QNAP is urging customers of its NAS products to update QTS and avoid exposing the devices to the Internet.

Network-attached storage provider QNAP is warning that its NAS devices are under active attack by the so-called Deadbolt ransomware. 

QNAP NAS device models affected are primarily TS-x51 series and TS-x53 series using QTS 4.3.6 and QTS 4.4.1, according to the company.  

"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet," the company advised. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Deadbolt Ransomware Targeting QNAP NAS Devices

In the three months since the war started, Russian operatives and those allied with the nation's interests have unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine, security vendor says.

In March, in the middle of Russia's invasion of Ukraine, a video surfaced that showed Ukraine's President Volodymyr Zelensky announcing his country's surrender to the Russian forces. Another story the same month said he had committed suicide in the military bunker in Kyiv where he had been directing his country's fight against Russia, apparently because of Ukrainian military failures.

The video was a sophisticated deepfake of Zelensky generated by artificial intelligence. The story of his suicide was a completely concocted report from a group set up to spread fabricated narratives aligned with Russian interests. Both are examples of what Mandiant on Thursday described as systematic, targeted, and organized cyber-enabled information operations (IO) that has targeted Ukraine's population and audiences in other regions of the world since the war began in February.

Many of the actors behind these campaigns are previously known Russian, Belarusian, and other pro-Russian groups. Their goal is threefold, according to Mandiant: to demoralize Ukrainians; to cause division between the beleaguered nation and its allies; and to foster a positive perception of Russia internationally. Also in the fray are actors from Iran and China that are opportunistically using the war to advance their own anti-US and anti-West narratives.

**Success Hard to Gauge  
**The success of these information operations is hard to gauge given its scope, says Alden Wahlstrom, a senior analyst at Mandiant. "With the Russia-aligned activity, we’ve observed multiple instances in which the Ukrainian government has appeared to rapidly engage with and issue counter-messaging to disinformation narratives promoted by \[information\] operations," he says. But the sheer scale and tempo of operations has made the task challenging, Wahlstrom says. "One concern when looking at this activity in aggregate is that it helps to build an atmosphere of fear and uncertainty among the population in which individuals potentially question the validity of legitimate sources of information."

Mandiant's analysis shows several known groups are behind the information operations activity in Ukraine. Among them is APT28, a threat group that the US government and others have attributed to a unit of the Russian General Staff’s Main Intelligence Directorate (GRU). Mandiant observed members of APT28 using Telegram channels previously associated with the GRU to promote content designed to demoralize Ukrainians and weaken support from allies.

The Belarus-based operator of Ghostwriter, a long-running disinformation campaign in Europe is another actor that is active in Ukraine. In April, Mandiant observed the threat actor using what appeared to be a previously compromised website and likely compromised or threat actor-controlled social media accounts to publish and promote fake content aimed at fomenting distrust between Ukraine and Poland, its ally.

In the weeks leading up the Russia's invasion of Ukraine and in the months since then, Mandiant also observed an information campaign tracked as "Secondary Infektion" targeting audiences in Ukraine with fake narratives about the war. It was Secondary Infektion, for instance, that was responsible for the fake report about Zelensky's suicide. The same group also promoted stories about operatives from Ukraine's Azov Regiment — a unit that Russia has labeled as being comprised of Nazis — apparently seeking vengeance on Zelensky for allegedly letting Ukrainian soldiers die in Mariupol.

The group was often observed using forged documents, pamphlets, screenshots, and other fake source materials to support its fake content.

**False Narratives to Sow Fear and Confusion  
**Mandiant said it observed several other operatives engaged in a wide range of similar information operations in Ukraine often using bot-generated social media accounts and fake personas to promote a variety of Russia-aligned narratives. This has included fake content about growing resentment in Poland over refugees from Ukraine and Polish criminal gangs harvesting organs from Ukrainians fleeing into their country.

Often the information operations have coincided with other disruptive and destructive cyber activity, according to Mandiant. For example, the content about Zelensky's alleged surrender to Russia broke the same time that threat actors hit a Ukrainian organization with a disk-wiping malware tool that was scheduled to execute three hours before a Zelensky speech to the UN.

Wahlstrom says Mandiant has not been able to definitively link the information operations to the concurrent destructive attacks. 

"However, this limited pattern of overlap is worth paying attention to and may suggest that the actors behind the information operations are at least linked to groups with more extensive capabilities," he says. The coordinated attacks also suggest a full spectrum of actors and tactics are being employed in operations targeting Ukraine, Wahlstrom says.

For the most part, the information operations activity in Ukraine that the various groups are engaged in appear consistent with what they have engaged in previously. But one notable evolution is the prominence of dual-purpose information ops, says Sam Riddell, an analyst at Mandiant. "Popular pro-Russian 'hacktivist'  activity and coordinated 'grassroots' campaigns have pursued specific influence objectives while simultaneously attempting to create the impression of broad popular support for the Kremlin," he says.

The conflict in Ukraine has also shown how rapidly information operation assets and infrastructure can be repurposed for the theme of the day, he says. "At the onset of the war, a whole ecosystem of pro-Russian IO assets was able to quickly flip a switch and engage in wartime IO at high volumes," he says. "For defenders, this means that disrupting assets before significant global events break out is paramount."

Mandiant's report coincided with another one from Nisos this week that shed light on a Internet of Things botnet, tracked as "Fronton," that apparently was developed a few years ago at the direction of the Federal Security Service of the Russian Federation (FSB). The botnet's primary purpose, according to Fronton, is to serve as a platform for creating and distributing fake content and disinformation on a global scale. It includes what Nisos described as a Web-based dashboard called SANA for formulating and deploying trending social media events on a mass scale. 

Nisos' report on Fronton is based on a review of documents that were publicly leaked after a hacktivist group called Digital Revolution broke into systems belonging to a subcontractor who developed the botnet for FSB.

Vincas Ciziunas, research principal at Nisos, says there is no evidence of Fronton or SANA being used in the current conflict between Russia and Ukraine. But presumably the FSB has some use for the technology, Ciziunas adds. "We only have demo footage and documentation," he says. But the FSB did appear to create a fake network of Kazakh users on the Russian social media platform V Kontakte, and they did have some fake content related to a squirrel statue in a Kazakhstan city that appears to later have become the basis for a BBC report.

"The conversation related to the statue led to a BBC report," Ciziunas says. "We did not directly identify any of the social media postings mentioned in the BBC article as having been made by the platform."

Pro-Russian Information Operations Escalate in Ukraine War

Revised policy means security analysts won't be charged under the Computer Fraud and Abuse Act.

The US Department of Justice announced this week that it has revised a policy that explicitly states it will not charge security researchers with violations of the Computer Fraud and Abuse Act (CFAA).

The new guidance recognizes "good faith" security research done to promote safety and not carried out in a way that causes harm. The new policy, effective immediately, replaces the previous CFAA charging policy from 2014, the DOJ said. 

"Computer security research is a key driver of improved cybersecurity," said Deputy Attorney General Lisa O. Monaco in a statement about the new DOJ policy. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ Won't Charge 'Good Faith' Security Researchers

Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.

Researchers with Shadowserver Foundation have discovered more than 380,000 open Kubernetes API servers exposed on the Internet. That represents 84% of all global Kubernetes API instances observable online.

The research was conducted across IPv4 infrastructure using HTTP GET requests. The researchers didn’t do any intrusive checks to figure out exactly the level of exposure that the servers exhibited, but the findings suggest potential trouble across this landscape.

“While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface,” according to the Shadowserver report. “They also allow for information leakage on version and builds.”

The densest cluster of exposed API servers was found in the US, where some 201,348 of these open API instances were discovered. That accounts for 53% of the total open servers found.

This report is yet more evidence in a growing body of research around API security that shows many organizations are unprepared to protect against, respond to, or even have visibility into potential API attacks.

**Data Breaches via API Incidents  
**According to the recent "State of API Security 2022" report from Salt Security, approximately 34% of organizations have absolutely no API security strategy in place, and an additional 27% say that they have just a basic strategy that involves minimal scanning and manual reviews of API security status and no controls or management over them. Another study, from 451 Research on behalf of Noname Security, found that 41% of organizations had an API security incident in the last 12 months. Of those, 63% involved a data breach or data loss.

The scope of the potential API attack surface in modern application and cloud infrastructure is huge. According to the 451 Research study, large enterprises on average have more than 25,000 APIs connected to or operating within their infrastructure. The number is set to keep growing, and in a recent Gartner Predicts 2022 document, analysts say they believe that less than 50% of enterprise APIs will be managed three years from now “as explosive growth in APIs surpasses the capabilities of API management tools."

The Kubernetes exposure found by Shadowserver is evidence for a particularly acute problem in cloud security today. APIs are often one of the weakest links in cloud infrastructure management because they are usually at the heart of the control plane that handles configuration of cloud infrastructures and applications.

“All cloud breaches follow the same pattern: control plane compromise. The control plane is the API’s surface that configures and operates the cloud. APIs are the primary driver of cloud computing; think of them as 'software middlemen' that allow different applications to interact with each other,” explains Josh Stella, chief architect at Snyk and the founder of Fugue, which was recently acquired by Snyk. “The API control plane is the collection of APIs used to configure and operate the cloud. Unfortunately, the security industry remains a step behind the hackers because many vendor solutions do not protect their customers against attacks that target the cloud control plane.”

In the Predicts piece, Gartner analysts agree that newly created APIs that are churning into the scene are an integral part of the emerging cloud and application architectures that are at the heart of the modern continuous delivery model of application development.

“This situation resembles the early days of infrastructure as a service (IaaS) deployment, as ungoverned API usage is on the rise. As the architecture and operational technologies continue to mature, security controls try to apply old paradigms to new problems,” according to Gartner. “These controls can be a temporary solution, but it will take a long time for security controls and practices to catch up with the new architecture paradigm.”

Majority of Kubernetes API Servers Exposed to the Public Internet

CrowdStrike and CyberArk invest in Dig's seed round, which was led by Team8, alongside Merlin Ventures and chairs of MongoDB and Exabeam.

TEL AVIV, Israel, May 19, 2022 /PRNewswire/ -- Cloud data security company **Dig** emerged from stealth today, announcing $11M in seed funding for the first cloud Data Detection and Response (DDR) solution. The seed round was led by **Team8**, with cybersecurity firms **CrowdStrike**, through their Falcon Fund, and **CyberArk** joining as strategic investors alongside **Merlin Ventures**. Moving beyond posture solutions, Dig Security helps organizations discover, monitor, detect, protect and govern their cloud data in real time through a single unified policy engine.

Angel investors include Tom Killalea (Chairman of MongoDB), Jeff Fagnan (Carbon Black, Veracode), Nir Polak (Founder of Exabeam), Ori Fragman (CISO Europe of Ahold Delhaize) and Nitzan Shapira (Founder of Epsagon).\[1\]

Data is the ultimate target of most cyberattacks; it's the easiest way to profit from hacking. However, data in the cloud is fragmented across multiple clouds and services. A typical enterprise stores data on more than 20 types of service and thousands of instances. These organizations don't have visibility, context or control over their cloud data. Existing data security solutions weren't built to protect _cloud_ data and are often irrelevant.

"I've spoken to more than a hundred CISOs and hear the same complaints over and over", said Dan Benjamin, CEO and co-founder of Dig. "Companies don't know what data they hold in the cloud, where it is, or — most importantly — how to protect it. They have tools to protect endpoints, networks, APIs… but nothing to actively secure their data in public clouds".

Dig gives organizations complete control over their cloud data, providing **real-time Data Detection and Response (DDR)**. Using one of the industry's most comprehensive threat models for cloud data attacks, Dig detects, analyzes and responds instantly to threats to cloud data, triggering alerts on suspicious or anomalous activity, stopping attacks, exfiltrations and employee data misuse.

The solution discovers all data assets across public clouds and brings context to how they are used. It also tracks whether each data source supports compliance like SOC2 and HIPAA.

Dig was founded by Dan Benjamin, Ido Azran and Gad Akuka, three veteran entrepreneurs who've previously founded successful companies that were acquired by major firms. They also gained experience at tech giants including Google and Microsoft. Since it was founded, Dig has grown extremely quickly; the company already has a large data security research team and paying customers.

"It's rare to meet a founding team who have both an insider view of cloud security challenges from within Microsoft and Google's cloud organizations, alongside the experience of founding successfully acquired security companies," said Liran Grinberg, Co-Founder & Managing Partner at Team8. "Dig's active approach, bringing detection and response to data in the cloud, is precisely what the market needs. Data security in the cloud is high on the priority list of most CISOs today and we're proud to invest in the company we believe will lead this category."

"Organizations that lack visibility across their infrastructure have data protection challenges," said Michael Sentonas, Chief Technology Officer at CrowdStrike. "Through our Falcon Fund, we look forward to supporting Dig in their journey to provide data transparency, improving cloud data security and protection."

\[1\] Angel investors in their personal capacities. Affiliations included for identification purposes only.

Dig Exits Stealth With $11M for Cloud Data Detection and Response Solution

Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Mobile platforms are increasingly under threat as criminal and nation-state actors look for new ways to install malicious implants with advanced capabilities on iPhone and Android devices.

Although mobile attacks have been an ongoing problem for many years, the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Attackers are now actively deploying malware with full remote access capabilities, modular design, and, in some cases, worm-like characteristics that can pose significant threats to users and the companies they work for. Many of these malware families are continually improving through regular development updates, and cybercriminals are getting better at beating the review process of official app stores. Meanwhile, both the US and EU are considering new antitrust regulations that could make "sideloading" apps a consumer right.

It is important for businesses to recognize that mobile attacks are a key focus area for sophisticated threat actors. These attacks will continue to evolve as new tools and tactics emerge, posing unique challenges to traditional corporate security.

Here are six mobile malware tactics that companies need to prepare for:

**1\. On-Device Fraud  
**One of the most concerning new mobile malware advancements is the ability to carry out fraudulent actions directly from the victim’s device. Known as on-device fraud (ODF), this advanced capability has been detected in recent mobile banking Trojans, most notably Octo, TeaBot, Vultur, and Escobar. In Octo's case, the malware exploited Android's MediaProjection service (to enable screen sharing) and Accessibility Service (to perform actions on the device remotely). This hands-on remote access feature has also been enabled through an implementation of VNC Viewer, as in the case of Escobar and Vultur.

ODF marks a significant turning point for mobile attacks, which have largely focused on overlay-based credential theft and other types of data exfiltration. Although most ODF Trojans are primarily focused on financial theft, these modules could be adapted to target other types of accounts and communications tools used by businesses, such as Slack, Teams, and Google Docs.

**2\. Phone Call Redirection  
**Another troubling capability is the interception of legitimate phone calls, which recently emerged in the Fakecalls banking Trojan.

In this attack, the malware can break the connection of a user-initiated call without the caller's knowledge and redirect the call to another number under the attacker's control. Since the call screen continues to show the legitimate phone number, the victim has no way of knowing they have been diverted to a fake call service. The malware achieves this by securing call handling permission during the app installation.

**3\. Notification Direct Reply Abuse  
**In February, FluBot spyware (Version 5.4) introduced the novel capability of abusing Android’s Notification Direct Reply feature, which allows the malware to intercept and directly reply to push notifications in the applications it targets. This feature has since been discovered in other mobile malware, including Medusa and Sharkbot.

This unique capability allows the malware to sign fraudulent financial transactions, intercept two-factor authentication codes, and modify push notifications. However, this feature can also be used to spread the malware in a worm-like manner to the victim's contacts by sending automated malicious responses to social application notifications (such as WhatsApp and Facebook Messenger), a tactic known as "push message phishing."

**4\. Domain Generation Algorithm  
**The Sharkbot banking Trojan is also notable for another feature: domain generation algorithm (DGA), which it uses to avoid detection. As with other conventional malware with DGA, the mobile malware constantly creates new domain names and IP addresses for its command-and-control (C2) servers, which makes it difficult for security teams to detect and block the malware.

**5\. Bypassing App Store Detection  
**The app review process has always been a cat-and-mouse game with malware developers, but recent cybercriminal tactics are worth noting. The CryptoRom criminal campaign, for example, abused Apple’s TestFlight beta testing platform and Web Clips feature to deliver malware to iPhone users by bypassing the App Store altogether. Google Play's security process was bypassed by one criminal actor that paid developers to use its malicious SDK in their apps, which then stole personal data from users.

While droppers have become increasingly common for mobile malware distribution, researchers have recently noticed an uptick in activity in the underground market for these services, along with other distribution actors. .

**6\. More Refined Development Practices  
**While modular malware design isn't new, Android banking Trojans are now being developed with sophisticated update capabilities, such as the recently discovered Xenomorph malware. Xenomorph combines a modular design, accessibility engine, infrastructure and C2 protocol to allow for significant update capabilities that could enable it to become a far more advanced Trojan down the line, including the automatic transfer system (ATS) feature. Going forward, more mobile malware families will incorporate better update processes to enable enhanced features and entirely new functionality on compromised devices.

**Fight Back by Boosting Corporate Defenses  
**To fight back against these new mobile malware tactics, businesses need to make sure their cybersecurity programs include robust defenses. These include mobile device management solutions, multifactor authentication, and strong employee access controls. And, since mobile malware infections typically begin with social engineering, companies should provide security awareness training and consider technology that monitors communication channels for these attacks.

6 Scary Tactics Used in Mobile App Attacks

For the first time in a year, security incidents involving email compromises surpassed ransomware incidents, a new analysis shows.

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort  organizations in other ways. 

Researchers from Kroll recently analyzed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

**Multiple Attack Vectors  
**Kroll's analysis shows that attackers leveraged the initial foothold gained via phishing in multiple ways, including to drop ransomware and malware, and to extort without any ransomware or encryption. 

In one incident that Kroll investigated during the first quarter, adversaries acquired an organization's global admin credentials after an IT employee at the company clicked on a phishing email they had sent. The adversaries used the credentials to take over multiple email accounts belonging to other members of the IT team as well as the C-suite, which in turn they used to download sensitive enterprise data. The attackers followed up with a demand seeking a ransom in exchange for the attack to stop.

In other instances, Kroll's researchers identified attackers breaking into a network by exploiting a vulnerability and then using that access to launch convincing-looking phishing campaigns. In one incident, the attackers exploited the ProxyShell vulnerability in Exchange Server to access the target network. Once inside, the attackers attempted to phish employees by attaching a malicious .zip file to a reply to a legacy internal email thread. The .zip file was disguised as an invoice, and appeared to be from a trusted internal source: Several users opened it and unknowingly downloaded IcedID on their systems. That organization was subsequently hit with the QuantumLocker ransomware two weeks later, Kroll said.

Phishing was not the only tactic that attackers used to try and gain initial access on a target system or network. In several incidents that Kroll investigated, threat actors exploited widely publicized vulnerabilities such as ProxyLogon and Log4Shell to gain a foothold from which to drop ransomware such as Conti, AvosLocker, and QuantumLocker on target networks. 

**Inadequate Defenses  
**Patrick Harr, CEO at SlashNext, a provider of anti-phishing services, says current organizations defenses are not fully designed to protect against attacks that appear to originate from inside the organization. "You can’t stop phishing that comes from legitimate services with employee awareness training," he says. "As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to prevent these threats." 

The broader adoption of work-from-home models over the past two years has also made it easier for attackers to target employees in phishing campaigns — and get away with it. "Remote work certainly created more opportunities for threat actors to execute \[business email compromise\] and other phishing attacks," says Hank Schless, senior manager of security solutions at Lookout. "Without being able to walk over to another person’s desk in the office, employees have a much harder time validating unknown texts or emails."

The increased reliance on smartphones and tablets for internal communications has created several issues, he adds. Spear-phishing attacks on mobile devices, for instance, are much harder to catch than on a desktop. Users also cannot preview link destinations or verify the sender's identity. So, a lot of the things that employees are trained to recognize as part of their phishing awareness training are hard or almost impossible to spot on a mobile device, Schless says.

**Temporary Ransomware Drop-off  
**Kroll's analysis showed that ransomware attacks — as a proportion of all attacks — dropped 20% between the fourth quarter of 2021 and the first quarter of 2022 and 30% between the third quarter of 2021 and the first quarter of 2022. At least some of the drop-off in attacks appears to have resulted from law enforcement's disruption of malicious activity by groups such as REvil, Kroll said. Another factor that likely contributed to the slowdown in ransomware attacks was the voluntary exit from the scene made by groups such as BlackMatter, Kroll added.

However, early data from the second quarter of 2022 suggests that ransomware actors are regrouping and preparing to resume their usual level of activity soon, according to Kroll.

An earlier report from Digital Shadows noted a similar drop-off in ransomware incidents in the first quarter of 2022 but pointed to emerging trends in the space that could have implications for enterprise organizations. One example is the growing trend by ransomware groups to align themselves for or against Russia in that country's war against Ukraine.

Like Kroll, researchers from Digital Shadows also observed incidents involving extortion, where no ransomware was deployed. One example cited by both companies was the attacks by a group identified as Lapsus$ (aka DEV-0537) that targeted several technology and security firms in the first quarter of 2022. In some of the incidents, the attackers defaced the websites of target organizations and claimed they had suffered a ransomware attack. In other instance, the group used stolen credentials to exfiltrate data and then threatened victims that it would release the data publicly unless paid a ransom.

Phishing Attacks for Initial Access Surged 54% in Q1

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

Supply chain security has been all the buzz in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. To that end, MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over supply chain - including software.

MITRE's so-called System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers. It can be used not just by cybersecurity teams but across an organization for assessing a supplier or product. 

"An accountant, a lawyer, \[or\] an operations manager could understand this structure at the top level," says Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. "The System of Trust is about organizing and amalgamating existing capabilities that just don't get connected right now" to ensure full vetting of software as well as service provider offerings, for example.

The SoT will make its official public debut next month at the RSA Conference (RSAC) in San Francisco, where Martin will present the framework as a first step in gathering security community support and insight for the project. So far, he says, the initial feedback has been "very positive."

MITRE is best known in the cybersecurity sector for heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, for the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.

Martin says he'll demonstrate the SoT framework and provide more details on the project during his RSAC presentation. The framework currently includes 12 top-level risk areas - everything from financial stability to cybersecurity practices - that organizations should evaluate during their acquisition process. More than 400 specific questions cover issues in detail, such as whether the supplier is properly and thoroughly tracking the software components and their integrity and security.

Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting data scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. An enterprise could then more quantitatively analyze a software supplier's "trustworthiness."

**SBOM Symmetry  
**Martin says that with software supply chain security, the SoT also goes hand in hand with software bill of materials (SBOM) programs. "SBOMs can give you deeper reason into understanding why you should trust," for example, a software component. Among several risk factors in the SoT, SBOMs can actually mitigate those risks or, at the least, provide better insight into the software and any risks. 

"If the SBOM has pedigree information, that information would allow for assessment of the tools and techniques used to build the software - whether reproducible builds were used to build the software, memory protection methods \[were\] invoked during the build" and other details, he notes.

So how does the SoT framework differ from risk management models? Traditional risk management employs probabilities, Martin says. With SoT, there's a list of risks that can be evaluated and scored to determine whether there is risk in specific areas and, if so, just how bad it really is.

"We want to help provide a consistent way of doing assessments ... and we would like to encourage data-driven decisions wherever we can" in supply chain evaluations, he says.

The next steps: introducing the concept of the SoT and offering the live taxonomy for public comment and scrutiny. "Then we can see what parts can be automated and where," and ensure that it can be integrated into the acquisition process. Vendors, too, could use SoT terminology in their product materials.

"'Supply chain' has a lot of different meanings," Martin explains. "We're not talking microelectronics in the US versus overseas. We're not trying to solve port issues. We're trying to get a culture of organizational risk management that includes supply chain concerns as a normal part of that. We want to bring some consistencies, automation, and data-driven evidence so there's more understanding of supply chain risks."

MITRE Creates Framework for Supply Chain Security

Last month attackers quickly reverse-engineered VMware patches to launch RCE attacks. CISA warns it's going to happen again.

The Cybersecurity and Infrastructure Agency (CISA) has issued an emergency directive requiring federal civilian executive branch agencies to update their VMware products impacted by a pair of new vulnerabilities or remove them from their networks.

The VMware bugs – CVE-2022-22972 and CVE-2022-22973 – expose several VMware products to remote code-execution (RCE) attacks. 

CISA said that last month, within just 48 hours of VMware patching its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, advanced persistent threat (APT) actors were able to reverse-engineer the updates to launch attacks. 

"These vulnerabilities pose an unacceptable risk to federal network security," CISA director said Jen Easterly in a statement. "CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government's lead and take similar steps to safeguard their networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA to Federal Agencies: Patch VMware Products Now or Take Them Offline

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

Source

DARKReading