By Deeba Ahmed
New Android malware alert! Brokewell steals data, takes over devices & targets your bank. Learn how this sneaky malware works & what you can do to protect yourself. Stop Brokewell before it stops you!
This is a post from HackRead.com Read the original post: Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank

Brokewell malware poses a new cybersecurity threat to your device and personal information. Unlike your typical data-stealing app, Brokewell takes it a step further by granting attackers near-complete control of your phone.

In their report, fraud risk firm ThreatFabric’s threat intelligence researchers shared details of a newly discovered Android banking malware dubbed Brokewell, which uses overlay attacks to capture user credentials and steal cookies.

Further probing revealed a repository called “Brokewell Cyber Labs,” created by an individual “Baron Samedit.”  This repository hosted the source code for the “Brokewell Android Loader,” a tool designed to bypass Android 13+ accessibility restrictions and widely used by cybercriminals.

Brokewell has previously been used in campaigns targeting “buy now, pay later” financial services like Klarna and in exploiting the Austrian digital authentication application, ID Austria.

****Fake Updates, Real Danger****

Brokewell hides behind a familiar facade – fake software updates. It typically masquerades as a critical update for Google Chrome, tricking users into downloading and installing it. Once installed, Brokewell unleashes its wrath as it isn’t just after your login credentials. It’s a comprehensive toolkit for conducting a wide-scale data theft. 

Fake Chrome browser update as seen by ThreatFabric

The trojan uses its own WebView to load a legitimate website and dumps session cookies after the victim completes the login process. Brokewell also has “accessibility logging” capabilities, capturing every event on the device, posing a threat to all installed applications.

****What Information is at Stake?****

Brokewell can steal a wide range of information, including call logs, text messages, and contact lists. Moreover, it looks for your financial apps and if found, it overlays fake login screens on top of legitimate banking apps, capturing your login details without you realizing it.

The most problematic part is that Brokewell grants attackers remote access to your device. It supports spyware functionalities, collecting device information, geolocation, and recording audio. After stealing credentials, the actors can initiate a Device Takeover attack using remote control capabilities.

****An Evolving Threat****

In their blog post, ThreatFabric researchers warned that althoughBrokewell is under active development, the malware’s creators are constantly adding new features to enhance its capabilities.

To protect yourself from Brokewell and other malicious software, download apps from the official Google Play Store only.  Be cautious of fake updates and always use a reputable security app. Staying updated on the latest Android security threats is crucial to protect your device.

****Experts’ Opinion****

Ray Kelly, Fellow from Synopsys Software Integrity Group shared their thoughts on Brokewell’s discovery with Hackread.com stating, _“_As a policy, users should never install apps outside of the Google and Apple stores as Malware often sneaks in through ‘side loading’ apps, especially on rooted or jailbroken devices from fake stores._“_

“What makes this instance different is that the malicious app sideloaded on non-rooted devices and bypassed Google’s security measures,” stressed Ray. _“_The key takeaway is don’t fall for web popups prompting app updates; always rely on the Play Store for updates to safeguard against such threats._“_

1.  Android TV Boxes Infected with Backdoors
2.  SpyNote Android Spyware Poses as Legit Crypto Wallets
3.  Fake YouTube Android Apps Used to Distribute CapraRAT
4.  Xamalicious Backdoor Infects 25 Apps, Affects 327K Devices
5.  Android Malware FjordPhantom Steals Funds Via Virtualization

Fake Chrome Updates Hide Android Brokewell Malware Targeting Your Bank

By Deeba Ahmed
Beware! Agent Tesla & Taskun Malware are targeting US Education & Gov. This cyberattack steals data & exploits vulnerabilities. Learn how to protect schools & government agencies from this double threat!
This is a post from HackRead.com Read the original post: Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

A new wave of cyberattacks has set its sights on the sensitive data within the US education and government sectors, discovered cybersecurity researchers at the cybersecurity platform, Veriti. This campaign leverages a combination of two malware strains: Agent Tesla and Taskun.

****Agent Tesla and Taskun- The Deceptive Duo****

Agent Tesla is an infamous malware and sophisticated spyware, designed to steal a user’s most valuable data. The malware is known for capturing keystrokes, screenshots, and even login credentials for various applications including browsers and VPNs. With this stolen information, attackers gain unauthorized access to user’s accounts and potentially sensitive systems.

On the other hand, according to Veriti’s blog post, Taskun serves as the perfect accomplice for Agent Tesla’s malicious activities. It works by compromising a system’s integrity, creating a backdoor for Agent Tesla to infiltrate and establish persistence. This allows Agent Tesla to remain undetected for extended periods, deepening its hold on the system and maximizing data theft.

It’s important to highlight that Taskun and Agent Tesla were recently discovered as accomplices in a similar campaign. Researchers observed TicTacToe Dropper targeting Windows devices, subsequently infecting them with Leonem, AgentTesla, SnakeLogger, LokiBot, Remcos, RemLoader, Sabsik, Taskun, Androm, and Upatre.

****Attackers’ Calculated Approach****

As for the latest, campaign, the attack is launched through malicious email attachments exploiting vulnerabilities in Windows OS software like Microsoft Office, one of the most exploited software in malware attacks.

The attackers’ strategy centers around performing reconnaissance to identify vulnerabilities within the targeted systems. This approach often exploits weaknesses in commonly used office applications and operating systems. By targeting these widespread vulnerabilities, the attackers can maximize the impact of their attack, potentially compromising a vast number of devices within an organization.

Phishing emails as observed by Veriti

****Why Education and Government Sectors are Vulnerable****

Educational institutions and government agencies often hold a treasure trove of sensitive data, making them prime targets for cybercriminals. This data can include student records, research findings, social security numbers, and other confidential information.

Moreover, schools have been identified as highly lucrative targets for cybercriminals. Both in the past and recently, hackers have targeted over 900 schools in the United States by exploiting the notorious MOVEit vulnerability.

A successful attack using Agent Tesla and Taskun could result in a significant data breach, causing immense financial loss, reputational damage, and even identity theft for affected individuals.

****How to Fight Back?****

Institutions can strengthen their cybersecurity defences against cyber threats by applying security patches promptly, educating users on cybersecurity awareness, and implementing a multi-layered security approach. Regularly patching vulnerabilities, providing cybersecurity awareness training, and implementing a multi-layered security approach can help protect sensitive data.

1.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Researchers Warn of New Microsoft Office 0-Day Flaw Follina
5.  NodeStealer Mimics ‘Microsoft’ to Hack Facebook, Browser Data

Agent Tesla and Taskun Malware Targeting US Education and Govt Entities

The volume of malicious cyber activity against the Philippines quadrupled in the first quarter of 2024 compared to the same period in 2023.

Source: robertharding via Alamy Stock Photo

A recent massive spike in cyber misinformation and hacking campaigns against the Philippines coincides with rising tensions between the country and its superpower neighbor China.

The cyberattacks consist of a combination of hack and leak (55%), distributed denial-of-service (10%), and misinformation and influence campaigns (35%), according to researchers at Resecurity who have been following the campaigns. The main targets are government (80%) and educational institutions (20%) in the Philippines, and these attacks — on police agencies, government ministries, and universities — and associated data leaks are sowing discontent in the country, according to the researchers.

This represents a four-fold (325%) increase in what the researchers identify as malicious cyber-espionage activity targeting the Philippines in the first quarter of 2024 compared to the same period last year. "The goal of this activity is to discredit the government and create chaos via cyberspace, as the Philippine population also relies on digital media channels and is active on social media networks," says Shawn Loveland, COO of Resecurity.

Resecurity has worked with authorities in the Philippines to trace back the source of attacks to online infrastructures in China and Vietnam. These "false flag" and "other territories" could be allies of China in such campaigns or provide them infrastructure for it, according to Resecurity.

**Fake News**

The goal of the cyberattacks correlates with disinformation campaigns spinning Chinese narratives on topics such as regional disputes about territories in the South China Sea.

In a blog post this month, Resecurity detailed the myriad of different groups associated with this collective activity. In one notable attack, a threat actor going by the alias "KryptonZambie" claimed to have obtained from unnamed sources over 152 gigabytes of stolen data containing Philippine citizen identity cards. Resecurity investigated this claim, which related to a post on Breach Forums, a Dark Web site, but found it unsubstantiated. The threat actor did not respond to any messages Resecurity investigators sent to a Telegram account used to publicize the supposed breach.

Other elements of the campaign involved posting an "audio deepfake" of Philippine President Ferdinand Marcos Jr. supposedly ordering military action against China. No such directive exists, according to authorities in the Philippines.

It’s not all fakery, however. Several of the groups covered by Resecurity's report — including  Philippines Exodus Security and DeathNote Hackers — ran attacks that led to a confirmed data breach.

**Not Real Hacktivists**

While some of this activity might resemble that of hactivists, Resecurity believes nation state-backed hackers from China or possibly North Korea (another regional adversary to the Philippines) are really to blame.

Resecurity has reported over 12 government organizations in the Philippines being targeted in the same timeframe — hallmarks of a well-organised co-ordinated attack by nation-state actors rather than independent hacktivists.

"Leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online," according to Resecurity.

Last year a Chinese state-linked advanced persistent threat (APT) group known as Mustang Panda hacked a Philippine government target via a simple side-loading technique. "This group has a strong focus on Philippines and \[is\] still active," according to Resecurity. Hacks by the group on Philippine government entities have been actively promoted via social media.

In April 2023, more than 800 gigabytes of both applicant and employee records from multiple state agencies — including the Philippine National Police (PNP), National Bureau of Investigation (NBI), Bureau of Internal Revenue (BIR), and Special Action Force (SAF) — were compromised.

This was followed in September by a breach and ransomware attack on the Philippine Health Insurance Corporation (PhilHealth) that led to the exposure of hospital bills, internal memos, and identification documents. There remains an ongoing investigation into the full extent of the leak, according to cyber threat detection firm Gatewatcher.

**Why Spy?**

China (and to a lesser extent North Korea) is the prime suspect in much of this malfeasance, according to both Resecurity and other threat intel experts.

"China is a far more complex and nuanced territory than generally portrayed. Its internal pressures are likely to lead to increased cyber-espionage activity, rather than slowing it down,"  says Ian Thornton-Trump, CISO at threat intel firm Cyjax.

"The PRC's approach to cyberspace has always been to use it to advance its business interests, extracting technologies from Western companies and creating a protected domestic market for these industries, giving them an advantage in the global market," Thornton-Trump notes.

Relations between China and the Philippines have deteriorated over recent months. Beijing condemned Filipino President Ferdinand Marcos Jr.'s congratulations to Taiwanese President-elect Lai following the latter's recent election. China regards Taiwan as a renegade province.

The Philippines has recently reaffirmed its strong alliance with the United States, announcing plans for "more robust" military activities with the US and its allies, much to the chagrin of China. In addition, the Philippines and China are in dispute over territorial claims involving islands and waters in the South China Sea.

**Incident Response**

The US, Japan, and the Philippines recently entered a cyber threat-sharing arrangement in the wake of rising attacks by China, North Korea, and Russia, a development likely to help the Philippines stay on top of the growing tide of cyberthreats.

Understanding the pattern of upsurge in malign cyber activity is the first step towards combatting it, experts say. "\[With\] a better understanding of the country's internal forces, and how these relate to its cyber strategy, we can plan better defenses against PRC cyber espionage," Cyjax's Thornton-Trump says.

Resecurity offered recommendations to safeguard both the populace and Philippine business from cyberattacks:

*   Accelerate digital identity protection of Philippine citizens — as hack and leak activity is putting their personal data at risk of being exposed.
    
*   Tighten Web application security by implementing WAFs (web application firewalls) and ongoing vulnerability assessment and pen-testing automation procedures to detect and contain vulnerabilities before bad actors exploit them.
    
*   Create fact-checking services online to combat disinformation and influence campaigns. Citizens should be offered a process for reporting suspicious online activity.
    

**About the Author(s)**

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Philippines Pummeled by Assortment of Cyberattacks &amp; Misinformation Tied to China

PRESS RELEASE

Montreal, Quebec, Canada – April 25, 2024 – Flare, a global leader in Threat Exposure Management, is pleased to announce that renowned cybersecurity expert Jason Haddix has joined the organization as Field CISO. 

Jason Haddix (aka @jhaddix) is CEO, hacker, and trainer for Arcanum Information Security, a world class and highly sought cybersecurity assessment and training company. Over his 20-year career in cybersecurity, Jason has held numerous high profile roles, including as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. 

Jason is well-known throughout the cybersecurity community, having authored a number of talks on offensive security methodology. Over the years he has spoken at many high profile security conferences, including DEFCON, BSides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, and Toorcon.

"We are excited to welcome Jason to the Flare team as a strategic advisor. His exceptional background, depth of knowledge, and vision in cyber make him the perfect fit to help us accelerate our expansion and recognition as a leader in Threat Exposure Management,” said Flare CEO Norman Menz. “Jason’s appointment reaffirms our commitment to staying one step ahead in the continually evolving cyber threat landscape, and to maintaining the highest security standards for our clients." 

In his strategic advisory role as Field CISO, Jason will leverage his deep industry expertise to forge connections within the cybersecurity community, and will help guide Flare’s security strategies and product vision. Jason’s diverse background will bring fresh perspectives and help enrich Flare's approach to addressing critical security challenges and shaping strategic initiatives.

"Joining Flare offers me a unique opportunity to contribute to the company’s mission of excellence in Cyber Threat Exposure Management, while also continuing my commitment to Arcanum,” said Jason. “I’m excited to share my experience and work alongside Flare's talented team to drive forward-looking security initiatives and cutting-edge product features. I’m looking forward to being an integral part of Flare’s commitment to protecting customers and leveling the playing field for defenders in the cyber security realm.”

To learn more about the rest of the team driving Flare’s growth in the Threat Exposure Management space, visit https://flare.io/company/team/. 

About Flare

Flare is at the forefront of Threat Exposure Management, delivering AI-driven solutions that provide comprehensive, real-time threat analysis and remediation. With its advanced technology, Flare offers a proactive approach to cybersecurity, scanning the online world, including the clear and dark web, to identify, prioritize, and address potential threats swiftly and efficiently. For more information, visit https://flare.io.

Jason Haddix Joins Flare As Field CISO

The business intelligence servers contain vulnerabilities that Qlik patched last year, but which Cactus actors have been exploiting since November. Swathes of organizations have not yet been patched.

Source: S. Bonaime via Shutterstock

Nearly five months after security researchers warned of the Cactus ransomware group leveraging a set of three vulnerabilities in Qlik Sense data analytics and business intelligence (BI) platform, many organizations remain dangerously vulnerable to the threat.

Qlik disclosed the vulnerabilities in August and September. The company's August disclosure involved two bugs in multiple versions of Qlik Sense Enterprise for Windows tracked as CVE-2023-41266 and CVE-2023-41265. The vulnerabilities, when chained, give a remote, unauthenticated attacker a way to execute arbitrary code on affected systems. In September, Qlik disclosed CVE-2023-48365, which turned out to be a bypass of Qlik's fix for the previous two flaws from August.

Gartner has ranked Qlik as one of the top data visualization and BI vendors in the market.

**Continued Exploitation of Qlik Security Bugs**

Two months later, Arctic Wolf reported observing operators of Cactus ransomware exploiting the three vulnerabilities to gain an initial foothold in target environments. At the time, the security vendor said it was responding to multiple instances of customers encountering attacks via the Qlik Sense vulnerabilities and warned of the Cactus group campaign as being rapidly developing.

Even so, many organization appear not to have received the memo. A scan by researchers at Fox-IT on April 17 uncovered a total of 5,205 Internet-accessible Qlik Sense servers, of which 3,143 servers were still vulnerable to Cactus group's exploits. Of that number, 396 servers appeared to be located in the US. Other countries with a relatively high number of vulnerable Qlik Sense servers include Italy with 280, Brazil with 244 and Netherlands and Germany with 241 and 175 respectively.

Fox-IT is among a group of security organizations in the Netherlands — including the Dutch Institute for Vulnerability Disclosure (DIVD) — working collaboratively under the aegis of an effort called Project Melissa, to disrupt Cactus group operations.

Upon discovering the vulnerable servers, Fox-IT relayed its fingerprints and scan data to DIVD, which then began contacting administrators of the vulnerable Qlik Sense servers about their organization's exposure to potential Cactus ransomware attacks. In some instances, DIVD sent the notifications out directly to potential victims while in others the organization attempted to relay the information to them via their respective country computer emergency response teams.

**Security Orgs Are Notifying Potential Cactus Ransomware Victims**

The ShadowServer Foundation is also reaching out to at-risk organizations. In a critical alert this week, the nonprofit threat intelligence service described the situation as one where a failure to remediate could leave organizations at a very high likelihood of compromise.

"If you receive an alert from us on a vulnerable instance detected in your network or constituency, please also assume compromise of your instance and possibly your network," ShadowServer said. "Compromised instances are determined remotely by checking for the presence of files with .ttf or .woff file extension."

Fox-IT said it had identified at least 122 Qlik Sense instances as likely compromised via the three vulnerabilities. Forty-nine of them were in the US; 13 in Spain; 11 in Italy; and the rest scattered across 17 other countries. "When the indicator of compromise artefact is present on a remote Qlik Sense server, it can imply various scenarios," Fox-IT said. It could for instance, suggest that the attackers executed code remotely on the server, or it could simply be an artifact from a previous security incident.

"It's crucial to understand that 'already compromised' can mean that either the ransomware has been deployed and the initial access artifacts left behind were not removed, or the system remains compromised and is potentially poised for a future ransomware attack," Fox-IT said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of Qlik Sense Servers Open to Cactus Ransomware

The semiconductor manufacturing giant's security team describes how hardware hackathons, such as Hack@DAC, have helped chip security by finding and sharing hardware vulnerabilities.

Source: kawin ounprasertsuk via Alamy Stock Photo

Ever since the first Hack@DAC hacking competition in 2017, thousands of security engineers have helped discover hardware-based vulnerabilities, develop mitigation methods, and perform root cause analysis of issues found.

Intel initially decided to organize the competition, which draws security professionals from academia and industry partners around the world, to raise awareness about hardware-based vulnerabilities and to promote the need for more detection tools, says Arun Kanuparthi, a principal engineer and offensive security researcher at Intel. Another goal behind Hack@DAC, capture-the-flag competitions, and other hackathonsis to draw the attention of chip designers, to motivate them to design silicon more securely, he says.

"There is very little awareness of hardware security weaknesses in general," says Kanuparthi, who spoke about lessons Intel learned from years running Hack@DAC at the recent Black Hat Asia conference in Singapore. "And we thought, really, how can we get this awareness amongst the security research community?"

"If you look at software, there are lots of tools for security, with software or firmware, but when you look at hardware, there are really only a handful of EDA or electronic design automation tools," Kanuparthi says.

These kinds of events are effective for bringing people together to find vulnerabilities and share their knowledge. CTFs are established methods for teaching and learning new skills and best practices. Intel also believes it is important to give students "an experience of what it feels like to be a security researcher at a design company," says Kanuparthi.

Intel is now accepting entries for the 2024 Hack@DAC, which will take place in June in San Francisco.

**Tackling Hard Problems**

When Intel first organized Hack@DAC, there was no standard design or open-source platform for discovering or sharing information on hardware vulnerabilities, says Hareesh Khattri, a principal engineer for offensive security research at Intel. That has changed with Intel’s collaboration with Texas A&M University and Technical University of Darmstadt in Germany. The professors and students took open-source projects and inserted existing hardware vulnerabilities to create a common framework for detecting them and new ones.

"And now a lot of hardware security research papers have also started citing this work," Khattri says.

In 2020, Intel joined other semiconductor manufacturers in aligning with MITRE’s Common Weakness Enumeration (CWE) team, which lists and classifies potential vulnerabilities in software, hardware and firmware to bring more focus to hardware.  It was an attempt to address a gap, since MITRE only maintained software weakness types, and CWE fell short of addressing root cause analyses of hardware vulnerabilities, Kanuparthi recalls.

"If a hardware issue was identified, \[the CWE\] would be tagged with some generic catch-all kind of \[alert that said\] there’s a problem or the system does not work as expected," Kanuparthi says. "But now there is a design view for hardware which you can root cause that this is specifically the problem. And that has largely been the output of some of the work that we have been doing that led to hack attack and the creation of the hybrid CWE."

As semiconductor manufacturers accelerate their focus on adding designs that can support new AI capabilities, security researchers are looking to identify weaknesses even closer to hardware design, Khattri adds. That has accelerated interest in new efforts like the Google-contributed OpenTitan Project, an open-source reference design and integration guidelines for securing root of trust RoT chips.

The efforts behind Hack@DAC and Intel’s work with MITRE on CWE have led to improved tooling, Khattri says. For example, hardware vulnerability assessment tool provider Cycuity (which uses OpenTitan as a benchmark for how its tool measures CWEs) claims its Radix can now identify 80% of known hardware weaknesses in the CWE database.

"We’ve seen a lot of progression in this space compared to when we started it," Khattri says. "Now, a lot of security research communities’ focus has gone towards trying to identify weaknesses that are closer to the hardware design."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Intel Harnesses Hackathons to Tackle Hardware Vulnerabilities

You can't thinking about inclusion in the workplace without first understanding what kinds of exclusive behaviors prevent people from advancing in their careers.

Source: Jose Luis Stephens via Alamy

Most of us do not want to be excluded at work – especially if we are trying to innovate, collaborate, and make a meaningful impact in our role. Making connections with colleagues, ensuring you are invited to key meetings, and getting face time with important executives in the company are all essential elements to learning and growing in an organization. But systemic exclusion is a troubling reality for many in the cybersecurity industry.

Olivia Rose, at IANS Research faculty member and CISO/founder of Rose CISO Group, is a 17-year CISO and industry veteran. She has experienced exclusionary practices based on her gender throughout her career.

"I believe the interference is rooted in making assumptions about women," Rose says. "When I got married years ago and was in cybersecurity consulting, a leader told my manager to keep my workload light for a few months as I would surely be planning my wedding. I've not been invited to happy hours and to company trips as I have kids and who would watch them? Whether it's intentional or not, making assumptions about women and the various roles we play puts us into a box where it's just another hurdle we need to overcome to be regarded equally."

Women are five times more likely to report exclusion from direct managers and peers, according to Women in CyberSecurity's (WiCyS) "2023 State of Inclusion Benchmark in Cybersecurity Report." But exclusion is not just limited to gender. Individuals with disabilities and intersectional identities experience levels of workplace exclusion comparable to, or even exceeding, those related to gender, emphasizing the compounded impact of multiple differing identity traits.

**Microaggressions Are Subtle**

It’s not just about being left out of the room. Being on the receiving end of disrespectful behaviors, sexually inappropriate advances, and a lack of appreciation for skills and experience can also make it hard to advance in the workplace. These kinds of microaggressions are difficult to pin down, Rose says.

"I don't personally believe research can help much when it comes to understanding microaggressions and how they are the silent killer for women's careers," she says. "I speak from experience when I say that these microaggressions are so slight and menial that women can't go to HR to report them."

Rose recalls a corporate leader at one point in her career who would attempt to undermine her regularly during meetings by sharply blowing air out of his nostrils whenever she spoke.

"By itself, this doesn't mean anything," Rose says. "\[But\] add it to the multiple instances where I had seen this individual trying to cut me out of the picture, by sending emails 'forgetting' to copy me, and not providing requested information to my team, and the puzzle starts to come together. How do you even start to explain this, though, to your manager or HR?"

Rose advises managers she works with to take what employees say seriously and write down every instance of reported discrimination and exclusion to form a larger picture of a pattern of problematic behavior.

**Pressure in the Room Where It Happens**

Umaimah Khan, founder and CEO of identity security company Opal Security, says cybersecurity is more asymmetrical than other tech sectors, largely due to the emphasis on product development processes and sales-driven culture, which often targets executives. This high-risk and high-pressure environment amplifies biases and is resistant to change, says Khan, whose background is in academia and research labs before founding Opal.

Women are also pressured to be both business-savvy and technically adept in their roles, and assertiveness can be misconstrued as aggressiveness. This dichotomy can deter many from entering or remaining in the cybersecurity field, Khan says, noting that "they are not willing to go through pain and frustration and having to be second-guessed."

For her part, Khan strives to build a diverse team at Opal. But even under the best circumstances, she thinks resilience is an essential attribute for women to thrive. Women often need to prove themselves repeatedly and must develop a thick skin, she says.

"I think there is truth to having to be twice as good," Khan adds. "I found myself in my early days having to prove myself in those rooms. You have this feeling that \[you\] have to be right 100% of the time."

**Steps to Change and Improve Inclusion**

Exclusion is intricately intertwined with career issues, such as inadequate compensation and being passed over for promotions. Combating these issues requires communicating clearly with both peers and management, says Larci Robertson, a senior sales engineer at Obsidian Security. Document accomplishments and have metrics to demonstrate success, she suggests.

"Talk about pay with your peers," Robertson says. "Have a clear path to promotions and raises for people from management. Expectations and a pathway clearly communicated will take care of the, 'Why didn’t I get promoted over someone else?'"

Finally, find an internal mentor who can help shepherd you along the right path and get the kudos you deserve.

"It's very hard to learn and grow without an advocate," Robertson says.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Held Back: What Exclusion Looks Like in Cybersecurity

Though PAN originally described the attacks exploiting the vulnerability as being limited, they are increasingly growing in volume, with more exploits disclosed by outside parties.

Source: SOPA Images Limited via Alamy Stock Photo

Palo Alto Networks (PAN) is sharing updated remediation information regarding a max-critical vulnerability that is actively being exploited in the wild.

The vulnerability, tracked as CVE-2024-3400, has a CVSS vulnerability-severity score of 10 out of 10, and can allow an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall device, according to the update.

Present in PAN-OS 10.2, 11.0, and 11.1, the flaw was originally disclosed on April 12 after being discovered by researchers at Volexity.

PAN said that the number of attacks exploiting this vulnerability continue to grow and that "proof of concepts for this vulnerability have been publicly disclosed by third parties."

The company is recommending that customers upgrade to a fixed version of PAN-OS, such as PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions, as this will fully protect their devices. PAN has also released additional hotfixes for other deployed maintenance releases.

PAN recommends that in order to mitigate the issue fully, customers should take actions based on suspected activity. For instance, if there has been probing or testing activity, users should update to the latest PAN-OS hotfix, and secure running-configs, create a master key and elect AES-256-GCM. This is defined as there being either no indication of a compromise, or evidence that the vulnerability being tested for on the device (i.e., a 0-byte file has been created and is resident on the firewall, but there's no indication of any known unauthorized command execution).

"PAN-OS hotfixes sufficiently fix the vulnerability," according to the update. "Private data reset or factory reset is not suggested as there is no indication of any known unauthorized command execution or exfiltration of files."

However, if a file on the device has been copied to a location accessible via a Web request (in most cases, the file being copied is running\_config.xml, according to PAN), users should perform a private data reset, which eliminates risks of potential misuse of device data. And if there's evidence of interactive command execution (i.e., the presence of shell-based back doors, introduction of code, pulling files, running commands), PAN suggested doing a full factory reset.

Palo Alto Updates Remediation for Max-Critical Firewall Bug

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: security license mandates; a move to four-day remediation requirements; lessons on OWASP for LLMs.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   Kindervag Says: 5 Hard Truths About the State of Cloud Security 2024
    
*   MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
    
*   Lessons for CISOs From OWASP's LLM Top 10
    
*   Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software
    
*   Global: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros
    
*   Johnson & Johnson Spin-Off CISO on Maximizing Cybersecurity
    
*   SolarWinds 2024: Where Do Cyber Disclosures Go From Here?
    

**5 Hard Truths About the State of Cloud Security 2024**

By Ericka Chickowski, Contributing Writer, Dark Reading

Dark Reading talks cloud security with John Kindervag, the godfather of zero trust.

Most organizations aren't working with fully mature cloud security practices, despite almost half of the breaches originating in the cloud and almost $4.1 million lost to cloud breaches in the past year.

That's a big problem, according to the godfather of zero trust security, John Kindervag, who conceptualized and popularized the zero-trust security model as an analyst at Forrester. He tells Dark Reading that there are some hard truths to face in order to turn things around.

1\. You don't become more secure just by going to the cloud: The cloud is not innately more secure than most on-premises environments: hyperscale cloud providers may be very good at protecting infrastructure, but the control and responsibility they have over their customers' security posture is very limited. And the shared responsibility model doesn't really work.

2\. Native security controls are hard to manage in a hybrid world: Quality is inconsistent when it comes to offering customers more control over their workloads, identities, and visibility, but security controls that can be managed across all the multiple clouds are elusive.

3\. Identity won't save your cloud: With so much emphasis placed on cloud identity management and disproportionate attention on the identity component in zero trust, it's important for organizations to understand that identity is only part of a well-balanced breakfast for zero trust in the cloud.

4\. Too many firms don't know what they're trying to protect: Each asset or system or process will carry its own unique risk, but organizations lack a clear idea of what is in the cloud or what connects to the cloud, let alone what needs protecting.

5\. Cloud-native development incentives are out of whack: Too many organizations simply do not have the right incentive structures for developers to bake in security as they go — and, in fact, many have perverse incentives that end up encouraging insecure practice. "I like to say that the DevOps app people are the Ricky Bobbys of IT. They just want to go fast," Kindervag says.

Read more: 5 Hard Truths About the State of Cloud Security 2024

Related: Zero Trust Takes Over: 63% of Orgs Implementing Globally

**MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs**

By Nate Nelson, Contributing Writer, Dark Reading

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Whatever their goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

Read more: MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Related: Top MITRE ATT&CK Techniques & How to Defend Against Them

**Lessons for CISOs From OWASP's LLM Top 10**

Commentary by Kevin Bocek, Chief Innovation Officer, Venafi

It's time to start regulating LLMs to ensure they're accurately trained and ready to handle business deals that could affect the bottom line.

OWASP recently released its top 10 list for large language model (LLM) applications, so developers, designers, architects, and managers now have 10 areas to clearly focus on when it comes to security concerns.

Almost all of the top 10 LLM threats center around a compromise of authentication for the identities used in the models. The different attack methods run the gamut, affecting not only the identities of model inputs but also the identities of the models themselves, as well as their outputs and actions. This has a knock-on effect and calls for authentication in the code-signing and creating processes to halt the vulnerability at the source.

While more than half of the top 10 risks are ones that are essentially mitigated and calling for the kill switch for AI, companies will need to evaluate their options when deploying new LLMs. If the right tools are in place to authenticate the inputs and models, as well as the models' actions, companies will be better equipped to leverage the AI kill-switch idea and prevent further destruction.

Read more: Lessons for CISOs From OWASP's LLM Top 10

Related: Bugcrowd Announces Vulnerability Ratings for LLMs

**Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software**

By Rob Lemos, Contributing Writer, Dark Reading

Attackers will likely use software bills-of-material (SBOMs) for searching for software potentially vulnerable to specific software flaws.

Government and security-sensitive companies are increasingly requiring software makers to provide them with software bills of material (SBOMs) to address supply-chain risk — but this is creating a new category of worry.

In a nutshell: An attacker who determines what software a targeted company is running, can retrieve the associated SBOM and analyze the application's components for weaknesses, all without sending a single packet, says Larry Pesce, a director for product security research and analysis at software supply-chain security firm Finite State.

He's a former penetration tester of 20 years who plans to warn about the risk in a presentation on "Evil SBOMs" at the RSA Conference in May. He will show that SBOMs have enough information to allow attackers to search for specific CVEs in a database of SBOMs and find an application that is likely vulnerable. Even better for attackers, SBOMs will also list other components and utilities on the device that the attacker could use for "living off the land" post-compromise, he says.

Read more: Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

Related: Southern Company Builds SBOM for Electric Power Substation

**Global: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros**

By Robert Lemos, Contributing Writer, Dark Reading

Malaysia, Singapore, and Ghana are among the first countries to pass laws that require cybersecurity firms — and in some cases, individual consultants — to obtain licenses to do business, but concerns remain.

Malaysia has joined at least two other nations — Singapore and Ghana — in passing laws that require cybersecurity professionals or their firms to be certified and licensed to provide some cybersecurity services in their country.

While the legislation's mandates have yet to be determined, "this will likely apply to service providers that provide services to safeguard information and communications technology device of another person — \[for example\] penetration testing providers and security operation centers," according to Malaysia-based law firm Christopher & Lee Ong.

Asia-Pacific neighbor Singapore has already required the licensing of cybersecurity service providers (CSPs) for the past two years, and the West African nation of Ghana, which requires the licensing and the accreditation of cybersecurity professionals. More widely, governments such as the European Union have normalized cybersecurity certifications, while other agencies — such as the US state of New York — require certification and licenses for cybersecurity capabilities in specific industries.

However, some experts see potentially dangerous consequences from these moves.

Read more: Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity Pros

Related: Singapore Sets High Bar in Cybersecurity Preparedness

**J&J Spin-Off CISO on Maximizing Cybersecurity**

By Karen D. Schwartz, Contributing Writer, Dark Reading

How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.

Johnson & Johnson's Mike Wagner helped shape the Fortune 100 company's security approach and security stack; now, he's the first CISO of J&J's year-old consumer healthcare spinoff, Kenvue, tasked with creating a streamlined and cost-effective architecture with maximum security.

This article breaks down the steps that Wagner and his team worked through, which include:

Define key roles: Architects and engineers to implement tools; identity and access management (IAM) experts to enable secure authentication; risk management leaders to align security with business priorities; security operations staff for incident response; and dedicated staff for each cyber function.

Embed machine learning and AI: Tasks include automating IAM; streamlining supplier vetting; behavioral analysis; and improving threat detection.

Choose which tools and processes to retain, and which to replace: While J&J's cybersecurity architecture is a patchwork of systems created by decades of acquisitions; tasks here included inventorying J&J's tools; mapping them to Kenvue's operating model; and identifying new needed capabilities.

Wagner says there is more to do. Next, he plans to lean into modern security strategies, including adoption of zero trust and enhancement of technical controls.

Read more: J&J Spin-Off CISO on Maximizing Cybersecurity

Related: A Peek into Visa's AI Tools Against Fraud

**SolarWinds 2024: Where Do Cyber Disclosures Go From Here?**

Commentary by Tom Tovar, CEO & Co-Creator, Appdome

Get updated advice on how, when, and where we should disclose cybersecurity incidents under the SEC's four-day rule after SolarWinds, and join the call to revamp the rule to remediate first.

In a post-SolarWinds world, we should move to a remediation safe harbor for cybersecurity risks and incidents. Specifically, if any company remediates the deficiencies or attack within the four-day time frame, it should be able to (a) avoid a fraud claim (i.e., nothing to talk about) or (b) use the standard 10Q and 10K process, including the Management Discussion and Analysis section, to disclose the incident.

On Oct. 30, the SEC filed a fraud complaint against SolarWinds and its chief information security officer, alleging that even though SolarWinds employees and executives knew about the increasing risks, vulnerabilities, and attacks against SolarWinds' products over time, "SolarWinds' cybersecurity risk disclosures did not disclose them in any way."

To help prevent liability issues in these situations, a remediation safe harbor would allow companies a full four-day time frame to evaluate and respond to an incident. Then, if remediated, take the time to disclose the incident properly. The result is more emphasis on cyber response and less impact to a company’s public stock. 8Ks could still be used for unresolved cybersecurity incidents.

Read more: SolarWinds 2024: Where Do Cyber Disclosures Go From Here?

Related: What SolarWinds Means for DevSecOps

CISO Corner: Evil SBOMs; Zero-Trust Pioneer Slams Cloud Security; MITRE's Ivanti Issue

Ubuntu Security Notice 6751-1 - It was discovered that Zabbix incorrectly handled input data in the discovery and graphs pages. A remote authenticated attacker could possibly use this issue to perform reflected cross-site scripting attacks.

==========================================================================

Ubuntu Security Notice USN-6751-1

April 25, 2024

zabbix vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Zabbix could allow reflected cross-site scripting (XSS) attacks.

Software Description:  
- zabbix: Open-source monitoring software tool for diverse IT components

Details:

It was discovered that Zabbix incorrectly handled input data in the  
discovery and graphs pages. A remote authenticated attacker could possibly  
use this issue to perform reflected cross-site scripting (XSS) attacks.  
(CVE-2022-35229, CVE-2022-35230)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS (Available with Ubuntu Pro):  
   zabbix-agent                    1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-frontend-php             1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-java-gateway             1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-proxy-mysql              1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-proxy-pgsql              1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-proxy-sqlite3            1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-server-mysql             1:4.0.17+dfsg-1ubuntu0.1~esm1  
   zabbix-server-pgsql             1:4.0.17+dfsg-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   zabbix-agent                    1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-frontend-php             1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-java-gateway             1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-proxy-mysql              1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-proxy-pgsql              1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-proxy-sqlite3            1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-server-mysql             1:3.0.12+dfsg-1ubuntu0.1~esm3  
   zabbix-server-pgsql             1:3.0.12+dfsg-1ubuntu0.1~esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   zabbix-agent                    1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-frontend-php             1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-java-gateway             1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-proxy-mysql              1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-proxy-pgsql              1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-proxy-sqlite3            1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-server-mysql             1:2.4.7+dfsg-2ubuntu2.1+esm3  
   zabbix-server-pgsql             1:2.4.7+dfsg-2ubuntu2.1+esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   zabbix-agent                    1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-frontend-php             1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-java-gateway             1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-proxy-mysql              1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-proxy-pgsql              1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-proxy-sqlite3            1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-server-mysql             1:2.2.2+dfsg-1ubuntu1+esm5  
   zabbix-server-pgsql             1:2.2.2+dfsg-1ubuntu1+esm5

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6751-1   
<https://ubuntu.com/security/notices/USN-6751-1>  
   CVE-2022-35229, CVE-2022-35230

Tag

#auth