Next-gen platform delivers adaptive and robust, continuous authentication with identity orchestration and a frictionless user experience.

**IRVINE, Calif., Aug. 31, 2022 —** SecureAuth, a leader in access management and authentication, announces the general availability of Arculix, a next-generation access management and continuous authentication platform. Driven by SecureAuth’s patented risk-based behavioral modeling engine, Arculix provides end users with a frictionless and passwordless digital journey.

The platform takes into account an identity’s level of assurance based on user, device and browser trust that employs artificial intelligence and machine learning (AI/ML) to determine anomalous behavior. Arculix enables organizations to accelerate their Zero Trust initiatives by ensuring the right digital identities have the right amount of access to the right resources while improving user experience by eliminating the need to repeatedly ask users to re-authenticate. It can be deployed as a standalone identity provider or can extend other IdPs, like Microsoft (E3/E5 subscriptions), if the customer chooses to leverage their existing primary identity provider but needs to implement more advanced risk-based continuous authentication.

“Arculix’s groundbreaking AI-driven behavioral modeling and device trust capabilities take identity and access management (IAM) to a new level of security and user experience with passwordless authentication,” said Mark Mahovlich, Vice President of Strategy and Execution, ICM Cyber, a SecureAuth certified partner. “With Arculix we are helping our customers implement true passwordless and continuous authentication to mature their IAM programs and better secure their organizations.”

“With Arculix, organizations can improve digital experience and productivity at a time when identity has become the primary attack surface,” said Matt Ulery, Chief Product Officer, SecureAuth. “Organizations can have simplicity without sacrificing flexibility, enable a Zero Trust approach and leverage actionable threat intelligence and situational context to deliver the right user experience for workforce and customers. Early adopters of Arculix within the financial and insurance industries have been able to improve user experience and reduce help desk costs while reducing identity attacks including fraud, account take over (ATO) and credential stuffing.”

Arculix generates a risk score at the start of the user journey when logging into a device that is used to grant access to everything the user needs like web apps, servers, and services without interacting with another factor check. Risk is continuously re-assessed to provide invisible multi-factor authentication (MFA) that utilizes analytics to deliver a frictionless user experience with adaptive workflows that step-up or step-down authentication based on overall risk.

"Identity security remains a top concern and investment area for most enterprise and government organizations especially given that universal adoption of passwordless log-in technology is encouraged by leaders such as Apple, Google, Meta, Microsoft, Twitter, and more," said Jay Bretzmann, Research Vice President for Security Products, IDC. “Arculix has the potential to be a Phoenix taking advanced authentication technology to the next adoption level so that security teams actually start to use it.”

**Arculix Platform**

Key features of the Arculix platform include:

1. **Arculix Risk Analysis —** Based on its innovative behavioral modeling patent technology and AI, this system allows for a frictionless authentication process as well as the ability to predict a user’s digital behavior and patterns to preemptively prevent fraud.

2\. **Arculix Device Trust** — This capability utilizes analytics to evaluate device context and telemetry to provide a seamless experience to create the user’s digital DNA for resource and app access/usage. Arculix Device Trust is FIDO2 certified.

3\. **Arculix Mobile App** — The mobile app informs end-users of risk after login based on device and browser fingerprint analysis after login and automatically performs step-up login when a threat is detected.

To learn more, visit, Arculix Overview.

**About SecureAuth Corporation**

SecureAuth is a next-gen access management and authentication company that enables secure and passwordless, continuous authentication experience for employees, partners and customers. With the only solution that can be deployed in cloud, hybrid and on-premises environments, SecureAuth manages and protects access to applications, systems and data at scale, anywhere in the world. To find out more, please visit www.secureauth.com.

SecureAuth Announces General Availability of Arculix, Its Next-Gen Passwordless, Continuous-Authentication Platform

New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.

Researchers at Johns Hopkins University recently uncovered a startling 180 zero-day vulnerabilities across thousands of Node.js libraries using a new code analysis tool they developed specifically for the purpose, called ODGen.

Seventy of those flaws have since received common vulnerabilities and exposures (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities — some of them in widely used applications.

In a paper released at the Usenix Security Symposium earlier this month, the Johns Hopkins researchers — Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao — described ODGen as a better alternative to current code-analysis and so-called graph query-based approaches for finding Node.js vulnerabilities.

Program analysis-based approaches have proved useful in helping detect individual vulnerability types such as code-injection flaws in JavaScript. But they cannot be easily extended to detect all kind of vulnerabilities that might be present in the Node.js platform, the researchers said. Similarly, graph-based code-analysis methods — where code is first represented as a graph and then queried for specific coding errors — works well in environments such as C++ and PHP. However, graph-based approaches are not as efficient in mining for JavaScript vulnerabilities because of the programming language's extensive use of dynamic features, they noted.

**A 'Novel' Approach for Finding JavaScript Vulnerabilities**

So, the researchers instead developed what they described as a "novel" and better method called Object Dependence Graph (ODG) that can be used for detecting Node.js vulnerabilities. They implemented ODGen to generate "ODG" for Node.js programs to detect vulnerabilities, they said.

Cao, assistant professor of computer science at Johns Hopkins University and a co-author of the research report, uses a couple of analogies to describe graph-based code analysis in general and their proposed Objective Dependence Graph. "If we consider a vulnerability as a special pattern — say, a green node connected with a red node and then a black node — a graph-based code-analysis tool first converts programs to a graph with many nodes and edges," Cao says. "Then the tool looks for such patterns in the graph to locate a vulnerability."

The Object Dependence Graph that the researchers have proposed refines this approach by representing JavaScript objects as nodes and adding features — including dependencies between objects — that are specific to the programming language, and then querying for errors. Cao describes how the method works using grains in a handful of rice: If all the grains look the same before boiling but assume two different shades after boiling — one representing good grains and the other bad grains — then it becomes easier to spot and weed out the bad grains. "Abstract interpretation is kind of like the boiling process that converts rice — that is, programs — into different colored objects" so errors are easier to spot, Cao says.

**A Variety of Bugs**

To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the node package manager (npm) repository. The test showed the scanner correctly identifying 302 of the 330 vulnerabilities. Buoyed by the relatively high accuracy rate, the researchers ran ODGen against some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities across the packages. The researchers checked 264 of them — all with more than 1,000 downloads per week on average — and were able to confirm 180 as being legitimate vulnerabilities. Forty-three of them were at the application level, 122 were in packages that are imported by other applications or code, and the remaining 15 were present in indirect packages.

A plurality (80) of the confirmed vulnerabilities that ODGen detected were command injection flows that allow attackers to execute arbitrary code at the operating system level via a vulnerable application. Thirty were path traversal flaws; 24 enabled code tampering, and 19 involved a specific type of command injection attack called prototype pollution.

New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.

Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.

That said, for most companies, a "good" application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let's discuss the differences, and how to create something that meets your company's needs.

**Elections Require Perfection**

For a "perfect" AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report "any and all" possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.

A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It's unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.

They don't write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.

**5 Ways to Make Good 'Good Enough'**

With that story in mind, does your organization need to be truly _perfect_? Or is "good" _good enough_? Let's look at some ways your organization could create a scalable and affordable application security program that is _good_.

**1\. Automate.** First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of "high" in the first year of your program, and then shifting to "medium" in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.

**2\. Use anti-pattern matching SAST.** For SAST tools, when you're aiming for "good" results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.

**3\. Spell out technical requirements.** When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don't face unexpected overtime.

**4\. Run a threat model.** During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a simple threat model on your application and implement some of the recommendations from that session.

**5\. Train people on secure coding.** Give your software developers secure coding training. There's several free or almost-free courses on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.

Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make "good" software.

Don't Let 'Perfect' Be the Enemy of a Good AppSec Program

Analysts find five cookie-stuffing extensions, including one that's Netflix-themed, that track victim browsing and insert rogue IDs into e-commerce sites to rack up fake affiliate payments.

Researchers have flagged five separate malicious Chrome extensions masquerading as Netflix viewers and more. They track user activity and insert code into any e-commerce sites they visit, letting cyberattackers steal payments through the retailer affiliate programs. 

McAfee Labs analysts found the Chrome extensions being marketed to let users watch Netflix in groups, automatically clip coupons, and take screenshots. All together, the apps have been downloaded 1.4 million times, they found. 

The McAfee team has been working on tracking down malicious Chrome extensions, and its latest report is part of that project, researchers wrote in a recent blog about their findings. The researchers warn end users to take extra precautions to verify an extension's safety if it asks for additional permissions. 

"This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code," they said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Malicious Chrome Extensions Plague 1.4M Users

The phishing campaign deploying a ScanBox reconnaissance framework has targeted the Australian government and companies maintaining wind turbines in the South China Sea.

The Chinese state-aligned threat actor TA423 (aka Leviathan/APT40) is behind a sustained cyber-espionage campaign against countries and entities operating in the South China Sea, including organizations involved in an offshore wind farm in the Taiwan Strait.

The threat actor's most recent campaigns used malicious emails impersonating Australian media organizations, including the fake Australian Morning News, to deliver ScanBox malware for reconnaissance, according to a report drafted by cybersecurity firm Proofpoint, working in collaboration with PwC.

Researchers also observed phishing activity targeting governmental agencies, media companies, and South China Sea wind turbine operators, as well as a European manufacturer supplying equipment for the Yunlin Offshore Windfarm in the Taiwan Strait.

The espionage campaign was active from April through June, with URLs delivered in phishing emails that redirected victims to a malicious website, where the landing page delivered a JavaScript ScanBox malware payload to selected targets.

"The ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and Outlook email addresses which Proofpoint assess with moderate confidence were created by the threat actor, and utilized a variety of subject \[lines\] including 'Sick Leave,' 'User Research,' and 'Request Cooperation,'" a blog post on the campaign noted, adding that the phishing campaign is currently ongoing.

ScanBox is a reconnaissance and exploitation framework designed to harvest several types of information, such as the target's public-facing IP address, the type of Web browser they use, and their browser configuration (language or plugin information, for example). It allows threat actors to profile victims, and to deliver further carefully crafted malware to selected targets of interest.

This serves as a setup for the following stages of information gathering and potential follow-on exploitation or compromise, where malware could be deployed to gain persistence on the victim's systems and allow the attacker to perform espionage activities.

"It creates an impression of the victim's network that the actors then study and decide the best route to take to achieve further compromise," explains Sherrod DeGrippo, Proofpoint's vice president of threat research and detection.

Proofpoint began to observe a consistent pattern of targeting against entities based in Malaysia and Australia as far back as March 2021 — the first phase of the campaign.

"The second phase began in March 2022 and consisted of phishing campaigns which used RTF template injection attachments leveraging template URLs that were customized for each target," the report noted.

**Active for Almost a Decade**

DeGrippo notes that TA423 has been active for almost 10 years, with its activity dovetailing with military and political events in the Asia-Pacific region. TA423's typical targets include defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.

She calls TA423 "one of the most consistent" advanced persistent threat (APT) actors in the threat landscape, supporting the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan.

"This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia," she explains.

The group is so capable that in 2021, the US Department of Justice charged four of its alleged members with "global computer intrusion campaign targeting intellectual property and confidential business information."

"We expect TA423 to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries with interests in the South China Sea, as well as further intrusions in Australia, Europe and the United States," DeGrippo says.

**Spike in Phishing Campaigns**

Malicious actors are using increasingly sophisticated and unusual methods to conduct phishing campaigns.

Earlier this month, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials in a widespread campaign.

Google researchers also discovered the latest threat from Iranian APT group Charming Kitten, which has a new data-scraping tool that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.

DeGrippo says protecting email users and the email vector should be a top priority for organizations, particularly those heavily targeted industries with significant email traffic.

"Organizations should focus on a cybersecurity strategy based on people, processes, and technology," she adds. "This means training individuals to identify malicious emails, using email security tools to block threats before they reach users' inboxes, and putting the right processes in place to ensure that threats can be mitigated immediately."

Chinese Hackers Target Energy Sector in Australia, South China Sea

The relationship between information technology and operational technology will need top-down support if a holistic security culture is to truly thrive.

Most members of the security community acknowledge the need for an improved security culture — meaning systemic corporate awareness, measurement, and monitoring for improvement of cybersecurity to lower the overall risk. Just look at Kim Zetter's Black Hat USA 2022 keynote, which called for crucial security improvements throughout critical infrastructure.

Many times, the impediment to effective security is not necessarily technical but, rather, a cultural issue. Many often mistakenly equate user education and training with the creation of a security culture. User education is about information sharing on issues and obligations — whereas security culture is about behavioral changes in support of security.

**Building Security Culture Through User Awareness**

Though user awareness and building a security culture are different exercises with distinct challenges, they share one commonality_:_ They require serious attention and support. With that in mind, these two exercises actually complement each other.

Consider this: While there are many debates on CISO reporting structures, the support necessary for driving a security culture is not dependent upon this hierarchy; it's dependent on the modification of user behavior through generally accepted business operations. This holistic business process modification is why the security culture needs to be driven from the top down.

User awareness should be baked into an organization's security tools and take place as consistently as searching the systems for indications of compromise. User awareness does not take the place of, and is not the same as, the creation of a security culture — rather, it's a necessary component of any effective security culture.

**Getting on Board**

Ownership and support for creating security culture must be driven at the board level. This is because while many exploitations and attacks are no more than another security alert to manage, when a skilled adversary gets involved, serious risks arise. As I always say: Amateurs hack systems; professionals hack people. Hacking the human as a security risk category has a high yield of success and transcends technological safeguards.

The trick is to protect the human operator from the pitfalls of human nature by controlling and sculpting behavior. This often requires critical thought about ingrained business practices. Support for the realization of necessary changes will rely heavily upon top-down influence.

**Security Culture in OT Environments**

OT environments are saddled with even more significant challenges in examining and cultivating their security culture. Not only do business users play an integral role, but OT engineers are just as vital to preventing and responding to security events.

The relationship between IT and OT is where the creation of a holistic security culture will need top-down support to look critically at the overall business and operational processes. Things that can torpedo the most earnest attempts at shoring up a security effort could be as unsuspecting as the accounting process for applying budgets across the individual locations or the perception of ownership for security.

While these examples are the tip of the iceberg, it's important to create a holistic and continuous process improving program within the organization to continue to ask, "How could our security culture be improved?"

**Security Culture in IT Environments**

Unlike OT, the recognition of the need for technologies is well defined in IT. For example, asset inventory and visibility is a commodity product set for IT. There are many asset management vendors from which to choose, and a skilled IT team can quickly adopt these tools. The process of selecting technology may be influenced by an IT-centric process. Cultural changes may be found that would better fit the selection of complementary products on the OT side.

Asset inventory, vulnerability, and risk management are more challenging in OT due to the nature of the technology and topology. The personnel are typically engineers that specialize in the process and not necessarily the tool (systems) with how they interact with the operations of moving molecules. The owners of OT assets have a different mission focus from IT owners, and their training does not necessarily include security. The creation of a security culture must take these different mindsets into account and use relatable tactics to change behavior.

**Blending Cultures: IT and OT**

A risk-based approach will help IT and OT professionals by standardizing key metrics like life, health, safety, not to mention the impact on production capacity and efficiency. This approach should also include maximum tolerable downtime (MTD) and mean time to recovery (MTR).

This will drive answers to why personnel should care about security. Organizations will want to give the collective team a chance for success. While looking at business processes for assigning tasks across groups, subtle changes may become apparent when viewed through a security lens. While system ownership must remain bifurcated due to inherent, operationally driven needs, the IT/security/OT teams must all work in lockstep to address critical vulnerabilities, potential security events, and incident response/recovery. Speed and efficiency are paramount.

These are only two aspects of creating a security culture but serve as an excellent example of why there is more to changing behavior than simple information sharing. Creating a security culture is vital to any organization to augment the security technology investments but is indispensable to an OT operator's survival in the fast-paced breach response process.

Security Culture: An OT Survival Story

Nearly half of respondents say their company relies on outdated backup and recovery infrastructure — in some cases dating back to the 1990s, before today's sophisticated cyberattacks.

**SAN JOSE, Calif. Aug. 29, 2022** (BUSINESS WIRE) — New global research commissioned by Cohesity, a leader in next-gen data management, reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old, and was designed long before today’s multicloud era and onslaught of sophisticated cyberattacks plaguing enterprises globally.

“In this survey, we found nearly 100 respondents who said their organizations are relying on outdated data infrastructure, and this raises the question, how many other businesses are in the same situation around the world?”

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilize if and when a cyberattack occurs. Nearly 60% of respondents\* expressed some level of concern that their IT and security teams would be able to mobilize efficiently to respond to an attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia, and New Zealand. All respondents play a role in the decision-making process for IT or security within their organizations.

“IT and security teams should raise the alarm bell if their organization continues to use antiquated technology to manage and secure their most critical digital asset – their data,” said Brian Spanswick, chief information security officer, Cohesity. “Cyber criminals are actively preying on this outdated infrastructure, as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyberattacks.”

**Backup and Recovery Infrastructure That Could Be Considered Archaic**

Forty-six percent of respondents said that their organization relies on primary backup and recovery infrastructure that was designed in, or before, 2010. Nearly 100 respondents (94 out of 2011) revealed that their organization relies on backup and recovery infrastructure that was built before the new millennium — in the 1990s.

Enterprises are utilizing this legacy technology despite the fact that managing and securing data environments has become much more complex, not just because of the exponential growth in structured and unstructured data, but because of the vast array of locations where that data is stored. Forty-one percent of respondents stated that they store data on-premises, 43% rely on public cloud storage, 53% utilize a private cloud, and 44% have adopted a hybrid model (some respondents are using more than one option).

“In 2022, the fact that any organization is using technology to manage their data that was designed in the 1990s is frightening, given that data can be compromised, exfiltrated, held hostage, and it can create massive compliance issues for organizations,” said Spanswick. “In this survey, we found nearly 100 respondents who said their organizations are relying on outdated data infrastructure, and this raises the question, how many other businesses are in the same situation around the world?”

**What Keeps IT and SecOps Teams Up at Night**

Respondents highlighted what they believe would be their biggest barriers to getting their organization back up and running after a successful ransomware attack. The findings are as follows _(respondents were asked to check all that apply)_:

*   integration between IT and security systems (41%)
*   lack of coordination between IT and Security (38%)
*   lack of an automated disaster recovery system (34%)
*   antiquated backup and recovery systems (32%)
*   lack of a recent, clean, immutable copy of data (32%)
*   lack of and timely detailed alerts (31%)

With respect to the lack of coordination between IT and security, this coincides with other findings from this survey, denoting that a gap often exists between IT and SecOps that puts businesses and security postures at risk. For more on that, click here.

**What Do Survey Respondents Want Management to Prioritize?**

Respondents revealed that modernizing data management, protection, and recovery capabilities, in addition to increasing collaboration between IT and SecOps, offers a path to strengthening their organizations’ security postures and multicloud operations. The top five “must have'' measures that respondents would ask management for in 2022 are:  

1\. Integration between modern data management and security platforms and AI-powered anomalous data access alerts to provide early warning of attacks in progress (34%)  
2\. Extensible platform for third-party applications for security operations and incident response (33%)  
3\. Automated disaster recovery of systems and data (33%)  
4\. Upgrading from legacy backup and recovery systems (32%)  
5\. Rapid, organizationwide backup with in-transit data encryption (30%)

“Both IT decision-makers and SecOps should co-own the cyber-resilience outcomes, and this includes an evaluation of all infrastructure used in accordance with the NIST framework for data identification, protection, detection, response, and recovery. Also, both teams need to have a comprehensive understanding of the potential attack surface,” said Spanswick. “Next-gen data management platforms can close the technology gap, improve data visibility, help IT and SecOps teams sleep better at night, and stay one step ahead of bad actors who take great delight in exfiltrating data from legacy systems that can’t be recovered.”

**For more information:**

*   To learn more about Cohesity Data Security, click here.
*   To learn more about Cohesity Ransomware Recovery, click here.
*   To learn more about Cohesity Threat Defense, click here.
*   To learn more about next-gen data management, click here.

_\[\*\] When asked “If a ransomware attack occurred today, how confident, if at all, are you/would you be that your IT and Security teams would be able to mobilize efficiently to respond to the attack,” 60% applies to respondents who said ‘Somewhat confident’, ‘Not very confident’, and ‘Not at all confident’._

**About Cohesity**

Cohesity radically simplifies data management. We make it easy to protect, manage, and derive value from data — across the data center, edge, and cloud. We offer a full suite of services consolidated on one multicloud data platform: backup and recovery, disaster recovery, file and object services, dev/test, and data compliance, security, and analytics — reducing complexity and eliminating mass data fragmentation. Cohesity can be delivered as a service, self-managed, or provided by a Cohesity-powered partner.

_© 2022 Cohesity, Inc. All rights reserved. Cohesity, the Cohesity logo, Helios, and other Cohesity marks are trademarks or registered trademarks of Cohesity, Inc. in the U.S. and/or internationally. Other company and product names may be trademarks of the respective companies with which they are associated._

Cohesity Research Reveals that Reliance on Legacy Technology Is Undermining How Organizations Respond to Ransomware

The first-of-its-kind campaign threatens to remove code packages if developers don’t submit their code to a "validation" process.

A phishing campaign is targeting users of the Python Package Index (PyPI) by threatening to remove their code packages if they don't put it through a bogus validation process, PyPI administrators have warned.

PyPI administrators are alerting users about the repository — which enables Python developers to publish and find code packages to use for building software — of emails that claim they are implementing a "mandatory 'validation' process," they said in a series of tweets outlining how the scam works.

The messages invite PyPI users to follow a link to perform the validation "or otherwise risk the package being removed from PyPI." The administrators assured users in a post that they would never remove a valid project from the index, and they only take down projects that are found to be malicious or violate the company's terms of service.

The campaign, which the administrators said is the first of its kind, steals users credentials to load compromised packages to the repository. The administrators noted that the phishing campaign does not target code repositories as a way to spread malware through the software supply chain.

The attackers behind the scam already have successfully stolen credentials from several PyPI users and uploaded malware into the projects they maintain to serve as the latest release for those projects, according to PyPI.

"These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen," according to PyPI's Twitter post.

**How the Scam Works**

According to PyPI, the initial phishing message dangles the lure that Google is behind the validation process of new and existing PyPI packages. Ironically, the message claims the new process is due to "a surge in malicious packages being uploaded to the PyPI.org domain."

The link takes the user to a phishing site that mimics PyPI's login page, which steals any credentials entered through a phishing site, "sites\[dot\]google\[dot\]com/view/pypivalidate." The data is sent to a URL on the domain "linkedopports\[dot\]com," according to PyPI.

PyPI administrators have been unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes but noted that accounts protected by hardware security keys are not vulnerable to the attack.

Repository administrators are in the process of actively reviewing reports of new malicious releases and ensuring that they are removed so the accounts that have been compromised are restored and their maintainers can continue to use PyPI.

**Supply Chain in the Crosshairs**

The campaign bucks the trend where threat actors are targeting public code repositories to distribute malware to the software supply chain. Flawed code can be a goldmine for threat actors, expansively widening the impact of malicious campaigns when compromised code is built into numerous applications or websites without developers or users knowing.

The Log4J case — in which a flaw in a widely used Java logging tool affected millions of applications, many of which are still vulnerable — brought this to light in a big way, and threat actors recently have ramped up attacks on code repositories as a way to spread malicious code quickly through the supply chain.

Earlier this month, PyPI removed 10 malicious code packages from the registry after a security vendor informed it about the issue. Threat actors targeted the registry by embedding malicious code into the package installation script.

PyPI has been aware of the target on its back and in the past few years has enacted several security initiatives to better protect its users.

These measures include the addition of two-factor authentication (2FA) as a login option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and the creation of databases of known Python vulnerabilities in PyPI projects.

**Thwarting the Attack**

PyPI is currently working to make 2FA more prevalent across projects on the repository, administrators said, adding that PyPI users with 2FA already implemented should reset recovery codes if they think that their account has been compromised.

To avoid being phished altogether, PyPI users should confirm that the URL in the address bar of any email purporting to come from PyPI is http://pypi.org and that the site's TLS certificate is issued to http://pypi.org. Users also should consider using a browser-integrated password manager, administrators tweeted.

Enabling 2FA by using hardware security keys or WebAuthn 2FA also can help PyPI users avoid being compromised by phishing attempts, they said. In fact, to help facilitate better protection, the repository currently offers free hardware keys for maintainers of the top 1% of projects.

PyPI advised any users who think they've been compromised to contact \[email protected\] with details about the sender email address and URL of the malicious site to help administrators to respond to this issue.

Phishing Campaign Targets PyPI Users to Distribute Malicious Code

A people-first approach reduces fatigue and burnout, and it empowers employees to seek out development opportunities, which helps retention.

I manage a security operations center (SOC) in the midst of the Great Resignation and a massive cybersecurity skills gap. During this time, I've learned a few surprising things about how to recruit and maintain a cohesive SOC team.

A 2021 Devo study of more than 1,000 cybersecurity professionals found that working in a SOC has some unique pain points, including the amount of information that needs to be processed and the on-call nature of the job. Alert fatigue also contributes to this pain.

I've found that keeping the SOC staffed and engaged starts with a SOC's most important asset: its people. A people-first approach not only helps with reducing fatigue and burnout, but it also empowers employees to seek out opportunities for their own development, greatly aiding in retention. Here are three ways that I rely on to support my SOC colleagues.

**Give and Receive Regular Feedback**

Actionable feedback, both given and received, is something that people naturally desire. When done proactively, the team gains a clear understanding of their performance while building trust with their leaders. Even if everything is going well, letting your colleagues know what they are excelling at is imperative. This positive reinforcement often has more impact than letting them know when something needs to be improved.

I have an open-door policy with my team, which allows for a consistent feedback loop. If I need to be doing more for my team, I expect them to tell me where I can improve; on the flip side, hearing if something is going well helps me better calibrate my leadership style to my team.

I also encourage others to find departments within your company that will provide 180-degree feedback. This is vital for me as both a leader and an employee as it empowers me to check my own blind spots. As a leader, you should want to discover the areas where you can grow and better support your team.

**Rotate Tasks and Responsibilities**

Within my team, I have everyone rotate between managing alerts, self-paced training, and project work. This not only gives each team member a window into different aspects of the SOC, and work to develop themselves, it also removes some of the monotony and stress of the job.

For instance, if you have to come to work every day and consistently worry about urgent tickets and client requests, you will feel anxious and as though you constantly have to fix other people's problems. These feelings contribute mightily to burnout. Additionally, finding ways to automate regular tasks will reduce the stress and burden placed on the team so they can focus on more strategic work.

**Promote Interactions Throughout the Company**

It can be easy to get lost looking at each tree in the SOC, when you should instead be focusing on the forest of the company. That is why I encourage my team to take a step back and realize how their work is helping the company and community.

I do this by coordinating opportunities for my team to work with individuals outside their realm, for instance in sales or marketing, so everyone understands the product and overall goals. Also, assisting others outside of your team and even your company helps you to fully understand the value you provide and where others can benefit from your team's support and expertise.

I encourage my team to complete a quarterly "Do Good" project, which focuses on the needs of the company and the larger security community. For instance, how can we work together to educate others about bad actors and mitigate the threats they pose? In April, the SOC team identified and validated IP addresses that were being used for attacks across several of our clients. After they were identified, we ensured they were available to the public so others could leverage our knowledge to block attackers.

Doing projects like these reminds the team how critical their work is and unites us around a common goal.

**The Key Differentiator: How People Are Treated**

How the leaders treat their people is a key differentiator in today's job market, especially as many organizations look to creative ways to solve cybersecurity's ongoing talent shortage. It goes without saying that employers should also look to train employees rather than expect them to come to an entry-level job with 30 years of experience and a CISSP cert.

When I am hiring, I look for strong base foundations and proven self-starters, along with potential — and desire — to grow, rather than previous experience. It is always rewarding to give deserving people an opportunity and watch them flourish.

Additionally, having your team complete self-paced training and educational opportunities enables each person to work on skills and techniques that will only aid the company down the line. Fostering that growth is just good business.

While there certainly isn't a one-size-fits-all approach to managing people, as each person, SOC, and company are different, keeping your people at the heart of all things will never go out of style. The stronger your employees, the better off your SOC, and your organization as a whole, will be.

Building a Strong SOC Starts With People

The search engine giant's Vulnerability Rewards Program now covers any Google open source software projects — with a focus on critical software such as Go and Angular.

Google plans to pay out cash rewards for information on vulnerabilities discovered in any of its open source projects as part of an ongoing effort to improve the security of open source code.

The new Open Source Software Vulnerability Rewards Program (OSS VRP), which extends Google's existing Vulnerability Rewards Program, was announced in a blog post published today.

Google will pay researchers up to $31,337 for information on vulnerabilities in open source software projects — particularly those managed by Google — that impact the firm's software and services. Google's goal is to secure its own software supply chain, but because many non-Google developers use the company's open source software — such as the Go programming language and Angular Web framework — the initiative promises to help secure the wider open source ecosystem as well.

At first, Google will focus on the most widely used and critical projects, says Francis Perron, open source security technical program manager at Google.

"We want to offer a high-quality bug-hunting experience, so we picked projects which had enough maturity in their response and their processes to test this program," he says. "Broadening the scope will happen after we compile enough data internally, and make sure we can scale up without harming the projects, and the researchers."

**Supply Chain Security Challenges**

Securing the software supply chain has become a major effort of technology firms and the policymakers. In January, the Biden administration met with technology companies and open source organizations to find ways to promote secure coding, find more vulnerabilities, and speed patching of open source projects.

Last year, Google pledged to spend $10 billion over five years, supporting efforts by the OpenSSF, adding a cybersecurity advisory group, and bolstering its Invisible Security zero trust initiative.

"Governments and businesses are at a watershed moment in addressing cybersecurity," Kent Walker, president of global affairs for Google and its parent company Alphabet, said in the 2021 announcement of the company's $10 billion pledge. "Cyberattacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges."

Over the past decade, Google has paid out more than $38 million in rewards to researchers who have submitted 13,000 vulnerabilities to the company, as part of its Vulnerability Rewards Program. 

Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021.

**Paying for "Eleet" Bug Finds**

With its Open Source Software Vulnerability Rewards Program (OSS VRP), Google is creating a standard framework to reward researchers who find issues in the open source software projects maintained by the company.

Google will allow submissions for "\[a\]ll up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations," the company stated in its blog post. In addition, the company has focused on rewards for several critical projects, including the Go programming language, the Angular Web framework, and its nascent operating system for connected devices, Fuchsia.

The company currently asks for submissions of vulnerabilities that affect the supply chain, design issues that could result in vulnerabilities in Google's products, and security weaknesses such as compromised credentials, weak passwords, or insecure installation configurations. As part of its focus on the supply chain, the company will reward researchers who submit vulnerabilities to third-party open source projects on which Google's software depends.

"This program focuses on Google-produced open source projects, and the proposed short list of flagship projects listed includes projects also driven by Google," says Google's Perron. "The rules also include the 'Standard' tier, which does incorporate a vast amount of projects."

The company plans to pay researchers anywhere from $100 to $31,337 — a special number because it spells out "eleet," or elite, in hackerspeak — with the higher payouts going to more severe, or more creative, vulnerabilities.

With the additional bounty programs, some vulnerabilities rewards may overlap with other programs. Google pledged to work with researchers to submit their vulnerability reports to the right programs to maximize their payout, the company said.

Source

DARKReading