Multiple cybercrime groups have been spotted selling stolen credentials and other sensitive personal information pilfered from travel-related websites.

Much in the same way that cybercriminals followed the fervor around the pandemic, they now are doing the same with the travel boom, creating various scams that aim to take advantage of travel organizations, airlines, and individuals going on vacation.

Since the start of the year, security firm Intel 471 has tracked several cybercrime groups selling credentials and databases of stolen personal identifiable information (PII) tied to travel-related websites.

"People are starting to travel more than they have in the past few years, so there is increased attention and heightened traffic online," Intel 471 researcher Greg Otto explains. "Cybercriminals love operating in areas where a lot of people are congregating and trying to spend money ASAP."

The methods of malicious actors have evolved because of the concentration on PII: From reservations to rewards programs to security checks, these organizations collect a wide array of PII, he says.

He points to one threat actor that was specifically targeting individuals with at least 100,000 miles in their mileage rewards accounts. Other actors are seeking help in gathering additional information to perpetrate travel fraud schemes, offering up their own slate of PII as incentive.

"Financially motivated cybercriminals have realized how much value lies in the data that travel companies and organizations collect, which is why they have moved to target organizations in the travel, aviation, and hospitality industry," he says. "If that PII is not protected, it's going to be targeted."

While ransomware-as-a-service (RaaS) does not appear to pose an acute threat to the global travel industry so far, an Intel 471 blog post outlined the threat RaaS has posed to regional airlines, including low-cost Indian airline SpiceJet and an unnamed Thai airline.

**What to Do About It**

What can organizations do to deter cybercriminals from targeting their systems? Have written security policies and procedures tailored to your specific organization, Otto says, and craft expectations for protection of data, including the confidentiality of data, and set limits of permissible data access and use for employees.

"Be aware of social engineering scams, have a robust passwords policy for employees and users, and patch vulnerabilities when applicable," he says.

Meanwhile, Intel 471 also noted activity around pro-Russia hacktivist groups, namely an actor joining KillNet, which has conducted attacks against targets in Romania and other countries providing support to Ukraine.

Threat actors are using their position within the government agencies to facilitate illegal border crossings for Ukrainian males aged 18 to 60.

“Accomplices used to facilitate the activity allegedly would transfer a person seeking to cross the Moldova-Ukraine border and bypass official checkpoints,” the blog post noted.

Cybercriminals Capitalizing on Resurgence in Travel

The Japanese-language Panchan botnet has been discovered stealing SSH keys from Linux servers across Asia, Europe, and North America, with a focus on telecom and education providers.

A peer-to-peer (P2P) botnet and worm called Panchan has been actively breaching Linux servers and harvesting Secure Shell (SSH) keys to perform lateral movement — at times brute-forcing credentials.

That's according to researchers from Akamai, who discovered the botnet in late March. Written in Golang, it parses local SSH private keys and known hosts on each victim (using a static dictionary), then uses them to spread itself further.

While it could use the botnet for anything, Panchan is focused on a cryptojacking endgame for now. 

"It is mostly a cryptojacker, so I don't think it's that dangerous. But it is unique," Akamai researcher Stiv Kupchik says. "P2P communication is not that common in malware, and the SSH key harvesting also seems pretty novel. Also, I don't think I've ever seen a Japanese threat actor."

The malware is believed to have Japanese origins (it's name is a possible reference to Panchan Rina, the Japanese kickboxer), and focuses on attacking telecommunications education providers in Asia, Europe, and North America.

From Kupchik's perspective, education was likely a highly targeted vertical because of the SSH-key harvesting aspect of the botnet.

"I have seen some victim institutes that were in the same country, or very close geographically," he says. “I think that academic collaborations between institutes might yield a higher percentage of shared SSH keys than in other verticals, so maybe that is the reason."

**Unique Botnet Features**

The malware — which deploys two miners, XMrig and nbhash, has a handful of unique technical features, according to the Akamai researchers. For one, it uses NiceHash for its mining pools and wallets. Because Nicehash is a regular wallet (using certain defined Bitcoin addresses for deposits) and not a blockchain wallet, Akamai was unable to see transaction and mining details to estimate the actual revenue that Panchan has earned.

Further, to hamper traceability, the cryptominers are dropped as memory-mapped files without any disk presence, and the cryptomining can be terminated if any process monitoring is detected. 

There's also a "godmode" feature baked into the malware, in the form of an admin panel that can edit the mining configuration — another unique feature of Panchan, according to the firm.  

**Defeating Panchan**

Because the malware uses a basic list of default passwords to spread, Kupchik says one of the key steps security teams can take to stop the malware in its tracks is through password hardening.

"The dictionary that the malware uses to spread is extremely basic, so any non-default password should help thwart it," he explains. “Segmentation and access control can help mitigate the SSH key harvesting risk, and MFA can help as well."

He adds that Akamai has published indicators of compromise, queries, signatures, and scripts that organizations can use to test for infection.

The report also recommends continuous monitoring of virtual machine resources. Monitoring could alert security teams to suspicious activity since botnets focused on cryptojacking can raise machine resource usage to abnormal levels.

"In the case of Panchan, resource usage monitoring would have also terminated the cryptomining entirely," according to the report.

Wormable Panchan Peer-to-Peer Botnet Harvests Linux Server Keys

Organizations that can break out of siloed data and apply context can transform intelligence into actionable, relevant security knowledge.

For organizations struggling to defend against today's onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they get from outside sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all that information can be overwhelming if you don't know how to use it. Meanwhile, companies often overlook important data that resides inside their own environments.

To use threat intelligence effectively, you first need to understand what's happening inside your own environment and how your employees use network resources. With this context, you can interpret, tailor, and apply threat intelligence in a way that is specific and unique to your organization. This bespoke baseline enables you to identify anomalies in your environment and the issues they pose. All the outside threat data in the world won't help you if you don't know what your internal systems are supposed to be doing.

In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship. As security professionals, it's not our job to stare at the great and powerful Oz but to look behind the curtain.

For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce the noise of logs, keep an eye on endpoints, and identify known threats, but they won't identify all the threats in your environment. Relying on traditional tools alone is practically a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how those tools work, what their capabilities are, and what their weaknesses are. Why should the attacker know more about your systems than your security team does?

**Three Tips**

Use these tips for turning your threat intel into security knowledge:

1\. **Use multiple sources of data.** By all means, take advantage of threat intel feeds and CISA alerts, but know their limitations. Threat intel feeds have limited types of information — tactics, techniques, IP addresses, domain names, or file hashes — and by the time you get the alerts, the information can be months old. New information needs to be leveraged against not only the way your systems are today but the way they were in the past. By being able to view insights across time, you achieve a new level of security awareness and confidence in your continuous security integrity.

2\. **Make the data actionable.** Security professionals often don't see threat intel as valuable because it typically lacks context. A list of IP addresses is just data if you don't understand why (and when) the addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will get potentially millions of pieces of information daily. The majority of this information will either lead to false positives or be irrelevant to the organization's business. The cost of this is twofold. First, there is the cost of using this information in your security gear. Imagine trying to match millions of indicators of compromise against log volume from EDR, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with those red herrings.

The best solution is to consider threat intel obtained from third parties as a springboard for analysis, not the end result. For example, a feed may indicate that a file with a particular MD5 hash is malicious. While your systems may not have that exact file on them, they could have variants that are unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far removed they are from data in threat intel feeds is the next evolutionary step in becoming a true security practitioner.

3**. Adopt a security knowledge mindset.** Threat intel is not something you have, it's something you do. Don't blindly buy a security product just because it's there; understand how it works and what its limitations are. Ask yourself the question, "How might an attacker evade it?" Security consumers would never ask questions like that, while practitioners engage across teams and functions. They break through team-siloed thinking and facilitate bidirectional sharing of knowledge. What one incident responder may attribute to "strange activity" might shed light on an active threat research case.

Functional walls around security operations center (SOC), incident response, and research teams interfere with effective communication and information sharing. All three should feed information to each other in real time. They use different tools. For example, SOCs use SIEMs, IR uses forensic tools, threat intel folks use threat intel platforms. Executives need to formalize an operational structure that breaks down the silos and reduces tool fragmentation that prohibits security knowledge between teams.

**Conclusion**

Threat intel is a good thing, but if you're locked in a silo, its effectiveness is diminished. If you can break out of the silos and apply context, intelligence can be transformed into actionable security knowledge that's specific to your organization. And to make it happen, a top-down appreciation of the value of this is required from the CEO and board of directors all the way through to the security practitioners.

Why We Need Security Knowledge and Not Just Threat Intel

Username and password combinations offered for sale on the Dark Web by criminals has increased 65% since 2020.

Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found.

That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020.

The report from the Digital Shadows Photon Research team, "Account Takeover in 2022," shows that cybercriminals continue to profit handsomely from this reality with a record-breaking wave of credential thefts, account takeover attacks (ATO), and black-market sales of access to victim accounts.  

Within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. The report shows that the markets selling these credentials are robust and sophisticated, with several subscription services emerging to offer criminal premium services for purchasing them. 

**'Endless List' of Breached Data**

Further bad news for security folks is that many of the passwords examined in these stolen data stores were not very secure in the first place.

“Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

To wit: Nearly one in every 200 passwords found in the credentials offered for sale by criminals is 123456. Of the 50 most commonly used passwords in those collated for the report, 49 can be cracked in less than one second using tools also commonly available in underground forums. So whether a criminal buyer purchases a list of stolen credentials or a password cracker, accounts using only these credentials are extremely vulnerable to attack.

**Passwordless to the Rescue?**

This is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords. 

The most common systems they wished they could authenticate without passwords were workstation logins, legacy enterprise applications, and cloud applications. And those numbers primarily focus on business accounts without considering the even more thorny problem of consumer authentication, for everything from bank accounts to software subscription services.

One of the biggest pushes for passwordless authentication comes by way of the FIDO Alliance, which for more than a decade has been publishing standards for high-assurance authentication mechanisms to kick passwords to the curb. 

Earlier this year, the Fido Alliance acknowledged “we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space” in its unveiling of a vision for multidevice FIDO credentials to be used in consumer use cases — important in the era of remote working from personal devices. These passkeys are more secure than passwords and are designed to make logins easier across mobile devices and desktops. In May, Apple, Google, and Microsoft reported that they’re going implement support for these standards in their platforms.

But in the meantime, Morgan explains that organizations can’t afford to ignore the ever-growing issue of stolen and trafficked credentials used for ATO.

“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” says Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”

24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far

Here's a rundown of Dark Reading's reporting and commentary from and surrounding the first in-person RSA Conference since the pandemic began in 2020.

RSA Conference 2022 — If you didn't make the trip to San Francisco last week for the RSA Conference or were too busy watching the Golden State Warriors battle the Boston Celtics in the NBA Finals, Dark Reading has you covered. Here's a compilation of our news analysis and commentary before, during, and after the show:

Beware the 'Secret Agent' Cloud Middleware

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

How 4 Young Musicians Hacked Sheet Music to Help Fight the Cold War  
In 1985, a group of klezmer musicians from the US rendezvoused with underground dissidents in Tbilisi, Georgia. This is the story of how they pulled it off with homebrew cryptography.

An Emerging Threat: Attacking 5G via Network Slices

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

Why AIs Will Become Hackers

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

Meet the 10 Finalists in the RSA Conference Innovation Sandbox

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSAC Startup Competition Focuses on Post-Cloud IT Infrastructure

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

Now Is the Time to Plan for Post-Quantum Cryptography

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSAC Opens With Message of Transformation

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

Ransomware's ROI Retreat Will Drive More BEC Attacks

Crackdowns are driving down ransomware profits, and analysts see signs that operators are pivoting to business email compromise attacks, security researcher warned.

Communication Is Key to CISO Success

A panel of CISOs at the RSA Conference outlined what a successful first 90-day plan looks like, and it boiled down to effective communication and listening.

IBM to Buy Attack Surface-Management Firm Randori

Randori's attack-surface management software will be integrated into IBM Security QRadar extended detection and response (XDR) features.

The CISO Shortlist: Top Priorities at RSAC 2022

The buzz on the show floor during RSA Conference is about aligning the organization's security priorities with the right technology. Will Lin, managing director and founding member at Forgepoint Capital, weighs in on the biggest security priorities for 2022 — and what kind of tech senior-level executives are looking for.

Data Transformation: 3 Sessions to Attend at RSAC 2022

Three RSAC 2022 sessions take deep dives into the security considerations around data cloud transformation.

MITRE Creates Framework for Supply Chain Security

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

5 Years That Altered the Ransomware Landscape

WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.

In Case You Missed RSA Conference 2022: A News Digest

Here are which Microsoft patches to prioritize among the June Patch Tuesday batch.

Microsoft today issued a patch for the recently disclosed and widely exploited "Follina" zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June.

The patch is among the more significant of the 60 security updates that the company released in total today to address vulnerabilities across its product portfolio. Microsoft assessed three of the bugs as being of critical severity: CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS); CVE-2022-30163, an RCE in Windows Hyper-V; and CVE-2022-30139, a remote code execution flaw in the Windows Lightweight Access Protocol.

Microsoft assessed most of the other vulnerabilities — including many remote code execution bugs — as "important."

Affected products included Windows, Office, Edge, Visual Studio, Windows Defender, SharePoint Server, and the Windows Lightweight Directory Access Protocol.

**Fix for Follina Flaw**

Security experts identified the patch for the Follina vulnerability (CVE-2022-30190) as a priority due to how actively the bug is being exploited in the wild. The MSDT bug — disclosed on May 30 — basically gives attackers a trivially easy way to execute code remotely via Office documents, even when macros are disabled. Microsoft has warned of the vulnerability allowing attackers to view or delete data, install programs, and create new accounts on compromised systems. Cyberattacks exploiting the flaw were reported at least one month prior to Microsoft’s May 30 announcement and have since then grown, fueled by the public availability of exploit code.

Andy Gill, senior security consultant at Lares Consulting, says Microsoft's new patch for Follina prevents code injection. However, exploit code will still launch msdt.exe, he says. "Therefore, while the main risk of code execution is mitigated the software is still launched," he says.

Johannes Ullrich, dean of research at the SANS Institute, says it's a good idea therefore for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. "Users applying the monthly rollup will be protected but need to realize that the patch fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document.

"Follina has been actively exploited for a couple weeks now," Ullrich says. "\[Microsoft's\] workaround, will prevent msdt.exe from launching \[and\] should probably stay in place if it doesn't cause any problems."

**Three Critical Flaws to Patch Now**

In a blog post, Dustin Childs, communications manager at Trend Micro’s Zero Day Initiative, described the critical CVE-2022-30136 vulnerability as “eerily similar” to an NFS bug that Microsoft patched last month (CVE-2022-26937) that allows attackers to execute privileged code on vulnerable systems. Attackers can exploit the flaw by sending specially crafted RPC calls to a vulnerable server, according to ZDI. The only apparent difference in the patches is that this month's update fixes the bug in NFS V4.1, while last month's update pertained to two older NFS versions, he said.

"It's not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix," Childs said.

Ullrich says this marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability in NFS. "But the component is not enabled by default and so far, we do not see any exploits for these vulnerabilities," he says.

The remote code execution vulnerability in Windows Hyper-V (CVE-2022-30163) is another patch to apply ASAP, security researchers said. Kevin Breen, director of cyber threat research at Immersive, identified it as a vulnerability that is likely going to be of high value to attackers if a method for easily exploiting it is discovered. The flaw basically gives attackers a way to move from a guest virtual machine to the host in order to access all running VM machines on that system. However, exploiting the flaw — at least presently — is complex and requires the attacker to win an unspecific race condition, Breen said in emailed comments.

Meanwhile, the third critical flaw (CVE-2022-30139) is one of seven LDAP flaws that Microsoft patched this month. Though the flaw is difficult to exploit, it is one in a growing number of security issues uncovered in the directory technology. In May, for instance, Microsoft issued patches for 10 LDAP flaws, Childs said. The volume of LDAP bugs in recent months makes LDAP an attractive attack target for threat actors, he noted.

Childs also cited CVE-2022-30148, an information disclosure vulnerability in the Windows Desired State Configuration feature. The flaw is important because attackers could use it to — among other things — recover usernames and plaintext passwords from log file. "Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, they are likely some sought-after username/password combos that could be recovered," Childs wrote. The bug also facilitates lateral movement so organization using DSC need to implement Microsoft's fix for it, he said.

**'Dig a Bit Deeper'**

ZDI's analysis shows that more than half the vulnerabilities that Microsoft disclosed today are remote code execution issues. Twelve updates address elevation of privilege bugs, several of which require attackers to already have access on a system and run specially crafted code.

Breen, meanwhile, identified several other vulnerabilities organizations should address. These include two remote execution flaws in Microsoft SharePoint Server (CVE-2022-30157 and CVE-2022-30158) that enable data theft, replace documents with malicious ones, and carry out other malicious activities. Also important in the June roundup is CVE-2022-30147, a local privilege escalation flaw in Windows Installer, which Microsoft has assigned a severity rating of 7.8. That rating belies the danger these kinds of flaws present because threat actors almost always use them in attacks, Breen said.

Chris Goettl, senior director of product management at Ivanti, advises organizations to pay attention to CVE-2022-26925, a spoofing vulnerability in the Windows LSA function for enforcing security policies. The vulnerability gives attackers a way to authenticate to domain controllers and impacts all Windows servers. Microsoft has recommended that organizations prioritize domain controllers when applying the security update.

The vulnerability has been publicly disclosed and vulnerabilities for it have been detected in the wild, Goettl says. 

"The vulnerability by itself is only rated as Important by Microsoft, and the exploit code maturity is listed as unproven," Goettl says. "But dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks, so while code samples available publicly may be unproven, there are working exploits being used."

Goettl also recommends that organizations review Microsoft's FAQ for the scheduled retirement of Internet Explorer 11 desktop app on June 15, right after Patch Tuesday.

The FAQ answers many questions on what organizations can expect when the IE11 application will be disabled, and how that affects different versions of Windows including the LTSC enterprise edition of Windows, It also offers details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11, and more, Goettl says.

Microsoft Patches 'Follina' Zero-Day Flaw in Monthly Security Update

The distributed denial-as-a-service websites were behind more than 200K attacks on targets including schools and hospitals.

The operator of a distributed denial-of-service (DDoS) attack business was sentenced to two years in federal prison after being found guilty of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Matthew Gatrel offered DDoS attacks as a service on sites including DownThem.org and AmpNode.com, along with what was billed as "bulletproof" hosting. The sites offered subscription plans with varying degrees of attack capacity, power, and durations, according to the US Attorney's Office in the Central District of California, which prosecuted the case. 

Records show Gatrel's services were behind more than 200,000 attacks on victims that included homes, schools, universities, local and municipal governments, and financial institutions. 

"Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers," prosecutors explained in court documents. “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

Gatrel's co-defendant, California resident Juan Martinez, pleaded guilty to participating in the cybercrime and was sentenced to five years' probation, the US Attorney's office said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Subscription Service Operator Gets 2 Years in Prison

Organizations do not have good visibility into all the software-as-a-service applications that connect to and access data stored in core business.

While software-as-a-service helps organizations improve productivity and agility, it also adds complexity to the enterprise environment as IT security teams need to have visibility over the data stored in each of the applications.

And when organizations integrate SaaS applications with other SaaS applications, the attack surface grows even more because more applications have access to the corporate data. For example, connecting Asana to Google Workspace gives the task management platform access to data stored in the productivity suite.

In a recent report from Valence Threat Labs, 56% of CISOs said they don't have a process in place, or are not satisfied with the process they have, for discovering and managing SaaS-to-SaaS connections and integrations.

**Understanding SaaS Mesh**

_SaaS mesh_ refers to connecting a SaaS application with another SaaS, using methods such as OAuth and API tokens, low-code/no-code workflow, and SaaS marketplaces. Examples include using third-party platforms such as Heroku to access GitHub repositories via OAuth user tokens, or creating and sending email campaigns from the organization's website using the API instead of logging into Mailchimp's platform. It is possible to complete a task in Asana and have a corresponding notification message be printed in Slack.

Connecting SaaS tools to core business applications such as Office 365, Salesforce, and Google Workspace within a SaaS mesh helps enhance the organization's agility, productivity, and collaboration. However, if the mesh isn't managed correctly, it can expose data stored in business-critical applications, according to Valence Threat Labs.

The average organization uses around 80 SaaS applications — BetterCloud estimates that organizations with more than 1,000 employees use more than 150 applications, while organizations with 50 employees or less use only 16 SaaS applications. When asked how many SaaS-to-SaaS connections and third-party integrations are connected to core SaaS applications (such as Office 365, Salesforce, and Google Workspace), 50% of CISOs said they have 200 or fewer integrations, or that they didn't know, Valence Threat Labs found.

    

How many SaaS-to-SaaS connections and third-party integrations are connected to core SaaS applications? (Source: Valence Threat Labs)

In actuality, the average organization has 917 SaaS-to-SaaS third-party integrations, according to Valence Threat Labs.

While 76% of CISOs think under 20 new integrations are added every month to their environment, in reality, 76 new third-party integrations are onboarded every 30 days.

**Over-Provisioned Connections**

When asked if they had a process in place to determine if an integration is overprivileged, 53% of CISOs in the Valence Threat Labs report said they didn’t. This is a problem because nearly half, or 48%, of SaaS integrations (443 integrations, to be specific) are unused, and many of them have more privileges than they need. A SaaS-to-SaaS integration is usually inactive because someone forgot to turn it off after testing out the integration and then deciding not to use it. But because the integration is still there, someone else who gains access to one application now has access to the other and can move laterally.

"Most organizations do not have a continuous process in place that allows them to assess the business justification of non-human identities and properly offboard unnecessary third-party vendors," Valence Threat Labs said in its report.

Low-code/no-code platforms such as Workato, Zapier, and Microsoft Power Platform are powerful because non-developers can pull together workflows to access data from multiple sources. However, if they aren't configured correctly, they can expose data erroneously. Because these platforms often are not managed by application security or IT security teams, CISOs may not even know these tools exist or are accessing business applications. In the Valence Threat Labs report, 35% of CISOs said they do not have low-code/no-code platforms in their environment, when it turns out over 96% of companies have at least one such platform in use. In fact, the average organization has four or five, according to the report.

In the report, 85% of CISOs said they did not have appropriate visibility and protection from the risks of SaaS-to-SaaS connections and third-party integrations. "The fact that 85% of CISOs were unhappy with the current solutions suggests the need for more solutions specifically designed to protect the SaaS mesh," Valence Threat Labs said in its report.

Quantifying the SaaS Supply Chain and Its Risks

Mobile apps that rely on facial recognition for identity proofing can now detect fraudulent attempts to fake liveness.

**Palo Alto, CA -- June 14, 2022 --** Mobile authentication pioneer Incognia, today announced the launch of a new location identity fraud detection module to support mobile fraud prevention for mobile apps across finserv, crypto, social networks, online gaming and more. Incognia’s latest solution module is Location-based Liveness Spoofing Detection which prevents fraud at onboarding caused by biometric liveness spoofing.

Fraudsters are creating online accounts using fake identities to take advantage of sign-up bonuses and to create “money mule” accounts for money laundering. To verify a new user’s identity on a mobile app, the onboarding process today typically involves taking a selfie and passing a biometric “liveness test.” Fraudsters are now using techniques to spoof liveness to trick the selfie liveness detection algorithms. A common method is the use of facial images downloaded from the web to create deepfake videos. The use of free or low cost software packages and apps can be used to create effective deepfakes that can trick even award winning liveness detection tools. The Incognia Location-based Liveness Spoofing Detection solution is designed to prevent both injection and presentation deepfake attacks in real-time with no added friction to the mobile user.

Incognia enables enhanced mobile fraud prevention by using information from a user’s device to detect use of emulators, rooted or jailbroken devices, that are the main ways fraudsters leverage deepfakes to spoof legitimate liveness detection apps. The Incognia Location-based Liveness Spoofing Detection solution module goes beyond traditional biometric systems and addresses the device integrity and also the device location to accurately determine risk whenever a user performs a selfie and submits a biometric proof of liveness. This module can be used in conjunction with the Incognia Location Spoofing Detection and Global Mobile Address Validation modules.

Key benefits and features include:

*   Reduced friction during the onboarding process for legitimate good users
*   Detects biometric liveness spoofing, multiple app installs and high risk devices
*   Produces highly accurate risk-assessments
*   Performs device integrity checks, evaluates device/account behavioral analytics and checks Watchlists for known bad devices

“As fraudsters advance their techniques to trick liveness detection tools, it is critical that there is a solution on the market that can successfully combat the use of deepfakes at onboarding,” said André Ferraz, founder and CEO of Incognia. “We’re excited to expand Incognia’s fraud prevention capabilities even further with our latest solution module, which uses device integrity checks, device watchlists and emulator detection to prevent liveness detection spoofing caused by deepfakes. With this new module, we’re ensuring that customers across crypto, finserv, online gaming and more are protected during onboarding with a completely frictionless solution.”

Incognia fraud prevention modules are available now. To get started, visit www.incognia.com.

**About Incognia**

Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 200 million devices, Incognia delivers a highly precise risk signal with extremely low false positive rates.

Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.

Stay connected and follow Incognia on Twitter and LinkedIn.

Incognia Introduces Location-Based Liveness Spoofing Detection Solution

SBOMs should be connected with vulnerability databases to fulfill their promise of reducing risk, Google security team says.

Software bills of materials (SBOMs) — a detailed list of components, modules, and libraries used to build products — are being endorsed by the National Institute of Standards and Technology (NIST) and US regulators as a way to drive down supply chain cybersecurity risks for consumers. 

But Google's Open Source Security Team points out in a blog post today that SBOM use alone isn't an effective tool for assessing exposure. Rather, the documentation should be compared with a database of known vulnerabilities to identify any known software flaws. 

"By connecting these two sources of information, consumers will know not just what's in ... their software, but also its risks and whether they need to remediate any issues," the team explains. 

The Google analysts detail how they were able to map a Kubernetes SBOM document using the Open Source Vulnerabilities (OSV) database. The OSV database offers both a standardized format for comparison across several databases, including the Github Advisory Database (GHSA) and Global Security Database (GSD), as well as aggregated data across multiple ecosystems, ranging from Python and Golang to Rust, according to the post.  

"Our example queried the OSV database, but we will soon see the same success in mapping SBOM data to other vulnerability databases and even using them with new standards like VEX (Vulnerability-Exploitability eXchange), which provides additional context around whether vulnerabilities in software have been mitigated," the blog states. 

To make it easier for security teams to assess the full risk picture, the Google researchers recommend that SBOM creators begin to include a reference using a naming convention like a Purl URL for all packages in the software supply chain. 

"This type of identification scheme both specifies the ecosystem and also makes package identification easier, since the scheme is more resilient to small deviations in package descriptors like the suffix example above," they say. 

**SBOM Evolution  
**Steps toward marrying the software components with known flaws will help SBOMs fulfill their intended purpose: to help manage the prospect of cyberattack, the Google security blog states. 

"Continuing on this path of widespread SBOM adoption and tooling refinement, we will hopefully soon be able to not only request and download SBOMs for every piece of software, but also use them to understand the vulnerabilities affecting any software we consume," they said.

Source

DARKReading