found that the top four open source ecosystems — the Maven Central Repository (Java), Node.js (JavaScript), the Python Package Index (Python), and the NuGet gallery (.NET) — housed 37 million open source projects and components, an increase of 20% year-over-year. The demand for those components is likewise increasing: More than 2.2 trillion components were downloaded, a 73% annual increase.

A self-reported move away from open source packages by the data science community is likely indicative of greater awareness of security issues and less about jettisoning open source components in development, says Tracy Miranda, head of open source at Chainguard.

While data science teams and development teams may have reacted differently to major security issues — such as Log4j 2.0 — companies have little recourse when moving away from one open source package than to adopt a different package whose maintainers have put a greater emphasis on security, she says.

"Companies leverage open source as a way to increase their velocity so if they are scaling back, what are they scaling back to? Writing code in-house? Using third-party versions packaged up?" Miranda says, adding that instead, "I do think we can expect to see companies be more discerning about the quality of the open source they use, especially related to security features."

**Data Scientists Are Playing Catch-up**

The disconnect between the two sides is likely due to the different audiences in the various surveys. Anaconda's survey focused on data science professionals, as can be seen from their respondent's choice of programming languages — 58% used Python and 42% used SQL, while only 26% used JavaScript. 

A better measure of software developer sentiments is StackOverflow's "2022 Developer Survey," which found that while 58% of 'people learning to code' use Python, only 44% of professional developers code in that language. On the other hand, 68% of professional developers use JavaScript, according to StackOverflow's survey.

In addition, while data science professional work at companies that overwhelmingly (87%) allow open-source software, about a quarter (26%) have minimal oversight by the IT department of their open source choices, the Anaconda report stated. In another 18% of companies, the IT department only specifies about half of the available open source components.

The maintainers of the most critical projects — of which there are hundreds, if not thousands — need to use secure dependencies, test their own code, and validate the trustworthiness of contributors. The maintainers should also publish a security scorecard — a Google-created initiative now managed by the Open Source Security Foundation (OpenSSF), which gives a security grade to a project based on nearly 20 different criteria.

While awareness is likely increasing, there is no quick solution, Miranda says.

"The reality is that the more secure options have not previously existed," she says. "Trimming unnecessary dependencies to reduce attack surface is sensible, but it's hard to do once the dependency tree has grown large."

Data Scientists Dial Back Use of Open Source Code Due to Security Worries

Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon.

Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry\-level attack is just over the horizon.

The WannaCry ransomware attack caught the world unaware in 2017, infecting hundreds of thousands of computers in 150 countries worldwide. And it could have been worse had a British security research group not discovered a kill switch that stopped it from spreading within hours of the attack. But its impact was substantial nevertheless, crippling systems, causing several car manufacturers to stop production, and even forcing some hospitals in the UK to turn away patients. Damage was estimated to be in the billions of dollars.

By heeding the lessons of that attack, enterprises can now work to avoid a "mobile WannaCry" before it hits, rather than dealing with the damage after the fact. A mobile-based attack of that scale is possible, and its impact could be far worse because of the ubiquity and utility of mobile phones, along with the fact that almost everyone's device is vulnerable. As a US House Intelligence Committee recently heard, mobile spyware has even infected the phones of US diplomats worldwide.

**Devices Hold the Keys to the Kingdom — and They're Everywhere**

In the five years since WannaCry's appearance, mobile devices have become even more critical targets than laptops or desktop PCs. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They hold passwords and email accounts, credit card and payment data, and biometric data often used in multifactor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data that can add to the risks if a device is compromised.

But as much as we depend on them, enterprises have not adequately addressed the mobile attack surface presented by these devices. Beyond changing the security mindset to include the mobile space, there are unique challenges that apply to mobile endpoints. Bring your own device (BYOD) is one of the biggest challenges to addressing an enterprise's mobile attack surface, due to the privacy needs and requirements regarding personally owned devices. Because of privacy concerns, standard products like mobile device management (MDM) are typically used only for corporate-managed devices and are often insufficient in detecting, reporting, and securing mobile devices against modern threats.

Mobile devices can present attackers with virtual keys to the kingdom if they are compromised and used to get past MFA. Email access is a prominent attack tool, but a mobile device also can provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, outside the scope and visibility of the security infrastructure, enterprises are putting their data and services at risk in the name of technological benefits like BYOD.

**Mobile Ransomware Would Have a Double Impact**

The risks of mobile ransomware essentially exist on two fronts.

*   **Mobile devices as a delivery mechanism for ransomware:** The compromising of a device, which can be accomplished with or without the owner's knowledge, could allow the sending of a ransomware-spreading email that appears to come from a trusted co-worker or source. Mobile devices can be used to spread traditional ransomware in ways that are very difficult to detect and stop.
*   **Actual mobile ransomware:** Early versions of mobile ransomware were somewhat faux ransomware, using overlays to take advantage of accessibility features. But Apple and Google effectively closed those holes, leading attackers toward actual mobile ransomware.

A mobile attack could lock not only an organization's data and systems, but a user's as well, threatening to wipe out their bank account, for instance, if a ransom is not paid. The attacker who took ownership of that device could leave its microphone and camera on at all times to bug corporate meetings.

The bottom line is mobile ransomware attacks could do everything WannaCry did, plus a lot more.

**The Time to Focus on Security Is Now**

A future large-scale and impactful ransomware attack against mobile is inevitable. Each year, we see mobile malware become more complex, with new features and capabilities introduced to impact the victim. These advancing malware techniques are only proofs of concepts for future attacks, laying the way for larger dangers to mobile endpoints. It is only a matter of time before malicious actors deliver complex mobile ransomware with a significant impact on users and enterprises.

Enterprises have not placed a high-enough priority on mobile security as devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether that takes the form of ransomware or something else, the time to focus on mobile security is now, before it's too late.

Don't Wait for a Mobile WannaCry

After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cybersecurity measures.

A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.

The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. 

The case (No. 22-cv-2145) was filed in the U.S. District Court for the Central District of Illinois on July 6. At the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.

This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing.

Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim, but it is hardly unique, said Scott Godes, a partner at Barnes & Thornburg LLP, a Washington, D.C.-based law firm. 

"I have seen this issue bubbling up over the last few years. From my perspective, insurance carriers have made this a hard market — raising premiums and lowering limits — and that has emboldened them to choose the nuclear option by rescinding coverage," Godes says.

Security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack, notes Sean O'Brien, visiting fellow at the Information Society Project at Yale Law School and the founder of Privacy Lab at Yale Law School.

"The insurance industry is likely to become more and more persnickety as cybersecurity claims rise, defending their bottom line and avoiding reimbursement wherever possible," O'Brien says. "This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organization's interests after the dust settles from a cyberattack."

That said, organizations should not expect a payout for poor cybersecurity policies and practices, he notes.

While the Travelers case was specifically about the single MFA security control, insurance companies might modify their underwriters' reliance on self-attestation without some type of third-party verification on other security controls going forward, notes Jess Burn, a senior analyst at Forrester Research.

"The lawsuits and the rescinding of coverage, the calling out of the insured and the policyholders on little fibs that they told, or omission of details around how they're protected in their secure practices" appear to be an emerging trend, Burn says.

One option to eliminate any questions about whether a company is implementing security controls is to provide verified support, she adds. Even if the transparency is not required, providing third-party verification that controls are in place for MFA, third-party risk management, endpoint detection, or any of the myriad of security controls should eliminate any misunderstanding or concerns in advance of the policy being issued.

**Evolving Cyber Insurance**

While technology and security implementations change over time, cyber insurance companies reevaluate their underwriting controls annually, notes Marc Schein, national co-chair at the Cyber Center for Excellence at Marsh McLennan Agency, the world's largest insurance broker. Unlike common casualty insurance policies, which have a very extensive statistical history for underwriters, cyber insurance is still considered a nascent field and underwriters are still perfecting their algorithms and analysis to best price risk.

One area where underwriters rely heavily on self-attestation from companies concerning their risk profile is controls: what controls they have in place, how well they were configured, and their effectiveness. At times, Schein continued, an underwriter might require an insurance prospect to undergo evaluations such as a penetration test. Should the test come back with a significantly different result than anticipated — for example, if 100 ports are open that the prospect said were closed — the insurance company likely would have a discussion about those open ports, as well as other attestations, to determine whether the company was deliberately trying to hide a problem or whether there was an accidental error.

CISOs are reluctant to answer questions on applications that might lead the underwriter to require significant investments to mitigate the problem before insurance is approved, says Schein. If a company indicates it plans to invest in the mitigation efforts but the project is not expected to be completed until after the date the insurance becomes effective, the insurer might compromise by binding the application but limiting the actual coverage to a percentage of the policy's limits — perhaps 10% of a policy's $1 million coverage limit — until such time as the remediation efforts are complete.

"It's remarkable that insurance carriers refuse to test, inspect, or engage in loss control when underwriting," attorney Godes notes. "Maybe they believe that they can just pull the rug out from underneath unaware policyholders, relying on rescission to avoid covering risks that the insurers could have inspected on their own."

Godes is not sold on the idea that cyber insurers are simply readjusting their underwriting procedures. "The industry is making it more and more challenging to respond to their applications," he notes, "and there continues to be vagaries in the applications."

"In my experience," he says, "the only investigation \[by cyber insurers\] is an effort to figure out how the carrier can rescind coverage, or threaten to do so, rather than figure out if the claim is covered and how it should be settled."

Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

As ransomware attacks continue to evolve, beyond using security best practices organizations can build resiliency with extended detection and response solutions and fast response times to shut down attacks.

Ransomware is the most significant cybersecurity threat facing organizations today. But recently, leaders from the National Security Agency and the FBI both indicated that attacks declined during the first half of 2022. The combination of sanctions on Russia, where many cybercriminal gangs originate, and crashing cryptocurrency markets may have had an effect, making it difficult for ransomware gangs to extract funds and get their payouts.

But we aren't out of the woods yet. Despite a temporary dip, ransomware is not only thriving but also evolving. Today, ransomware-as-a-service (RaaS) has evolved from a commoditized, automated model relying on prepackaged exploit kits, to a human-operated, highly targeted, and sophisticated business operation. That's reason for businesses of any size to be concerned.

**Becoming RaaS**

It is widely known that today's cybercriminals are well equipped, highly motivated, and very effective. They didn't get that way by accident, and they haven't remained so effective without continuously evolving their technologies and methodologies. The motivation of massive financial gain has been the only constant.

Early ransomware attacks were simple, technology-driven attacks. The attacks drove increased focus on backup and restore capabilities, which led adversaries to seek out online backups and encrypt those, too, during an attack. Attacker success led to larger ransoms, and the larger ransom demands made it less likely that the victim would pay, and more likely that law enforcement would get involved. Ransomware gangs responded with extortion. They transitioned to not only encrypting data, but exfiltration and threatening to make public the often-sensitive data of the victim's customers or partners, introducing a more complex risk of brand and reputational damage. Today, it isn't unusual for ransomware attackers to seek out a victim's cyber-insurance policy to help set the ransom demand and make the whole process (including payment) as efficient as possible.

We have also seen less disciplined (but equally damaging) ransomware attacks. For example, choosing to pay a ransom in turn also identifies a victim as a reliable fit for a future attack, increasing the likelihood it will be hit again, by the same or a different ransomware gang. Research estimates between 50% to 80% (PDF) of organizations that paid a ransom suffered a repeat attack.

As ransomware attacks have evolved, so have security technologies, especially in areas of threat identification and blocking. Anti-phishing, spam filters, antivirus, and malware-detection technologies have all been fine-tuned to address modern threats to minimize the threat of a compromise through email, malicious websites, or other popular attack vectors.

This proverbial "cat and mouse" game between adversaries and security providers that deliver better defenses and sophisticated approaches to stopping ransomware attacks has led to more collaboration within global cybercriminal rings. Much like safecrackers and alarm specialists used in traditional robberies, experts in malware development, network access, and exploitation are powering today's attacks and created conditions for the next evolution in ransomware.

**The RaaS Model Today**

RaaS has evolved to become a sophisticated, human-led operation with a complex, profit sharing business model. A RaaS operator who may have worked independently in the past now contracts with specialists to increase chances of a success.

A RaaS operator — who maintains specific ransomware tools, communicates with the victim, and secures payments — will now often work alongside a high-level hacker, who will perform the intrusion itself. Having an interactive attacker inside the target environment enables live decision-making during the attack. Working together, they identify specific weaknesses within the network, escalate privileges, and encrypt the most sensitive data to ensure payouts. In addition, they carry out reconnaissance to find and delete online backups and disable security tooling. The contracted hacker will often work alongside an access broker, who is responsible for providing access to the network through stolen credentials or persistence mechanisms that are already in place.

The attacks resulting from this collaboration of expertise have the feel and appearance of "old-fashioned," state-sponsored advanced persistent threat-style attacks, but are much more prevalent.

**How Organizations Can Defend Themselves**

The new, human operated RaaS model is much more sophisticated, targeted, and destructive than the RaaS models of the past, but there are still best practices organizations can follow to defend themselves.

Organizations must be disciplined about their security hygiene. IT is always changing, and any time a new endpoint is added, or a system is updated, it has the potential to introduce a new vulnerability or risk. Security teams must remain focused on security best practices: patching, using multifactor authentication, enforcing strong credentials, scanning the Dark Web for compromised credentials, training employees on how to spot phishing attempts, and more. These best practices help reduce the attack surface and minimize the risk that an access broker will be able to exploit a vulnerability to gain entry. Additionally, the stronger security hygiene an organization has, the less "noise" there will be for analysts to sort through in the security operations center (SOC), enabling them to focus on the real threat when one is identified.

Beyond security best practices, organizations must also ensure they have advanced threat detection and response capabilities. Because access brokers spend time performing reconnaissance in the organization's infrastructure, security analysts have an opportunity to spot them and stop the attack in its early stages — but only if they have the right tools. Organizations should look to extended detection and response solutions that can detect and cross-correlate telemetry from security events across their endpoints, networks, servers, email and cloud systems, and applications. They also need the ability to respond wherever the attack is identified to shut it down quickly. Large enterprises may have these capabilities built into their SOC, whereas midsize organizations may want to consider the managed detection and response model for 24/7 threat monitoring and response.

Despite the recent decline in ransomware attacks, security professionals shouldn't expect the threat to go extinct anytime soon. RaaS will continue to evolve, with the latest adaptations replaced by new approaches in response to cybersecurity innovations. But with a focus on security best practices paired with key threat prevention, detection, and response technologies, organizations will become more resilient against attacks.

Ransomware: The Latest Chapter

A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises.

Security researchers are sounding the alarm on the malware tool dubbed ChromeLoader. It first surfaced in January as a consumer-focused, browser-hijacking credential stealer but has now evolved into a widely prevalent and multifaceted threat to organizations across multiple industries.

In an advisory released Sept. 19, researchers from VMware's Carbon Black managed detection and response team said they have recently observed the malware being used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems.

The researchers said they have observed hundreds of attacks involving newer versions of the malware targeting enterprises in business services, education, government, healthcare, and multiple other sectors. 

"This campaign has gone through many changes over the past few months, and we don’t expect it to stop," the researchers warned. "It is imperative that these industries take note of the prevalence of this \[threat\] and prepare to respond to it."

**Ongoing & Prevalent Campaign**

VMware's warning echoed one from Microsoft's Security Intelligence team Friday about a threat actor they are tracking as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempting to monetize clicks generated by a browser extension or browser node-webkit that ChromeLoader had secretly downloaded on numerous user devices.

"This campaign begins with an .ISO file that's downloaded when a user clicks malicious ads or YouTube comments," according to Microsoft's analysis. When opened, the .ISO file installs the aforementioned browser node-webkit (NW.js) or a browser extension. 

"We’ve also seen the use of DMG files, indicating multi-platform activity," Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) grabbed attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents. 

Researchers from Palo Alto Networks' Unit 42 threat hunting team described the infection vector as starting with a user scanning a QR code on those sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were persuaded to download an .ISO image purporting to be the pirated file, which contained an installer file and several other hidden ones.

When users launched the installer file, they received a message indicating that the download had failed — while in the background a PowerShell script in the malware downloaded a malicious Chrome extension on the user's browser, Unit 42 researchers found.

**Rapid Evolution**

Since arriving on the scene earlier this year, the malware's authors have released multiple versions, many of them equipped with different malicious capabilities. One of them is a variant called Bloom.exe that made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. VMware's researchers said they observed the malware being used to exfiltrate sensitive data from infected systems. 

Another ChromeLoader variant is being used to drop zip bombs on user systems, i.e. malicious archive files. Users who click on the weaponized compression files end up launching malware that overloads their systems with data and crashes them. And since August, the operators of the appropriately named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

**ChromeLoader's Updated Malicious Tactics**

Along with the payloads, the tactics for getting users to download ChromeLoader have also evolved. For instance, VMware Carbon Black researchers said they have seen the malware's author's impersonating various legitimate services to lead users to ChromeLoader. 

One service they have impersonated is OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music. 

"The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates," VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home, and often using their personally owned devices to access enterprise data and applications, enterprises can end up being impacted as well. VMware's Carbon Black team, like Microsoft's security researchers, said they believe the current campaign is only a harbinger of more attacks involving ChromeLoader.  

"The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously," VMware said in its advisory, "due to its potential for delivering more nefarious malware."

ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat

The  attack uses hijacked Egress branding and the legit Powtoon video platform to steal user credentials.

**UPDATE**  

A unique multistep cyberattack has been observed in the wild that attempts to trick users into playing a malicious video that ultimately serves up a spoofed Microsoft page to steal credentials. 

The team at Perception Point released a report on the phishing campaign, noting that attacks begin with an email that appears to contain an invoice from British email security company Egress. The report noted the fake Egress email contains a valid sender signature, which helps it pass email security filters.   

Once the user clicks on the scam Egress invoice, they are taken to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, ultimately presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are harvested.

It all, the attack methodology is notable, researchers said. "This is a highly sophisticated phishing attack that involves multiple steps...and video," according to the Perception Point report on the two-step video phishing campaign.

**Egress Brand Impersonation**

Egress tells Dark Reading that its own investigation found the attack to rely on brand impersonation, even though the email could be seen on face value as being a legitimate Egress email.

"We can confirm that there is currently no evidence that Egress itself has been the victim of a phishing attack, and reports of an account takeover attack involving any Egress employee or any Egress user are false," the company said in a statement sent to Dark Reading. "There is no need for any Egress customer or user to take any action at this time."

The statement continued, "Our investigation shows that this is a standard brand impersonation. As you are probably aware, cybercriminals leverage many trusted and well-known brands to add legitimacy to their attacks. In the instance reported, a phishing email was sent using an Egress Protect (email encryption) template."

**_This story was updated at 9:30 a.m. ET on Sept. 21, to clarify that there was no account takeover at Egress. This story was also updated at 12:50 p.m. ET on Sept. 22, after Perception Point amended certain details in its blog on the attack._**

.

2-Step Email Attack Uses Powtoon Video to Execute Payload

The airline and the fintech giant both fell to successful phishing attacks against employees.

Call it breach week: Hard on the heels of the Uber bombshell, American Airlines said that it suffered a data breach after a successful phishing attempt hooked a few employee email accounts. And consumer banking app Revolut confirmed that more than 50,000 customers may be impacted by a targeted data heist.

In the case of American, the airline told customers in a notification letter filed with the Montana Department of Justice that in July it discovered compromised email accounts for a "limited number" of employees. The mailboxes contained a raft of customer data, which could include name, date of birth, phone number, mailing address, email address, driver's license number, passport number, and perhaps medical information. That said, there's no confirmation that attackers actually took off with any of the information.

Meanwhile, fintech bigwig Revolut, which offers global banking, debit cards, fee-free currency exchange, stock trading, cryptocurrency exchange, and peer-to-peer payment services, said that a cyberattacker was able to access data for about 0.16% of its 20 million customers for a "short period” of time. The data protection regulator in Lithuania, where Revolut is headquartered, said that translates to about 50,150 people impacted.

The attackers were able to access names, phone numbers, emails, physical addresses, partial card details, and some unspecified account information, according to the regulator notice — but Revolut noted that funds were safe.

"To be clear, no funds have been accessed or stolen," the company announced in an email to customers (shared on Reddit). "Our customers' money is safe — as it has always been. All customers can continue to use their cards and accounts as normal."

Nonetheless, in both breach cases, the exposed data gives cyberattackers everything they would need to mount targeted follow-on attacks using social engineering, or for credential-stuffing efforts. And indeed, some Revolut customers have already reported phishing messages aimed at capturing their banking account logins.

"While the resulting second-wave phishing attack wasn’t the likely motive in this case, secondary outreach directly to the end user is always a possibility when it comes to these types attacks," says Randy Watkins, CTO at CRITICALSTART. "Likely, the attackers would have preferred to get the information they wanted directly from Revolut, but with the information they were able to gain access to, they can significantly raise their chances of phishing the end users.”

Beware of Phish: American Airlines, Revolut Data Breaches Expose Customer Info

The release augments the company's Kubernetes management platform with free, user-friendly insight on security postures, along with cost monitoring and observability.

Cloud cost management platform provider Cast AI has released Cloud Security Insights, a free security analysis tool that integrates into an organization's AI-driven cloud optimization platform.

The platform, which is free for all users, aims to help DevOps and DevSecOps teams manage cloud resources, cloud optimization, and Kubernetes security.

It represents the second pillar of Cast AI's autonomous Kubernetes management platform, adding to the suite of tools for automating Kubernetes cost reduction, cloud resource provisioning, and security monitoring across Google Cloud, Amazon Web Services (AWS), and Microsoft Azure.

The vendor-independent platform provides users with fully automated reports containing Kubernetes configuration checks, which help ensure clusters are configured according to best practices for pods and workloads. The user interface provides details on individual checks and resources.

The platform also offers vulnerability scans for an overview of potential issues that might appear due to container images downloaded from public registries, as well as 24/7 visibility into Kubernetes cluster configurations.

In addition, container image vulnerability detection and security recommendations can be arranged and presented in order of priority. Other features help users achieve security and regulatory compliance and provide a common platform for security and development team integration and collaboration.

"In addition to comprehensive cost monitoring, you're now provided with individually tailored security recommendations to mitigate cloud native workload security issues," explains Cast AI co-founder and CPO Laurent Gil. "You just need to create an account and connect your AWS, Google, or Azure Kubernetes apps."

Gil adds that Cloud Security Insights can be used for multicloud or single-cloud environments, providing the same security alerts and insights regardless of which cloud providers the organization uses viaa common and simple control plane.

Native tools can handle these tasks, of course. Microsoft offers Microsoft Defender for Containers, for example, which covers more but costs $7 per CPU per virtual machine. It also requires customers to install an agent on their resources.

Google Cloud runs a vulnerability assessment service for images at a price of 26 cents per scanned container image, while security for Kubernetes includes this service and vulnerability assessment in the pre-general release.

"However, we already see that we are able to detect many more best practices violations," Gil asserts. "The value is in the platform — Security Insights and cloud optimization makes your applications secure and autonomous at the same time, with an instant position ROI."

In short, Gil says users get a "powerful and complete" insight on Kubernetes security monitoring, plus an instant ROI where the cost of Cast AI is always a fraction of the savings benefits.

"Applications now run securely and autonomously, with instant rightsizing and one of the fastest autoscalers on the planet," he adds.

**Kubernetes Environments Pose Multiple Challenge**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, points out that Kubernetes (aka k8s) environments have several specific challenges.

"These include compromised images, visibility into the environment, establishing and maintaining secure configurations, and a range of other problems related to securing containerized images in the cloud," he explains.

Anything that can help a security operations team consolidate their tools and give them more context and clarity helps, he adds.

"That's the case whether it's in the form of a single focused tool that covers multiple aspects of a deployment or a risk management tool that brings other tools together," Parkin says.

As a deployment orchestrator, Kubernetes will dominate an organization's alignment challenges, whether hybrid/multicloud or data center-based, says John Steven, CTO at automated threat modeling provider ThreatModeler.  

"Indeed, the point of Kubernetes is to abstract away the underlying infrastructure management, replacing it with its own scheme," he says. He explains that managed Kubernetes solutions simplify scale out because the cloud service provider's (CSP) control of underlying infrastructure makes it appear infinite.

Managed solutions also make incorporating key CSP-specific services, such as Directory Services, Persistence Solutions, or Learning APIs, into a Kubernetes application easier and more secure, he says.

"However, organizations can also feel like managed k8s is shackling — tying them to a particular provider through configuration, service, and administration idiosyncrasies," Steven says.

He notes that organizations with exceptionally high uptime requirements may struggle to provide multicloud resilience against failure of a single CSP availability zone or region.

"In practice, managed k8s trades the complexity of multicloud k8s for the idiosyncrasy and lock-in of managing a single cloud," Steven says. "Given the above, it's strategic for security solutions to target k8s. Providing visibility into clusters meets a crucial need."

Steven adds that more than one startup has suffered multiday outage because k8s misconfiguration knocked a critical business function offline or because storage, memory, or compute allotment claims defined too low a ceiling for peak usage during heavy use.

"If businesses begin to view k8s as an unreliable platform — even if \[it's\] because they don't have the expertise to wield it — they will move to simpler solutions," he says.

Source

DARKReading