The decentralized finance (DeFi) platform was the victim of an exploit for a partner's vulnerable code — highlighting a challenging cybersecurity environment in the sector.

London-based cryptocurrency-trading platform Wintermute saw cyberattackers take off with $160 million this week, likely due to a security vulnerability found in a partner's code. The incident showcases deep concerns around implementing security for this finance sector, researchers say.

Wintermute founder and CEO Evgeny Gaevoy took to Twitter to say that the heist was aimed at the company's decentralized finance (DeFi) arm, and that while the incident might disrupt some operations "for a few days," the company is not existentially impacted.

"We are solvent with twice over that amount in equity left," he tweeted. "If you have a \[money-management\] agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after."

He also said that about 90 assets were hit, and appealed to the culprit: "We are (still) open to treat this as a white hat \[incident\], so if you are the attacker — get in touch."

Meanwhile, he explained to Forbes that the "white hat" comment means that Wintermute is offering a $16 million "bug bounty," if the cyberattacker returns the remaining $144 million.

**Filled With Profanity**

He also told the outlet that the theft likely traces back to a bug in a service called Profanity, which allows users to assign a handle to their cryptocurrency accounts (normally account names are made up of long, gibberish strings of letters and numbers). The vulnerability, disclosed last week, allows attackers to uncover keys used to encrypt and pry open Ethereum wallets generated with Profanity.

Wintermute was using 10 Profanity-generated accounts to make rapid trades as part of its DeFi business, according to Forbes. DeFi networks connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions. When news of the bug broke, the crypto-firm tried to take the accounts offline, but due to “human error,” one of the 10 accounts remained vulnerable and allowed the attackers into the system, Gaevoy said.

"Some of these \[DeFi\] technologies also involve third-party integrations and connections where the company may not have the ability to control the source code, leading to additional risk for the company," Karl Steinkamp, director at Coalfire, tells Dark Reading. "In this instance, a vanity digital asset address provider, Profanity, was leveraged in the attack ... An expensive and preventable mistake for Wintermute."

**DeFi Exchanges Will Grow as a Target**

Analysts with Bishop Fox earlier this year found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the difficulty in locking down the sector, which relies on automated transactions.

And, just last month, the FBI issued a warning that cybercriminals are increasingly exploiting vulnerabilities in DeFi platforms to steal cryptocurrency, to the tune of $1.3 billion nabbed between January and March 2022 alone.

Researchers note that enhanced adoption and price appreciation of digital assets has and will continue to attract the attention of malicious individuals — as will the lax state of security in the DeFi area.

"Many of these companies are growing at such a rapid pace, customer acquisition is their primary focus," Mike Puterbaugh, CMO at Pathlock, says. "If internal security and access controls are secondary to 'grow at all costs,' there will be gaps in application security that will be exploited."

The obstacles in shoring up DeFi security are numerous; Wintermute's chief noted that finding appropriate tools is difficult.

"You need to sign transactions on the fly, within seconds," Gaevoy told Forbes, adding that Wintermute had to create its own security protocols since tools are lacking. He also admitted that Profanity didn't offer multifactor authentication, but the company decided to use the service anyway. "Ultimately, that's the risk we took. It was calculated," he added.

Steinkamp notes, "Depending on the architecture of the DeFi platform, there may be a multiple of challenges in securing them. These may range from risk from third parties, to crypto-bridge bugs, human error, and the lack of secure software development, to name just a few."

And Puterbaugh points out that even with out-of-the-box controls and configurations enabled, customizations and integrations could create weaknesses in overall security.

**Best Practices for Shoring Up DeFi Security**

Despite the challenges, there are nonetheless best-practice approaches that DeFi platforms should be implementing.

For instance, Puterbaugh advocates implementing access controls with each new app deployment, along with continuous checks for access conflicts or application vulnerabilities, as key, especially when dealing with easily portable digital currency.

Also, "companies within the DeFi space need to routinely be doing internal and external testing of their platforms to continually ensure they are mitigating threats proactively," according to Steinkamp. He adds that companies should also implement additional enhanced security measures as a part of transactional security, including multifactor authentication and alert triggers on suspicious and/or malicious transactions.

Every layer helps, he adds. "Which would you rather try to gain access to: a house with the door open or a castle with a moat and draw bridge?" he says. "DeFi companies will continue to be prime targets by cyber-thieves until they implement adequate security and process controls to make attacking their platforms less attractive."

Wintermute DeFi Platform Offers Hacker a Cut in $160M Crypto-Heist

SecurityScorecard's ROI Calculator helps organizations quantify cyber-risk to understand the financial impact of a cyberattack.

Security practitioners have to figure out how to accomplish their security goals with the budgets they have. They also must show that their security programs are effective at protecting their organizations. They need to be able to justify the cybersecurity products and tools they have purchased and articulate the return on investment (ROI).

Now there's a tool for that. SecurityScorecard released a content and ROI calculator to help security practitioners figure out high-level estimates to illustrate the organization's overall security posture.

"At a time of economic uncertainty, strengthening cybersecurity postures must be a priority, as bad actors take advantage of volatility," says Cindy Zhou, chief marketing officer at SecurityScorecard. "Organizations must be able to know and articulate if the cybersecurity products and tools they have purchased provide a sound ROI."

Security teams should consider a wide variety of risk factors when considering what to buy for their security programs, Zhou says. The list includes network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, social engineering, and knowing their digital supply chain.

**Calculating Risk to Justify Spend**

Quantifying cyber-risk in financial terms allows organizations to understand the financial impact of a cyberattack, gain insight into the risks their vendors pose, and quantify the reduction in expected losses if issues are resolved. For example, a cybersecurity product may cost $200,000; however, it may defend against a $5 million data breach, thus saving the organization considerable funds in the long run.

"CISOs must be able to quantify their business' cyber-risk to justify the spend on their cybertech stack," Zhou says.

Another key factor is the ability to procure cyber-risk insurance and the associated premiums.

"Many insurers use SecurityScorecard to assess if a company is eligible for a policy," she says. "CISOs and CFOs need to demonstrate their security posture just to be considered for a policy."

The interactive calculator is based on data collected for Forrester Consulting's Total Economic Impact of SecurityScorecard. Forrester Consulting constructed a financial model using a Total Economic Impact formula.

As part of the study, the consultants quantified the effects of having SecurityScorecard in the enterprise, including increased efficiency in risk management, technology efficiencies and consolidation, and improved security posture. This approach not only measures costs and cost reduction within an organization, but it also weighs the enabling value of a technology in increasing the effectiveness of overall business processes.

The ROI calculator expands SecurityScorecard's Cyber Risk Quantification (CRQ) capabilities, which are designed to help customers understand cyber-risk in financial terms as part of holistic business risk analysis.

**Getting Executive Buy-In**

The C-suite and the board are used to focusing on the organization's financial performance, so the CISO needs to be able to quantify cyber-risk in financial terms, says John Hellickson, field CISO at Coalfire. This way, the CISO can also justify and prioritize cyber investments.

This lets all parties make informed decisions about the financial impact and business outcomes of such investments.

"Justifying and accounting for the people, process, and technologies already in place ensures that current mitigating controls are considered in the overall risk calculations," Hellickson says.

From Hellickson's perspective, validating the comprehensiveness of the cybersecurity strategy, knowing the maturity and risk level of current investments, and estimating how future investments will improve that maturity and effectively manage that risk is key to gaining executive trust and support.

"Focusing spend on the assurance of not being breached just about went by the wayside when fear, uncertainty, and doubt tactics stopped working nearly a decade ago when year after year security investments continued to rise," he adds.

Building a cyber program strategy that demonstrates positive business outcomes goes much further in the CISO's ability to influence other executives.

For years, organizations have increased spend, especially application security spend, and they've still failed to achieve the kind of coverage of their application portfolio they desire, says John Steven, CTO of ThreatModeler.

"When organizations see this spend as unsustainable, let alone the requested rate of growth, security executives must demonstrate they're not only getting stuff done, but getting more done for less than peer CISOs, or those that have come before them," he says.

As common as breaches are across the industry, they are probably rare within a single organization, so "time since breach" should be a fairly sleepy indicator of activity and result, Steven adds.

"Focusing on delivery enablement or customer friction can be significantly more impactful," he says.

Quantify Risk, Calculate ROI

The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents.

A malicious campaign targeting Internet users in Slovakia is serving up another reminder of how phishing operators frequently leverage legitimate services and brands to evade security controls.

In this instance, the threat actors are taking advantage of a LinkedIn Premium feature called Smart Links to direct users to a phishing page for harvesting credit card information. The link is embedded in an email purportedly from the Slovakian Postal Service and is a legitimate LinkedIn URL, so secure email gateways (SEGs) and other filters are often unlikely to block it.

"In the case that Cofense found, attackers used a trusted domain like LinkedIn to get past secure email gateways," says Monnia Deng, director of product marketing at Bolster. "That legitimate link from LinkedIn then redirected the user to a phishing site, where they went to great lengths to make it seem legitimate, such as adding a fake SMS text message authentication."

The email also asks the recipient to pay a believably small amount of money for a package that is apparently pending shipment to them. Users tricked into clicking on the link arrive at a page designed to appear like one the postal service uses to collect online payments. But instead of merely paying for the supposed package shipment, users end up giving away their entire payment card details to the phishing operators as well.

**Not the First Tine Smart Links Feature Has Been Abused**

The campaign is not the first time that threat actors have abused LinkedIn's Smart Links feature — or Slinks, as some call it — in a phishing operation. But it marks one of the rare instances where emails containing doctored LinkedIn Slinks have ended up in user inboxes, says Brad Haas, senior intelligence analyst at Cofense. The phishing protection services vendor is currently tracking the ongoing Slovakian campaign and this week issued a report on its analysis of the threat so far.

LinkedIn's Smart Links is a marketing feature that lets users who are subscribed to its Premium service direct others to content the sender want them to see. The feature allows users to use a single LinkedIn URL to point users to multiple marketing collateral — such as documents, Excel files, PDFs, images, and webpages. Recipients receive a LinkedIn link that, when clicked, redirects them to the content behind it. LinkedIn Slinks allows users to get relatively detailed information on who might viewed the content, how they might have interacted with it, and other details.

It also gives attackers a convenient — and very credible — way to redirect users to malicious sites. 

"It's relatively easy to create Smart Links," Haas says. "The main barrier to entry is that it requires a Premium LinkedIn account," he notes." A threat actor would need to purchase the service or gain access to a legitimate user's account. But besides that, it's relatively easy for threat actors to use these links to send users to malicious sites, he says. "We have seen other phishing threat actors abuse LinkedIn Smart Links, but as of today, it's uncommon to see it reaching inboxes."

**Leveraging Legitimate Services**

The growing use by attackers of legitimate software-as-a-service and cloud offerings such LinkedIn, Google Cloud, AWS, and numerous others to host malicious content or to direct users to it, is one reason why phishing remains one of the primary initial access vectors.

Just last week, Uber experienced a catastrophic breach of its internal systems after an attacker social engineered an employee's credentials and used them to access the company's VPN. In that instance, the attacker — who Uber identified as belonging to the Lapsus$ threat group — tricked the user into accepting a multifactor authentication (MFA) request by pretending to be from the company's IT department.

It's significant that attackers are leveraging social media platforms as a proxy for their fake phishing websites. Also troubling is the fact that phishing campaigns have evolved significantly to not only be more creative but also more accessible to people who can’t write code, Deng adds.

"Phishing occurs anywhere you can send or receive a link," adds Patrick Harr, CEO at SlashNext. Hackers are wisely using techniques that avoid the most protected channels, like corporate email. Instead, they are opting to use social media apps and personal emails as a backdoor into the enterprise. "Phishing scams continue to be a serious problem for organizations, and they are moving to SMS, collaboration tools, and social," Harr says. He notes that SlashNext has seen an increase in requests for SMS and messaging protection as compromises involving text messaging becomes a bigger problem.

Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards

At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.

While NSO Group's Pegasus spyware is perhaps the highest-profile surveillance weapon used by repressive governments against civil society, a recently discovered, powerful mobile reconnaissance malware dubbed Hermit has come to light, being touted by an Italian developer as a "lawful intercept" tool.

At the upcoming SecTor 2022 conference in Toronto, Christoph Hebeisen, director of security intelligence research at Lookout, and Paul Shunk, security researcher at the firm, will lay out Hermit's surveillance capabilities, against the backdrop of the growing nation-state market and use of these shadowy applications.

So far, Lookout has observed the Hermit spyware being used by the government of Kazakhstan after the violent suppression of protests with the help of Russian armed forces; being applied by Italian law enforcement; and being deployed against the Kurdish minority in the conflict-plagued northeastern Syrian region of Rojava.

**Hermit: Hiding Out 1 Tier Below Pegasus**

The researchers will kick off their Oct. 5 session, entitled "A Hermit Out of Its Shell," with a discussion of where Hermit fits into the mobile spyware picture. It was developed by an Italy-based vendor called RCS Lab and a related company called Tykelab Srl, according to Hebeisen, and is usually distributed on both Android and iOS platforms by masquerading as legitimate mobile apps rather than in attacks that exploit software vulnerabilities.

"There's a varied market for these; NSO Group is certainly placed at the top of the field, and everybody recognizes the name, because they use zero-click exploits to get their surveillance malware onto the device without the user even noticing anything," Hebeisen tells Dark Reading. "But then there is a tier of these weapons just below that, which are distributed as apps, and they are very effective even though they require a little bit of social engineering to get onto a target's device. That's where Hermit plays."

In terms of its capabilities, he adds that Hermit packs an info-vacuuming punch. In addition to "standard" spyware fare like tracking users' locations, accessing device microphones and cameras, eavesdropping on calls and texts, and stealing media files, it also offers the ability to sniff out every scrap of content and data housed in any of the apps that users have installed, including encrypted messaging apps.

"This is a very sophisticated surveillance tool," Hebeisen says. "It takes over the operating system completely and can spy on literally everything. Given how deeply ingrained into our lives phones are these days and especially our all of our private activities, this is practically a perfect tool to find out everything an attacker ever wanted to know about somebody."

He adds that under the hood, the malware is designed to be agile and flexible.

"Hermit is built in a very enterprise way in that it's modular," Hebeisen explains. "So we suspect that that might actually be part of the business model, where they can sell different tiers of this surveillance kit by including or excluding certain modules."

From a broader perspective, Hermit showcases an uncomfortable reality when it comes to next-gen mobile malware: "Despite mobile operating systems being much more modern than many of the desktop systems and having many more security controls already in place, it's still possible for attackers to get past them and then actually use the legitimate functionality of the operating system against targets," Hebeisen says.

**Nation-State Spyware: A Growing Threat**

It should be noted that companies operating in this gray space, including RCS Labs, NSO Group, FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive Technologies, maintain that they only sell to legitimate intelligence and enforcement agencies. That however is a claim that many reject, including the US government, which recently sanctioned several of these organizations for contributing to human rights abuses and the targeting of journalists, human rights defenders, dissidents, opposition politicians, business leaders, and others.

Nonetheless, Hebeisen notes that there are more and more mobile spyware tools being developed for the blossoming so-called "lawful intercept" market, indicating ongoing demand. When one is struck down, "there are plenty of other companies standing in the wings just waiting to take over," he says.

The demand makes sense from the geopolitical perspective as nations move away from kinetic conflict.

"As opposed to physical arms, for which you have to deal with all kinds of export controls if you want to sell those to regimes that are known for human rights violations, it seems much easier to get around that when you're dealing with surveillance tools, which are essentially just a different set of weapons in the fight," Hebeisen explains.

Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance

Reduced to pen, paper, and phones, 911 operators ask NYPD for backup in handling emergency calls.

A Sept. 8 ransomware attack on Suffolk County government systems in New York continues to wreak havoc on citizens of the area, driving overwhelmed 911 operators working without the aid of computers to call for backup.

The ransomware attack means that emergency operators are working with pen and paper, then making phone calls to dispatch officers to send help, according to New York's NBC affiliate. The Suffolk County Police Department has asked the New York Police Department for help handling the calls. In response, the NYPD will add five extra officers per shift to help, NBC New York reported.

Emergency lines aren't the only systems that have been impacted in Suffolk County. Police don't have access to their car computers, and even the system for title reporting is shut down, meaning no one can close real estate deals in the area.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers Paralyze 911 Operations in Suffolk County, NY

Data scientists, who often choose open source packages without considering security, increasingly face concerns over the unvetted use of those components, new study shows.

Vulnerabilities in open source components — such as the widespread flaws revealed 10 months ago in Log4j 2.0 — have forced data scientists to reevaluate the open source code frequently used in analysis and the creation of machine learning models.

According to a report by Anaconda, a data-science platform firm, in the past year, 40% of surveyed data scientists, business analysts, and students have scaled back their use of open source components, while a third remained steady, and only 7% incorporated more open source code into their projects. The majority of those surveyed do not report to the information technology department (18%), but work within their own data science or research and development group (47%), according to Anaconda's "2022 State of Data Science" report, released last week.

While software developers and IT have already started vetting secure code, the concerns over the security in open source software is a relatively new trend for the data science world, says Peter Wang, co-founder and CEO of Anaconda.

"We see a tremendous portion of people who are at organizations where IT has created a very strict posture around open source and Python," he says. "These are not expert developers. ... They are data scientists and machine learning people who may not be very seasoned developers at all, using whatever they could download to do their analysis, and then they handed that over that to IT."

The security of open source components — and the software supply chain, in general — has become a primary consideration among software developers, businesses, and national governments over the past two years. In May, for example, the US National Institute of Standards and Technology (NIST) issued guidance for address software supply chain risks. In addition, a growing number of software vendors have joined with the Linux Foundation's Open Software Security Foundation (OpenSSF).

    

While many data science teams scan open source components for vulnerabilities, many create their own software instead. Source: Anaconda's "2022 State of Data Science" report.

Overall, the maturity of organizations' security efforts has improved. About half of firms have an open source security policy in place, which leads to better performance in measures of security readiness, according to the June survey. In addition, the efforts to control open source risk has jumped by 51% in the past 12 months, a study of security maturity stated on Sept. 21.

"\[W\]ith the attention placed on software supply chains, most enterprise organizations are taking a risk-based approach to application security," Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement announcing the study. "Such an approach recognizes that security isn't limited to the codebase; it includes the process of software development where security reviews and testing 'shift everywhere' to continuously improve security outcomes."

**Devs Expand Use of Open Source **

Software companies are not seeing any sort of decrease in open source usage, according to other data. Instead, development organizations are focusing on improving the security of open source software and using security as a primary guide in selecting components.

In the "2021 State of the Software Supply Chain" report, for example, Sonatype found that the top four open source ecosystems — the Maven Central Repository (Java), Node.js (JavaScript), the Python Package Index (Python), and the NuGet gallery (.NET) — housed 37 million open source projects and components, an increase of 20% year-over-year. The demand for those components is likewise increasing: More than 2.2 trillion components were downloaded, a 73% annual increase.

A self-reported move away from open source packages by the data science community is likely indicative of greater awareness of security issues and less about jettisoning open source components in development, says Tracy Miranda, head of open source at Chainguard.

While data science teams and development teams may have reacted differently to major security issues — such as Log4j 2.0 — companies have little recourse when moving away from one open source package than to adopt a different package whose maintainers have put a greater emphasis on security, she says.

"Companies leverage open source as a way to increase their velocity so if they are scaling back, what are they scaling back to? Writing code in-house? Using third-party versions packaged up?" Miranda says, adding that instead, "I do think we can expect to see companies be more discerning about the quality of the open source they use, especially related to security features."

**Data Scientists Are Playing Catch-up**

The disconnect between the two sides is likely due to the different audiences in the various surveys. Anaconda's survey focused on data science professionals, as can be seen from their respondent's choice of programming languages — 58% used Python and 42% used SQL, while only 26% used JavaScript. 

A better measure of software developer sentiments is StackOverflow's "2022 Developer Survey," which found that while 58% of 'people learning to code' use Python, only 44% of professional developers code in that language. On the other hand, 68% of professional developers use JavaScript, according to StackOverflow's survey.

In addition, while data science professional work at companies that overwhelmingly (87%) allow open-source software, about a quarter (26%) have minimal oversight by the IT department of their open source choices, the Anaconda report stated. In another 18% of companies, the IT department only specifies about half of the available open source components.

The maintainers of the most critical projects — of which there are hundreds, if not thousands — need to use secure dependencies, test their own code, and validate the trustworthiness of contributors. The maintainers should also publish a security scorecard — a Google-created initiative now managed by the Open Source Security Foundation (OpenSSF), which gives a security grade to a project based on nearly 20 different criteria.

While awareness is likely increasing, there is no quick solution, Miranda says.

"The reality is that the more secure options have not previously existed," she says. "Trimming unnecessary dependencies to reduce attack surface is sensible, but it's hard to do once the dependency tree has grown large."

Data Scientists Dial Back Use of Open Source Code Due to Security Worries

Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon.

Enterprises worldwide are living dangerously, skating by with inadequate visibility and security into their mobile attack surface. While many organizations have adopted some level of management over the mobile devices connected to their systems, it's not the same as mobile security and leaves them unprepared for a growing threat. Attacks against mobile phones and tablets continue to increase, and chances are good that a devastating WannaCry\-level attack is just over the horizon.

The WannaCry ransomware attack caught the world unaware in 2017, infecting hundreds of thousands of computers in 150 countries worldwide. And it could have been worse had a British security research group not discovered a kill switch that stopped it from spreading within hours of the attack. But its impact was substantial nevertheless, crippling systems, causing several car manufacturers to stop production, and even forcing some hospitals in the UK to turn away patients. Damage was estimated to be in the billions of dollars.

By heeding the lessons of that attack, enterprises can now work to avoid a "mobile WannaCry" before it hits, rather than dealing with the damage after the fact. A mobile-based attack of that scale is possible, and its impact could be far worse because of the ubiquity and utility of mobile phones, along with the fact that almost everyone's device is vulnerable. As a US House Intelligence Committee recently heard, mobile spyware has even infected the phones of US diplomats worldwide.

**Devices Hold the Keys to the Kingdom — and They're Everywhere**

In the five years since WannaCry's appearance, mobile devices have become even more critical targets than laptops or desktop PCs. Smartphones are with us every minute of the day and are loaded with personal and organizational data. They hold passwords and email accounts, credit card and payment data, and biometric data often used in multifactor authentication (MFA) for logical and physical access. They also have microphones, cameras, and location data that can add to the risks if a device is compromised.

But as much as we depend on them, enterprises have not adequately addressed the mobile attack surface presented by these devices. Beyond changing the security mindset to include the mobile space, there are unique challenges that apply to mobile endpoints. Bring your own device (BYOD) is one of the biggest challenges to addressing an enterprise's mobile attack surface, due to the privacy needs and requirements regarding personally owned devices. Because of privacy concerns, standard products like mobile device management (MDM) are typically used only for corporate-managed devices and are often insufficient in detecting, reporting, and securing mobile devices against modern threats.

Mobile devices can present attackers with virtual keys to the kingdom if they are compromised and used to get past MFA. Email access is a prominent attack tool, but a mobile device also can provide access to accounting, finance, and customer relationship management tools such as Salesforce, Microsoft Office 365, or Google Workspace. And with these tools now available on personal devices, outside the scope and visibility of the security infrastructure, enterprises are putting their data and services at risk in the name of technological benefits like BYOD.

**Mobile Ransomware Would Have a Double Impact**

The risks of mobile ransomware essentially exist on two fronts.

*   **Mobile devices as a delivery mechanism for ransomware:** The compromising of a device, which can be accomplished with or without the owner's knowledge, could allow the sending of a ransomware-spreading email that appears to come from a trusted co-worker or source. Mobile devices can be used to spread traditional ransomware in ways that are very difficult to detect and stop.
*   **Actual mobile ransomware:** Early versions of mobile ransomware were somewhat faux ransomware, using overlays to take advantage of accessibility features. But Apple and Google effectively closed those holes, leading attackers toward actual mobile ransomware.

A mobile attack could lock not only an organization's data and systems, but a user's as well, threatening to wipe out their bank account, for instance, if a ransom is not paid. The attacker who took ownership of that device could leave its microphone and camera on at all times to bug corporate meetings.

The bottom line is mobile ransomware attacks could do everything WannaCry did, plus a lot more.

**The Time to Focus on Security Is Now**

A future large-scale and impactful ransomware attack against mobile is inevitable. Each year, we see mobile malware become more complex, with new features and capabilities introduced to impact the victim. These advancing malware techniques are only proofs of concepts for future attacks, laying the way for larger dangers to mobile endpoints. It is only a matter of time before malicious actors deliver complex mobile ransomware with a significant impact on users and enterprises.

Enterprises have not placed a high-enough priority on mobile security as devices have become indispensable in our personal and business lives. Mobile devices are ripe for an attack of WannaCry proportions, but whether that takes the form of ransomware or something else, the time to focus on mobile security is now, before it's too late.

Don't Wait for a Mobile WannaCry

After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cybersecurity measures.

A voided lawsuit from a cyber insurance carrier claiming its customer misled it on its insurance application could potentially pave the way to change how underwriters evaluate self-attestation claims on insurance applications.

The case — Travelers Property Casualty Company of America v. International Control Services Inc. (ICS) — hinged on ICS claiming it had multifactor authentication (MFA) in place when the electronics manufacturer applied for a policy. In May the company experienced a ransomware attack. Forensics investigators determined there was no MFA in place, so Travelers asserted it should not be liable for the claim. 

The case (No. 22-cv-2145) was filed in the U.S. District Court for the Central District of Illinois on July 6. At the end of August, the litigants agreed to void the contract, ending ICS's efforts to have its insurer cover its losses.

This case was unusual in that Travelers maintained the misrepresentation "materially affected the acceptance of the risk and/or the hazard assumed by Travelers" in the court filing.

Taking a client to court is a departure from other similar cases where an insurance company simply denied the claim, but it is hardly unique, said Scott Godes, a partner at Barnes & Thornburg LLP, a Washington, D.C.-based law firm. 

"I have seen this issue bubbling up over the last few years. From my perspective, insurance carriers have made this a hard market — raising premiums and lowering limits — and that has emboldened them to choose the nuclear option by rescinding coverage," Godes says.

Security should be proactive, stopping possible breaches before they occur rather than simply responding to each successful attack, notes Sean O'Brien, visiting fellow at the Information Society Project at Yale Law School and the founder of Privacy Lab at Yale Law School.

"The insurance industry is likely to become more and more persnickety as cybersecurity claims rise, defending their bottom line and avoiding reimbursement wherever possible," O'Brien says. "This has always been the role of insurance adjusters, of course, and their business is in many ways adversarial to your organization's interests after the dust settles from a cyberattack."

That said, organizations should not expect a payout for poor cybersecurity policies and practices, he notes.

While the Travelers case was specifically about the single MFA security control, insurance companies might modify their underwriters' reliance on self-attestation without some type of third-party verification on other security controls going forward, notes Jess Burn, a senior analyst at Forrester Research.

"The lawsuits and the rescinding of coverage, the calling out of the insured and the policyholders on little fibs that they told, or omission of details around how they're protected in their secure practices" appear to be an emerging trend, Burn says.

One option to eliminate any questions about whether a company is implementing security controls is to provide verified support, she adds. Even if the transparency is not required, providing third-party verification that controls are in place for MFA, third-party risk management, endpoint detection, or any of the myriad of security controls should eliminate any misunderstanding or concerns in advance of the policy being issued.

**Evolving Cyber Insurance**

While technology and security implementations change over time, cyber insurance companies reevaluate their underwriting controls annually, notes Marc Schein, national co-chair at the Cyber Center for Excellence at Marsh McLennan Agency, the world's largest insurance broker. Unlike common casualty insurance policies, which have a very extensive statistical history for underwriters, cyber insurance is still considered a nascent field and underwriters are still perfecting their algorithms and analysis to best price risk.

One area where underwriters rely heavily on self-attestation from companies concerning their risk profile is controls: what controls they have in place, how well they were configured, and their effectiveness. At times, Schein continued, an underwriter might require an insurance prospect to undergo evaluations such as a penetration test. Should the test come back with a significantly different result than anticipated — for example, if 100 ports are open that the prospect said were closed — the insurance company likely would have a discussion about those open ports, as well as other attestations, to determine whether the company was deliberately trying to hide a problem or whether there was an accidental error.

CISOs are reluctant to answer questions on applications that might lead the underwriter to require significant investments to mitigate the problem before insurance is approved, says Schein. If a company indicates it plans to invest in the mitigation efforts but the project is not expected to be completed until after the date the insurance becomes effective, the insurer might compromise by binding the application but limiting the actual coverage to a percentage of the policy's limits — perhaps 10% of a policy's $1 million coverage limit — until such time as the remediation efforts are complete.

"It's remarkable that insurance carriers refuse to test, inspect, or engage in loss control when underwriting," attorney Godes notes. "Maybe they believe that they can just pull the rug out from underneath unaware policyholders, relying on rescission to avoid covering risks that the insurers could have inspected on their own."

Godes is not sold on the idea that cyber insurers are simply readjusting their underwriting procedures. "The industry is making it more and more challenging to respond to their applications," he notes, "and there continues to be vagaries in the applications."

"In my experience," he says, "the only investigation \[by cyber insurers\] is an effort to figure out how the carrier can rescind coverage, or threaten to do so, rather than figure out if the claim is covered and how it should be settled."

Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls

An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.

A 15-year-old flaw in the Python open source programming language has remained unpatched in many places, making its way into hundreds of thousands of both open source and closed source projects worldwide. This is inadvertently creating a broadly vulnerable software supply chain that most affected organizations are unaware of, researchers warned.

That's according to the Trellix Advanced Research Center, whose analysts found that a path traversal-related vulnerability, tracked as CVE-2007-4559, presently remains unpatched in more than 350,000 unique open source repositories, leaving software applications vulnerable to exploit.

In a blog post published Sept. 21, principal engineer and director of vulnerability research Douglas McKee said that the code base in question is present in software that spans a vast number of industries — primarily software development, artificial intelligence/machine learning, and code development, but also including sectors as diverse as security, IT management, and media. 

The Python tarfile module also exists in a default module in any project using Python, and is currently found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as applications used for machine learning, automation, and Docker containerization, researchers said.

While the bug allows attackers to escape the directory that a file is supposed to be extracted to, actors can also exploit the flaw to execute malicious code, researchers said.

"Today, left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," McKee said.

**New Problem, Old Vulnerability**

After finding that Python's tarfile module wasn't properly checking for path traversal vulnerabilities in an enterprise device recently, Trellix researchers thought they had stumbled across a new zero-day Python vulnerability, McKee wrote in the post. However, they soon realized that the flaw was one that had already been discovered.

Further digging and later cooperation from GitHub revealed that there are about 2.87 million open source files that contain Python’s tarfile module in about 588,000 unique repositories. Results of Trellix analysis found that about 61% of those instances are vulnerable, which led researchers to a current estimate of 350,000 vulnerable Python repositories.

**In Open Source, There's No One to Blame**

There are a number of reasons that the flaw has been able to spread throughout software unchecked for so long; however, it would be unfair to put specific blame on the Python project, various maintainers of the project, or any developers using the platform, McKee noted.

"Let's start by being explicitly clear — there is no one party, organization, or person to blame for the current state of CVE-2007-4559, but here we are anyway," he wrote.

Because open source projects like Python are run and maintained by a nebulous group of volunteers and not one federated organization — and in this case, a nonprofit foundation, to boot — it's harder to track and fix even known issues in a timely manner, McKee observed.

Further, "it is not uncommon for libraries or software development kits … to consider the responsibility for securely leveraging their APIs as part of the developer's responsibility," he said.

Indeed, Python has put a warning in its documentation of the tarfile function about the risks of using it, explicitly telling developers never to "extract archives from untrusted sources without prior inspection" due to the directory traversal issue.

While a warning is "a positive step" toward spreading awareness of the issue, it clearly hasn't prevented the vulnerability from being perpetuated, since it's still up to developers leveraging the code base to ensure that the software they build is secure, McKee observed.

He added that exacerbating the problem is the fact that most of the Python tutorials for developers on how to use the platform's modules — including Python's own documentation and popular sites like tutorialspoint, geeksforgeeks, and askpython.com — aren't clear on how to avoid insecure use of the tarfile module, he noted.

This discrepancy has allowed the vulnerability to be programmed into the supply chain, a trend that will likely continue for years to come unless there's broader awareness of the problem, McKee noted.

**'Incredibly Easy' to Exploit the Flaw**

On the technical front, CVE-2007-4559 is a path traversal attack in Python's tarfile module that allows an attacker to overwrite arbitrary files, by adding the ".." sequence to filenames in a TAR archive. 

The actual flaw arises from two or three lines of code using unsanitized tarfile.extract() or the built-in defaults of tarfile.extractall(), noted Trellix vulnerability researcher Charles McFarland in a separate blog post on the problem published Wednesday.

"Failure to write any safety code to sanitize the members' files before calling or tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system," he wrote.

For an attacker to take advantage of this vulnerability they need to add ".." with the separator for the operating system ("/" or "\\") into the file name to escape the directory the file is supposed to be extracted to, Schulz detailed. Python's tarfile module lets developers do exactly that, he noted.

Trellix vulnerability research intern Kasimir Schulz — whose research on a separate issue is actually responsible for bringing the extensive Python tarfile bug to light — described in detail in a third separate Trellix blog post he wrote published Wednesday how "incredibly easy" it is to exploit CVE-2007-4559.

Tarfiles in Python contain a collection of multiple different files and metadata that's later used to unarchive the tarfile itself, Schulz explained in his post. The metadata contained within a TAR archive includes but is not limited to information such as the file name, the size and checksum of the file, and information about the owner of the file when the file was archived.

"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the TAR archive," Schulz wrote. This enables attackers to create their exploits with as little as six lines of code, he said.

Schulz goes on in his post to explain in detail how he used the flaw and a custom-built script called Creosote — which searches through directories scanning for and then analyzing Python files — to execute malicious code within Spyder IDE, a free and open source scientific environment written for Python that can be run on Windows and macOS.

**Spotlight on the Supply Chain**

The tarfile issue once again highlights the software supply chain as an attack surface, one that has risen in prominence in recent years due to the broad impact attackers can have by targeting flawed code that's present across multiple platforms and thus enterprise environments. This can serve to expansively widen the impact of malicious campaigns without extra work on the part of threat actors.

There have been numerous examples already of what can happen across the supply chain in these types of attacks, with the now-infamous SolarWinds and Log4J scenarios being among the most prominent. The former started in late December 2020 with a breach in the SolarWinds Orion software and spread deep into the next year with multiple attacks across various organizations. The latter saga unfolded in early December 2021 with the discovery of a flaw dubbed Log4Shell in a widely used Java logging tool that spurred multiple exploits and made millions of applications vulnerable to attack, many of which remain unpatched today.

Lately, attackers have begun to see the benefit of going directly after open source code repositories to plant their own malicious code that can be exploited later for supply chain attacks. In fact, the Python project has found itself directly in the crosshairs.

In late August, attackers targeted users of the Python Package Index (PyPI) with their first-ever phishing attack aimed at stealing users' credentials so threat actors could load compromised packages to the repository. Earlier that month, PyPI already had removed 10 malicious code packages from the registry after a security vendor warned that threat actors were embedding malicious code into the package installation script.

15-Year-Old Python Flaw Slithers into Software Worldwide

As ransomware attacks continue to evolve, beyond using security best practices organizations can build resiliency with extended detection and response solutions and fast response times to shut down attacks.

Ransomware is the most significant cybersecurity threat facing organizations today. But recently, leaders from the National Security Agency and the FBI both indicated that attacks declined during the first half of 2022. The combination of sanctions on Russia, where many cybercriminal gangs originate, and crashing cryptocurrency markets may have had an effect, making it difficult for ransomware gangs to extract funds and get their payouts.

But we aren't out of the woods yet. Despite a temporary dip, ransomware is not only thriving but also evolving. Today, ransomware-as-a-service (RaaS) has evolved from a commoditized, automated model relying on prepackaged exploit kits, to a human-operated, highly targeted, and sophisticated business operation. That's reason for businesses of any size to be concerned.

**Becoming RaaS**

It is widely known that today's cybercriminals are well equipped, highly motivated, and very effective. They didn't get that way by accident, and they haven't remained so effective without continuously evolving their technologies and methodologies. The motivation of massive financial gain has been the only constant.

Early ransomware attacks were simple, technology-driven attacks. The attacks drove increased focus on backup and restore capabilities, which led adversaries to seek out online backups and encrypt those, too, during an attack. Attacker success led to larger ransoms, and the larger ransom demands made it less likely that the victim would pay, and more likely that law enforcement would get involved. Ransomware gangs responded with extortion. They transitioned to not only encrypting data, but exfiltration and threatening to make public the often-sensitive data of the victim's customers or partners, introducing a more complex risk of brand and reputational damage. Today, it isn't unusual for ransomware attackers to seek out a victim's cyber-insurance policy to help set the ransom demand and make the whole process (including payment) as efficient as possible.

We have also seen less disciplined (but equally damaging) ransomware attacks. For example, choosing to pay a ransom in turn also identifies a victim as a reliable fit for a future attack, increasing the likelihood it will be hit again, by the same or a different ransomware gang. Research estimates between 50% to 80% (PDF) of organizations that paid a ransom suffered a repeat attack.

As ransomware attacks have evolved, so have security technologies, especially in areas of threat identification and blocking. Anti-phishing, spam filters, antivirus, and malware-detection technologies have all been fine-tuned to address modern threats to minimize the threat of a compromise through email, malicious websites, or other popular attack vectors.

This proverbial "cat and mouse" game between adversaries and security providers that deliver better defenses and sophisticated approaches to stopping ransomware attacks has led to more collaboration within global cybercriminal rings. Much like safecrackers and alarm specialists used in traditional robberies, experts in malware development, network access, and exploitation are powering today's attacks and created conditions for the next evolution in ransomware.

**The RaaS Model Today**

RaaS has evolved to become a sophisticated, human-led operation with a complex, profit sharing business model. A RaaS operator who may have worked independently in the past now contracts with specialists to increase chances of a success.

A RaaS operator — who maintains specific ransomware tools, communicates with the victim, and secures payments — will now often work alongside a high-level hacker, who will perform the intrusion itself. Having an interactive attacker inside the target environment enables live decision-making during the attack. Working together, they identify specific weaknesses within the network, escalate privileges, and encrypt the most sensitive data to ensure payouts. In addition, they carry out reconnaissance to find and delete online backups and disable security tooling. The contracted hacker will often work alongside an access broker, who is responsible for providing access to the network through stolen credentials or persistence mechanisms that are already in place.

The attacks resulting from this collaboration of expertise have the feel and appearance of "old-fashioned," state-sponsored advanced persistent threat-style attacks, but are much more prevalent.

**How Organizations Can Defend Themselves**

The new, human operated RaaS model is much more sophisticated, targeted, and destructive than the RaaS models of the past, but there are still best practices organizations can follow to defend themselves.

Organizations must be disciplined about their security hygiene. IT is always changing, and any time a new endpoint is added, or a system is updated, it has the potential to introduce a new vulnerability or risk. Security teams must remain focused on security best practices: patching, using multifactor authentication, enforcing strong credentials, scanning the Dark Web for compromised credentials, training employees on how to spot phishing attempts, and more. These best practices help reduce the attack surface and minimize the risk that an access broker will be able to exploit a vulnerability to gain entry. Additionally, the stronger security hygiene an organization has, the less "noise" there will be for analysts to sort through in the security operations center (SOC), enabling them to focus on the real threat when one is identified.

Beyond security best practices, organizations must also ensure they have advanced threat detection and response capabilities. Because access brokers spend time performing reconnaissance in the organization's infrastructure, security analysts have an opportunity to spot them and stop the attack in its early stages — but only if they have the right tools. Organizations should look to extended detection and response solutions that can detect and cross-correlate telemetry from security events across their endpoints, networks, servers, email and cloud systems, and applications. They also need the ability to respond wherever the attack is identified to shut it down quickly. Large enterprises may have these capabilities built into their SOC, whereas midsize organizations may want to consider the managed detection and response model for 24/7 threat monitoring and response.

Despite the recent decline in ransomware attacks, security professionals shouldn't expect the threat to go extinct anytime soon. RaaS will continue to evolve, with the latest adaptations replaced by new approaches in response to cybersecurity innovations. But with a focus on security best practices paired with key threat prevention, detection, and response technologies, organizations will become more resilient against attacks.

Source

DARKReading