Scammers are setting out lures for people looking for work. If a position sounds too good to be true, it probably is.

The economic downturn is already a devastating blow to job seekers everywhere. Now scammers are taking advantage of the situation by ramping up their methods of swindling people.

Job scamming is a threat to job seekers all over the world. For example, the Better Business Bureau (BBB) reported an increase in job scam complaints in the United States and Canada in the past several years. Singapore job seekers lost $660 million SGD ($495 million USD) in 2022 alone. And in the UK, 10,000 people were approached on LinkedIn and Facebook by "foreign spies and malicious actors" to steal information.

Phishing attacks and malware are the primary methods of scamming job seekers, according to a February Trellix report. Scammers create fake websites, often employing typosquatting. A fake site uses a real name like Indeed that's slightly misspelled (such as "Indeeed") or extends the URL in hopes the job seeker will not notice the base domain name. These sites appear legitimate but are used to steal passwords and financial information.

Another method of stealing sensitive information is to ask a job seeker to download a file or click on a link that contains malware. Some of the malware Trellix identified include the Trojans Emotet, Cryxos, and Agent Tesla.

Gabriel Friedlander, founder of security training site Wizer, says these job opportunities offer great pay and remote work flexibility as a lure to steal Social Security numbers or send fake checks for equipment purchases to get that person's bank information.

**Who's Most Vulnerable**

Job scams can affect people of any gender, race, ethnicity, or age. Because many people seek employment quickly to prevent income gaps, they may have their guards down and be more prone to being scammed.

Similar to a romance scam, people become emotionally invested in finding the right job, says Roger Grimes, KnowBe4's data-driven defense evangelist. Even those trained to seek out scammers can get caught up in a scheme, he ads.

"It's just human behavior," Grimes says. "We want to trust people, and you start to give them the benefit of the doubt."

**How to Fight Off Scams**

Legitimate job companies will never ask for money to purchase equipment, training, or background checks. Always be skeptical of companies like these, and you're far less likely to be scammed.

If things are moving too fast, it's most likely a fake job. Most jobs aren't offered after just one remote interview. Also, be wary of companies that want to move conversations outside of typical platforms like LinkedIn.

"Be reasonable," Friedlander says. "Does this job make sense? Is this too good to be true? Here's the thing with scammers, in general: Their problem is time. They have to close the deal fast. Everything is just rapidly happening because they have to close before they get detected."

The BBB recommends calling or going directly to a company website, especially if the job description is vague. Other tips include not clicking any links, downloading any files, calling numbers, or replying to email addresses that are given.

LinkedIn is rolling out new measures to ensure people are who they say they are. However, one of the verification tools requests government identification. This can be problematic for some people, including transgender or nonbinary individuals who have changed their names but are unable to do so on official documents.

**Learn From the Experience**

Once a job seeker has been scammed, they are less likely to keep pursuing job opportunities, one study noted. They tend to blame themselves or their lack of savviness to detect scams.

"The people that I've talked to that had been scammed, they feel utterly broken," Grimes says. "It can be really tough on them, just because they were trusting people."

Job seekers should stay guarded to ensure they aren't scammed again. But instead of being discouraged, they should use this to drive them forward in their job search.

"Once you know the magic, then you can't unsee it," Friedlander says. "That's all it is. You just need to be aware of the trick."

Job Seekers, Look Out for Job Scams

Under construction: The world's leading ransomware gang is workshopping ransomware for less obvious systems beyond Windows environments. Experts weigh in on how worried we should be.

The LockBit gang is building ransomware for new architectures, forgoing Windows and potentially posing entirely new problems for their victims along the way.

In a blog published June 22, researchers from Kaspersky describe having "stumbled on" a .ZIP file with a trove of LockBit malware samples inside. The samples appear to have derived from LockBit's previous encryptor variations targeting VMWare ESXi hypervisors.

The samples targeted FreeBSD and Linux — a growing trend among ransomware actors — plus various embedded technologies, including instruction set architecture (ISA) firmware for CPUs, like ARM, MIPS, ESA/390, and PowerPC, as well as Apple M1, an ARM-based system-on-chip (SoC) used in Mac and iPad devices.

The samples were clearly a work in progress, Kaspersky noted, since "for instance, the macOS sample was unsigned, so it could not be executed as is. Also, the string encryption method was simple: one-byte XOR."

Should they eventually make it to the wild, however, these new ransomware variants could prove useful to LockBit as it tries to stay relevant, says Jason Baker, threat intelligence analyst at GuidePoint Security. "In an increasingly crowded RaaS marketplace competing for talent and targets, this kind of differentiating behavior may ultimately benefit LockBit despite the additional costs and lower volume of targets."

**Can LockBit Deliver Embedded Ransomware?**

Especially after the breakup of Conti, LockBit arguably took up the mantle as the world's premier ransomware gang. Last month brought a notable decline in its activity, however. While the ransomware industry rose as a whole, LockBit claimed 30% fewer victims than the month prior.

Perhaps, in retrospect, it was dedicating extra time and resources to developing its new malware. Or, perhaps, the new malware is a response to its decline.

Either way, its new direction is a cause for concern for defenders. Security analysts already raised the alarm on Android SoCs in 2021, Apple M1 in 2022, and multiple vulnerabilities in popular AMI SoCs were revealed earlier this year.

"We're seeing increased reporting lately related to embedded devices being used for persistence," reports Adam Pennington, project leader for MITRE, though major attacks have not yet been demonstrated in the wild.

LockBit will face hurdles in breaking through this glass ceiling, explains Callie Guenther, cyber threat research senior manager at Critical Start. "Unlike traditional operating systems, embedded systems and IoT devices often have resource constraints, limited processing power, and specific hardware configurations. Ransomware designed for SoCs needs to be tailored to these limitations and adapted to the specialized environment," she points out.

"Furthermore," she continues, "SoCs often run specialized firmware or customized operating systems, which may require a different approach in terms of payload delivery, execution, and evasion techniques. Ransomware targeting SoCs may need to exploit specific vulnerabilities or weaknesses within the firmware or system architecture to gain control over the device and encrypt its data."

Baker speculates that the challenge may be part of the appeal for LockBit. "The most likely reason to target SoCs that are not being targeted by other groups, such as Apple silicon, is for the sake of brand strength and prestige. Larger, more advanced groups such as LockBit have the in-house expertise and resources to throw at this problem set, and developing a unique capability not available elsewhere would continue to highlight the group as a pioneer in the ransomware-as-a-service (RaaS) ecosystem," he says.

**Why Embedded Malware Is Difficult to Excise**

The reason to worry about ransomware for embedded technologies, Pennington explains, isn't merely that it's new and uncharted. It's also that these technologies are easier to overlook and sometimes harder to protect.

"Most enterprises heavily focus their security efforts on Windows, despite various other server and embedded operating systems occupying the exact same networks. Among other reasons, targeting these alternate platforms can be a really effective way to evade existing defenses," Pennington assesses.

He poses a scenario where "a ransomware or other actor infects a network, defenders clean up the type of systems where they have visibility and tools to see and manage systems, and then they discover months later that an implant has been left behind on something like a Linux-based security camera running on one of these other architectures."

To prevent attackers gaining this upper hand, Pennington says, "organizations need to consider a diverse set of operating systems and architectures when they secure themselves, and not just their Windows systems."

"Nearly everyone is running some number of systems with these types of OSs and chips," he emphasizes, "even if they don't realize it."

LockBit Developing Ransomware for Apple M1 Chips, Embedded Systems

Software-as-a-service has its benefits, but abandoned SaaS integrations and idle data sharing introduce risk to the enterprise.

Macro trends such as the shift to cloud services, a growing remote (or hybrid) workforce, and heavy reliance on third-party partners and contractors mean organizations are working with more software-as-a-service (SaaS) applications than ever. It also means that attackers are taking advantage of the ubiquity of SaaS as they target insecure default configurations and weakly secured identities.

Over the past year, attackers have attempted to intercept OAuth tokens, bypass multifactor authentication schemes, and exploit misconfigured systems and applications to gain unauthorized access to business-critical applications, such as GitHub, Microsoft 365, Google Workspace, Slack, and Okta — to name a few.

In the new "2023 State of SaaS Security" report, researchers from Valence Threat Labs identified various ways SaaS usage exposes organizations to attack. The report findings are based on organizations that have deployed Valence Security’s SaaS security platform.

The upshot? Organizations have to do a better job of tracking abandoned applications, files, and user accounts.

*   Over half — 51% — of an organization's SaaS third-party integrations are inactive.
*   Most — 90% — of an average organization's shared assets (files and folders shared with external collaborators) have not been accessed for at least 90 days.
*   On average, 1 in 8 employee accounts are dormant (with the user no longer with the company, for example).
*   On average, 10% of an organization's shared integrations and data belong to ex-employees.

**More SaaS = More Risk**

SaaS has also evolved to be an ecosystem of interconnected applications sharing data and identities; they are no longer standalone single-function applications. But all of that integration is a problem because applications have too many privileges, and data sharing is out of control.

*   100% of organizations grant full read/write access to email, files, and calendar to at least one third-party tool or service.
*   There are 21 integrations per organization with tenant-wide access to company and employee data.
*   Files are shared with personal accounts 30% of the time.
*   There are 54 shared resources (files, folders, SharePoint sites) per employee, and 193,000 shared resources per company, on average. Most are sitting idle.

SaaS has its benefits, but abandoned SaaS integrations and idle data sharing introduce risk to the enterprise. Organizations should regularly remove unused integrations and revoke sharing to reduce the attack surface. Data shares should be automatically revoked after a certain time period (such as 30 days), and user accounts should be deactivated when they leave the company. Life cycle management is critical to ensure that existing business processes are not impacted when an employee leaves the company and that their account gets deactivated, the report states.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Growing SaaS Usage Means Larger Attack Surface

Acquisition of NetSpyGlass extends Airgap Zero Trust Firewall™ innovation leadership with advanced network and asset intelligence for business-critical networks.

**SAN JOSE, Calif.****,** **June 21, 2023** **/PRNewswire/ --** Airgap Networks, the innovation leader in cybersecurity solutions for business-critical networks, has announced the acquisition of NetSpyGlass, an innovative network and asset intelligence solution provider.

The award-winning Airgap Zero Trust Firewall defends business critical infrastructure and secures core networks by providing identity, agentless microsegmentation, and secure access for every connected endpoint. Integrating the NetSpyGlass suite of asset intelligence capabilities into the Airgap architecture enables Airgap ZTFW™ customers to better detect, locate, and contain device anomalies in real time.

Improved visibility into core networks with diverse topologies and comprehensive asset discovery equips the Airgap Zero Trust Firewall with detailed insights into device status, attributes, and interactions. With this acquisition, Airgap empowers customers with data-driven decisions and a proactive response to potential risks and vulnerabilities in business-critical networks.

_"The acquisition of NetSpyGlass by Airgap Networks marks a crucial step forward in delivering an intelligent and innovative cybersecurity architecture to secure core networks and safeguard critical infrastructure,"_ said NetSpyGlass CEO and Co-Founder, Shyam Davuluru.

With an evolving threat landscape increasingly targeting business-critical assets, enterprises are struggling now more than ever to secure their real-world business networks.

"_The greater the accuracy of asset discovery in these systems, the shorter the response time,_" said the CEO and Co-Founder of Airgap Networks, Ritesh Agrawal. "_With the addition of NetSpyGlass, the Airgap ZTFW offers businesses the steering wheel to drive trust out of their core network at speed and scale. It's a game-changer for securing business-critical networks."_

**About Airgap**

Founded in 2019 and headquartered in Santa Clara, California, Airgap is the innovation leader in delivering network security for business-critical infrastructure. Airgap shrinks attacks surface, secures access to critical devices, and accurately discovers all assets in your environment. Airgap deploys in hours, is pay as you grow, and is trusted by the Global 500 to protect their most business-critical networks and assets.

For more information about how Airgap can help you improve security for your business-critical networks and devices, please visit us at www.airgap.io

Contact: Spring Sanchez, \[email protected\]

SOURCE Airgap Networks Inc.

Airgap Networks Acquires NetSpyGlass

Cybersecurity expert and proven entrepreneur to help protective DNS leader drive vision and scale through hypergrowth.

**WASHINGTON--(****BUSINESS WIRE****) --** DNSFilter today announced that Jon Oberheide, former Duo Security co-founder and CTO, has joined the company's board of directors. A strategic appointment to the board, Oberheide will support the company as it continues its mission to make the internet more secure via DNS, with a specific focus on long-term strategy and supporting scale through hypergrowth.

"DNSFilter has an incredible founding team, great chemistry, and proven technology—all things I look for when joining a board," said Oberheide. "And unlike other buzzy, flash-in-the-pan security acronyms, DNSFilter provides fundamental security controls that are easy to deploy and accessible to organizations of all sizes, from small businesses to larger Fortune 500 corporations. I'm excited to join the team and for the opportunity to help scale the company to new heights."

DNSFilter delivers Protective DNS and content filtering solutions powered by Machine Learning. The offering protects organizations from phishing, malware, and other advanced internet-based threats.

The appointment comes at a time of rapid growth and recognition for DNSFilter. The company has grown roughly 250% since January 2021, and now supports more than 26 million monthly users and over 2 trillion monthly DNS queries.

Last year, the company was highlighted as one of the most innovative and compelling technologies to address cybersecurity threats and vulnerabilities through the SINET16 Innovator award. DNSFilter was also named a 2022 Black Unicorn Award winner, which honors cybersecurity companies predicted to be worth $1 billion in market value in three to five years. In 2022, the company also acquired firewall and VPN platform provider Guardian to more effectively protect users information and secure organizations against web-based threats.

"As someone who has scaled a cyber company, I’m happy to have Jon in our corner to give us guidance as we continue to grow and build our offering," said Ken Carnesi, CEO, DNSFilter. "He's a proven entrepreneur that puts in time with the companies he advises, shares lessons learned, and offers prescriptive advice on getting to the next level. We're honored to have him on our board sharing strategic advice for our next stage of growth."

Oberheide is a board member, advisor, and investor focused on cybersecurity and enterprise SaaS companies. In 2009, he co-founded Duo Security, serving as the CTO. Cisco acquired the company for $2.35 billion in 2018. Over its 12-year journey, Duo Security scaled from zero to 30,000 customers, $500 million ARR and over one thousand full-time employees. Prior, Oberheide was a security researcher. He completed his bachelor's, master's and doctorate in cybersecurity from the University of Michigan.

To learn more about DNSFilter, visit https://www.dnsfilter.com/.

**About DNSFilter**

DNSFilter is redefining how organizations secure their largest threat vector: the Internet itself. DNSFilter is making the internet safer and workplaces more productive. In 2022 the threat protection leader blocked 9.1 billion threats, more than any other threat detection software globally. With 70% of attacks involving the Domain Name System (DNS) layer, DNSFilter provides Protective DNS powered by machine learning that uniquely identifies 61% more threats than competitors on an average of seven days earlier, including zero-day attacks.

Over 26 million monthly users trust DNSFilter to protect them from phishing, malware, and advanced cyber threats. DNSFilter’s brands include Webshrinker, it’s next generation web categorization software and Guardian, a consumer app focused on privacy protection. DNSFilter.com

Former Duo Security Co-Founder Jon Oberheide Joins DNSFilter Board of Directors

Full-cycle verification platform enhances its facial biometrics verification with innovative deepfake detection technology; shares new 2023 identity fraud trends.

**MIAMI****,** **June 22, 2023** **/PRNewswire/ --** Sumsub, the global verification platform providing customizable KYC, KYB, transaction monitoring, and AML solutions for the whole customer journey, today announces the launch of its enhanced deepfakes detection technology into Sumsub's liveness and deepfake detection solution.

According to Sumsub reports, **the number of deepfakes detected in Q1 2023 was 10% greater than all of 2022 combined**. Responding to this growing threat of identity fraud, the company made major updates to its in-house liveness solution – a facial biometrics tool and integral part of KYC flow for businesses. Now, the deepfake frauddetector integrates into Sumsub's liveness solution and is enhanced to align with the latest AI technology, making sure no fraudster passes the check.

_"We noticed the emerging deepfake trend long ago and started building solutions to fight this rapidly evolving type of_ fraud_," said_ **Vyacheslav Zholudev, co-founder and CTO of Sumsub**_. "As an anti-_fraud _provider, Sumsub strives to stay ahead of the game. We continuously develop innovative_ fraud _detection solutions to combat the advancing malicious technologies and prevent the potentially high damage to digital platforms, people, and communities. Our new advanced deepfake detector reinforces our core KYC product and commitment to further enhancing the AI-driven technologies built into our anti-_fraud_solution."_

Sumsub's proprietary liveness technology easily detects spoofing attempts while authenticating real users in seconds. The system ensures users are physically present by creating a 3D FaceMap which is continuously referenced for authorizing all future actions (transactions, logins, etc).

All businesses operating online are vulnerable to deepfakes, with fintech, payments, crypto, and gambling platforms at high risk. Sumsub's internal identity fraud statistics show deepfakes continuously replace 'simple' kinds of identity fraud, such as document printouts. The data also revealed:

*   In 2022, the leader in deepfake fraud was Spain with **49.7% of all global cases**, followed by Great Britain (9.3%), and the U.S. (4.2%).
*   In Q1 2023, the most deepfakes came from Great Britain and Spain with 11.8% and 11.2% of **global deepfake** fraud, respectively.

*   Followed by Germany (6.7%), and the Netherlands (4.7%).
*   The U.S. held 5th place, representing 4.3% of global deepfake fraud cases.

*   From 2022 to Q1 2023, **the proportion of deepfakes among all** fraud **types** increased in Canada by 4,500%, the U.S. by 1,200%, Germany by 407%, and the UK by 392%\*.
*   Last quarter, a high **proportion of deepfakes among all** fraud **types** was also noticed in Australia (5.3%), Argentina(5.1%), and China (4.9%).

_"As we face the ever-evolving trends in generative AI and AI-driven_ fraud_, we anticipate AI technologies to develop quickly, and more sophisticated_ fraud _to emerge, affecting even more industries. The use of synthetic_ fraud _is rising at an alarming rate and leading to the rapid spread of misinformation, as recently seen with the fake images of the explosion at the Pentagon, resulting in significant media hype. As AI advances, more tools become available to fraudsters, and Sumsub is here to fight all kinds of synthetic_ fraud_. Our team is working on a solution to detect a large scope of AI-generated_ fraud _beyond deepfakes,_" says **Pavel Goldman-Kalaydin, Head of AI/ML at Sumsub**.

To learn more about Sumsub's deepfake detection technology please visit: https://sumsub.com/blog/liveness-and-deepfake-detection/

**About** **Sumsub**

Sumsub is a full-cycle verification platform that secures the whole user journey. With Sumsub's customizable KYC, KYB, transaction monitoring and fraud prevention solutions, you can orchestrate your verification process, welcome more customers worldwide, meet compliance requirements, reduce costs and protect your business.

Sumsub has over 2,000 clients across the fintech, crypto, transportation, trading, e-commerce and gaming industries including Binance, Mercuryo, Bybit, Huobi, Unlimint, DiDi, Poppy, and TransferGo.

Sumsub Launches Advanced Deepfakes Detector

Award-winning XEM platform introduces advanced SBOM capabilities, expanded ARM support, and additional Risk & Compliance improvements.

Tanium, the industry’s only provider of converged endpoint management (XEM), today released major enhancements to the Tanium Software Bill of Materials (SBOM) that now include Common Vulnerability and Exposures (CVE) information. Tanium's SBOM identifies software components on endpoints, including open-source software embedded in libraries within native and third-party software, enabling organizations to prioritize and remediate software supply chain risks with unmatched speed and scale. In addition to several new Risk & Compliance features, Tanium also announced the expansion of support for ARM-Based endpoints to help IT teams minimize blind spots and drastically reduce the need for separate endpoint tools. 

Software supply chain attacks continue to spike due in part to the increasing reliance of organizations on numerous third-party suppliers and service providers. To keep a firm pulse on the threats facing today's most vulnerable and highly targeted organizations, Tanium has added SBOM to its Vulnerability Management solution to find, prioritize, and remediate emerging and zero-day vulnerabilities in the software components of applications, including open-source software embedded within application libraries, across all endpoints. 

"Over ninety-two percent of applications contain open-source libraries that may contain hidden vulnerabilities like Log4j, OpenSSL, or Struts, which are exploited by attackers," said Nic Surpatanu, chief product officer, Tanium. "Federal agencies, cyber insurance providers, and other organizations are increasingly requiring an SBOM for all utilized software. Tanium SBOM is the only solution on the market that allows organizations to identify and remediate software supply chain vulnerabilities in production. This empowers DevOps and SecOps to identify and mitigate risks across development, staging, and production environments."

In addition to confronting threats introduced by reliance on open-source software, today’s organizations also grapple with continually evolving processor architecture. In fact, the use of ARM-based servers grew sevenfold between 2019 and 2022 and ARM-based computers are expected to make up thirty percent of all personal computers by 2026. In 2022, Tanium rolled out support for endpoints running ARM-based processors from Apple and Amazon. With an eye towards futureproofing, Tanium has expanded its support to additional ARM-based endpoints running Oracle Linux, RedHat, and Windows 11. 

"We expect the use of ARM-based processors to continue to grow for the foreseeable future due to its better performance and lower energy usage compared to x86-based processors," said Vivek Bhandari, VP, product marketing at Tanium. "With these enhancements, Tanium continues to empower customers to find and bring missing endpoints under management and move away from point solutions towards a single, unified platform."

Today's announcement also coincides with a host of new Risk & Compliance enhancements that will amplify the efficiency and efficacy of vulnerability and risk management programs, while also reducing the need for disparate point solutions. These include:  

*   ESXi Support: New compliance and vulnerability assessments of ESX and ESXi hypervisors via vCenter APIs empower security teams to view and perform risk assessments on all virtual servers efficiently 
*   CISA Known Exploits and Vulnerabilities (KEV): Tanium’s vulnerability assessments now include CISA KEV information on the most dangerous and active exploits, eliminating the need for manual analysis, instantly prioritizing high-risk CVEs for remediation with its integrated remediation options.  
*   Exception Management: Tanium’s Risk and Compliance solution offers the ability to create exceptions for compliance and vulnerability findings with valid reason or expiration date, enabling organizations to focus on areas that need immediate attention.  
*   Benchmark Enhancements: A new page within Tanium Benchmark allows customers to quickly visualize the health of their key operations and security metrics.  

As organizations continue to embrace digital transformation, comprehensive endpoint visibility, control, and remediation at scale and in real-time are crucial to mitigate risks from cyber threats of today – and tomorrow. To learn more about these enhancements, join the Tanium Innovation and Technology Update Wednesday, June 28, 2023, 11:00 – 11:30 am PT. Register today.

Tanium Platform Advances Threat Identification Capabilities and Enhances Endpoint Reach

Small and midsized companies work to jettison some security tools to simplify operations and reduce cost, even as any economic downturn continues to remain at bay.

Enterprises are not the only organizations looking to consolidate their security tools and vendors in the face of a potential economic slowdown — small and midsized businesses are looking to reduce their costs and simplify their security as well.

The vast majority (86%) of SMB customers using managed security service providers (MSSPs), for example, are aiming to reduce their current portfolio of security tools, according to a survey published this week by OpenText. The majority of those businesses are driven primarily by an effort to reduce costs (28%) or to simplify complex security environments (26%), the survey found.

Consolidation does not just benefit the company, but can help the provider of security services as well, says Geoff Bibby, senior vice president at OpenText Cybersecurity, a cybersecurity conglomerate.

"Consolidation is two-fold," he says. "Businesses are going to service providers because they don't have the staffing or financial resources to purchase and manage multiple tools, and from the service-provider perspective, fewer tools — and fewer vendors — means simplified billing and greater ease of doing business."

Consolidation of vendors has become a major trend following the rush to adapt to the pandemic-era business landscape by moving more services to the cloud. By mid-2022 — when 83% of companies predicted a downturn in the coming year — three-quarters of companies planned to reduce the number of security vendors they used, up from 29% in 2020. The top strategies explored by companies were reducing non-essential spending (43%), re-evaluating vendors (30%), and decommissioning infrastructure (29%), according to Spiceworks Ziff Davis's "2023 State of IT" report.

Efforts to cut costs remain strong, despite a reprieve in the dark economic forecast. A majority of economists (59%) polled in May still predict that the US would enter a recession in the next 12 months, but poor-performance predictions have remained unfulfilled as employment numbers and the stock market continue to resist a downturn.

"This is the most anticipated recession that won't ever seem to arrive, and all of the data indicates that it might never arrive because none of the factors for recession seem to be there," says Jeff Pollard, vice president and principal analyst at market intelligence firm Forrester Research.

**Optimizing Vendors and Security Services**

Yet while economic risks certainly spurred concerns over IT and IT-security budgets, initiatives to both simplify and reduce the cost of security operations inside companies has a life of its own, Pollard says.

"If you go back ... to the heady days of growth just nine months ago or so, what I was consistently hearing from security leaders was: too many tools, too many products," he says. "And it wasn't based on an economic argument. It was based on simplification of technology and portfolio rationalization — they felt like they had too many security controls and too many security products."

Business intelligence firm Gartner sees a similar picture. Most midsized enterprises (MSEs) — firms with $50 million to $1 billion in revenue and up to 2,500 employees — are looking to reduce the number of vendors, but rather than focus on consolidation, the companies are looking to optimize their security operations, says Patrick Long, an analyst with Gartner.

Such optimization generally focuses on two approaches. Outsourcing to service providers allows companies to overcome a shortage of security workers, because there are currently 21 IT employees for every security-focused employee, he says. Another form of consolidating is through the products, adopting all-in-one suites from a single vendor, which helps reduce licensing costs and can result in more holistic security capabilities, he says.

Currently, two-thirds of MSEs (68%) are pursuing security-vendor reduction strategies, while the remaining third have delayed consolidation but will likely simplify their security within the next three years, Long says.

"They are optimizing their architecture and integration strategies, vendor management, workforce management, and their costs," he says, adding that "current economic conditions influence security vendor consolidation but is not the primary driver for consolidation."

**Integration Still a High Hurdle**

Reducing the number of security products is not easy. Licensing can often become a blocker, especially if a company signed long contract periods, and products from the same vendors do not always have seamless integration, says Forrester's Pollard. In addition, any adoption of an integrated product will require a security team to learn the new system, so efficiency gains can take a while to materialize, he says.

"When you buy a bundle and consolidate, in theory, the product will integrate well, but what I really hear from a lot of security leaders is that the cost savings, frankly, doesn't often materialize," Pollard says. "Because what you wind up having to do is learn a new product, a new solution, and people have to get trained on it, so you have to modify your processes."

Yet companies are making headway. Overall, companies that pursue consolidation have seen IT security costs decrease by more than 2%, with data security costs reduced by a quarter and identity management shrink by more than a third, says Ben Pippenger, chief strategy officer at Zylo, a SaaS management platform.

"There tends to be some redundancy within security categories," he says, pointing out the cloud identity and access management are among the top-15 most redundant software functions, with nearly five applications handling that capability in the average company.

"While security is an important business function, it's one that could still likely benefit from consolidation," he says.

Even With No Recession, Smaller Firms Aim to Consolidate Security Tools

The announcement was posted on Twitter via the Rewards for Justice Twitter account, alongside encrypted messaging system options for anyone to get into contact should they have viable information.

The Cybersecurity and Infrastructure Security Agency (CISA) has teamed up with the FBI to offer a $10 million reward to anyone that can offer intelligence on the Cl0p ransomware gang.

The group, a Russian gang that extorts its victims with threats of publishing private data, has racked up hundreds of victims, including agencies within the United States government itself, most recently exploiting various MOVEit vulnerabilities such as CVE-2023-35708, CVE-2023-34362, and CVE-2023-35036.

In a tweet posted by the US Department of State's "Rewards for Justice" program, the feds announced the award, stating "Do you have info linking Cl0p ransomware gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government? Send us a tip. You could be eligible for a reward." 

In addition, the image posted in the tweet reads, "Reward up to $10 million. For information on the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act. Send us your information on Signal, Telegram, WhatsApp, or via our Tor-based tip line below."

Due to the nature of the cybercrime gang and the possibility of retaliation should anyone come forward with information regarding the group, all messaging systems that the US State Department suggests in the tweet are encrypted. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA, FBI Offer $10M for Cl0p Ransomware Gang Information

The "nOAuth" attack allows cross-platform spoofing and full account takeovers, and enterprises need to remediate the issue immediately, researchers warn.

Organizations that have implemented the "Log in with Microsoft" feature in their Microsoft Azure Active Directory environments could potentially be vulnerable to an authentication bypass that opens the door to online and cloud account takeovers.

According to researchers at Descope, who dubbed the attack "nOAuth," the issue is an authentication implementation flaw that affects multitenant OAuth applications in Azure AD, Microsoft's cloud-based identity and access management service. A successful attack gives a bad actor full run of a victim's accounts, with the ability to establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.

"OAuth and OpenID Connect are open, popular standards which millions of Web properties already use," says Omer Cohen, CISO at Descope. "If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."

**Inside the nOAuth Cyberattack Threat**

By way of background, OAuth is an open, token-based authorization framework that allows users to log into applications automatically, based on previous authentication to another trusted app. This is familiar to most people from the "Log in with Facebook" or "Log in with Google" options available on many e-commerce websites.

In the Azure AD environment, OAuth is used to help manage user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications using OAuth apps.

"Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols," according to the Descope analysis. In other words, it holds the keys to a lot of important corporate data.

The weakness allows bad actors to perform cross-platform spoofing simply by using an unwitting victim's email address to impersonate them, according to Descope's analysis on the issue, released this week.

"In usual OAuth and OpenID Connect implementations, the user’s email address is used as the unique identifier by applications," explained researchers at Descope. "However, in Microsoft Azure AD, the 'email' claim returned is mutable and unverified, so it cannot be trusted."

That means that anyone with malicious intent and a decent amount of platform knowledge can simply set up an Azure AD account, and arbitrarily change the email attribute under "Contact Information" in that account to control the email authentication claim.

"\[This\] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate," the researchers explained. "They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication."

The attack flow is unnervingly simple:

1.  The attackers accesses their Azure AD account as an administrator.
2.  The attackers change the "email" attribute of their account used for authentication to the victim’s email address.
3.  Since Microsoft does not require the email change to be validated on Azure AD, the system merges the two accounts and gives the attackers access to the victim's environment.

**A Far-Ranging Authentication Weakness**

To better understand the scope of the problem, the Descope researchers created a nOAuth proof-of-concept (PoC) exploit and tested it "with a white-hat attack on hundreds of websites and applications to check if any of them were vulnerable," they said. "We found that quite a few of them were."

Amid the sitting ducks were a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, as well as several SMBs and early-stage startups.

"We also informed two authentication platform providers that were merging user accounts when 'Log in with Microsoft' was used on an existing user account," according to the report. "In this instance, merging the attacker account with a legitimate user account would hand full control over the user account to the attacker. As a result, all of their customers using 'Log in with Microsoft' would have been vulnerable."

These findings, according to the researchers, "are a drop in the ocean of the Internet," and there are likely many, many thousands of other users that could be affected.

Microsoft has always issued general guidance to users to not to use an email address as a unique identifier for authentication, but after Descope informed Microsoft of the breadth of the issue, the computing giant has revamped its Azure AD OAuth implementation guidance to include two new claims to use, and dedicated sections on claim verification.

"If your app uses 'Log in with Microsoft' and you handle authentication in-house, it’s critical that you check if you use the email claim returned by Azure AD as the unique identifier," Cohen notes. "If so, remediation steps should be taken to ensure the claim used as the unique identifier for the user is the 'sub' (Subject) claim to avoid potential exploitation."

**Incorrect OAuth Implementations Plague Businesses**

Incorrect implementations of OAuth have been coming to light at big businesses lately, showcasing a need for organizations to lock down this potentially damaging attack vector.

In March, for instance, flaws in the authorization system of the Booking.com website came to light that could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.

And in May, a bug tracked as CVE-2023-28131 was found in the OAuth implementation of Expo, an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase. The flaw threatened the accounts of any users that used various and social media accounts to log in to an online service that uses the framework.

Cohen underscores that the OAuth standard and others like it are trustworthy and strong authentication approaches but that businesses need to make sure to work with cybersecurity and authentication experts when building them in.

"These standards are extremely complicated to work with," he says. "Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application."

He adds, "If businesses chose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."

He stresses that the importance of this can't be understated, given that cybercriminals are actively looking for these types of weaknesses.

"These are very typical attack vectors exploited," Cohen notes. "Attackers use these to cause widespread harm."

He adds, "With the increase of organizations adopting cloud technologies and SaaS applications, identity is the new firewall. If user authentication is not well-designed, it doesn’t matter how secure the application is itself as you will leave the front door open to cyberattacks."

Source

DARKReading