PRESS RELEASE

LAS VEGAS, Oct. 30, 2024 /PRNewswire/ -- MONEY 20/20 --  AU10TIX, a global technology leader in identity verification and management, today released its Q3 2024 Global Identity Fraud Report at Money 20/20 USA in Las Vegas. Drawing insights from millions of transactions processed around the globe from July to September 2024, the report uncovers significant trends in large-scale organized identity fraud. This quarter, automated bot attacks targeting social media platforms surged in the lead-up to next week's US presidential election, with the sector accounting for 28% of all attacks in Q3, up from just 3% in Q1. The report also reveals a faster-than-anticipated leap in the sophistication of AI-powered impersonation bots and deepfake technology, including synthetic selfies that have shown the ability to bypass some leading verification systems.

Rapid developments in AI technology have enabled the industrialization of identity fraud, with bad actors launching automated mega-attacks of thousands of false identities targeting payments, crypto and social media companies all over the world. In Q3, AU10TIX observed an especially high number of bot attacks combined with deepfake content in attempts to open fake social media accounts at scale. Some of the attacks appeared to incorporate advanced randomized GenAI elements, marking a new level of automated detection evasion. This rapid growth began in March 2024 and peaked in September, with outlets like Associated Press reporting on bots spreading disinformation and manipulating public perception in the weeks leading up to the US election.

Another major Q3 development involved the debut of synthetic selfies. Selfies have historically been one of the least-used methods of fraud, due to the difficulty of outsmarting facial matching tech. However, fraudsters are now exploiting extremely sophisticated technology to create 100% deepfaked "selfies" that match the synthetic IDs they use to trick automated KYC processes.

"Fraudsters are evolving faster than ever, leveraging AI to scale and execute their attacks, especially in the social media and payments sectors," said Dan Yerushalmi, CEO of AU10TIX. "While companies are using AI to bolster security, criminals are weaponizing the same technology to create synthetic selfies and fake documents, making detection almost impossible. The only way to detect this type of fraud is by analyzing behavior at the traffic level, as AU10TIX does with our Serial Fraud Monitor. We are committed to continually advancing our detection methods to protect customers against this rapid evolution of fraud tactics, using a combination of advanced AI, biometric verification, and deepfake detection."

In addition to the increase in synthetic selfies, AU10TIX reported a 20% rise in the use of "image template" attacks by bad actors. This trend suggests that AI is being used to rapidly create variations of synthetic identities—including photos, document numbers, and other personal information—using the same ID template. The regional hotspots driving this change are APAC and North America; the surges have not been observed in other regions.

On a more positive note, fraud rates in the payments sector dropped from 52% in Q2 to 39% in Q3, which AU10TIX attributes to increased self-regulation and law enforcement interventions. Although the payments industry continued to be the most targeted segment, discouraged fraudsters shifted their attention to less regulated sectors like the crypto market, which accounted for 31% of Q3 attacks.

AU10TIX's Q3 2024 Global Identity Fraud Report offers three actionable insights to help organizations protect against identity fraud:

*   Adopt Behavior-Based Detection: Traditional document verification alone isn't enough. To catch today's sophisticated fraudsters, organizations must analyze user behavior and traffic patterns.
    
*   Use AI to Combat AI: As fraudsters deploy AI to scale attacks, it is critical to leverage AI-driven solutions to keep pace with these threats.
    
*   Be Ready for Synthetic Selfies: The rise in synthetic selfies means that relying on traditional KYC methods may no longer be effective. Organizations must enhance their detection systems to spot these new forms of fraud.
    

About AU10TIX   
AU10TIX plays a pivotal role in establishing trust between individuals/companies and digital systems. Founded in 2002, it is the global leader in identity verification and management, protecting the world's largest brands against advanced fraud. The company's future-proof product portfolio helps businesses provide frictionless customer onboarding and verification in 4-8 seconds while staying ahead of emerging threats and evolving regulatory requirements. AU10TIX offers the world's only 100% automated global identity management system, as well as the industry's only solution that can detect organized mass attacks by analyzing traffic patterns and cross-checking data in a consortium of more than 60 major companies. With its deep roots in airport security, AU10TIX has authenticated billions of identities and prevented over $18 billion in identity fraud. AU10TIX is a subsidiary of ICTS International N.V. (OTCQB: ICTSF). Connect with AU10TIX on LinkedIn and on X at @AU10TIXLimited. For more information, visit AU10TIX.com.

AU10TIX Q3 2024 Global Identity Fraud Report Detects Skyrocketing Social Media Attacks

OWASP has released guidance materials addressing how to respond to deepfakes, AI security best practices, and how to secure open source and commercial generative AI applications.

Source: Jozef Sedmak via Alamy Stock Photo

The Open Worldwide Application Security Project (OWASP) has announced new security guidance materials to help organizations identify and manage the risks associated with the adoption, deployment, and management of large language models (LLMs) and generative artificial intelligence (GenAI) applications. 

The guidance is part of the OWASP Top 10 for LLM Application Security Project, a global, community-led open source project. Since its inception in 2023, the group has released research, guidance, and resource materials to help organizations develop a comprehensive strategy encompassing governance, collaboration, and practical tools.

*   The "Guide for Preparing and Responding to Deepfake Events" illustrates the problems posed by "hyper-realistic digital forgeries." An outgrowth of the AI Cyber Threat Intelligence initiative, this resource combines practical and pragmatic defense strategies to help organizations stay secure as deepfake technology improves. 
    
*   The "Center of Excellence Guide" helps businesses establish best practices and frameworks for creating AI security practices. The guidance helps organizations establish systems for risk management and interdepartmental coordination among security, legal, data science, and operations teams, as well as how to develop and enforce security policy and educate staff on AI security.
    
*   The "AI Security Solution Landscape Guide" is a broad reference on how to secure both open source and commercial LLM and GenAI applications. It categorizes existing and emerging security products and gives guidance on how to think about risks identified in the Top 10 list.
    

The project brings together more than 500 cybersecurity and AI experts from companies and organizations around the world to identify LLM vulnerabilities and mitigations. In early 2024, the project expanded its focus to include strategic stakeholders, like CISOs and compliance officers, in addition to developers, data scientists, and other security practitioners.

"We're two years into the generative AI boom, and attackers are using AI to get smarter and faster," said Steve Wilson, project lead for the OWASP Top 10 for LLM Project, in a statement. "Security leaders and software developers need to do the same. Our new resources arm organizations with the tools they need to stay ahead of these increasingly sophisticated threats."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

OWASP Releases AI Security Guidance

Misconfigurations, weak authentication, and logic flaws are among the main drivers of API security risks at many organizations.

Source: Who is Danny via Shutterstock

Security vulnerabilities in the application programming interfaces (APIs) powering modern digital services and applications have emerged as a major threat to enterprise systems and data.

A recent report from Wallarm shows a 21% increase in API-related flaws between this year's second and third quarters. Nearly one-third (32%) were associated with cloud infrastructure and cloud-native applications and services. In addition to the increased volume, a high proportion of the vulnerabilities that Wallarm reviewed had severity scores of 7.5 or higher, indicating growing risk for organizations from API use.

"In Q3 we saw API breaches driven by authentication and authorization issues, leaked API data, and classic injection attacks," says Wallarm founder and CEO Ivan Novikov.

Significantly, while many of the vulnerabilities in OWASP's list of Top 10 API vulnerabilities are server-focused, Wallarm's data shows an uptick in client-side flaws, like OAuth misconfiguration and cross-site issues, Novikov says.

"It's concerning because defenders are resource-constrained and need to focus on the most important types of attacks," he says.

A continuing enterprise emphasis on API integration and functionality — over security — is exacerbating the issue. Just 37% of organizations have formally incorporated security testing into their API life cycle management practices, a study by Postman found earlier this year.

"APIs are now a top target for malicious actors, making security and observability critical," the report noted.

What are the major contributors to API security risks? And what should organizations be doing to mitigate them?

**Misconfigured APIs**

Many API security issues in recent years have stemmed from relatively easily avoidable misconfigurations. Common examples include inadequate authentication and authorization, lack of input validation, improper rate limiting, inadequate logging and monitoring, and the exposure of sensitive data through error messages. Such misconfigurations can have severe consequences.

For instance, Broken Object Level Authorization — when an API does not properly validate user access to resources — can allow attackers to manipulate object IDs to access unauthorized data, says Ankit Sobti, co-founder and CTO of Postman. Similarly, Broken User Authentication vulnerabilities — when an API fails to enforce proper authentication — often allow attackers to bypass authentication checks and gain unauthorized access to endpoints.

Organizations can mitigate these issues by implementing security best practices, such as strict authorization checks, role-based access control, multifactor authentication, server-side data filtering, and reviewing API responses for unnecessary data.

"Without proper rate limiting, APIs become vulnerable to abuse through techniques like brute-force attacks or denial-of-service attacks, which can overwhelm the service," Sobti stresses.

The vast majority of API-related breaches over the past few years have resulted from poor posture governance, says Nick Rago, field CTO at Salt Security. In many instances, "the barrier to breach was pretty low, and the attacker did not need any herculean effort to take advantage of a misconfigured API."

Rago attributes the problem to a lack of proper oversight over API development and management.

Building a governance framework around the creation of a corporate posture standard is an important first step, he says. To alleviate risks, organizations need to implement capabilities for discovering API assets, assessing their security posture, and remediating noncompliance as needed, Rago adds.

**Badly Designed APIs**

Poorly designed APIs are another major driver of API security incidents; these APIs do everything they are supposed to do, except in a manner that an adversary can take advantage of, Rago says.

"Think of APIs that return more information than an application needs or APIs that can be scraped for information over time," he explains.

Other examples include APIs that use unvalidated SQL inputs, expose implementation details, are too complex and bloated, handle errors in an insecure manner, or have inconsistent naming and structure.

In addition, a poorly designed API can sometimes ignore business logic inconsistencies, Rago says. Examples include ecommerce APIs that allow users to manipulate prices or make modifications that enable overly permissive access to accounts and transactions. Imperva's "State of API Security 2024" report, in fact, identified business logic abuse as last year's top attack on APIs. These attacks accounted for 27% of all API related attacks in 2023, an increase of some 10% over the prior year.

"Both abuse of badly designed APIs or attacks leveraged against a business logic vulnerability can be addressed by leveraging specialized behavioral threat protection that can decipher not just anomalous usage but discern malicious intent behind an API consumer," Rago notes.

As Imperva vice president of API security Lebin Cheng wrote in an op-ed earlier this year, poorly made API design decisions can have a lasting impact on organizations and their customers. APIs, for instance, could cause serious performance bottlenecks if developers fail to consider scalability requirements when designing them. Similarly, by focusing mostly on business needs, developers can often overlook common security issues, such as buffer overflow errors, during design time, Cheng wrote. 

"The issue of poor API design is further compounded by the fact that there are no strict standards for how APIs should be designed," he said. "This leaves it up to individual developers to determine the best way to implement and develop APIs, which means that poor design decisions can easily slip through the cracks."

**Lack of Visibility**

APIs have emerged as a top attack vector for threat actors because of their near ubiquitous use. Imperva's research showed organizations, on average, have 613 API endpoints per account. The security vendor found API traffic to account for 71% of all Web traffic in 2023, with the average enterprise making 1.5 billion API calls per year.

Despite the proliferating use and corresponding risk exposure, many organizations don't have enough visibility over their APIs.

"New methods are required to discover and test APIs," says Kimm Yeo, solutions manager at Black Duck.

Organizations need to start thinking about API security in a more proactive manner, Yeo advocates. That means implementing capabilities to discover and inspect APIs earlier in the software development life cycle, she says. The goal should be to ensure APIs and applications are continuously tested before they get into production.

"Today's API security solutions largely focus on implementing API discovery during production, \[where\] any critical alerts produced are difficult to trace to the code," she says. This can make it impossible for developers to fix identified issues, Yeo adds.

The pressing issue for most organizations is their lack of inventory of all externally facing APIs, says Krishna Vishnubhotla, vice president of product strategy at Zimperium.

"It's critical to act quickly as bad actors are exploiting this gap," he says. "The first step is to urgently discover and inventory all these public APIs, followed by immediate measures to secure them.

**Inadequate Security Testing**

Many organizations are failing to prioritize API security adequately and often underestimate the unique risks APIs pose. Postman's survey found just 37% of organizations currently do automated scanning and regular penetration tests to try and catch API vulnerabilities earlier in the development life cycle. Relatively few have integrated security testing and checks in their API development process or centralized API monitoring capabilities.

Organizations that embrace API-first strategies — where APIs are a priority focus during the software planning, design, architecture, and development process — are seeing better success on the API security front, says Salt Security's Rago.

"Those organizations typically enforce 'spec-first development,' meaning an API must be 'blueprinted' with Swagger or OAS and approved before a line of code is written," he says. "You need to blueprint the hospital first and validate its construction against the plan before you let patients in. Seems obvious, but in most organizations that is still not the way it works."

API risks fall under two big categories: access and availability, Wallarm's Novikov says. Attackers either gain access to something they shouldn't or they can take an API offline by impacting its availability.

"There are lots of technical details about how they might accomplish these objectives, but they all bubble up to these two outcomes," Novikov says.

At a high level, the key protections against these risks are strong authentication and authorization across all API endpoints, he says.

"That means knowing all the APIs you have, which should require authentication, strictly checking authorization on the server side, and implementing advanced rate limiting to slow attackers down," he advises. "These mitigations are best practices, but that doesn't mean they're common practices."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

4 Main API Security Risks Organizations Need to Address

As organizations centralize IT security, the risk of espionage is silently becoming a more profitable threat.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

In recent years, large-scale financial and reputational damages have taught organizations the value of IT security. From corporations to universities, many organizations employ advanced security measures, such as implementing multifactor authentication, conducting regular ISO 27001 audits, providing social engineering training, and even conducting penetration tests and red-team exercises. Beyond this, to prevent unaffiliated devices from roaming freely in their networks, many organizations ask individuals to register their devices and apply security policies on them, such as using complex passwords. 

This is where the game suddenly changes: Security decisions being centralized completely to the organization's IT team poses significant risks. Specifically, our key argument is that this issue will likely increase the use of espionage techniques to compromise systems. 

Consider the following scenario: An executive of a large organization enrolls in a part-time master's program. To access university resources and emails, she connects her personal Windows laptop to the university's network (i.e., Settings > Accounts > Access work or school). Now, her laptop is managed by the university's mobile device management (MDM) system. If she asks about this, the IT team will assure her that this setup is mainly for ensuring updates and strong password policies — and this is all true. 

But what she probably will not be told is that now they have the technical capability to do much more. Many IT teams self-impose limitations on what they can do bring-your-own-device (BYOD) situations to respect user privacy. However, these limitations are policy-based and can easily be reconfigured by a rogue employee. For instance, if such an individual decides to install a program, wipe her disks, or run a script to steal her files, they can adjust the MDM policies to do so. Worse yet, an IT team member who has gone rogue is not only able to do anything she can do on her machine but can also do anything she can do on her company's network. 

**Risk Across Sectors**

While we used the example of a university in this case, obviously this scenario is not limited to educational institutions; The same risks exist across sectors such as healthcare, corporations, and even gaming. Whenever an IT team is allowed to centrally control IT security, such as through an MDM system, there is potential for abuse. 

Given this, traditional espionage techniques — in particular, planting an employee into the IT team or broader organization — become a viable model for criminal enterprises. In fact, unlike most other criminal endeavors that offer similar levels of potential monetary gains (e.g., stealing from a bank), this is not only less risky but also requires much less personnel (e.g., just one individual who deceives their way into the IT team). 

This is because, in most cases, espionage completely bypasses security controls, by capitalizing on the trust placed in IT teams. In contrast, trying to hack into a hardened system comes with all kinds of hurdles. For instance, you can try to use a zero-day exploit, but it would cost exorbitant amounts of money. Exploit brokers such as Zerodium pay large sums (e.g., $2.5 million) to buy a zero-day, and then add their profits to the sum while selling it. In contrast, the price of planting a spy, especially within a lower-risk environment like a school or public hospital, is significantly lower. Furthermore, planting a spy in the organization can provide information and access for extended periods. 

Therefore, this trend toward centralized IT control makes the use of industrial spies a more profitable and less risky proposition. After all, how many organizations — let alone universities, schools, or public hospitals — can effectively root out a highly trained professional spy embedded within their IT team? 

Furthermore, this centralization trend is expanding beyond enterprise environments. For example, many multiplayer games employ anti-cheating measures that operate at the kernel level, granting full access to the gaming company's IT team. One way to hack hundreds of thousands of users, therefore, is hiring a sophisticated team of hackers to reverse engineer the anti-cheat engine for countless hours to find a zero-day vulnerability. Generally, though, planting someone into the gaming company is a much cheaper alternative. 

**How Do We Design Our Systems Better?**

In response, we need to improve the design of our systems in at least three ways.

*   First, systems must be designed with decentralization in mind; highly centralized systems come with the threat of a single point of critical failure.
    
*   Second, information security should not be confined to IT teams; we have to embed the zero-trust mindset into all organizational functions, ranging from HR (e.g., recruitment practices) to managerial decision-making.
    
*   Finally, for IT admins today, the top-level concern is the breach of the servers and domain controllers. However, unwarranted access to personal devices must become another top concern beyond the compromise of the organization's own servers. 
    

Ultimately, we must recognize that the centralization of IT security elevates espionage to a critical threat, marking the next phase in the evolution of information security. 

**About the Authors**

Reader (Associate Professor) in Digital Innovation and Information Security, King's College London

Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is also a research affiliate of the King’s AI Institute and a member of both the Cybersecurity Research Centre (King’s Informatics Department) and the Cyber Security Research Group (King’s War Studies Department). 

Lecturer (Assistant Professor) in Marketing, University of Sussex

Fulya Acikgoz is a lecturer (assistant professor) in marketing at the University of Sussex. Her research covers a wide range of topics with a particular focus on technology and innovation marketing and management in different contexts. Her work has been published in high-impact journals. She is also the co-author of the book Blockchain for Tourism and Hospitality Industries.

IT Security Centralization Makes the Use of Industrial Spies More Profitable

Fraudsters running the Phish 'n Ships campaign infected legitimate website and used SEO poisoning to redirect shoppers to their fake web shops

Researchers at the Satori Threat Intelligence and Research team have published their findings about a group of cybercriminals that infect legitimate web shops to create and promote fake product listings.

The threat, dubbed “Phish ‘n Ships” by the researchers, reportedly infected more than 1,000 websites and built 121 fake web stores to trick consumers. Estimated losses are in the region of tens of millions of dollars over the past five years.

The group infected legitimate web shops with a malicious payload that would redirect visitors to web shops under their own control. While visiting such an affected web shop the visitor would be served fake product listings. When they clicked on the link for that item, hundreds of thousands of victims were redirected.

The fraudsters also made sure that their fake product listings contained metadata that put them near the top of search engine rankings for those items. SEO poisoning is a technique employed by cybercriminals to manipulate search engine results, making harmful websites or advertisements appear at the top of search results.

On the fake web shop, one of four targeted third-party payment processors collects credit card info and confirms a “purchase,” but the product never arrives.

The fraudsters used several established vulnerabilities to infect a wide variety of web shops.

For the users it’s not just the payment for an article they’ll never receive and the disappointment about not getting that sought-after article, but there is also the risk of providing cybercriminals with their payment card information.

The campaign has been disrupted for a large part due to the efforts of the researchers, but they warn that part of it is still active.

**So, what can consumers do to stay safe?**

Keep an eye on the website displayed in the address bar. Did the advertisement you clicked on take you to the expected web shop? And when the checkout process runs through a different web shop, this is another reason for alarm.

Be especially cautious when you are looking for hard-to-get items, because this is what the group specializes in.

If you are suspicious, it’s a good idea to try the input validation of the shipping information. The fraudsters do not care whether you fill out a real phone number or street address since they have no intention of shipping anything, so the validation process does not work. On a legitimate web shop this should work and warn visitors about invalid entries.

Malwarebytes’ web protection module and Browser Guard block the IP addresses in use by this group.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 1,000+ web shops infected by &#8220;Phish ‘n Ships&#8221; criminals who create fake product listings for in-demand products 

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets…

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets for storage, increasing the risks of phishing and cloud account breaches.

The Sysdig Threat Research Team discovered a global operation called EMERALDWHALE, which targeted Git configurations, resulting in over 15,000 cloud service credentials being stolen. The primary goal of stealing credentials was phishing and spam, with the credentials potentially worth hundreds of dollars per account.

****The Attack Chain****

The campaign used private tools to abuse misconfigured web services, allowing attackers to steal credentials, clone repositories, and extract cloud credentials from their source code. Over 10,000 private repositories were collected, and the stolen data was stored in a previous victim’s S3 bucket.

The Sysdig Threat Research Team reported that attackers used tools such as httpx and Masscan to scan large portions of the internet for servers with exposed Git configuration files (/.git/config) and Laravel environment files (.env). Upon finding exposed files, attackers leveraged tools like MZR V2 and Seyzo-v2 to extract sensitive information, including usernames, passwords, and API keys, using regular expressions to locate relevant data within the files.

The stolen credentials enabled attackers to clone private repositories, exposing additional sensitive data, such as source code. Verified credentials were then tested across various cloud services to find valid ones, which were afterwards used for malicious activities, including phishing, spam campaigns, or further compromises of cloud accounts. Ultimately, the attackers uploaded stolen data to compromised S3 buckets.

****EMERALDWHALE’s Tools of Choice****

The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.

In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env). These files often contain sensitive information like database credentials and cloud service API keys. Multigrabber v8.5 is a popular tool used to exploit vulnerabilities in Laravel and steal this sensitive data.

Operation EMERALDWHALE is one of the examples of how the stolen credentials market has become a lucrative business for cybercriminals. For example, target lists of exposed Git configurations were found to be sold for around $100. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a huge profit for attackers.

Tools being sold on Telegram (Via Sysdig Threat Research Team)

The finding shows the importance of proper configuration management in securing sensitive information. Ensuring Git configuration files are not publicly accessible, limiting access to necessary variables, and conducting regular vulnerability scans are crucial to staying protected.

“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.

Rom Carmel, Co-Founder and CEO at Apono, weighed in on the recent development stating “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’_“_

“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”

1.  Best Practices for Cloud Computing Security
2.  Abandoned S3 Buckets Used for Malicious Payloads
3.  350 million credentials exposed on misconfigured AWS S3 bucket
4.  iOS and Android Users at Risk as Popular Apps Expose Cloud Keys
5.  AI Firm’s Misconfigured Server Leaked 5.3TB of Mental Health Records

EMERALDWHALE Steals 15,000+ Cloud Credentials, Stores Data in S3 Bucket

Xlibre Xnest versions 24.1.0 and 24.2.0 suffer from a buffer overflow vulnerability that affected Xorg.

    XLibre project security advisory---------------------------------As Xlibre Xnest is based on Xorg, it is affected by some security issueswhich recently became known in Xorg: CVE-2024-9632: can be triggered by providing a modified bitmap to theX.Org server. CVE-2024-9632: Heap-based buffer overflow privilege escalation in_XkbSetCompatMapSee:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9632Affected versions:  * 24.1.0  * 24.2.024.1.x release:   Repo:   https://gitlab.freedesktop.org/metux/xserver.git   Branch: xlibre/xnest/24.1   Tag:    xnest-24.1.1   SHA:    11450b0946c1035944c5946d665f21f83356b6b924.2.x release:   Repo:   https://gitlab.freedesktop.org/metux/xserver.git   Branch: xlibre/xnest/24.2   Tag:    xnest-24.2.1   SHA:    9a6aec9bf62b6bdd75795a5e28648d4af07fe413These bugfix branches also contain several other pointer and boundsrelated problems that haven't been rated as possibly exploitable yet,but no other unnecessary changes which don't fix actual bugs.All users are strongly advised to upgrade to the fixed mainenancereleases ASAP.--mtx-----Enrico Weigelt, metux IT consultFree software and Linux embedded engineeringinfo@metux.net -- +49-151-27565287

Xlibre Xnest 24.1.0 / 24.2.0 Buffer Overflow

Ubuntu Security Notice 7088-1 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-1October 31, 2024linux, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm,linux-ibm-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linuxkernel contained an integer overflow vulnerability. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB subsystem;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-43894, CVE-2024-46737, CVE-2024-46828, CVE-2024-42244,CVE-2024-46723, CVE-2024-41073, CVE-2024-46756, CVE-2024-42288,CVE-2024-46840, CVE-2024-46771, CVE-2024-46757, CVE-2024-43860,CVE-2024-46747, CVE-2024-41017, CVE-2024-42246, CVE-2024-44988,CVE-2024-42281, CVE-2024-36484, CVE-2024-43856, CVE-2024-47668,CVE-2024-46759, CVE-2024-46744, CVE-2024-42289, CVE-2024-42131,CVE-2024-46679, CVE-2024-42304, CVE-2024-46818, CVE-2024-43858,CVE-2024-44960, CVE-2024-45028, CVE-2024-26885, CVE-2024-46676,CVE-2024-46780, CVE-2024-42310, CVE-2024-44987, CVE-2024-41090,CVE-2024-44954, CVE-2024-45026, CVE-2024-42285, CVE-2023-52614,CVE-2024-27051, CVE-2024-43880, CVE-2024-43839, CVE-2024-43884,CVE-2024-42311, CVE-2024-43893, CVE-2024-41072, CVE-2024-41091,CVE-2024-46758, CVE-2024-41022, CVE-2024-46745, CVE-2024-42305,CVE-2024-46673, CVE-2024-42284, CVE-2024-46844, CVE-2024-46677,CVE-2024-45025, CVE-2024-43861, CVE-2024-43914, CVE-2024-46783,CVE-2024-41012, CVE-2024-44999, CVE-2024-44946, CVE-2024-42276,CVE-2024-46740, CVE-2024-42295, CVE-2024-44947, CVE-2024-41059,CVE-2024-26669, CVE-2024-38602, CVE-2024-42306, CVE-2023-52918,CVE-2024-42297, CVE-2024-42229, CVE-2024-43853, CVE-2024-45006,CVE-2024-44998, CVE-2024-42283, CVE-2024-44952, CVE-2024-46761,CVE-2024-43841, CVE-2024-44944, CVE-2024-42313, CVE-2024-45008,CVE-2024-46714, CVE-2024-41065, CVE-2024-43883, CVE-2024-43867,CVE-2024-42286, CVE-2024-43879, CVE-2024-43846, CVE-2024-42280,CVE-2024-43854, CVE-2021-47212, CVE-2024-35848, CVE-2024-41020,CVE-2024-41068, CVE-2024-45021, CVE-2024-41098, CVE-2024-44965,CVE-2024-43890, CVE-2024-45003, CVE-2024-44969, CVE-2024-41011,CVE-2024-46738, CVE-2024-41071, CVE-2024-26800, CVE-2024-46721,CVE-2024-42292, CVE-2024-41081, CVE-2024-44948, CVE-2023-52531,CVE-2024-26891, CVE-2024-26641, CVE-2024-42287, CVE-2024-46722,CVE-2024-41042, CVE-2024-46675, CVE-2024-46743, CVE-2024-42259,CVE-2024-41015, CVE-2024-43908, CVE-2024-46719, CVE-2024-43871,CVE-2024-46739, CVE-2024-42301, CVE-2024-47659, CVE-2024-42271,CVE-2024-26668, CVE-2024-43835, CVE-2024-46829, CVE-2024-47667,CVE-2024-44995, CVE-2024-47669, CVE-2024-38611, CVE-2024-40929,CVE-2024-46815, CVE-2024-43830, CVE-2024-42309, CVE-2024-41063,CVE-2024-46782, CVE-2024-46777, CVE-2024-42265, CVE-2024-46781,CVE-2024-26607, CVE-2024-41064, CVE-2024-46685, CVE-2024-43882,CVE-2024-44935, CVE-2024-46800, CVE-2024-46822, CVE-2024-46755,CVE-2024-46817, CVE-2024-43829, CVE-2024-46798, CVE-2024-46689,CVE-2024-42290, CVE-2024-46750, CVE-2024-26640, CVE-2024-47663,CVE-2024-41070)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1082-ibm      5.4.0-1082.87  linux-image-5.4.0-1102-gkeop    5.4.0-1102.106  linux-image-5.4.0-1139-gcp      5.4.0-1139.148  linux-image-5.4.0-200-generic   5.4.0-200.220  linux-image-5.4.0-200-generic-lpae  5.4.0-200.220  linux-image-5.4.0-200-lowlatency  5.4.0-200.220  linux-image-gcp-lts-20.04       5.4.0.1139.141  linux-image-generic             5.4.0.200.196  linux-image-generic-lpae        5.4.0.200.196  linux-image-gkeop               5.4.0.1102.100  linux-image-gkeop-5.4           5.4.0.1102.100  linux-image-ibm-lts-20.04       5.4.0.1082.111  linux-image-lowlatency          5.4.0.200.196  linux-image-oem                 5.4.0.200.196  linux-image-oem-osp1            5.4.0.200.196  linux-image-virtual             5.4.0.200.196Ubuntu 18.04 LTS  linux-image-5.4.0-1082-ibm      5.4.0-1082.87~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1139-gcp      5.4.0-1139.148~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-200-generic   5.4.0-200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-200-lowlatency  5.4.0-200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1139.148~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1082.87~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.200.220~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.200.220~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-200.220  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1139.148  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1102.106  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1082.87

Ubuntu Security Notice USN-7088-1

When a CISO can articulate risk in context to the business as a whole, development teams can better prioritize their activities.

Source: JHENG YAO LIN via Alamy Stock Photo

COMMENTARY

When it comes to making a difference to business performance, chief information officers (CIOs) are investing in application development and improvements to software. According to Gartner, 60% of companies plan to spend more on software, with 52% of companies increasing their spend on software to improve productivity. Analyst firm Omdia points to modernization and investment in applications as a critical goal, due to the cost of maintaining existing technology stacks over time. 

For chief information security officers (CISOs), these investments represent a significant challenge. How can you keep up with the relentless pace of change taking place, where new IT infrastructures are created, used, and torn down every minute, every day? One CISO I discussed this with described it as like trying to dam a river — impossible to achieve, a thankless task, and one that leaves you considerably more uncomfortable than when you started. Worse, trying to impose standards left them feeling like the "department of no," and antagonistic to the business's overall goals, affecting their internal standing and making them more likely to be ignored. 

So, we can't go against this pace of change. Instead, how can we understand developer velocity and the goals that these teams have? How can we get ahead of these changes so we can apply security at the source, and what is in that approach for us? 

**Starting at the Beginning**

Understanding the software development process in your organization is a good place to begin looking at how you can insert security measures into the mix. How do those teams manage their requests, requirements, and changes over time, and how does their life cycle work? How do those teams work faster and more efficiently, and what steps are they taking to improve their performance?  

For CISOs, each phase in the software development process is a potential place to insert security into the conversation. Yet many developers are wary of security asks. The reason for this? Security often gives them huge volumes of change requests, with no guidance beyond "This needs to be fixed." This can lead to resentment at the additional work, as the business is already asking them to deliver new functionality or services. 

To improve this situation, look at the overall goals that all the teams involved have to deliver on, and what information can directly benefit them. Developers want to build, and the business wants those results as fast as possible. For CISOs, the guidance here is to enable that pace of change, or at least get out of the way. To make this work in practice, security teams must look at what they can automate so that it delivers security results directly into the developer workflow. 

Developers themselves live in code. They don't want any manual tasks in their processes, let alone in processes that are dictated to them by outside teams. To get over this hurdle, put your security approach into that code workflow so that it gets applied by default to any part of the development environment within those tools that are already in use. A security defect can then be flagged for fixing to that developer in the same way as a code component not compiling properly, or an API integration failing.  

**Moving Up the Stack**

The security sector has been keen to promote more secure development and design practices in software. The promise here is that fixing issues earlier in the process is cheaper in the long run than doing so later in the process, whether that is in production or in later test and deployment phases. The secure-by-design mantra is brilliant in theory. However, developers are moving so fast that this framework will be hard to apply and keep up on its own.

Instead, we must treat software security as a methodology. We can still support developers in making changes as fast as the business needs, let developers know about issues, and then try to fix those problems before they hit production. However, that is not enough on its own. One CISO in France let me know that he had successfully implemented security checks and controls for the company's containerized applications only during the build phase. In theory, this would mean that any image developers deployed should be secure through into production without the requirement for checks in later stages. Yet his team members found that they still faced problems in production, and vulnerabilities and misconfigurations were still occurring. The issue was that those containers would drift over time, where they would then need to be remediated, or as sometimes happens, the risk is accepted and those images are in run time with known issues.  

This is where CISOs can come into their own — by providing context. Articulating risk in context to the business as a whole, or to specific platforms or departments, allows development teams to prioritize their activities. Additionally, it empowers teams to continuously improve their coding practices and build more secure applications faster. Security teams are then only providing guard rails versus slowing down developer velocity — security can then get out of the way, while still reducing risk and putting remediation efforts where they are needed. The end result? When the CISO really needs to communicate around risk, the rest of the business is more likely to pay attention. 

**About the Author**

Managing Director for EMEA North, Qualys

Matt Middleton-Leal is Managing Director for EMEA North at Qualys, a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions designed to streamline and consolidate customer’s security and compliance solutions in a single platform. Qualys helps organizations build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings. Matt has over 20 years' experience in the cybersecurity industry with a deep understanding of both customers' and suppliers' needs. Matt is also a Certified Information Systems Security Professional (CISSP®).

Developer Velocity &amp; Security: Can You Get Out of the Way in Time?

Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.
The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket,

Vulnerability / Cloud Security

Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code.

The activity, codenamed **EMERALDWHALE**, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon.

"The stolen credentials belong to Cloud Service Providers (CSPs), Email providers, and other services," Sysdig said in a report. "Phishing and spam seem to be the primary goal of stealing the credentials."

The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or group.

Targeting servers with exposed Git repository configuration files using broad IP address ranges, the toolset adopted by EMERALDWHALE allows for the discovery of relevant hosts and credential extraction and validation.

These stolen tokens are subsequently used to clone public and private repositories and grab more credentials embedded in the source code. The captured information is finally uploaded to the S3 bucket.

Two prominent programs the threat actor uses to realize its goals are MZR V2 and Seyzo-v2, which are sold on underground marketplaces and are capable of accepting a list of IP addresses as inputs for scanning and exploitation of exposed Git repositories.

These lists are typically compiled using legitimate search engines like Google Dorks and Shodan and scanning utilities such as MASSCAN.

What's more, Sysdig's analysis found that a list comprising more than 67,000 URLs with the path "/.git/config" exposed is being offered for sale via Telegram for $100, signaling that there exists a market for Git configuration files.

"EMERALDWHALE, in addition to targeting Git configuration files, also targeted exposed Laravel environment files," Sysdig researcher Miguel Hernández said. "The .env files contain a wealth of credentials, including cloud service providers and databases."

"The underground market for credentials is booming, especially for cloud services. This attack shows that secret management alone is not enough to secure an environment."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git