An analysis of trillions of DNS requests shows a shocking amount of malicious traffic inside enterprise networks, with threats using DNS as a sort of malicious Autobahn.

The Internet's domain name system (DNS) has become a superhighway of sorts for threat actors, with one in six organizations experiencing malicious network traffic in the form of either malware such as Emotet, phishing attacks, or command-and-control (C2) activity in an given quarter, researchers have found.

Researchers from Akamai looked at data from more than than 7 trillion daily DNS requests to examine how threat actors are leveraging the servers and devices enterprises use to manage these requests to conduct their nefarious activity.

What they found is that attackers are zooming in and out of networks via DNS at an alarming frequency, with between 23% and 27% of organizations experiencing at least one instance in which C2 traffic was observed traveling out of their network in any given quarter, the Akamai researchers said in a report published today.

This traffic provides "a very accurate predictor for attacks in progress, and can provide a very accurate image of the threat landscape," says Eliad Kimhy, cybersecurity research team lead at Akamai.

Moreover, much of this traffic is occurring in real time, making it harder for the enterprise to defend against it, he adds.

"Attackers are increasingly operating with a 'hands on keyboard' philosophy, giving the job of hacking an organization to a live operator," Kimhy says. "This is going to make detecting and stopping C2 traffic a crucial aspect of an organization's security, and we will likely see this play an ever-growing role in the modern attack."

**Emotet, QSnatch & the Current State of Attacks**

The Akamai researchers reported a range of findings about not only how attackers are using DNS, but what type of attacks and malware are most prevalent in their observations. One of the most interesting was that the stalwart threat Emotet, which resurfaced recently after a brief hiatus, is not only back, but back with a vengeance.

"It is prevalent and seems to conduct massive campaigns to try and breach organizations," Kimhy says.

The researchers observed one "massive campaign" last year, and it appears that the threat group is ramping up for another, he says. "This is a very difficult group to contend with, as it specializes in breaching and selling access to more dangerous groups, like ransomware groups," Kimhy notes.

Moreover, this resurgence of Emotet is a good indicator that more attacks — potentially from ransomware groups — are on the horizon, as the malware is often used as an initial access to networks, he says.

In fact, the researchers found that 9% of infected network devices that they observed reaching out to C2s accessed domains associated with ransomware-as-a-service (RaaS) group, demonstrating the continued risk from ransomware attacks with business-crippling consequences — including remediation and recovery costs, legal fees, fines, downtime resulting in loss of productivity, and brand and reputation damages — for the enterprise.

Attackers also are increasingly finding their way into organizations' networks via network-attached storage (NAS) devices on the back of the botnet QSnatch, with more than a third of affected devices that researchers observed showing traffic leading to C2 domains related to this threat, the researchers found.

These devices can represent "a huge threat surface" if they're not well-secured, as organizations often use NAS devices for backups and the storage of crucial data, according to Akamai.

"Finding yourself in a position where your data is stolen or backups are deleted in support of a ransomware attack can be a terrible position to be in," Kimhy says.

In terms of which types of organizations attackers go after using DNS, the researchers found that manufacturing, business services, and retail are facing the highest risk, though no industry is safe from imminent attack.

**How Cyber Defenders Can Protect Against DNS Threats**

Given the insight about the current malicious activity hitching a ride into enterprise networks via DNS, security administrators can now arm themselves against the most prevalent threats targeting their networks. One way to do this is to conduct gap assessments and close those gaps where necessary, the researchers said.

Overall, given the current threat landscape, knowledge is power, Kimhy says. "Security teams need to know who’s on the other side of the attack — and which groups put their organization at risk — in order for them to be able to defend," he says.

Moreover, the "broken record" advice of adopting a "zero trust" mentality continues to ring true, with the deployment of "products that specialize in stopping an attack that has gone past the perimeter" — such as endpoint detection and response (EDR), microsegmentation, and secure Web gateways (SWGs) — offering particular advantage in defending against the current threat landscape, the researchers said.

Given the advanced threat posed to NAS devices, the Akamai researchers also recommended that organizations ensure any that companies have on their network be securely nailed down. "It is strongly advised that security teams ensure their NAS devices are up to date," Kimhy says "and properly secured via segmentation, or other appropriate tools."

Emotet, QSnatch Malware Dominate Malicious DNS Traffic

Only by working collaboratively can boards and security leaders make progress and agree about cybersecurity threats and priorities.

As leaders responsible for prioritizing their organizations' goals, board members must push the cybersecurity agenda forward. Yet new research shows healthcare boards are far behind their peers in making cybersecurity a priority and understanding cyber-risks, despite the potentially severe consequences to patient safety and care.

"Cybersecurity: The 2022 Board Perspective," a new global report from Proofpoint and Cybersecurity at MIT Sloan, found that cybersecurity is much lower on healthcare boards' agendas compared with other sectors. Although 77% of the 600 board members surveyed suggested cybersecurity is a top priority for their organizations, only 59% of healthcare directors concurred.

The report also found that only 61% of healthcare boardrooms discuss the topic at least monthly (versus 75% across all sectors), and only 64% believe they have invested adequately in cybersecurity (versus 76% for all sectors).

The future appears just as bleak. While 87% of participants expected to see their cybersecurity budgets increase in the next 12 months, only 77% of healthcare board members share this belief.

****Healthcare Boards Need Better Focus on Cyber-Risks****

What makes these findings more alarming is the contrast between healthcare boards' opinions about their cyber preparedness and the sentiments of other boards. Despite their lower cyber priorities, healthcare boards are much more optimistic. Only 50% believe their organization is at risk of a material cyberattack in the next 12 months (compared to 65% across sectors), and just 43% think their organizations are unprepared to cope with a targeted cyberattack (compared with 47% for all cohorts).

One reason behind the healthcare directors' misplaced confidence is their lack of cybersecurity understanding and expertise — another area where they fall behind their peers. Across all industries, 85% of survey participants believe their boards understand systemic risk, but only 61% of healthcare directors feel the same. Furthermore, fewer healthcare organizations have experts on their boards (68% versus 73%) and adequate training to respond to a cyber incident (59% versus 74%).

Given the gap in the directors' understanding of cyber-risks, it is understandable that they would look to their chief information security officers (CISOs) for guidance. However, the report findings show that this is not true. Only 57% of healthcare boardrooms have regular presentations from CISOs or other cybersecurity experts, compared to 73% across all sectors. Twenty-three percent of healthcare board members only see their CISOs when they appear before the board to make a cybersecurity report.

****Board-CISO Rift a Barrier to Progress****

Our industry is well aware of the communications gap between boards and CISOs. For years, boards showed little interest in cybersecurity, viewing it as an IT problem rather than a business one. Today, thanks to growing publicity about escalating threats such as ransomware, we finally see cybersecurity elevated to the board level.

But this increased awareness has not yet resulted in thawed tensions between boards and their security leaders. The survey found that 31% of directors globally still do not see eye to eye with their CISOs — and even more healthcare directors (41%) fall into this camp. If the two sides don't know, like, or even see each other very much, how can they agree on priorities and improve their organizations' security posture?

This chasm is especially alarming given the magnitude of cyber threats and patient risk in healthcare. A Ponemon Institute report on healthcare threats earlier this year found that 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months. Among those that experienced attacks such as ransomware and cloud compromise, 20% saw an increased patient mortality, rate while 57% saw poor patient outcomes because of delays in tests or procedures. There is a clear connection between cybersecurity and patient wellbeing — yet the healthcare sector often fails to take that seriously.

Why Healthcare Boards Lag Other Industries in Preparing for Cyberattacks

Organizations recognize that they are responsible for protecting remote workers from cyber threats, but they have a long way to go in deploying the necessary security technologies.

Remote work, or work from anywhere, is the reality for most organizations. However, organizations are still in the early stages of implementing security technology to accommodate the remote workforce, according to a recent report from Fortinet.

The insecurity of home networks, employees using company laptops for personal use, and compromised family devices infecting an employee's work device are considered to be the top security risks around work-from-anywhere, the company found in its "2023 Work-From-Anywhere Global Study." Just shy of three-quarters of respondents (71%) of respondents said the responsibility for protecting home offices falls on the corporation and service providers.

Of the 570 respondents, 40% had shifted back to being in the office full-time and 55% had some form of hybrid policy (remote work either one to two days or three to four days per week). Nearly two-thirds (62%) of respondents said their companies experienced a data breach during the past two to three years that could be attributed to an employee working remotely.

The survey asked respondents to identify which security solutions are the most important to secure remote employees, which security solutions have already been deployed within their organizations, and which areas they plan to invest in over the next 24 months. The results are uneven and show that organizations have much room for improvement in how they protect their remote workforce. While the top priority was network access control, only 58% said they have deployed network access control. In fact, only half of the respondents in the survey said they have implemented some of the fundamentals, such as installing antivirus on corporate devices (62%), enabling multifactor authentication (59%), and setting up a secure web gateway (53%). Barely half of the organizations have VPNs (51%) or require employees to run a firewall on personal devices (48%) despite the fact that they both were included in the list of 10 most important security technologies to protect remote workers.

Interestingly, those who have had a breach that can be attributed to a remote employee are more likely to be investing in antivirus for corporate devices, virtual private networks, secure access service edge, SD-WAN, and zero-trust network access. However, the report suggests that organizations are still figuring out what kind of protection to provide.

Not many organizations have deployed advanced security controls, such as zero trust networks (29%) or extended detection and response (XDR), but the interest in implementing them is high, at 72% and 79%, respectively. The fact that 92% of the respondents said they have plans to implement VPN in the next two years is a sign of just how far organizations have to go.

Orgs Have a Long Way to Go in Securing Remote Workforce

**BENGALURU, March 10 –** CloudSEK researchers have detected an increase of 200-300% month-on-month in YouTube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions since November 2022.

These videos pretend to be tutorials on downloading cracked versions of licensed software, such as Adobe Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others, available only to paid users.

Threat actors are using various tactics to spread the malicious software, including screen recordings, audio walkthroughs, and, more recently, AI-generated personas, which appear more trustworthy and familiar to users.

AI-generated videos featuring synthetic personas are on the rise, used in various languages and platforms for recruitment, education, and promotional purposes. Unfortunately, threat actors have also adopted this tactic. **(****For More Information Check Full Report****)**

Infostealers are malicious software designed to steal sensitive information from computers, such as passwords, credit card information, bank account numbers, and other confidential data. Infostealers are spread via malicious downloads, fake websites, and YouTube tutorials. They infiltrate systems and steal information, which is uploaded to the attacker's Command and Control server.

YouTube is a popular platform with over 2.5 billion active monthly users, making it an easy target for threat actors. CloudSEK has observed a 2 to 3 times month-on-month increase in the number of videos spreading stealer malware on YouTube. Threat actors use a variety of tactics to deceive the platform's algorithm and review process, such as using region-specific tags, adding fake comments to give the videos legitimacy, and frequent video uploads to compensate for deleted or taken-down videos. **(****For Detailed Analysis Check Full Report)**

“The threat of infostealers is rapidly evolving and becoming more sophisticated, leaving users vulnerable to devastating consequences. In a concerning trend, these threat actors are now utilizing AI-generated videos to amplify their reach, and YouTube has become a convenient platform for their distribution. As a result, it is absolutely critical that users exercise extreme caution when downloading software and avoid any suspicious links or videos at all costs,”said Pavan Karthick, a CloudSEK researcher.

**Automated and Frequent Video Uploads of Malicious Content on YouTube**

CloudSEK research shows that 5-10 crack software download videos with malicious links are uploaded to YouTube every hour. The videos contain deceptive tactics that mislead users into downloading malware, making it challenging for the YouTube algorithm to identify and remove them.

**SEO Optimization using Region-Specific Tags and Obfuscated Links**

The threat actors use SEO optimization with region-specific tags and obfuscated links to make these malicious videos appear more credible. Using random keywords in different languages, the YouTube algorithm recommends the videos, making them more accessible to users. Additionally, URL shorteners and links to file hosting platforms, such as bit.ly, and cutt.lymediafire.com, make it difficult for users to detect malicious links.

**Fake Comments and AI-generated Videos**

The threat actors also add fake comments to give the legitimacy of the video. These comments trick users into believing the malware is legitimate. Moreover, using AI-generated videos featuring personas that appear more familiar and trustworthy is a growing trend among threat actors.

**The Way Forward**

Traditional string-based rules will prove ineffective against malware that dynamically generates strings and/or uses encrypted strings. Therefore, organizations need to adopt adaptive threat monitoring to address constantly changing threats. Closely monitoring threat actors' tactics, techniques, and procedures is crucial to identifying potential threats. It is also essential to conduct awareness campaigns and equip users to detect and prevent potential threats. Additionally, users should enable multi-factor authentication, refrain from clicking on unknown links and emails, and avoid downloading or using pirated software.

**About CloudSEK**

CloudSEK is a contextual AI company that predicts Cyber Threats. Our Cloud SaaS platform constantly seeks security solutions for our customers’ digital risks.

To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com/ or drop a note to \[email protected\].

200-300% Increase in AI-Generated YouTube Videos to Spread Stealer Malware

The implosion of Silicon Valley Bank will impact investors, startups, and enterprise customers as they become more cautious over the near term, security experts say.

Last week's stunning collapse of Silicon Valley Bank (SVB) could put a damper on the ability of venture-backed cybersecurity startups to secure vital capital for operations and strategic investments.

Security experts perceive that even the US government's swift move over the weekend to protect SVB customer deposits will likely do little to tamp down the uncertainly that the bank's sudden exit has caused.

**Younger Startups Will Feel the Brunt**

"Financial support in the form of lines of credit and venture debt is going to become much more difficult \[for startups\] to come by," says Rob Ackerman, founder and managing director of AllegisCyber Capital. "SVB was the leading source of that financing and with them gone, the slope of the hill for young startups just became that much more difficult."

SVB was, until the middle last week, the 16th largest bank in the US with assets of more than $200 billion and total deposits of some $175 billion. Its troubles began March 8 when the bank, in a midquarter update, announced that it had lost $1.8 billion from the sale of US treasuries and mortgage-backed securities that it had purchased heavily in recent years. On the same day, SVB announced plans to raise $2.25 billion via public offering to pay customers seeking to withdraw their deposits from the bank.

The news triggered a near immediate run on the institution, as spooked investors and customers withdrew a staggering $42 billion from the bank in a 24-hour period — leaving SVB with a negative balance of $958 million by close of business March 9. A day later, on Friday, March 10, federal regulators declared the bank insolvent and seized its deposits, signaling the biggest banking failure since the collapse of Lehman Brothers in 2008.

**Containing the Damage**

Over the weekend, the Federal Deposit Insurance Corporation (FDIC) as receiver created a new entity called the Deposit Insurance National Bank of Santa Clara (DINB) and transferred all of SVB's deposits to it. On March 12, a US government scrambling to prevent a broad meltdown across the banking sector quickly announced that depositors would have full access to all of their money at SVB starting Monday, March 13. In a statement, Secretary of the Treasury Janet Yellen said the government would extend the same exception for customers of Signature Bank of New York, which also went insolvent over the weekend.

Analysts see SVB's failure as taking an especially heavy toll on the technology sector. "SVB was a foundational cornerstone of the financing ecosystem for the innovation ecosystem, and the cybersecurity industry is no exception," Ackerman says. "They were arguably more influential than any other single player to the growth and success of tech startups."

Virtually every venture firm was engaged with SVB at some level — be it the venture firms themselves banking at SVB, or their portfolio companies. And within the security community, they were vital to the banking and financing needs of the sector in the US, Israel, and the UK, Ackerman says.

**A Revaluation of Investment Practices?**

Richard Stiennon, chief research analyst at IT-Harvest, says public reports show that some 500 cybersecurity vendors banked with SVB — a not-surprising number considering there are 640 cybersecurity firms just in California alone. The move by federal regulators to ensure that SVB customer deposits remained untouched has relieved some of the early anxiety over the failure when many cybersecurity firms faced the real prospect of being unable to make payroll. 

"The VCs that were locked out of their accounts on Friday spent a long weekend trying to save their portfolio companies, while their own funds were unavailable," Stiennon says.

That experience will likely leave them reevaluating their practices. "I fully expect a death in new investments in cybersecurity," Stiennon tells Dark Reading. Cybersecurity investment activity in the first two months of 2023 has already been low; at just $1.7 billion so far, it's back at 2020 levels. 

"Companies, which were raising to extend runways, will either have dramatic down rounds or actually have to shut down," he says. Limited partners, or the investors who back VC initiatives, are going to be reluctant to put more money into funds. And with the generous venture funding that was available only through SVB now gone, startups have three options, he says. They have to either find a way to become profitable, significantly cut costs, or find a new funding source.

"Companies with good technology and good teams may be snapped up by strategic investors at rock-bottom valuations," Stiennon notes. "Private equity firms will have a unique opportunity to snap up some good companies."

**Spreading the Financial Risk**

Expect to see VC firms and their portfolio companies diversify where they hold their deposits, Ackerman adds. Increasingly, they are going to be looking for the security offered by much larger financial institutions — which, however, are unlikely going to be as supportive or as understanding of the requirements of innovative cybersecurity firms, he notes.

Analysts also expect that the SVB debacle will have an impact on how and from where enterprise organizations source their cybersecurity requirements, at least in the short term. SVB's failure has drawn attention to the risks associated with buying from startups and many are going to be looking for the security that more established, mature organizations offer.

"I'd expect procurement teams to introduce more hurdles in the due diligence process of earlier-stage vendors to understand the underlying resilience of the cybersecurity vendors' financial ecosystem," Forrester analyst Jeff Pollard tells Dark Reading. Enterprise procurement staff are going to want to know more about the concentration risk and resilience of their vendor's banking processes, he adds. And they will likely need reassurances that if a similar scenario plays out again, their early vendor can continue to make payroll or pay critical suppliers for a specific period of time.

Also, cybersecurity startups will increasingly look to bank with more than one entity to spread risk. "The problem with that is many startups worked with SVB because SVB made it easy for startups to work with them," Pollard says. 

Now startups are going to have a hard time working with other banks, because cyber startups tend to have more volatility in their cash flows, he notes. "In addition, many founders may not be US citizens which can create its own set of issues when trying to establish accounts."

SVB Meltdown: What It Means for Cybersecurity Startups' Access to Capital

AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.

Credential-seeking cyberattackers garnered the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and popular technology companies in 2022.

That's according to an analysis of data collected by Internet services provider Cloudflare, which found that Individuals most often clicked on links in emails that appeared to come from AT&T and Verizon, PayPal and Wells Fargo, or Microsoft and Facebook. The rankings did not align with popularity — the Internal Revenue Service ranked No. 6 — but rather with the size of the brand's user base and the relative opportunity to turn compromise into cash, says Matthew Prince, CEO and co-founder of Cloudflare.

"We're seeing up and down the brand list, from the largest and most risky down to the smallest, that phishing is not going away as a problem," Prince says. "Email still continues to be the No. 1 entry point for an attacker \[and\] phishing still continues to be the No. 1 threat for almost all of our customers."

In addition, attackers are increasingly using phishing in an attempt to steal credentials from privileged employees and gain access to corporate networks, he says.

Cloudflare is not the only organization to see phishing as a threat, of course. In 2022, more than 300,000 complaints of phishing attacks flooded the FBI's Internet Crime Complaint Center (IC3), slightly down from the peak in 2021 of nearly 324,000 complaints, but a 162% increase from three years ago. The numbers do not include business email compromise (BEC) and investment scams, the most damaging types of attacks, both of which typically have a targeted phishing component.

The phishing problem can be more problematic on mobile devices, since attackers are harder to spot in most mobile mail clients. In 2022, mobile phishing encounter rates — a measure of the number of phishing attempts the average user receives — increased roughly 10% for enterprise devices and more than 20% for personal devices, according to mobile-device management firm Lookout. Overall, half of mobile users faced a phishing attack at some point in 2022, the company stated in its recent "State of Mobile Phishing in 2023" report.

**An Often-Ignored Threat**

Most users have become inured to the fake emails using known brands to attempt to harvest credentials as the first step in an account compromise. Yet the deluge of disguised emails do have the occasional success, which makes the effort worth the attackers' time and mean that they remain the most common cause of data breaches.

Cloudflare used data from its domain name service (DNS) resolver to find the known phishing URLs that were most often visited by users, with visits to common hosting sites, such as Google and GoDaddy, removed from the data if the site could not be confirmed to be fraudulent.

It's not an indication of a successful phishing attack, but the top-50 list does show which emails overcome the recipient's initial skepticism, Cloudflare's Prince says.

"There are plenty of phishing scams where you might get something and say — 'Is this legitimate?' — so you might click on that link," he says. "It's at least the start down a journey of success; it doesn't mean that somebody necessarily entered their credentials, or even, if they entered information, that they entered accurate information."

Last August, Cloudflare detected a sophisticated phishing attack against the company, the same attack that compromised customer-data platform Twilio and more than 100 other companies, dubbed "Oktapus" for its targeting of the identity firm Okta.

Most recently, a phishing email sent to a Reddit employee led to a cloned gateway for the company and allowed an attacker to gain access to the social media site's internal network for a few hours.

**The Long Tail of Phish**

The top-50 list represents typical targets of credential stealing campaigns, and while there is a significant difference in volume between the start and the end of the list, smaller companies and the much lower volume of phishing directed against their brands result in a very long tailed distribution, Prince says.

Attackers tend to see phishing directed against brands in the top 50 as a way to steal money, packages, or valuable information from accounts, while the long-tail phishing tends to focus on gaining access for further compromise, Prince says. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The final five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A.

"In most of these cases, when it's in the top-50 list, it's about how an attacker can gain access to an account to, in relatively short order, do something that generates cash for the attacker," he says. "I think that when we look at some of the more targeted attacks, those \[that\] are much more about compromising systems, they then can be used more indirectly to launch some sort of attack."

Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures

Campaign demonstrates the DPRK-backed cyberattackers are gaining tools to avoid EDR tools.

North Korean advanced persistent threat (APT) group Lazarus (aka UNC290) has been targeting security researchers with a phishing campaign via LinkedIn since last June.

Mandiant reported that the phishing attacks started against a US-based tech company, and noted the threat actors were using three new code families — Touchmove, Sideshow, and Touchshift — in their activities.

Posing as recruiters on LinkedIn, the group works to earn a victim's trust, and it then convinces them engage on WhatsApp or by email, where they can send a malware dropper, Mandiant explained.

"Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting US and European media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the groups ability to operate in cloud environments and against endpoint detection and response (EDR) tools," Mandiant said about the emerging phishing campaign.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers Lure Cybersecurity Researchers With Fake LinkedIn Recruiter Profiles

AI-generated videos pose as tutorials on how to get cracked versions of Photoshop, Premiere Pro, and more.

Artificial Intelligence is being used to generate videos pretending to be step-by-step tutorials on how to access programs like Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others without a license. Instead, the videos are loaded with infostealer malware that scrapes the viewer's sensitive personal data stored on the device.

Researchers with CloudSEK measured a month-over-month increase of 200% to 300% since November 2022 of AI-created YouTube videos with links to infostealer malware, including Vidar, RedLine, and Raccoon.

Making the video lures more compelling to its targets, the CloudSEK security team added, AI video tools such as Synthesia and D-ID are being used to generate personas intended to exude trustworthiness across multiple languages and social media platforms, supercharging threat actors' ability to deliver infostealer malware.

"It is well known that videos featuring humans, especially those certain facial features, appear more familiar and trustworthy," the CloudSEK report explained. "Hence, there has been a recent trend of videos featuring AI-generated personas, across languages and platforms (Twitter, Youtube, Instagram), providing recruitment details, educational training, promotional material, etc. And threat actors have also now adopted this tactic." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AI-Created YouTube Videos Spread Around Malware

Developers must balance creativity with security frameworks to keep applications safe. Correlating business logic with security logic will pay in safety dividends.

Web applications are the top vectors attackers use to pull off breaches. According to Verizon's "Data Breach Investigations Report" (PDF), Web applications were the way in for roughly 70% of all breaches studied.

After conducting more than 300 Web application penetration tests, I see why. Developers keep making the same security missteps that create vulnerabilities. They often don't use secure frameworks and try to write security code and authentication processes themselves.

It's important to note how much pressure developers are under to bring products to market quickly. They're rewarded based on how many features they can introduce as quickly as possible, not necessarily as securely as possible. This leads to taking security shortcuts and, down the road, vulnerabilities in Web applications.

**Five Lessons for More-Secure Apps**

Pen testers play the role of devil's advocate and reverse engineer what application developers create to show where and how attackers gain access. The results have highlighted common fundamental mistakes. Here are five lessons software development companies can learn to make their applications more secure.

1.  **Attackers are still leveraging cross-site scripting (XSS).** XSS has long been a popular Web application vulnerability. In 2021, it came off the Open Web Application Security Project (OWASP) top 10 list due to improvements in application development frameworks, but it's still evident in nearly every penetration test we perform.
    
    It's often thought of as low risk, but the XSS risks can be severe, including account takeover, data theft, and the complete compromise of an application's infrastructure. Many developers think that using a mature-input validation library and setting proper HttpOnly cookie attributes is enough, but XSS bugs still find a way in when custom code is used. Take WordPress sites, for example — an XSS attack that targets an administrator is critical because the credentials allow the user to load plug-ins, thus executing code-like malicious payloads on the server.
    
2.  **Automated scanners don't go far enough.** If you're only scanning Web applications using automated tooling, there's a good chance that vulnerabilities slip through the cracks. Those tools use fuzzing — a method that injects malformed data into systems — but that technique can create false positives.
    
    Scanners are typically not up to date with modern Web development and don't offer the best results for JavaScript single-page applications, WebAssembly, or Graph. Complicated vulnerabilities need a handcrafted payload to validate them, making the automated tools less effective.
    
    There's a human element required for the most accurate and detailed analysis of vulnerabilities and exploits, but these scanners can be a complementary resource to quickly find the low-hanging fruit.
    
3.  **When authentication is homegrown, it's usually too weak.** Authentication is everything to securing a Web application. When developers try to create their own forgotten password workflow, they typically don't do it in the most secure way.
    
    Pen testers often get access to other users' information or have excessive privileges that aren't in line with their role. This creates horizontal and vertical access control issues that can allow attackers to lock users out of their accounts or compromise the application.
    
    It's all about how these protocols are implemented. Security Assertion Markup Language (SAML) authentication, for instance, is a single sign-on protocol that's becoming more popular as a means of increasing security, but if you implement it incorrectly, you've opened more doors than you've locked.
    
4.  **Attackers target flaws in business logic.** Developers look at features to determine whether they accomplish a customer's use case. They're often not looking from the other side of the lens to identify how an attacker might use that feature maliciously.
    
    A great example is the shopping cart for an e-commerce website. It's business-critical, but often not secure, which creates severe vulnerabilities such as zeroing out the total at checkout, adding items after checkout, or replacing products with other SKUs.
    
    It's hard to blame developers for focusing on the primary use case and not recognizing other, typically nefarious, uses. Their performance is based on delivering the feature. Executives need to see the other side of the coin and understand that the business logic should correlate to security logic. The features with the highest business value, such as a shopping cart or authentication workflow, probably aren't the job for a junior developer.
    
5.  **There's no "out of scope" in a good penetration test.** Web applications can quickly become complex based on how many resources and assets go into them. Back-end API servers that enable the functionality of the main application need to be considered.
    
    It's important to share all those external assets, and how they connect to what the developers built, with security auditors that conduct penetration tests. The developer may consider those assets to be "out of scope" and that they therefore aren't responsible for them, but an attacker wouldn't respect that line in the sand. As penetration tests show, nothing is "out of scope."
    

**A Question of Balance**

When software development companies understand some of these common risks up front, they can have better engagements with security auditors and make penetration tests less painful. No company wants to hold its developers back, but by balancing creativity with security frameworks, developers know where they have freedom and where they need to align with the guardrails that keep applications safe.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

5 Lessons Learned From Hundreds of Penetration Tests

With the rise of cybercriminals targeting online piracy, this year's Oscar-nom fans need to be especially careful not to download malicious files while attempting to watch popular films for free.

Beware the Oscar nominees! In the age of films being available to pirate for free on the Internet, the data shows this: The more popular and critically acclaimed a pirated film is, the more likely it is to have a higher number of infected files.

This year, a research team at ReasonLabs collected data on film piracy from January 2022 to last month, focusing on some of the most well-known films from this past year, all of which are contenders for awards at the upcoming 95th Academy Awards. The researchers found thousands of cases of cyber threats within files pretending to be these highly nominated films. The boobytraps range from spyware to Trojans to malware.

In particular, _Everything Everywhere All at Once_, _Top Gun: Maverick_, and _Avatar: The Way of Water_, all fan and critic favorites, have been among the top films used to fish and lure movie watchers this past year.

Online piracy sites have been experiencing a steady influx of visitors, up 20% more than last year due to the COVID-19 pandemic, according to a study by MUSO, with film piracy experiencing the fastest level of growth. Businesses should take note, given that remote workers often use personal devices to access corporate assets.

ReasonLabs found the most common threats in this year's pirated Oscar contenders to be:

*   **Spyware Personal Documents Stealer:** A false, Microsoft-presenting file written in .NET that steals documents and sends them to the attacker's email.
*   **Password Stealer Extension:** A malicious installer that downloads external files to the C:\\programdata folder, with deceiving names.
*   **The Bat Worm:** An executable that drops three files, hidden from the user, and copies the user's files to each drive in the device.
*   **Keylogger:** An executable that sends stolen data to its server by tracking a user's keyboard activity.
*   **Search Hijacker Extension:** A Trojan file that installs malware instead of movies using a malicious extension and installer.

In turn, users and employers need to protect themselves by utilizing tools available to them. These "include physical and digital products but also include general education," says Dana Yosifovich, security researcher at ReasonLabs. "The continued push for cyber awareness by security companies and AV providers is paramount in order to reduce the vulnerabilities of home users, and the overall success of next-generation attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading