Researchers from SentinelLabs laid out what they know about the attackers and implored the researcher community for help in learning more about the shadowy group.

LABSCON – Scottsdale, Ariz. – A new threat actor that has infected a telecommunications company in the Middle East and multiple Internet service providers and universities in the Middle East and Africa is responsible for two "extremely complex" malware platforms — but a lot about the group that remains shrouded in mystery, according to new research revealed here today.

Researchers from SentintelLabs, who shared their findings at the first-ever LabsCon security conference, named the group Metador, based on the phrase "I am meta" that appears in the malicious code and the fact that the server messages are typically in Spanish. The group is believed to have been active since December 2020, but it has successfully flown under the radar over the past few years. Juan Andrés Guerrero-Saade, senior director of SentinelLabs, said the team shared information about Metador with researchers at other security firms and government partners, but no one knew anything about the group.

Guerrero-Saade and SentinelLabs researchers Amitai Ben Shushan Ehrlich and Aleksandar Milenkoski published a blog post and technical details about the two malware platforms, metaMain and Mafalda, in hopes of finding more victims who have been infected. "We knew where they were, not where they are now," Guerrero-Saade said.

MetaMain is a backdoor that can log mouse and keyboard activity, grab screenshots, and exfiltrate data and files. It can also be used to install Mafalda, a highly modular framework that provides attackers with the ability to collect system and network information and other additional capabilities. Both metaMain and Mafalda operate entirely in memory and do not install themselves on the system’s hard drive.

**Political Comic**

The malware’s name is believed to have been inspired by Mafalda, a popular Spanish-language cartoon from Argentina that regularly comments on political topics.

Metador set up unique IP addresses for each victim, ensuring that even if one command and control is uncovered, the rest of the infrastructure remains operational. This also makes it extremely difficult to find other victims. It's often the case that when researchers uncover attack infrastructure, they find information belonging to multiple victims — which helps map out the extent of the group's activities. Because Metador keeps its target campaigns separated, researchers have only a limited view into Metador's operations and what kind of victims the group is targeting.

What the group doesn't seem to mind, however, is mixing with other attack groups. The Middle Eastern telecommunications company that was one of Metador's victims was already compromised by at least 10 other nation-state attack groups, the researchers found. Many of the other groups appeared to be affiliated with China and Iran.

Multiple threat groups targeting the same system is sometimes referred to as a "magnet of threats," as they attract and host the various groups and malware platforms simultaneously. Many nation-state actors take the time to remove traces of infection by other groups, even going as far as patching the flaws the other groups used, before carrying out their own attack activities. The fact that Metador infected malware on a system already compromised (repeatedly) by other groups suggests that the group doesn't care about what the other groups would do, the SentinelLabs researchers said.

It's possible the telecommunications company was such as high-value target that the group was willing to take the risk of detection since the presence of multiple groups on the same system increases the likelihood that the victim will notice something wrong.

**Shark Attack**

While the group appears to be extremely well-resourced — as evidenced by the technical complexity of the malware, the group's advanced operational security to evade detection, and the fact that it is under active development — Guerrero-Saade warned that it wasn't enough to determine that there was nation-state involvement. It is possible that Metador may be the product of a contractor working on behalf of a nation-state, as there are signs the group was highly professional, Geurrero-Saade said. And the members may have prior experience carrying out these kinds of attacks at this level, he noted.

"We consider the discovery of Metador akin to a shark fin breaching the surface of the water," the researchers wrote, noting that they have no idea what is happening underneath. "It's a cause for foreboding that substantiates the need for the security industry to proactively engineer towards detecting the true upper crust of threat actors that currently traverse networks with impunity."

Researchers Uncover Mysterious 'Metador' Cyber-Espionage Group

Code could allow other attackers to develop copycat versions of the malware, but it could help researchers understand the threat better as well.

One problem with running a ransomware operation along the lines of a regular business is that disgruntled employees may want to sabotage the operation over some perceived injustice.

That appears to have been the case with the operators of the prolific LockBit ransomware-as-a-service operation this week when an apparently peeved developer publicly released the encryptor code for the latest version of the malware — LockBit 3.0 aka LockBit Black — to GitHub. The development has both negative and potentially positive implications for security defenders.

**An Open Season for All**

The public availability of the code means that other ransomware operators — and wannabe ones — now have access to the builder for arguably one of the most sophisticated and dangerous ransomware strains currently in the wild. As a result, new copycat versions of the malware could soon begin circulating and adding to the already chaotic ransomware threat landscape. At the same time, the leaked code gives white-hat security researchers a chance to take apart the builder software and better understand the threat, according to John Hammond, security researcher at Huntress Labs.

"This leak of the builder software commoditizes the ability to configure, customize, and ultimately generate the executables to not only encrypt but decrypt files," he said in a statement. "Anyone with this utility can start a full-fledged ransomware operation." 

At the same time, a security researcher can analyze the software and potentially garner intelligence that could thwart further attacks, he noted.  "At minimum, this leak gives defenders greater insight into some of the work that goes on within the LockBit group," Hammond said. 

Huntress Labs is one of several security vendors that have analyzed the leaked code and identified it as being legitimate.

**Prolific Threat**

LockBit surfaced in 2019 and has since emerged as one of the biggest current ransomware threats. In the first half of 2022, researchers from Trend Micro identified some 1,843 attacks involving LockBit, making it the most prolific ransomware strain the company has encountered this year. An earlier report from Palo Alto Networks' Unit 42 threat research team described the previous version of the ransomware (LockBit 2.0) as accounting for 46% of all ransomware breach events in the first five months of the year. The security identified the leak site for LockBit 2.0 as listing over 850 victims as of May. Since the release of LockBit 3.0 in June, attacks involving the ransomware family have increased 17%, according to security vendor Sectrio.

LockBit's operators have portrayed themselves as a professional outfit focused mainly on organizations in the professional services sector, retail, manufacturing, and wholesale sectors. The group has avowed not to attack healthcare entities and educational and charitable institutions, though security researchers have observed groups using the ransomware do so anyway. 

Earlier this year, the group garnered attention when it even announced a bug bounty program offering rewards to security researchers who found problems with its ransomware. The group is alleged to have paid $50,000 in reward money to a bug hunter who reported an issue with its encryption software.

**Legit Code**

Azim Shukuhi, a researcher with Cisco Talos, says the company has looked at the leaked code and all indications are that it is the legitimate builder for the software. "Also, social media and comments from LockBit's admin themselves indicate that the builder is real. It allows you to assemble or build a personal version of the LockBit payload along with a key generator for decryption," he says.

However, Shukuhi is somewhat dubious about how much the leaked code will benefit defenders. "Just because you can reverse-engineer the builder doesn’t mean that you can stop the ransomware itself," he says. "Also, in many circumstances, by the time the ransomware is deployed, the network has been fully compromised."

Following the leak, LockBit's authors are also likely hard at work rewriting the builder to ensure that future versions won't be compromised. The group is also likely dealing with brand damage from the leak. Shukuhi says.

In an interview, Huntress' Hammond tells Dark Reading that the leak was "certainly an 'oops' \[moment\] and embarrassment for LockBit and their operational security." But like Shukuhi, he believes that the group will simply change up their tooling and continue as before. Other threat actor groups may use this builder for their own operations, he says. Any new activity around the leaked code is just going to perpetuate the existing threat.

Hammond says Huntress' analysis of the leaked code shows that the now-exposed tools might enable security researchers to potentially find flaws or weaknesses in the cryptographic implementation. But the leak does not offer all private keys that could be used to decrypt systems, he adds.

"Truthfully, LockBit seemed to brush off the issue as if it was no concern," Hammond notes. "Their representatives explained, in essence, we have fired the programmer who leaked this, and assured affiliates and supporters that business."

Developer Leaks LockBit 3.0 Ransomware-Builder Code

Emails purporting to be an update to terms of service for GitHub and CircleCI instead attempt to harvest user credentials.

CircleCI has sent out a notice to its customers that a phishing email scam is targeting their users, along with GitHub's, in an attempt to harvest credentials.

The CircleCI security alert included a copy of the malicious email that told recipients that the companies were working together to launch a new terms of service on CircleCI and GitHub accounts.

"As a result of this update, all users will need to review and accept the new Terms of Use and privacy policy in order to continue using CircleCI services," the bogus email read.

Below the notice was a malicious link directing users to log into their GitHub account through CircleCI to accept the new terms.

CircleCI assured its users the company would not require customers to log in to review their terms of service, and pointed out that the malicious link sends victims to **circle-ci\[.\]com**, a domain not owned by the company.

"We have no reason to believe your organization has been specifically targeted or that your account has been compromised, but want our customers to be aware that there is an ongoing phishing attempt and to exercise due caution," CircleCI explained in the notice of the active phishing attack to its customers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CircleCI, GitHub Users Targeted in Phishing Campaign

Quantum computing's impact on cryptography is not a cliff that we'll all be forced to jump off of, according to Deloitte.

As computer scientists march forward in the process of taking quantum computing into the practical realm, cybersecurity vendors and practitioners will need to be ready with encryption mechanisms that can withstand the power of quantum's compute potential. But risk experts say that future-proofing measures for post-quantum cryptography don't have to be created in panic.

Contrary to the way some early pundits have painted the post-quantum computing landscape, the truth is that there will be no quantum cliff in which today's encryption mechanisms will suddenly become obsolete, says Dr. Colin Soutar, the US quantum cyber-readiness leader and managing director for Deloitte Risk & Financial Advisory, which just released a report on quantum encryption. He explains that in reality, the transition to quantum is going to be an ongoing process.

"There's a lot of discussion around quantum right now, and there's a lot of conflation of different ideas. There are even some alarmist statements about how everything needs to change overnight to update to quantum-resistant algorithms," says Soutar. "That implies there's a specific date (for quantum adoption), and there's really not."

Viewing post-quantum security problems from that kind of lens can help the cybersecurity industry start to work the issue with the same kind of risk management and roadmap planning steps they'd take for any other kind of serious emerging technology trend.

**Building Awareness, Not Alarmism**

One thing is for certain: The drumbeat for quantum computing and post-quantum cryptography is getting louder.

Quantum computing stands to give the computing world a major boost in the ability to tackle multi-dimensional analysis problems that strain today's most advanced traditional supercomputers. Whereas traditional computers fundamentally work based on the storage of information in binary, quantum computing is not limited by the "on" or "off" position of information storage.

Quantum computers depend on the phenomenon of quantum mechanics called superposition, in which a particle can exist in two different states simultaneously. They take advantage of that phenomenon by using "qubits," which can store information in a variety of states at the same time.

Once perfected, this will give quantum computers the ability to greatly speed up data analysis on tough problems in areas as disparate as healthcare research and AI. However, this kind of power also makes these computers ideal for cracking cryptographic algorithms. This is the crux of the push for awareness from security advocates over the last several years to ensure that the industry starts preparing for that post-quantum reality.

"Our view on this is less about being alarmist and saying, 'You need to update everything now' and more of raising the awareness to start to think about what your data are, what your risk could be relative to that data and the crypto you use," Soutar says. "And then deciding when you might want to think about, start looking at discovery on your roadmap, and then updates later."

According to the survey released by Deloitte this week, the good news is that among those technology and business executives who are aware of quantum computing, a little over 50% also understood the attendant security considerations to it as well.

**Timing the Post-Quantum Security Impact**

The trick in all of this for security professionals is that there are a lot of fires to put out elsewhere before worrying about something that could be years away. Today's quantum computers operate in the research realm only. They require immensely specialized equipment — including microwaves manipulating quantum objects within supercooled environments that operate at near absolute zero in many instances. There is a long way to go on the research front for quantum computers to work in a commercially viable fashion, and no one is quite sure on what the timeline will be.

That "ambiguity of the timeline" is complicated, says Soutar, who explains there are numerous timelines to consider from a post-quantum cryptography perspective.

"The implications of quantum computing on cybersecurity is fairly well known, and it could be huge. I mean, cryptography is endemic in what we do throughout the economy. The thing is that the timing is unknown because first, a quantum computer needs to be mature and viable enough and commercially robust as well, to actually be able to run Shor's algorithm," he says, referring to an algorithm for finding prime factors of an integer that is the benchmark for whether a quantum computer could effectively break public key cryptography. "Secondly, attackers need to get access to data, and they need to untangle that data."

The other variable in this is a concept of attack called "harvest now, decrypt later," where attackers gather encrypted information now with the understanding that they could break it through quantum computing resources at a later date. The Deloitte survey shows that 50.2% of organizations believe they could be at risk for harvest now, decrypt later schemes.

"That then opens up risk to this data that I'm expecting to be good for the lifetime out of an individual," Soutar says. "Maybe it's personal information, or it's financial information that I want to be secure for at least 10 years. Or it's national security information which may have longer requirements on it."

He adds, "So, people are starting to think about, 'Well, what data do I have and how do I need to protect it? For how long? Secondly, how long is it going to take me to do the updates to post quantum cryptography? When should I start thinking about it?'"

These are the big timeline questions for security and quantum computing experts, who are still at odds over whether we've got 5, 10, or 15 years before the quantum effect impacts encryption. Soutar reiterates that perhaps the better thought process is to stop thinking about it as a definitive date the industry times for, and instead think about relative risk over time. He explains that this is an idea put forward by Dr. Michele Mosca, co-founder and CEO of Evolution Inc, and co-author of a report earlier this year that details that line of thinking.

"Then you can start to think, if I'm with a huge organization, maybe it's going to take me a decade to do the updates," Soutar explains. "I've got all these medical devices or other OT devices that I've got to think about the supply chain communications, and how do I enforce this on my suppliers?"

He adds, "So, again, it's getting that right degree of understanding so that people can start to maybe even quantify what the risk is, and stack that up against other cyber-risks that they're looking to invest in over time."

**Working on the Boring Parts**

At the end of the day, Soutar says that maybe that the quantum lens can be a bit distracting to security. As long as organizations keep quantum on the horizon, it may just be a matter of making "perfunctory updates to crypto" that might not be that big of a deal for the industry if it is all done in due time.

"The quantum threat to crypto should really just be something that's addressed over time. Just do updates as the algorithms get standardized," says Soutar, who believes that the industry should be talking about the nuts and bolts of standardization, which can be boring but also are the most important way to start moving forward. "As they go through that process, then companies and governments have more confidence in making the changes, doing the updates, and they just do it. So, it really should be a non-event."

That's not to say that Soutar believes security practitioners should be sticking their heads in the sand with regard to quantum risk to security postures. The risks will accelerate, but it's just a matter of working that encryption roadmap like any other part of the cyber-risk roadmap. That includes doing risk assessments, discovering and classifying data, and projecting risk over time.

"It's never a bad idea to go look around in the attic. You don't know what you're going to find there. When we do that, when we go through basic cryptography, there are things that we find," he says. "You might say, 'Well, let's update that or let's make sure that we've got the right segregation of duties relative to that.' Or, 'Have we got all the responsibilities and governance laid out?' Again, it's the boring things. But those are things that you find when you look through the quantum lens."

Deloitte's survey shows that it may take some kind of regulatory push to prod security practitioners into serious steps on post-quantum cryptography. Soutar hopes that the industry is able to come together in the coming years to develop a framework for post-quantum cryptographic methods perhaps in the same spirit as the NIST Cybersecurity Framework (CSF).

"It's not a bad idea to have some framework out there when there's a whiff of potential regulation downstream," he says. "I think that's always better than just regulation, having something that's voluntary and outcome-based."

Time to Quell the Alarm Bells Around Post-Quantum Crypto-Cracking

NSA and CISA release guidance on protecting against cybersecurity threats to operational technology and industrial control systems.

The National Security Administration (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are warning that there are active, known threats to industrial control systems (ICS) and operational technology (OT) that critical infrastructure sectors should be aware of.

In particular, the report, "Control Systems Defense: Know the Opponent," warns about the rise in attacks against utilities and industrial targets from advanced persistent threat (APT) groups and gathers insights into the tactics, techniques, and procedures (TTPs) of common threats to ICS and OT systems to help security teams shore up their defenses. For instance, APTs have recently begin developing tools specifically for scanning, compromising, and controlling targeted OT devices, according to the feds.

"State-sponsored APT actors target critical infrastructure for political and/or military objectives, such as destabilizing political or economic landscapes or causing psychological or social impacts on a population," according to the alert, issued Sept. 22. "The cyber-actor selects the target and intended effect — to disrupt, disable, deny, deceive, and/or destroy — based on these objectives."

Awareness of this growing threat is key. "Owners and operators of these systems need to fully understand the threats coming from state-sponsored actors and cybercriminals to best defend against them,” Michael Dransfield, NSA control systems defense expert, said about the new cybersecurity advisory. “We’re exposing the malicious actors’ playbook so that we can harden our systems and prevent their next attempt.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Sound Alarm on Rising OT/ICS Threats From APT Groups

Branded as a components library for two popular open source resources, Material Tailwind instead loads a Windows .exe that can run PowerShell scripts.

A malicious package in the npm open source code repository is hitching a social engineering ride on the "Tailwind" legitimate software library tool, which millions of application developers use around the globe. The finding comes as threat actors continue to see opportunity in seeding open source software with malware.

Threat actors are branding the malicious package as "Material Tailwind," describing it as "an easy-to-use components library for Tailwind CSS and Material Design," two commonly used open source libraries that have millions of downloads each, researchers from ReversingLabs have found.

Tailwind is as an open source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects. Both "are recognizable names and massively popular libraries among developers," according to the firm.

However, Material Tailwind is not helpful to developers at all, researchers revealed in a post published on Sept. 22. It instead delivers a multistage attack — rare for this type of malware — that downloads a malicious, custom-packed Windows executable capable of running PowerShell scripts.

"In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated," Karlo Zanki, reverse engineer at ReversingLabs, observed in the post. "Sophisticated multistage malware samples like Material Tailwind are still a rare find."

Researchers at ReversingLabs detected the malicious behavior because the purported library modification contained code obfuscated with JavaScript Obfuscator. Moreover, while the description of the package seemed legitimate enough, closer inspection revealed that it was copied from another npm package named tailwindcss-stimulus-components, they said, which the threat actors then Trojanized.

"The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind," Zanki wrote. "The malicious package also successfully implements all of the functionality provided by the original package."

**How the Attack Works**

ReversingLabs researchers analyzed Material Tailwind in detail by de-obfuscating the suspicious script, executes immediately after the package is installed — behavior that is in and of itself "a (big) red flag" for threat researchers, Zanki noted.

Once the package installs, the module first sends a POST request with platform information to a specific IP address to validate that it's being executed on a Win32 system. If so, it constructs a download link containing the type of the operating system, and it also adds a parameter likely used to validate that the download request is coming from the victim's machine, researchers found.

A password-protected .zip archive named DiagnosticsLogger.zip is downloaded, which contains a single file, named DiagnosticsHub.exe, likely to disguise the payload as some kind of diagnostic tool, Zanki noted. Attackers probably use password protection to avoid basic antivirus checks as well, he said.

Finally, the script spawns a child process that executes the downloaded file, a custom-packed, Windows executable that uses several protections aimed at making it difficult to analyze, Zanki said.

Packed information includes several PowerShell code snippets responsible for command and control, communication, and process manipulation, researchers found. The malware achieves persistence by executing a Base64-encoded PowerShell command, which sets up a scheduled task to be executed daily.

A stage-two process of the malicious code fetches an XOR-encrypted and Base64-encoded file from a public Google Drive link or, in the case that the link can't be accessed, from one or the other of two alternative download locations — one at GitHub and another one at OneDrive, researchers found.

At the time of publication, the encrypted file contains a single IP address, which is the location of its command-and-control server from which the malware receives encrypted instructions using a dedicated socket connection, they added.

**Weaponizing Open Source Code**

Open source software and npm packages in particular have become a target of choice for threat actors lately because they can easily be weaponized against the software supply chain. In fact, planting malware in open source code is one of the fastest-growing types of software supply chain attacks "being spotted almost daily now," according to Zanki.

These types of attacks also are forcing enterprises to pivot when it comes to how they secure their environments, notes Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

"Up until recently, organizations only had to contend with the security vulnerabilities in their applications that were unintentionally inherited through open source components and their dependencies — which wasn’t a trivial task to begin with," he says. "Now, attackers are baiting organizations into using open source packages that were modified with malicious intent."

Npm packages are an attractive conduit for software supply chain attacks "in part due to the sheer volume of open source components and dependencies typically used to build NodeJS applications," he observed.

These dependencies indeed are increasing the security risks for enterprises, presently a considerable challenge in how quickly problems throughout resources can multiply, notes Ben Pick, principal cybersecurity consultant at application security provider nVisium.

"Thus, an attacker would only need to target and compromise one of the many open source projects in a pipeline to cause considerable harm," he observes.

**Software Supply Chain: Multiple Cyberattack Options**

Attackers that leverage npm packages are getting creative in how they use the open source repositories.

A report published in February identified more than 1,300 malicious npm packages in 2021 that allowed attackers to get up to a number of nefarious activities, including cryptojacking and data theft. In terms of tricking people into installing them, some packages masquerade as tools for security research, researchers found.

Two examples of recent attacks in which attackers leverage npm packages surfaced in July. The first, reported on July 5, revealed a long-range supply chain attack after several packages using a JavaScript obfuscator to hide their true function were discovered in April.

In another, reported on July 29, attackers used four npm packages containing highly obfuscated malicious Python and JavaScript code to spread the "Volt Stealer" and "Lofy Stealer" malware to collect information from their victims, including Discord tokens and credit-card information, as well as spy on them over time.

Malicious npm Package Poses as Tailwind Tool

Allurity has acquired Spanish multinational Aiuken Cybersecurity, as an important step in its journey to becoming Europe's leading cybersecurity provider. Aiuken brings an entire SOC platform spanning three continents, as well as its Cloud Security and SOC-as-a-Service platforms.

Aiuken Cybersecurity was founded in 2012 by former Telefónica executive Juan Miguel Velasco, who is currently the CEO and will continue to lead the company following this transaction. The company has achieved impressive growth and will continue its journey with Allurity as an accelerator.

According to Juan Miguel Velasco, CEO of Aiuken Cybersecurity, “We are proud to join forces with this flourishing European group that has big ambitions to have a long-term impact and drive our growth in the cybersecurity sector. We believe they will be truly valuable and contribute towards our continued rapid expansion with a shared vision to help organisations secure their digital assets via security solutions that combine the best of human and machine intelligence.”

Allurity CEO Frida Westerberg said: “I am delighted to welcome Aiuken to our growing group, consisting of best-in-class cybersecurity service providers in Europe. Aiuken is an important player in the south of Europe and several other countries in different parts of the world, enabling a true “follow the sun” model. Aiuken brings unique expertise, a scalable tech platform and high ambitions and we are committed to supporting them to reach their full potential. Together we have the common goal of fighting cybercrime and making the world a better place.”

This is the fourth company Allurity has acquired, following the purchases of Swedish companies Arctic Group, ID North and Pulsen IAM. Allurity will continue to add new companies to the group with the goal of improving data protection, reducing the significant cost of cyberattacks and contributing to improving talent and competence in the market.

This goal is fully aligned with the cybersecurity targets set by the EU, which is determined to support important business groups, as it seeks to build regional leaders and secure robust European competition.  

**About Aiuken Cybersecurity**

Aiuken Cybersecurity is a Spain-based international company that safeguards major corporations, telecommunications systems and critical infrastructure. The company offers a full suite of cutting-edge services: detecting, identifying and protecting against cybernetic threats, responding to incidents, and implementing and managing the very latest in 24/7 security technologies.

The company operates in seven countries – Spain, Morocco, Saudi Arabia, UAE, Chile, Côte d'Ivoire and Puerto Rico – and has over 300 clients and 120 employees.

https://www.aiuken.com/es

**About Allurity**

Allurity is a group of tech-enabled cybersecurity service providers, comprising best-in-class companies with a common purpose of enabling a safe digital world.

Allurity’s vision is to become the preferred partner of cybersecurity services in Europe. The group offers a full range of cybersecurity services, from proactive to reactive services and software, aimed at improving data protection and reducing the cost of cybercrime.

Allurity's growth strategy is backed by Trill Impact, a Swedish pioneering Impact House with the ambition to create powerful societal impact alongside competitive financial returns.

https://allurity.com/our-group-companies/

Allurity Acquires Spanish Multinational Aiuken Cybersecurity

Businesses need to turn privacy and security into an advantage. Store less data, and live up to customer expectations that their information is protected. Take small steps, be transparent about data management, and chose partners carefully.

Today, the mere threat of a breach can crush your business. The Twitter whistleblower saga shows that, after years of indifference, customers are sensitive to even rumors of data leaks. A few years ago, PR teams could paper over a small breach, and customers would accept it. A decade ago, massive data breaches made headlines, but customers stayed with the vendor because they believed that lightning couldn't strike twice.

Times have changed, though, so how can you protect yourself … and even turn privacy and security into an advantage? The companies that win will embrace small steps, transparency, and the right partners.

**Ex-Twitter Exec Blows the Whistle**

The Twitter whistleblower story will change how the news industry reports on security and privacy moving forward. Just as ransomware went mainstream with the Colonial Pipeline hack, security and privacy stories are going to become mainstream news. Even if your company isn't as high profile as Twitter, the floodgates have opened.

Furthermore, the Twitter story demonstrates that you don't need to be breached to make the news. Former Twitter security executive Peiter Zatko (aka Mudge) made headlines with his concerns about Twitter's security and privacy policies and execution. While there have been well-known Twitter hacks, Zatko's most powerful criticisms are about Twitter's state of security. In his almost 200-page report to federal regulatory agencies and the Department of Justice, the most serious allegations are that Twitter provided regular employees access to central controls and sensitive information without adequate oversight.

**It Doesn't Matter If the Accusations Are True**

If a reporter asked, "Who has access to your data," could you answer? Would you want to answer? You will be convicted in the court of public opinion before you can defend your security posture. I have no inside information on the Twitter case, but it doesn't matter whether it's found to have egregious breaches of standard security protocols. There will be a large contingent that already assumes this information is true.

After so many high-profile breaches (Target, Adobe, Yahoo, and more), companies are considered guilty until proven innocent. Unfortunately, it's almost impossible to prove innocence since you cannot prove the absence of a breach. Furthermore, even if you could, by the time you could prove that you haven't been breached, the news machine already has moved on. You cannot react quickly enough to counteract the rumors.

**Why Are Customers So Sensitive to Privacy?**

Everybody knows that companies are gathering vast amounts of personal data. Clicking on the GDPR-inspired "Track my information" buttons may be a reflex, but we understand that we're always being tracked. Customers accept that their vendors will hold their personal data, but they expect the company to protect their information.

Unfortunately, cybercriminals are targeting personal customer information. Identity theft, spam, phishing, ransomware, and other attacks aren't just theoretical. Everybody knows somebody who's been affected.

With more data and more threats, every customer is sensitive to breaches. Corporate data breaches lead to fines, damaged reputations, and loss of customer trust. Companies are desperate to secure their data because it's the difference between survival and failure.

**How to Protect Yourself: Transparency**

The only way to survive is to be transparent about your data management. Most organizations are hesitant to talk about security and privacy because they know there is a chasm between what they are doing and what they should be doing, but everybody is in the same position. Therefore, whoever steps into the light will immediately take the lead.

When making yourself publicly accountable, you should:

1.  **Create a concrete, achievable plan.** Focus on the most business-critical data and risk areas. Make a short- and long-term plan, so your internal team and external customers will buy-in.
2.  **Set up regular public reviews.** Most organizations review their security and privacy posture with executives and the board of directors. Run that same review with the entire company so employees can participate and see that you care about the mission.
3.  **Get certified.** External auditors and certifications demonstrate that you're willing to hold yourself to a high standard and that you're not hiding anything. Nobody likes being audited, but it keeps you honest.

**Remember, You're Never Done**

Threats and expectations keep evolving, so you must keep ratcheting up your security plan, as well. Since most companies won't give you an unlimited budget, you'll need to plan for how to do more with less  

1.  **Offload work:** You don't need to do all the work on your own. The days of "Do it Yourself" security are past. If you can get a service to cover the basics, you can focus your team on business-specific security and privacy initiatives.
2.  **Use savings to fund initiatives:** Most teams look to push vendors for better discounts, not refresh assets, or overwork their team. Smart teams look for holistic savings. For example, advancements in security and privacy should reduce cyber-insurance premiums.
3.  **Store less data:** Most businesses want to store all their data, messages, and emails forever. Not only is this approach expensive, but it also creates nearly unbounded legal and privacy risks. You need to help your business teams understand the value of reducing retention periods.

**Start Today**

The best way to start protecting your company's reputation is with a single assignment. Pick one dataset — a business-critical application, your CRM system, or your backups. Figure out who has access to them. Create a plan to make them more secure. Then share that plan with your colleagues and hold yourself accountable.

Twitter's security issues are blanketing the news. When even a rumor can destroy your business, it's not the time to wait for consultants and focus groups. Now is the time to make your part of the world a little bit better, every day. Shine a light on how you protect your data, and your customers will trust you.

Twitter's Whistleblower Allegations Are a Cautionary Tale for All Businesses

Expansion of test coverage includes custom scan discovery, custom test scripts and custom test data for REST APIs, enabling developers to leave no paths untouched.

DENVER, Sept. 22, 2022 /PRNewswire/ — StackHawk, the company making application security testing part of software delivery, today announced its Deeper API Security Test Coverage release. This expands StackHawk's solution to help developers scan the entire API layer to uncover potential vulnerabilities. Today's application architectures require different approaches to security testing, and legacy security testing tools result in untested parts of the application, or require tedious manual testing and are too slow for most modern release schedules. With this release. StackHawk provides developers the ability to test APIs deeper and faster, so organizations can be confident every build they release is secure.

The API layer presents the highest level of security risk for software companies. Yet API discovery can be a challenge for many security teams. StackHawk's Deeper API Security Test Coverage release allows teams to leverage existing automated testing tools, such as Postman or Cypress, to guide discovery of the paths and endpoints, provide custom test data to be used during scans and cover proprietary use cases for security testing.

"Modern API and application security requires tooling that integrates into existing engineering workflows and provides thorough test coverage for today's application architectures," said Scott Gerlach, StackHawk co-founder and chief security officer. "With our recent release of Deeper API Security Test features, StackHawk continues to lead the market in depth and accuracy of real API security testing, all while remaining true to our developer-first security approach."

Engineering teams have sophisticated automated test suites in CI/CD to ensure that quality is maintained as they push software changes to production, and security testing should be no different. By integrating into existing testing workflows, StackHawk provides developers with security testing in a familiar way, shifting security left.

StackHawk's comprehensive scan functionalities have expanded to address several key issues, including:

*   Custom Test Data for REST APIs: The ability to use realistic required variables for paths, query, or request body, is something DAST tools historically have struggled with as the use of incorrectly formatted data can prevent the scan from reaching critical logic in the application.
*   Custom Scan Discovery: The ability to use test scripts and data from devtools such as Postman or Cypress for guiding the scanner, resulting in a more comprehensive, thorough test without the need for API docs.
*   Custom Test Scripts: The ability to test for specific use cases like business logic, privacy laws, and sensitive data requires custom scripts. This functionality also addresses the issue of tenancy checks, the top vulnerability in the OWASP Top 10, and testing for Broken Function Level Authorization, which are test cases not covered with the ZAP library.

Those interested in learning more about StackHawk's Deeper API Security Testing can see the functionality in action by registering here for the webinar at 10 AM PT on Wednesday, September 28.

**About StackHawk**

StackHawk is making application security testing part of software delivery. The StackHawk platform empowers engineers to easily find and fix application security bugs at any stage of software development. With a strong founding team that has deep experience in security and DevOps, and some of the best venture investors in the business, StackHawk is putting application security testing into the hands of engineers. Learn more and sign up for a free trial at www.stackhawk.com.

StackHawk Launches Deeper API Security Test Coverage to Improve the Security of APIs

SANTA CLARA, Calif., Sept. 22, 2022 /PRNewswire/ — Palo Alto Networks (NASDAQ: PANW), a Microsoft Azure private MEC ecosystem partner, today announced availability of VM-Series Virtual Next-Generation Firewall (NGFW) technology on the Azure Marketplace. Delivering end-to-end Zero Trust security at the enterprise edge, VM-Series virtual firewalls can now extend best-in-class NGFW capabilities to help protect Azure private MEC applications, providing centralized defense against cyberattacks.

Azure private MEC combines network functions, applications and edge-optimized Azure services managed from the cloud to deliver high-performance, ultra-low-latency 4G/5G private wireless solutions that address the modern business needs of enterprise customers.

"Our long-standing partner solutions with Azure and our VM-Series virtual firewalls have been protecting customer cloud environments for years," said Prem Iyer, vice president, Ecosystems GSI and CSP, Palo Alto Networks. "The new VM-Series 5G capabilities enable enterprises to secure mission-critical applications in industry verticals like manufacturing, healthcare, utilities and public sector, all of which demand the latest in private wireless network technology."

Mobile 5G networks with multi-access edge compute combine AI and cloud technologies to transform enterprises and industries. Customers choose this next-generation mobile technology for its security and reliability, but increasingly sophisticated networks must be safeguarded against a complex and escalating "threatscape." Palo Alto Networks 5G-Native Security on the VM-Series brings advanced Layer 7 security capabilities to help detect and block known exploits, malware, malicious URLs, spyware, and command and control (C2) to 5G-powered edge computing use cases. The VM-Series Next-Generation Firewall enables enterprises to achieve comprehensive security for end-user application traffic that traverses the Azure Private 5G Core, securing edge infrastructure and helping detect and mitigate malicious activity within the user traffic.

Key benefits of the solution include:

*   Faster time to market with a fully tested and validated solution.
*   Simpler deployment at scale from the Azure marketplace, facilitating a rapid rollout of NGFWs.
*   Predefined configuration templates for comprehensive zero-day security.

The Panorama management solution, integrated with Azure, allows for common management of VM-Series virtual firewalls deployed across all cloud and edge environments from a single console and provides centralized visibility and actionable insights into network traffic, logs and threats.

"We're pleased to add Palo Alto Networks 5G security products to Azure Marketplace and our Azure private MEC ecosystem," said Shriraj Gaglani, general manager, Azure for Operators. "This adds an important option for customers when architecting critical end-to-end security frameworks that underpin Industry 4.0 use-cases built on our Azure private MEC solution."

For more information about Microsoft Azure and Palo Alto Networks.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

Source

DARKReading