Innovative risk-based model enables better security measures.

**TEL AVIV, Israel****,** **June 28, 2023** **/PRNewswire/ --** OTORIO, the leading provider of operational technology (OT) cyber and digital risk management solutions, today announced a significant advancement in OT security with the availability of its Attack Graph Analysis technology, integrated into the company's powerful Cyber Digital Twin (CDT) model. By leveraging the capabilities of the CDT, organizations can now gain dynamic visual network topology and advanced risk assessment, enabling the proactive management of vulnerabilities in their OT infrastructure. This announcement follows the company's recent securing of a patent from the U.S. Patent and Trademark Office (USPTO) for its risk management model and attack graph analysis algorithm.

Even organizations with skilled OT security personnel face challenges when protecting operational environments due to their complexities and the shortcomings of existing OT security solutions. Limited visibility and partial data can result in an unclear asset inventory, and businesses often don't understand their actual exposure to attacks by only focusing on endpoint vulnerabilities. These factors make it difficult to accurately assess OT security posture.

OTORIO's Cyber Digital Twin and Attack Graph Analysis overcome these challenges. The CDT consists of an automated, secure, and logical representation of the operational network, its entities, and their interrelationships. It acts as a sandboxed model of the operational environment, enabling safe breach and attack simulations (BAS) as well as data-driven impact analysis.

Once the relationships between the entities have been established, the CDT algorithm generates an Attack Graph: a visualization of all network assets, vulnerabilities, and connections that show segmentation gaps and potential attack vectors targeting critical assets and processes. By calculating risk across all assets, threats, and scenarios, it enables businesses to continuously assess, monitor, and proactively protect their critical OT systems. Attack Graph Analysis empowers organizations to prioritize their security efforts by providing actionable insights into the most critical vulnerabilities and potential attack vectors. By identifying and visualizing the high-risk areas within their OT infrastructure, businesses can allocate resources more efficiently and stay ahead of emerging threats.

The CDT and Attack Graph Analysis technology are built on three key pillars:

*   Automation -- OTORIO streamlines security processes, reducing human error and enabling rapid response. It provides an automated, user-friendly report with action items and priorities, eliminating the need for manual analysis.
*   Explainability - The Attack Graph Analysis ensures transparency and enables users to better understand their security posture from a risk and business impact standpoint.
*   Actionability - The visually intuitive Cyber Digital Twin and Attack Graph Analysis reports provide recommendations tailored to network needs. This comprehensive approach equips organizations with effective security strategies, enabling proactive vulnerability management.

"Our Cyber Digital Twin and patent-protected Attack Graph Analysis are game-changing solutions for OT security, and we're thrilled to provide them to our customers," said Ben Reich, Chief Platform Architect at OTORIO. "We are bringing a new level of precision and effectiveness to OT security by empowering organizations to proactively manage risk, ensure operational resilience, and protect their critical assets from evolving cyber threats."

**About OTORIO** 

OTORIO has pioneered an industrial-native OT security platform that enables its customers to achieve an integrated, holistic security strategy for industrial control systems (ICS) and cyber-physical systems (CPS). Together with its partners, OTORIO empowers operational security practitioners to proactively manage cyber risks and ensure resilient operations.

The company's platform provides automated and consolidated visibility of the entire operational network, enabling companies to take control of their security posture, eliminate critical risks, and deliver immediate business value across the  organization. OTORIO's global team combines the extensive mission-critical experience of top nation-state cyber security experts with deep operational and industrial domain expertise. To learn more, visit OTORIO.com.

Logo - https://mma.prnewswire.com/media/2004395/4139581/Otorio\_Logo.jpg

SOURCE OTORIO

OTORIO Rolls Out Advanced Attack Graph Analysis for OT Security

The company introduces a solution to restore trust in customers' existing cyber defense techstack.

**LAWRENCE, Kan.****,** **June 28, 2023** **/PRNewswire/ --** Invary, a cybersecurity pioneer focused on detecting hidden malware and preventing costly ransomware attacks, has raised pre-seed funding to launch its innovative solution. The investment was led by Flyover Capital, with additional participation from NetWork Kansas GROWKS Equity program, and the KU Innovation Park.

The pre-seed funding round will fuel the launch of Invary's flagship Runtime Integrity offering, designed to uncover and neutralize hidden threats that elude modern threat detection systems. This unique service debuts this summer, and will empower organizations to fortify their security postures and proactively safeguard their digital environment against high impact attacks.

Additionally, Invary's free Runtime Integrity Score (RISe) service is available now, allowing customers to spot-check their system's integrity and identify hidden malware.

The Invary leadership team brings decades of operational expertise in Trusted Computing research and reunites entrepreneurs with a successful history of collaboration. The company is spearheaded by CEO Jason Rogers, who has extensive experience building secure cloud-scale platforms, and scaling engineering & operations at category leader Matterport through IPO. The team's security credentials are further bolstered by founder Dr. Perry Alexander, a distinguished authority in Trusted Computing research and his protege and former student, Dr. Wesley Peck, the CTO of Invary, who obtained his PhD under Dr. Alexander's guidance.

The highly dynamic nature of today's threat landscape poses a significant challenge to the security posture of all organizations, including those with advanced defenses like XDR, SIEM and CNAPP solutions. The primary flaw within these defense layers stems from their assumption that the operating system remains uncompromised. This leaves a critical gap in the overall security infrastructure that threat actors can discreetly exploit to prepare a ransomware attack or data breach. This oversight is incredibly problematic because a staggering 72% of cyberattacks occur in production according to Datadog's latest State of Application Security report. 

Invary plugs this security gap at runtime by mandating continuous validation of the operating system - making it an indispensable component of a "trust nothing" Zero Trust architecture. Built on an exclusive intellectual property grant from the NSA, Invary's technology provides proven and superior protection for the digital environment, pinpointing compromise with high confidence, eliminating superfluous, noisy monitoring data.

Jon Broek, CEO of Tenfold Security, a leader in cloud security services, said, "Invary Runtime Integrity gives us an unfair advantage over the competition when deployed with our security solutions for cloud and virtual machines. It also provides a key component of keeping our customers secured end to end and preventing things like ransomware that are highly targeting our core customers in higher education."  

"We are thrilled to have secured this pre-seed funding, as it validates the need for  Invary's novel technology to shore up existing cyber defenses against high impact hidden threats," said Jason Rogers, CEO of Invary. "With the support of our investors, customers and partners, we are well-positioned to advance our mission of fortifying the security ecosystem by reinforcing Zero Trust principles."

The IT team at LMH Health said, "One of the key challenges in combating destructive ransomware is the hidden malware within operating systems that often serves as the foundation for such attacks. Invary Runtime Integrity gives visibility into a part of the system overlooked by most other security tools. We are able to gain confidence that the operating system has not been compromised, but if there are cases where anomalies are detected, a wealth of information is provided to help determine if they are benign, intentional or potentially malicious." 

"Ensuring the safety of our customers and cyber community is our #1 priority. Our pre-seed funding enables us to realize this dedication by continuously improving Invary's Runtime Integrity Service while also making our agent open source. We're proud to enhance operating system security for all by accelerating the industry's progress toward truly comprehensive Zero Trust Architectures," said Dr. Wesley Peck, CTO of Invary. 

The successful completion of the pre-seed funding round underscores Invary's commitment to pushing the boundaries of Runtime Security. With this significant investment, Invary is poised to accelerate its growth, enhance its technology and expand its reach in preventing data breaches and ransomware attacks.

For more information about Invary and its Runtime Integrity solutions, please visit www.invary.com.

**About Invary**

Invary is the leader in operating system runtime validation and security. The company's technology detects hidden, high impact threats to the operating system that are missed by other foundational defense systems including XDR, SIEM and CNAPP platforms. By securing the integrity of the operating system as a first class citizen in the "trust nothing" entity list of Zero Trust architectures, Invary becomes an indispensable part of modern cyberdefense. Based on an exclusive IP grant from the NSA and proven technology that has been deployed in real-world, critical infrastructure, Invary's proprietary technology ensures malware, ransomware and other hidden, high impact threats commonly found in operating systems are exposed — before they can cause downtime and expand the blast radius of attack.

Invary Raises $1.85M in Pre-Seed Funding to Close Critical Gap in Zero Trust Security

New report offers valuable resource to help organizations evaluate the safety and reliability of open-source packages.

**TEL AVIV, Israel** **and** **BOSTON****,** **June 28, 2023** **/PRNewswire/ --** Mend.io, a leader in application security, released findings today from its latest report, the Mend.io Open Source Reliability Leaderboard. Powered by data from Renovate, Mend.io's popular open-source dependency management tool, the Leaderboard presents the top packages in terms of reliability across three of the most widely used languages.

"The Leaderboard helps shift the AppSec view from detection to prevention, a valuable perspective for reducing the risk imposed by our increasingly vulnerable software supply chain," said Rhys Arkins, vice president of product management, Mend.io. "Success hinges on having the knowledge necessary to prevent possible open-source vulnerabilities from ever being installed in the first place. For that to happen, companies need to know not only what packages are in use at their companies, but how safe they are."

The Leaderboard allows the Mend.io team to leverage and share a valuable resource. There is no better arbiter of package reliability than Renovate, which has gathered crowd-sourced data on over 25 million dependency updates. By analyzing what packages are consistently releasing good updates, the Leaderboard presents an accurate picture of a package's overall reliability for software engineers trying to balance functional risk with security risk. 

The full report showcases detailed rankings for npm, PyPi, and Maven.

**Key findings:**

**Group runs bring down overall package reliability.** 

Any fan of the TV show _Survivor_ can tell you that in competition, groups are often hurt by their weakest link, and the same holds true when it comes to group updates. A group of ten packages is ten times more likely to encounter a failure. 

**Release frequency has no effect on average success rates.**

You would think that more-frequent releases would improve reliability through faster bug fixes and an engaged maintainer community, but such was not the case.

**The Best of the Best**

Looking across the overall categories, the top three most reliable packages for each language are: 

**Npm:**

1.  prettier-eslint
2.  np
3.  jest-cli

**Maven:**

1.  org.apache.maven.scm:maven-scm-provider-gitexe
2.  com.github.ekryd.sortpom:sortpom-maven-plugin
3.  org.apache.maven.plugins:maven-release-plugin

**PyPi:** 

1.  Pulumi
2.  Botocore-stubs
3.  types-python-dateutil

**About the Report**

The report examines data from Renovate, an automated dependency management tool that leverages crowd-sourced data on over 25 million dependency updates.

Download a full copy of the report here.

**About Mend.io**

Mend.io, formerly known as WhiteSource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open-source and custom code, and open-source license risks. With a proven track record of successfully meeting complex and large-scale application security needs, Mend.io is the go-to technology for the world's most demanding development and security teams. The company has more than 1,000 customers, including 25 percent of the Fortune 100, and manages Renovate, the open-source automated dependency update project. For more information, visit www.mend.io, the Mend.io blog, and Mend.io on LinkedIn and Twitter.

SOURCE Mend.io

Mend.io Launches Inaugural Open Source Reliability Leaderboard

Virtual kidnapping is just one of many new artificial intelligence attack types that threat actors have begun deploying, as voice cloning emerges as a potent new imposter tool.

An incident earlier this year in which a cybercriminal attempted to extort $1 million from an Arizona-based woman whose daughter he claimed to have kidnapped is an early example of what security experts say is the growing danger from voice cloning enabled by artificial intelligence.

As part of the extortion attempt, the alleged kidnapper threatened to drug and physically abuse the girl while letting her distraught mother, Jennifer DeStefano, hear over the phone what appeared to be her daughter's yelling, crying, and frantic pleas for help.

But, those pleas ended up being deepfakes.

**Deepfakes Create Identical Voices**

In recounting details of the incident, DeStefano told police she had been convinced the individual on the phone had actually kidnapped her daughter because of how identical the alleged kidnapping victim's voice was to her daughter's.

The incident is one in a rapidly growing number of instances where cybercriminals have exploited AI-enabled tools to try and scam people. The problem has become so rampant that the FBI in early June issued a warning to consumers that criminals manipulating benign videos and photos are targeting people in various kinds of extortion attempts.

"The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content," the agency warned. "The photos or videos are then publicly circulated on social media or pornographic websites, for the purpose of harassing victims or sextortion schemes." Scams involving deepfakes have added a new twist to so-called imposter scams, which last year cost US consumers a startling $2.6 billion in losses, according to the Federal Trade Commission.

In many instances, all it takes for attackers to create deepfake videos and audio — of the kind that fooled DeStefano — are very small samples of biometric content, Trend Micro said in a report this week highlighting the threat. Even a few seconds of audio that an individual might post on social media platforms like Facebook, TikTok, and Instagram is all that a threat actor requires to clone that individual's voice. Helpfully for them, a slew of AI tools is readily available — with many more on the way — that allow them to do voice cloning relatively easily using small voice biometrics harvested from various sources, according to Trend Micro researchers.

"Malicious actors who are able to create a deepfake voice of someone's child can use an input script (possibly one that's pulled from a movie script) to make the child appear to be crying, screaming, and in deep distress," Trend Micro researchers Craig Gibson and Josiah Hagen wrote in their report. "The malicious actors could then use this deepfake voice as proof that they have the targeted victim's child in their possession to pressure the victim into sending large ransom amounts."

**A Plethora of AI Imposter Tools**

Some examples of AI-enabled voice cloning tools include ElevenLabs' VoiceLab, Resemble.AI, Speechify, and VoiceCopy. Many of the tools are only available for a fee, though some offer freemium versions for trial. Even so, the cost to use these tools is often well less than $50 a month, making them readily accessible to those engaged in imposter scams.

A great deal of videos, audio clips, and other identity-containing data is readily available on the Dark Web that threat actors can correlate with publicly available information to identify targets for virtual kidnapping scams like DeStefano experienced and other imposter scams, Trend Micro noted. In fact, specific tools for enabling virtual kidnapping scams are emerging on the Dark Web that threat actors can use to hone their attacks, the researchers say in emailed comments to Dark Reading.

AI tools such as ChatGPT allow attackers to fuse data — including video, voice, and geolocation data — from disparate sources to essentially narrow down groups of people they can target in voice cloning or other scams. Much like social network analysis and propensities (SNAP) modeling allows marketers to determine the likelihood of customers taking specific actions, attackers can leverage tools like ChatGPT to focus on potential victims. "Attacks are enhanced by feeding user data, such as likes, into the prompt for content creation," the Trend Micro researchers say. "Convince this cat-loving woman, living alone who likes musicals, that their adult son has been kidnapped," they say, as one example. Tools like ChatGPT allow imposters to generate in a wholly automated way the entire conversation that an imposter might use in a voice cloning scam, they add.

Expect also to see threat actors use SIM-jacking — where they essentially hijack an individual's phone — in imposter scams such as virtual kidnapping. "When virtual kidnappers use this scheme on a supposedly kidnapped person, the phone number becomes unreachable, which can increase the chances of a successful ransom payout," Trend Micro said. Security professionals can also expect to see threat actors incorporate communication paths that are harder to block, like voice and video in ransomware attacks and other cyber-extortion schemes, the security vendor said.

**Cloning Vendors Cognizant of the Cyber-Risks**

Several vendors of voice cloning themselves are aware of the threat and appear to be taking measures to mitigate the risk. In Twitter messages earlier this year, ElevenLabs said it had seen an increasing number of voice-cloning misuse cases among users of its beta platform. In response, the company said it was considering adding additional account checks, such as full ID verification and verifying copyright to the voice. A third option is to manually verify each request for cloning a voice sample.

Microsoft, which has developed an AI-enabled text-to-speech technology called Vall-E, has warned of the potential for threat actors to misuse its technology to spoof voice identification or impersonate specific speakers. "If the model is generalized to unseen speakers in the real world, it should include a protocol to ensure that the speaker approves the use of their voice and a synthesized speech detection model," the company said.

Facebook parent Meta, which has developed a generative AI tool for speech called VoiceBox, has decided to go slow in how it makes the tool generally available, citing concerns over potential misuse. The company has claimed technology uses a sophisticated new approach to cloning a voice from raw audio and an accompanying transcription. "There are many exciting use cases for generative speech models, but because of the potential risks of misuse, we are not making the Voicebox model or code publicly available at this time," Meta researchers wrote in recent recent post describing the technology.

AI-Enabled Voice Cloning Anchors Deepfaked Kidnapping

Workers were lured in by false job promises from Facebook ads, only to be tricked into committing cybercrimes with no way out.

Thousands of workers in China, Indonesia, the Philippines, Vietnam, and a host of other countries who were tricked into performing forced labor for cybercrime groups, including running fake online gaming sites, were rescued in a raid on June 27 by the Filipino police. 

Workers that had previously attempted to quit were forced to pay large amounts of money for the privilege, and others were afraid that they would be sold into other human-trafficking syndicates. They were lured in by Facebook ads with promises of high salaries and fair working conditions.

The head of the anti-cybercrime unit of the Philippines police, Brigadier General Sydney Hernia, said that police searched various buildings in Las Pinas with warrants, rescuing 1,534 Filipinos and 1,190 others from a variety of different countries. This comes after a police raid in May at the Clark Freeport in Mabalacat City, where roughly 1,400 workers were rescued after being forced to commit cryptocurrency crimes. 

Muhammah Mahfud, Indonesian Minister, said that the Association of Southeast Asian Nations (ASEAN) needs to make progress on a regional extradition treaty that has been long proposed, which would ultimately help authorities prosecute these kinds of offenders and mitigate the escalating human trafficking and cybercrimes in these regions.

It is currently unknown how many of the cybercrime syndicate leaders were arrested in the police raid. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Thousands of Filipinos, Others Rescued From Forced Cybercrime Labor

Organizations should consider their security practices the same way people think about their well-being. Focus on staying healthy instead of finding a new pill for every security symptom you see.

Since the early 1990s, we've watched the internet evolve from dial-up connections to high-speed, cloud-based computing. Organizations have navigated a shifting maze of technology while defending against cyberattacks. Sadly, after three decades in cybersecurity, I see organizations wrestling with the same problems in 2023 that they grappled with in 1995 when they first plugged into the internet.

Attacks on users through email, attacks on availability through denial-of-service campaigns, and exploits of systems through vulnerable applications are longstanding strategies that remain fruitful for threat actors.

Even today, with increased awareness and public reporting of data breaches, business leaders and developers aren't taught to balance new technologies with the required security. Organizations still focus on functionality and time to market, not on ensuring secure, predictable behavior. This creates a weakened infrastructure that attackers continue to prey on successfully and daily.

So, why do cybersecurity losses continue growing despite a projected $188.3 billion global annual spending on information security and risk management products and services?

**We're Treating Symptoms, Not Causes**

Vendor messaging over the decades has trained the marketplace to believe the solution to cybersecurity challenges is technology. More and more technology. The same proposition leads people to think they can lose weight with a pill — not eating better or exercising more, but a quick and easy solution so that they can pay to make the problem disappear.

The growth of security budgets shows this line of thinking is pervasive and leads to a vicious cycle of trying to outspend risk. In truth, while much of the technology is valuable, cybersecurity issues arise in the gaps.

Like prescriptions that are stopped mid-course or bandages over broken bones, technology adopted without a plan can create misplaced confidence in an incomplete system. Many organizations focus on shiny, new attacks at the expense of solid foundational protection, and this misprioritization has continued a culture of victimization and never-ending vulnerabilities.

The rising cost and destructive power of cyberattacks aren't new; they're collateral damage from years of neglecting basic security policies and best practices. Increased security investment is spent on niche protection technologies promoted by analysts, vendors, press coverage, and practitioner curiosity.

The constant change in tooling and focus also leads to burnout and job dissatisfaction among experienced leaders, exacerbating the cybersecurity skills shortage. To address ongoing vulnerability and increasing stress, we need to think about cybersecurity differently, recognizing that successful businesses rely on a healthy security posture.

**Cybersecurity's Preventive Medicine**

Organizations should consider their security practices the same way people think about their well-being. Focus on staying healthy instead of finding a new pill for every security symptom you see. The same principles you hear from the doctor apply to cybersecurity resilience: Diet, exercise, and regular checkups.

Security's basic food groups are prevention, detection, response, and remediation. Address each appropriately based on the specifics of your organizational need. Too little prevention and your detection, response, and remediation will be swamped. Too little response and security events will drag on. Your security program should consume only what it needs and what your team can digest and use. Any more than this, and you'll be carrying extra weight in your budget.

Cybersecurity conditioning means regularly conducting awareness training, tabletop exercises, practitioner certifications, asset inventory verifications, and penetration tests. Keep the team up to date on roles and responsibilities. Your response will be faster and more targeted, and your organization less disturbed, if you take the time to work out that security muscle regularly.

No one likes going for a yearly physical, but it's a great way to learn if you're as healthy as you think. Find time to run through your security program to make sure it's still balanced. Have your team double-check critical controls and compliance with relevant standards or best practices. Get a second opinion once in a while. Find a third party that doesn't have the context of your business and ask what they see. Good cybersecurity health means looking for even small indications something may have been missed. It doesn't take long for that blind spot to put your whole effort at risk.

**If You Do Get Sick…**

Maintaining a resilient, trustworthy security system is complicated by new capabilities and a diverse threat landscape. By some estimates, more than 250,000 new pieces of malware are detected daily. We need to diagnose and treat new problems like the healthcare industry addresses constantly changing epidemiological challenges.

The healthcare system keeps up with new and mutating diseases because specialists focus on a single condition, determining the best means to identify and diagnose it. Another group focuses on treatment to quell the problem early. Others develop the specialized equipment that powers diagnosis and treatment, while hospitals and the entire healthcare ecosystem support patients.

If we understand our organizations and the threats we're likely to face, we can begin to live the healthy, budgetable, and predictable corporate cybersecurity life we've sought for decades. By taking cyber health more seriously, we can cure the fundamental problems that have plagued the industry for the past 30 years and stop merely treating the symptoms and attacks.

Cybersecurity Is the Healthcare Your Organization Needs

Misconfiguration exposed the physical addresses of 60,000 patent filers over three years.

The US Patent and Trademark Office (USPTO) informed more than 60,000 trademark application filers that it mistakenly left their physical addresses exposed to the public Internet for three years.

A leaky API was the culprit, according to reports, and left data sets exposed, including addresses collected from applicants, which are mandatory when they file for a trademark with the USPTO.

"When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented," the notice sent to impacted filers and shared with TechCrunch read.

A spokesperson added the leak affected about 3% of the applications filed during the three-year time period.

"We regrettably failed to locate some of the more technical exit points and properly mask the data exported from those points," a USPTO spokesperson added. "We apologize for our mistake and will do better to prevent such an incident from happening again, while also preserving our ability to crack down on the historic amount of filing fraud we’re seeing originate overseas."

Jason Kent, hacker in residence with Cequence Security, said in a statement provided to Dark Reading that this type of API misconfiguration is precisely what cyberattackers are trawling for across the Internet.

"The more technical exit points are the ones the attackers tend to prefer," Kent said. "In 2023 API security parlance, they had API9:2023 Improper Inventory Management that allowed an attacker to find the endpoint, learn that it wasn’t authenticated API2:2023 Broken User Authentication that could have allowed an automated attacker to pull all of the impacted data in a very short period of time, API6:2023 Unrestricted Access to Sensitive Business Flows."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Patent Office Data Spill Exposes Trademark Applications

As cloud adoption grows, organizations need to rethink their approaches to securing hybrid cloud and multicloud environments.

Cloud technology is a powerful tool that facilitates collaboration among distributed workforces and allows businesses to quickly scale their digital workloads. According to a Microsoft survey, 95% of respondents said cloud technology was critical to their organizations' successes, and 86% planned to increase their investments in hybrid cloud and multicloud tech. 

However, cloud technology also comes with increased risks. The lack of visibility and coverage across hybrid and multicloud environments can make it difficult for security teams to identify and resolve risks. Security teams are also being asked to monitor fragmented tools across different clouds, which can make it difficult to create a unified view of their comprehensive security posture. 

Microsoft research from earlier this year found that 86% of surveyed decision-makers believed their current cybersecurity strategies were not sufficient to secure their multicloud environments. So how should organizations adapt their security approach?

**Create a Single-Pane-of-Glass View**

Cloud technology enables businesses to quickly scale their digital workloads because they are not constrained by managing physical devices or IT infrastructure. However, this agility can also make it difficult for them to keep track of their various workloads, data streams, and applications because they are scattered across a mix of different cloud platforms and on-premises locations. Securing a hybrid or multicloud environment requires organizations to have visibility and cross-platform control in a single-pane-of-glass view. That way they can visualize the security posture of multiple workloads at once, regardless of location.

**Use CNAPP For Code-to-Cloud Context**

For many organizations, security and compliance used to be distinct silos — making it difficult for development and security teams to protect applications in the cloud. More than half (54%) of enterprises do not integrate security into their DevOps pipelines, according to Microsoft's "Enterprise DevOps Report." Cloud-native application protection platforms (CNAPPs) integrate these silos into a single, easy-to-reference platform to help organizations secure and protect cloud-native applications.

Strong security hygiene means being able to monitor and remediate code within the same pane-of-glass view that organizations use to manage their overall cloud security posture. CNAPPs enable increased collaboration and integration between development and security teams while also reducing the possibility of code issues being moved into the cloud. By intaking all infrastructure-as-code scanning signals and combining them with data sensitivity, identity, and runtime intelligence, CNAPPs enable security teams to make recommendations and prioritize risks within the context of the entire hybrid or multicloud network.

**Fortify Security Hygiene With Threat Detection and Response**

Active threat detection is a critical component of securing the cloud environment against potential cybersecurity breaches. For example, organizations should examine the connections among applications, data stores, and workstreams to anticipate how threat actors could conceivably move through their environments to compromise operations.

When protecting workloads, it's critical that developers, security administrators, and security operations center analysts are all on the same page. It's also important that organizations take a cohesive, collaborative approach to cloud security by ensuring that all of the key players are working together to build security integrations that cover the full scope of your threat landscape. This can look like embedding anti-malware scanning tools into DevOps to ensure a company's code is protected against malware or preventing attackers from entering its network by hardening container security.

_— This article was written by Yuri Diogenes, a member of the Microsoft Security Team._

3 Tips to Increase Hybrid and Multicloud Security

We're still unprepared to fight the security bugs we already encounter, let alone new AI-borne issues.

From the first rumbles of hype for the latest culture-shattering AI tools, developers and the coding-curious alike have been using them to generate code at the touch of a button. Security experts quickly pointed out that, in many cases, the code being produced was poor quality and vulnerable and, in the hands of those with little security awareness, could cause an avalanche of insecure apps and Web development to hit unsuspecting consumers.

And then there are those who have enough security knowledge to use it for, well, evil. For every mind-blowing AI feat, it seems there is a counter-punch of the same technology being used for nefarious purposes. Phishing, deep fake scam videos, malware creation, general script kiddie shenanigans — these disruptive activities are now achievable much faster, with lower barriers to entry.

There is certainly a lot of clickbait touting this tooling as revolutionary, or at least coming out on top when matched with "average" human skill. While it is looking inevitable that large language models–style (LLM) AI technology will change the way we approach many aspects of work — not just software development — we need to take a step back and consider the risks beyond the headlines.

And as a coding companion, its flaws are perhaps its most "human" attribute.

**Poor Coding Patterns Dominate Its Go-To Solutions**

With ChatGPT trained on decades of existing code and knowledge bases, it's no surprise that for all its marvel and mystery, it too suffers from the same common pitfalls people face when navigating code. Poor coding patterns are the go-to, and it still takes a security-aware driver to generate secure coding examples by asking the right questions and delivering the right prompt engineering.

Even then, there is no guarantee that the code snippets given are accurate and functional from a security perspective; the technology is prone to hallucination, even making up nonexistent libraries when asked to perform some specific JSON operations. This could lead to "hallucination squatting" by threat actors, who would be all too happy to spin up some malware disguised as the fabricated library recommended with full confidence by ChatGPT.

Ultimately, we have to face the reality that, in general, we have not expected developers to be sufficiently security-aware, nor have we as an industry adequately prepared them to write secure code as a default state. This will be evident in the enormous amount of training data fed into ChatGPT, and we can expect similar lackluster security results from its output, at least initially. Developers would have to be able to identify the security bugs and either fix them themselves or design better prompts for a more robust outcome.

The first large-scale user study examining how users interact with an AI coding assistant to solve a variety of security-related functions — conducted by researchers at Stanford University — supports this notion.

Between this and the inevitable AI-borne threats that will permeate our future, developers, now more than ever, must hone their security skills and raise the bar for code quality, no matter its origin.

**The Road to a Data Breach Disaster Is Paved With Good Intentions**

It should come as no surprise that AI coding companions are popular, especially as developers are faced with increasing responsibility, tighter deadlines, and the ambitions of a company's innovation resting on their shoulders. However, even with the best intentions, a lack of actionable security awareness when using AI for coding will inevitably lead to glaring security problems. All developers with AI/ML tooling will generate more code, and its level of security risk will depend on their skill level. Organizations need to be acutely aware that untrained people will certainly generate code faster, but so too will they increase the speed of technical security debt.

Even our preliminary test with ChatGPT in April revealed it will generate very basic mistakes that could have devastating consequences. When we asked it to build a login routine in PHP using a MySQL database, functional code was generated quickly. However, it defaulted to storing passwords in plaintext in a database, storing database connection credentials in code, and using a coding pattern that could result in SQL injection (although, it did do some level of filtering on the input parameters and spitting out database errors). All rookie errors by any measure:

    

Source: Pieter Danhieux and Matias Madou

Further prompting ensured the mistakes were amended, but it takes significant security knowledge to course-correct. Unchecked and widespread use of these tools is no better than unleashing junior developers onto your projects, and if this code is building sensitive infrastructure or processing personal data, then we're looking at a ticking time bomb.

Of course, just like junior developers undoubtedly increase their skills over time, we expect AI/ML capabilities to improve. A year from now, it may not make such obvious and simple security mistakes. However, that will have the effect of dramatically increasing the security skill required to track down the more serious, hidden, non-trivial security errors it will still be in danger of producing.

**We Remain Ill-Prepared to Find and Fix Security Vulnerabilities, and AI Widens the Gap**

While there has been much talk of "shifting left" for many years, the fact remains that, for most organizations, there is a significant lack of practical security knowledge among the development cohort, and we must work harder to provide the right-fit tools and education to help them on their way.

As it stands, we're not prepared for the security bugs we already encounter, not to mention the new AI-borne issues like prompt injection and hallucination squatting that represent entirely new attack vectors that are set to take off like wildfire. AI coding tools do represent the future of a developer's coding arsenal, but the education to wield these productivity weapons safely must come now.

When It Comes to Secure Coding, ChatGPT Is Quintessentially Human

A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Source

DARKReading