Some predictions about impending security challenges, with a few tips for proactively addressing them.

Cloud transformation has become a strategic advantage for many organizations, providing convenience, cost savings, and near-permanent uptimes compared with on-premises infrastructure. At the same time, the move to cloud has also increased the attack surface, resulting in an uptick in criminal activity targeting cloud environments. As we roll into 2023, fears about a potential recession and a corresponding desire to cut costs are renewing urgency to move to the public cloud.

For organizations to successfully secure cloud environments, they must understand the critical risks that can be exploited by attackers to infiltrate cloud environments. As with legitimate activity in the cloud, attackers continue to evolve their approaches, so the challenges faced in 2023 will be different than those faced in 2022 and prior. Here are my top 2023 predictions.

**Multicloud Environments Will Continue to Compound Security Challenges**

Multicloud offers numerous benefits, from avoiding vendor lock-in to reliability, agility, and cost-efficiency. At the same time, however, it brings additional layers of complexity, particularly regarding security management. According to a recent report, 78% of organizations deploy applications on more than three public clouds.

Moreover, the number of services available from the top three public cloud providers (Amazon Web Services, Azure, and Google) is expected to surpass 1,000, up from 750 today. In an effort to embrace agility and innovation, security practitioners will need to find ways to support these news services as soon as they are available.

With each cloud provider's unique capabilities enhanced and expanded almost daily, organizations will have to invest in automated tools that map new services to security and compliance frameworks, like NIST, CIS, and others.

**Securing Developer Environments Will Become the Most Critical Component**

The continuous growth and diversity of application deployments are creating an extensive attack surface for malicious actors. We have seen cybersecurity incidents like SolarWinds, Kaseya, and Spring4Shell significantly impact organizations.

On the other hand, we also see issues like Log4j, which recently demonstrated how many organizations can be impacted due to software vulnerabilities. Hence, we expect securing developer environments will become one of the most critical components for organizations in 2023.

**DevSecOps Tool Sprawl Will Begin to Consolidate**

According to Gartner, of those organizations that have implemented a DevSecOps pipeline for cloud security, "these organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some old and some new — each with siloed responsibility and view of application risk."

Recognizing the overhead with managing so many tools, and the challenges with achieving consistent policies across cloud providers and services, information security teams will increasingly standardize on broader platforms, such as cloud-native application protection platforms, at the expense of point products, such as cloud security posture management, infrastructure-as-code scanners, and cloud workload protection platforms.

**Focused Approach for Data Protection**

Monitoring data across multicloud environments has been an unsolved problem for a couple of years for most organizations. When production workloads are moved between multiple public cloud environments, it becomes difficult to track data or access permissions. Tools for cloud service providers have limitations to secure data in multicloud environments.

In 2023, organizations need to adopt new tool sets and new mindsets, and make a greater effort to detect, classify, and enforce policies to secure sensitive data. We expect data protection to be at the center of the cloud security strategy to avoid increasingly high-profile, complex cyberattacks and data breaches.

**Do More With Less**

The current economic climate is pointing toward a trend of tighter budgets in 2023. To combat this challenge, leaders will be consolidating tools, processes, and expertise with a more collaborative approach. We'll see wider use of cross-functional teams with even greater ROI focus to boost efficiency and reduce complexity.

**Cybersecurity Hiring Will Remain a Challenge**

According to the (ISC)2 2022 Cybersecurity Workforce Study, there is a shortage of 3.4 million cybersecurity workers worldwide. With limited staff, we expect security leaders to emphasize security automation with risk-based prioritization.

**How to Stay Safe in 2023**

Based on our experience of investigating attacks and related incidents, we believe that security leaders need to focus on the following tactics and techniques:

*   Cloud security approach and strategy: With the prevalence of large-scale cloud-native deployments, adopting a more modern, agile, and integrated cybersecurity approach is mission-critical.

*   Select the right tooling: Shifting to robust security with the right solutions and level of expertise, over security layers and threat intelligence.

*   Prioritizing visibility: Gain insight and control over the complex cloud environment covering threats, risks, and vulnerabilities in the cloud.

*   Data security in focus: Secure data in large, dispersed environments with strategic integrated data protection and DLP approach.

*   Threat intelligence, advanced correlation, and machine-learning techniques: Use a combination of advanced techniques to stay ahead of bad actors and proactively reduce risk.

*   Automate and maintain continuous compliance standards.

*   Team collaboration: Distribute and delegate security responsibilities using automation across the organization.

Multicloud Security Challenges Will Persist in 2023

In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos.

Tuesday, January 24, 2023 09:01

While our ongoing support to Ukraine and response to the Log4j vulnerabilities were two of our most comprehensive and impactful efforts in 2022, we also dealt with a multitude of other threats as the security community faced an expanding set of adversaries and malware. In January, we identified several emerging trends that we expected would affect or dominate the threat landscape in 2022, many of which ultimately played out as significant events this year. In this section, we provide an overview of the general threat landscape throughout 2022 and major trends based on telemetry sets gathered across Talos, including:

*   Behavioral indicators from Secure Malware Analytics.
*   Snort and ClamAV alerts .
*   Behavioral Protections (BPs) from Cisco Secure Endpoint.
*   Case studies from CTIR engagements.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections).  Supported versions that are affected are 12.1 and  12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

In 2022, multiple high-profile vulnerabilities like Log4j and OpenSSL provided important takeaways for future public reporting.

As we pass the first anniversary of the Log4j vulnerability disclosure, it's a timely reminder that when a vulnerability is serious, it deserves our utmost attention. Organizations taking vulnerability disclosure more seriously is a net positive for the industry, especially because patching is so vital for basic cyber hygiene and accountability.

But, when a vulnerability is overblown or overpromoted, it can misguide the security community and distract from other more serious incidents — or cause other serious problems, like alert fatigue.

As public vulnerability disclosure becomes more commonplace for researchers, vendors, and the broader security community, the question of "when to panic or not panic?" is important. Here are some key lessons for approaching vulnerability management.

**1\. Distinguish Between Noise and Necessity**

For security experts and the media alike, it's imperative to determine when something is critical and when an issue might be overblown. According to research, the Log4j vulnerability Log4Shell could potentially impact 72% of organizations, and it was coined an "endemic vulnerability" by the US Cybersecurity and Infrastructure Security Agency.

Months later, the Text4Shell vulnerability was disclosed. Media and researchers alike wondered if it was "the next Log4Shell." But the vulnerability was proven to have a much lower impact and was much less severe.

This is one example of a gray area between ensuring something is well-broadcast and its actual impact. Being able to make this distinction can help prevent alert fatigue, which has been associated with security staff burnout and is costly to a company due to direct expenditures spent responding to these alerts, including initial triage.

In another case, if a vulnerability is originally thought to be more severe, it could be overblown. For example, a vulnerability in OpenSSL disclosed in December generated significant attention due to the ubiquity of OpenSSL inside many products to enable Transport Layer Security (TLS).

This one may have been overhyped because of the last significant vulnerability in the software in 2014: Heartbleed. Given this past, when it was announced that the new vulnerability's severity level was critical, people were understandably concerned.

But the hype around the latest OpenSSL vulnerability turned out to be kind of a non-event. At the time of release, the two CVEs (common vulnerabilities and exposures) were downgraded from critical to high. This hype wound up being a distraction because it actually led to a more complicated ConnectWise vulnerability being under-covered. The ConnectWise vulnerability had the potential to be more harmful and impact nearly 5,000 servers.

**2\. Communicate and Mitigate Risk**

Communicating risk will always have to be a collaborative effort because it happens in so many channels. Organizations post on their own websites and forums, the government issues bulletins, and the InfoSec community is particularly active on social media — researchers sometimes "scoop" vendors before they can release details about the vulnerability or mitigations themselves.

Often, there exists an educational gap between deeply technical security researchers and IT professionals and the broader business community. This disconnect results in organizations not knowing the right steps to take when a vulnerability is publicly disclosed.

**3\. Follow the Data**

The Common Vulnerability Scoring System provides a qualitative measure of the severity of cybersecurity vulnerabilities, and ratings can range from 0 to 10. It is one resource that can help us compare the vulnerability at hand to the rate of "noise" in the community. Leaning on data and hard numbers can help ensure we're paying attention to what really matters.

There are other risk-scoring models to help organizations prioritize vulnerabilities. To address the specific needs of cyber-insurance underwriting, Coalition offers the Coalition Exploit Scoring System (CESS) to help organizations prioritize vulnerability mitigation. CESS is powered by a set of machine learning models that assign severity scores to vulnerabilities based on multiple features — the description, social mentions, incident data, honeypot exploitation, and similarity to previous vulnerabilities — and measures the potential, or how likely it is, that attackers will actually exploit the CVE. This way, organizations can prioritize responses and resources according to their threat level.

Think of the CESS score as a percentile regarding severity and likelihood of exploitation. Our threshold of deeming an exploit "critical" is 0.7 or 70%. For example, CESS ranked the new OpenSSL vulnerability as 0.66 in our percentile scale, with a 1.0 being 100%. Our threshold for significance to notify policyholders is 0.7 or 70%. This slight 0.4 decile difference is actually really helpful in understanding the thousands of vulnerabilities that exist and helps cut through the noise of the hundreds publicized daily. Coalition uses CESS to prioritize which vulnerabilities policyholders should address first based on a two-pronged data approach: which vulnerabilities are the most severe and which are most likely to be exploited. Other security organizations will likely implement similar data-driven risk-scoring systems.

**How Vendors Fit In**

Vendors have a role to play in ensuring customers have a trusted source, whether communicating vulnerability severity scores or providing a balanced perspective with clear mitigation advice and updates. Vulnerability management is twofold, and the onus to resolve issues is just as much on the vendor side to communicate them properly as on the organization side to patch them efficiently.

All organizations have a responsibility when it comes to incident response and vulnerability management. Spending time educating on the technicality of how a vulnerability works and the potential exposure around technologies vulnerabilities often target can go a long way in seeing trouble before it starts.

Not everything is the "next Heartbleed" or "next Log4shell," but having the right resources in place can ensure we are ready for new security challenges without being distracted by the newest shiny object.

3 Lessons Learned in Vulnerability Management

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent...

Tuesday, January 10, 2023 09:01

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent. These groups engaged in a variety of malicious activities, including espionage, intellectual property theft, and deploying destructive malware. Major trends observed include:

*   Delivering new, custom malware and updated variants of previously known malware.
*   Exploiting publicly known vulnerabilities, such as Log4j utilities.
*   Updating tooling and behavior patterns to evade discovery.
*   Increasing APT activity in our Cisco Talos Incident Response (CTIR) engagements, including the Iran state-sponsored MuddyWater group and several China affiliated APTs.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

APT Topic Summary Report: Cisco Talos Year in Review 2022

Happy New Year and welcoem to this week's edition of the Threat Source newsletter. 
We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our

Thursday, January 5, 2023 14:01

Happy New Year and welcome to this week's edition of the Threat Source newsletter.

We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things.

**The one big thing**

Last month Talos released our Year in Review report, a comprehensive report covering Talos’ work for the 2022 year. The initial report launched December 14th with an additional Ukraine Topic Summary Report on the same day. To discuss the initial report and Ukraine section Talos held a livestream with key contributors to the report, which can be viewed here.

**Why do I care?**

We expect this data-driven story will shed some light on Cisco’s (and the security community’s) most notable successes and remaining challenges. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversarial use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: _adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior to remain resilient._

**So now what?**

While yes, we’ve moved into another new year the Talos 2022 Year in Review is the gift that keeps on giving. If you’ve yet to read the report, you can catch the cliff notes version in our four part livestream series covering the full report and corresponding topics. Join us January 10th at 12pm ET for our next livestream 2022 Year in Review: APTs on our Talos LinkedIn or Twitter page.

**Top security headlines of the week**

The not-so-bad-guys? The LockBit ransomware group apologies for attacking the Hospital for Sick Children (SickKids) after one of its members violated their rules by attacking a healthcare organization. In their apology, LockBit stated the member is blocked and no longer in their affiliate program and offered a free decryptor for the hospital to recover impacted files. (Bleeping Computer)

Meta was fined over $4 million for breaching the EU’s General Data Protection Regulation (GDPR) personal data laws on Facebook and Instagram according to Ireland’s Data Protection Commission. In a statement the commission stated Meta breached “it’s obligations in relation to transparency” and “for its processing of personal data for the purpose of behavioral advertising”. (SecurityWeek)

All was not calm over the holidays as PyTorch has recently identified a malicious dependency under the same name as the framework’s ‘torchtriton’ library. PyTorch admins are urging users who recently installed PyTorch-nightly to uninstall the framework with the counterfeit ‘torchtriton’ dependency. (SC Media)

**Can’t get enough Talos?**

2022 Year in Review Report

Beers with Talos

Talos Takes

Ukraine Topic Summary

2022 Year in Review: Ukraine livestream on demand

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: excel.exe

Claimed Product: N/A

Detection Name: W32.00AB15B194-95.SBX.TG

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:   93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  
Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5:  df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: n/a

Detection Name: Win.Worm.Coinminer::1201

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

DevOps platform advises customers to revoke API tokens

John Leyden 05 January 2023 at 14:38 UTC

DevOps platform advises customers to revoke API tokens

Developers are being urged to rotate secrets and API tokens following the discovery of a breach at popular DevOps platform CircleCI.

CircleCI, which offers a platform for continuous integration and continuous delivery of software development projects, admitted a “security incident” on Wednesday (January 4).

The vendor has launched an investigation which remains ongoing. In the meantime, and as a precaution, it is urging its software developer customers to take “preventative measures” to protect the integrity of software development projects.

RECOMMENDED Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development

Customers should immediately “rotate any and all secrets stored in CircleCI”, whether they are stored in project environment variables or in contexts. In addition, software development teams that rely on CircleCI should review systems logs dating back to December 21 for signs of compromise.

Lastly, in cases where software development projects use Project API tokens, software developers should invalidate existing project API tokens and replace them with freshly minted credentials.

**‘Confident’**

The nature of the apparent breach is currently unclear. However, in a statement on the incident, CircleCI said it is “confident that there are no unauthorized actors active in our systems” (perhaps implying that malign parties did have some access to its systems until the breach was detected).

CircleCI concluded by promising to keep customers “in the loop” about how its investigation was progressing.

“While we are actively investigating this incident, we are committed to sharing more details with customers in the coming days,” the vendor said.

The Daily Swig asked CircleCI to comment on the circumstances of the breach, what additional precautions it is taking to prevent a repeat of the incident, and any lessons it has learned. We’ll update this story as and when CircleCI responds to our query or publishes a post-mortem on the incident.

**All change**

The episode is likely to be most inconvenient for software development teams that are in the habit of storing configuration files and secrets directly on CircleCI. It is more secure, albeit less straightforward, for calls to be made to fetch secrets from elsewhere.

Precisely what secrets need to be changed up has become a topic of discussion on CircleCI support forums.

In response to queries about whether SSH keys, Jira and Slack integration tokens, and webhook secrets also need to be changed as well as contexts and environment variables, a CircleCI employee implied that a complete re-up was in order.

“At this time, we recommend rotating SSH Keys and all tokens or secrets,” they said.

DON’T MISS Fill out our reader survey to be in with a chance of winning Burp Suite swag

Devs urged to rotate secrets after CircleCI suffers security breach

The toasts, triumphs, and biggest security wins of the year

The toasts, triumphs, and biggest security wins of the year

  

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Yesterday we showcased the year’s biggest fails – the security disasters, industry calamities, and the emergence of vulnerabilities so stupid they’ll make your eyes roll.

Today, we’re celebrating the times that organizations, governments, and the infosec community have shown laudable skill, judgement, and commitment to better securing the cyber sphere in 2022.

**CCFA changes**

This year saw major progress made in protecting ethical hacking from unfair legal consequences. Current laws worldwide often enable prosecution of security researchers motivated to protect rather than harm users, creating risks for ethical hackers in the course of doing their job.

In the US, the Department of Justice (DoJ) announced it will no longer prosecute security researchers who act in “good faith” under a landmark revision to its policy regarding computer crime laws.

The amendment, announced back in May, laid out changes to prosecution criteria under the Computer Fraud and Abuse Act (CFAA).

Good faith in this case refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.

RELATED Stupid security 2022 – this year’s infosec fails

**Decriminalizing UK ethical hackers**

Across the pond, UK legislators proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill back in June that would give cybersecurity professionals a legal defence for their activities under the Computer Misuse Act (CMA).

Critics argue that the law, which came into effect in 1990, is outdated and unduly prosecutes security researchers, ethical hackers, and pen testers who responsibly hunt for or report vulnerabilities.

Campaigners continue to call for legal clarification of legitimate hacking activities, which they argue include responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

The UK government continues to hold talks on the proposed law changes. A call for information was closed in September.

**Making disclosure smoother**

Progress was also made in helping security researchers to make the vulnerability disclosure process smoother.

HackerOne encouraged customers to adopt its new standard policy, released in November, that goes further to protect hackers from legal problems.

The Gold Standard Safe Harbour agreement “is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”, said HackerOne.

“This standardization also reduces the burden on hackers for parsing numerous different program statements.”

Catch up on the latest bug bounty news

Meanwhile, the maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference in November.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

**In defence of Ukraine**

The Russian invasion of Ukraine dominated headlines this year, and as individuals across the world stepped up to help, so did the hacking community.

In March, Hackers Without Borders (HWB) a Geneva-based non-governmental organization (NGO), was launched to offer emergency infosec assistance to other NGOs and providers of critical services affected by conflicts around the world.

Staffed by volunteer hackers and infosec experts, the organization helps individuals or organizations handle the fallout of cyber-attacks, protect them from further assaults, and bolster their cyber-resilience – free of charge.

In an interview with The Daily Swig, co-founder Florent Curtet said: “We are here to be like firefighters for people, companies, institutions that don’t have the money, skills, or information to protect themselves from today’s digital threats.”

Also speaking in defence of Ukraine, WithSecure’s Mikko Hyppönen told the cybersecurity company’s first ever conference attendees this year that “Russia is trying, but it is largely failing”, in its efforts to ignite cyberwarfare.

Speaking at Sphere 2022 in neighbouring Finland, Hyppönen said: “Taking a stand here is really simple, it’s really obvious. I think we all choose to stand with Ukraine. We choose to stand with democracy, and we choose to stand against evil.”

**Back to Hacker Summer Camp**

This year saw the return of in-person conferences, in particular Black Hat, which was held online in previous years due to the coronavirus pandemic.

In May, Black Hat Asia attendees in Singapore heard keynote speaker Samir Aran warn that “if democracy is to survive, technology will have to be tamed”.

At Black Hat USA, held in Las Vegas in August, former CISA director Chris Krebs also spoke out about geopolitical tensions, urging organizations worldwide to bolster their online infrastructure amid Taiwan tensions.

And at Black Hat Europe, held in London in November, renowned security researcher Daniel Cuthbert told attendees that a defendable internet is possible – “but only with industry makeover”.

The conferences also saw the release of various hacking tools built by the community for the community.

**Securing the open source ecosystem**

Finally, efforts to secure the open source supply chain were ramped up for 2022, with a number of new initiatives launched.

The Secure Open Source Rewards (SOS.dev) scheme was set up to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

The Open Source Security Foundation (OpenSSF) also launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.

And a summit held at the White House resulted in a plan to better secure the government’s software supply chain, in the wake of the Log4j incident back in 2021.

DON’T MISS Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

Security done right – infosec wins of 2022

Epic web security fails and salutary lessons from another inevitably eventful year in infosec

Epic web security fails and salutary lessons from another inevitably eventful year in infosec

  

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Tomorrow we’ll publish some examples of the year’s cybersecurity successes, but today we’re kicking off with some amusing vulnerabilities, security disasters, and ‘must do better’ scorecards.

**Reddit NSFW bypass**

Reddit’s ‘Not safe for work’ restrictions could have been subverted via a cross-site request forgery (CSRF) vulnerability addressed by the social media platform in February.

The security bug enabled attackers to trick users into enabling the ‘I am over eighteen years old’ option and express a willingness to view adult content.

This medium severity issue earned the security researcher who found the flaw a $500 bug bounty.

**QWACkers proposal**

Mozilla, The Electronic Frontier Foundation, and dozens of computer science experts this year pleaded with EU lawmakers to abandon plans to force web browsers to recognize the validity of contentious web certificates created by the bloc.

A proposed amendment to the eIDAS – or electronic Identification, Authentication, and Trust Services – regulation would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).

RECOMMENDED Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a ‘risk-centred view’ of open source development

The EU created QWACs in 2014 to validate a website’s professed identity and therefore, supposedly, protect users from fraud, malware, and surveillance. Mozilla argues that QWACs are inferior to, and would circumvent, the more effective and longstanding web authentication ecosystem already in place.

Some 38 security experts signed an open letter criticizing the plans that was addressed to the European Parliament in March.

**  
Cyber fraud executive turned cyber fraudster**

A US entrepreneur who pocketed millions of dollars after falsifying bank statements to generate investment for his cyber fraud prevention firm was sentenced to five years for securities fraud in November.

In a classic case of nefarious activities belying the noble or socially important role they are ostensibly playing (‘effective altruist’ Sam Bankman-Fried is accused of similar), Adam Rogas was convicted in relation to using fraudulent financial data to secure more than $123 million in financing for NS8, the company he co-founded.

This figure includes around $17.5 million that he apparently “personally obtained”, as The Daily Swig reported in March.

US attorney Damian Williams said: “Adam Rogas took the ‘fake-it-till-you-make-it’ saying to a criminal extreme. While claiming to be in the fraud prevention business, Rogas himself faked nearly all of his company’s customers, revenue, and assets.”

**Patching process needs remediation**

There have been some improvements when it comes to developing and applying patches but there remain causes for concern.

Not least the bug of 2021 – and perhaps the century – ‘Log4Shell’ did not provoke a universal rush to patch, with a third of Log4j downloads still pulling vulnerable versions nearly a year after its emergence.

Other causes for concern on this front include Apache Software Foundation (ASF) expressing alarm at the numbers of organizations running end-of-life versions of Apache software, while a North Carolina State University study warned of unacceptable delays to open source patches being rolled out.

**AI still no substitute for human bug hunters**

ChatGPT represents a great leap forward for AI, but proved no surrogate for homo erectus when it comes to finding and disclosing software security vulnerabilities.

The game-changing large language model (LLM) from OpenAI has already being used to write ransomware and craft phishing campaigns and offers potential utility for defenders too.

However, it’s shortcomings as a bug bounty hunter were exposed this month when a OUSD stablecoin maintainer suspected his interlocutor was a chatbot.

Daniel Von Fange reported “inconstancy between emails – each email seemed to pretend we were discussing a different bug, and each was a bug based on nonsensical premises, and each set of code sent along to prove the issues was valueless”.

The ‘researcher’ who submitted the flaw ultimately admitted ChatGPT had detailed the bug’s impact, exploitability, and possible remedies, but still had the audacity to ask for a bounty.

Von Fange told The Daily Swig that “current LLMs are good at finding plausible reasons why code might have a vulnerability”, but a bigger breakthrough would come when AI can automatically write and run code to verify exploitability.

**LastPass existential crisis**

Another year, another drip-drip of data breaches great and small, and few – if any – have sparked as much alarm as the recent compromise at password management platform LastPass.

Infosec Twitter’s horror centers on the potential impact – 33 million customers entrust their passwords to the password management market leader – and the fact the breach appeared to become more severe with every fresh update from the beleaguered company.

LastPass first revealed its servers had been hacked in August, but said it had found “no evidence” that attackers had accessed “customer data or encrypted password vaults”.

However, this changed over the festive period when LastPass admitted that hackers had stolen an employee’s cloud storage keys and pilfered customers’ encrypted password vaults.

The company nevertheless now says that, so long as customers use the recommended default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology”.

RELATED Password theft bug chain patched in Passwordstate credential manager

Stupid security 2022 – this year’s infosec fails

A variety of initiatives — such as memory-safe languages and software bills of materials — promise more secure applications, but sustained improvements will require that vendors do much better, researchers agree.

Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

At the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers. 

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

"Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?" he says. "You've stripped away those protections and defenses."

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

**The Software Supply Chain's Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4jcomponents were vulnerable versions.

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs, with the average company using 15,600 APIs, and traffic to APIs quadrupling in the last year.

This increasingly cloudy infrastructure makes users' human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

"The unfortunate truth is that no matter what is happening in the enterprise and how well you lock it down and secure it, there is opportunity to attack the users," he says. "With ransomware and malware, phishing and scams, even if the back end is secure, they can take advantage of the user."

****Cyberthreats Against Applications Only Loom Larger**

To see an example of how little progress cybersecurity has made in the past three decades, companies do not have to look further than phishing. The social engineering technique has been around for almost as long as email, yet the vast majority of companies (83%) have suffered a successful email-based phishing attack in 2022. Phishing easily leads to credential harvesting and then to compromises of Web applications and cloud infrastructure.

The simple technique can bypass multiple layers of application security and give attackers access to sensitive data, systems, and networks, Daniel Cuthbert, global head of cyber security research at Banco Santander, said at this month's Black Hat Europe security conference.

"You should be able to click on something and not have it push a reverse shell out to somebody else," he lamented. "Is it that hard to ask?"

Attackers are also focusing on targeting applications in ways that get by many of the security controls that are operating at the edge of the network.

At the Black Hat Asia conference in May, researchers outlined ways to sneak attacks past web application firewalls (WAFs) to deliver malicious payloads to otherwise-protected applications and their databases. In December, cybersecurity firm Claroty demonstrated more general attacks using JSON to bypass five major WAFs, including those of Amazon Web Services and Cloudflare. In the same month, a pair of researchers used a vulnerable version of Spring Boot to bypass Akamai's WAF.

Companies have to be more tactical about how they rely on WAFs, says Akamai's Lauro. So-called "virtual patching" — when the WAF is used to block the exploit of vulnerabilities that are not yet, or cannot yet be, patched — is an important capability. Yet, too many companies use WAFs to protect poorly designed applications, he says.

"You need to identify how that vulnerability could be attacked from the Internet, and virtual patches helps there, but once you are inside the network, the first thing I'm going to do as an attacker is look for some of these zero-days and use them to move laterally," he says.

**Future AppSec Requires Innovation**

Efforts to protect the fundamental components of software by securing the software supply chain will be a key source of innovation in the near future. These advances take time to implement and are not silver bullets, but they can result in far more robust software development and end product, experts say.

Providing developers more information about the components they import into their own software through systems like Scorecard, for example, has significant security benefits. Scorecard checks a variety of software project attributes, such as whether there are binary code included in the software, have dangerous development workflows, or has signed releases. Just that information can determine whether a project is vulnerable with 78% accuracy, according to the Open Software Security Foundation (OpenSSF).

Sigstore, which allows each software component to be signed, is another technology that will help developers understand and secure their supply chains, says John Speed Meyers, principal security scientist at Chainguard, a software security firm.

"A key building block for preventing software supply chain compromises is the widespread use of digital signatures," he says. "This helps reduce the chance of software supply chain compromises and reduce the blast radius when they do happen."

**Companies Can Make Cyber-Secure Application Choices**

While those advances in the software development process can result in more secure software, the choice of language can make a significant difference as well. Memory-safe languages can all but eliminate pernicious classes of software flaws, such as buffer overflows and use-after-free vulnerabilities. 

Google, for example, found that the use of memory-safe languages, such as Java and Rust, rather than C and C++ resulted in lowering the number of vulnerabilities from 223 to 85 over three years.

Companies need to give developers more support and leeway in selecting secure tools and frameworks, not just focus on productivity and features, says Sonatype's Fox.

"There is a new reality that companies need to wake up to and deal with, and that is that the developers at the end of the day are the ones that have to make these changes, and the organizations need to recognize their problems and support them," he says. "Developers are finding their own tools, and they know that's a problem, but they are not getting the support from the company, so even in a world where developers want to do the right thing, their companies are holding them back."

At the executive level, companies also need to be using their buying power to focus on holding their vendors accountable for security of their products, Banco Santander's Cuthbert said during his Black Hat Europe keynote.

"When we look at buying product, and we look at buying software, the reality is that we have zero input to make sure that those vendors, those products are secure," he said. "We just don't have that power and we don't have meaningful influence."

Tag

#log4j