Users can identify risks across five domains, work on multiple projects, and take advantage of exclusive community benefits.

EVERGREEN, Colo., Aug. 4, 2022 /PRNewswire/ — Phylum, The Software Supply Chain Security Company, announces the release of its free Phylum Community Edition to expand the standard in supply chain security risk analysis to everyone.

Users can quickly understand valuable risk insights based on our unique approach to defending the software supply chain.

The free Phylum Community Edition allows any user to identify open-source risks across five domains with deductive analysis that is integrated into every stage of a build. Available immediately, users can:

— Sign up for a free, individual account here  
— Work on up to five projects at a time  
— Join the Phylum slack community to collaborate with other developers and security professionals  
— Get exclusive access to future beta features  
— Contribute feedback to the product  
— Access community support  

"We're excited to get Phylum in the hands of security engineers and developers around the world. Supply chain attacks are just getting started, and users need the ability to identify risk across the entire OSS supply chain attack surface. With the Phylum Community Edition, users can quickly understand valuable risk insights based on our unique approach to defending the software supply chain," said Peter Morgan, co-founder and president of Phylum.

**The Phylum Risk Framework  
**  
Phylum's proactive approach to analyzing the risk inherent within the software supply chain is built from years of research and observation.

Instead of taking a retrospective approach by analyzing incidents after they occur, Phylum starts by consuming all available information about open-source packages and structuring the data in a consistent format for analysis. Layers of analytics, heuristics, and ML models then comb through the data to find risk indicators. Deductive analysis is then applied to account for the entire context around each indicator, and identified risks are prioritized based on the risk tolerance criteria set by the organization.

This allows Phylum to effectively surface and prioritize meaningful issues before an incident occurs, in a manner that does not overwhelm security teams. These risks can then be addressed before leading to compromise, outages, service degradation at runtime or legal liability.

"Given the large volume of components involved in the development of modern software, surfacing meaningful findings becomes critically important — as does accurately prioritizing issues. Phylum defines the attack surface and conducts the deductive analysis, and users define risk tolerance based on project needs. This combination results in a significantly reduced attack surface, and categorized risk prioritized by business objective," said Brad Crawford, vice president of product at Phylum and co-author of the MITRE ATT&CK Framework.

The Phylum Risk Framework is the standard in software supply chain security, defined by the following categories: Malicious Code, Software Vulnerabilities, Authorship Risk, Reputation, License Misuse and Engineering Risk.

Get the Phylum Community Edition here.

Phylum will be at Black Hat 2022 in Innovation City booth# IC53. To meet up at the event, request a meeting here.

About Phylum  
Phylum is the Software Supply Chain Company, on a mission to secure the universe of code. Developers and security professionals use Phylum to identify open-source risks across five domains using deductive analysis that is integrated into every stage of a build. The company is built by a team of career security researchers and developers with decades of experience in the US Intelligence Community and commercial sectors. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

SOURCE: Phylum

Phylum Releases a Free Community Edition to Make Software Supply Chain Security More Accessible

It's a myth that consuming and processing alerts qualifies as security. Today's technology allows better detection and prevention, rather than accepting the low bar for protection set by ingrained incident response reactions.

You've probably seen ads for identity protection. They're everywhere, probably because almost half of all US citizens were victims of identity theft between 2020 and 2022. Although these ads claim to protect your identity, if you listen closely, what the service provides is an alert once your identity has been — or is in the process of being — stolen.

While these alerts can be immeasurably valuable, that's a very generous interpretation of "protection." If you entrusted me with protecting your valuables, and all I could do was let you know they had been stolen, you wouldn't be happy with my performance.

This same myth of protection has become accepted in the cybersecurity industry: the myth that an alert produced every time something is believed to be malicious or suspicious qualifies as security. This low bar for protection is what enterprises and consumers have been taught to accept. It's what security professionals have been taught to work with. The entire ecosystem is designed around the idea that consuming and responding to alerts is synonymous with protection.

Rather than protecting the enterprise, these voluminous alerts are putting enterprise security at risk. Security teams are drowning in alerts and saddled with excessive false positives. They are stretched beyond capacity due to working in a highly reactive, "always on" mode. According to Deep Instinct's Voice of SecOps survey, the industry is reaching a tipping point: Nearly 90% of cybersecurity professionals polled say they are stressed in their role, while 40% believe their existing security solution stack is inadequate and nearly half (46%) of the respondents have thought about quitting the industry.  

Now more than ever, we must redefine protection and lean into prevention. However, before we look ahead to how, let's quickly look at how we got here: a two-prong issue stemming from both the mindset of early cybersecurity groups and the technology available at the time.

**We Must Stop Living in the Past**

The ILoveYou virus hit within my first week in the National Security Incident Response Center, causing billions of dollars in damage. Back in the early 2000s, we dealt with ILoveYou like we did with any disaster. We built a response team, gathered data, worked to stop the damage, and made recommendations for the next time. This mindset was built into every Computer Emergency (or Incident) Response Team that popped up in the 2000s, from inside the Pentagon to Carnegie Mellon. A respond-to-an-event ecosystem was created.

The technologies and intelligence available then lacked the context, precision, and speed needed to get in front of these threats. Practitioners focused on what they could do: process data after an event as quickly as possible. This is where new technologies can be impactful. There was a lot of excitement when endpoint detection and response (EDR) was able to respond within minutes of an intruder entering a network. While that's a commendable response time, you wouldn't want someone inside your house poking around for minutes before you responded. On top of that, the people responsible for responding are now being buried by an avalanche of false alarms.

Many accept that false-positive detection rates of 30% to 50% are inevitable, so we train artificial intelligence to consume and attempt to make sense of those alerts for us. Cybersecurity must evolve beyond making ineffective processes faster. It's time to redefine protection and lean from response toward prevention. What if detection were accurate and fast enough to make a difference _before_ an alert was generated?

We can give defenders the ability to see deeply into network sessions to expose the techniques that hackers employ. We can expose those techniques quickly enough to make a difference so that entire categories of attacks are stopped before they begin, and minor evasions such as changing IP addresses are no longer effective. The detection accuracy is so good that false positives are a thing of the past. It's time to develop and introduce automated preventive controls into an industry that is overly optimized for response.

True protection is no longer a myth. The technology exists today to make this a reality. With ransomware on the rise, defenders are rightly being asked to focus on resilience and recovery. The reality is that defenders will add this focus on resilience and recovery as another task or project on top of their already overwhelming days spent chasing incidents and being buried in false alarms, all while considering quitting the business. We can retrain and reskill our cyber workforce to be stewards of true protection, giving them time and space to do their jobs and make a difference. This is the future of cybersecurity — and that future begins now.

The Myth of Protection Online — and What Comes Next

Agentless approach meets the attacker earlier to protect financial services and other large enterprises from an underserved attack vector.

**NEW YORK, NY – Aug. 3, 2022** – Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today delivered Deep Instinct Prevention for Applications, an agentless, on-demand, antimalware solution for the enterprise that is device and operating system agnostic. This new offering revolutionizes threat protection beyond the endpoint with flexible, deploy anywhere, in-transit file scanning via API to quickly return a malicious versus benign verdict at enterprise speed. It protects any web application or cloud storage from malicious content while fully ensuring data privacy.

Until now, financial services and other industries with petabytes of data in motion each day have been at high risk from uploaded malicious content that can be detonated upon download from storage. These organizations have been relying on antiquated solutions that are slow, consume vast CPU and memory resources, and miss unknown malware, leaving this threat segment underserved.

In the wake of the pandemic, fintech transactions alone rose by 13% and their volume by 11%, indicating significant industry growth. With tens of millions of files in transit each day connected to high-value trading data, mortgage applications, insurance claims, and other sensitive information, financial institutions are at risk from unchecked malicious uploads or downloads and lack viable options to ensure infected content is not a threat to their operations or their customers. As threat actors seek alternative points of entry into enterprise environments, this risk factor will only increase. In fact, one study found that 35% of "never-before-seen" malware files were hidden in Microsoft Office and PDF files.

"As threat actors compromise points of entry beyond the endpoint, financial services institutions that exchange tens of millions of files each day are at increased risk. This was primarily created by the failure of established antivirus, network and other solutions to evolve. They are slow, can't scale or process high volumes of daily traffic or handle large file sizes, and often resort to sandboxing. As a result, they continue to miss unknown threats, and incur high infrastructure costs. "That's the worst of both worlds for an enterprise," said Guy Caspi, CEO and Co-Founder of Deep Instinct. "Deep Instinct is disrupting the cybersecurity status quo by setting a new standard for preventing malicious files, both known and unknown, before they reach storage."

Deep Instinct Prevention for Applications provides organizations an on-demand, high-speed scanning solution that prevents \>99% unknown malware hidden in files and easily scales to scan tens of millions of files per day. With very low CPU requirements, a low false-positive rate of <0.1%, near zero latency, and low processing requirements, Deep Instinct provides the most innovative solution for this underserved threat gap. A typical traditional AV solution is ineffective at preventing unknown malware, will require sandbox and cloud intelligence checks, and takes an average of 90 seconds to 3 minutes to make decisions. Traditional AV/sandbox solutions are ineffective at solving this issue as they are easily evaded and slow to respond. This increases risk and negatively affects the user experience but impacts the business by slowing down critical processes.

"Deep Instinct is addressing a major pain point of today's enterprise — their exposure to an ever-expanding number of attack vectors," said David OLeary, Field CISO – Sr. Director, Global Cybersecurity, SHI. "We look forward to bringing this truly unique solution to our enterprise customer base and helping them better protect themselves and their customers from malicious content as they exchange important files every day."

Other benefits of Deep Instinct Prevention for Applications include the following:

*   Does not rely on the cloud to provide a verdict.
*   Only the file hash ever leaves the environment, retaining full customer data privacy.
*   No customer data is used for training or updating AI models.
*   Minimal infrastructure resources, including CPU and memory usage, combined with a small footprint, ensure a low total cost of ownership.

For more product information and case studies, please visit: https://deepinstinct.com/prevention-for-applications.

**About Deep Instinct**

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world's first and only purpose-built, deep-learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt. Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack — providing complete, multilayered protection against threats across hybrid environments. For more, visit www.deepinstinct.com.

Deep Instinct Pioneers Deep-Learning Malware Prevention to Protect Mission-Critical Business Applications at Scale

In the last month, "Pl0xP" cloned several GitHub repositories, adding malicious code to the forks that would attempt to infect developer systems and steal sensitive files that included software keys.

A hacker going by the handle "Pl0xP" cloned a large number of GitHub repositories and slightly changed the cloned repository names, in a typosquatting effort to impersonate legitimate projects — thus potentially infecting any software that imported the code, software experts said today.

The widespread cloning resulted in more than 35,000 insertions of a malicious URL into different code repositories, although the exact number of affected software projects is likely much smaller, software engineer Stephen Lacy stated in an early morning Twitter post. The attack, a variant of dependency confusion, could have caused problems for developers using the fake GitHub repositories without adequate verification of the software source, he said.

If imported, the malicious code executes code on the system, according to Lacy. "This attack will send the ENTIRE ENV of the script, application, laptop (electron apps), to the attacker's server! ENVs include: Security keys; AWS access keys; Crypto keys … much more." 

"ENVs" are environment variables, used to store information that developers want to reference in their workflows.

The software engineer found the malicious functionality when he audited a software library that he considered incorporating into his own project, Lacy said.

"I discovered the exploit as I was reviewing a project I found off a Google search," he tweeted. "This is why we don't install random packages off the internet!"

Cloning — or "forking" — is not a new malicious technique, but it's a tricky one.

"Bad actors have already been known in the past for creating cloned/forked popular repositories with malicious code," says Mor Weinberg, Aqua Security software engineer. "This can become quite difficult to spot, as cloned repositories may retain code commits with usernames and email addresses of the original authors, giving off a misleading impression that newer commits were made by the original project authors as well. Open source code commits signed with GPG keys of authentic project authors are one way of verifying the authenticity of code."

"This … was akin to someone standing up a 'fake' website or sending a phishing email," adds Mark Lambert, vice president of products at ArmorCode. "This is going to catch people that are not paying attention."

**An Attack or Legitimate Research?**

This mass forking in GitHub may not have been a real attack. A person claiming to have knowledge of the issue positioned the widespread typosquatting as a legitimate research effort.

"This is a mere bug-bounty effort. no harm done. Report will be released," a Twitter user named "pl0x\_plox\_chiken\_p0x" tweeted on Aug. 3.

While an ill-conceived research project could explain the attack, creating thousands of code changes for research seems irrationally risky. Moreover, the Twitter user had only registered the account in the prior three days — short account lifetimes are often a characteristic of fraudulent online personas.

The claim of the attack being part of a bug bounty "is waiting to be proven, as the activity is having the characteristics of one with a malicious intent," Jossef Harush, head of supply chain security engineering at software security firm Checkmarx, tells Dark Reading.

In any event, Michael Skelton, senior director of security operations at bug-bounty platform Bugcrowd, notes that at least the original code repositories remained unaffected.

"While it's unclear what the nature of Pl0xP's bug-bounty finding would be (as social engineering is out of scope for nearly all bug-bounty programs), it does look like they cloned a number of repositories, and made their changes in those clones only — in no cases did this change make its way into the original repositories that had been cloned," he says. "Cloning a repository is a standard action that doesn't impact the original repository unless the owner merges a change back (requested through a pull request), which wasn't done here."

**Malicious Software Dependencies Abound**

GitHub seemingly cleaned up the malicious code commits, and as of the afternoon on Aug. 3, a search for the embedded bad URL turned up zero results. Yet the attack is hardly the first time that open source projects have had to deal with attackers. The number of attacks against the software supply chain jumped 650% in 2021, mainly driven by dependency-confusion attacks, where the attacker uses an almost identically named version of an open source code block in hopes of developers mistyping the name of a desired library or component, or not noticing the slight difference in nomenclature.   

Seeding repositories with malicious, misnamed projects requires the attacker to do some groundwork. In July, software security firm Checkmarx revealed a way of creating fake developer accounts on GitHub, complete with an active history of code commits to increase their credibility. The technique, along with the latest attack, underscores that maintainers need to take steps to only accept signed code commits, Harush says. Developers need to "beware of pull requests and contributions having suspicious unverified commits, \[and need to\] review ... the content of the contributions compared to the disclaimer in the commit message and contributions adding or modifying existing dependencies to similar named dependencies as part of the contribution," he adds.

**Don't Trust, Verify**

To avoid their projects being poisoned, maintainers and developers should only trust those contributors that are known to them and have an extensive and verifiable commit history. They should also use the available tools — such as digital signatures and multifactor authentication — to secure their accounts, Harush says.

"As you should not trust candy from strangers — don't trust code from strangers," he says. "Users may be tricked when evaluating the candidate project and think they are legitimate, \[so\] they use it in their local development computers, build environments, production environments, and even build software, \[until finally executing something malicious\] on customers' \[systems\]."

In Checkmarx's July advisory on spoofing identity information and commit information in the _git_ command-line utility, the company underscored the risks to software projects when malicious committers disguise themselves as known contributors. This "makes the project look trustworthy," the firm stated. "What makes this commit-spoofing even more alarming is the fact that the user being spoofed isn’t notified and won’t know that their name is being used."

GitHub has already added digital signatures for code commits to verify the identity of the contributor, but project maintainers should enable "vigilant mode," a feature of GitHub that displays details of the verification status of every commit and their contributor, Checkmarx stated.

At the very least, developers and project maintainers should occasionally review their commit log and ask their other maintainers to enable GPG-signed commits, Harush says. "Getting used to having a signed commit log will benefit you to pay attention to unverified contributions."

GitHub could not immediately be reached for comment.

35K Malicious Code Insertions in GitHub: Attack or Bug-Bounty Effort?

The identity-services company is being acquired by Thoma Bravo software investment for cash, before being delisted.

Investment firm Thoma Bravo has entered into a agreement to acquire Ping Identity in a deal valued at about $2.8 billion. Upon completion of the all-cash transaction, the firm said it will take the identity management services provider private. 

Ping offers cloud-based security software that enables password-less sign-on, fraud protection, and more. The 10-figure cash offer puts the investment group in a position to take advantage of what they forecast will be a $50 billion enterprise identity-security solutions market, according to Thoma Bravo partner Chip Virnig.

"This compelling transaction is a testament to Ping Identity's leading enterprise identity solutions, our talented team, and our outstanding customers and partners," Andre Durand, Ping Identity's chief executive officer said in an announcement of the deal. "Identity security and frictionless user experiences have become essential in the digital-first economy and Ping Identity is better positioned than ever to capitalize on the growing demand from modern enterprises for robust security solutions."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ping Identity to Go Private After $2.8B Acquisition

Early-stage startup Footprint's goal is to provide tools that change how enterprises verify, authentication, authorize, and secure identity.

Whenever a person walks into a financial services institution to open a bank account, apply for a loan, or obtain a credit card, that institution needs to first verify that person’s identity. Personal information is typically supplied by the person filling out the form, and then the institution matches the information against a series of databases. This process is repeated for every transaction, even if it's within the same institution.  

The current system can tell that a real person is trying to open an account, but it doesn’t actually verify whether the person who is submitting the information is really the person whose information was provided.

Footprint, which announced a $6 million seed investment on Wednesday, wants to solve this problem. The startup intends to change how identity verification is performed by giving enterprises the tools to verify, authenticate, authorize, and secure identity. 

The company relies on cryptography to tokenize identity and uses cutting-edge biometric scans, liveness checks, and peer-to-peer verification to validate people are who they say they are. The approach is similar to Apple Pay in that personally identifiable information (PII) – such as a Social Security number, date of birth, email address, and phone number – is encrypted and stored in a secure enclave on the user’s mobile device. The enclave is backed by hardware-level cryptographic attestation, the company says. Each user has a private key pair for access, and Footprint uses FaceID, TouchID, and other technologies to verify the authenticity of the person.

The tools would address challenges related to know-your-customer verification processes, identity verification, and securely storing PII while keeping people in control of their identities, the company says. The organization won't actually have to collect or store PII. Footprint can pave the way for "a better OAUth for Fintech," the company stated in a press release.

The product is currently in early access release. The tool is expected to be generally available in the fall.  

"Footprint up-levels the consumer experience by becoming their passport to the internet," the company said in the release.

Startup Footprint Tackles Identity Verification

Copado's Kyle Tobener will discuss a three-pronged plan at Black Hat USA for addressing human weaknesses in cybersecurity with this medical concept — from phishing to shadow IT.

It's a well-known fact that humans are — and will remain — one of the weakest links in any company's cyber defenses. Security admins have tried to help the situation through random phishing tests and training, ultimatums, eliminating local control over a given device, and even naming and shaming those unlucky souls who clicked on the wrong link in an email.

Results have been middling at best, as shown by the finding in Verizon's "2022 Data Breach Investigations Report" (DBIR) that the vast majority of breaches start with phishing and social engineering.

Kyle Tobener, vice president and head of security and IT at Copado, says that it doesn't have to be that way. Instead, businesses can take a page from the medical community and find a much more effective approach through the principle of harm reduction. That essentially means adopting a focus on minimizing or mitigating bad outcomes from bad behavior rather than attempting to eliminate bad behavior completely.

**How Harm Reduction Applies to Cybersecurity**

In a session next week at Black Hat USA entitled "Harm Reduction: A Framework for Effective & Compassionate Security Guidance," Tobener plans to discuss this fresh way of thinking about user behavior, education, and awareness when it comes to cyber threats.

"Harm reduction is a big topic in the healthcare space, but it hasn't really made its way into information security all that much," he tells Dark Reading, adding that as a cancer survivor and brother of someone who wrestled with substance addiction, he learned about harm reduction firsthand.

"Unfortunately, what we see is still mostly abstinence-based guidance in a lot of scenarios by security people," he says.

To illustrate the contrast between the two approaches, he uses the example of the attention-grabbing Super Bowl ad back in February from Coinbase, which featured a QR code bouncing around the screen, Pong-like.

"If you went to Twitter right after that, there were thousands of security people saying that you should never use a QR code if you don't know where that QR code's from," he says. "That guidance is not effective whatsoever. I'm sure millions of people have used a QR code, and if your focus is giving guidance that isn't practical or pragmatic, that people aren't going to follow, then it's going to be very ineffective and you're wasting an opportunity to educate those people in a way that's actually useful."

In a harm-reduction approach, the answer would have been to assume that people were going to click on such an intriguing item (and indeed, QR codes are so widespread in their use in general that asking people to never use them is a simple non-starter), and build a defensive strategy with that in mind.

"Educate them on what to look for once they do something like use a QR code," Tobener explains. "How do you know that the website you went to is a safe one? If you only tell people not to do something, and then they do it and they go to the website, and they're not prepared to look for red flags, they're going to be worse off than they would be."

**How to Deploy Harm Reduction**

In his Black Hat talk, Tobener plans to address the implementation of harm reduction in a cybersecurity context with a three-pronged approach, starting with fomenting acceptance that risk-taking behaviors are here to stay.

"I think this is a very pragmatic approach that a lot of security people aren't willing to take; they come with a mindset that risk can be eradicated, which is just not realistic," he notes. "Just like the war on drugs was not effective, Prohibition was not effective, and D.A.R.E. programs and 'scared straight' were actually shown to be more harmful than helpful in kids."

After gaining buy-in from security teams and powers that be on the impossibility of preventing risky actions, the next step is prioritizing the reduction of the negative consequences of those risky behaviors, and understanding which battles to fight when it comes to corporate security policies.

"For example, in an enterprise context, you might have an enterprise password manager that everyone is supposed to use," Tobener explains. "But there will be people who don't want to use the corporate-provided password manager because they're not familiar with it, and they want to use their own. Instead of making them stop what they're doing, consider whether using their own password manager is better than not using a password manager at all. In other words, are there bigger fish to fry?"

The third prong that he plans to cover in this Black Hat USA session is that of compassion.

"The final piece of the framework is kind of a weird one for cybersecurity, but it's really important in the harm reduction space: Embracing compassion while providing guidance," he says. "This one is probably the hardest concept for security people and even healthcare people to wrap their heads around, which is the idea of improving people's situations by being compassionate and supportive, even if you're supporting them in doing what you consider to be the wrong thing."

Just like social stigma makes people avoid drug treatment rather than accept it, the harsh attitude and conflict-fraught approach coming from some cybersecurity teams toward users is going to make people less likely to want to do the right thing, he explains. For instance, in the above shadow-IT password manager example, teams could send threatening emails to offenders or even get line managers involved; or, they could work out a compromise, offer ease-of-use training, and generally take a "we're with you not against you" tack when discussing the issue.

"By being supportive and compassionate, you show them that you accept them despite what they're doing, and that even though it's not perfect now, they have a chance to improve in the future," Tobener says. "Oftentimes, when you are compassionate with people, they will then educate themselves. And make better choices in the long run."

The session will look to give attendees practicable takeaways about becoming a more effective security practitione when it comes to managing users who aren't listening to you.

"I get really tired of seeing on Twitter people telling people 'do this or you deserve the consequences,'" Tobener says. "I'm trying to raise the security consciousness to a place where we stop telling people not to do things, and instead say, OK, you shouldn't do this, but if you do, here's how to do it more safely."

How IT Teams Can Use 'Harm Reduction' for Better Cybersecurity Outcomes

SMBs should patch CVE-2022-32548 now to avoid a host of horrors, including complete network compromise, ransomware, state-sponsored attacks, and more.

A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn that it could allow complete device takeover, along with access to the broader network.

The bug (tracked as CVE-2022-32548) carries the highest vulnerability-severity score on the CVSS scale: 10 out of 10. This is no surprise given that not only is it an RCE that doesn't require authentication, but attackers could exploit it to compromise a device without social engineering or user interaction, according to a vulnerability disclosure out today from Trellix.

DrayTek routers are often used by small and midsize (SMBs) to provide VPN access to employees — an increasing need given the mass migration of workers to work-from-home situations since the pandemic started. They're widely deployed, including in the US, and throughout Asia and Europe, especially in the UK.

The zero-click attack is possible if the device's management interface is configured to be Internet-facing, according to Trellix (a Shodan search showed that about 200,000 routers have interfaces open to the Internet). But even if it's not, a one-click attack is also possible, which would require access to the LAN.

**Patch Now: SMBs in the Crosshairs**

So far, there are no signs of exploitation, but since the bug is now disclosed, that's likely to change, so administrators should apply their device-specific firmware updates immediately.

DrayTek routers are firmly in the sights of cybercriminals, with the US Cybersecurity and Infrastructure Security Agency (CISA) going so far as to issue a warning to that effect last June. In fact, DrayTek RCE bugs are among the most popular used by Chinese state-sponsored attackers, the agency noted, who are using them to go after SMBs in a trend that's been evident since 2020.

Lumen also published an advisory in June on ZuoRAT exploiting a bug in the Vigor 3900, an end-of-life device with a large installed base among small-office/home-office (SOHO) users.

It may seem counter-intuitive for advanced persistent threats (APTs) to be going after small fish, but Trellix points out that in 2020, the US Small Business Administration reported that there are 6 million small businesses with fewer than 500 employees in the country, compared with just 20,000 large businesses.

"While we may forget about this massive attack surface, our adversaries have not," the Trellix researchers note. "It is imperative to understand you are a target no matter the size or type of business. Data continues to demonstrate that not only is this space a target but often a more likely target. It is critical for SOHO and SMB users to understand their networks, stay update to date on all vendor patches and immediately report breaches to law enforcement."

Indeed, Barracuda Networks in March published a report that found that small businesses are three times more likely to be targeted by cybercriminals than their larger counterparts.

**Risky Outcomes: Full Device Compromise**

In the case of the new bug, an attack can lead to a host of game-changing outcomes for SMBs, according to the researchers — in some cases, company-ending outcomes.

These include the theft of sensitive data stored on the router, such as keys and administrative passwords that could be used to pivot further into the network to deliver ransomware or other malware. Espionage-minded attackers could also gain access to the internal resources located on the LAN that would normally require VPN access; launch man-in-the-middle (MitM) attacks to spy on DNS requests and other unencrypted traffic flowing from users through the router; and achieving packet capture of the data going through any port of the router. Other kinds of attacks include adding the device to a botnet for distributed denial-of-service (DDoS) or cryptomining purposes.

Even failed exploitation attempts can be problematic, according to Trellix, resulting in the device rebooting or a DoS condition that would lock out users from accessing company resources on the LAN.

**Under the Hood with CVE-2022-32548**

The RCE bug specifically affects the Vigor 3910 and 28 other DrayTek models sharing the same codebase (a list is included in the Trellix advisory). The researchers note that it stems from a buffer overflow in the login page for the devices' Web management interface (/cgi-bin/wlogin.cgi).

"An attacker may supply a carefully crafted username and/or password as base64 encoded strings inside the fields aa and ab of the login page," according to the write-up. "This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings."

As shown in a proof-of-concept (PoC) exploit video, attackers can then take over of the DrayOS operating system that implements the router functionalities.

"On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network," the researchers explain. "Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals."

**How to Protect Against SMB/SOHO Router Attacks**

For businesses using DrayTek routers, protection from attack starts with patching and making sure the firmware is always up to date.

Beyond that, Trellix researchers recommend that admins should never expose the management interface to the Internet unless absolutely required; and if it is, they should implement two-factor authentication (2FA) and IP restrictions to minimize risk.

Once the patch is applied admins should also verify that port mirroring, DNS settings, authorized VPN access, and any other relevant settings have not been tampered with in the management interface. And they should change the password of the devices and revoke any secret stored on the router that may have been accessed prior to patching.

For those companies that can't patch right away, Trellix researchers say that monitoring for compromise should be a priority.

"Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the /cgi-bin/wlogin.cgi end-point on the web management interface router," they note. "Base64 encoded strings are expected to be found in the aa and ab fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious."

Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks

The malware packages had names that were common typosquats of a legitimate widely used Python library. One was downloaded hundreds of times.

An apparently school-age hacker based in Verona, Italy, has become the latest to demonstrate why developers need to pay close attention to what they download from public code repositories these days.

The young hacker recently uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI), supposedly as an experiment.

The packages were named "requesys," "requesrs," and "requesr," which are all common typosquats of "requests" — a legitimate and widely used HTTP library for Python.

According to the researchers at Sonatype who spotted the malicious code on PyPI, one of the packages (requesys) was downloaded about 258 times — presumably by developers who made typographical errors when attempting to download the real "requests" package. The package had scripts for traversing folders such as Documents, Downloads, and Pictures on Windows systems and encrypting them. 

One version of the requesys package contained the encryption and decryption code in plaintext Python. But a subsequent version contained a Base64-obfuscated executable that made analysis a little harder, according to Sonatype.

**An Absence of Malice?**

Developers who ended up with their system encrypted received a pop-up message instructing them to contact the author of the package — "b8ff" (aka "OHR" or Only Hope Remains) — on his Discord channel, for the decryption key. Victims were able to obtain the decryption key without having to make a payment for it, Sonatype says.

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package.

Sonatype discovered the malware on July 28 and immediately reported it to PyPI's administrators, the company says. Two of the packages have since been removed and the hacker has renamed the requesys package, so developers no longer mistake it for a legitimate package.

"There are two takeaways here," says Ankita Lamba, senior security researcher, at Sonatype. "First, be cautious when typing out the names of popular libraries, as typosquatting is one of the most common attack methods for malware," she says.

Second and more broadly, developers should always be cautious about what they’re downloading and what packages they’re incorporating into their software builds. "Open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks," Lamba says.

**Growing Number of Malicious Code in Repositories**

The incident is among a growing number of instances recently in which threat actors have planted malicious code in widely used software repositories, with the goal of getting developers to download and install it in their environments. 

Some of them — like the latest incident — have involved typosquatted packages, or malware with similar sounding names as legitimate software on public software repositories. In May, for instance, Sonatype found that some 300 developers had downloaded a malicious package for distributing Cobalt Strike called "Pymafka" from the PyPI registry, thinking it was "PyKafka," a legitimate and widely downloaded Kafka client. 

Also in May, Sonatype discovered another malicious package on PyPI called "karaspace," used for stealing system information, that had the same name as a legitimate Kafka project on GitHub.

In July, researchers at Kaspersky discovered four information-stealing packages in the Node Package Manager (npm) repository. The same month, ReversingLabs reported finding some two-dozen, heavily obfuscated npm modules for stealing data that had been downloaded more than 27,000 times. The vendor estimated the malicious packages were likely installed in hundreds — and likely even thousands — of mobile applications and websites.

Security researchers have pointed to the trend as heightening the need for organizations to pay closer attention to their software supply chains — especially when it comes to using open source software from public repositories such as PyPI, npm, and Maven Central.

**A "Fun" Research Project**

Following the latest discovery, researchers at Sonatype contacted the author of the malicious code and found him to be a self-described school-going hacker apparently intrigued by exploits and the ease of developing them.

Lamba says b8ff told Sonatype that the ransomware script was completely open source and part of a project that he had developed for fun.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

So far, the ongoing attack has impacted nearly 8,000 Solana hot wallets.

An attack that began on Aug. 2 has so far drained nearly $6 million in assets from almost 8,000 Solana wallets — specifically "hot" wallets that are always connected to the Internet. 

According to Elliptic Connect, the attackers have stolen SOL, a few nonfungible tokens (NFTs), and more than 300 Solana blockchain-based tokens. According to the Elliptic report, the bug that enabled the cryptocurrency attack appears to be in the wallet software rather than the Solana blockchain. 

Solana, in a series of tweets, confirmed that the breach also affected Slope and Phantom wallets, and it asked any affected customers to provide the compromised wallet address. 

"Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit," Solana said in a tweeted announcement of the crypto-wallet breach. "Wallets drained should be treated as compromised, and abandoned."

Users should disconnect their wallets from the Internet if they're configured to be always-connected.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading