**PRESS RELEASE**

**WATERLOO, ON, Oct. 10,2023 / PRNewswire/--** BlackBerry Limited (NYSE: BB; TSX: BB), the pioneer of enterprise mobility management, today announced two major new Unified Endpoint Management (UEM) innovations — BlackBerry UEM at the edge and BlackBerry UEM for the IoT.

BlackBerry® UEM software is used for managing, monitoring, and securing all of an organization's end-user devices. Taking BlackBerry UEM to the edge will enhance enterprise productivity and employee experience by placing workloads close to the end user and their device for ultra-low latency connectivity, while maintaining the highest security standards that customers rely on and trust BlackBerry to deliver – in testing users saw up to 87% decrease in latency. The solution brings the BlackBerry Network Operations Center (NOC), the company's unique secure connectivity infrastructure, to the edge and integrates with AWS Local Zones and Availability Zones to securely place compute, storage, and other services where data is being generated and consumed. BlackBerry UEM at the edge is compatible with BlackBerry UEM on-prem and cloud.

BlackBerry UEM for the Internet of Things (IoT) will expand unified endpoint management to IoT devices enabling organizations to realize the vast benefits of the IoT and reduce unknown risks in their environment. The solution integrates BlackBerry UEM with AWS IoT Greengrass, an open source edge runtime and cloud service used on millions of IoT endpoints across the connected world – in factories, vehicles, healthcare, enterprises – to provide IoT endpoint visibility and management and empower IT teams. Advancing the company's convergence vision, this new addition to BlackBerry UEM will enable organizations to seamlessly and securely inventory and manage their IT and IoT endpoints from a single console.

"BlackBerry founded and has been a leader in the enterprise mobility management market for over twenty years. We are once again revolutionizing the market, by leapfrogging the industry in endpoint management innovation and paving the way for convergence," said Neelam Sandhu, Chief Elite Customer Success Officer, BlackBerry. "It has been wonderful to collaborate with AWS to develop BlackBerry UEM at the edge and BlackBerry UEM for the IoT, to enable our customers to unlock new business value through digital technologies, which offer the potential to transform and advance every aspect of the connected world, spanning how we live and work." 

"IoT has advanced over the past years across different industries – automotive, enterprise, medical, manufacturing. The convergence of the IoT with security at the forefront of the conversation is now emerging as a must-have for the connected world. Bridging systems in the cloud provides scale, consistency, and flexibility to organizations to access data across the IoT and developers to innovate to deliver new value. AWS is delighted to collaborate with BlackBerry on UEM edge and IoT solutions to deliver unified and innovative endpoint management solution for the future of the connected world," said Dr. Sarah Cooper, General Manager for Industry Products at AWS.

The IoT is a foundational pillar of the future of digital transformation and unlocks new business opportunities for organizations by dramatically extending the reach of information technology. The value of enterprise IoT is largely untapped today due to the heavy compute requirements of the IoT and the complexity of the IoT network. Edge computing addresses the increasing demand for real-time data processing and analysis, and increased endpoint visibility provides valuable situational awareness and security benefits, enabling organizations to easily integrate IoT into their IT strategies. 

BlackBerry UEM holds the most security certifications in the industry and is the only UEM product to be named 2023 Customers Choice by Gartner® Peer Insights™.

AWS provides reliable, scalable, and inexpensive cloud computing services to organizations around the world. For more information on AWS products click here.

For more information on BlackBerry UEM at the edge or BlackBerry UEM for the IoT, including general availability dates, register for BlackBerry Summit, taking place on October 17, where speakers from industry, enterprise and BlackBerry will reveal the future of IoT, IT and Cybersecurity and showcase the latest BlackBerry innovations.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 235M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems. BlackBerry's vision is clear - to secure a connected future you can trust.

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. BlackBerry is not responsible for any third-party products or services._

BlackBerry Unveils Next-Generation UEM Redefining the Endpoint Management Market

The company has taken down its systems in an effort to determine the scope of the attack.

Simpson Manufacturing filed an 8-K form with the Securities and Exchange Commission (SEC), stating that it experienced disruptions in its IT infrastructure and applications due to a cyberattack on Oct. 10.

Simpson Manufacturing, an engineering, manufacturing, and building products company based in California, employs more than 5,000 people worldwide.

Due to the attack, the company has taken certain systems offline to mitigate the issue; operations are expected to be disrupted until the incident is fully resolved. An investigation has been launched to determine the nature of the attack as well as the scope of its effect.

The company has also enlisted the help of third-party cybersecurity experts to assist in the ongoing investigation as well as the recovery efforts.

It is possible that the cyberattack Simpson Manufacturing experienced deals with ransomware, given that the company's response method to the incident is typical for a ransomware attack, though Simpson Manufacturing provided no information as to the type of attack it experienced. 

This incident came just after the company announced it would report its third-quarter financial results later this month.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Simpson Manufacturing Launches Investigation After Cyberattack

By working cooperatively, the West and Africa can mobilize to tackle nation-state-backed cyber threats.

Nation-state hackers are a potent weapon in the hands of countries. The days a war starts by someone pulling a trigger are gone: It has been replaced by the Enter key.

To gain the best possible insights into global threat landscapes, who is attacking who, why they're attacking, and how the West and Africa can mobilize to tackle nation-backed cyber threats, it's crucial to understand the geopolitical dynamics of cyber warfare. Only by gaining a thorough context of the situation can governments, businesses, and cybersecurity providers effectively reduce nation-backed cyberattacks.

**The Role of Africa in Global Cyber Warfare**

Africa, and South Africa in particular, forms a delicate bridge between the East and the West. On one hand, Africa has economically benefited from the East; Eastern mining, infrastructure, and private-sector companies all have roots in the continent. At the same time, Africa increasingly seeks trade deals with the West.

Careful balancing of economic ties with Eastern and Western nations has enabled Africa to accelerate its export trade in the last decade, with the continent's average GDP growth expected to rise from 3.8% in 2022 to 4.1% in 2023–2024.

However, as large Western organizations conduct business with African nations, they become vulnerable to the threat of cyberattacks coordinated across the continent. Many of these attacks are perpetrated by attackers based in or backed by the BRICS nations (Brazil, Russia, India, China, and South Africa).

Cyberattacks have proliferated over the last decade, particularly in Africa. In Kenya and Nigeria, Kaspersky reports a large increase in financial and banking Trojans in the second quarter of 2021 compared with the first quarter of 2021: a 59% increase in Kenya, and a 32% increase in Nigeria.

A 10-year review of the cyber-threat landscape in South Africa finds that the most prevalent perpetrators of cybercrime were trained hackers, and the most common motivation was criminal.

Countries spanning the continent are targeted on a mass scale, often using the same threat methodologies. At Performanta, we've seen attack methodologies repeated by actors across various countries: we discovered a Lazarus Group cyberattack network operating in Zambia and tracked the same attack tools and methodologies to activity in Uganda.

We've also seen APT40, also known as Kryptonite Panda, an advanced persistent threat (APT) located in Haikou, Hainan Province, People's Republic of China, target government organizations, companies, and universities in a wide range of industries via Africa and across the United States, Canada, Europe, and the Middle East. APT40 counterparties, China-based Phantom Panda and Wet Panda, have similarly targeted these regions over telecommunications networks.

Why are Eastern APT groups attacking via Africa? There are a few motivations: Attackers may perceive attacking Africa to have fewer risks; they're aiming to access Western assets via Africa; or they are testing attack methodologies on Africa to later use in the West on home soil. The big picture is dangerously murky, but all these reasons enter into the equation.

**Where Does the West Come in?**

The West and Africa are intrinsically linked as they both fall afoul of the East and BRICS attacks. To counter this, both must implement long-term collaborative efforts to turn the cyberwars in their favor. Any short-term partnership fails to consider the aggressively innovating threat landscape, where insights are outdated almost as soon as they are collected.

Working cooperatively, the West and Africa can share knowledge of APT threats, attack success rates, emerging methodologies, and the strategies deployed by specific nations, sponsored groups, or ransomware-as-a-service (RaaS) brokers. Managed security service providers possess deep knowledge of regional threat landscapes in Africa, and this could prove pivotal in deciphering the severity of threat data and data loss, allowing more efficient threat categorization.

With this information, the right combat tools can be put into place and attacks can be thwarted more successfully. Both parties can gain visibility into new threat-prevention methods, big data sets, and powerful cybersecurity tools that can help them fight the threat of BRICS-backed actors on all fronts.

In the pursuit of global cyber safety, immediate, direct cooperation is the only way that Africa's unique placement as a bridge between East and West can transform from a vulnerability to an advantage.

The Cyberwar Between the East and the West Goes Through Africa

Evasive malware disguised as a caching plug-in allows attackers to create an admin account on a WordPress site, then take over and monetize sites at the expense of legitimate SEO and user privacy.

Sophisticated malware capable of creating an administration account for a website is lurking behind an authentic-looking WordPress caching plug-in, giving threat actors a way to completely hijack infected websites at will.

Researchers from Wordfence discovered the plug-in, which can perform a variety of malicious tasks while masquerading as legitimate add-on software for the WordPress platform, they revealed in a blog post Oct. 11. Chief among this activity is the ability to create an admin account and remotely activate plug-ins — basically giving threat actors free rein over infected sites.

The backdoor can work both as a standalone script and also as a plug-in, with features like remote plug-in activation and conditional content filtering that give it evasion capabilities difficult for inexperienced users to detect.

Other capabilities include the ability to add filters to prevent the malware from being included in the list of activated plug-ins, pinging functionality that allows a malicious actor to check if the script is still operational, and file-modification capabilities. Further, the backdoor can activate or deactivate arbitrary plug-ins remotely, which is "useful to disable unwanted plug-ins and also to activate this malicious plug-in as needed," Wotschka wrote.

"Since the malicious file runs as a plug-in within the context of WordPress, it does have access to normal WordPress functionality just like other plug-ins do," Wordfence vulnerability researcher Marco Wotschka wrote in the post. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy."

A Wordfence analyst discovered a sample of the malware during a site clean on July 18, and created a signature the following day, which was subsequently tested and released to Wordfence customers on Sept. 1.

**Malicious Plug-in: A Hidden but Detectable Malware Enemy**

The researchers broke down some of the key functionality of the malicious plug-in, including features that are most likely to arise suspicion among current site administrators or users.

One of those is to use wp\_create\_user function to create a new user account with the username superadminand a hardcoded password to set up an attacker as a website administrator. This account is removed once a victim has been successfully compromised as a way to remove traces and thus reduce changes of detection, according to Wordfence.

"While often seen in test code, user creation with hardcoded passwords should be considered a red flag, and the elevation of this user to an administrator is certainly reason enough for suspicion," Wotschka wrote.

The malicious plug-in also includes bot detection code, which is often present in malware on a website that serves normal content to some users while redirecting or presenting malicious content to others.

"One common thread shared by these infection scenarios is that site owners find their site looks fine to them, but their visitors have reported issues such as seeing spam or being redirected to dubious sites," Wotschka explained.

Further, since this kind of malware wants search engines to find the malicious content, it is usually served to them as they index a site, he said. Threat actors use keyword stuffing to help increase traffic sent to infected sites, with administrators often reporting a sudden, unexpected surge in site traffic when their sites are hit by an infection.

While the presence of bot detection code on its own is not enough to verify that malicious activity is present on a website, it does stand out as suspicious activity, Wotschka added.

**Securing WordPress Sites**

Plug-ins remain an exposed and sizeable attack surface for WordPress and the millions of sites built on it, an endemic issue that remains a persistent threat. Threat actors have targeted WordPress sites via both malicious and vulnerable plug-ins, with both issues often going unnoticed by site operators until after a website is already under active attack.

Overall, anyone building websites using WordPress should follow security best practices in how they configure the sites to ensure they remain as protected as possible. Wordfence advised that they should also include some type of security monitoring on the site in case of compromise even after following these practices.

Backdoor Lurks Behind WordPress Caching Plug-in to Hijack Websites

Government security processes are often viewed as tedious and burdensome — but applying the lessons learned from them is imperative for private industry to counter a nation-state threat.

The private sector's utility, telecom, banking, transportation, and medical networks have become a part of physical, mental, and economic well-being in the modern world. They are also under unprecedented threat from state actors — recently underscored by the unclassified summary of the Department of Defense's cybersecurity strategy, which stated that China "steals technology secrets and undermines the DIB \[defense industrial base\]," and that, in the event of conflict, China "likely intends to launch destructive cyber attacks against the U.S. Homeland." The Director of National Intelligence's assessment further elaborated that "China is almost certainly capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems."

The DIB and critical infrastructure are under clear threat from our near-peer competitors and would do well to apply select best practices from US government classified systems to protect their own crown jewels.

**Understand Where and How Protected Enclaves and the Internet Intersect**

Whether in the operational technology (OT) networks of utilities, the research and development enclaves of pharmaceutical networks, or the medical equipment networks of hospitals, some parts of networks need to be more secure than others. But even in utilities' OT networks, which contain a critical mass of potentially vulnerable legacy technology, total segmentation is a myth, and for good reason: Companies increasingly require the power of big data analytics, integrations with Internet-connected financial systems, and similar services to operate an effective business.

A sound approach to risk management in connecting protected enclaves to broader IT networks can be found in a relatively obscure section of National Security Memorandum 8 (NSM-8): Cultivate visibility and rigor around the areas in which the networks overlap. By declaring that cross-domain systems — the systems responsible for connecting classified networks to unclassified networks — are "vital \[national security systems\] that require centralized visibility" and establishing the NSA's Raise the Bar program to oversee them, the US government ensured a level of consistent risk evaluation and security rigor around these inherently risky junctures in the network.

By doing the same, organizations can better manage risk and ensure a consistent approach, rather than crafty and unique but often unvetted solutions to bridge protected enclaves and the broader network. As these centralized points of visibility mature within organizations, they can also unite at an industry level via information sharing and analysis centers (ISACs) or ad hoc collaborative networks to understand best practices and technologies to minimize the risks at these critical network junctures.

**Protect the Critical Enterprise Along With Critical Infrastructure**

As alluded to above, the crown jewels of critical infrastructure organizations may be well-protected, but they are surrounded by a critical enterprise of enabling functions — HR, customer service, finance, logistics — hosted on a less-secure IT network and sometimes one step removed from the culture of security that permeates operational parts of the organization. But the threat of lateral movement within the network, whereby an adversary could compromise an employee in the critical enterprise and eventually navigate their way to more sensitive systems, renders this an unwise approach. The risk is compounded by the fact that a joint advisory by the NSA, CISA, the FBI, and others highlights China-sponsored threat actors "living off the land" within critical infrastructure networks, using native services rather than malware to evade detection once they have established a foothold.

The intelligence community has long embraced the concept of the critical enterprise by requiring that all employees — whether working operationally or in a support role — complete a thorough suitability process and protect support networks with the same rigor as their mission networks. By doing so, they not only protect their endpoints and systems at a given classification level from technical compromise but also cultivate a culture of security that renders the organization less vulnerable to human-enabled attacks, such as phishing.

While it is untenable for private sector companies to subject their employees to the same degree of scrutiny needed for a US security clearance, they can take a page from the government by securing the entire critical enterprise through training, preventive cybersecurity architecture, and a culture of security that makes the entire critical enterprise aware of the shared risks to their organization.

**Demand Security by Design**

The complexity of creating a solid cybersecurity architecture is compounded by the fact that, as CISA director Jen Easterly put it, "We've unwittingly come to accept as normal that such technology is dangerous-by-design." This has resulted in the need to deploy myriad security and network management solutions, some of which have proven dangerous by design in and of themselves.

The US government, in general, and its Department of Defense, in particular, have long exercised rigorous processes around technology readiness assessment and operational testing and evaluation. These processes, while costly and lengthy, are designed to ensure the security, maturity, and operational readiness of the technologies that will be deployed to conduct the most critical functions of the US government and support its war fighters. By exercising diligence in their procurement processes, including a strong eye toward security, US government agencies minimize the risk that their technology will be compromised.

It would be impractical to recommend that private sector organizations conduct the same degree of testing and evaluation of technology. But incorporating questions geared toward CISA's joint "Security-by-Design and -Default" principles is an appealing alternative. By moving beyond reliance on regulatory certifications (many of which test a manufacturer's processes and policies rather than the inherent security of the underlying technology), security leaders can partner with acquisition teams to increase the security of both critical infrastructure and critical enterprise. A few examples of such questions include:

*   Does your solution include multiple layers of security in case an adversary defeats one layer?
*   Do you provide and maintain a software bill of materials?
*   What hardware architectural protections are in place?
*   What is required to "harden" deployment of this solution?

Government security processes are often viewed as tedious and burdensome, but applying the lessons learned from them doesn't need to be. Taking these three key lessons and applying them to securing not only critical infrastructure but also the broader critical enterprise is imperative for private industry to counter a nation-state threat.

Protect Critical Infrastructure With Same Rigor as Classified Networks

Joe Sullivan's lawyers have claimed his conviction on two felony charges is based on tenuous theories and criminalizes the use of bug bounty programs.

Former Uber CISO Joseph Sullivan's conviction earlier this year on charges related to a 2016 data breach at the company should not be allowed to stand because it threatens the use of bug bounty programs among enterprise organizations, his lawyers argued in an appeal this week.

In a brief filed Tuesday with the US Court of Appeals for the Ninth Circuit, Sullivan's legal team described him as the victim of a "profoundly flawed" verdict that was based on tenuous theories about his responsibilities as the security chief at Uber.

**'Profoundly Flawed' Decision**

"Joe Sullivan used tools and strategies that all CISOs utilize to protect the data of hundreds of thousands of Uber drivers and was prosecuted for doing his job," said one his lawyers, Aravind Swaminathan of the Orrick law firm, in a statement. "If \[the verdict\] is allowed to stand, it's a precedent that threatens to take away a valuable tool that has helped security teams across all industries better protect their systems and puts Americans at much greater risk of being harmed."

A federal jury last October found Sullivan guilty of obstructing justice and misprision of a felony — or working to conceal it — in connection with a 2016 breach at Uber that exposed sensitive data of more than 50 million customers and 600,000 drivers.

The breach happened in the middle of an investigation by the Federal Trade Commission (FTC) of an earlier 2014 security incident at Uber involving the compromise of personal information belonging to some 50,000 individuals.

Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company's data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them.

**Flawed Understanding of Bug Bounty Programs**

Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber's CEO at the time, and other members of the ridesharing giant's legal team.

But prosecutors described the payment and an associated nondisclosure agreement that Sullivan's team wanted the hackers to sign as an attempt to cover up what was in effect a felony breach of Uber's network.

Following the jury verdict in May 2023, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation and 200 hours of community service and ordered him to pay a $50,000 fine.

**Scapegoats for Security Failures?**

Sullivan's fate struck a nerve with many peers and others in the industry who perceived CISOs as becoming scapegoats for broader security failures at their companies. Many argued — and continue to argue — that Sullivan acted with the full knowledge of his supervisors but in the end became the sole culprit for the breach and the associated failures for which he was charged. They believed that if Sullivan could be held culpable for his failure to report the 2016 breach to the FTC — and for the alleged hush payment — then so should Kalanick at the very least, and probably others as well.

It's an argument that Sullivan's lawyers once again raised in their appeal of the obstruction conviction this week. "Despite the fact that Mr. Sullivan was not responsible at Uber for the FTC's investigation, including the drafting or signing any of the submissions to the FTC, the government singled him out among over 30 of his co-employees who all had information that Mr. Sullivan is alleged to have hidden from the FTC," Swaminathan said.

The appeal similarly challenged the misprision conviction, arguing that it criminalized bug bounty programs, a practice that other organizations have made a fundamental part of their security strategies. Sullivan's lawyers argued that the former Uber CISO had leveraged the program effectively to get the two hackers to disclose how they had accessed the data and to get them to agree not to publicly release it.

**Criminalizing a Commonly Used Tactic**

The bug bounty program worked as it should have, the brief claimed. "Mr. Sullivan and his team fully resolved the 2016 incident through a Bug Bounty agreement," the appeal noted. "Two young men agreed to disclose the vulnerability, destroy a database of 600,000 drivers' license numbers they had downloaded, and not disclose the data or incident publicly," the brief said. "Uber paid a $100,000 reward and pursued no legal action. No data was ever exposed. No Uber user was ever injured. Mr. Sullivan and his team had done their jobs."

By characterizing what Sullivan did as a crime, the government in effect asked the jury to view the bug bounty agreement as a hush money payment and not as an effective way to mitigate security risks, the brief claimed.

"We aren't raising new legal arguments or evidence, since we are confined to the record," says David Chamberlin, managing director at Orrick, in comments to Dark Reading. "But the appeal does emphasize key legal limitations on when an individual can be held criminally liable for organizational decisions, actions, and inactions." It also adds "nuance on the importance of bug bounty programs and the uncertain factual settings and legal frameworks in which they operate."

The government's response is due by Nov. 9, and Sullivan will have an opportunity to respond to that by Nov. 30. Oral arguments in the appeals case are projected to start in the spring of 2024, and a decision won't happen until mid- to late 2024, Chamberlin says.

Uber's Ex-CISO Appeals Conviction Over 2016 Data Breach

Cryptocurrency apps were the most high risk for exposing sensitive information, a reverse-engineering study shows.

Encryption, authentication, and signing keys are often exposed in mobile fintech apps used across Africa, according to researchers at Approov, who found passwords, application programming interface (API) keys, and private keys for cryptography when the most commonly used apps were reverse-engineered.

**Risky Mobile Business**

Approov examined the top 10 apps based on revenue and downloads. The fintech apps included those offering loans, mobile banking, P2P money transfer, investment, and cryptocurrency services.

Trevor Henry Chiboora, research associate at CyLab-Africa, which conducted the study along with Approov, says some of the apps surveyed are used exclusively within Africa, and some are geolocked to regions within Africa. He also confirmed all the apps were downloaded from the Google Play Store.

The crypto apps were determined to be the worst when it comes to security, with 33.3% of them rated as high risk and 53.3% as medium risk.

The high-risk category is considered extremely dangerous if exposed, as they disclose private keys, keys for payment or transfer services, and "authentication" or "attestation" keys. Researchers said the exposure of these secrets could potentially lead to unauthorized access, data breaches, and compromised user privacy.

The medium-risk category secrets include sensitive data that, if exposed, could potentially compromise the confidentiality of user data and application functionality. Although not as critical as the high-severity secrets, the compromise of these secrets could still have significant repercussions.

Chiboora says there is neglect across the board when it comes to the levels of security in the apps, but crypto apps have a larger user base and geographical coverage than most other categories.

Research found 22.2% of personal finance apps were rated as high risk and 66.7% as medium risk. Payment and transfer apps were next worst, with 19.1% rated as high risk and 76.6% as medium risk. Of the total of 224 applications examined, only 5.4% revealed no details.

**The Secret Key Is Exposed**

To do the analysis, the researchers collected each app's ID and, using an automated script to download the Android Application Packages, the apps were reverse-engineered and scanned for risky items.

Cryptographic API keys, private keys, and passwords are used to authenticate the application and authorize access to protected resources or services, as well as to ensure the integrity and security of data exchanges between the application and a server.

Typically an API serves a dual purpose: It identifies the app to the backend API, and it validates the legitimacy of the requesting app, thereby establishing a clear link between the requesting entity and the API backend. This mechanism effectively prevents unauthorized or anonymous access attempts and provides a means to regulate the flow of data requests.

The researchers claimed that exposing API keys — especially those related to services like Google, AWS, and other cloud services — can result in unauthorized usage, which may incur unexpected costs or disrupt the functionality of integrated features.

"Keys are vital in the security and privacy of data as they authenticate and authorize access to services," Chiboora says, adding that most of the time these details are hidden from application users. "There are mobile cybersecurity methods that allow app developers to move these keys out of the app and into the cloud, which is a better approach and a recommendation for better security."

The researchers said this secret information is essential for verifying the identity of the application and protecting against unauthorized access, tampering, or data breaches. These secret keys are often present in the compiled source code of these applications and may also be inadvertently published to public repositories like GitHub.

Ted Miracco, CEO of Approov, said that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated. "Developers can no longer depend on 'official' app stores or on native client OS security and must ensure that end-to-end security is built into the app itself," he said.

Pan-African Financial Apps Leak Encryption, Authentication Keys

Companies with customers in California need to prepare for a new process for demanding deletion of personal data.

Now that California Gov. Gavin Newsom has signed a bill defining the legal obligations of data brokers into law, businesses that serve people in the Golden State will have to meet a new set of processes to safeguard consumers' personal privacy. The new law consolidates California-specific processes under a state agency established by prior privacy legislation.

The California Delete Act, formally called "Data Broker Registration: Accessible Deletion Mechanism" (SB362), updates the state civil code to add and modify sections that pertain to data brokers to clarify such entities' responsibilities and processes. The new law also moves enforcement of data broker obligations from the California District Attorney's office to the California Privacy Protection Agency.

The California Privacy Protection Agency is tasked with maintaining a website that informs consumers of their rights and how to exercise them, as well as establishing a mechanism by Jan. 1, 2026, that allows consumers to request any and all data brokers to delete their personal data. The data brokers will have to start accessing the agency's mechanism and process all consumer deletion requests at least every 45 days as of Aug. 1, 2026. Once the broker has deleted a consumer's data, it further has to delete any personal information it has regarding that consumer during that same 45-day period. The Delete Act also requires data brokers to "register with, pay a registration fee to, and provide information to" the California Privacy Protection Agency starting July 1, 2027.

**Business Concerns**

The new law defines a data broker as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The California Privacy Rights Act of 2020's definition of "business" — a company that meets at least one of these conditions: gross annual revenues of more than $25 million; collects personal information of at least 50,000 people, households, or devices; and/or makes at least half its annual revenue from selling consumer data — still stands.

Data brokers will have to register with the California Privacy Protection Agency, providing information such as business contact information, data deletion links, audit reports, and whether the company collects information about minors, geolocation data, or reproductive health care — a hot-button issue for consumer rights advocates since the striking down of federal abortion rights protections.

Neither the CCPA, the CPRA, nor the Delete Act defines "direct relationship" with consumers, however, as industry group International Association of Privacy Professionals (IAPP) pointed out in its coverage of the new law. Another concern data brokers have, according to the IAPP, includes a provision that doubles fines for brokers that fail to register with the California Privacy Protection Agency to $200 a day. Meanwhile, the Consumer Data Industry Association asserted that deleting consumer data will open the door to fraud.

Joey Stanford, vice president of data privacy and compliance at Platform.sh, said in a statement that the Act will close some loopholes, which will benefit consumers.

"Regulation comes with implementation costs for businesses and usually a negative hit to the bottom line of companies that are affected, which can cause pushback from corporations," he added.

**Fodder for Wider Regulation**

Interestingly, the Delete Act was signed into law just two days before the UK-US Data Bridge takes effect on Oct. 12. That agreement sets out conditions for transferring personal data between the US and the UK. A similar agreement already exists between the US and the European Union, but because the UK left the EU as of 2020, after the 2016 Brexit referendum, a separate agreement was required. Now that Britain is out of the EU, it has privacy laws separate from Europe's stringent GDPR — as do many other countries, presenting compliance complexity. But the US has yet to create a truly unified piece of federal privacy regulation. Federal data privacy legislation seems like a natural progression, once lawmakers can agree on the right balance.

"As we see more attempts at regulating data privacy at the state level, perhaps with the right combination of CCPA+CPRA+Delete Act rolled up together, it could be a blueprint for a federal law. Although there would be no effect on data brokers in other geographies (e.g. India), creating nationwide policy for the US would help tremendously," Stanford said.

New California Delete Act Tightens Rules for Data Brokers

A sophisticated APT known as "ToddyCat," sponsored by Beijing, is cleverly using unsophisticated malware to keep defenders off their trail.

Chinese advanced persistent threats (APTs) are known for being sophisticated, but the "ToddyCat" group is bucking the trend, compromising telecommunications organizations in Central and Southeast Asia using a constantly evolving arsenal of custom-developed, but very simple, backdoors and loaders.

ToddyCat was first discovered last year, though it has been in operation since at least 2020. According to Check Point, it has previously been linked with Chinese espionage operations.

In a blog post published this week, Check Point's researchers described how the group is staying nimble these days: by deploying, and just as quickly throwing away, cheap malware it can use to drop its payloads.

Victims of its latest "Stayin' Alive" campaign — active since at least 2021 — include telcos from Kazakhstan, Pakistan, Uzbekistan, and Vietnam. The precise extent of their reach, and whether they caused any damage, are yet unknown.

**ToddyCat's Latest Tactics**

Stayin' Alive attacks begin with spear phishing emails containing archive files. Once executed, the archive files are designed to take advantage of CVE-2022-23748, a 7.8 out of 10 "High" criticality DLL sideloading vulnerability in Dante AV systems software. ToddyCat uses such DLL sideloading — a popular technique, especially among Chinese threat actors — to drop loaders and downloaders onto targeted devices.

These loaders and downloaders are not nearly to the specs one would expect of a high-level, state-affiliated threat actor, explains Sergey Shykevich, threat intelligence group manager at Check Point.

"They have relatively basic functionality, but they're good enough to achieve initial goals, like allowing the attacker to get basic reports about infected machines: computer name, user name, system info, some directories, and so on. They also include the functionality of shelling, allowing the execution of any command the attacker wants," he explains.

"Our assumption is that via the shell, they were able to implement additional backdoors and modules," he adds, though the research didn't extend to finding out what payloads they ultimately did deploy.

**A Smart Use of Dumb Malware**

Though at first it might seem lazy or ineffectual, there is a reasoning behind using such basic tools instead of more sophisticated, multifunctional weapons of cyberwar.

"The smaller the tool, the more difficult it is to detect," Shykevich explains. "And also, when it's a small tool, it's relatively easy to adjust it to a target."

Easier to adjust, and less expensive to throw away. Typically, researchers identify and track APTs by cross-referencing details between different attacks. With ToddyCat, however, it's impossible to do that — each of its malware samples has zero discernible overlap with known malware families, or even with one another. The researchers expect that they're likely discarded for new samples even after little use. "The small changes mean that you can catch one of them, but it won't be so straightforward to catch all the others. It will require some additional work," Shykevich says.

That said, ToddyCat is undone by the fact that each sample traces back to its easily identifiable command-and-control (C2) infrastructure.

To defend against such a nimble attacker, Shykevich recommends a layered approach. "The first layer here, for example, was the email — you should have proper email protection to identify a malicious attachment," he advocates. "But another level is endpoint detection and response (EDR) endpoints, to identify for example the DLL sideloading and malicious shell activity."

Chinese 'Stayin' Alive' Attacks Dance Onto Targets With Dumb Malware

Touted for days as potentially catastrophic, the curl flaws only impact a narrow set of deployments.

For days now, the cybersecurity community has waited anxiously for the big reveal about two security flaws that, according to curl founder Daniel Stenberg, included one that was likely "the worst curl security flaw in a long time."

Curl is an open source proxy resolution tool used as a "middle man" to transfer files between various protocols, which is present in literally billions of application instances. The suggestion of a massive open source library flaw evoked memories of the catastrophic log4j flaw from 2021. As Alex Ilgayev, head of security research at Cycode, worried, "the vulnerability in the curl library might prove to be more challenging than the Log4j incident two years ago."

But following today's unveiling of patches and bug details, neither vulnerability lived up to the hype. However, it's still important for organizations to uncover whether the bugs are present in their environments (Dark Reading's latest Tech Tip covers how to scan environments for the curl vulnerabilities), and remediate accordingly.

**Impacting a Limited Number of Curl Deployments**

The first vuln, a heap-based buffer overflow flaw tracked under CVE-2023-38545, was assigned a rating of "high" due to the potential for data corruption or even remote code execution (RCE). The issue lies in the SOCKS5 proxy handoff, according to the advisory.

"When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes," the advisory stated. "If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy."

The bug could allow the wrong value to be handed off during the SOCKS5 handshake.

"Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there," the advisory added.

However, the high severity designation only applies to a fraction of deployments, cybersecurity expert Jake Williams says.

"This is only high severity in very limited circumstances," Williams says. "I think it's just an issue that when you have a library vulnerability, you know know how the library is being used. You have to assign the CVE assuming a worst case scenario for implementation."

The second curl bug, tracked under CVE-2023-38546, is a low-severity cookie injection flaw that only impacts the libcurl library, not curl itself.

"I think this is a bigger problem for security devices, and appliances (which fetch untrusted content and often use curl under the hood)," Andy Hornegold, vice president of product at Intruder, said in a statement in reaction to the release of the curl bug details. "I don't see it being a huge problem for standalone usage."

**Dangers of Hyping Up a Fix**

Beyond heartburn for cybersecurity teams, hyping up a fix before technical details are released can hand over an easy win to threat actors. In this instance, Williams points out that RedHat updated its change log ahead of the official curl release, which could have given cyberattackers important intel on unpatched targets, had the vulnerability been as dangerous as previously assumed.

Indeed, Mike McGuire with Synopsys saw the dangers of the amped up attention on the curl update and wrote about it in an Oct. 9 blog.

"Despite having no additional details about the vulnerability, threat actors will undoubtedly begin exploit attempts," McGuire wrote. "Additionally, it's not unheard of for attackers to post bogus 'fixed' versions of a project riddled with malware to take advantage of teams scrambling to patch vulnerable software."

Source

DARKReading